Updates from: 01/26/2021 04:08:31
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/conditional-access-identity-protection-setup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/conditional-access-identity-protection-setup.md a/articles/active-directory-b2c/conditional-access-identity-protection-setup.md
@@ -91,9 +91,7 @@ To add a Conditional Access policy based on the Identity Protection risk detecti
1. Under **Security**, select **Conditional Access (Preview)**. The **Conditional Access Policies** page opens.
-1. Select **New policy** and follow the Azure AD Conditional Access documentation to create a new policy. The following is an example:
-
- - [Sign-in risk-based Conditional Access: Enable with Conditional Access policy](../active-directory/conditional-access/howto-conditional-access-policy-risk.md#enable-with-conditional-access-policy)
+1. Select **New policy** and follow the Azure AD Conditional Access documentation to create a new policy. For risk-based policies, you will need to configure separate policies based on [user risk](../active-directory/conditional-access/howto-conditional-access-policy-risk-user.md#enable-with-conditional-access-policy) or [sign-in risk](../active-directory/conditional-access/howto-conditional-access-policy-risk.md#enable-with-conditional-access-policy) depending on which type of risk you want to use as a condition. We do not recommend using both risk types in a single policy.
> [!IMPORTANT] > When selecting the users you want to apply the policy to, don't select **All users** only, or you could block yourself from signing in.
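Review bot: the rewritten step ends with "We do not recommend using both risk types in a single policy" but gives no reason, so readers cannot tell whether the advice is about policy evaluation, troubleshooting, or something else; add a one-line rationale or link to the page that explains it. The IMPORTANT note that follows is also ambiguous as worded ("don't select **All users** only"): since the stated consequence is locking yourself out, say directly that the account you are administering with must be excluded when the policy targets all users.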
@@ -144,4 +142,4 @@ To review the result of a Conditional Access event:
## Next steps
-[Add Conditional Access to a user flow](conditional-access-user-flow.md).
\ No newline at end of file
+[Add Conditional Access to a user flow](conditional-access-user-flow.md).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/customize-application-attributes.md a/articles/active-directory/app-provisioning/customize-application-attributes.md
@@ -8,7 +8,7 @@
Previously updated : 11/10/2020 Last updated : 1/25/2021
@@ -70,7 +70,7 @@ Along with this property, attribute-mappings also support the following attribut
- **Only during creation** - Apply this mapping only on user creation actions. ## Matching users in the source and target systems
-The Azure AD provisioning service can be deployed in both "greenfield" scenarios (where users do not exit in the target system) and "brownfield" scenarios (where users already exist in the target system). To support both scenarios, the provisioning service uses the concept of matching attributes. Matching attributes allow you to determine how to uniquely identify a user in the source and match the user in the target. As part of planning your deployment, identify the attribute that can be used to uniquely identify a user in the source and target systems. Things to note:
+The Azure AD provisioning service can be deployed in both "green field" scenarios (where users do not exit in the target system) and "brownfield" scenarios (where users already exist in the target system). To support both scenarios, the provisioning service uses the concept of matching attributes. Matching attributes allow you to determine how to uniquely identify a user in the source and match the user in the target. As part of planning your deployment, identify the attribute that can be used to uniquely identify a user in the source and target systems. Things to note:
- **Matching attributes should be unique:** Customers often use attributes such as userPrincipalName, mail, or object ID as the matching attribute. - **Multiple attributes can be used as matching attributes:** You can define multiple attributes to be evaluated when matching users and the order in which they are evaluated (defined as matching precedence in the UI). If, for example, you define three attributes as matching attributes, and a user is uniquely matched after evaluating the first two attributes, the service will not evaluate the third attribute. The service will evaluate matching attributes in the order specified and stop evaluating when a match is found.
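Review bot: the edited sentence still says "where users do not exit in the target system"; this should be "exist", and the same line should be fixed while it is being touched. Changing "greenfield" to "green field" also makes it inconsistent with "brownfield" later in the same sentence; the original "greenfield" was the matching form, so either revert it or change both.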
@@ -151,6 +151,7 @@ Custom attributes can't be referential attributes, multi-value or complex-typed
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", "urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User"], "userName":"bjensen",
+ "id": "48af03ac28ad4fb88478",
"externalId":"bjensen", "name":{ "formatted":"Ms. Barbara J Jensen III",
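Review bot: the added `"id": "48af03ac28ad4fb88478"` line sits directly next to `"externalId":"bjensen"` with no text explaining the difference, and a reader following this custom-attribute example may assume both values are supplied by Azure AD. Add a short note that `id` is the identifier the SCIM service provider assigns to the resource, while `externalId` carries the identifier the provisioning client sends, so the sample is not copied with a made-up `id`.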
@@ -334,4 +335,4 @@ Selecting this option will effectively force a resynchronization of all users wh
- [Writing Expressions for Attribute-Mappings](functions-for-customizing-application-data.md) - [Scoping Filters for User Provisioning](define-conditional-rules-for-provisioning-user-accounts.md) - [Using SCIM to enable automatic provisioning of users and groups from Azure Active Directory to applications](use-scim-to-provision-users-and-groups.md)-- [List of Tutorials on How to Integrate SaaS Apps](../saas-apps/tutorial-list.md)\ No newline at end of file
+- [List of Tutorials on How to Integrate SaaS Apps](../saas-apps/tutorial-list.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-accidental-deletes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/cloud-sync/how-to-accidental-deletes.md a/articles/active-directory/cloud-sync/how-to-accidental-deletes.md
@@ -7,7 +7,7 @@
Previously updated : 10/19/2020 Last updated : 01/25/2021
@@ -19,9 +19,9 @@ The following document describes the accidental deletion feature for Azure AD Co
- configure the ability to prevent accidental deletes automatically. - Set the # of objects (threshold) beyond which the configuration will take effect -- setup a notification email address so they can get an email notification once the sync job in question is put in quarantine for this scenario
+- set up a notification email address so they can get an email notification once the sync job in question is put in quarantine for this scenario
-To use this feature, you set the threshold for the number of objects that, if deleted, synchronization should stop. So if this number is reached, the synchronization will stop and a notification will be sent to the email that is specified. This allows you to investigate what is going on.
+To use this feature, you set the threshold for the number of objects that, if deleted, synchronization should stop. So if this number is reached, the synchronization will stop and a notification will be sent to the email that is specified. This notification will allow you to investigate what is going on.
## Configure accidental delete prevention
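Review bot: the new sentence "you set the threshold for the number of objects that, if deleted, synchronization should stop" is still hard to parse after this edit; suggest "you set the number of pending deletions at which synchronization should stop", and "the email that is specified" reads better as "the configured notification address". The bullet above it should also say what the notification contains, since the next paragraph relies on it for the investigation step.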
@@ -35,13 +35,53 @@ To use the new feature, follow the steps below.
5. Under **Settings** fill in the following: - **Notification email** - email used for notifications - **Prevent accidental deletions** - check this box to enable the feature
- - **Accidental deletion threshold** - enter a number of objects to trigger synchronization stop and notification
+ - **Accidental deletion threshold** - enter the number of objects to stop synchronization and send a notification
![Accidental deletes](media/how-to-accidental-deletes/accident-1.png)
+## Recovering from an accidental delete instance
+If you encounter an accidental delete you will see this on the status of your provisioning agent configuration. It will say **Delete threshold exceeded**.
+
+![Accidental delete status](media/how-to-accidental-deletes/delete-1.png)
+
+By clicking on **Delete threshold exceeded**, you will see the sync status info. This will provide additional details.
+
+ ![Sync status](media/how-to-accidental-deletes/delete-2.png)
+
+By right-clicking on the ellipses, you will get the following options:
+ - View provisioning log
+ - View agent
+ - Allow deletes
+
+ ![Right click](media/how-to-accidental-deletes/delete-3.png)
+
+Using **View provisioning log**, you can see the **StagedDelete** entries and review the information provided on the users that have been deleted.
+
+ ![Provisioning logs](media/how-to-accidental-deletes/delete-7.png)
+
+### Allowing deletes
+
+The **Allow deletes** action will delete the objects that triggered the accidental delete threshold. Use the following procedure to accept the deletes.
+
+1. Right-click on the ellipses and select **Allow deletes**.
+2. Click **Yes** on the confirmation to allow the deletions.
+
+ ![Yes on confirmation](media/how-to-accidental-deletes/delete-4.png)
+
+3. You will see confirmation that the deletions were accepted and the status will return to healthy with the next cycle.
+
+ ![Accept deletes](media/how-to-accidental-deletes/delete-8.png)
+
+### Rejecting deletions
+
+If you do not want to allow the deletions, you need to do the following:
+- investigate the source of the deletions
+- fix the issue (example, OU was moved out of scope accidentally and you have now re-added it back to the scope)
+- Run **Restart sync** on the agent configuration
+ ## Next steps -- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)-- [How to install Azure AD Connect cloud sync](how-to-install.md)
+- [Azure AD Connect cloud sync troubleshooting?](how-to-troubleshoot.md)
+- [Azure AD Connect cloud sync error codes](reference-error-codes.md)
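Review bot: the "Allowing deletes" procedure tells the reader that **Allow deletes** will delete the objects that tripped the threshold, but it does not tell them to review the **StagedDelete** entries in the provisioning log first, even though the section just above shows exactly that; add a step (or a lead-in sentence) that makes reviewing the staged deletions a precondition before confirming, because the action is described as irreversible. In "Rejecting deletions", the list mixes lowercase ("investigate", "fix") and capitalized ("Run") items, and the section should state what the reader should expect to see after **Restart sync** so they can verify the recovery worked. Also, the new Next steps link text "Azure AD Connect cloud sync troubleshooting?" has a stray question mark.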
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/accounts-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/accounts-overview.md a/articles/active-directory/develop/accounts-overview.md
@@ -1,6 +1,6 @@
Title: Microsoft identity platform accounts & tenant profiles on Android | Azure
-description: An overview of Microsoft identity platform accounts for Android
+description: An overview of the Microsoft identity platform accounts for Android
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-protocols https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-authentication-protocols.md a/articles/active-directory/develop/active-directory-authentication-protocols.md
@@ -1,6 +1,6 @@
Title: Microsoft identity platform authentication protocols
-description: An overview of the authentication protocols supported by Microsoft identity platform
+description: An overview of the authentication protocols supported by the Microsoft identity platform
@@ -18,12 +18,12 @@
# Microsoft identity platform authentication protocols
-Microsoft identity platform supports several of the most widely used authentication and authorization protocols. The topics in this section describe the supported protocols and their implementation in Microsoft identity platform. The topics included a review of supported claim types, an introduction to the use of federation metadata, detailed OAuth 2.0. and SAML 2.0 protocol reference documentation, and a troubleshooting section.
+The Microsoft identity platform supports several of the most widely used authentication and authorization protocols. The topics in this section describe the supported protocols and their implementation in Microsoft identity platform. The topics included a review of supported claim types, an introduction to the use of federation metadata, detailed OAuth 2.0. and SAML 2.0 protocol reference documentation, and a troubleshooting section.
## Authentication protocols articles and reference * [Important Information About Signing Key Rollover in Microsoft identity platform](active-directory-signing-key-rollover.md) ΓÇô Learn about Microsoft identity platformΓÇÖs signing key rollover cadence, changes you can make to update the key automatically, and discussion for how to update the most common application scenarios.
-* [Supported Token and Claim Types](id-tokens.md) - Learn about the claims in the tokens that Microsoft identity platform issues.
+* [Supported Token and Claim Types](id-tokens.md) - Learn about the claims in the tokens that the Microsoft identity platform issues.
* [OAuth 2.0 in Microsoft identity platform](v2-oauth2-auth-code-flow.md) - Learn about the implementation of OAuth 2.0 in Microsoft identity platform. * [OpenID Connect 1.0](v2-protocols-oidc.md) - Learn how to use OAuth 2.0, an authorization protocol, for authentication. * [Service to Service Calls with Client Credentials](v2-oauth2-client-creds-grant-flow.md) - Learn how to use OAuth 2.0 client credentials grant flow for service to service calls.
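Review bot: the change adds "The" before "Microsoft identity platform" in the first sentence but leaves "their implementation in Microsoft identity platform" later on the same line and the bullet titles below ("OAuth 2.0 in Microsoft identity platform", "Signing Key Rollover in Microsoft identity platform") unchanged, so article usage is now inconsistent within one section. While editing this line, also fix "The topics included" (should be "include") and the stray period in "detailed OAuth 2.0. and SAML 2.0".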
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-certificate-credentials.md a/articles/active-directory/develop/active-directory-certificate-credentials.md
@@ -18,7 +18,7 @@
# Microsoft identity platform application authentication certificate credentials
-Microsoft identity platform allows an application to use its own credentials for authentication anywhere a client secret could be used, for example, in the OAuth 2.0 [client credentials grant](v2-oauth2-client-creds-grant-flow.md) flow and the [on-behalf-of](v2-oauth2-on-behalf-of-flow.md) (OBO) flow.
+The Microsoft identity platform allows an application to use its own credentials for authentication anywhere a client secret could be used, for example, in the OAuth 2.0 [client credentials grant](v2-oauth2-client-creds-grant-flow.md) flow and the [on-behalf-of](v2-oauth2-on-behalf-of-flow.md) (OBO) flow.
One form of credential that an application can use for authentication is a [JSON Web Token](./security-tokens.md#json-web-tokens-jwts-and-claims) (JWT) assertion signed with a certificate that the application owns.
@@ -85,7 +85,7 @@ Gh95kHCOEGq5E_ArMBbDXhwKR577scxYaoJ1P{a lot of characters here}KKJDEg"
## Register your certificate with Microsoft identity platform
-You can associate the certificate credential with the client application in Microsoft identity platform through the Azure portal using any of the following methods:
+You can associate the certificate credential with the client application in the Microsoft identity platform through the Azure portal using any of the following methods:
### Uploading the certificate file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-configurable-token-lifetimes.md a/articles/active-directory/develop/active-directory-configurable-token-lifetimes.md
@@ -1,7 +1,7 @@
Title: Configurable token lifetimes
-description: Learn how to set lifetimes for access, SAML, and ID tokens issued by Microsoft identity platform.
+description: Learn how to set lifetimes for access, SAML, and ID tokens issued by the Microsoft identity platform.
@@ -15,9 +15,9 @@
-# Configurable token lifetimes in Microsoft identity platform (preview)
+# Configurable token lifetimes in the Microsoft identity platform (preview)
-You can specify the lifetime of a access, ID, or SAML token issued by Microsoft identity platform. You can set token lifetimes for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your organization. However, we currently do not support configuring the token lifetimes for [managed identity service principals](../managed-identities-azure-resources/overview.md).
+You can specify the lifetime of a access, ID, or SAML token issued by the Microsoft identity platform. You can set token lifetimes for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your organization. However, we currently do not support configuring the token lifetimes for [managed identity service principals](../managed-identities-azure-resources/overview.md).
In Azure AD, a policy object represents a set of rules that are enforced on individual applications or on all applications in an organization. Each policy type has a unique structure, with a set of properties that are applied to objects to which they are assigned.
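Review bot: the rewritten line still reads "the lifetime of a access, ID, or SAML token"; this should be "an access, ID, or SAML token" and is worth fixing in the same change rather than leaving the grammatical error in a line that was already edited.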
@@ -45,7 +45,7 @@ Clients use access tokens to access a protected resource. An access token can be
### SAML tokens
-SAML tokens are used by many web-based SAAS applications, and are obtained using Azure Active Directory's SAML2 protocol endpoint. They are also consumed by applications using WS-Federation. The default lifetime of the token is 1 hour. From an application's perspective, the validity period of the token is specified by the NotOnOrAfter value of the `<conditions …>` element in the token. After the validity period of the token has ended, the client must initiate a new authentication request, which will often be satisfied without interactive sign in as a result of the Single Sign On (SSO) Session token.
+SAML tokens are used by many web-based SaaS applications, and are obtained using Azure Active Directory's SAML2 protocol endpoint. They are also consumed by applications using WS-Federation. The default lifetime of the token is 1 hour. From an application's perspective, the validity period of the token is specified by the NotOnOrAfter value of the `<conditions …>` element in the token. After the validity period of the token has ended, the client must initiate a new authentication request, which will often be satisfied without interactive sign in as a result of the Single Sign On (SSO) Session token.
The value of NotOnOrAfter can be changed using the `AccessTokenLifetime` parameter in a `TokenLifetimePolicy`. It will be set to the lifetime configured in the policy if any, plus a clock skew factor of five minutes.
@@ -53,7 +53,7 @@ The subject confirmation NotOnOrAfter specified in the `<SubjectConfirmationData
### ID tokens
-ID tokens are passed to websites and native clients. ID tokens contain profile information about a user. An ID token is bound to a specific combination of user and client. ID tokens are considered valid until their expiry. Usually, a web application matches a userΓÇÖs session lifetime in the application to the lifetime of the ID token issued for the user. You can adjust the lifetime of an ID token to control how often the web application expires the application session, and how often it requires the user to be re-authenticated with Microsoft identity platform (either silently or interactively).
+ID tokens are passed to websites and native clients. ID tokens contain profile information about a user. An ID token is bound to a specific combination of user and client. ID tokens are considered valid until their expiry. Usually, a web application matches a userΓÇÖs session lifetime in the application to the lifetime of the ID token issued for the user. You can adjust the lifetime of an ID token to control how often the web application expires the application session, and how often it requires the user to be re-authenticated with the Microsoft identity platform (either silently or interactively).
### Token lifetime policy properties
@@ -101,9 +101,9 @@ Public clients cannot securely store a client password (secret). For example, an
The Max Age property is the length of time a single token can be used. ### Single sign-on session tokens
-When a user authenticates with Microsoft identity platform, a single sign-on session (SSO) is established with the userΓÇÖs browser and Microsoft identity platform. The SSO token, in the form of a cookie, represents this session. The SSO session token is not bound to a specific resource/client application. SSO session tokens can be revoked, and their validity is checked every time they are used.
+When a user authenticates with the Microsoft identity platform, a single sign-on session (SSO) is established with the userΓÇÖs browser and the Microsoft identity platform. The SSO token, in the form of a cookie, represents this session. The SSO session token is not bound to a specific resource/client application. SSO session tokens can be revoked, and their validity is checked every time they are used.
-Microsoft identity platform uses two kinds of SSO session tokens: persistent and nonpersistent. Persistent session tokens are stored as persistent cookies by the browser. Nonpersistent session tokens are stored as session cookies. (Session cookies are destroyed when the browser is closed.)
+The Microsoft identity platform uses two kinds of SSO session tokens: persistent and nonpersistent. Persistent session tokens are stored as persistent cookies by the browser. Nonpersistent session tokens are stored as session cookies. (Session cookies are destroyed when the browser is closed.)
Usually, a nonpersistent session token is stored. But, when the user selects the **Keep me signed in** check box during authentication, a persistent session token is stored. Nonpersistent session tokens have a lifetime of 24 hours. Persistent tokens have a lifetime of 90 days. Anytime an SSO session token is used within its validity period, the validity period is extended another 24 hours or 90 days, depending on the token type. If an SSO session token is not used within its validity period, it is considered expired and is no longer accepted.
@@ -228,13 +228,13 @@ Factors:
* Web Application A is a regular-use web application and isnΓÇÖt linked to any policies. * Web Application B is used for highly sensitive processes. Its service principal is linked to Token Lifetime Policy 2, which has a Session Token Max Age of 30 minutes.
-At 12:00 PM, the user starts a new browser session and tries to access Web Application A. The user is redirected to Microsoft identity platform and is asked to sign in. This creates a cookie that has a session token in the browser. The user is redirected back to Web Application A with an ID token that allows the user to access the application.
+At 12:00 PM, the user starts a new browser session and tries to access Web Application A. The user is redirected to the Microsoft identity platform and is asked to sign in. This creates a cookie that has a session token in the browser. The user is redirected back to Web Application A with an ID token that allows the user to access the application.
-At 12:15 PM, the user tries to access Web Application B. The browser redirects to Microsoft identity platform, which detects the session cookie. Web Application BΓÇÖs service principal is linked to Token Lifetime Policy 2, but it's also part of the parent organization, with default Token Lifetime Policy 1. Token Lifetime Policy 2 takes effect because policies linked to service principals have a higher priority than organization default policies. The session token was originally issued within the last 30 minutes, so it is considered valid. The user is redirected back to Web Application B with an ID token that grants them access.
+At 12:15 PM, the user tries to access Web Application B. The browser redirects to the Microsoft identity platform, which detects the session cookie. Web Application BΓÇÖs service principal is linked to Token Lifetime Policy 2, but it's also part of the parent organization, with default Token Lifetime Policy 1. Token Lifetime Policy 2 takes effect because policies linked to service principals have a higher priority than organization default policies. The session token was originally issued within the last 30 minutes, so it is considered valid. The user is redirected back to Web Application B with an ID token that grants them access.
-At 1:00 PM, the user tries to access Web Application A. The user is redirected to Microsoft identity platform. Web Application A is not linked to any policies, but because it is in an organization with default Token Lifetime Policy 1, that policy takes effect. The session cookie that was originally issued within the last eight hours is detected. The user is silently redirected back to Web Application A with a new ID token. The user is not required to authenticate.
+At 1:00 PM, the user tries to access Web Application A. The user is redirected to the Microsoft identity platform. Web Application A is not linked to any policies, but because it is in an organization with default Token Lifetime Policy 1, that policy takes effect. The session cookie that was originally issued within the last eight hours is detected. The user is silently redirected back to Web Application A with a new ID token. The user is not required to authenticate.
-Immediately afterward, the user tries to access Web Application B. The user is redirected to Microsoft identity platform. As before, Token Lifetime Policy 2 takes effect. Because the token was issued more than 30 minutes ago, the user is prompted to reenter their sign-in credentials. A brand-new session token and ID token are issued. The user can then access Web Application B.
+Immediately afterward, the user tries to access Web Application B. The user is redirected to the Microsoft identity platform. As before, Token Lifetime Policy 2 takes effect. Because the token was issued more than 30 minutes ago, the user is prompted to reenter their sign-in credentials. A brand-new session token and ID token are issued. The user can then access Web Application B.
## Cmdlet reference
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-to-integrate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-how-to-integrate.md a/articles/active-directory/develop/active-directory-how-to-integrate.md
@@ -1,7 +1,7 @@
Title: How to integrate with Microsoft identity platform | Azure
+ Title: How to integrate with the Microsoft identity platform | Azure
-description: Learn the benefits of integrating your application with Microsoft identity platform, and get resources for features like simplified sign-in, identity management, multi-factor authentication, and access control.
+description: Learn the benefits of integrating your application with the Microsoft identity platform, and get resources for features like simplified sign-in, identity management, multi-factor authentication, and access control.
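Review bot: as rendered, this hunk keeps the existing `Title: How to integrate with Microsoft identity platform | Azure` line as context and adds a second `Title:` line with "the", which would leave two `Title:` keys in the front matter. Confirm the original line is actually marked for removal (`-`) in the source patch; if it is, the rendering here dropped the marker, and if it is not, the old line needs to be removed.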
@@ -17,21 +17,21 @@
-# Integrating with Microsoft identity platform
+# Integrating with the Microsoft identity platform
[!INCLUDE [active-directory-devguide](../../../includes/active-directory-devguide.md)]
-In this article, you learn about the benefits of integrating your application with Microsoft identity platform and get resources for integration. Microsoft identity platform and Azure Active Directory (AD) provides organizations with enterprise-grade identity management for cloud applications. Microsoft identity platform integration gives your users a streamlined sign-in experience, and helps your application conform to IT policy.
+In this article, you learn about the benefits of integrating your application with the Microsoft identity platform and get resources for integration. The Microsoft identity platform and Azure Active Directory (AD) provides organizations with enterprise-grade identity management for cloud applications. The Microsoft identity platform integration gives your users a streamlined sign-in experience, and helps your application conform to IT policy.
## How to integrate
-There are several ways for your application to integrate with Microsoft identity platform. Take advantage of as many or as few of these scenarios as is appropriate for your application.
+There are several ways for your application to integrate with the Microsoft identity platform. Take advantage of as many or as few of these scenarios as is appropriate for your application.
-### Support Microsoft identity platform as a way to sign in to your application
+### Support the Microsoft identity platform as a way to sign in to your application
-**Reduce sign in friction and reduce support costs.** By using Microsoft identity platform to sign in to your application, your users won't have one more name and password to remember. As a developer, you'll have one less password to store and protect. Not having to handle forgotten password resets may be a significant savings alone. Microsoft identity platform powers sign in for some of the world's most popular cloud applications, including Microsoft 365 and Microsoft Azure. With hundreds of millions users from millions of organizations, chances are your user is already signed in to Microsoft identity platform. Learn more about [adding support for Microsoft identity platform sign in](./authentication-vs-authorization.md).
+**Reduce sign in friction and reduce support costs.** By using the Microsoft identity platform to sign in to your application, your users won't have one more name and password to remember. As a developer, you'll have one less password to store and protect. Not having to handle forgotten password resets may be a significant savings alone. The Microsoft identity platform powers sign in for some of the world's most popular cloud applications, including Microsoft 365 and Microsoft Azure. With hundreds of millions users from millions of organizations, chances are your user is already signed in to the Microsoft identity platform. Learn more about [adding support for the Microsoft identity platform sign in](./authentication-vs-authorization.md).
-**Simplify sign up for your application.** During sign up for your application, Microsoft identity platform can send essential information about a user so that you can pre-fill your sign up form or eliminate it completely. Users can sign up for your application using their Azure AD account via a familiar consent experience similar to those found in social media and mobile applications. Any user can sign up and sign in to an application that is integrated with Microsoft identity platform without requiring IT involvement. Learn more about [signing-up your application for Azure AD Account login](../../app-service/configure-authentication-provider-aad.md).
+**Simplify sign up for your application.** During sign up for your application, the Microsoft identity platform can send essential information about a user so that you can pre-fill your sign up form or eliminate it completely. Users can sign up for your application using their Azure AD account via a familiar consent experience similar to those found in social media and mobile applications. Any user can sign up and sign in to an application that is integrated with the Microsoft identity platform without requiring IT involvement. Learn more about [signing-up your application for Azure AD Account login](../../app-service/configure-authentication-provider-aad.md).
### Browse for users, manage user provisioning, and control access to your application
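Review bot: the rewritten intro sentence now has a compound subject with a singular verb: "The Microsoft identity platform and Azure Active Directory (AD) provides" should be "provide". The following sentence, "The Microsoft identity platform integration gives your users...", is awkward after adding the article; "Integrating with the Microsoft identity platform gives your users..." keeps the meaning and reads naturally.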
@@ -39,13 +39,13 @@ There are several ways for your application to integrate with Microsoft identity
**Re-use Active Directory groups and distribution lists your customer is already managing.** Azure AD contains the groups that your customer is already using for email distribution and managing access. Using the Microsoft Graph API, re-use these groups instead of requiring your customer to create and manage a separate set of groups in your application. Group information can also be sent to your application in sign in tokens. Learn more about the [Microsoft Graph API](/graph/overview).
-**Use Microsoft identity platform to control who has access to your application.** Administrators and application owners in Azure AD can assign access to applications to specific users and groups. Using the Microsoft Graph API, you can read this list and use it to control provisioning and de-provisioning of resources and access within your application.
+**Use the Microsoft identity platform to control who has access to your application.** Administrators and application owners in Azure AD can assign access to applications to specific users and groups. Using the Microsoft Graph API, you can read this list and use it to control provisioning and de-provisioning of resources and access within your application.
-**Use Microsoft identity platform for Roles Based Access Control.** Administrators and application owners can assign users and groups to roles that you define when you register your application in Microsoft identity platform. Role information is sent to your application in sign in tokens and can also be read using the Microsoft Graph API. Learn more about [using Microsoft identity platform for authorization](https://cloudblogs.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/).
+**Use the Microsoft identity platform for Roles Based Access Control.** Administrators and application owners can assign users and groups to roles that you define when you register your application in Microsoft identity platform. Role information is sent to your application in sign in tokens and can also be read using the Microsoft Graph API. Learn more about [using the Microsoft identity platform for authorization](https://cloudblogs.microsoft.com/enterprisemobility/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles/).
### Get access to users' profile, calendar, email, contacts, files, and more
-**Microsoft identity platform is the authorization server for Microsoft 365 and other Microsoft business services.** If you support Microsoft identity platform for sign in to your application or support linking your current user accounts to Azure AD user accounts using OAuth 2.0, you can request read and write access to a user's profile, calendar, email, contacts, files, and other information. You can seamlessly write events to user's calendar, and read or write files to their OneDrive. Learn more about [the Microsoft 365 APIs](/graph/overview).
+**The Microsoft identity platform is the authorization server for Microsoft 365 and other Microsoft business services.** If you support the Microsoft identity platform for sign in to your application or support linking your current user accounts to Azure AD user accounts using OAuth 2.0, you can request read and write access to a user's profile, calendar, email, contacts, files, and other information. You can seamlessly write events to user's calendar, and read or write files to their OneDrive. Learn more about [the Microsoft 365 APIs](/graph/overview).
### Promote your application in the Azure and Microsoft 365 Marketplaces
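Review bot: the `+` line for "Roles Based Access Control" still reads "when you register your application in Microsoft identity platform" without the article, so this hunk misses one of the occurrences it sets out to fix; suggest "in the Microsoft identity platform". On the same line, "Roles Based Access Control" is usually written "role-based access control", and in the Microsoft 365 `+` line "write events to user's calendar" should be "to a user's calendar".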
@@ -55,11 +55,11 @@ There are several ways for your application to integrate with Microsoft identity
### Secure device-to-service and service-to-service communication
-**Using Microsoft identity platform for identity management of services and devices reduces the code you need to write and enables IT to manage access.** Services and devices can get tokens from Microsoft identity platform using OAuth and use those tokens to access web APIs. Using Microsoft identity platform you can avoid writing complex authentication code. Since the identities of the services and devices are stored in Azure AD, IT can manage keys and revocation in one place instead of having to do this separately in your application.
+**Using the Microsoft identity platform for identity management of services and devices reduces the code you need to write and enables IT to manage access.** Services and devices can get tokens from the Microsoft identity platform using OAuth and use those tokens to access web APIs. Using the Microsoft identity platform you can avoid writing complex authentication code. Since the identities of the services and devices are stored in Azure AD, IT can manage keys and revocation in one place instead of having to do this separately in your application.
## Benefits of integration
-Integration with Microsoft identity platform comes with benefits that do not require you to write additional code.
+Integration with the Microsoft identity platform comes with benefits that do not require you to write additional code.
### Integration with enterprise identity management
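Review bot: the `+` line "Using the Microsoft identity platform you can avoid writing complex authentication code" needs a comma after the introductory phrase, and the following sentence's "instead of having to do this separately" would be clearer as "instead of having to do so separately in your application". Style only; the article insertions themselves look complete for this hunk.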
@@ -69,15 +69,15 @@ Integration with Microsoft identity platform comes with benefits that do not req
### Advanced security features
-**Multi-factor authentication.** Microsoft identity platform provides native multi-factor authentication. IT administrators can require multi-factor authentication to access your application, so that you do not have to code this support yourself. Learn more about [Multi-Factor Authentication](https://azure.microsoft.com/documentation/services/multi-factor-authentication/).
+**Multi-factor authentication.** The Microsoft identity platform provides native multi-factor authentication. IT administrators can require multi-factor authentication to access your application, so that you do not have to code this support yourself. Learn more about [Multi-Factor Authentication](https://azure.microsoft.com/documentation/services/multi-factor-authentication/).
-**Anomalous sign in detection.** Microsoft identity platform processes more than a billion sign-ins a day, while using machine learning algorithms to detect suspicious activity and notify IT administrators of possible problems. By supporting Microsoft identity platform sign-in, your application gets the benefit of this protection. Learn more about [viewing Azure Active Directory access report](../reports-monitoring/overview-reports.md).
+**Anomalous sign in detection.** The Microsoft identity platform processes more than a billion sign-ins a day, while using machine learning algorithms to detect suspicious activity and notify IT administrators of possible problems. By supporting the Microsoft identity platform sign-in, your application gets the benefit of this protection. Learn more about [viewing Azure Active Directory access report](../reports-monitoring/overview-reports.md).
**Conditional Access.** In addition to multi-factor authentication, administrators can require specific conditions be met before users can sign-in to your application. Conditions that can be set include the IP address range of client devices, membership in specified groups, and the state of the device being used for access. Learn more about [Azure Active Directory Conditional Access](../conditional-access/overview.md). ### Easy development
-**Industry standard protocols.** Microsoft is committed to supporting industry standards. The Microsoft identity platform supports the industry-standard OAuth 2.0 and OpenID Connect 1.0 protocols. Learn more about [Microsoft identity platform authentication protocols](active-directory-v2-protocols.md).
+**Industry standard protocols.** Microsoft is committed to supporting industry standards. The Microsoft identity platform supports the industry-standard OAuth 2.0 and OpenID Connect 1.0 protocols. Learn more about the [Microsoft identity platform authentication protocols](active-directory-v2-protocols.md).
**Open source libraries.** Microsoft provides fully supported open source libraries for popular languages and platforms to speed development. The source code is licensed under Apache 2.0, and you are free to fork and contribute back to the projects. Learn more about the [Microsoft Authentication Library (MSAL)](reference-v2-libraries.md).
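Review bot: "By supporting the Microsoft identity platform sign-in" on the anomalous-sign-in `+` line is awkward now that the article is inserted; suggest "By supporting sign-in with the Microsoft identity platform". In the unchanged Conditional Access context line, "before users can sign-in to your application" uses the hyphenated noun where the verb "sign in" is meant, consistent with "Anomalous sign in detection" in the same block.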
@@ -89,4 +89,4 @@ Integration with Microsoft identity platform comes with benefits that do not req
[Get started writing code](v2-overview.md#getting-started).
-[Sign users in using Microsoft identity platform](./authentication-vs-authorization.md)
\ No newline at end of file
+[Sign users in using the Microsoft identity platform](./authentication-vs-authorization.md)
\ No newline at end of file
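Review bot: both the `-` and `+` sides of this hunk end with "\ No newline at end of file", so the final line is rewritten without restoring the trailing newline; since the last line is being touched anyway, add the newline so the file ends consistently with the other articles in this change set (the conditional-access hunk at the top of the change set does exactly that).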
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-optional-claims.md a/articles/active-directory/develop/active-directory-optional-claims.md
@@ -22,12 +22,12 @@ Application developers can use optional claims in their Azure AD applications to
You can use optional claims to: - Select additional claims to include in tokens for your application.-- Change the behavior of certain claims that Microsoft identity platform returns in tokens.
+- Change the behavior of certain claims that the Microsoft identity platform returns in tokens.
- Add and access custom claims for your application. For the lists of standard claims, see the [access token](access-tokens.md) and [id_token](id-tokens.md) claims documentation.
-While optional claims are supported in both v1.0 and v2.0 format tokens, as well as SAML tokens, they provide most of their value when moving from v1.0 to v2.0. One of the goals of the [v2.0 Microsoft identity platform endpoint](./v2-overview.md) is smaller token sizes to ensure optimal performance by clients. As a result, several claims formerly included in the access and ID tokens are no longer present in v2.0 tokens and must be asked for specifically on a per-application basis.
+While optional claims are supported in both v1.0 and v2.0 format tokens, as well as SAML tokens, they provide most of their value when moving from v1.0 to v2.0. One of the goals of the [Microsoft identity platform](./v2-overview.md) is smaller token sizes to ensure optimal performance by clients. As a result, several claims formerly included in the access and ID tokens are no longer present in v2.0 tokens and must be asked for specifically on a per-application basis.
**Table 1: Applicability**
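Review bot: dropping "v2.0" and "endpoint" from the link text on the `+` line ("One of the goals of the [Microsoft identity platform](./v2-overview.md) is smaller token sizes") weakens the sentence that follows, which still argues specifically about "v2.0 tokens" versus v1.0; consider "One of the goals of the [v2.0 endpoint of the Microsoft identity platform](./v2-overview.md)" so the smaller-token claim stays tied to v2.0 rather than the platform as a whole.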
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customization https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-saml-claims-customization.md a/articles/active-directory/develop/active-directory-saml-claims-customization.md
@@ -17,11 +17,11 @@
# How to: customize claims issued in the SAML token for enterprise applications
-Today, Microsoft identity platform supports single sign-on (SSO) with most enterprise applications, including both applications pre-integrated in the Azure AD app gallery as well as custom applications. When a user authenticates to an application through Microsoft identity platform using the SAML 2.0 protocol, Microsoft identity platform sends a token to the application (via an HTTP POST). And then, the application validates and uses the token to log the user in instead of prompting for a username and password. These SAML tokens contain pieces of information about the user known as *claims*.
+Today, the Microsoft identity platform supports single sign-on (SSO) with most enterprise applications, including both applications pre-integrated in the Azure AD app gallery as well as custom applications. When a user authenticates to an application through the Microsoft identity platform using the SAML 2.0 protocol, the Microsoft identity platform sends a token to the application (via an HTTP POST). And then, the application validates and uses the token to log the user in instead of prompting for a username and password. These SAML tokens contain pieces of information about the user known as *claims*.
A *claim* is information that an identity provider states about a user inside the token they issue for that user. In [SAML token](https://en.wikipedia.org/wiki/SAML_2.0), this data is typically contained in the SAML Attribute Statement. The userΓÇÖs unique ID is typically represented in the SAML Subject also called as Name Identifier.
-By default, Microsoft identity platform issues a SAML token to your application that contains a `NameIdentifier` claim with a value of the userΓÇÖs username (also known as the user principal name) in Azure AD, which can uniquely identify the user. The SAML token also contains additional claims containing the userΓÇÖs email address, first name, and last name.
+By default, the Microsoft identity platform issues a SAML token to your application that contains a `NameIdentifier` claim with a value of the userΓÇÖs username (also known as the user principal name) in Azure AD, which can uniquely identify the user. The SAML token also contains additional claims containing the userΓÇÖs email address, first name, and last name.
To view or edit the claims issued in the SAML token to the application, open the application in Azure portal. Then open the **User Attributes & Claims** section.
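Review bot: the `+` line still opens a sentence with "And then, the application validates and uses the token"; since the line is being rewritten, drop "And then," ("The application then validates the token and uses it to sign the user in"). In the unchanged context, "also called as Name Identifier" should be "also called the Name Identifier", and "open the application in Azure portal" should be "in the Azure portal".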
@@ -43,9 +43,9 @@ To edit the NameID (name identifier value):
### NameID format
-If the SAML request contains the element NameIDPolicy with a specific format, then Microsoft identity platform will honor the format in the request.
+If the SAML request contains the element NameIDPolicy with a specific format, then the Microsoft identity platform will honor the format in the request.
-If the SAML request doesn't contain an element for NameIDPolicy, then Microsoft identity platform will issue the NameID with the format you specify. If no format is specified Microsoft identity platform will use the default source format associated with the claim source selected.
+If the SAML request doesn't contain an element for NameIDPolicy, then the Microsoft identity platform will issue the NameID with the format you specify. If no format is specified, the Microsoft identity platform will use the default source format associated with the claim source selected.
From the **Choose name identifier format** dropdown, you can select one of the following options.
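Review bot: both `+` lines refer to the SAML element as bare "NameIDPolicy" while the earlier hunk in this file formats `NameIdentifier` as code; wrap the element name in backticks on both lines ("the element `NameIDPolicy`") for consistency. The comma added after "If no format is specified" is correct.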
@@ -163,9 +163,9 @@ To add a claim condition:
The order in which you add the conditions are important. Azure AD evaluates the conditions from top to bottom to decide which value to emit in the claim. The last value which matches the expression will be emitted in the claim.
-For example, Britta Simon is a guest user in the Contoso tenant. She belongs to another organization that also uses Azure AD. Given the below configuration for the Fabrikam application, when Britta tries to sign in to Fabrikam, Microsoft identity platform will evaluate the conditions as follow.
+For example, Britta Simon is a guest user in the Contoso tenant. She belongs to another organization that also uses Azure AD. Given the below configuration for the Fabrikam application, when Britta tries to sign in to Fabrikam, the Microsoft identity platform will evaluate the conditions as follow.
-First, Microsoft identity platform verifies if Britta's user type is `All guests`. Since, this is true then Microsoft identity platform assigns the source for the claim to `user.extensionattribute1`. Second, Microsoft identity platform verifies if Britta's user type is `AAD guests`, since this is also true then Microsoft identity platform assigns the source for the claim to `user.mail`. Finally, the claim is emitted with value `user.mail` for Britta.
+First, the Microsoft identity platform verifies if Britta's user type is `All guests`. Since, this is true then the Microsoft identity platform assigns the source for the claim to `user.extensionattribute1`. Second, the Microsoft identity platform verifies if Britta's user type is `AAD guests`, since this is also true then the Microsoft identity platform assigns the source for the claim to `user.mail`. Finally, the claim is emitted with value `user.mail` for Britta.
![Claims conditional configuration](./media/active-directory-saml-claims-customization/sso-saml-user-conditional-claims.png)
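Review bot: the `+` lines keep two grammar slips that should go with the article fix: "will evaluate the conditions as follow" should be "as follows", and "Since, this is true then the Microsoft identity platform assigns" should be "Since this is true, the Microsoft identity platform assigns" (same fix for the "AAD guests" sentence, "since this is also true, the Microsoft identity platform assigns"). In the unchanged context line, "The order in which you add the conditions are important" should be "is important".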
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-protocol-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-saml-protocol-reference.md a/articles/active-directory/develop/active-directory-saml-protocol-reference.md
@@ -1,5 +1,5 @@
Title: How Microsoft identity platform uses the SAML protocol
+ Title: How the Microsoft identity platform uses the SAML protocol
description: This article provides an overview of the Single Sign-On and Single Sign-Out SAML profiles in Azure Active Directory.
@@ -15,15 +15,15 @@
-# How Microsoft identity platform uses the SAML protocol
+# How the Microsoft identity platform uses the SAML protocol
-Microsoft identity platform uses the SAML 2.0 protocol to enable applications to provide a single sign-on experience to their users. The [Single Sign-On](single-sign-on-saml-protocol.md) and [Single Sign-Out](single-sign-out-saml-protocol.md) SAML profiles of Azure AD explain how SAML assertions, protocols, and bindings are used in the identity provider service.
+The Microsoft identity platform uses the SAML 2.0 protocol to enable applications to provide a single sign-on experience to their users. The [Single Sign-On](single-sign-on-saml-protocol.md) and [Single Sign-Out](single-sign-out-saml-protocol.md) SAML profiles of Azure AD explain how SAML assertions, protocols, and bindings are used in the identity provider service.
SAML Protocol requires the identity provider (Microsoft identity platform) and the service provider (the application) to exchange information about themselves. When an application is registered with Azure AD, the app developer registers federation-related information with Azure AD. This information includes the **Redirect URI** and **Metadata URI** of the application.
-Microsoft identity platform uses the cloud service's **Metadata URI** to retrieve the signing key and the logout URI. Customer can open the app in **Azure AD -> App Registration** and then in **Settings -> Properties**, they can update the Logout URL. This way Microsoft identity platform can send the response to the correct URL.
+The Microsoft identity platform uses the cloud service's **Metadata URI** to retrieve the signing key and the logout URI. Customer can open the app in **Azure AD -> App Registration** and then in **Settings -> Properties**, they can update the Logout URL. This way the Microsoft identity platform can send the response to the correct URL.
Azure Active Directory exposes tenant-specific and common (tenant-independent) single sign-on and single sign-out endpoints. These URLs represent addressable locations -- they are not just identifiers -- so you can go to the endpoint to read the metadata.
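Review bot: the unchanged context line "SAML Protocol requires the identity provider (Microsoft identity platform)" keeps the old form inside the parentheses, so the article fix is incomplete for this file; suggest "(the Microsoft identity platform)". On the Metadata URI `+` line, "Customer can open the app" should be "Customers can open the app", and the line says the platform retrieves "the logout URI" but then tells the customer to update "the Logout URL"; use one term.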
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-schema-extensions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-schema-extensions.md a/articles/active-directory/develop/active-directory-schema-extensions.md
@@ -35,7 +35,7 @@ Directory schema extension attributes can be registered and populated in one of
Directory schema extension attributes created and synced using AD Connect are always associated with the application ID used by AD Connect. They can be used as a source for claims both by configuring them as claims in the **Enterprise Applications** configuration in the Portal UI for SAML applications registered using the Gallery or the non-Gallery application configuration experience under **Enterprise Applications**, and via a claims-mapping policy for applications registered via the Application registration experience. Once a directory extension attribute created via AD Connect is in the directory, it will show in the SAML SSO claims configuration UI. ### Emitting claims with data from directory schema extension attributes created for an application using Graph or PowerShell
-If a directory schema extension attribute is registered for an application using Microsoft Graph or PowerShell (via an applications initial setup or provisioning step for instance), the same application can be configured in Azure Active Directory to receive data in that attribute from a user object in a claim when the user signs in. The application can be configured to receive data in directory schema extensions that are registered on that same application using [optional claims](active-directory-optional-claims.md#configuring-directory-extension-optional-claims). These can be set in the application manifest. This enables a multi-tenant application to register directory schema extension attributes for its own use. When the application is provisioned into a tenant the associated directory schema extensions become available to be set on users in that tenant, and to be consumed. Once it's configured in the tenant and consent granted, it can be used to store and retrieve data via graph and to map to claims in tokens Microsoft identity platform emits to applications.
+If a directory schema extension attribute is registered for an application using Microsoft Graph or PowerShell (via an applications initial setup or provisioning step for instance), the same application can be configured in Azure Active Directory to receive data in that attribute from a user object in a claim when the user signs in. The application can be configured to receive data in directory schema extensions that are registered on that same application using [optional claims](active-directory-optional-claims.md#configuring-directory-extension-optional-claims). These can be set in the application manifest. This enables a multi-tenant application to register directory schema extension attributes for its own use. When the application is provisioned into a tenant the associated directory schema extensions become available to be set on users in that tenant, and to be consumed. Once it's configured in the tenant and consent granted, it can be used to store and retrieve data via graph and to map to claims in tokens the Microsoft identity platform emits to applications.
Directory schema extension attributes can be registered and populated for any application.
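Review bot: the `+` line carries "via an applications initial setup or provisioning step", which needs the possessive "an application's"; and "store and retrieve data via graph" should name the API as "Microsoft Graph", matching "using Microsoft Graph or PowerShell" at the start of the same line. Both are on the line this hunk already rewrites.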
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-signing-key-rollover https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-signing-key-rollover.md a/articles/active-directory/develop/active-directory-signing-key-rollover.md
@@ -15,13 +15,13 @@
-# Signing key rollover in Microsoft identity platform
-This article discusses what you need to know about the public keys that are used by Microsoft identity platform to sign security tokens. It is important to note that these keys roll over on a periodic basis and, in an emergency, could be rolled over immediately. All applications that use Microsoft identity platform should be able to programmatically handle the key rollover process. Continue reading to understand how the keys work, how to assess the impact of the rollover to your application and how to update your application or establish a periodic manual rollover process to handle key rollover if necessary.
+# Signing key rollover in the Microsoft identity platform
+This article discusses what you need to know about the public keys that are used by the Microsoft identity platform to sign security tokens. It is important to note that these keys roll over on a periodic basis and, in an emergency, could be rolled over immediately. All applications that use the Microsoft identity platform should be able to programmatically handle the key rollover process. Continue reading to understand how the keys work, how to assess the impact of the rollover to your application and how to update your application or establish a periodic manual rollover process to handle key rollover if necessary.
-## Overview of signing keys in Microsoft identity platform
-Microsoft identity platform uses public-key cryptography built on industry standards to establish trust between itself and the applications that use it. In practical terms, this works in the following way: Microsoft identity platform uses a signing key that consists of a public and private key pair. When a user signs in to an application that uses Microsoft identity platform for authentication, Microsoft identity platform creates a security token that contains information about the user. This token is signed by Microsoft identity platform using its private key before it is sent back to the application. To verify that the token is valid and originated from Microsoft identity platform, the application must validate the tokenΓÇÖs signature using the public keys exposed by Microsoft identity platform that is contained in the tenantΓÇÖs [OpenID Connect discovery document](https://openid.net/specs/openid-connect-discovery-1_0.html) or SAML/WS-Fed [federation metadata document](../azuread-dev/azure-ad-federation-metadata.md).
+## Overview of signing keys in the Microsoft identity platform
+The Microsoft identity platform uses public-key cryptography built on industry standards to establish trust between itself and the applications that use it. In practical terms, this works in the following way: The Microsoft identity platform uses a signing key that consists of a public and private key pair. When a user signs in to an application that uses the Microsoft identity platform for authentication, the Microsoft identity platform creates a security token that contains information about the user. This token is signed by the Microsoft identity platform using its private key before it is sent back to the application. To verify that the token is valid and originated from Microsoft identity platform, the application must validate the tokenΓÇÖs signature using the public keys exposed by the Microsoft identity platform that is contained in the tenantΓÇÖs [OpenID Connect discovery document](https://openid.net/specs/openid-connect-discovery-1_0.html) or SAML/WS-Fed [federation metadata document](../azuread-dev/azure-ad-federation-metadata.md).
-For security purposes, Microsoft identity platformΓÇÖs signing key rolls on a periodic basis and, in the case of an emergency, could be rolled over immediately. There is no set or guaranteed time between these key rolls - any application that integrates with Microsoft identity platform should be prepared to handle a key rollover event no matter how frequently it may occur. If it doesnΓÇÖt, and your application attempts to use an expired key to verify the signature on a token, the sign-in request will fail. Checking every 24 hours for updates is a best practice, with throttled (once every five minutes at most) immediate refreshes of the key document if a token is encountered with an unknown key identifier.
+For security purposes, the Microsoft identity platformΓÇÖs signing key rolls on a periodic basis and, in the case of an emergency, could be rolled over immediately. There is no set or guaranteed time between these key rolls - any application that integrates with the Microsoft identity platform should be prepared to handle a key rollover event no matter how frequently it may occur. If it doesnΓÇÖt, and your application attempts to use an expired key to verify the signature on a token, the sign-in request will fail. Checking every 24 hours for updates is a best practice, with throttled (once every five minutes at most) immediate refreshes of the key document if a token is encountered with an unknown key identifier.
There is always more than one valid key available in the OpenID Connect discovery document and the federation metadata document. Your application should be prepared to use any and all of the keys specified in the document, since one key may be rolled soon, another may be its replacement, and so forth. The number of keys present can change over time based on the internal architecture of the Microsoft identity platform as we support new platforms, new clouds, or new authentication protocols. Neither the order of the keys in the JSON response nor the order in which they were exposed should be considered meaninful to your app.
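Review bot: the overview `+` line still has "To verify that the token is valid and originated from Microsoft identity platform" without the article, so one occurrence is missed in the very line this hunk rewrites; on the same line, "the public keys exposed by the Microsoft identity platform that is contained in" should be "that are contained in" (keys, plural). In the unchanged context line below, "meaninful" is a typo for "meaningful".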
@@ -301,7 +301,7 @@ Instructions to use the FedUtil to update your configuration:
### <a name="other"></a>Web applications / APIs protecting resources using any other libraries or manually implementing any of the supported protocols If you are using some other library or manually implemented any of the supported protocols, you'll need to review the library or your implementation to ensure that the key is being retrieved from either the OpenID Connect discovery document or the federation metadata document. One way to check for this is to do a search in your code or the library's code for any calls out to either the OpenID discovery document or the federation metadata document.
-If they key is being stored somewhere or hardcoded in your application, you can manually retrieve the key and update it accordingly by performing a manual rollover as per the instructions at the end of this guidance document. **It is strongly encouraged that you enhance your application to support automatic rollover** using any of the approaches outline in this article to avoid future disruptions and overhead if Microsoft identity platform increases its rollover cadence or has an emergency out-of-band rollover.
+If they key is being stored somewhere or hardcoded in your application, you can manually retrieve the key and update it accordingly by performing a manual rollover as per the instructions at the end of this guidance document. **It is strongly encouraged that you enhance your application to support automatic rollover** using any of the approaches outline in this article to avoid future disruptions and overhead if the Microsoft identity platform increases its rollover cadence or has an emergency out-of-band rollover.
## How to test your application to determine if it will be affected You can validate whether your application supports automatic key rollover by downloading the scripts and following the instructions in [this GitHub repository.](https://github.com/AzureAD/azure-activedirectory-powershell-tokenkey)
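Review bot: the `+` line starts "If they key is being stored somewhere", a typo for "If the key", and later says "any of the approaches outline in this article", which should be "outlined"; both are on the line being rewritten, so fix them in this hunk rather than leaving them for another pass.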
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-v2-protocols.md a/articles/active-directory/develop/active-directory-v2-protocols.md
@@ -1,7 +1,7 @@
Title: OAuth 2.0 and OpenID Connect protocols on Microsoft identity platform | Azure
+ Title: OAuth 2.0 and OpenID Connect protocols on the Microsoft identity platform | Azure
-description: A guide to OAuth 2.0 and OpenID Connect protocols that are supported by the Microsoft identity platform endpoint.
+description: A guide to OAuth 2.0 and OpenID Connect protocols that are supported by the Microsoft identity platform.
@@ -16,7 +16,7 @@
-# OAuth 2.0 and OpenID Connect protocols on Microsoft identity platform
+# OAuth 2.0 and OpenID Connect protocols on the Microsoft identity platform
The Microsoft identity platform endpoint for identity-as-a-service implements authentication and authorization with the industry standard protocols OpenID Connect (OIDC) and OAuth 2.0, respectively. While the service is standards-compliant, there can be subtle differences between any two implementations of these protocols. The information here will be useful if you choose to write your code by directly sending and handling HTTP requests or use a third-party open-source library, rather than using one of our [open-source libraries](reference-v2-libraries.md).
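Review bot: the description hunk above removes "endpoint" ("supported by the Microsoft identity platform"), but the unchanged first body line still reads "The Microsoft identity platform endpoint for identity-as-a-service implements authentication and authorization", so the article body and the front matter now use different terms; revise the body line to "The Microsoft identity platform implements authentication and authorization ..." for consistency with the title change in this hunk.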
@@ -26,7 +26,7 @@ In nearly all OAuth 2.0 and OpenID Connect flows, there are four parties involve
![Diagram showing the OAuth 2.0 roles](./media/active-directory-v2-flows/protocols-roles.svg)
-* The **Authorization Server** is the Microsoft identity platform endpoint and responsible for ensuring the user's identity, granting and revoking access to resources, and issuing tokens. The authorization server is also known as the identity provider - it securely handles anything to do with the user's information, their access, and the trust relationships between parties in a flow.
+* The **Authorization Server** is the Microsoft identity platform and is responsible for ensuring the user's identity, granting and revoking access to resources, and issuing tokens. The authorization server is also known as the identity provider - it securely handles anything to do with the user's information, their access, and the trust relationships between parties in a flow.
* The **Resource Owner** is typically the end user. It's the party that owns the data and has the power to allow clients to access that data or resource. * The **OAuth Client** is your app, identified by its application ID. The OAuth client is usually the party that the end user interacts with, and it requests tokens from the authorization server. The client must be granted permission to access the resource by the resource owner. * The **Resource Server** is where the resource or data resides. It trusts the Authorization Server to securely authenticate and authorize the OAuth Client, and uses Bearer access tokens to ensure that access to a resource can be granted.
@@ -43,7 +43,7 @@ For more details, learn how to [register an app](quickstart-register-app.md).
## Endpoints
-Once registered, the app communicates with Microsoft identity platform by sending requests to the endpoint:
+Once registered, the app communicates with the Microsoft identity platform by sending requests to the endpoint:
``` https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
@@ -62,11 +62,11 @@ Where the `{tenant}` can take one of four different values:
To learn how to interact with these endpoints, choose a particular app type in the [Protocols](#protocols) section and follow the links for more info. > [!TIP]
-> Any app registered in Azure AD can use the Microsoft identity platform endpoint, even if they don't sign in personal accounts. This way, you can migrate existing applications to Microsoft identity platform and [MSAL](reference-v2-libraries.md) without re-creating your application.
+> Any app registered in Azure AD can use the Microsoft identity platform, even if they don't sign in personal accounts. This way, you can migrate existing applications to the Microsoft identity platform and [MSAL](reference-v2-libraries.md) without re-creating your application.
## Tokens
-OAuth 2.0 and OpenID Connect make extensive use of **bearer tokens**, generally represented as [JWTs (JSON Web Tokens)](https://tools.ietf.org/html/rfc7519). A bearer token is a lightweight security token that grants the ΓÇ£bearerΓÇ¥ access to a protected resource. In this sense, the ΓÇ£bearerΓÇ¥ is anyone that gets a copy of the token. Though a party must first authenticate with Microsoft identity platform to receive the bearer token, if the required steps are not taken to secure the token in transmission and storage, it can be intercepted and used by an unintended party. While some security tokens have a built-in mechanism for preventing unauthorized parties from using them, bearer tokens do not have this mechanism and must be transported in a secure channel such as transport layer security (HTTPS). If a bearer token is transmitted in the clear, a malicious party can use a man-in-the-middle attack to acquire the token and use it for unauthorized access to a protected resource. The same security principles apply when storing or caching bearer tokens for later use. Always ensure that your app transmits and stores bearer tokens in a secure manner. For more security considerations on bearer tokens, see [RFC 6750 Section 5](https://tools.ietf.org/html/rfc6750).
+OAuth 2.0 and OpenID Connect make extensive use of **bearer tokens**, generally represented as [JWTs (JSON Web Tokens)](https://tools.ietf.org/html/rfc7519). A bearer token is a lightweight security token that grants the ΓÇ£bearerΓÇ¥ access to a protected resource. In this sense, the ΓÇ£bearerΓÇ¥ is anyone that gets a copy of the token. Though a party must first authenticate with the Microsoft identity platform to receive the bearer token, if the required steps are not taken to secure the token in transmission and storage, it can be intercepted and used by an unintended party. While some security tokens have a built-in mechanism for preventing unauthorized parties from using them, bearer tokens do not have this mechanism and must be transported in a secure channel such as transport layer security (HTTPS). If a bearer token is transmitted in the clear, a malicious party can use a man-in-the-middle attack to acquire the token and use it for unauthorized access to a protected resource. The same security principles apply when storing or caching bearer tokens for later use. Always ensure that your app transmits and stores bearer tokens in a secure manner. For more security considerations on bearer tokens, see [RFC 6750 Section 5](https://tools.ietf.org/html/rfc6750).
There are primarily 3 types of tokens used in OAuth 2.0 / OIDC:
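Review bot: removing "endpoint" from the tip changes what it says. "Any app registered in Azure AD can use the Microsoft identity platform endpoint" told readers that an existing Azure AD registration can be pointed at the v2.0 endpoint without re-registering (the second sentence of the tip still makes that migration point), whereas "Any app registered in Azure AD can use the Microsoft identity platform" reads as a tautology under the new naming. Keep a reference to the v2.0 endpoint in the first sentence, and while the line is being edited fix the agreement error "Any app ... even if they don't sign in personal accounts" (it doesn't).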
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-registration-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-v2-registration-portal.md a/articles/active-directory/develop/active-directory-v2-registration-portal.md
@@ -23,7 +23,7 @@ This document provides context and descriptions of various features found in the
## My Applications or Converged applications
-This list contains all of your applications registered for use with the Microsoft identity platform (v2.0) endpoint. These applications have the ability to sign in users with both personal Microsoft accounts and work/school accounts from Azure Active Directory. To learn more about the identity platform endpoint, see the [v2.0 overview](./v2-overview.md). These applications can also be used to integrate with the Microsoft account authentication endpoint, `https://login.live.com`.
+This list contains all of your applications registered for use with the Microsoft identity platform. These applications have the ability to sign in users with both personal Microsoft accounts and work/school accounts from Azure Active Directory. To learn more about the Microsoft identity platform, see the [v2.0 overview](./v2-overview.md). These applications can also be used to integrate with the Microsoft account authentication endpoint, `https://login.live.com`.
## Azure AD only applications
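Review bot: the link text in the changed line still reads "see the [v2.0 overview](./v2-overview.md)" right after "(v2.0)" was removed from the surrounding sentence; consider "see the [Microsoft identity platform overview]" so the wording matches the rest of this change.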
@@ -35,7 +35,7 @@ This list contains all of your applications registered for use solely with Micro
## Application Secrets
-Application secrets are credentials that allow your application to perform reliable [client authentication](https://tools.ietf.org/html/rfc6749#section-2.3) with Microsoft identity platform. In OAuth & OpenID Connect, an application secret is commonly referred to as a `client_secret`. In the v2.0 protocol, any application that receives a security token at a web addressable location (using an `https` scheme) must use an application secret to identify itself to Microsoft identity platform upon redemption of that security token. Furthermore, any native client that receives tokens on a device will be forbidden from using an application secret to perform client authentication. This discourages the storage of secrets in insecure environments.
+Application secrets are credentials that allow your application to perform reliable [client authentication](https://tools.ietf.org/html/rfc6749#section-2.3) with Microsoft identity platform. In OAuth & OpenID Connect, an application secret is commonly referred to as a `client_secret`. In the v2.0 protocol, any application that receives a security token at a web addressable location (using an `https` scheme) must use an application secret to identify itself to the Microsoft identity platform upon redemption of that security token. Furthermore, any native client that receives tokens on a device will be forbidden from using an application secret to perform client authentication. This discourages the storage of secrets in insecure environments.
Each app can contain two valid application secrets at any given time. By maintaining two secrets, you have the ability to perform periodic key rollover across your application's entire environment. Once you've migrated the entirety of your application to a new secret, you may delete the old secret and provision a new one.
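Review bot: the first sentence of the changed line is left as "perform reliable client authentication with Microsoft identity platform" while the third sentence on the same line becomes "identify itself to the Microsoft identity platform"; apply the article to both occurrences for consistency within the paragraph.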
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/app-sign-in-flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/app-sign-in-flow.md a/articles/active-directory/develop/app-sign-in-flow.md
@@ -1,7 +1,7 @@
Title: App sign-in flow with Microsoft identity platform | Azure
+ Title: App sign-in flow with the Microsoft identity platform | Azure
-description: Learn about the sign-in flow of web, desktop, and mobile apps in Microsoft identity platform (v2.0).
+description: Learn about the sign-in flow of web, desktop, and mobile apps in Microsoft identity platform.
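Review bot: the new `+description:` line drops "(v2.0)" but omits the article, giving "in Microsoft identity platform." directly under a title that was just changed to "with the Microsoft identity platform"; make it "in the Microsoft identity platform."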
@@ -17,7 +17,7 @@
#Customer intent: As an application developer, I want to understand the sign-in flow of web, desktop, and mobile apps in Microsoft identity platform
-# App sign-in flow with Microsoft identity platform
+# App sign-in flow with the Microsoft identity platform
This topic discusses the basic sign-in flow for web, desktop, and mobile apps using Microsoft identity platform. See [Authentication flows and app scenarios](authentication-flows-app-scenarios.md) to learn about sign-in scenarios supported by Microsoft identity platform.
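Review bot: only the heading receives the article here; the `#Customer intent:` comment ("in Microsoft identity platform") and the body sentence in the same hunk ("using Microsoft identity platform ... supported by Microsoft identity platform") keep the old form. Three more replacements in this hunk would keep the page consistent with the heading.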
@@ -27,12 +27,12 @@ When a user navigates in the browser to a web app, the following happens:
* The web app determines whether the user is authenticated. * If the user isn't authenticated, the web app delegates to Azure AD to sign in the user. That sign in will be compliant with the policy of the organization, which may mean asking the user to enter their credentials, using [multi-factor authentication](../authentication/concept-mfa-howitworks.md) (sometimes referred to as two-factor authentication or 2FA), or not using a password at all (for example using Windows Hello).
-* The user is asked to consent to the access that the client app needs. This is why client apps need to be registered with Azure AD, so that Microsoft identity platform can deliver tokens representing the access that the user has consented to.
+* The user is asked to consent to the access that the client app needs. This is why client apps need to be registered with Azure AD, so that the Microsoft identity platform can deliver tokens representing the access that the user has consented to.
When the user has successfully authenticated:
-* Microsoft identity platform sends a token to the web app.
-* A cookie is saved, associated with Azure AD's domain, that contains the identity of the user in the browser's cookie jar. The next time an app uses the browser to navigate to the Microsoft identity platform authorization endpoint, the browser presents the cookie so that the user doesn't have to sign in again. This is also the way that SSO is achieved. The cookie is produced by Azure AD and can only be understood by Azure AD.
+* The Microsoft identity platform sends a token to the web app.
+* A cookie is saved, associated with Azure AD's domain, that contains the identity of the user in the browser's cookie jar. The next time an app uses the browser to navigate to the the Microsoft identity platform authorization endpoint, the browser presents the cookie so that the user doesn't have to sign in again. This is also the way that SSO is achieved. The cookie is produced by Azure AD and can only be understood by Azure AD.
* The web app then validates the token. If the validation succeeds, the web app displays the protected page and saves a session cookie in the browser's cookie jar. When the user navigates to another page, the web app knows that the user is authenticated based on the session cookie. The following sequence diagram summarizes this interaction:
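Review bot: the new cookie bullet introduces a doubled word: "navigate to the the Microsoft identity platform authorization endpoint"; drop one "the".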
@@ -45,12 +45,12 @@ Web app developers can indicate whether all or only certain pages require authen
This attribute causes ASP.NET to check for the presence of a session cookie containing the identity of the user. If a cookie isn't present, ASP.NET redirects authentication to the specified identity provider. If the identity provider is Azure AD, the web app redirects authentication to `https://login.microsoftonline.com`, which displays a sign-in dialog.
-### How a web app delegates sign-in to Microsoft identity platform and obtains a token
+### How a web app delegates sign-in to the Microsoft identity platform and obtains a token
User authentication happens via the browser. The OpenID protocol uses standard HTTP protocol messages. * The web app sends an HTTP 302 (redirect) to the browser to use Microsoft identity platform.
-* When the user is authenticated, Microsoft identity platform sends the token to the web app by using a redirect through the browser.
+* When the user is authenticated, the Microsoft identity platform sends the token to the web app by using a redirect through the browser.
* The redirect is provided by the web app in the form of a redirect URI. This redirect URI is registered with the Azure AD application object. There can be several redirect URIs because the application may be deployed at several URLs. So the web app will also need to specify the redirect URI to use. * Azure AD verifies that the redirect URI sent by the web app is one of the registered redirect URIs for the app.
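Review bot: the context bullet "The web app sends an HTTP 302 (redirect) to the browser to use Microsoft identity platform." sits between the heading and the bullet that both gain the article in this hunk but is left unchanged; change it to "to use the Microsoft identity platform" in the same edit.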
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/application-model https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/application-model.md a/articles/active-directory/develop/application-model.md
@@ -1,7 +1,7 @@
Title: Application model | Azure
-description: Learn about the process of registering your application so it can integrate with Microsoft identity platform (v2.0).
+description: Learn about the process of registering your application so it can integrate with Microsoft identity platform.
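Review bot: the new description reads "integrate with Microsoft identity platform." without the article this change adds everywhere else; use "integrate with the Microsoft identity platform."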
@@ -29,16 +29,16 @@ For an identity provider to know that a user has access to a particular app, bot
* Decide if you want to let users sign in only if they belong to your organization. This is a single tenant application. Or allow users to sign in using any work or school account. This is a multi-tenant application. You can also allow personal Microsoft accounts, or a social account from LinkedIn, Google, and so on. * Request scope permissions. For example, you can request the "user.read" scope, which grants permission to read the profile of the signed-in user. * Define scopes that define access to your web API. Typically, when an app wants to access your API, it will need to request permissions to the scopes you define.
-* Share a secret with Microsoft identity platform that proves the app's identity. This is relevant in the case where the app is a confidential client application. A confidential client application is an application that can hold credentials securely. They require a trusted backend server to store the credentials.
+* Share a secret with the Microsoft identity platform that proves the app's identity. This is relevant in the case where the app is a confidential client application. A confidential client application is an application that can hold credentials securely. They require a trusted backend server to store the credentials.
-Once registered, the application will be given a unique identifier that the app shares with Microsoft identity platform when it requests tokens. If the app is a [confidential client application](developer-glossary.md#client-application), it will also share the secret or the public key-depending on whether certificates or secrets were used.
+Once registered, the application will be given a unique identifier that the app shares with the Microsoft identity platform when it requests tokens. If the app is a [confidential client application](developer-glossary.md#client-application), it will also share the secret or the public key-depending on whether certificates or secrets were used.
-Microsoft identity platform represents applications using a model that fulfills two main functions:
+The Microsoft identity platform represents applications using a model that fulfills two main functions:
* Identify the app by the authentication protocols it supports * Provide all the identifiers, URLs, secrets, and related information that are needed to authenticate
-Microsoft identity platform:
+The Microsoft identity platform:
* Holds all the data required to support authentication at runtime * Holds all the data for deciding what resources an app might need to access, and under what circumstances a given request should be fulfilled
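Review bot: the changed line "it will also share the secret or the public key-depending on whether certificates or secrets were used" uses a hyphen where a comma is meant, which reads as the compound "key-depending"; since the line is being touched anyway, write "the secret or the public key, depending on whether certificates or secrets were used".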
@@ -52,7 +52,7 @@ Microsoft identity platform:
## Multi-tenant apps
-In Microsoft identity platform, an [application object](developer-glossary.md#application-object) describes an application. At deployment time, Microsoft identity platform uses the application object as a blueprint to create a [service principal](developer-glossary.md#service-principal-object), which represents a concrete instance of an application within a directory or tenant. The service principal defines what the app can actually do in a specific target directory, who can use it, what resources it has access to, and so on. Microsoft identity platform creates a service principal from an application object through [consent](developer-glossary.md#consent).
+In the Microsoft identity platform, an [application object](developer-glossary.md#application-object) describes an application. At deployment time, the Microsoft identity platform uses the application object as a blueprint to create a [service principal](developer-glossary.md#service-principal-object), which represents a concrete instance of an application within a directory or tenant. The service principal defines what the app can actually do in a specific target directory, who can use it, what resources it has access to, and so on. The Microsoft identity platform creates a service principal from an application object through [consent](developer-glossary.md#consent).
The following diagram shows a simplified Microsoft identity platform provisioning flow driven by consent. It shows two tenants: *A* and *B*.
@@ -66,7 +66,7 @@ In this provisioning flow:
1. A user from tenant B attempts to sign in with the app, the authorization endpoint requests a token for the application. 1. The user credentials are acquired and verified for authentication. 1. The user is prompted to provide consent for the app to gain access to tenant B.
-1. Microsoft identity platform uses the application object in tenant A as a blueprint for creating a service principal in tenant B.
+1. The Microsoft identity platform uses the application object in tenant A as a blueprint for creating a service principal in tenant B.
1. The user receives the requested token. You can repeat this process for additional tenants. Tenant A retains the blueprint for the app (application object). Users and admins of all the other tenants where the app is given consent keep control over what the application is allowed to do via the corresponding service principal object in each tenant. For more information, see [Application and service principal objects in Microsoft identity platform](app-objects-and-service-principals.md).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-flows-app-scenarios https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/authentication-flows-app-scenarios.md a/articles/active-directory/develop/authentication-flows-app-scenarios.md
@@ -18,7 +18,7 @@
# Authentication flows and application scenarios
-The Microsoft identity platform (v2.0) endpoint supports authentication for different kinds of modern application architectures. All of the architectures are based on the industry-standard protocols [OAuth 2.0 and OpenID Connect](active-directory-v2-protocols.md). By using the [authentication libraries for the Microsoft identity platform](reference-v2-libraries.md), applications authenticate identities and acquire tokens to access protected APIs.
+The Microsoft identity platform supports authentication for different kinds of modern application architectures. All of the architectures are based on the industry-standard protocols [OAuth 2.0 and OpenID Connect](active-directory-v2-protocols.md). By using the [authentication libraries for the Microsoft identity platform](reference-v2-libraries.md), applications authenticate identities and acquire tokens to access protected APIs.
This article describes authentication flows and the application scenarios that they're used in.
@@ -76,7 +76,7 @@ For more information, see [Supported account types](v2-supported-account-types.m
## Application scenarios
-The Microsoft identity platform endpoint supports authentication for these app architectures:
+The Microsoft identity platform supports authentication for these app architectures:
- Single-page apps - Web apps
@@ -92,7 +92,7 @@ Applications use the different authentication flows to sign in users and get tok
Many modern web apps are built as client-side single-page applications. These applications use JavaScript or a framework like Angular, Vue, and React. These applications run in a web browser.
-Single-page applications differ from traditional server-side web apps in terms of authentication characteristics. By using the Microsoft identity platform, single-page applications can sign in users and get tokens to access back-end services or web APIs. Microsoft identity platform offers two grant types for JavaScript applications:
+Single-page applications differ from traditional server-side web apps in terms of authentication characteristics. By using the Microsoft identity platform, single-page applications can sign in users and get tokens to access back-end services or web APIs. The Microsoft identity platform offers two grant types for JavaScript applications:
| MSAL.js (2.x) | MSAL.js (1.x) | |||
@@ -157,7 +157,7 @@ For more information, see [Mobile app that calls web APIs](scenario-mobile-overv
### Protected web API
-You can use the Microsoft identity platform endpoint to secure web services like your app's RESTful web API. A protected web API is called through an access token. The token helps secure the API's data and authenticate incoming requests. The caller of a web API appends an access token in the authorization header of an HTTP request.
+You can use the Microsoft identity platform to secure web services like your app's RESTful web API. A protected web API is called through an access token. The token helps secure the API's data and authenticate incoming requests. The caller of a web API appends an access token in the authorization header of an HTTP request.
If you want to protect your ASP.NET or ASP.NET Core web API, you need to validate the access token. For this validation, you use the ASP.NET JWT middleware. The validation is done by the [IdentityModel extensions for .NET](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki) library and not by MSAL.NET.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-vs-authorization https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/authentication-vs-authorization.md a/articles/active-directory/develop/authentication-vs-authorization.md
@@ -1,7 +1,7 @@
Title: Authentication vs. authorization | Azure
-description: Learn about the basics of authentication and authorization in the Microsoft identity platform (v2.0).
+description: Learn about the basics of authentication and authorization in the Microsoft identity platform.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/developer-glossary https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/developer-glossary.md a/articles/active-directory/develop/developer-glossary.md
@@ -30,7 +30,7 @@ Access tokens are sometimes referred to as "User+App" or "App-Only", depending o
* ["Authorization code" authorization grant](#authorization-grant), the end user authenticates first as the resource owner, delegating authorization to the client to access the resource. The client authenticates afterward when obtaining the access token. The token can sometimes be referred to more specifically as a "User+App" token, as it represents both the user that authorized the client application, and the application. * ["Client credentials" authorization grant](#authorization-grant), the client provides the sole authentication, functioning without the resource-owner's authentication/authorization, so the token can sometimes be referred to as an "App-Only" token.
-See [Microsoft identity platform Token Reference][AAD-Tokens-Claims] for more details.
+See the [Microsoft identity platform Token Reference][AAD-Tokens-Claims] for more details.
## application ID (client ID)
@@ -85,13 +85,13 @@ A credential representing the [resource owner's](#resource-owner) [authorization
As defined by the [OAuth2 Authorization Framework][OAuth2-Role-Def], the server responsible for issuing access tokens to the [client](#client-application) after successfully authenticating the [resource owner](#resource-owner) and obtaining its authorization. A [client application](#client-application) interacts with the authorization server at runtime via its [authorization](#authorization-endpoint) and [token](#token-endpoint) endpoints, in accordance with the OAuth2 defined [authorization grants](#authorization-grant).
-In the case of Microsoft identity platform application integration, Microsoft identity platform implements the authorization server role for Azure AD applications and Microsoft service APIs, for example [Microsoft Graph APIs][Microsoft-Graph].
+In the case of the Microsoft identity platform application integration, the Microsoft identity platform implements the authorization server role for Azure AD applications and Microsoft service APIs, for example [Microsoft Graph APIs][Microsoft-Graph].
## claim A [security token](#security-token) contains claims, which provide assertions about one entity (such as a [client application](#client-application) or [resource owner](#resource-owner)) to another entity (such as the [resource server](#resource-server)). Claims are name/value pairs that relay facts about the token subject (for example, the security principal that was authenticated by the [authorization server](#authorization-server)). The claims present in a given token are dependent upon several variables, including the type of token, the type of credential used to authenticate the subject, the application configuration, etc.
-See [Microsoft identity platform token reference][AAD-Tokens-Claims] for more details.
+See the [Microsoft identity platform token reference][AAD-Tokens-Claims] for more details.
## client application
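Review bot: "In the case of the Microsoft identity platform application integration" reads awkwardly because "Microsoft identity platform" is used attributively there (it modifies "application integration"); the article belongs only on the second occurrence in that sentence ("the Microsoft identity platform implements the authorization server role"). Either revert the first insertion or rephrase as "For application integration with the Microsoft identity platform, the Microsoft identity platform implements ...".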
@@ -109,11 +109,11 @@ See [consent framework](consent-framework.md) for more information.
An [OpenID Connect][OpenIDConnect-ID-Token] [security token](#security-token) provided by an [authorization server's](#authorization-server) [authorization endpoint](#authorization-endpoint), which contains [claims](#claim) pertaining to the authentication of an end user [resource owner](#resource-owner). Like an access token, ID tokens are also represented as a digitally signed [JSON Web Token (JWT)][JWT]. Unlike an access token though, an ID token's claims are not used for purposes related to resource access and specifically access control.
-See [Microsoft identity platform token reference][AAD-Tokens-Claims] for more details.
+See the [Microsoft identity platform token reference][AAD-Tokens-Claims] for more details.
## Microsoft identity platform
-Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) identity service and developer platform. It allows developers to build applications that sign in all Microsoft identities, get tokens to call Microsoft Graph, other Microsoft APIs, or APIs that developers have built. ItΓÇÖs a full-featured platform that consists of an authentication service, libraries, application registration and configuration, full developer documentation, code samples, and other developer content. The Microsoft identity platform supports industry standard protocols such as OAuth 2.0 and OpenID Connect.
+The Microsoft identity platform is an evolution of the Azure Active Directory (Azure AD) identity service and developer platform. It allows developers to build applications that sign in all Microsoft identities, get tokens to call Microsoft Graph, other Microsoft APIs, or APIs that developers have built. ItΓÇÖs a full-featured platform that consists of an authentication service, libraries, application registration and configuration, full developer documentation, code samples, and other developer content. The Microsoft identity platform supports industry standard protocols such as OAuth 2.0 and OpenID Connect.
## multi-tenant application
@@ -218,7 +218,7 @@ A type of [client application](#client-application) that executes all code on a
## Next steps
-The [Microsoft identity platform Developer's Guide][AAD-Dev-Guide] is the landing page to use for all Microsoft identity platform development-related topics, including an overview of [application integration][AAD-How-To-Integrate] and the basics of [Microsoft identity platform authentication and supported authentication scenarios][AAD-Auth-Scenarios]. You can also find code samples & tutorials on how to get up and running quickly on [GitHub](https://github.com/azure-samples?utf8=%E2%9C%93&q=active%20directory&type=&language=).
+The [Microsoft identity platform Developer's Guide][AAD-Dev-Guide] is the landing page to use for all the Microsoft identity platform development-related topics, including an overview of [application integration][AAD-How-To-Integrate] and the basics of the [Microsoft identity platform authentication and supported authentication scenarios][AAD-Auth-Scenarios]. You can also find code samples & tutorials on how to get up and running quickly on [GitHub](https://github.com/azure-samples?utf8=%E2%9C%93&q=active%20directory&type=&language=).
Use the following comments section to provide feedback and help to refine and shape this content, including requests for new definitions or updating existing ones!
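Review bot: both insertions in the Next steps paragraph are attributive uses and read wrong with the article: "for all the Microsoft identity platform development-related topics" now reads as "all the ... topics", and "the basics of the [Microsoft identity platform authentication and supported authentication scenarios]" inserts an article into a link whose text is the target article's title. Drop these two insertions and leave the paragraph as it was.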
@@ -231,7 +231,7 @@ Use the following comments section to provide feedback and help to refine and sh
[AAD-Dev-Guide]:azure-ad-developers-guide.md [Graph-Perm-Scopes]: /graph/permissions-reference [Graph-App-Resource]: /graph/api/resources/application
-[Graph-Sp-Resource]: /graph/api/resources/serviceprincipal?view=graph-rest-beta
+[Graph-Sp-Resource]: /graph/api/resources/serviceprincipal?view=graph-rest-beta&preserve-view=true
[Graph-User-Resource]: /graph/api/resources/user [AAD-How-Subscriptions-Assoc]:../fundamentals/active-directory-how-subscriptions-associated-directory.md [AAD-How-To-Integrate]: ./active-directory-how-to-integrate.md
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/howto-convert-app-to-be-multi-tenant.md a/articles/active-directory/develop/howto-convert-app-to-be-multi-tenant.md
@@ -48,7 +48,7 @@ In a single-tenant application, sign-in requests are sent to the tenantΓÇÖs sign
With a multi-tenant application, the application doesnΓÇÖt know up front what tenant the user is from, so you canΓÇÖt send requests to a tenantΓÇÖs endpoint. Instead, requests are sent to an endpoint that multiplexes across all Azure AD tenants: `https://login.microsoftonline.com/common`
-When Microsoft identity platform receives a request on the /common endpoint, it signs the user in and, as a consequence, discovers which tenant the user is from. The /common endpoint works with all of the authentication protocols supported by the Azure AD: OpenID Connect, OAuth 2.0, SAML 2.0, and WS-Federation.
+When the Microsoft identity platform receives a request on the /common endpoint, it signs the user in and, as a consequence, discovers which tenant the user is from. The /common endpoint works with all of the authentication protocols supported by the Azure AD: OpenID Connect, OAuth 2.0, SAML 2.0, and WS-Federation.
The sign-in response to the application then contains a token representing the user. The issuer value in the token tells an application what tenant the user is from. When a response returns from the /common endpoint, the issuer value in the token corresponds to the userΓÇÖs tenant.
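Review bot: while adding "the" before "Microsoft identity platform" on the `+` line, also drop the article in "supported by the Azure AD" (it should read "supported by Azure AD"), since the sentence is being touched anyway; the rest of the hunk is unchanged context and reads fine.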
@@ -106,7 +106,7 @@ For a multi-tenant application, the initial registration for the application liv
![Illustrates consent to single-tier app][Consent-Single-Tier]
-This consent experience is affected by the permissions requested by the application. Microsoft identity platform supports two kinds of permissions, app-only and delegated.
+This consent experience is affected by the permissions requested by the application. The Microsoft identity platform supports two kinds of permissions, app-only and delegated.
* A delegated permission grants an application the ability to act as a signed in user for a subset of the things the user can do. For example, you can grant an application the delegated permission to read the signed in userΓÇÖs calendar. * An app-only permission is granted directly to the identity of the application. For example, you can grant an application the app-only permission to read the list of users in a tenant, regardless of who is signed in to the application.
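Review bot: style only, in the unchanged bullet after the `+` line: "act as a signed in user" and "the signed in user's calendar" should hyphenate the compound adjective ("signed-in user"), matching the hyphenation used elsewhere in this article set.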
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/id-tokens.md a/articles/active-directory/develop/id-tokens.md
@@ -85,7 +85,7 @@ This list shows the JWT claims that are in most id_tokens by default (except whe
|`groups:src1`|JSON object | For token requests that are not length limited (see `hasgroups` above) but still too large for the token, a link to the full groups list for the user will be included. For JWTs as a distributed claim, for SAML as a new claim in place of the `groups` claim. <br><br>**Example JWT Value**: <br> `"groups":"src1"` <br> `"_claim_sources`: `"src1" : { "endpoint" : "https://graph.microsoft.com/v1.0/users/{userID}/getMemberObjects" }`<br><br> For more info, see [Groups overage claim](#groups-overage-claim).| > [!NOTE]
-> The v1.0 and v2.0 id_token have differences in the amount of information they will carry as seen from the examples above. The version is based on the endpoint from where it was requested. While existing applications likely use the Azure AD endpoint, new applications should use the v2.0 "Microsoft identity platform" endpoint.
+> The v1.0 and v2.0 id_token have differences in the amount of information they will carry as seen from the examples above. The version is based on the endpoint from where it was requested. While existing applications likely use the Azure AD endpoint, new applications should use the "Microsoft identity platform".
> > - v1.0: Azure AD endpoints: `https://login.microsoftonline.com/common/oauth2/authorize` > - v2.0: Microsoft identity Platform endpoints: `https://login.microsoftonline.com/common/oauth2/v2.0/authorize`
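Review bot: the rewritten `+` line drops the word "endpoint" but keeps the quotation marks, so it now reads `new applications should use the "Microsoft identity platform".`, which no longer parallels "the Azure AD endpoint" earlier in the same sentence; suggest `new applications should use the Microsoft identity platform endpoint.` without quotes. The bullets that follow still say "Microsoft identity Platform endpoints" with a capital P, which should be lower-cased for consistency with the rest of this change set.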
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/identity-platform-integration-checklist https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/identity-platform-integration-checklist.md a/articles/active-directory/develop/identity-platform-integration-checklist.md
@@ -1,5 +1,5 @@
Title: Best practices for Microsoft identity platform | Azure
+ Title: Best practices for the Microsoft identity platform | Azure
description: Learn about best practices, recommendations, and common oversights when integrating with the Microsoft identity platform.
@@ -101,7 +101,7 @@ Use the following checklist to ensure that your application is effectively integ
Explore in-depth information about v2.0:
-* [Microsoft identity platform (v2.0 overview)](v2-overview.md)
+* [Microsoft identity platform (overview)](v2-overview.md)
* [Microsoft identity platform protocols reference](active-directory-v2-protocols.md) * [Access tokens reference](access-tokens.md) * [ID tokens reference](id-tokens.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-adal-msal-java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/migrate-adal-msal-java.md a/articles/active-directory/develop/migrate-adal-msal-java.md
@@ -26,7 +26,7 @@ Both the Microsoft Authentication Library for Java (MSAL4J) and Azure AD Authent
MSAL offers the following benefits: -- Because it uses the newer Microsoft identity platform endpoint, you can authenticate a broader set of Microsoft identities such as Azure AD identities, Microsoft accounts, and social and local accounts through Azure AD Business to Consumer (B2C).
+- Because it uses the newer Microsoft identity platform, you can authenticate a broader set of Microsoft identities such as Azure AD identities, Microsoft accounts, and social and local accounts through Azure AD Business to Consumer (B2C).
- Your users will get the best single-sign-on experience. - Your application can enable incremental consent, and supporting conditional access is easier.
@@ -34,13 +34,13 @@ MSAL for Java is the auth library we recommend you use with the Microsoft identi
## Differences
-If you have been working with the Azure AD for developers (v1.0) endpoint (and ADAL4J), you might want to read [What's different about the Microsoft identity platform (v2.0) endpoint?](../azuread-dev/azure-ad-endpoint-comparison.md).
+If you have been working with the Azure AD for developers (v1.0) endpoint (and ADAL4J), you might want to read [What's different about the Microsoft identity platform?](../azuread-dev/azure-ad-endpoint-comparison.md).
## Scopes not resources ADAL4J acquires tokens for resources whereas MSAL for Java acquires tokens for scopes. A number of MSAL for Java classes require a scopes parameter. This parameter is a list of strings that declare the desired permissions and resources that are requested. See [Microsoft Graph's scopes](/graph/permissions-reference) to see example scopes.
-You can add the `/.default` scope suffix to the resource to help migrate your apps from the v1.0 endpoint (ADAL) to the Microsoft identity platform endpoint (MSAL). For example, for the resource value of `https://graph.microsoft.com`, the equivalent scope value is `https://graph.microsoft.com/.default`. If the resource is not in the URL form, but a resource ID of the form `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX`, you can still use the scope value as `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX/.default`.
+You can add the `/.default` scope suffix to the resource to help migrate your apps from the ADAL to MSAL. For example, for the resource value of `https://graph.microsoft.com`, the equivalent scope value is `https://graph.microsoft.com/.default`. If the resource is not in the URL form, but a resource ID of the form `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX`, you can still use the scope value as `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX/.default`.
For more details about the different types of scopes, refer [Permissions and consent in the Microsoft identity platform](./v2-permissions-and-consent.md) and the [Scopes for a Web API accepting v1.0 tokens](./msal-v1-app-scopes.md) articles.
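Review bot: the `+` line introduces a stray article: "migrate your apps from the ADAL to MSAL" should be "from ADAL to MSAL". In the unchanged context line that follows, "refer [Permissions and consent ...]" should be "refer to [Permissions and consent ...]".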
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-objc-adal-msal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/migrate-objc-adal-msal.md a/articles/active-directory/develop/migrate-objc-adal-msal.md
@@ -35,14 +35,14 @@ The Microsoft identity platform has a few key differences with Azure Active Dire
### Standards compliance
-* The Microsoft identity Platform endpoint follows OAuth 2.0 and OpenId Connect standards.
+* The Microsoft identity platform follows OAuth 2.0 and OpenId Connect standards.
### Incremental and dynamic consent * The Azure Active Directory v1.0 endpoint requires that all permissions be declared in advance during application registration. This means those permissions are static. * The Microsoft identity platform allows you to request permissions dynamically. Apps can ask for permissions only as needed and request more as the app needs them.
-For more about differences between Azure Active Directory v1.0 and the Microsoft identity platform, see [Why update to Microsoft identity platform (v2.0)?](../azuread-dev/azure-ad-endpoint-comparison.md).
+For more about differences between Azure Active Directory v1.0 and the Microsoft identity platform, see [Why update to Microsoft identity platform?](../azuread-dev/azure-ad-endpoint-comparison.md).
## ADAL and MSAL library differences
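Review bot: the new link text "Why update to Microsoft identity platform?" omits the article that the rest of this change set is adding ("the Microsoft identity platform"); keep the phrasing consistent with the Standards compliance bullet just above, which was changed to "The Microsoft identity platform follows ...".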
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-python-adal-msal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/migrate-python-adal-msal.md a/articles/active-directory/develop/migrate-python-adal-msal.md
@@ -35,13 +35,13 @@ Supports:
- OAuth v2.0 - OpenID Connect (OIDC)
-See [What's different about the Microsoft identity platform (v2.0) endpoint?](../azuread-dev/azure-ad-endpoint-comparison.md) for more details.
+See [What's different about the Microsoft identity platform?](../azuread-dev/azure-ad-endpoint-comparison.md) for more details.
### Scopes not resources ADAL Python acquires tokens for resources, but MSAL Python acquires tokens for scopes. The API surface in MSAL Python does not have resource parameter anymore. You would need to provide scopes as a list of strings that declare the desired permissions and resources that are requested. To see some example of scopes, see [Microsoft Graph's scopes](/graph/permissions-reference).
-You can add the `/.default` scope suffix to the resource to help migrate your apps from the v1.0 endpoint (ADAL) to the Microsoft identity platform endpoint (MSAL). For example, for the resource value of `https://graph.microsoft.com`, the equivalent scope value is `https://graph.microsoft.com/.default`. If the resource is not in the URL form, but a resource ID of the form `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX`, you can still use the scope value as `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX/.default`.
+You can add the `/.default` scope suffix to the resource to help migrate your apps from the v1.0 endpoint (ADAL) to the Microsoft identity platform (MSAL). For example, for the resource value of `https://graph.microsoft.com`, the equivalent scope value is `https://graph.microsoft.com/.default`. If the resource is not in the URL form, but a resource ID of the form `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX`, you can still use the scope value as `XXXXXXXX-XXXX-XXXX-XXXXXXXXXXXX/.default`.
For more details about the different types of scopes, refer [Permissions and consent in the Microsoft identity platform](./v2-permissions-and-consent.md) and the [Scopes for a Web API accepting v1.0 tokens](./msal-v1-app-scopes.md) articles.
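Review bot: this `+` line keeps "from the v1.0 endpoint (ADAL) to the Microsoft identity platform (MSAL)" while the equivalent sentence in the Java migration article in this same change set was shortened to "from the ADAL to MSAL"; pick one wording for both. Also in the unchanged context: "does not have resource parameter anymore" reads better as "no longer has a resource parameter", and "To see some example of scopes" should be "examples".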
@@ -91,7 +91,7 @@ def get_preexisting_rt_and_their_scopes_from_elsewhere():
# You may be able to append "/.default" to your v1 resource to form a scope # See https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope
- # Or maybe you have an app already talking to Microsoft identity platform v2,
+ # Or maybe you have an app already talking to the Microsoft identity platform,
# powered by some 3rd-party auth library, and persist its tokens somehow. # Either way, you need to extract RTs from there, and return them like this.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/migrate-spa-implicit-to-auth-code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/migrate-spa-implicit-to-auth-code.md a/articles/active-directory/develop/migrate-spa-implicit-to-auth-code.md
@@ -85,7 +85,7 @@ When you uncheck the implicit grant settings in the app registration, the implic
## Next steps
-To learn more about the authorization code flow, including the differences between the implicit and auth code flows, see [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md).
+To learn more about the authorization code flow, including the differences between the implicit and auth code flows, see the [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md).
If you'd like to dive deeper into JavaScript single-page application development on the Microsoft identity platform, the multi-part [Scenario: Single-page application](scenario-spa-overview.md) series of articles can help you get started.
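Review bot: inserting "the" in front of a link whose text is an article title gives "see the [Microsoft identity platform and OAuth 2.0 authorization code flow](...)", which reads as if a noun were missing; either leave out "the" or add "article" after the link.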
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-acquire-cache-tokens https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-acquire-cache-tokens.md a/articles/active-directory/develop/msal-acquire-cache-tokens.md
@@ -27,7 +27,7 @@ You can also clear the token cache, which is achieved by removing the accounts f
## Scopes when acquiring tokens
-[Scopes](v2-permissions-and-consent.md) are the permissions that a web API exposes that client applications can request access to. Client applications request the user's consent for these scopes when making authentication requests to get tokens to access the web APIs. MSAL allows you to get tokens to access Azure AD for developers (v1.0) and Microsoft identity platform (v2.0) APIs. v2.0 protocol uses scopes instead of resource in the requests. For more information, read [v1.0 and v2.0 comparison](../azuread-dev/azure-ad-endpoint-comparison.md). Based on the web API's configuration of the token version it accepts, the v2.0 endpoint returns the access token to MSAL.
+[Scopes](v2-permissions-and-consent.md) are the permissions that a web API exposes that client applications can request access to. Client applications request the user's consent for these scopes when making authentication requests to get tokens to access the web APIs. MSAL allows you to get tokens to access Azure AD for developers (v1.0) and the Microsoft identity platform APIs. v2.0 protocol uses scopes instead of resource in the requests. For more information, read [v1.0 and v2.0 comparison](../azuread-dev/azure-ad-endpoint-comparison.md). Based on the web API's configuration of the token version it accepts, the v2.0 endpoint returns the access token to MSAL.
Several of MSAL's token acquisition methods require a `scopes` parameter. The `scopes` parameter is a list of strings that declare the desired permissions and the resources requested. Well-known scopes are the [Microsoft Graph permissions](/graph/permissions-reference).
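Review bot: after "(v2.0)" is removed from the sentence on the `+` line, the following sentences "v2.0 protocol uses scopes instead of resource in the requests" and "the v2.0 endpoint returns the access token to MSAL" refer to a v2.0 that is no longer introduced; suggest "The Microsoft identity platform uses scopes instead of a resource in requests" and "the Microsoft identity platform returns the access token to MSAL" so the paragraph stays consistent, and add "a" before "resource".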
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-android-handling-exceptions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-android-handling-exceptions.md a/articles/active-directory/develop/msal-android-handling-exceptions.md
@@ -74,4 +74,4 @@ private SilentAuthenticationCallback getAuthSilentCallback() {
## Next steps
-Learn more about [logging errors](./msal-logging.md?tabs=android)
\ No newline at end of file
+Learn more about [Logging in MSAL for Android](msal-logging-android.md).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-android-shared-devices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-android-shared-devices.md a/articles/active-directory/develop/msal-android-shared-devices.md
@@ -37,7 +37,7 @@ To create a shared device mode app, developers and cloud device admins work toge
## Single vs multiple-account applications
-Applications written using the Microsoft Authentication Library SDK (MSAL) can manage a single account or multiple accounts. For details, see [single-account mode or multiple-account mode](single-multi-account.md). Microsoft identity platform features available to your app vary depending on whether the application is running in single-account mode or multiple-account mode.
+Applications written using the Microsoft Authentication Library SDK (MSAL) can manage a single account or multiple accounts. For details, see [single-account mode or multiple-account mode](single-multi-account.md). The Microsoft identity platform features available to your app vary depending on whether the application is running in single-account mode or multiple-account mode.
**Shared device mode apps only work in single-account mode**.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-authentication-flows.md a/articles/active-directory/develop/msal-authentication-flows.md
@@ -10,7 +10,7 @@
Previously updated : 07/08/2020 Last updated : 01/25/2021 # Customer intent: As an application developer, I want to learn about the authentication flows supported by MSAL.
@@ -220,7 +220,7 @@ This means that one of the following is true:
- You've provided a way for users to consent to the application; see [Requesting individual user consent](v2-permissions-and-consent.md#requesting-individual-user-consent). - You've provided a way for the tenant admin to consent for the application; see [admin consent](v2-permissions-and-consent.md#requesting-consent-for-an-entire-tenant).
-The IWA flow is enabled for .NET desktop, .NET Core, and Windows Universal Platform apps. On .NET Core you must provide the username to IWA, because .NET Core can't obtain usernames from the operating system.
+The IWA flow is enabled for .NET desktop, .NET Core, and Windows Universal Platform apps.
For more information on consent, see [v2.0 permissions and consent](v2-permissions-and-consent.md).
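Review bot: the removed sentence on the `-` line ("On .NET Core you must provide the username to IWA, because .NET Core can't obtain usernames from the operating system.") stated a functional constraint, not wording, and the `+` line replaces it with nothing. If the limitation has been lifted, say in which library version or platform it no longer applies; if it still holds, keep the sentence, since developers will otherwise hit the failure with no documented cause.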
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-client-application-configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-client-application-configuration.md a/articles/active-directory/develop/msal-client-application-configuration.md
@@ -146,8 +146,20 @@ For daemon apps, you don't need to specify a redirect URI.
This option specifies the client secret for the confidential client app. This secret (app password) is provided by the application registration portal or provided to Azure AD during app registration with PowerShell AzureAD, PowerShell AzureRM, or Azure CLI. ## Logging-
-The other configuration options enable logging and troubleshooting. See the [Logging](msal-logging.md) article for details on how to use them.
+To help in debugging and authentication failure troubleshooting scenarios, the Microsoft Authentication Library provides built-in logging support. Logging is each library is covered in the following articles:
+
+:::row:::
+ :::column:::
+ - [Logging in MSAL.NET](msal-logging-dotnet.md)
+ - [Logging in MSAL for Android](msal-logging-android.md)
+ - [Logging in MSAL.js](msal-logging-js.md)
+ :::column-end:::
+ :::column:::
+ - [Logging in MSAL for iOS/macOS](msal-logging-ios.md)
+ - [Logging in MSAL for Java](msal-logging-java.md)
+ - [Logging in MSAL for Python](msal-logging-python.md)
+ :::column-end:::
+:::row-end:::
## Next steps
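Review bot: typo on the first `+` line: "Logging is each library is covered in the following articles" should be "Logging in each library is covered in the following articles". Also consider using "MSAL" rather than spelling out "the Microsoft Authentication Library" here, since the surrounding text already uses the abbreviation.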
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-compare-msal-js-and-adal-js https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-compare-msal-js-and-adal-js.md a/articles/active-directory/develop/msal-compare-msal-js-and-adal-js.md
@@ -19,7 +19,7 @@
# Differences between MSAL.js and ADAL.js
-Both the Microsoft Authentication Library for JavaScript (MSAL.js) and Azure AD Authentication Library for JavaScript (ADAL.js) are used to authenticate Azure AD entities and request tokens from Azure AD. Up until now, most developers have worked with Azure AD for developers (v1.0) to authenticate Azure AD identities (work and school accounts) by requesting tokens using ADAL. Now, using MSAL.js, you can authenticate a broader set of Microsoft identities (Azure AD identities and Microsoft accounts, and social and local accounts through Azure AD B2C) through Microsoft identity platform (v2.0).
+Both the Microsoft Authentication Library for JavaScript (MSAL.js) and Azure AD Authentication Library for JavaScript (ADAL.js) are used to authenticate Azure AD entities and request tokens from Azure AD. Up until now, most developers have worked with Azure AD for developers (v1.0) to authenticate Azure AD identities (work and school accounts) by requesting tokens using ADAL. Now, using MSAL.js, you can authenticate a broader set of Microsoft identities (Azure AD identities and Microsoft accounts, and social and local accounts through Azure AD B2C) through the Microsoft identity platform.
This article describes how to choose between the Microsoft Authentication Library for JavaScript (MSAL.js) and Azure AD Authentication Library for JavaScript (ADAL.js) and compares the two libraries.
@@ -93,4 +93,4 @@ In v2.0, using the `https://login.microsoftonline.com/common` authority, will al
``` ## Next steps
-For more information, refer to [v1.0 and v2.0 comparison](../azuread-dev/azure-ad-endpoint-comparison.md).
\ No newline at end of file
+For more information, refer to [v1.0 and v2.0 comparison](../azuread-dev/azure-ad-endpoint-comparison.md).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-error-handling-dotnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-error-handling-dotnet.md a/articles/active-directory/develop/msal-error-handling-dotnet.md
@@ -172,4 +172,4 @@ do
## Next steps
-Consider enabling [logging in MSAL.NET](msal-logging.md?tabs=dotnet) to help you diagnose and debug issues.
+Consider enabling [Logging in MSAL.NET](msal-logging-dotnet.md) to help you diagnose and debug issues.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-error-handling-ios https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-error-handling-ios.md a/articles/active-directory/develop/msal-error-handling-ios.md
@@ -237,4 +237,4 @@ See [Request custom claims using MSAL for iOS and macOS](request-custom-claims.m
## Next steps
-Consider enabling [Logging in MSAL iOS/macOS](msal-logging.md?tabs=swift) to help you diagnose and debug issues.
+Consider enabling [Logging in MSAL for iOS/macOS](msal-logging-ios.md) to help you diagnose and debug issues.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-error-handling-java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-error-handling-java.md a/articles/active-directory/develop/msal-error-handling-java.md
@@ -81,4 +81,4 @@ MSAL exposes a `reason` field, which you can use to provide a better user experi
## Next steps
-Consider enabling [Logging in MSAL for Java](msal-logging.md?tabs=java) to help you diagnose and debug issues.
+Consider enabling [Logging in MSAL for Java](msal-logging-java.md) to help you diagnose and debug issues.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-error-handling-js https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-error-handling-js.md a/articles/active-directory/develop/msal-error-handling-js.md
@@ -150,4 +150,4 @@ See [Requesting Additional Claims](active-directory-optional-claims.md) for more
## Next steps
-Consider enabling [Logging in MSAL.js](msal-logging.md?tabs=javascript) to help you diagnose and debug issues.
+Consider enabling [Logging in MSAL.js](msal-logging-js.md) to help you diagnose and debug issues.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-error-handling-python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-error-handling-python.md a/articles/active-directory/develop/msal-error-handling-python.md
@@ -36,4 +36,4 @@ In MSAL for Python, exceptions are rare because most errors are handled by retur
## Next steps
-Consider enabling [Logging in MSAL for Python](msal-logging.md?tabs=python) to help you diagnose and debug issues.
+Consider enabling [Logging in MSAL for Python](msal-logging-python.md) to help you diagnose and debug issues.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-logging-android https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-logging-android.md new file mode 100644 /dev/null
@@ -0,0 +1,66 @@
+
+ Title: Logging errors and exceptions in MSAL for Android.
+
+description: Learn how to log errors and exceptions in MSAL for Android.
++++++++ Last updated : 01/25/2021++++
+# Logging in MSAL for Android
+
+[!INCLUDE [MSAL logging introduction](../../../includes/active-directory-develop-error-logging-introduction.md)]
+
+## Logging in MSAL for Android using Java
+
+Turn logging on at app creation by creating a logging callback. The callback takes these parameters:
+
+- `tag` is a string passed to the callback by the library. It is associated with the log entry and can be used to sort logging messages.
+- `logLevel` enables you to decide which level of logging you want. The supported log levels are: `Error`, `Warning`, `Info`, and `Verbose`.
+- `message` is the content of the log entry.
+- `containsPII` specifies whether messages containing personal data, or organizational data are logged. By default, this is set to false, so that your application doesn't log personal data. If `containsPII` is `true`, this method will receive the messages twice: once with the `containsPII` parameter set to `false` and the `message` without personal data, and a second time with the `containsPii` parameter set to `true` and the message might contain personal data. In some cases (when the message does not contain personal data), the message will be the same.
+
+```java
+private StringBuilder mLogs;
+
+mLogs = new StringBuilder();
+Logger.getInstance().setExternalLogger(new ILoggerCallback()
+{
+ @Override
+ public void log(String tag, Logger.LogLevel logLevel, String message, boolean containsPII)
+ {
+ mLogs.append(message).append('\n');
+ }
+});
+```
+
+By default, the MSAL logger will not capture any personal identifiable information or organizational identifiable information.
+To enable the logging of personal identifiable information or organizational identifiable information:
+
+```java
+Logger.getInstance().setEnablePII(true);
+```
+
+To disable logging personal data and organization data:
+
+```java
+Logger.getInstance().setEnablePII(false);
+```
+
+By default logging to logcat is disabled. To enable:
+
+```java
+Logger.getInstance().setEnableLogcatLog(true);
+```
+
+## Next steps
+
+For more code samples, refer to [Microsoft identity platform code samples)](sample-v2-code.md).
\ No newline at end of file
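Review bot: the Java sample appends every message to `mLogs` without checking `containsPII`, so once the page's later `Logger.getInstance().setEnablePII(true);` is called, personal data is collected in that buffer unfiltered; gate on the flag the way the iOS sample in this change set does (`if (!containsPII) { mLogs.append(message).append('\n'); }`) or state that the buffer must be treated as sensitive. Secondary points: the `containsPII` bullet switches to `containsPii` mid-sentence; "personal identifiable information" should be "personally identifiable information"; the snippet mixes a field declaration with top-level statements and will not compile as shown; and the Next steps link text has a stray closing parenthesis ("code samples)").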
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-logging-dotnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-logging-dotnet.md new file mode 100644 /dev/null
@@ -0,0 +1,63 @@
+
+ Title: Logging errors and exceptions in MSAL.NET
+
+description: Learn how to log errors and exceptions in MSAL.NET
++++++++ Last updated : 01/25/2021++++
+# Logging in MSAL.NET
+
+[!INCLUDE [MSAL logging introduction](../../../includes/active-directory-develop-error-logging-introduction.md)]
+
+## Configure logging in MSAL.NET
+
+In MSAL 3.x, logging is set per application at app creation using the `.WithLogging` builder modifier. This method takes optional parameters:
+
+- `Level` enables you to decide which level of logging you want. Setting it to Errors will only get errors
+- `PiiLoggingEnabled` enables you to log personal and organizational data if set to true. By default this is set to false, so that your application does not log personal data.
+- `LogCallback` is set to a delegate that does the logging. If `PiiLoggingEnabled` is true, this method will receive the messages twice: once with the `containsPii` parameter equals false and the message without personal data, and a second time with the `containsPii` parameter equals to true and the message might contain personal data. In some cases (when the message does not contain personal data), the message will be the same.
+- `DefaultLoggingEnabled` enables the default logging for the platform. By default it's false. If you set it to true it uses Event Tracing in Desktop/UWP applications, NSLog on iOS and logcat on Android.
+
+```csharp
+class Program
+ {
+ private static void Log(LogLevel level, string message, bool containsPii)
+ {
+ if (containsPii)
+ {
+ Console.ForegroundColor = ConsoleColor.Red;
+ }
+ Console.WriteLine($"{level} {message}");
+ Console.ResetColor();
+ }
+
+ static void Main(string[] args)
+ {
+ var scopes = new string[] { "User.Read" };
+
+ var application = PublicClientApplicationBuilder.Create("<clientID>")
+ .WithLogging(Log, LogLevel.Info, true)
+ .Build();
+
+ AuthenticationResult result = application.AcquireTokenInteractive(scopes)
+ .ExecuteAsync().Result;
+ }
+ }
+ ```
+
+> [!TIP]
+ > See the [MSAL.NET wiki](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki) for samples of MSAL.NET logging and more.
+
+## Next steps
+
+For more code samples, refer to [Microsoft identity platform code samples)](sample-v2-code.md).
\ No newline at end of file
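Review bot: the sample calls `.WithLogging(Log, LogLevel.Info, true)`, which enables PII logging, and the `Log` callback only colours such messages red rather than suppressing them, so a copy-pasted sample writes personal data to the console by default; pass `false` here, or show the callback discarding `containsPii` messages outside debug builds, and reserve `true` for an explicit troubleshooting note. Also: `.ExecuteAsync().Result` blocks synchronously and can deadlock in UI or ASP.NET contexts (prefer `await`); the closing code fence is indented by a space, which breaks rendering; the `Level` bullet ("Setting it to Errors will only get errors") lacks a period; and the Next steps link text has a stray closing parenthesis ("code samples)").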
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-logging-ios https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-logging-ios.md new file mode 100644 /dev/null
@@ -0,0 +1,181 @@
+
+ Title: Logging errors and exceptions in MSAL for iOS/macOS
+
+description: Learn how to log errors and exceptions in MSAL for iOS/macOS
++++++++ Last updated : 01/25/2021++++
+# Logging in MSAL for iOS/macOS
+
+[!INCLUDE [MSAL logging introduction](../../../includes/active-directory-develop-error-logging-introduction.md)]
+
+## [Objective-C](#tab/objc)
+
+## MSAL for iOS and macOS logging-ObjC
+
+Set a callback to capture MSAL logging and incorporate it in your own application's logging. The signature for the callback looks like this:
+
+```objc
+/*!
+ The LogCallback block for the MSAL logger
+
+ @param level The level of the log message
+ @param message The message being logged
+ @param containsPII If the message might contain Personally Identifiable Information (PII)
+ this will be true. Log messages possibly containing PII will not be
+ sent to the callback unless PIllLoggingEnabled is set to YES on the
+ logger.
+
+ */
+typedef void (^MSALLogCallback)(MSALLogLevel level, NSString *message, BOOL containsPII);
+```
+
+For example:
+
+```objc
+[MSALGlobalConfig.loggerConfig setLogCallback:^(MSALLogLevel level, NSString *message, BOOL containsPII)
+ {
+ if (!containsPII)
+ {
+#if DEBUG
+ // IMPORTANT: MSAL logs may contain sensitive information. Never output MSAL logs with NSLog, or print, directly unless you're running your application in debug mode. If you're writing MSAL logs to file, you must store the file securely.
+ NSLog(@"MSAL log: %@", message);
+#endif
+ }
+ }];
+```
+
+### Personal data
+
+By default, MSAL doesn't capture or log any personal data. The library allows app developers to turn this on through a property in the MSALLogger class. By turning on `pii.Enabled`, the app takes responsibility for safely handling highly sensitive data and following regulatory requirements.
+
+```objc
+// By default, the `MSALLogger` doesn't capture any PII
+
+// PII will be logged
+MSALGlobalConfig.loggerConfig.piiEnabled = YES;
+
+// PII will NOT be logged
+MSALGlobalConfig.loggerConfig.piiEnabled = NO;
+```
+
+### Logging levels
+
+To set the logging level when you log using MSAL for iOS and macOS, use one of the following values:
+
+|Level |Description |
+|||
+| `MSALLogLevelNothing`| Disable all logging |
+| `MSALLogLevelError` | Default level, prints out information only when errors occur |
+| `MSALLogLevelWarning` | Warnings |
+| `MSALLogLevelInfo` | Library entry points, with parameters and various keychain operations |
+|`MSALLogLevelVerbose` | API tracing |
+
+For example:
+
+```objc
+MSALGlobalConfig.loggerConfig.logLevel = MSALLogLevelVerbose;
+ ```
+
+ ### Log message format
+
+The message portion of MSAL log messages is in the format of `TID = <thread_id> MSAL <sdk_ver> <OS> <OS_ver> [timestamp - correlation_id] message`
+
+For example:
+
+`TID = 551563 MSAL 0.2.0 iOS Sim 12.0 [2018-09-24 00:36:38 - 36764181-EF53-4E4E-B3E5-16FE362CFC44] acquireToken returning with error: (MSALErrorDomain, -42400) User cancelled the authorization session.`
+
+Providing correlation IDs and timestamps are helpful for tracking down issues. Timestamp and correlation ID information is available in the log message. The only reliable place to retrieve them is from MSAL logging messages.
+
+## [Swift](#tab/swift)
+
+## MSAL for iOS and macOS logging-Swift
+
+Set a callback to capture MSAL logging and incorporate it in your own application's logging. The signature (represented in Objective-C) for the callback looks like this:
+
+```objc
+/*!
+ The LogCallback block for the MSAL logger
+
+ @param level The level of the log message
+ @param message The message being logged
+ @param containsPII If the message might contain Personally Identifiable Information (PII)
+ this will be true. Log messages possibly containing PII will not be
+ sent to the callback unless PIllLoggingEnabled is set to YES on the
+ logger.
+
+ */
+typedef void (^MSALLogCallback)(MSALLogLevel level, NSString *message, BOOL containsPII);
+```
+
+For example:
+
+```swift
+MSALGlobalConfig.loggerConfig.setLogCallback { (level, message, containsPII) in
+ if let message = message, !containsPII
+ {
+#if DEBUG
+ // IMPORTANT: MSAL logs may contain sensitive information. Never output MSAL logs with NSLog, or print, directly unless you're running your application in debug mode. If you're writing MSAL logs to file, you must store the file securely.
+ print("MSAL log: \(message)")
+#endif
+ }
+}
+```
+
+### Personal data
+
+By default, MSAL doesn't capture or log any personal data. The library allows app developers to turn this on through a property in the MSALLogger class. By turning on `pii.Enabled`, the app takes responsibility for safely handling highly sensitive data and following regulatory requirements.
+
+```swift
+// By default, the `MSALLogger` doesn't capture any PII
+
+// PII will be logged
+MSALGlobalConfig.loggerConfig.piiEnabled = true
+
+// PII will NOT be logged
+MSALGlobalConfig.loggerConfig.piiEnabled = false
+```
+
+### Logging levels
+
+To set the logging level when you log using MSAL for iOS and macOS, use one of the following values:
+
+|Level |Description |
+|||
+| `MSALLogLevelNothing`| Disable all logging |
+| `MSALLogLevelError` | Default level, prints out information only when errors occur |
+| `MSALLogLevelWarning` | Warnings |
+| `MSALLogLevelInfo` | Library entry points, with parameters and various keychain operations |
+|`MSALLogLevelVerbose` | API tracing |
+
+For example:
+
+```swift
+MSALGlobalConfig.loggerConfig.logLevel = .verbose
+ ```
+
+### Log message format
+
+The message portion of MSAL log messages is in the format of `TID = <thread_id> MSAL <sdk_ver> <OS> <OS_ver> [timestamp - correlation_id] message`
+
+For example:
+
+`TID = 551563 MSAL 0.2.0 iOS Sim 12.0 [2018-09-24 00:36:38 - 36764181-EF53-4E4E-B3E5-16FE362CFC44] acquireToken returning with error: (MSALErrorDomain, -42400) User cancelled the authorization session.`
+
+Providing correlation IDs and timestamps are helpful for tracking down issues. Timestamp and correlation ID information is available in the log message. The only reliable place to retrieve them is from MSAL logging messages.
+++
+## Next steps
+
+For more code samples, refer to [Microsoft identity platform code samples](sample-v2-code.md).
\ No newline at end of file
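Review bot: the "Personal data" paragraph in both the Objective-C and Swift tabs tells the reader to turn on `pii.Enabled` on "the MSALLogger class", but the code directly below it sets `MSALGlobalConfig.loggerConfig.piiEnabled = YES;` (and `= true` in Swift); make the prose name the property and object the samples actually use. The callback doc comment in both tabs likewise refers to `PIllLoggingEnabled` (with a lowercase L), an identifier that appears nowhere else on the page, where `piiEnabled` is the name used. Worth stating next to the callback samples: because they discard any message whose `containsPII` flag is set and only emit under `#if DEBUG`, flipping `piiEnabled` to `YES`/`true` has no visible effect unless the guard in the callback is also changed, which is the right default but should be said so readers do not assume the flag alone routes PII to their logs. Two smaller nits: the Objective-C tab indents the closing fence of the `logLevel` sample and the `### Log message format` heading by one space where the Swift tab does not, and "Providing correlation IDs and timestamps are helpful" should read "is helpful".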
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-logging-java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-logging-java.md new file mode 100644 /dev/null
@@ -0,0 +1,72 @@
+
+ Title: Logging errors and exceptions in MSAL for Java
+
+description: Learn how to log errors and exceptions in MSAL for Java
++++++++ Last updated : 01/25/2021++++
+# Logging in MSAL for Java
+
+[!INCLUDE [MSAL logging introduction](../../../includes/active-directory-develop-error-logging-introduction.md)]
+
+## MSAL for Java logging
+
+MSAL for Java allows you to use the logging library that you are already using with your app, as long as it is compatible with SLF4J. MSAL for Java uses the [Simple Logging Facade for Java](http://www.slf4j.org/) (SLF4J) as a simple facade or abstraction for various logging frameworks, such as [java.util.logging](https://docs.oracle.com/javase/7/docs/api/java/util/logging/package-summary.html), [Logback](http://logback.qos.ch/) and [Log4j](https://logging.apache.org/log4j/2.x/). SLF4J allows the user to plug in the desired logging framework at deployment time.
+
+For example, to use Logback as the logging framework in your application, add the Logback dependency to the Maven pom file for your application:
+
+```xml
+<dependency>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-classic</artifactId>
+ <version>1.2.3</version>
+</dependency>
+```
+
+Then add the Logback configuration file:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration debug="true">
+
+</configuration>
+```
+
+SLF4J automatically binds to Logback at deployment time. MSAL logs will be written to the console.
+
+For instructions on how to bind to other logging frameworks, see the [SLF4J manual](http://www.slf4j.org/manual.html).
+
+### Personal and organization information
+
+By default, MSAL logging does not capture or log any personal or organizational data. In the following example, logging personal or organizational data is off by default:
+
+```java
+ PublicClientApplication app2 = PublicClientApplication.builder(PUBLIC_CLIENT_ID)
+ .authority(AUTHORITY)
+ .build();
+```
+
+Turn on personal and organizational data logging by setting `logPii()` on the client application builder. If you turn on personal or organizational data logging, your app must take responsibility for safely handling highly-sensitive data and complying with any regulatory requirements.
+
+In the following example, logging personal or organizational data is enabled:
+
+```java
+PublicClientApplication app2 = PublicClientApplication.builder(PUBLIC_CLIENT_ID)
+ .authority(AUTHORITY)
+ .logPii(true)
+ .build();
+```
+
+## Next steps
+
+For more code samples, refer to [Microsoft identity platform code samples)](sample-v2-code.md).
\ No newline at end of file
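Review bot: the Logback configuration shown declares no appender and no root logger level, so the sentence "MSAL logs will be written to the console" needs checking; `debug="true"` only switches on Logback's own status output, not the application's log events. Either show a minimal `<appender>` of class `ch.qos.logback.core.ConsoleAppender` attached to `<root>`, or say plainly that the file is a placeholder to be completed from the Logback documentation. Since the page's only guidance on levels is this file, it should also mention that the root level chosen there is what governs how much MSAL detail (and, once `logPii(true)` is set, how much personal and organizational data) reaches the log. The Next steps link has a stray `)` inside the brackets: `[Microsoft identity platform code samples)](sample-v2-code.md)`; the same typo is in the new MSAL.js and MSAL for Python pages.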
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-logging-js https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-logging-js.md new file mode 100644 /dev/null
@@ -0,0 +1,56 @@
+
+ Title: Logging errors and exceptions in MSAL.js
+
+description: Learn how to log errors and exceptions in MSAL.js
++++++++ Last updated : 01/25/2021++++
+# Logging in MSAL.js
+
+[!INCLUDE [MSAL logging introduction](../../../includes/active-directory-develop-error-logging-introduction.md)]
+
+## Configure logging in MSAL.js
+
+Enable logging in MSAL.js (JavaScript) by passing a logger object during the configuration for creating a `UserAgentApplication` instance. This logger object has the following properties:
+
+- `localCallback`: a Callback instance that can be provided by the developer to consume and publish logs in a custom manner. Implement the localCallback method depending on how you want to redirect logs.
+- `level` (optional): the configurable log level. The supported log levels are: `Error`, `Warning`, `Info`, and `Verbose`. The default is `Info`.
+- `piiLoggingEnabled` (optional): if set to true, logs personal and organizational data. By default this is false so that your application doesn't log personal data. Personal data logs are never written to default outputs like Console, Logcat, or NSLog.
+- `correlationId` (optional): a unique identifier, used to map the request with the response for debugging purposes. Defaults to RFC4122 version 4 guid (128 bits).
+
+```javascript
+function loggerCallback(logLevel, message, containsPii) {
+ console.log(message);
+}
+
+var msalConfig = {
+ auth: {
+ clientId: "<Enter your client id>",
+ },
+ system: {
+ logger: new Msal.Logger(
+ loggerCallback , {
+ level: Msal.LogLevel.Verbose,
+ piiLoggingEnabled: false,
+ correlationId: '1234'
+ }
+ )
+ }
+}
+
+var UserAgentApplication = new Msal.UserAgentApplication(msalConfig);
+```
+
+## Next steps
+
+For more code samples, refer to [Microsoft identity platform code samples)](sample-v2-code.md).
\ No newline at end of file
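Review bot: the `loggerCallback` sample writes every message to `console.log` without looking at its third argument, `containsPii`, so the guarantee in the property list that personal data is never written to default outputs only holds while `piiLoggingEnabled` stays `false`; the sample should check `containsPii` before logging (dropping or redirecting those messages), or the prose should say that once the flag is on, the callback alone decides where PII ends up. Hard-coding `correlationId: '1234'` also works against the stated purpose of the field, mapping a request to its response, because every request would carry the same value; remove it from the sample so the documented RFC 4122 version 4 default applies, or label it as illustrative. The Next steps link text carries the same stray `)` as the Java page.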
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-logging-python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-logging-python.md new file mode 100644 /dev/null
@@ -0,0 +1,54 @@
+
+ Title: Logging errors and exceptions in MSAL for Python
+
+description: Learn how to log errors and exceptions in MSAL for Python
++++++++ Last updated : 01/25/2021++++
+# Logging in MSAL for Python
+
+[!INCLUDE [MSAL logging introduction](../../../includes/active-directory-develop-error-logging-introduction.md)]
+
+## MSAL for Python logging
+
+Logging in MSAL Python uses the standard Python logging mechanism, for example `logging.info("msg")` You can configure MSAL logging as follows (and see it in action in the [username_password_sample](https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/1.0.0/sample/username_password_sample.py#L31L32)):
+
+### Enable debug logging for all modules
+
+By default, the logging in any Python script is turned off. If you want to enable debug logging for all of the modules in your entire Python script, use:
+
+```python
+logging.basicConfig(level=logging.DEBUG)
+```
+
+### Silence only MSAL logging
+
+To silence only MSAL library logging, while enabling debug logging in all of the other modules in your Python script, turn off the logger used by MSAL Python:
+
+```Python
+logging.getLogger("msal").setLevel(logging.WARN)
+```
+
+### Personal and organizational data in Python
+
+MSAL for Python does not log personal data or organizational data. There is no property to turn personal or organization data logging on or off.
+
+You can use standard Python logging to log whatever you want, but you are responsible for safely handling sensitive data and following regulatory requirements.
+
+For more information about logging in Python, please refer to Python's [Logging: how-to](https://docs.python.org/3/howto/logging.html#logging-basic-tutorial).
+
+## Next steps
+
+For more code samples, refer to [Microsoft identity platform code samples)](sample-v2-code.md).
++\ No newline at end of file
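Review bot: the "Silence only MSAL logging" snippet does not silence the `msal` logger, it raises its threshold to warnings, so warnings and errors still appear; retitle it (for example "Reduce MSAL logging to warnings") or, if silence is the intent, set a level above `logging.CRITICAL`. `logging.WARN` is an undocumented alias; the spelled-out constant is `logging.WARNING`. Because `logging.basicConfig(level=logging.DEBUG)` raises every library's logger in the process and not only MSAL's, the statement that MSAL for Python does not log personal data should be scoped to the `msal` logger, with a note that what other modules emit at DEBUG is outside MSAL's control. Minor: the sample link anchor `#L31L32` is not a GitHub line range (the form is `#L31-L32`), the first sentence lacks a full stop after `logging.info("msg")`, and the two fences are tagged `python` and `Python`.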
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-logging https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-logging.md deleted file mode 100644 a/articles/active-directory/develop/msal-logging.md
@@ -1,391 +0,0 @@
- Title: Logging in MSAL apps | Azure-
-description: Learn about logging in Microsoft Authentication Library (MSAL) applications.
-------- Previously updated : 11/11/2019---
-#Customer intent: As an application developer, I want to learn about logging so I can diagnose and troubleshoot my apps.
--
-# Logging in MSAL applications
-
-Microsoft Authentication Library (MSAL) apps generate log messages that can help diagnose issues. An app can configure logging with a few lines of code, and have custom control over the level of detail and whether or not personal and organizational data is logged. We recommend you create an MSAL logging callback and provide a way for users to submit logs when they have authentication issues.
-
-## Logging levels
-
-MSAL provides several levels of logging detail:
--- Error: Indicates something has gone wrong and an error was generated. Use for debugging and identifying problems.-- Warning: There hasn't necessarily been an error or failure, but are intended for diagnostics and pinpointing problems.-- Info: MSAL will log events intended for informational purposes not necessarily intended for debugging.-- Verbose: Default. MSAL logs the full details of library behavior.-
-## Personal and organizational data
-
-By default, the MSAL logger doesn't capture any highly sensitive personal or organizational data. The library provides the option to enable logging personal and organizational data if you decide to do so.
-
-For details about MSAL logging in a particular language, choose the tab matching your language:
-
-## [.NET](#tab/dotnet)
-
-## Logging in MSAL.NET
-
- > [!NOTE]
- > See the [MSAL.NET wiki](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki) for samples of MSAL.NET logging and more.
-
-In MSAL 3.x, logging is set per application at app creation using the `.WithLogging` builder modifier. This method takes optional parameters:
--- `Level` enables you to decide which level of logging you want. Setting it to Errors will only get errors-- `PiiLoggingEnabled` enables you to log personal and organizational data if set to true. By default this is set to false, so that your application does not log personal data.-- `LogCallback` is set to a delegate that does the logging. If `PiiLoggingEnabled` is true, this method will receive the messages twice: once with the `containsPii` parameter equals false and the message without personal data, and a second time with the `containsPii` parameter equals to true and the message might contain personal data. In some cases (when the message does not contain personal data), the message will be the same.-- `DefaultLoggingEnabled` enables the default logging for the platform. By default it's false. If you set it to true it uses Event Tracing in Desktop/UWP applications, NSLog on iOS and logcat on Android.-
-```csharp
-class Program
- {
- private static void Log(LogLevel level, string message, bool containsPii)
- {
- if (containsPii)
- {
- Console.ForegroundColor = ConsoleColor.Red;
- }
- Console.WriteLine($"{level} {message}");
- Console.ResetColor();
- }
-
- static void Main(string[] args)
- {
- var scopes = new string[] { "User.Read" };
-
- var application = PublicClientApplicationBuilder.Create("<clientID>")
- .WithLogging(Log, LogLevel.Info, true)
- .Build();
-
- AuthenticationResult result = application.AcquireTokenInteractive(scopes)
- .ExecuteAsync().Result;
- }
- }
- ```
-
-## [Android](#tab/android)
-
-## Logging in MSAL for Android using Java
-
-Turn logging on at app creation by creating a logging callback. The callback takes these parameters:
--- `tag` is a string passed to the callback by the library. It is associated with the log entry and can be used to sort logging messages.-- `logLevel` enables you to decide which level of logging you want. The supported log levels are: `Error`, `Warning`, `Info`, and `Verbose`.-- `message` is the content of the log entry.-- `containsPII` specifies whether messages containing personal data, or organizational data are logged. By default, this is set to false, so that your application doesn't log personal data. If `containsPII` is `true`, this method will receive the messages twice: once with the `containsPII` parameter set to `false` and the `message` without personal data, and a second time with the `containsPii` parameter set to `true` and the message might contain personal data. In some cases (when the message does not contain personal data), the message will be the same.-
-```java
-private StringBuilder mLogs;
-
-mLogs = new StringBuilder();
-Logger.getInstance().setExternalLogger(new ILoggerCallback()
-{
- @Override
- public void log(String tag, Logger.LogLevel logLevel, String message, boolean containsPII)
- {
- mLogs.append(message).append('\n');
- }
-});
-```
-
-By default, the MSAL logger will not capture any personal identifiable information or organizational identifiable information.
-To enable the logging of personal identifiable information or organizational identifiable information:
-
-```java
-Logger.getInstance().setEnablePII(true);
-```
-
-To disable logging personal data and organization data:
-
-```java
-Logger.getInstance().setEnablePII(false);
-```
-
-By default logging to logcat is disabled. To enable:
-
-```java
-Logger.getInstance().setEnableLogcatLog(true);
-```
-
-## [JavaScript](#tab/javascript)
-
- Enable logging in MSAL.js (JavaScript) by passing a logger object during the configuration for creating a `UserAgentApplication` instance. This logger object has the following properties:
--- `localCallback`: a Callback instance that can be provided by the developer to consume and publish logs in a custom manner. Implement the localCallback method depending on how you want to redirect logs.-- `level` (optional): the configurable log level. The supported log levels are: `Error`, `Warning`, `Info`, and `Verbose`. The default is `Info`.-- `piiLoggingEnabled` (optional): if set to true, logs personal and organizational data. By default this is false so that your application doesn't log personal data. Personal data logs are never written to default outputs like Console, Logcat, or NSLog.-- `correlationId` (optional): a unique identifier, used to map the request with the response for debugging purposes. Defaults to RFC4122 version 4 guid (128 bits).-
-```javascript
-function loggerCallback(logLevel, message, containsPii) {
- console.log(message);
-}
-
-var msalConfig = {
- auth: {
- clientId: "<Enter your client id>",
- },
- system: {
- logger: new Msal.Logger(
- loggerCallback , {
- level: Msal.LogLevel.Verbose,
- piiLoggingEnabled: false,
- correlationId: '1234'
- }
- )
- }
-}
-
-var UserAgentApplication = new Msal.UserAgentApplication(msalConfig);
-```
-
-## [Objective-C](#tab/objc)
-
-## MSAL for iOS and macOS logging-ObjC
-
-Set a callback to capture MSAL logging and incorporate it in your own application's logging. The signature for the callback looks like this:
-
-```objc
-/*!
- The LogCallback block for the MSAL logger
-
- @param level The level of the log message
- @param message The message being logged
- @param containsPII If the message might contain Personally Identifiable Information (PII)
- this will be true. Log messages possibly containing PII will not be
- sent to the callback unless PIllLoggingEnabled is set to YES on the
- logger.
-
- */
-typedef void (^MSALLogCallback)(MSALLogLevel level, NSString *message, BOOL containsPII);
-```
-
-For example:
-
-```objc
-[MSALGlobalConfig.loggerConfig setLogCallback:^(MSALLogLevel level, NSString *message, BOOL containsPII)
- {
- if (!containsPII)
- {
-#if DEBUG
- // IMPORTANT: MSAL logs may contain sensitive information. Never output MSAL logs with NSLog, or print, directly unless you're running your application in debug mode. If you're writing MSAL logs to file, you must store the file securely.
- NSLog(@"MSAL log: %@", message);
-#endif
- }
- }];
-```
-
-### Personal data
-
-By default, MSAL doesn't capture or log any personal data (PII). The library allows app developers to turn this on through a property in the MSALLogger class. By turning on `pii.Enabled`, the app takes responsibility for safely handling highly sensitive data and following regulatory requirements.
-
-```objc
-// By default, the `MSALLogger` doesn't capture any PII
-
-// PII will be logged
-MSALGlobalConfig.loggerConfig.piiEnabled = YES;
-
-// PII will NOT be logged
-MSALGlobalConfig.loggerConfig.piiEnabled = NO;
-```
-
-### Logging levels
-
-To set the logging level when you log using MSAL for iOS and macOS, use one of the following values:
-
-|Level |Description |
-|||
-| `MSALLogLevelNothing`| Disable all logging |
-| `MSALLogLevelError` | Default level, prints out information only when errors occur |
-| `MSALLogLevelWarning` | Warnings |
-| `MSALLogLevelInfo` | Library entry points, with parameters and various keychain operations |
-|`MSALLogLevelVerbose` | API tracing |
-
-For example:
-
-```objc
-MSALGlobalConfig.loggerConfig.logLevel = MSALLogLevelVerbose;
- ```
-
- ### Log message format
-
-The message portion of MSAL log messages is in the format of `TID = <thread_id> MSAL <sdk_ver> <OS> <OS_ver> [timestamp - correlation_id] message`
-
-For example:
-
-`TID = 551563 MSAL 0.2.0 iOS Sim 12.0 [2018-09-24 00:36:38 - 36764181-EF53-4E4E-B3E5-16FE362CFC44] acquireToken returning with error: (MSALErrorDomain, -42400) User cancelled the authorization session.`
-
-Providing correlation IDs and timestamps are helpful for tracking down issues. Timestamp and correlation ID information is available in the log message. The only reliable place to retrieve them is from MSAL logging messages.
-
-## [Swift](#tab/swift)
-
-## MSAL for iOS and macOS logging-Swift
-
-Set a callback to capture MSAL logging and incorporate it in your own application's logging. The signature (represented in Objective-C) for the callback looks like this:
-
-```objc
-/*!
- The LogCallback block for the MSAL logger
-
- @param level The level of the log message
- @param message The message being logged
- @param containsPII If the message might contain Personally Identifiable Information (PII)
- this will be true. Log messages possibly containing PII will not be
- sent to the callback unless PIllLoggingEnabled is set to YES on the
- logger.
-
- */
-typedef void (^MSALLogCallback)(MSALLogLevel level, NSString *message, BOOL containsPII);
-```
-
-For example:
-
-```swift
-MSALGlobalConfig.loggerConfig.setLogCallback { (level, message, containsPII) in
- if let message = message, !containsPII
- {
-#if DEBUG
- // IMPORTANT: MSAL logs may contain sensitive information. Never output MSAL logs with NSLog, or print, directly unless you're running your application in debug mode. If you're writing MSAL logs to file, you must store the file securely.
- print("MSAL log: \(message)")
-#endif
- }
-}
-```
-
-### Personal data
-
-By default, MSAL doesn't capture or log any personal data (PII). The library allows app developers to turn this on through a property in the MSALLogger class. By turning on `pii.Enabled`, the app takes responsibility for safely handling highly sensitive data and following regulatory requirements.
-
-```swift
-// By default, the `MSALLogger` doesn't capture any PII
-
-// PII will be logged
-MSALGlobalConfig.loggerConfig.piiEnabled = true
-
-// PII will NOT be logged
-MSALGlobalConfig.loggerConfig.piiEnabled = false
-```
-
-### Logging levels
-
-To set the logging level when you log using MSAL for iOS and macOS, use one of the following values:
-
-|Level |Description |
-|||
-| `MSALLogLevelNothing`| Disable all logging |
-| `MSALLogLevelError` | Default level, prints out information only when errors occur |
-| `MSALLogLevelWarning` | Warnings |
-| `MSALLogLevelInfo` | Library entry points, with parameters and various keychain operations |
-|`MSALLogLevelVerbose` | API tracing |
-
-For example:
-
-```swift
-MSALGlobalConfig.loggerConfig.logLevel = .verbose
- ```
-
-### Log message format
-
-The message portion of MSAL log messages is in the format of `TID = <thread_id> MSAL <sdk_ver> <OS> <OS_ver> [timestamp - correlation_id] message`
-
-For example:
-
-`TID = 551563 MSAL 0.2.0 iOS Sim 12.0 [2018-09-24 00:36:38 - 36764181-EF53-4E4E-B3E5-16FE362CFC44] acquireToken returning with error: (MSALErrorDomain, -42400) User cancelled the authorization session.`
-
-Providing correlation IDs and timestamps are helpful for tracking down issues. Timestamp and correlation ID information is available in the log message. The only reliable place to retrieve them is from MSAL logging messages.
-
-## [Java](#tab/java)
-
-## MSAL for Java logging
-
-MSAL for Java allows you to use the logging library that you are already using with your app, as long as it is compatible with SLF4J. MSAL for Java uses the [Simple Logging Facade for Java](http://www.slf4j.org/) (SLF4J) as a simple facade or abstraction for various logging frameworks, such as [java.util.logging](https://docs.oracle.com/javase/7/docs/api/java/util/logging/package-summary.html), [Logback](http://logback.qos.ch/) and [Log4j](https://logging.apache.org/log4j/2.x/). SLF4J allows the user to plug in the desired logging framework at deployment time.
-
-For example, to use Logback as the logging framework in your application, add the Logback dependency to the Maven pom file for your application:
-
-```xml
-<dependency>
- <groupId>ch.qos.logback</groupId>
- <artifactId>logback-classic</artifactId>
- <version>1.2.3</version>
-</dependency>
-```
-
-Then add the Logback configuration file:
-
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<configuration debug="true">
-
-</configuration>
-```
-
-SLF4J automatically binds to Logback at deployment time. MSAL logs will be written to the console.
-
-For instructions on how to bind to other logging frameworks, see the [SLF4J manual](http://www.slf4j.org/manual.html).
-
-### Personal and organization information
-
-By default, MSAL logging does not capture or log any personal or organizational data. In the following example, logging personal or organizational data is off by default:
-
-```java
- PublicClientApplication app2 = PublicClientApplication.builder(PUBLIC_CLIENT_ID)
- .authority(AUTHORITY)
- .build();
-```
-
-Turn on personal and organizational data logging by setting `logPii()` on the client application builder. If you turn on personal or organizational data logging, your app must take responsibility for safely handling highly-sensitive data and complying with any regulatory requirements.
-
-In the following example, logging personal or organizational data is enabled:
-
-```java
-PublicClientApplication app2 = PublicClientApplication.builder(PUBLIC_CLIENT_ID)
- .authority(AUTHORITY)
- .logPii(true)
- .build();
-```
-
-## [Python](#tab/python)
-
-## MSAL for Python logging
-
-Logging in MSAL Python uses the standard Python logging mechanism, for example `logging.info("msg")` You can configure MSAL logging as follows (and see it in action in the [username_password_sample](https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/1.0.0/sample/username_password_sample.py#L31L32)):
-
-### Enable debug logging for all modules
-
-By default, the logging in any Python script is turned off. If you want to enable debug logging for all of the modules in your entire Python script, use:
-
-```python
-logging.basicConfig(level=logging.DEBUG)
-```
-
-### Silence only MSAL logging
-
-To silence only MSAL library logging, while enabling debug logging in all of the other modules in your Python script, turn off the logger used by MSAL Python:
-
-```Python
-logging.getLogger("msal").setLevel(logging.WARN)
-```
-
-### Personal and organizational data in Python
-
-MSAL for Python does not log personal data or organizational data. There is no property to turn personal or organization data logging on or off.
-
-You can use standard Python logging to log whatever you want, but you are responsible for safely handling sensitive data and following regulatory requirements.
-
-For more information about logging in Python, please refer to Python's [Logging HOWTO](https://docs.python.org/3/howto/logging.html#logging-basic-tutorial).
--
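Review bot: deleting msal-logging.md removes the MSAL.NET (`.WithLogging`) and MSAL for Android (`Logger.getInstance()`) sections together with the iOS, Java, JavaScript and Python ones, and the per-language pages visible in this change set cover only the latter four; confirm that pages for .NET and Android exist or are in the same PR, and that a redirect is registered for the old URL, including its `#tab/dotnet` and `#tab/android` anchors, since other articles link into it. One inconsistency should not be carried over: the old "Logging levels" list says "Verbose: Default", while the new iOS/macOS table says `MSALLogLevelError` is the default, so the shared include (`active-directory-develop-error-logging-introduction.md`) should either state the default per library or leave it to each page.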
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-net-migration.md a/articles/active-directory/develop/msal-net-migration.md
@@ -21,7 +21,7 @@
Both the Microsoft Authentication Library for .NET (MSAL.NET) and Azure AD Authentication Library for .NET (ADAL.NET) are used to authenticate Azure AD entities and request tokens from Azure AD. Up until now, most developers have worked with Azure AD for developers platform (v1.0) to authenticate Azure AD identities (work and school accounts) by requesting tokens using Azure AD Authentication Library (ADAL). Using MSAL: -- you can authenticate a broader set of Microsoft identities (Azure AD identities and Microsoft accounts, and social and local accounts through Azure AD B2C) as it uses the Microsoft identity platform endpoint,
+- you can authenticate a broader set of Microsoft identities (Azure AD identities and Microsoft accounts, and social and local accounts through Azure AD B2C) as it uses the Microsoft identity platform,
- your users will get the best single-sign-on experience. - your application can enable incremental consent, and supporting Conditional Access is easier - you benefit from the innovation.
@@ -32,9 +32,9 @@ This article describes the differences between the Microsoft Authentication Libr
## Differences between ADAL and MSAL apps
-In most cases you want to use MSAL.NET and the Microsoft identity platform endpoint, which is the latest generation of Microsoft authentication libraries. Using MSAL.NET, you acquire tokens for users signing-in to your application with Azure AD (work and school accounts), Microsoft (personal) accounts (MSA), or Azure AD B2C.
+In most cases you want to use MSAL.NET and the Microsoft identity platform, which is the latest generation of Microsoft authentication libraries. Using MSAL.NET, you acquire tokens for users signing-in to your application with Azure AD (work and school accounts), Microsoft (personal) accounts (MSA), or Azure AD B2C.
-If you are already familiar with the Azure AD for developers (v1.0) endpoint (and ADAL.NET), you might want to read [What's different about the Microsoft identity platform (v2.0) endpoint?](../azuread-dev/azure-ad-endpoint-comparison.md).
+If you are already familiar with the Azure AD for developers (v1.0) endpoint (and ADAL.NET), you might want to read [What's different about the Microsoft identity platform?](../azuread-dev/azure-ad-endpoint-comparison.md).
However, you still need to use ADAL.NET if your application needs to sign in users with earlier versions of [Active Directory Federation Services (ADFS)](/windows-server/identity/active-directory-federation-services). For more information, see [ADFS support](https://aka.ms/msal-net-adfs-support).
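Review bot: in this hunk the link text becomes "What's different about the Microsoft identity platform?" while the same sentence still says "the Azure AD for developers (v1.0) endpoint", and the target `azure-ad-endpoint-comparison.md` compares the two endpoints; either keep "(v2.0) endpoint" in this one link text or reword the sentence so both sides use the same term.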
@@ -264,4 +264,4 @@ You can also use this method for various integration scenarios where you have a
## Next steps
-You can find more information about the scopes in [Scopes, permissions, and consent in the Microsoft identity platform endpoint](v2-permissions-and-consent.md)
+You can find more information about the scopes in [Scopes, permissions, and consent in the Microsoft identity platform](v2-permissions-and-consent.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-user-gets-consent-for-multiple-resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-net-user-gets-consent-for-multiple-resources.md a/articles/active-directory/develop/msal-net-user-gets-consent-for-multiple-resources.md
@@ -18,7 +18,7 @@
# User gets consent for several resources using MSAL.NET
-The Microsoft identity platform endpoint does not allow you to get a token for several resources at once. When using the Microsoft Authentication Library for .NET (MSAL.NET), the scopes parameter in the acquire token method should only contain scopes for a single resource. However, you can pre-consent to several resources upfront by specifying additional scopes using the `.WithExtraScopeToConsent` builder method.
+The Microsoft identity platform does not allow you to get a token for several resources at once. When using the Microsoft Authentication Library for .NET (MSAL.NET), the scopes parameter in the acquire token method should only contain scopes for a single resource. However, you can pre-consent to several resources upfront by specifying additional scopes using the `.WithExtraScopeToConsent` builder method.
> [!NOTE] > Getting consent for several resources works for Microsoft identity platform, but not for Azure AD B2C. Azure AD B2C supports only admin consent, not user consent.
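Review bot: The unchanged NOTE line still reads "works for Microsoft identity platform" without the article, so the paragraph is inconsistent with the rewritten first sentence ("The Microsoft identity platform does not allow"). Since this change exists to standardize the product name, extend it to the note: "works for the Microsoft identity platform, but not for Azure AD B2C." The phrase "pre-consent to several resources upfront" in the changed line is also redundant; "pre-consent to several resources" says the same thing.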
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-overview.md a/articles/active-directory/develop/msal-overview.md
@@ -18,7 +18,7 @@
# Overview of the Microsoft Authentication Library (MSAL)
-The Microsoft Authentication Library (MSAL) enables developers to acquire [tokens](developer-glossary.md#security-token) from the Microsoft identity platform endpoint in order to authenticate users and access secured web APIs. It can be used to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API. MSAL supports many different application architectures and platforms including .NET, JavaScript, Java, Python, Android, and iOS.
+The Microsoft Authentication Library (MSAL) enables developers to acquire [tokens](developer-glossary.md#security-token) from the Microsoft identity platform in order to authenticate users and access secured web APIs. It can be used to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API. MSAL supports many different application architectures and platforms including .NET, JavaScript, Java, Python, Android, and iOS.
MSAL gives you many ways to get tokens, with a consistent API for a number of platforms. Using MSAL provides the following benefits:
@@ -56,6 +56,6 @@ MSAL can be used in many application scenarios, including the following:
## Differences between ADAL and MSAL
-Active Directory Authentication Library (ADAL) integrates with the Azure AD for developers (v1.0) endpoint, where MSAL integrates with the Microsoft identity platform (v2.0) endpoint. The v1.0 endpoint supports work accounts, but not personal accounts. The v2.0 endpoint is the unification of Microsoft personal accounts and work accounts into a single authentication system. Additionally, with MSAL you can also get authentications for Azure AD B2C.
+Active Directory Authentication Library (ADAL) integrates with the Azure AD for developers (v1.0) endpoint, where MSAL integrates with the Microsoft identity platform. The v1.0 endpoint supports work accounts, but not personal accounts. The v2.0 endpoint is the unification of Microsoft personal accounts and work accounts into a single authentication system. Additionally, with MSAL you can also get authentications for Azure AD B2C.
For more specific information, read about [migrating to MSAL.NET from ADAL.NET](msal-net-migration.md) and [migrating to MSAL.js from ADAL.js](msal-compare-msal-js-and-adal-js.md).
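Review bot: Dropping "(v2.0) endpoint" from the first sentence leaves the next two sentences ("The v1.0 endpoint supports work accounts ... The v2.0 endpoint is the unification ...") referring to a "v2.0 endpoint" that is no longer introduced anywhere in the paragraph. Either keep a parenthetical on the first mention, e.g. "MSAL integrates with the Microsoft identity platform (the v2.0 endpoint)", or rewrite the third sentence as "The Microsoft identity platform is the unification of ..." so the ADAL/MSAL contrast still reads as v1.0 versus v2.0.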
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-v1-app-scopes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-v1-app-scopes.md a/articles/active-directory/develop/msal-v1-app-scopes.md
@@ -61,7 +61,7 @@ var result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
The logic used by Azure AD is the following: - For ADAL (Azure AD v1.0) endpoint with a v1.0 access token (the only possible), aud=resource-- For MSAL (Microsoft identity platform (v2.0)) endpoint asking an access token for a resource accepting v2.0 tokens, `aud=resource.AppId`
+- For MSAL (Microsoft identity platform) asking an access token for a resource accepting v2.0 tokens, `aud=resource.AppId`
- For MSAL (v2.0 endpoint) asking an access token for a resource that accepts a v1.0 access token (which is the case above), Azure AD parses the desired audience from the requested scope by taking everything before the last slash and using it as the resource identifier. Therefore, if https:\//database.windows.net expects an audience of "https:\//database.windows.net/", you'll need to request a scope of "https:\//database.windows.net//.default". See also GitHub issue [#747: Resource url's trailing slash is omitted, which caused sql auth failure](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/747). ## Scopes to request access to all the permissions of a v1.0 application
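Review bot: Only the first MSAL bullet was changed; the unchanged bullet immediately below still says "For MSAL (v2.0 endpoint) asking an access token ...", so the same list now names the same thing two different ways. Apply the same wording to both bullets ("For MSAL (Microsoft identity platform) asking ..."). The escaped "https:\//database.windows.net" forms in that bullet are a separate pre-existing issue worth cleaning up in the same pass, since the audience and scope values shown ("https://database.windows.net/" and "https://database.windows.net//.default") are the whole point of the paragraph and should be copy-pasteable.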
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-register-app.md a/articles/active-directory/develop/quickstart-register-app.md
@@ -83,8 +83,8 @@ To configure application settings based on the platform or device you're targeti
| Platform | Configuration settings | | -- | - |
- | **Web** | Enter a **Redirect URI** for your app, the location where Microsoft identity platform redirects a user's client and sends security tokens after authentication.<br/><br/>Select this platform for standard web applications that run on a server. |
- | **Single-page application** | Enter a **Redirect URI** for your app, the location where Microsoft identity platform redirects a user's client and sends security tokens after authentication.<br/><br/>Select this platform if you're building a client-side web app in JavaScript or with a framework like Angular, Vue.js, React.js, or Blazor WebAssembly. |
+ | **Web** | Enter a **Redirect URI** for your app, the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication.<br/><br/>Select this platform for standard web applications that run on a server. |
+ | **Single-page application** | Enter a **Redirect URI** for your app, the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication.<br/><br/>Select this platform if you're building a client-side web app in JavaScript or with a framework like Angular, Vue.js, React.js, or Blazor WebAssembly. |
| **iOS / macOS** | Enter the app **Bundle ID**, found in XCode in *Info.plist* or Build Settings.<br/><br/>A redirect URI is generated for you when you specify a Bundle ID. | | **Android** | Enter the app **Package name**, which you can find in the *AndroidManifest.xml* file, and generate and enter the **Signature hash**.<br/><br/>A redirect URI is generated for you when you specify these settings. | | **Mobile and desktop applications** | Select one of the **Suggested redirect URIs** or specify a **Custom redirect URI**.<br/>For desktop applications, we recommend:<br/>`https://login.microsoftonline.com/common/oauth2/nativeclient`<br/><br/>Select this platform for mobile applications that aren't using the latest Microsoft Authentication Library (MSAL) or are not using a broker. Also select this platform for desktop applications. |
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-remove-app https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-remove-app.md a/articles/active-directory/develop/quickstart-remove-app.md
@@ -19,7 +19,7 @@
# How to remove an application registered with the Microsoft identity platform
-Enterprise developers and software-as-a-service (SaaS) providers who have registered applications with Microsoft identity platform may need to remove an application's registration.
+Enterprise developers and software-as-a-service (SaaS) providers who have registered applications with the Microsoft identity platform may need to remove an application's registration.
In the following sections, you learn how to:
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-android https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-android.md a/articles/active-directory/develop/quickstart-v2-android.md
@@ -13,7 +13,7 @@
Last updated 10/15/2019
-#Customer intent: As an application developer, I want to learn how Android native apps can call protected APIs that require login and access tokens using the Microsoft identity platform endpoint.
+#Customer intent: As an application developer, I want to learn how Android native apps can call protected APIs that require login and access tokens using the Microsoft identity platform.
# Quickstart: Sign in users and call the Microsoft Graph API from an Android app
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-angular https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-angular.md a/articles/active-directory/develop/quickstart-v2-angular.md
@@ -14,7 +14,7 @@
Last updated 03/18/2020
-#Customer intent: As an app developer, I want to learn how to get access tokens by using the Microsoft identity platform endpoint so that my Angular app can sign in users of personal Microsoft accounts, work accounts, or school accounts.
+#Customer intent: As an app developer, I want to learn how to get access tokens by using the Microsoft identity platform so that my Angular app can sign in users of personal Microsoft accounts, work accounts, or school accounts.
# Quickstart: Sign in users and get an access token in an Angular single-page application
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-core-web-api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-aspnet-core-web-api.md a/articles/active-directory/develop/quickstart-v2-aspnet-core-web-api.md
@@ -93,7 +93,7 @@ The *Microsoft.AspNetCore.Authentication* middleware uses a `Startup` class that
The `AddAuthentication()` method configures the service to add JwtBearer-based authentication.
-The line containing `.AddMicrosoftIdentityWebApi` adds Microsoft identity platform authorization to your web API. It's then configured to validate access tokens issued by the Microsoft identity platform endpoint based on the information in the `AzureAD` section of the *appsettings.json* configuration file:
+The line containing `.AddMicrosoftIdentityWebApi` adds the Microsoft identity platform authorization to your web API. It's then configured to validate access tokens issued by the Microsoft identity platform based on the information in the `AzureAD` section of the *appsettings.json* configuration file:
| *appsettings.json* key | Description | ||-|
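Review bot: The article is inserted in the wrong place in the first sentence of the changed line: "adds the Microsoft identity platform authorization to your web API" reads as if a specific authorization were being added. "Microsoft identity platform" is used attributively here, so the original "adds Microsoft identity platform authorization to your web API" was correct; the article belongs only in the second sentence ("issued by the Microsoft identity platform"), which this change gets right.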
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-core-webapp-calls-graph https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-aspnet-core-webapp-calls-graph.md a/articles/active-directory/develop/quickstart-v2-aspnet-core-webapp-calls-graph.md
@@ -163,7 +163,7 @@ The *Microsoft.AspNetCore.Authentication* middleware uses a `Startup` class that
The `AddAuthentication()` method configures the service to add cookie-based authentication, which is used in browser scenarios and to set the challenge to OpenID Connect.
-The line containing `.AddMicrosoftIdentityWebApp` adds Microsoft identity platform authentication to your application. This is provided by [Microsoft.Identity.Web](microsoft-identity-web.md). It's then configured to sign in using the Microsoft identity platform endpoint based on the information in the `AzureAD` section of the *appsettings.json* configuration file:
+The line containing `.AddMicrosoftIdentityWebApp` adds the Microsoft identity platform authentication to your application. This is provided by [Microsoft.Identity.Web](microsoft-identity-web.md). It's then configured to sign in using the Microsoft identity platform based on the information in the `AzureAD` section of the *appsettings.json* configuration file:
| *appsettings.json* key | Description | ||-|
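Review bot: Same article problem as the web API quickstart: "adds the Microsoft identity platform authentication to your application" should stay "adds Microsoft identity platform authentication to your application", because the product name is modifying "authentication" rather than standing alone. Keep the "the" only in "sign in using the Microsoft identity platform".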
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-core-webapp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-aspnet-core-webapp.md a/articles/active-directory/develop/quickstart-v2-aspnet-core-webapp.md
@@ -145,7 +145,7 @@ The *Microsoft.AspNetCore.Authentication* middleware uses a `Startup` class that
The `AddAuthentication()` method configures the service to add cookie-based authentication, which is used in browser scenarios and to set the challenge to OpenID Connect.
-The line containing `.AddMicrosoftIdentityWebApp` adds Microsoft identity platform authentication to your application. It's then configured to sign in using the Microsoft identity platform endpoint based on the information in the `AzureAD` section of the *appsettings.json* configuration file:
+The line containing `.AddMicrosoftIdentityWebApp` adds the Microsoft identity platform authentication to your application. It's then configured to sign in using the Microsoft identity platform based on the information in the `AzureAD` section of the *appsettings.json* configuration file:
| *appsettings.json* key | Description | ||-|
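Review bot: "adds the Microsoft identity platform authentication to your application" has the article in the wrong position; revert that phrase to "adds Microsoft identity platform authentication to your application" and keep the "the" only before the stand-alone use later in the sentence ("using the Microsoft identity platform based on ...").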
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-webapp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-aspnet-webapp.md a/articles/active-directory/develop/quickstart-v2-aspnet-webapp.md
@@ -166,7 +166,7 @@ public void Configuration(IAppBuilder app)
> ||| > | `ClientId` | Application ID from the application registered in the Azure portal | > | `Authority` | The STS endpoint for user to authenticate. Usually `https://login.microsoftonline.com/{tenant}/v2.0` for public cloud, where {tenant} is the name of your tenant, your tenant Id, or *common* for a reference to the common endpoint (used for multi-tenant applications) |
-> | `RedirectUri` | URL where users are sent after authentication against Microsoft identity platform endpoint |
+> | `RedirectUri` | URL where users are sent after authentication against the Microsoft identity platform |
> | `PostLogoutRedirectUri` | URL where users are sent after signing-off | > | `Scope` | The list of scopes being requested, separated by spaces | > | `ResponseType` | Request that the response from authentication contains an ID token |
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-dotnet-native-aspnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-dotnet-native-aspnet.md a/articles/active-directory/develop/quickstart-v2-dotnet-native-aspnet.md
@@ -1,7 +1,7 @@
Title: "Quickstart: Call an ASP.NET web API that is protected by Microsoft identity platform | Azure"
+ Title: "Quickstart: Call an ASP.NET web API that is protected by the Microsoft identity platform | Azure"
-description: In this quickstart, learn how to call an ASP.NET web API that's protected by Microsoft identity platform from a Windows Desktop (WPF) application.
+description: In this quickstart, learn how to call an ASP.NET web API that's protected by the Microsoft identity platform from a Windows Desktop (WPF) application.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-ios https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-ios.md a/articles/active-directory/develop/quickstart-v2-ios.md
@@ -178,7 +178,7 @@ self.applicationContext = try MSALPublicClientApplication(configuration: msalCon
> |Where: | Description | > ||| > | `clientId` | The Application ID from the application registered in *portal.azure.com* |
-> | `authority` | The Microsoft identity platform endpoint. In most of cases this will be `https://login.microsoftonline.com/common` |
+> | `authority` | The Microsoft identity platform. In most of cases this will be `https://login.microsoftonline.com/common` |
> | `redirectUri` | The redirect URI of the application. You can pass 'nil' to use the default value, or your custom redirect URI. | ### For iOS only, additional app requirements
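Review bot: Removing "endpoint" from the `authority` row makes the description inaccurate: `authority` is a URL (the example value is `https://login.microsoftonline.com/common`), so "The Microsoft identity platform" no longer describes the value the developer has to supply. Suggest "The Microsoft identity platform authority URL" or "The authority endpoint of the Microsoft identity platform". While editing that row, "In most of cases" should be "In most cases", and since this configuration decides which issuer the app trusts, it is worth adding that `common` accepts tokens from any tenant and a tenant-specific authority should be used when the app is single-tenant.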
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-javascript-auth-code-angular https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-javascript-auth-code-angular.md a/articles/active-directory/develop/quickstart-v2-javascript-auth-code-angular.md
@@ -13,7 +13,7 @@
Last updated 01/14/2021
-#Customer intent: As an app developer, I want to learn how to get access tokens and refresh tokens by using the Microsoft identity platform endpoint so that my JavaScript Angular app can sign in users of personal accounts, work accounts, and school accounts.
+#Customer intent: As an app developer, I want to learn how to get access tokens and refresh tokens by using the Microsoft identity platform so that my JavaScript Angular app can sign in users of personal accounts, work accounts, and school accounts.
# Quickstart: Sign in and get an access token in an Angular SPA using the auth code flow
@@ -36,9 +36,7 @@ This quickstart uses MSAL Angular v2 with the authorization code flow. For a sim
> > ### Option 1 (Express): Register and auto configure your app and then download your code sample >
-> 1. Sign in to the [Azure portal](https://portal.azure.com).
-> 1. If your account gives you access to more than one tenant, select your account at the top right, and then set your portal session to the Azure AD tenant you want to use.
-> 1. Select [App registrations](https://aka.ms/AAatehv).
+> 1. Go to the <a href="https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/JavascriptSpaQuickstartPage/sourceType/docs" target="_blank">Azure portal - App registrations<span class="docon docon-navigate-external x-hidden-focus"></span></a> quickstart experience.
> 1. Enter a name for your application. > 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. > 1. Select **Register**.
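Review bot: Replacing the three sign-in steps with a single deep link drops the instruction to switch the portal session to the intended Azure AD tenant. The quickstart blade opens in whatever directory the user last used, so someone with access to several tenants can register the app in the wrong directory without noticing; keep a short tenant-selection step (or a sentence after the link) as the Step 1 list in the same file does. Also, the raw `<a ... target="_blank">` with the `docon-navigate-external` span is a rendering-specific markup; confirm the docs pipeline is expected to add `rel="noopener"` for these links rather than relying on the author.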
@@ -48,20 +46,19 @@ This quickstart uses MSAL Angular v2 with the authorization code flow. For a sim
> > #### Step 1: Register your application >
-> 1. Sign in to the [Azure portal](https://portal.azure.com).
-> 1. If your account gives you access to more than one tenant, select your account at the top right, and then set your portal session to the Azure Active Directory (Azure AD) tenant you want to use.
-> 1. Select [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908).
-> 1. Select **New registration**.
-> 1. When the **Register an application** page appears, enter a name for your application.
+> 1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>.
+> 1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.
+> 1. Search for and select **Azure Active Directory**.
+> 1. Under **Manage**, select **App registrations** > **New registration**.
+> 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later.
> 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. > 1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use.
-> 1. In the left pane of the registered application, select **Authentication**.
-> 1. Under **Platform configurations**, select `Add a platform`.
-> 1. In the resulting window, select **Single-page application**.
+> 1. Under **Manage**, select **Authentication**.
+> 1. Under **Platform configurations**, select **Add a platform**. In the pane that opens select **Single-page application**.
> 1. Set the **Redirect URIs** value to `http://localhost:4200/`. This is the default port NodeJS will listen on your local machine. WeΓÇÖll return the authentication response to this URI after successfully authenticating the user.
-> 1. Click the **Configure** button to apply the changes.
+> 1. Select **Configure** to apply the changes.
> 1. Under **Platform Configurations** expand **Single-page application**.
-> 1. Confirm that under **Grant types** ![Already configured](media/quickstart-v2-javascript/green-check.png)Your Redirect URI is eligible for the Authorization Code Flow with PKCE.
+> 1. Confirm that under **Grant types** ![Already configured](media/quickstart-v2-javascript/green-check.png) Your Redirect URI is eligible for the Authorization Code Flow with PKCE.
> [!div class="sxs-lookup" renderon="portal"] > #### Step 1: Configure your application in the Azure portal
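Review bot: Two text defects in this hunk should be fixed while the steps are being rewritten. The unchanged redirect-URI step contains the mojibake "WeΓÇÖll" (a mis-encoded right single quote), which should be "We'll". The last changed step, "Confirm that under **Grant types** ![Already configured](...) Your Redirect URI is eligible ...", still reads as a broken sentence because the portal text is run in without quotes; write it as: Confirm that under **Grant types** the message "Your Redirect URI is eligible for the Authorization Code Flow with PKCE" is shown next to the green check. The same step also sets "Redirect URIs" to `http://localhost:4200/`; since a redirect URI is what the authorization response is sent to, a reminder that this loopback value is for local development only and must be replaced by the app's HTTPS URL before deployment would fit here.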
@@ -178,7 +175,7 @@ Run the project with a web server by using Node.js:
### msal.js
-The MSAL.js library signs in users and requests the tokens that are used to access an API that's protected by Microsoft identity platform.
+The MSAL.js library signs in users and requests the tokens that are used to access an API that's protected by the Microsoft identity platform.
If you have Node.js installed, you can download the latest version by using the Node.js Package Manager (npm):
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-javascript-auth-code-react https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-javascript-auth-code-react.md a/articles/active-directory/develop/quickstart-v2-javascript-auth-code-react.md
@@ -13,7 +13,7 @@
Last updated 01/14/2021
-#Customer intent: As an app developer, I want to learn how to login, logout, conditionally render components to authenticated users, and acquire an access token for a protected resource such as Microsoft Graph by using the Microsoft identity platform endpoint so that my JavaScript React app can sign in users of personal accounts, work accounts, and school accounts.
+#Customer intent: As an app developer, I want to learn how to login, logout, conditionally render components to authenticated users, and acquire an access token for a protected resource such as Microsoft Graph by using the Microsoft identity platform so that my JavaScript React app can sign in users of personal accounts, work accounts, and school accounts.
# Quickstart: Sign in and get an access token in a React SPA using the auth code flow
@@ -37,9 +37,7 @@ This quickstart uses MSAL React with the authorization code flow. For a similar
> > ### Option 1 (Express): Register and auto configure your app and then download your code sample >
-> 1. Sign in to the [Azure portal](https://portal.azure.com).
-> 1. If your account gives you access to more than one tenant, select your account at the top right, and then set your portal session to the Azure AD tenant you want to use.
-> 1. Select [App registrations](https://aka.ms/AAatrux).
+> 1. Go to the <a href="https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/JavascriptSpaQuickstartPage/sourceType/docs" target="_blank">Azure portal - App registrations<span class="docon docon-navigate-external x-hidden-focus"></span></a> quickstart experience.
> 1. Enter a name for your application. > 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. > 1. Select **Register**.
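Review bot: As in the Angular quickstart, collapsing the sign-in steps into the single deep link removes the instruction to pick the tenant first; with access to multiple tenants the registration lands in the currently selected directory. Keep a tenant-selection step before "Enter a name for your application."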
@@ -49,20 +47,19 @@ This quickstart uses MSAL React with the authorization code flow. For a similar
> > #### Step 1: Register your application >
-> 1. Sign in to the [Azure portal](https://portal.azure.com).
-> 1. If your account gives you access to more than one tenant, select your account at the top right, and then set your portal session to the Azure AD tenant you want to use.
-> 1. Select [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908).
-> 1. Select **New registration**.
+> 1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>.
+> 1. If you have access to multiple tenants, use the **Directory + subscription** filter :::image type="icon" source="./media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to select the tenant in which you want to register an application.
+> 1. Search for and select **Azure Active Directory**.
+> 1. Under **Manage**, select **App registrations** > **New registration**.
> 1. When the **Register an application** page appears, enter a name for your application. > 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. > 1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use.
-> 1. In the left pane of the registered application, select **Authentication**.
-> 1. Under **Platform configurations**, select `Add a platform`.
-> 1. In the resulting window, select **Single-page application**.
+> 1. Under **Manage**, select **Authentication**.
+> 1. Under **Platform configurations**, select **Add a platform**. In the pane that opens select **Single-page application**.
> 1. Set the **Redirect URIs** value to `http://localhost:3000/`. This is the default port NodeJS will listen on your local machine. WeΓÇÖll return the authentication response to this URI after successfully authenticating the user.
-> 1. Click the **Configure** button to apply the changes.
+> 1. Select **Configure** to apply the changes.
> 1. Under **Platform Configurations** expand **Single-page application**.
-> 1. Confirm that under **Grant types** ![Already configured](media/quickstart-v2-javascript/green-check.png)Your Redirect URI is eligible for the Authorization Code Flow with PKCE.
+> 1. Confirm that under **Grant types** ![Already configured](media/quickstart-v2-javascript/green-check.png) Your Redirect URI is eligible for the Authorization Code Flow with PKCE.
> [!div class="sxs-lookup" renderon="portal"] > #### Step 1: Configure your application in the Azure portal
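Review bot: The unchanged redirect-URI step still contains the mojibake "WeΓÇÖll" ("We'll"), and the final changed step still reads as a run-on because the portal message is not quoted; rewrite it as: Confirm that under **Grant types** the message "Your Redirect URI is eligible for the Authorization Code Flow with PKCE" is shown. The `http://localhost:3000/` value should be flagged as a local-development redirect URI to be replaced for any deployed build.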
@@ -176,7 +173,7 @@ Run the project with a web server by using Node.js:
### msal.js
-The MSAL.js library signs in users and requests the tokens that are used to access an API that's protected by Microsoft identity platform.
+The MSAL.js library signs in users and requests the tokens that are used to access an API that's protected by the Microsoft identity platform.
If you have Node.js installed, you can download the latest version by using the Node.js Package Manager (npm):
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-javascript-auth-code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-javascript-auth-code.md a/articles/active-directory/develop/quickstart-v2-javascript-auth-code.md
@@ -13,7 +13,7 @@
Last updated 07/17/2020
-#Customer intent: As an app developer, I want to learn how to get access tokens and refresh tokens by using the Microsoft identity platform endpoint so that my JavaScript app can sign in users of personal accounts, work accounts, and school accounts.
+#Customer intent: As an app developer, I want to learn how to get access tokens and refresh tokens by using the Microsoft identity platform so that my JavaScript app can sign in users of personal accounts, work accounts, and school accounts.
# Quickstart: Sign in users and get an access token in a JavaScript SPA using the auth code flow
@@ -36,9 +36,7 @@ This quickstart uses MSAL.js 2.0 with the authorization code flow. For a similar
> > ### Option 1 (Express): Register and auto configure your app and then download your code sample >
-> 1. Sign in to the <a href="https://portal.azure.com/" target="_blank">Azure portal<span class="docon docon-navigate-external x-hidden-focus"></span></a>.
-> 1. If your account gives you access to more than one tenant, select the account at the top right, and then set your portal session to the Azure Active Directory (Azure AD) tenant you want to use.
-> 1. Select [App registrations](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/JavascriptSpaQuickstartPage/sourceType/docs).
+> 1. Go to the <a href="https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType/JavascriptSpaQuickstartPage/sourceType/docs" target="_blank">Azure portal - App registrations<span class="docon docon-navigate-external x-hidden-focus"></span></a>.
> 1. Enter a name for your application. > 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. > 1. Select **Register**.
@@ -55,7 +53,7 @@ This quickstart uses MSAL.js 2.0 with the authorization code flow. For a similar
> 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later. > 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. > 1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use.
-> 1. In the left pane of the registered application, select **Authentication**.
+> 1. Under **Manage**, select **Authentication**.
> 1. Under **Platform configurations**, select **Add a platform**. In the pane that opens select **Single-page application**. > 1. Set the **Redirect URI** value to `http://localhost:3000/`. > 1. Select **Configure**.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-javascript https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-javascript.md a/articles/active-directory/develop/quickstart-v2-javascript.md
@@ -14,7 +14,7 @@ Last updated 04/11/2019
-#Customer intent: As an app developer, I want to learn how to get access tokens by using the Microsoft identity platform endpoint so that my JavaScript app can sign in users of personal accounts, work accounts, and school accounts.
+#Customer intent: As an app developer, I want to learn how to get access tokens by using the Microsoft identity platform so that my JavaScript app can sign in users of personal accounts, work accounts, and school accounts.
# Quickstart: Sign in users and get an access token in a JavaScript SPA
@@ -52,7 +52,7 @@ See [How the sample works](#how-the-sample-works) for an illustration.
> 1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later. > 1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. > 1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use.
-> 1. This quickstart requires the [Implicit grant flow](v2-oauth2-implicit-grant-flow.md) to be enabled. In the left pane of the registered application, select **Authentication**.
+> 1. This quickstart requires the [Implicit grant flow](v2-oauth2-implicit-grant-flow.md) to be enabled. Under **Manage**, select **Authentication**.
> 1. Under **Platform Configurations**, select **Add a platform**. A panel opens on the left. There, select the **Web Applications** region. > 1. Still on the left, set the **Redirect URI** value to `http://localhost:3000/`. Then, select **Access Token** and **ID Token**. > 1. Select **Configure**.
@@ -264,14 +264,14 @@ myMSALObj.acquireTokenSilent(tokenRequest)
#### Get a user token interactively
-There are situations where you need to force users to interact with the Microsoft identity platform endpoint. For example:
+There are situations where you need to force users to interact with the Microsoft identity platform. For example:
* Users might need to reenter their credentials because their password has expired. * Your application is requesting access to additional resource scopes that the user needs to consent to. * Two-factor authentication is required. The usual recommended pattern for most applications is to call `acquireTokenSilent` first, then catch the exception, and then call `acquireTokenPopup` (or `acquireTokenRedirect`) to start an interactive request.
-Calling the `acquireTokenPopup` results in a popup window for signing in. (Or `acquireTokenRedirect` results in redirecting users to the Microsoft identity platform endpoint.) In that window, users need to interact by confirming their credentials, giving the consent to the required resource, or completing the two-factor authentication.
+Calling the `acquireTokenPopup` results in a popup window for signing in. (Or `acquireTokenRedirect` results in redirecting users to the Microsoft identity platform). In that window, users need to interact by confirming their credentials, giving the consent to the required resource, or completing the two-factor authentication.
```javascript // Add here scopes for access token to be used at MS Graph API endpoints.
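Review bot: the `+` line at the end of the hunk moves the period outside the parenthesis, but the parenthetical `(Or `acquireTokenRedirect` results in redirecting users to the Microsoft identity platform.)` is a complete sentence, so the original placement inside the parenthesis was correct. While this sentence is being touched, drop the stray article in `Calling the `acquireTokenPopup``, which should read `Calling `acquireTokenPopup``.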
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-netcore-daemon https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-netcore-daemon.md a/articles/active-directory/develop/quickstart-v2-netcore-daemon.md
@@ -14,7 +14,7 @@ Last updated 10/05/2020
-#Customer intent: As an application developer, I want to learn how my .NET Core app can get an access token and call an API that's protected by an Microsoft identity platform endpoint using client credentials flow.
+#Customer intent: As an application developer, I want to learn how my .NET Core app can get an access token and call an API that's protected by the Microsoft identity platform using client credentials flow.
# Quickstart: Acquire a token and call Microsoft Graph API using console app's identity
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-python-daemon https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-python-daemon.md a/articles/active-directory/develop/quickstart-v2-python-daemon.md
@@ -1,7 +1,7 @@
Title: "Quickstart: Call Microsoft Graph from a Python daemon | Azure"
-description: In this quickstart, you learn how a Python process can get an access token and call an API protected by Microsoft identity platform endpoint, using the app's own identity
+description: In this quickstart, you learn how a Python process can get an access token and call an API protected by Microsoft identity platform, using the app's own identity
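Review bot: the `+` description line drops `endpoint` but does not add the article, leaving `protected by Microsoft identity platform`, which is inconsistent with the `protected by the Microsoft identity platform` wording this same commit introduces in the customer-intent line of this file and in quickstart-v2-netcore-daemon. Suggest `protected by the Microsoft identity platform, using the app's own identity`.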
@@ -13,7 +13,7 @@
Last updated 10/22/2019
-#Customer intent: As an application developer, I want to learn how my Python app can get an access token and call an API that's protected by an Microsoft identity platform endpoint using client credentials flow.
+#Customer intent: As an application developer, I want to learn how my Python app can get an access token and call an API that's protected by the Microsoft identity platform using client credentials flow.
# Quickstart: Acquire a token and call Microsoft Graph API from a Python console app using app's identity
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-uwp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-uwp.md a/articles/active-directory/develop/quickstart-v2-uwp.md
@@ -13,7 +13,7 @@
Last updated 10/07/2020
-#Customer intent: As an application developer, I want to learn how my Universal Windows Platform (XAML) application can get an access token and call an API that's protected by an Microsoft identity platform endpoint.
+#Customer intent: As an application developer, I want to learn how my Universal Windows Platform (XAML) application can get an access token and call an API that's protected by the Microsoft identity platform.
# Quickstart: Call the Microsoft Graph API from a Universal Windows Platform (UWP) application
@@ -121,7 +121,7 @@ When the app's window appears, you can select the **Call Microsoft Graph API** b
### MSAL.NET
-MSAL ([Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client)) is the library used to sign in users and request security tokens. The security tokens are used to access an API protected by Microsoft Identity platform for developers. You can install MSAL by running the following command in Visual Studio's *Package Manager Console*:
+MSAL ([Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client)) is the library used to sign in users and request security tokens. The security tokens are used to access an API protected by the Microsoft Identity platform. You can install MSAL by running the following command in Visual Studio's *Package Manager Console*:
```powershell Install-Package Microsoft.Identity.Client
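Review bot: the `+` line keeps the capitalised `Microsoft Identity platform` while every other changed line in this commit uses `Microsoft identity platform`; since the whole change is a product-name cleanup, normalise the casing here as well.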
@@ -152,7 +152,7 @@ MSAL has two methods for acquiring tokens in a UWP app: `AcquireTokenInteractive
#### Get a user token interactively
-Some situations require forcing users to interact with the Microsoft identity platform endpoint through a popup window to either validate their credentials or to give consent. Some examples include:
+Some situations require forcing users to interact with the Microsoft identity platform through a popup window to either validate their credentials or to give consent. Some examples include:
- The first-time users sign in to the application - When users may need to reenter their credentials because the password has expired
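Review bot: the context bullet `- The first-time users sign in to the application` has a stray hyphen that changes the meaning (`first-time users` as a noun phrase); the parallel bullet in quickstart-v2-windows-desktop reads `The first time users sign in to the application`, which is the intended wording. Worth fixing while the paragraph above it is being edited.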
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-windows-desktop https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-windows-desktop.md a/articles/active-directory/develop/quickstart-v2-windows-desktop.md
@@ -1,6 +1,6 @@
Title: "Quickstart: Sign in users and call Microsoft Graph in a Universal Windows Platform desktop app | Azure"
-description: In this quickstart, learn how a Windows desktop .NET (XAML) application can get an access token and call an API protected by a Microsoft identity platform endpoint
+description: In this quickstart, learn how a Windows desktop .NET (XAML) application can get an access token and call an API protected by the Microsoft identity platform.
@@ -12,7 +12,7 @@
Last updated 12/12/2019
-#Customer intent: As an application developer, I want to learn how my Windows desktop .NET application can get an access token and call an API that's protected by a Microsoft identity platform endpoint.
+#Customer intent: As an application developer, I want to learn how my Windows desktop .NET application can get an access token and call an API that's protected by the Microsoft identity platform.
# Quickstart: Acquire a token and call Microsoft Graph API from a Windows desktop app
@@ -142,7 +142,7 @@ MSAL has two methods for acquiring tokens: `AcquireTokenInteractive` and `Acquir
#### Get a user token interactively
-Some situations require forcing users interact with the Microsoft identity platform endpoint through a popup window to either validate their credentials or to give consent. Some examples include:
+Some situations require forcing users interact with the Microsoft identity platform through a popup window to either validate their credentials or to give consent. Some examples include:
- The first time users sign in to the application - When users may need to reenter their credentials because the password has expired
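Review bot: the `+` line carries over a grammatical error from the removed line: `forcing users interact with` is missing `to` and should read `forcing users to interact with`, matching the corresponding sentence in quickstart-v2-uwp that this commit also edits.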
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/reference-third-party-cookies-spas.md a/articles/active-directory/develop/reference-third-party-cookies-spas.md
@@ -72,7 +72,7 @@ A common pattern in web apps is to use an iframe to embed one app inside another
Issuing refresh tokens to the browser is considered a security issue. Cross-site scripting (XSS) attacks or compromised JS packages can steal the refresh token and use it remotely until it expires or is revoked. In order to minimize the risk of stolen refresh tokens, SPAs will be issued tokens valid for only 24 hours. After 24 hours, the app must acquire a new authorization code via a top-level frame visit to the login page.
-This limited-lifetime refresh token pattern was chosen as a balance between security and degraded UX. Without refresh tokens or third-party cookies, the authorization code flow (as recommended by the [OAuth security best current practices draft](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14)) becomes onerous when new or additional tokens are required. A full page redirect or popup is needed for every single token, every time a token expires (every hour usually, for Microsoft identity platform tokens).
+This limited-lifetime refresh token pattern was chosen as a balance between security and degraded UX. Without refresh tokens or third-party cookies, the authorization code flow (as recommended by the [OAuth security best current practices draft](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-14)) becomes onerous when new or additional tokens are required. A full page redirect or popup is needed for every single token, every time a token expires (every hour usually, for the Microsoft identity platform tokens).
## Next steps
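Review bot: inserting `the` in `for the Microsoft identity platform tokens` on the `+` line is incorrect here, because `Microsoft identity platform` is used attributively to modify `tokens` (compare `Azure AD tokens`); the original `for Microsoft identity platform tokens` was right. Revert this one instance; the rest of the `endpoint` removal in this file reads fine.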
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-v2-libraries https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/reference-v2-libraries.md a/articles/active-directory/develop/reference-v2-libraries.md
@@ -1,6 +1,6 @@
Title: Microsoft identity platform authentication libraries
-description: Compatible client libraries and server middleware libraries, along with related library, source, and sample links, for the Microsoft identity platform endpoint.
+description: Compatible client libraries and server middleware libraries, along with related library, source, and sample links, for the Microsoft identity platform.
@@ -17,7 +17,7 @@
# Microsoft identity platform authentication libraries
-The [Microsoft identity platform endpoint](../azuread-dev/azure-ad-endpoint-comparison.md) supports the industry-standard OAuth 2.0 and OpenID Connect 1.0 protocols. The Microsoft Authentication Library (MSAL) is designed to work with the Microsoft identity platform endpoint. You can also use open-source libraries that support OAuth 2.0 and OpenID Connect 1.0.
+The [Microsoft identity platform ](../azuread-dev/azure-ad-endpoint-comparison.md) supports the industry-standard OAuth 2.0 and OpenID Connect 1.0 protocols. The Microsoft Authentication Library (MSAL) is designed to work with the Microsoft identity platform. You can also use open-source libraries that support OAuth 2.0 and OpenID Connect 1.0.
We recommend that you use libraries written by protocol domain experts who follow a Security Development Lifecycle (SDL) methodology. Such methodologies include [the one that Microsoft follows][Microsoft-SDL]. If you hand code for the protocols, you should follow a methodology such as Microsoft SDL. Pay close attention to the security considerations in the standards specifications for each protocol.
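Review bot: the `+` line has a stray space inside the link text, `[Microsoft identity platform ](../azuread-dev/azure-ad-endpoint-comparison.md)`, which renders as a trailing space inside the hyperlink; suggest `[Microsoft identity platform](...)`. Note also that the target is the v1/v2 endpoint comparison page, so with `endpoint` removed the link text no longer tells the reader what they will land on; linking the platform overview referenced at the end of this file (`[AAD-App-Model-V2-Overview]`) would fit the new wording better.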
@@ -26,7 +26,7 @@ We recommend that you use libraries written by protocol domain experts who follo
## Types of libraries
-The Microsoft identity platform endpoint works with two types of libraries:
+The Microsoft identity platform works with two types of libraries:
* **Client libraries**: Native clients and servers use client libraries to acquire access tokens for calling a resource such as Microsoft Graph. * **Server middleware libraries**: Web apps use server middleware libraries for user sign-in. Web APIs use server middleware libraries to validate tokens that are sent by native clients or by other servers.
@@ -36,9 +36,9 @@ The Microsoft identity platform endpoint works with two types of libraries:
Libraries come in two support categories: * **Microsoft-supported**: Microsoft provides fixes for these libraries and has done SDL due diligence on these libraries.
-* **Compatible**: Microsoft has tested these libraries in basic scenarios and has confirmed that they work with the Microsoft identity platform endpoint. Microsoft doesn't provide fixes for these libraries and hasn't done a review of these libraries. Issues and feature requests should be directed to the library's open-source project.
+* **Compatible**: Microsoft has tested these libraries in basic scenarios and has confirmed that they work with the Microsoft identity platform. Microsoft doesn't provide fixes for these libraries and hasn't done a review of these libraries. Issues and feature requests should be directed to the library's open-source project.
-For a list of libraries that work with the Microsoft identity platform endpoint, see the following sections.
+For a list of libraries that work with the Microsoft identity platform, see the following sections.
## Microsoft-supported client libraries
@@ -94,16 +94,16 @@ See also [Scenarios by supported platforms and languages](authentication-flows-a
| ![Ruby](media/sample-v2-code/logo_ruby.png) |[OmniAuth](https://github.com/omniauth/omniauth/wiki) |omniauth: 1.3.1<br />omniauth-oauth2: 1.4.0 |[OmniAuth](https://github.com/omniauth/omniauth)<br />[OmniAuth OAuth2](https://github.com/intridea/omniauth-oauth2) | | | iOS, macOS, & Android | [React Native App Auth](https://github.com/FormidableLabs/react-native-app-auth) | [Version 4.2.0](https://github.com/FormidableLabs/react-native-app-auth/releases/tag/v4.2.0) | [React Native App Auth](https://github.com/FormidableLabs/react-native-app-auth) | |
-For any standards-compliant library, you can use the Microsoft identity platform endpoint. It's important to know where to go for support:
+For any standards-compliant library, you can use the Microsoft identity platform. It's important to know where to go for support:
* For issues and new feature requests in library code, contact the library owner. * For issues and new feature requests in the service-side protocol implementation, contact Microsoft. * [File a feature request](https://feedback.azure.com/forums/169401-azure-active-directory) for additional features you want to see in the protocol.
-* [Create a support request](../../azure-portal/supportability/how-to-create-azure-support-request.md) if you find an issue where the Microsoft identity platform endpoint isn't compliant with OAuth 2.0 or OpenID Connect 1.0.
+* [Create a support request](../../azure-portal/supportability/how-to-create-azure-support-request.md) if you find an issue where the Microsoft identity platform isn't compliant with OAuth 2.0 or OpenID Connect 1.0.
## Related content
-For more information about the Microsoft identity platform endpoint, see the [Microsoft identity platform overview][AAD-App-Model-V2-Overview].
+For more information about the Microsoft identity platform, see the [Microsoft identity platform overview][AAD-App-Model-V2-Overview].
<!--Image references-->
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/registration-config-sso-how-to https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/registration-config-sso-how-to.md a/articles/active-directory/develop/registration-config-sso-how-to.md
@@ -37,6 +37,6 @@ For iOS, see [Enabling Cross App SSO in iOS](../azuread-dev/howto-v1-enable-sso-
[Integrating Apps to AzureAD](./quickstart-register-app.md)<br>
-[Permissions and consent in the Microsoft identity platform endpoint](./v2-permissions-and-consent.md)<br>
+[Permissions and consent in the Microsoft identity platform](./v2-permissions-and-consent.md)<br>
[AzureAD StackOverflow](https://stackoverflow.com/questions/tagged/azure-active-directory)\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/sample-v2-code.md a/articles/active-directory/develop/sample-v2-code.md
@@ -1,6 +1,6 @@
Title: Code samples for Microsoft identity platform
-description: Provides an index of available Microsoft identity platform (v2.0 endpoint) code samples, organized by scenario.
+description: Provides an index of available Microsoft identity platform code samples, organized by scenario.
@@ -17,14 +17,14 @@
# Microsoft identity platform code samples (v2.0 endpoint)
-You can use Microsoft identity platform to:
+You can use the Microsoft identity platform to:
- Add authentication and authorization to your web applications and web APIs. - Require an access token to access a protected web API.
-This article briefly describes and provides you with links to samples for the Microsoft identity platform endpoint. These samples show you how it's done, and also provide code snippets that you can use in your applications. On the code sample page, you'll find detailed readme topics that help with requirements, installation, and setup. Comments within the code help you understand the critical sections.
+This article briefly describes and provides you with links to samples for the Microsoft identity platform. These samples show you how it's done, and also provide code snippets that you can use in your applications. On the code sample page, you'll find detailed readme topics that help with requirements, installation, and setup. Comments within the code help you understand the critical sections.
-To understand the basic scenario for each sample type, see [App types for the Microsoft identity platform endpoint](v2-app-types.md).
+To understand the basic scenario for each sample type, see [App types for the Microsoft identity platform](v2-app-types.md).
You can also contribute to the samples on GitHub. To learn how, see [Microsoft Azure Active Directory samples and documentation](https://github.com/Azure-Samples?page=3&query=active-directory).
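Review bot: the H1 at the top of this hunk still reads `Microsoft identity platform code samples (v2.0 endpoint)` while the `description` in the previous hunk drops `(v2.0 endpoint)`; update the heading the same way so that title, description and body agree on the name.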
@@ -117,7 +117,7 @@ The following samples show how to configure your application to accept sign-ins
## Web APIs
-The following samples show how to protect a web API with the Microsoft identity platform endpoint, and how to call a downstream API from the web API.
+The following samples show how to protect a web API with the Microsoft identity platform, and how to call a downstream API from the web API.
| Platform | Sample | | -- | - |
@@ -129,7 +129,7 @@ The following samples show how to protect a web API with the Microsoft identity
## Azure Functions as web APIs
-The following samples show how to protect an Azure Function using HttpTrigger and exposing a web API with the Microsoft identity platform endpoint, and how to call a downstream API from the web API.
+The following samples show how to protect an Azure Function using HttpTrigger and exposing a web API with the Microsoft identity platform, and how to call a downstream API from the web API.
| Platform | Sample | | -- | - |
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-acquire-token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-daemon-acquire-token.md a/articles/active-directory/develop/scenario-daemon-acquire-token.md
@@ -1,5 +1,5 @@
Title: Acquire tokens to call a web API (daemon app) - Microsoft identity platform | Azure
+ Title: Acquire tokens to call a web API (daemon app) - The Microsoft identity platform | Azure
description: Learn how to build a daemon app that calls web APIs (acquiring tokens)
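Review bot: the `+` title line changes the suffix to `- The Microsoft identity platform | Azure`, putting a capitalised `The` in the middle of a title, whereas the other daemon-scenario titles changed in this commit (scenario-daemon-call-api, scenario-daemon-overview, scenario-daemon-production) drop the product name from the title altogether. Suggest the same treatment here: `Title: Acquire tokens to call a web API (daemon app) | Azure`.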
@@ -13,7 +13,7 @@ Last updated 10/30/2019
-#Customer intent: As an application developer, I want to know how to write a daemon app that can call web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a daemon app that can call web APIs by using the Microsoft identity platform.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-app-configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-daemon-app-configuration.md a/articles/active-directory/develop/scenario-daemon-app-configuration.md
@@ -12,7 +12,7 @@
Last updated 09/19/2020
-# Customer intent: As an application developer, I want to know how to write a daemon app that can call web APIs by using the Microsoft identity platform for developers.
+# Customer intent: As an application developer, I want to know how to write a daemon app that can call web APIs by using the Microsoft identity platform.
# Daemon app that calls web APIs - code configuration
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-call-api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-daemon-call-api.md a/articles/active-directory/develop/scenario-daemon-call-api.md
@@ -1,5 +1,6 @@
Title: Call a web API from a daemon app - Microsoft identity platform | Azure
+ Title: Call a web API from a daemon app | Azure
+ description: Learn how to build a daemon app that calls a web API.
@@ -13,7 +14,7 @@ Last updated 10/30/2019
-#Customer intent: As an application developer, I want to know how to write a daemon app that can call web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a daemon app that can call web APIs by using the Microsoft identity platform.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-daemon-overview.md a/articles/active-directory/develop/scenario-daemon-overview.md
@@ -1,5 +1,6 @@
Title: Build a daemon app that calls web APIs - Microsoft identity platform | Azure
+ Title: Build a daemon app that calls web APIs | Azure
+ description: Learn how to build a daemon app that calls web APIs
@@ -13,7 +14,7 @@ Last updated 01/31/2020
-#Customer intent: As an application developer, I want to know how to write a daemon app that can call web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a daemon app that can call web APIs by using the Microsoft identity platform.
@@ -44,7 +45,7 @@ Applications that acquire a token for their own identities:
> [!IMPORTANT] >
-> - Users can't interact with a daemon application. A daemon application requires its own identity. This type of application requests an access token by using its application identity and presenting its application ID, credential (password or certificate), and application ID URI to Azure AD. After successful authentication, the daemon receives an access token (and a refresh token) from the Microsoft identity platform endpoint. This token is then used to call the web API (and is refreshed as needed).
+> - Users can't interact with a daemon application. A daemon application requires its own identity. This type of application requests an access token by using its application identity and presenting its application ID, credential (password or certificate), and application ID URI to Azure AD. After successful authentication, the daemon receives an access token (and a refresh token) from the Microsoft identity platform. This token is then used to call the web API (and is refreshed as needed).
> - Because users can't interact with daemon applications, incremental consent isn't possible. All the required API permissions need to be configured at application registration. The code of the application just requests statically defined permissions. This also means that daemon applications won't support incremental consent. For developers, the end-to-end experience for this scenario has the following aspects:
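Review bot: the `+` line in the IMPORTANT note still says the daemon `receives an access token (and a refresh token)`, which is wrong for the client credentials grant that a daemon uses: the token response for that grant does not include a refresh token (RFC 6749, section 4.4.3), and the closing `(and is refreshed as needed)` should describe re-acquiring a token with the client credential when the cached one expires. Since this sentence is already being edited, fix the claim rather than only the product name. The same sentence also lists the `application ID URI` alongside the app ID and credential as something the app "presents"; it is the identifier of the resource the token is requested for, not a credential, so `requests a token for the target API's application ID URI` would be more accurate.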
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-production https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-daemon-production.md a/articles/active-directory/develop/scenario-daemon-production.md
@@ -1,5 +1,6 @@
Title: Move a daemon app that calls web APIs to production - Microsoft identity platform | Azure
+ Title: Move a daemon app that calls web APIs to production | Azure
+ description: Learn how to move a daemon app that calls web APIs to production
@@ -13,7 +14,7 @@ Last updated 10/30/2019
-#Customer intent: As an application developer, I want to know how to write a daemon app that can call web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a daemon app that can call web APIs by using the Microsoft identity platform.
@@ -30,20 +31,17 @@ If you're an ISV creating a daemon application that can run in several tenants,
You'll need to explain to your customers how to perform these operations. For more info, see [Requesting consent for an entire tenant](v2-permissions-and-consent.md#requesting-consent-for-an-entire-tenant).
-[!INCLUDE [Move to production common steps](../../../includes/active-directory-develop-scenarios-production.md)]
+[!INCLUDE [Common steps to move to production](../../../includes/active-directory-develop-scenarios-production.md)]
-## Next steps
-
-Here are a few links to help you learn more:
+## Code samples
# [.NET](#tab/dotnet) -- Quickstart: [Acquire a token and call Microsoft Graph API from a console app by using app's identity](./quickstart-v2-netcore-daemon.md). - Reference documentation for: - Instantiating [ConfidentialClientApplication](/dotnet/api/microsoft.identity.client.confidentialclientapplicationbuilder). - Calling [AcquireTokenForClient](/dotnet/api/microsoft.identity.client.acquiretokenforclientparameterbuilder). - Other samples/tutorials:
- - [microsoft-identity-platform-console-daemon](https://github.com/Azure-Samples/microsoft-identity-platform-console-daemon) features a simple .NET Core daemon console application that displays the users of a tenant querying Microsoft Graph.
+ - [microsoft-identity-platform-console-daemon](https://github.com/Azure-Samples/microsoft-identity-platform-console-daemon) features a small .NET Core daemon console application that displays the users of a tenant querying Microsoft Graph.
![Sample daemon app topology](media/scenario-daemon-app/daemon-app-sample.svg)
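Review bot: besides renaming `## Next steps` to `## Code samples`, this hunk removes the `- Quickstart: [Acquire a token and call Microsoft Graph API from a console app by using app's identity](./quickstart-v2-netcore-daemon.md)` bullet from the .NET tab (the `--` prefixed line), while the Python tab in the following hunk keeps its quickstart link. Either keep the .NET quickstart link under the new heading or remove the Python one too, so the two tabs stay parallel; the commit message does not explain why only one was dropped.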
@@ -55,6 +53,12 @@ Here are a few links to help you learn more:
![topology](media/scenario-daemon-app/damon-app-sample-web.svg) ++
+## Next steps
+
+Here are a few links to help you learn more:
+ # [Python](#tab/python) Try the quickstart [Acquire a token and call Microsoft Graph API from a Python console app using app's identity](./quickstart-v2-python-daemon.md).
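Review bot: the new `## Next steps` heading is inserted between the `# [.NET](#tab/dotnet)` tab content and the `# [Python](#tab/python)` tab, which splits one tabbed group in two: the .NET sample now sits under `Code samples` while the Python and Java tabs fall under `Next steps`, and a tab set interrupted by an H2 does not render as a single set. Move the heading to after the Java tab (the end of the tab group), or put the per-language content for all three tabs under the same section.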
@@ -63,4 +67,4 @@ Try the quickstart [Acquire a token and call Microsoft Graph API from a Python c
MSAL Java is currently in public preview. For more info, see [MSAL Java dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/tree/dev/src/samples). -\ No newline at end of file+
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-acquire-token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-acquire-token.md a/articles/active-directory/develop/scenario-desktop-acquire-token.md
@@ -13,7 +13,7 @@
Last updated 01/06/2021
-#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
# Desktop app that calls web APIs: Acquire a token
@@ -436,7 +436,7 @@ To sign in a domain user on a domain or Azure AD joined machine, use Integrated
- This flow is enabled for .NET desktop, .NET Core, and UWP apps.
-For more information on consent, see [Microsoft identity platform permissions and consent](./v2-permissions-and-consent.md).
+For more information on consent, see the [Microsoft identity platform permissions and consent](./v2-permissions-and-consent.md).
### Learn how to use it
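Review bot: the `+` line inserts `the` in front of a link whose text is a document title, so `see the [Microsoft identity platform permissions and consent](./v2-permissions-and-consent.md)` is now missing a noun. Either keep the original `see [Microsoft identity platform permissions and consent](...)` or write `see the [permissions and consent](./v2-permissions-and-consent.md) article`.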
@@ -448,7 +448,7 @@ In MSAL.NET, you need to use:
AcquireTokenByIntegratedWindowsAuth(IEnumerable<string> scopes) ```
-You normally need only one parameter (`scopes`). Depending on the way your Windows administrator set up the policies, applications on your Windows machine might not be allowed to look up the signed-in user. In that case, use a second method, `.WithUsername()`, and pass in the username of the signed-in user as a UPN format, for example, `joe@contoso.com`. On .NET Core, only the overload taking the username is available because the .NET Core platform can't ask the username to the OS.
+You normally need only one parameter (`scopes`). Depending on the way your Windows administrator set up the policies, applications on your Windows machine might not be allowed to look up the signed-in user. In that case, use a second method, `.WithUsername()`, and pass in the username of the signed-in user as a UPN format, for example, `joe@contoso.com`.
The following sample presents the most current case, with explanations of the kind of exceptions you can get and their mitigations.
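Review bot: the `+` line deletes the sentence `On .NET Core, only the overload taking the username is available because the .NET Core platform can't ask the username to the OS.` without saying why. If the restriction has been lifted, state that and name the MSAL.NET version from which the parameterless `AcquireTokenByIntegratedWindowsAuth(scopes)` works on .NET Core; if it still applies, the deletion removes information .NET Core callers need, because the paragraph now implies the single-parameter call works on every platform and only an administrator policy would force the `.WithUsername()` overload.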
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-app-configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-app-configuration.md a/articles/active-directory/develop/scenario-desktop-app-configuration.md
@@ -1,5 +1,6 @@
Title: Configure desktop apps that call web APIs - Microsoft identity platform | Azure
+ Title: Configure desktop apps that call web APIs | Azure
+ description: Learn how to configure the code of a desktop app that calls web APIs
@@ -12,7 +13,7 @@
Last updated 10/30/2019
-#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
# Desktop app that calls web APIs: Code configuration
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-app-registration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-app-registration.md a/articles/active-directory/develop/scenario-desktop-app-registration.md
@@ -1,5 +1,6 @@
Title: Register desktop apps that call web APIs - Microsoft identity platform | Azure
+ Title: Register desktop apps that call web APIs | Azure
+ description: Learn how to build a desktop app that calls web APIs (app registration)
@@ -12,7 +13,7 @@
Last updated 09/09/2019
-#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
# Desktop app that calls web APIs: App registration
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-call-api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-call-api.md a/articles/active-directory/develop/scenario-desktop-call-api.md
@@ -1,5 +1,6 @@
Title: Call web APIs from a desktop app - Microsoft identity platform | Azure
+ Title: Call web APIs from a desktop app | Azure
+ description: Learn how to build a desktop app that calls web APIs
@@ -12,7 +13,7 @@
Last updated 10/30/2019
-#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
# Desktop app that calls web APIs: Call a web API
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-overview.md a/articles/active-directory/develop/scenario-desktop-overview.md
@@ -13,7 +13,7 @@
Last updated 05/18/2020
-#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
# Scenario: Desktop app that calls web APIs
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-desktop-production https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-desktop-production.md a/articles/active-directory/develop/scenario-desktop-production.md
@@ -1,5 +1,6 @@
Title: Move desktop app calling web APIs to production - Microsoft identity platform | Azure
+ Title: Move desktop app calling web APIs to production | Azure
+ description: Learn how to move a desktop app that calls web APIs to production
@@ -12,7 +13,7 @@
Last updated 10/30/2019
-#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a desktop app that calls web APIs by using the Microsoft identity platform.
# Desktop app that calls web APIs: Move to production
@@ -26,9 +27,9 @@ In the different flows, you've learned how to handle the errors for the silent f
## Have the user consent upfront for several resources > [!NOTE]
-> Getting consent for several resources works for Microsoft identity platform but not for Azure Active Directory (Azure AD) B2C. Azure AD B2C supports only admin consent, not user consent.
+> Getting consent for several resources works for the Microsoft identity platform but not for Azure Active Directory (Azure AD) B2C. Azure AD B2C supports only admin consent, not user consent.
-You can't get a token for several resources at once with the Microsoft identity platform (v2.0) endpoint. The `scopes` parameter can contain scopes for only a single resource. You can ensure that the user pre-consents to several resources by using the `extraScopesToConsent` parameter.
+You can't get a token for several resources at once with the Microsoft identity platform. The `scopes` parameter can contain scopes for only a single resource. You can ensure that the user pre-consents to several resources by using the `extraScopesToConsent` parameter.
For instance, you might have two resources that have two scopes each:
@@ -102,6 +103,11 @@ AcquireTokenSilent(scopesForVendorApi, accounts.FirstOrDefault()).ExecuteAsync()
For Microsoft personal account users, reprompting for consent on each native client (desktop or mobile app) call to authorize is the intended behavior. Native client identity is inherently insecure, which is contrary to confidential client application identity. Confidential client applications exchange a secret with the Microsoft Identity platform to prove their identity. The Microsoft identity platform chose to mitigate this insecurity for consumer services by prompting the user for consent each time the application is authorized.
+[!INCLUDE [Common steps to move to production](../../../includes/active-directory-develop-scenarios-production.md)]
+ ## Next steps
-[!INCLUDE [Move to production common steps](../../../includes/active-directory-develop-scenarios-production.md)]
+To try out additional samples, see [Desktop and mobile public client apps](sample-v2-code.md#desktop-and-mobile-public-client-apps).
+++
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-mobile-acquire-token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-mobile-acquire-token.md a/articles/active-directory/develop/scenario-mobile-acquire-token.md
@@ -14,7 +14,7 @@ Last updated 05/07/2019
-#Customer intent: As an application developer, I want to know how to write a mobile app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a mobile app that calls web APIs by using the Microsoft identity platform.
# Get a token for a mobile app that calls web APIs
@@ -25,7 +25,7 @@ Before your app can call protected web APIs, it needs an access token. This arti
When you request a token, you need to define a scope. The scope determines what data your app can access.
-The easiest way to define a scope is to combine the desired web API's `App ID URI` with the scope `.default`. This definition tells Microsoft identity platform that your app requires all scopes that are set in the portal.
+The easiest way to define a scope is to combine the desired web API's `App ID URI` with the scope `.default`. This definition tells the Microsoft identity platform that your app requires all scopes that are set in the portal.
### Android ```Java
@@ -240,7 +240,7 @@ The class defines the following constants:
##### WithExtraScopeToConsent
-Use the `WithExtraScopeToConsent` modifier in an advanced scenario where you want the user to provide upfront consent to several resources. You can use this modifier when you don't want to use incremental consent, which is normally used with MSAL.NET or Microsoft identity platform 2.0. For more information, see [Have the user consent upfront for several resources](scenario-desktop-production.md#have-the-user-consent-upfront-for-several-resources).
+Use the `WithExtraScopeToConsent` modifier in an advanced scenario where you want the user to provide upfront consent to several resources. You can use this modifier when you don't want to use incremental consent, which is normally used with MSAL.NET or the Microsoft identity platform. For more information, see [Have the user consent upfront for several resources](scenario-desktop-production.md#have-the-user-consent-upfront-for-several-resources).
Here's a code example:
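Review bot: the identifier in the heading and in the changed line is `WithExtraScopeToConsent`, while the desktop production article this paragraph links to names the parameter `extraScopesToConsent` (plural), and the MSAL.NET builder method is `WithExtraScopesToConsent`; since this hunk already touches the sentence, correct the spelling here and in the `##### WithExtraScopeToConsent` heading so the anchor and the API name match.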
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-mobile-app-configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-mobile-app-configuration.md a/articles/active-directory/develop/scenario-mobile-app-configuration.md
@@ -13,7 +13,7 @@
Last updated 06/16/2020
-#Customer intent: As an application developer, I want to know how to write a mobile app that calls web APIs using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a mobile app that calls web APIs using the Microsoft identity platform.
# Configure a mobile app that calls web APIs
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-mobile-call-api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-mobile-call-api.md a/articles/active-directory/develop/scenario-mobile-call-api.md
@@ -14,7 +14,7 @@ Last updated 05/18/2020
-#Customer intent: As an application developer, I want to know how to write a mobile app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a mobile app that calls web APIs by using the Microsoft identity platform.
# Call a web API from a mobile app
@@ -116,7 +116,7 @@ task.resume()
If you need to call the same API several times, or if you need to call multiple APIs, then consider the following subjects when you build your app: -- **Incremental consent**: Microsoft identity platform allows apps to get user consent when permissions are required rather than all at the start. Each time your app is ready to call an API, it should request only the scopes that it needs.
+- **Incremental consent**: The Microsoft identity platform allows apps to get user consent when permissions are required rather than all at the start. Each time your app is ready to call an API, it should request only the scopes that it needs.
- **Conditional access**: When you make several API requests, in certain scenarios you might have to meet additional conditional-access requirements. Requirements can increase in this way if the first request has no conditional-access policies and your app attempts to silently access a new API that requires conditional access. To handle this problem, be sure to catch errors from silent requests, and be prepared to make an interactive request. For more information, see [Guidance for conditional access](../azuread-dev/conditional-access-dev-guide.md).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-mobile-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-mobile-overview.md a/articles/active-directory/develop/scenario-mobile-overview.md
@@ -14,7 +14,7 @@ Last updated 05/07/2019
-#Customer intent: As an application developer, I want to know how to write a mobile app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a mobile app that calls web APIs by using the Microsoft identity platform.
# Scenario: Mobile application that calls web APIs
@@ -31,7 +31,7 @@ If you haven't already, create your first application by completing a quickstart
## Overview
-A personalized, seamless user experience is essential for mobile apps. Microsoft identity platform enables mobile developers to create that experience for iOS and Android users. Your application can sign in Azure Active Directory (Azure AD) users, personal Microsoft account users, and Azure AD B2C users. It can also acquire tokens to call a web API on their behalf. To implement these flows, we'll use the Microsoft Authentication Library (MSAL). MSAL implements the industry standard [OAuth2.0 authorization code flow](v2-oauth2-auth-code-flow.md).
+A personalized, seamless user experience is essential for mobile apps. The Microsoft identity platform enables mobile developers to create that experience for iOS and Android users. Your application can sign in Azure Active Directory (Azure AD) users, personal Microsoft account users, and Azure AD B2C users. It can also acquire tokens to call a web API on their behalf. To implement these flows, we'll use the Microsoft Authentication Library (MSAL). MSAL implements the industry standard [OAuth2.0 authorization code flow](v2-oauth2-auth-code-flow.md).
![Daemon apps](./media/scenarios/mobile-app.svg)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-mobile-production https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-mobile-production.md a/articles/active-directory/develop/scenario-mobile-production.md
@@ -31,18 +31,9 @@ For each Microsoft Authentication Library (MSAL) type, you can find sample code
- [MSAL iOS wiki](https://github.com/AzureAD/microsoft-authentication-library-for-objc/wiki) - [MSAL.NET wiki](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki)
-## Mitigate and investigate issues
-To better diagnose issues in your app, collect data. For information about the kinds of data that you can collect, see [Logging in MSAL applications](./msal-logging.md).
-
-Here are some suggestions for data collection:
--- Users might ask for help when they have problems. A best practice is to capture and temporarily store logs. Provide a location where users can upload the logs. MSAL provides logging extensions to capture detailed information about authentication.--- If telemetry is available, enable it through MSAL to gather data about how users sign in to your app.
+[!INCLUDE [Common steps to move to production](../../../includes/active-directory-develop-scenarios-production.md)]
## Next steps
-[!INCLUDE [Common steps to move to production](../../../includes/active-directory-develop-scenarios-production.md)]
- To try out additional samples, see [Desktop and mobile public client apps](sample-v2-code.md#desktop-and-mobile-public-client-apps).\ No newline at end of file
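Review bot: the removed "Mitigate and investigate issues" section was this article's only pointer to msal-logging.md and its only mention of capturing logs temporarily, giving users an upload location, and enabling MSAL telemetry; confirm the shared include `active-directory-develop-scenarios-production.md` restates that logging and telemetry guidance, otherwise the mobile article loses it entirely.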
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-protected-web-api-app-configuration.md a/articles/active-directory/develop/scenario-protected-web-api-app-configuration.md
@@ -52,7 +52,7 @@ HttpResponseMessage response = await _httpClient.GetAsync(apiUri);
``` > [!IMPORTANT]
-> A client application requests the bearer token to the Microsoft identity platform endpoint *for the web API*. The web API is the only application that should verify the token and view the claims it contains. Client apps should never try to inspect the claims in tokens.
+> A client application requests the bearer token to the Microsoft identity platform *for the web API*. The web API is the only application that should verify the token and view the claims it contains. Client apps should never try to inspect the claims in tokens.
> > In the future, the web API might require that the token be encrypted. This requirement would prevent access for client apps that can view access tokens.
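Review bot: the changed line reads "requests the bearer token to the Microsoft identity platform", which should be "requests the bearer token from the Microsoft identity platform *for the web API*"; since the line is already being edited to drop "endpoint", fix the preposition in the same pass.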
@@ -137,7 +137,7 @@ public void ConfigureServices(IServiceCollection services)
} ```
- Currently, the ASP.NET Core templates create Azure Active Directory (Azure AD) web APIs that sign in users within your organization or any organization. They don't sign in users with personal accounts. However, you can change the templates to use the Microsoft identity platform endpoint by using [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web) replacing the code in *Startup.cs*:
+ Currently, the ASP.NET Core templates create Azure Active Directory (Azure AD) web APIs that sign in users within your organization or any organization. They don't sign in users with personal accounts. However, you can change the templates to use the Microsoft identity platform by using [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web) replacing the code in *Startup.cs*:
```csharp using Microsoft.Identity.Web;
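Review bot: the changed sentence runs two actions together, "by using [Microsoft.Identity.Web](...) replacing the code in *Startup.cs*"; suggest "by using [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web) and replacing the code in *Startup.cs*".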
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-registration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-protected-web-api-app-registration.md a/articles/active-directory/develop/scenario-protected-web-api-app-registration.md
@@ -24,7 +24,7 @@ For the common steps to register an app, see [Quickstart: Register an applicatio
## Accepted token version
-The Microsoft identity platform endpoint can issue v1.0 tokens and v2.0 tokens. For more information about these tokens, see [Access tokens](access-tokens.md).
+The Microsoft identity platform can issue v1.0 tokens and v2.0 tokens. For more information about these tokens, see [Access tokens](access-tokens.md).
The token version your API may accept depends on your **Supported account types** selection when you create your web API application registration in the Azure portal.
@@ -41,7 +41,7 @@ After you create the application, you can determine or change the accepted token
1. If you changed the token version, select **Save**. > [!NOTE]
-> The web API specifies which token version it accepts. When a client requests a token for your web API from the Microsoft identity platform (v2.0) endpoint, the client gets a token that indicates which token version the web API accepts.
+> The web API specifies which token version it accepts. When a client requests a token for your web API from the Microsoft identity platform, the client gets a token that indicates which token version the web API accepts.
## No redirect URI
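Review bot: the changed note's phrase "the client gets a token that indicates which token version the web API accepts" is ambiguous; the preceding context line says the web API's registration decides the version, so suggest "the client gets a token in the version that the web API accepts".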
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-production https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-protected-web-api-production.md a/articles/active-directory/develop/scenario-protected-web-api-production.md
@@ -18,9 +18,9 @@
# Protected web API - move to production
-Now that you know how to protect your web API, here's how you can move it to production.
+Now that you know how to protect your web API, here are some things to consider when moving your application to production.
-[!INCLUDE [Move to production common steps](../../../includes/active-directory-develop-scenarios-production.md)]
+[!INCLUDE [Common steps to move to production](../../../includes/active-directory-develop-scenarios-production.md)]
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-acquire-token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-spa-acquire-token.md a/articles/active-directory/develop/scenario-spa-acquire-token.md
@@ -1,5 +1,6 @@
Title: Acquire a token to call a web API (single-page apps) - Microsoft identity platform | Azure
+ Title: Acquire a token to call a web API (single-page apps) | Azure
+ description: Learn how to build a single-page application (acquire a token to call an API)
@@ -12,7 +13,7 @@
Last updated 08/20/2019
-#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
# Single-page application: Acquire a token to call an API
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-app-configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-spa-app-configuration.md a/articles/active-directory/develop/scenario-spa-app-configuration.md
@@ -1,5 +1,6 @@
Title: Configure single-page app - Microsoft identity platform | Azure
+ Title: Configure single-page app | Azure
+ description: Learn how to build a single-page application (app's code configuration)
@@ -12,7 +13,7 @@
Last updated 02/11/2020
-#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
# Single-page application: Code configuration
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-app-registration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-spa-app-registration.md a/articles/active-directory/develop/scenario-spa-app-registration.md
@@ -12,7 +12,7 @@
Last updated 05/19/2020
-# Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform for developers.
+# Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
# Single-page application: App registration
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-call-api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-spa-call-api.md a/articles/active-directory/develop/scenario-spa-call-api.md
@@ -1,5 +1,6 @@
Title: Build single-page app calling a web API - Microsoft identity platform | Azure
+ Title: Build single-page app calling a web API
+ description: Learn how to build a single-page application that calls a web API
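Review bot: the new title `Build single-page app calling a web API` drops the `| Azure` suffix that the other retitled pages in this change set keep (for example `Acquire a token to call a web API (single-page apps) | Azure` in scenario-spa-acquire-token); the same omission recurs in the scenario-spa-overview, scenario-spa-production and scenario-spa-sign-in title hunks, so either add the suffix here or drop it consistently.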
@@ -12,7 +13,7 @@
Last updated 05/06/2019
-#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
# Single-page application: Call a web API
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-spa-overview.md a/articles/active-directory/develop/scenario-spa-overview.md
@@ -1,5 +1,6 @@
Title: JavaScript single-page app scenario - Microsoft identity platform | Azure
+ Title: JavaScript single-page app scenario
+ description: Learn how to build a single-page application (scenario overview) by using the Microsoft identity platform.
@@ -12,7 +13,7 @@
Last updated 05/07/2019
-#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
# Scenario: Single-page application
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-production https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-spa-production.md a/articles/active-directory/develop/scenario-spa-production.md
@@ -1,5 +1,6 @@
Title: Move single-page app to production - Microsoft identity platform | Azure
+ Title: Move single-page app to production
+ description: Learn how to build a single-page application (move to production)
@@ -12,20 +13,14 @@
Last updated 05/07/2019
-#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
# Single-page application: Move to production
-Now that you know how to acquire a token to call web APIs, learn how to move to production.
+Now that you know how to acquire a token to call web APIs, here are some things to consider when moving your application to production.
-## Improve your app
-
-[Enable logging](msal-logging.md) to make your app production ready.
-
-## Test your integration
-
-Test your integration by following the [Microsoft identity platform integration checklist](identity-platform-integration-checklist.md).
+[!INCLUDE [Common steps to move to production](../../../includes/active-directory-develop-scenarios-production.md)]
## Deploy your app
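Review bot: the hunk removes the "Improve your app" and "Test your integration" sections, and with them this article's only links to msal-logging.md and identity-platform-integration-checklist.md; verify that the shared include restates both steps (enable logging, run the integration checklist) before merging, since the SPA page otherwise loses the checklist step.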
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-sign-in https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-spa-sign-in.md a/articles/active-directory/develop/scenario-spa-sign-in.md
@@ -1,5 +1,6 @@
Title: Single-page app sign-in & sign-out - Microsoft identity platform | Azure
+ Title: Single-page app sign-in & sign-out
+ description: Learn how to build a single-page application (sign-in)
@@ -12,7 +13,7 @@
Last updated 02/11/2020
-#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
# Single-page application: Sign-in and Sign-out
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-api-call-api-acquire-token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-api-call-api-acquire-token.md a/articles/active-directory/develop/scenario-web-api-call-api-acquire-token.md
@@ -13,7 +13,7 @@
Last updated 07/15/2020
-#Customer intent: As an application developer, I want to know how to write a web API that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web API that calls web APIs by using the Microsoft identity platform.
# A web API that calls web APIs: Acquire a token for the app
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-api-call-api-app-configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-api-call-api-app-configuration.md a/articles/active-directory/develop/scenario-web-api-call-api-app-configuration.md
@@ -13,7 +13,7 @@
Last updated 09/26/2020
-#Customer intent: As an application developer, I want to know how to write a web API that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web API that calls web APIs by using the Microsoft identity platform.
# A web API that calls web APIs: Code configuration
@@ -249,7 +249,7 @@ You can also see an example of OBO flow implementation in [Node.js and Azure Fun
## Protocol
-For more information about the OBO protocol, see [Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow](./v2-oauth2-on-behalf-of-flow.md).
+For more information about the OBO protocol, see the [Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow](./v2-oauth2-on-behalf-of-flow.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-api-call-api-app-registration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-api-call-api-app-registration.md a/articles/active-directory/develop/scenario-web-api-call-api-app-registration.md
@@ -1,5 +1,6 @@
Title: Register a web API that calls web APIs - Microsoft identity platform | Azure
+ Title: Register a web API that calls web APIs | Azure
+ description: Learn how to build a web API that calls downstream web APIs (app registration).
@@ -12,7 +13,7 @@
Last updated 05/07/2019
-#Customer intent: As an application developer, I want to know how to write a web API that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web API that calls web APIs by using the Microsoft identity platform.
# A web API that calls web APIs: App registration
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-api-call-api-call-api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-api-call-api-call-api.md a/articles/active-directory/develop/scenario-web-api-call-api-call-api.md
@@ -1,5 +1,6 @@
Title: Web API that calls web APIs - Microsoft identity platform | Azure
+ Title: Web API that calls web APIs | Azure
+ description: Learn how to build a web API that calls web APIs.
@@ -12,7 +13,7 @@
Last updated 09/26/2020
-#Customer intent: As an application developer, I want to know how to write a web API that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web API that calls web APIs by using the Microsoft identity platform.
# A web API that calls web APIs: Call an API
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-api-call-api-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-api-call-api-overview.md a/articles/active-directory/develop/scenario-web-api-call-api-overview.md
@@ -1,5 +1,6 @@
Title: Build a web API that calls web APIs - Microsoft identity platform | Azure
+ Title: Build a web API that calls web APIs | Azure
+ description: Learn how to build a web API that calls downstream web APIs (overview).
@@ -12,7 +13,7 @@
Last updated 05/07/2019
-#Customer intent: As an application developer, I want to know how to write a web API that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web API that calls web APIs by using the Microsoft identity platform.
# Scenario: A web API that calls web APIs
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-api-call-api-production https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-api-call-api-production.md a/articles/active-directory/develop/scenario-web-api-call-api-production.md
@@ -1,5 +1,6 @@
Title: Move web API calling web APIs to production - Microsoft identity platform | Azure
+ Title: Move web API calling web APIs to production | Azure
+ description: Learn how to move a web API that calls web APIs to production.
@@ -12,19 +13,19 @@
Last updated 05/07/2019
-#Customer intent: As an application developer, I want to know how to write a web API that calls web APIs using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web API that calls web APIs using the Microsoft identity platform.
# A web API that calls web APIs: Move to production
-After you've acquired a token to call web APIs, you can move your app to production.
+After you've acquired a token to call web APIs, here are some things to consider when moving your application to production.
-[!INCLUDE [Move to production common steps](../../../includes/active-directory-develop-scenarios-production.md)]
+[!INCLUDE [Common steps to move to production](../../../includes/active-directory-develop-scenarios-production.md)]
-## Learn more
+## Next steps
Now that you know the basics of how to call web APIs from your own web API, you might be interested in the following tutorial, which describes the code that's used to build a protected web API that calls web APIs. | Sample | Platform | Description | |--|-|-|
-| [active-directory-aspnetcore-webapi-tutorial-v2](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph) chapter 1 | ASP.NET Core web API, Desktop (WPF) | ASP.NET Core web API calls Microsoft Graph, which you call from a WPF application by using the Microsoft identity platform (v2.0). |
+| [active-directory-aspnetcore-webapi-tutorial-v2](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph) chapter 1 | ASP.NET Core web API, Desktop (WPF) | ASP.NET Core web API calls Microsoft Graph, which you call from a WPF application by using the Microsoft identity platform. |
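Review bot: the changed table row still says "chapter 1" while its URL targets the `2.%20Web%20API%20now%20calls%20Microsoft%20Graph` folder, and the link text `active-directory-aspnetcore-webapi-tutorial-v2` does not match the repository in the URL (`active-directory-dotnet-native-aspnetcore-v2`); since the row is being edited anyway, align the chapter number and the sample name with the link target.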
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-acquire-token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-app-call-api-acquire-token.md a/articles/active-directory/develop/scenario-web-app-call-api-acquire-token.md
@@ -13,7 +13,7 @@
Last updated 09/25/2020
-#Customer intent: As an application developer, I want to know how to write a web app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web app that calls web APIs by using the Microsoft identity platform.
# A web app that calls web APIs: Acquire a token for the app
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-app-configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-app-call-api-app-configuration.md a/articles/active-directory/develop/scenario-web-app-call-api-app-configuration.md
@@ -13,7 +13,7 @@
Last updated 09/25/2020
-#Customer intent: As an application developer, I want to know how to write a web app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web app that calls web APIs by using the Microsoft identity platform.
# A web app that calls web APIs: Code configuration
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-app-registration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-app-call-api-app-registration.md a/articles/active-directory/develop/scenario-web-app-call-api-app-registration.md
@@ -1,5 +1,6 @@
Title: Register a web app that calls web APIs - Microsoft identity platform | Azure
+ Title: Register a web app that calls web APIs | Azure
+ description: Learn how to register a web app that calls web APIs
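Review bot: the header `@@ -1,5 +1,6 @@` accounts for one net added line, yet the hunk shows two `+` lines and the original `Title: Register a web app that calls web APIs - Microsoft identity platform | Azure` line carries no `-`. Confirm the old title line is actually removed (the front matter must not end up with two title keys), and that the new `Title` and `description` keys are not indented by the leading space shown in `+ Title:` / `+ description:`, since YAML metadata keys must line up with the rest of the block.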
@@ -12,7 +13,7 @@
Last updated 05/07/2019
-#Customer intent: As an application developer, I want to know how to write a web app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web app that calls web APIs by using the Microsoft identity platform.
# A web app that calls web APIs: App registration
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-call-api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-app-call-api-call-api.md a/articles/active-directory/develop/scenario-web-app-call-api-call-api.md
@@ -13,7 +13,7 @@
Last updated 09/25/2020
-#Customer intent: As an application developer, I want to know how to write a web app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web app that calls web APIs by using the Microsoft identity platform.
# A web app that calls web APIs: Call a web API
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-app-call-api-overview.md a/articles/active-directory/develop/scenario-web-app-call-api-overview.md
@@ -1,5 +1,6 @@
Title: Build a web app that calls web APIs - Microsoft identity platform | Azure
+ Title: Build a web app that calls web APIs | Azure
+ description: Learn how to build a web app that calls web APIs (overview)
@@ -12,7 +13,7 @@
Last updated 07/14/2020
-#Customer intent: As an application developer, I want to know how to write a web app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web app that calls web APIs by using the Microsoft identity platform.
# Scenario: A web app that calls web APIs
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-production https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-app-call-api-production.md a/articles/active-directory/develop/scenario-web-app-call-api-production.md
@@ -1,5 +1,6 @@
Title: Move to production a web app that calls web APIs - Microsoft identity platform | Azure
+ Title: Move to production a web app that calls web APIs | Azure
+ description: Learn how to move to production a web app that calls web APIs.
@@ -12,12 +13,12 @@
Last updated 05/07/2019
-#Customer intent: As an application developer, I want to know how to write a web app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web app that calls web APIs by using the Microsoft identity platform.
# A web app that calls web APIs: Move to production
-Now that you know how to acquire a token to call web APIs, learn how to move to production.
+Now that you know how to acquire a token to call web APIs, here are some things to consider when moving your application to production.
[!INCLUDE [Common steps to move to production](../../../includes/active-directory-develop-scenarios-production.md)]
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-sign-in https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-app-call-api-sign-in.md a/articles/active-directory/develop/scenario-web-app-call-api-sign-in.md
@@ -1,5 +1,6 @@
Title: Remove accounts from the token cache on sign-out - Microsoft identity platform | Azure
+ Title: Remove accounts from the token cache on sign-out | Azure
+ description: Learn how to remove an account from the token cache on sign-out
@@ -12,7 +13,7 @@
Last updated 07/14/2019
-#Customer intent: As an application developer, I want to know how to write a web app that calls web APIs by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web app that calls web APIs by using the Microsoft identity platform.
# A web app that calls web APIs: Remove accounts from the token cache on global sign-out
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-app-configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-app-sign-user-app-configuration.md a/articles/active-directory/develop/scenario-web-app-sign-user-app-configuration.md
@@ -1,5 +1,6 @@
Title: Configure a web app that signs in users - Microsoft identity platform | Azure
+ Title: Configure a web app that signs in users | Azure
+ description: Learn how to build a web app that signs in users (code configuration)
@@ -12,7 +13,7 @@
Last updated 07/14/2020
-#Customer intent: As an application developer, I want to know how to write a web app that signs in users by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web app that signs in users by using the Microsoft identity platform.
# Web app that signs in users: Code configuration
@@ -199,7 +200,7 @@ SESSION_TYPE = "filesystem" # So the token cache will be stored in a server-sid
## Initialization code
-The initialization code is different depending on the platform. For ASP.NET Core and ASP.NET, signing in users is delegated to the OpenID Connect middleware. The ASP.NET or ASP.NET Core template generates web applications for the Azure Active Directory (Azure AD) v1.0 endpoint. Some configuration is required to adapt them to the Microsoft identity platform (v2.0) endpoint. In the case of Java, it's handled by Spring with the cooperation of the application.
+The initialization code is different depending on the platform. For ASP.NET Core and ASP.NET, signing in users is delegated to the OpenID Connect middleware. The ASP.NET or ASP.NET Core template generates web applications for the Azure Active Directory (Azure AD) v1.0 endpoint. Some configuration is required to adapt them to the Microsoft identity platform. In the case of Java, it's handled by Spring with the cooperation of the application.
# [ASP.NET Core](#tab/aspnetcore)
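Review bot: the preceding sentence in this paragraph still contrasts the "Azure Active Directory (Azure AD) v1.0 endpoint", so after "(v2.0) endpoint" is removed the reader no longer sees what the template is being adapted from and to. Consider "Some configuration is required to adapt them to the Microsoft identity platform (v2.0) endpoint" or rephrase the v1.0 sentence in the same terms so the two still read as a pair.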
@@ -259,7 +260,7 @@ In the code above:
- The `AddMicrosoftIdentityWebAppAuthentication` extension method is defined in **Microsoft.Identity.Web**. It: - Adds the authentication service. - Configures options to read the configuration file (here from the "AzureAD" section)
- - Configures the OpenID Connect options so that the authority is the Microsoft identity platform endpoint.
+ - Configures the OpenID Connect options so that the authority is the Microsoft identity platform.
- Validates the issuer of the token. - Ensures that the claims corresponding to name are mapped from the `preferred_username` claim in the ID token.
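Review bot: "so that the authority is the Microsoft identity platform" is imprecise, because the authority is a URL rather than the platform itself; the previous wording at least pointed at an endpoint. Suggest "so that the authority is the Microsoft identity platform authority URL (for example `https://login.microsoftonline.com/common/v2.0`)", which is the value the ASP.NET snippet later in this commit shows.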
@@ -288,7 +289,7 @@ The code related to authentication in an ASP.NET web app and web APIs is located
app.UseOpenIdConnectAuthentication( new OpenIdConnectAuthenticationOptions {
- // `Authority` represents the identity platform endpoint - https://login.microsoftonline.com/common/v2.0.
+ // Authority` represents the identity platform endpoint - https://login.microsoftonline.com/common/v2.0.
// `Scope` describes the initial permissions that your app will need. // See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/. ClientId = clientId,
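Review bot: the `+` comment line drops the opening backtick before `Authority`, leaving "// Authority` represents ..." with an unbalanced backtick, while the next comment line still reads `` `Scope` `` with both. The comment text is otherwise unchanged, so this hunk looks like an accidental edit; restore the original line "// `Authority` represents the identity platform endpoint - https://login.microsoftonline.com/common/v2.0." or, if the intent was to align with the rest of this commit, rewrite the whole comment rather than removing one character.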
@@ -313,7 +314,7 @@ For details, see the `doFilter()` method in [AuthFilter.java](https://github.com
> [!NOTE] > The code of the `doFilter()` is written in a slightly different order, but the flow is the one described.
-For details about the authorization code flow that this method triggers, see [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md).
+For details about the authorization code flow that this method triggers, see the [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md).
# [Python](#tab/python)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-app-registration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-app-sign-user-app-registration.md a/articles/active-directory/develop/scenario-web-app-sign-user-app-registration.md
@@ -1,5 +1,6 @@
Title: Register a web app that signs in users - Microsoft identity platform | Azure
+ Title: Register a web app that signs in users | Azure
+ description: Learn how to register a web app that signs in users
@@ -12,7 +13,7 @@
Last updated 07/14/2020
-#Customer intent: As an application developer, I want to know how to write a web app that signs in users by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web app that signs in users by using the Microsoft identity platform.
# Web app that signs in users: App registration
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-app-sign-user-overview.md a/articles/active-directory/develop/scenario-web-app-sign-user-overview.md
@@ -1,5 +1,6 @@
Title: Sign in users from a Web app - Microsoft identity platform | Azure
+ Title: Sign in users from a Web app | Azure
+ description: Learn how to build a web app that signs in users (overview)
@@ -12,7 +13,7 @@
Last updated 09/17/2019
-#Customer intent: As an application developer, I want to know how to write a web app that signs in users by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web app that signs in users by using the Microsoft identity platform.
# Scenario: Web app that signs in users
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-production https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-app-sign-user-production.md a/articles/active-directory/develop/scenario-web-app-sign-user-production.md
@@ -1,5 +1,6 @@
Title: Move web app that signs in users to production - Microsoft identity platform | Azure
+ Title: Move web app that signs in users to production | Azure
+ description: Learn how to build a web app that signs in users (move to production)
@@ -12,23 +13,19 @@
Last updated 09/17/2019
-#Customer intent: As an application developer, I want to know how to write a web app that signs in users by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web app that signs in users by using the Microsoft identity platform.
# Web app that signs in users: Move to production
-Now that you know how to get a token to call web APIs, learn how to move it to production.
+Now that you know how to get a token to call web APIs, here are some things to consider when moving your application to production.
-[!INCLUDE [Move to production common steps](../../../includes/active-directory-develop-scenarios-production.md)]
+[!INCLUDE [Common steps to move to production](../../../includes/active-directory-develop-scenarios-production.md)]
## Troubleshooting-
-> [!NOTE]
-> When users sign-in to the web application for the first time, they will need to consent. However, in some organizations, users can see a message like the following:
->
-> *AppName needs permissions to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.*
->
-> This is because your tenant administrator has **disabled** the ability for users to consent. In that case, you need to contact your tenant administrators so that they do an admin-consent for the scopes required by the application.
+When users sign-in to the web application for the first time, they will need to consent. However, in some organizations, users can see a message like the following:
+*AppName needs permissions to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.*
+This is because your tenant administrator has **disabled** the ability for users to consent. In that case, you need to contact your tenant administrators so that they do an admin-consent for the scopes required by the application.
## Same site
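Review bot: the new intro "Now that you know how to get a token to call web APIs, here are some things to consider when moving your application to production" is the sentence from the "calls web APIs" article, but this file is `scenario-web-app-sign-user-production.md` with the H1 "Web app that signs in users: Move to production", so it should read "Now that you know how to sign in users, ...". Two smaller points in the same hunk: "When users sign-in to the web application" uses the noun form as a verb (should be "sign in"), and the context heading `## Troubleshooting-` carries a stray trailing hyphen that could be dropped while this block is being rewritten.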
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-sign-in https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-web-app-sign-user-sign-in.md a/articles/active-directory/develop/scenario-web-app-sign-user-sign-in.md
@@ -1,5 +1,6 @@
Title: Write a web app that signs in/out users - Microsoft identity platform | Azure
+ Title: Write a web app that signs in/out users | Azure
+ description: Learn how to build a web app that signs in/out users
@@ -12,7 +13,7 @@
Last updated 07/14/2020
-#Customer intent: As an application developer, I want to know how to write a web app that signs in users by using the Microsoft identity platform for developers.
+#Customer intent: As an application developer, I want to know how to write a web app that signs in users by using the Microsoft identity platform.
# Web app that signs in users: Sign-in and sign-out
@@ -210,7 +211,7 @@ After the user has signed in to your app, you'll want to enable them to sign out
Signing out from a web app involves more than removing the information about the signed-in account from the web app's state. The web app must also redirect the user to the Microsoft identity platform `logout` endpoint to sign out.
-When your web app redirects the user to the `logout` endpoint, this endpoint clears the user's session from the browser. If your app didn't go to the `logout` endpoint, the user will reauthenticate to your app without entering their credentials again. The reason is that they'll have a valid single sign-in session with the Microsoft identity platform endpoint.
+When your web app redirects the user to the `logout` endpoint, this endpoint clears the user's session from the browser. If your app didn't go to the `logout` endpoint, the user will reauthenticate to your app without entering their credentials again. The reason is that they'll have a valid single sign-in session with the Microsoft identity platform.
To learn more, see the [Send a sign-out request](v2-protocols-oidc.md#send-a-sign-out-request) section in the [Microsoft identity platform and the OpenID Connect protocol](v2-protocols-oidc.md) documentation.
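Review bot: the edited sentence ends "a valid single sign-in session with the Microsoft identity platform"; the established term for that session is "single sign-on session" (SSO), and "sign-in" as the modifier reads as a slip. Since the line is already being touched, suggest "a valid single sign-on session with the Microsoft identity platform".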
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/security-tokens https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/security-tokens.md a/articles/active-directory/develop/security-tokens.md
@@ -1,7 +1,7 @@
Title: Security tokens | Azure
-description: Learn about the basics of security tokens in Microsoft identity platform (v2.0).
+description: Learn about the basics of security tokens in the Microsoft identity platform.
@@ -19,13 +19,13 @@
# Security tokens
-A centralized identity provider is especially useful for apps that have users located around the globe that don't necessarily sign in from the enterprise's network. Microsoft identity platform authenticates users and provides security tokens, such as [access token](developer-glossary.md#access-token), [refresh token](developer-glossary.md#refresh-token), and [ID token](developer-glossary.md#id-token), that allow a [client application](developer-glossary.md#client-application) to access protected resources on a [resource server](developer-glossary.md#resource-server).
+A centralized identity provider is especially useful for apps that have users located around the globe that don't necessarily sign in from the enterprise's network. The Microsoft identity platform authenticates users and provides security tokens, such as [access token](developer-glossary.md#access-token), [refresh token](developer-glossary.md#refresh-token), and [ID token](developer-glossary.md#id-token), that allow a [client application](developer-glossary.md#client-application) to access protected resources on a [resource server](developer-glossary.md#resource-server).
-An **access token** is a security token that is issued by an [authorization server](developer-glossary.md#authorization-server) as part of an [OAuth 2.0](active-directory-v2-protocols.md) flow. It contains information about the user and the app for which the token is intended; which can be used to access web APIs and other protected resources. To learn more about how Microsoft identity platform issues access tokens, see [Access tokens](access-tokens.md).
+An **access token** is a security token that is issued by an [authorization server](developer-glossary.md#authorization-server) as part of an [OAuth 2.0](active-directory-v2-protocols.md) flow. It contains information about the user and the app for which the token is intended; which can be used to access web APIs and other protected resources. To learn more about how the Microsoft identity platform issues access tokens, see [Access tokens](access-tokens.md).
-Access tokens are only valid for a short period of time, so authorization servers will sometimes issue a **refresh token** at the same time the access token is issued. The client application can then exchange this refresh token for a new access token when needed. To learn more about how Microsoft identity platform uses refresh tokens to revoke permissions, see [Token revocation](access-tokens.md#token-revocation).
+Access tokens are only valid for a short period of time, so authorization servers will sometimes issue a **refresh token** at the same time the access token is issued. The client application can then exchange this refresh token for a new access token when needed. To learn more about how the Microsoft identity platform uses refresh tokens to revoke permissions, see [Token revocation](access-tokens.md#token-revocation).
-**ID tokens** are sent to the client application as part of an [OpenID Connect](v2-protocols-oidc.md) flow. They can be sent along side or instead of an access token, and are used by the client to authenticate the user. To learn more about how Microsoft identity platform issues ID tokens, see [ID tokens](id-tokens.md).
+**ID tokens** are sent to the client application as part of an [OpenID Connect](v2-protocols-oidc.md) flow. They can be sent along side or instead of an access token, and are used by the client to authenticate the user. To learn more about how the Microsoft identity platform issues ID tokens, see [ID tokens](id-tokens.md).
> [!NOTE] > This article discusses security tokens used by the OAuth2 and OpenID Connect protocols. Many enterprise applications use SAML to authenticate users. See [Azure AD SAML token reference](reference-saml-tokens.md) for information on SAML assertions.
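Review bot: the `+` lines carry forward two pre-existing slips that are worth fixing while these sentences are being edited: "information about the user and the app for which the token is intended; which can be used to access web APIs" uses a semicolon before a relative clause (use a comma, or "and it can be used"), and "sent along side or instead of an access token" should be "sent alongside or instead of an access token".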
@@ -43,7 +43,7 @@ Access tokens are passed to a web API as the bearer token in the `Authorization`
## JSON Web Tokens (JWTs) and claims
-Microsoft identity platform implements security tokens as **JSON Web Tokens (JWTs)** that contain **claims**. Since JWTs are used as security tokens, this form of authentication is sometimes called **JWT authentication**.
+The Microsoft identity platform implements security tokens as **JSON Web Tokens (JWTs)** that contain **claims**. Since JWTs are used as security tokens, this form of authentication is sometimes called **JWT authentication**.
A [claim](developer-glossary.md#claim) provides assertions about one entity, such as a client application or [resource owner](developer-glossary.md#resource-owner), to another entity, such as a resource server. A claim may also be referred to as a JWT claim or JSON Web Token claim.
@@ -64,7 +64,7 @@ A claim consists of key-value pairs that provide information such as the:
* Audience, which is the app for which the token was generated * App (the client) that asked for the token. In the case of web apps, this may be the same as the audience
-To learn more about how Microsoft identity platform implements tokens and claim information, see [access tokens](access-tokens.md) and [ID tokens](id-tokens.md).
+To learn more about how the Microsoft identity platform implements tokens and claim information, see [access tokens](access-tokens.md) and [ID tokens](id-tokens.md).
## How each flow emits tokens and codes
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/single-multi-account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/single-multi-account.md a/articles/active-directory/develop/single-multi-account.md
@@ -113,7 +113,7 @@ Use one or more accounts in your application by calling `acquireToken` one or mo
- Call `getAccount` to get a specific account. - Call `getAccounts`to get a list of accounts currently known to the app.
-Your app won't be able to enumerate all Microsoft identity platform accounts on the device known to the broker app. It can only enumerate accounts that have been used by your app. Accounts that have been removed from the device won't be returned by these functions.
+Your app won't be able to enumerate all the Microsoft identity platform accounts on the device known to the broker app. It can only enumerate accounts that have been used by your app. Accounts that have been removed from the device won't be returned by these functions.
### Remove an account
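Review bot: the context line "- Call `getAccounts`to get a list of accounts currently known to the app" is missing the space after the closing backtick; since the paragraph directly below it is being edited, fold that one-character fix into this hunk.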
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/sso-between-adal-msal-apps-macos-ios https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/sso-between-adal-msal-apps-macos-ios.md a/articles/active-directory/develop/sso-between-adal-msal-apps-macos-ios.md
@@ -1,6 +1,7 @@
Title: SSO between ADAL & MSAL apps (iOS/macOS) - Microsoft identity platform | Azure
-description:
+ Title: SSO between ADAL & MSAL apps (iOS/macOS) | Azure
+
+description: Learn how to share SSO between ADAL and MSAL apps
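Review bot: the front-matter keys end up at different indentations: `+ Title:` has a leading space while `+description:` starts at column one, and a blank `+` line is inserted between them. YAML metadata keys must share indentation, so drop the leading space and the blank line. Replacing the previously empty `-description:` with a real description is a good change.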
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/supported-accounts-validation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/supported-accounts-validation.md a/articles/active-directory/develop/supported-accounts-validation.md
@@ -1,6 +1,7 @@
# required metadata Title: Validation differences by supported account types - Microsoft identity platform | Azure
+ Title: Validation differences by supported account types | Azure
+ description: Learn about the validation differences of various properties for different supported account types when registering your app with the Microsoft identity platform.
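Review bot: `@@ -1,6 +1,7 @@` reports one net added line while two `+` lines appear, and the original `Title:` line (run together with `# required metadata` in this rendering) shows no `-`; confirm the old title is removed rather than duplicated. Both new keys are also shown indented by one space (`+ Title:`, `+ description:`), which would put them at a different level from the other metadata keys; they should start at column one.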
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/troubleshoot-publisher-verification https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/troubleshoot-publisher-verification.md a/articles/active-directory/develop/troubleshoot-publisher-verification.md
@@ -1,6 +1,7 @@
Title: Troubleshoot publisher verification - Microsoft identity platform | Azure
-description: Describes how to troubleshoot publisher verification for Microsoft identity platform by calling Microsoft Graph APIs.
+ Title: Troubleshoot publisher verification | Azure
+
+description: Describes how to troubleshoot publisher verification for the Microsoft identity platform by calling Microsoft Graph APIs.
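Review bot: `+ Title:` is indented by one space while `+description:` starts at column one, with a blank `+` line between them; YAML front-matter keys must share indentation, so remove the leading space and the empty line so the two keys sit together.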
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-android https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-android.md a/articles/active-directory/develop/tutorial-v2-android.md
@@ -18,7 +18,7 @@
# Tutorial: Sign in users and call the Microsoft Graph API from an Android application
-In this tutorial, you build an Android app that integrates with Microsoft identity platform to sign in users and get an access token to call the Microsoft Graph API.
+In this tutorial, you build an Android app that integrates with the Microsoft identity platform to sign in users and get an access token to call the Microsoft Graph API.
When you've completed this tutorial, your application will accept sign-ins of personal Microsoft accounts (including outlook.com, live.com, and others) as well as work or school accounts from any company or organization that uses Azure Active Directory.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-angular https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-angular.md a/articles/active-directory/develop/tutorial-v2-angular.md
@@ -267,7 +267,7 @@ For example:
#### Get a user token interactively
-Sometimes you need the user to interact with the Microsoft identity platform endpoint. For example:
+Sometimes you need the user to interact with the Microsoft identity platform. For example:
* Users might need to reenter their credentials because their password has expired. * Your application is requesting access to additional resource scopes that the user needs to consent to.
@@ -275,7 +275,7 @@ Sometimes you need the user to interact with the Microsoft identity platform end
The recommended pattern for most applications is to call `acquireTokenSilent` first, then catch the exception, and then call `acquireTokenPopup` (or `acquireTokenRedirect`) to start an interactive request.
-Calling `acquireTokenPopup` results in a pop-up sign-in window. Alternatively, `acquireTokenRedirect` redirects users to the Microsoft identity platform endpoint. In that window, users need to confirm their credentials, give consent to the required resource, or complete two-factor authentication.
+Calling `acquireTokenPopup` results in a pop-up sign-in window. Alternatively, `acquireTokenRedirect` redirects users to the Microsoft identity platform. In that window, users need to confirm their credentials, give consent to the required resource, or complete two-factor authentication.
```javascript const requestObj = {
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-asp-webapp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-asp-webapp.md a/articles/active-directory/develop/tutorial-v2-asp-webapp.md
@@ -19,7 +19,7 @@
In this tutorial, you build an ASP.NET MVC web app that signs in users by using the Open Web Interface for .NET (OWIN) middleware and the Microsoft identity platform.
-When you've completed this guide, your application will be able to accept sign-ins of personal accounts from the likes of outlook.com and live.com. Additionally, work and school accounts from any company or organization that's integrated with Microsoft identity platform will be able to sign in to your app.
+When you've completed this guide, your application will be able to accept sign-ins of personal accounts from the likes of outlook.com and live.com. Additionally, work and school accounts from any company or organization that's integrated with the Microsoft identity platform will be able to sign in to your app.
In this tutorial:
@@ -115,7 +115,7 @@ The following steps are used to create an OWIN middleware Startup class to confi
// Tenant is the tenant ID (e.g. contoso.onmicrosoft.com, or 'common' for multi-tenant) static string tenant = System.Configuration.ConfigurationManager.AppSettings["Tenant"];
- // Authority is the URL for authority, composed by Microsoft identity platform endpoint and the tenant name (e.g. https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0)
+ // Authority is the URL for authority, composed of the Microsoft identity platform and the tenant name (e.g. https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0)
string authority = String.Format(System.Globalization.CultureInfo.InvariantCulture, System.Configuration.ConfigurationManager.AppSettings["Authority"], tenant); /// <summary>
@@ -402,14 +402,13 @@ When you're ready to run your test, use an Azure AD account (work or school acco
<br/><br/> ![Sign in to your Microsoft account](media/active-directory-develop-guidedsetup-aspnetwebapp-test/aspnetbrowsersignin2.png)
-#### Permissions and consent in the Microsoft identity platform endpoint
-
-Applications that integrate with Microsoft identity platform follow an authorization model that gives users and administrators control over how data can be accessed. After a user authenticates with Microsoft identity platform to access this application, they will be prompted to consent to the permissions requested by the application ("View your basic profile" and "Maintain access to data you have given it access to"). After accepting these permissions, the user will continue on to the application results. However, the user may instead be prompted with a **Need admin consent** page if either of the following occur:
+#### Permissions and consent in the Microsoft identity platform
+Applications that integrate with the Microsoft identity platform follow an authorization model that gives users and administrators control over how data can be accessed. After a user authenticates with the Microsoft identity platform to access this application, they will be prompted to consent to the permissions requested by the application ("View your basic profile" and "Maintain access to data you have given it access to"). After accepting these permissions, the user will continue on to the application results. However, the user may instead be prompted with a **Need admin consent** page if either of the following occur:
- The application developer adds any additional permissions that require **Admin consent**. - Or the tenant is configured (in **Enterprise Applications -> User Settings**) where users cannot consent to apps accessing company data on their behalf.
-For more information, refer to [Permissions and consent in the Microsoft identity platform endpoint](./v2-permissions-and-consent.md).
+For more information, refer to [Permissions and consent in the Microsoft identity platform](./v2-permissions-and-consent.md).
### View application results
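Review bot: the replacement drops the blank line between the new `#### Permissions and consent in the Microsoft identity platform` heading and the paragraph that follows (the `-` side had one, the `+` side does not); keep it for consistency with the rest of the article. In the same paragraph, "if either of the following occur" should be "occurs", and the context bullet "Or the tenant is configured (in **Enterprise Applications -> User Settings**) where users cannot consent" reads better as "so that users cannot consent".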
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-aspnet-daemon-web-app https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-aspnet-daemon-web-app.md a/articles/active-directory/develop/tutorial-v2-aspnet-daemon-web-app.md
@@ -46,7 +46,7 @@ Because the app is a multi-tenant app for Microsoft business customers, it must
![Diagram shows UserSync App with three local items connecting to Azure, with Start dot Auth acquiring a token interactively to connect to Azure A D, AccountController getting admin consent to connect to Azure A D, and SyncController reading user to connect to Microsoft Graph.](./media/tutorial-v2-aspnet-daemon-webapp/topology.png)
-For more information on the concepts used in this sample, read the [client credentials protocol documentation for the identity platform endpoint](v2-oauth2-client-creds-grant-flow.md).
+For more information on the concepts used in this sample, read the [client credentials protocol documentation for the identity platform](v2-oauth2-client-creds-grant-flow.md).
## Clone or download this repository
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-auth-code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-javascript-auth-code.md a/articles/active-directory/develop/tutorial-v2-javascript-auth-code.md
@@ -23,7 +23,7 @@ In this tutorial:
> * Perform the OAuth 2.0 authorization code flow with PKCE > * Sign in personal Microsoft accounts as well as work and school accounts > * Acquire an access token
-> * Call Microsoft Graph or your own API that requires access tokens obtained from the Microsoft identity platform endpoint
+> * Call Microsoft Graph or your own API that requires access tokens obtained from the Microsoft identity platform
MSAL.js 2.0 improves on MSAL.js 1.0 by supporting the authorization code flow in the browser instead of the implicit grant flow. MSAL.js 2.0 does **NOT** support the implicit flow.
@@ -36,7 +36,7 @@ MSAL.js 2.0 improves on MSAL.js 1.0 by supporting the authorization code flow in
:::image type="content" source="media/tutorial-v2-javascript-auth-code/diagram-01-auth-code-flow.png" alt-text="Diagram showing the authorization code flow in a single-page application":::
-The application you create in this tutorial enables a JavaScript SPA to query the Microsoft Graph API by acquiring security tokens from the the Microsoft identity platform endpoint. In this scenario, after a user signs in, an access token is requested and added to HTTP requests in the authorization header. Token acquisition and renewal are handled by the Microsoft Authentication Library for JavaScript (MSAL.js).
+The application you create in this tutorial enables a JavaScript SPA to query the Microsoft Graph API by acquiring security tokens from the the Microsoft identity platform. In this scenario, after a user signs in, an access token is requested and added to HTTP requests in the authorization header. Token acquisition and renewal are handled by the Microsoft Authentication Library for JavaScript (MSAL.js).
This tutorial uses the following library:
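Review bot: the rewritten line still carries the duplicated word in "acquiring security tokens from the the Microsoft identity platform"; since this line is already being touched to drop "endpoint", fix the typo in the same change: `...acquiring security tokens from the Microsoft identity platform.`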
@@ -553,13 +553,13 @@ The SPA you've created in this tutorial calls `acquireTokenSilent` and/or `acqui
#### Get a user token interactively
-After their initial sign-in, your app shouldn't ask users to reauthenticate every time they need to access a protected resource (that is, to request a token). To prevent such reauthentication requests, call `acquireTokenSilent`. There are some situations, however, where you might need to force users to interact with the Microsoft identity platform endpoint. For example:
+After their initial sign-in, your app shouldn't ask users to reauthenticate every time they need to access a protected resource (that is, to request a token). To prevent such reauthentication requests, call `acquireTokenSilent`. There are some situations, however, where you might need to force users to interact with the Microsoft identity platform. For example:
- Users need to re-enter their credentials because the password has expired. - Your application is requesting access to a resource and you need the user's consent. - Two-factor authentication is required.
-Calling `acquireTokenPopup` opens a pop-up window (or `acquireTokenRedirect` redirects users to the Microsoft identity platform endpoint). In that window, users need to interact by confirming their credentials, giving consent to the required resource, or completing the two-factor authentication.
+Calling `acquireTokenPopup` opens a pop-up window (or `acquireTokenRedirect` redirects users to the Microsoft identity platform). In that window, users need to interact by confirming their credentials, giving consent to the required resource, or completing the two-factor authentication.
#### Get a user token silently
@@ -614,7 +614,7 @@ You've completed creation of the application and are now ready to launch the Nod
### Sign in to the application
-After the browser loads your *https://docsupdatetracker.net/index.html* file, select **Sign In**. You're prompted to sign in with the Microsoft identity platform endpoint:
+After the browser loads your *https://docsupdatetracker.net/index.html* file, select **Sign In**. You're prompted to sign in with the Microsoft identity platform:
:::image type="content" source="media/tutorial-v2-javascript-auth-code/spa-01-signin-dialog.png" alt-text="Web browser displaying sign-in dialog":::
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-spa https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-javascript-spa.md a/articles/active-directory/develop/tutorial-v2-javascript-spa.md
@@ -41,7 +41,7 @@ In this tutorial:
![Shows how the sample app generated by this tutorial works](media/active-directory-develop-guidedsetup-javascriptspa-introduction/javascriptspa-intro.svg)
-The sample application created by this guide enables a JavaScript SPA to query the Microsoft Graph API or a web API that accepts tokens from the Microsoft identity platform endpoint. In this scenario, after a user signs in, an access token is requested and added to HTTP requests through the authorization header. This token will be used to acquire the user's profile and mails via **MS Graph API**.
+The sample application created by this guide enables a JavaScript SPA to query the Microsoft Graph API or a web API that accepts tokens from the Microsoft identity platform. In this scenario, after a user signs in, an access token is requested and added to HTTP requests through the authorization header. This token will be used to acquire the user's profile and mails via **MS Graph API**.
Token acquisition and renewal are handled by the [Microsoft Authentication Library (MSAL) for JavaScript](https://github.com/AzureAD/microsoft-authentication-library-for-js).
@@ -409,13 +409,13 @@ The SPA generated by this guide calls `acquireTokenSilent` and/or `acquireTokenP
#### Get a user token interactively
-After the initial sign-in, you do not want to ask users to reauthenticate every time they need to request a token to access a resource. So *acquireTokenSilent* should be used most of the time to acquire tokens. There are situations, however, where you need to force users to interact with Microsoft identity platform endpoint. Examples include:
+After the initial sign-in, you do not want to ask users to reauthenticate every time they need to request a token to access a resource. So *acquireTokenSilent* should be used most of the time to acquire tokens. There are situations, however, where you need to force users to interact with Microsoft identity platform. Examples include:
- Users need to reenter their credentials because the password has expired. - Your application is requesting access to a resource, and you need the user's consent. - Two-factor authentication is required.
-Calling *acquireTokenPopup* opens a pop-up window (or *acquireTokenRedirect* redirects users to the Microsoft identity platform endpoint). In that window, users need to interact by confirming their credentials, giving consent to the required resource, or completing the two-factor authentication.
+Calling *acquireTokenPopup* opens a pop-up window (or *acquireTokenRedirect* redirects users to the Microsoft identity platform). In that window, users need to interact by confirming their credentials, giving consent to the required resource, or completing the two-factor authentication.
#### Get a user token silently
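Review bot: inconsistent article in the first changed line of this hunk: "force users to interact with Microsoft identity platform" lacks "the", while the sibling change in tutorial-v2-javascript-auth-code (and the rest of this commit) standardizes on "the Microsoft identity platform". Suggest `...force users to interact with the Microsoft identity platform.` so both tutorials read the same.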
@@ -480,7 +480,7 @@ In the sample application created by this guide, the `callMSGraph()` method is u
``` 1. In your browser, enter **http://localhost:3000** or **http://localhost:{port}**, where *port* is the port that your web server is listening to. You should see the contents of your *https://docsupdatetracker.net/index.html* file and the **Sign In** button.
-After the browser loads your *https://docsupdatetracker.net/index.html* file, select **Sign In**. You're prompted to sign in with the Microsoft identity platform endpoint:
+After the browser loads your *https://docsupdatetracker.net/index.html* file, select **Sign In**. You're prompted to sign in with the Microsoft identity platform:
![The JavaScript SPA account sign-in window](media/active-directory-develop-guidedsetup-javascriptspa-test/javascriptspascreenshot1.png)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-windows-desktop https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-windows-desktop.md a/articles/active-directory/develop/tutorial-v2-windows-desktop.md
@@ -43,7 +43,7 @@ The sample application that you create with this guide enables a Windows Desktop
## Handling token acquisition for accessing protected web APIs
-After the user is authenticated, the sample application receives a token you can use to query Microsoft Graph API or a web API that's secured by Microsoft identity platform for developers.
+After the user is authenticated, the sample application receives a token you can use to query Microsoft Graph API or a web API that's secured by the Microsoft identity platform.
APIs such as Microsoft Graph require a token to allow access to specific resources. For example, a token is required to read a userΓÇÖs profile, access a userΓÇÖs calendar, or send email. Your application can request an access token by using MSAL to access these resources by specifying API scopes. This access token is then added to the HTTP Authorization header for every call that's made against the protected resource.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/userinfo https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/userinfo.md a/articles/active-directory/develop/userinfo.md
@@ -24,7 +24,7 @@ The UserInfo endpoint is part of the [OpenID Connect standard](https://openid.ne
You can programmatically discover the UserInfo endpoint using the OpenID Connect discovery document, at `https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration`. ItΓÇÖs listed in the `userinfo_endpoint` field, and this pattern can be used across clouds to help point to the right endpoint. We do not recommend hard-coding the UserInfo endpoint in your app ΓÇô use the OIDC discovery document to find this endpoint at runtime instead.
-As part of the OpenID Connect specification, the UserInfo endpoint is often automatically called by [OIDC compliant libraries](https://openid.net/developers/certified/) to get information about the user. Without hosting such an endpoint, Microsoft identity platform would not be standards compliant and some libraries would fail. From the [list of claims identified in the OIDC standard](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) we produce the name claims, subject claim, and email when available and consented for.
+As part of the OpenID Connect specification, the UserInfo endpoint is often automatically called by [OIDC compliant libraries](https://openid.net/developers/certified/) to get information about the user. Without hosting such an endpoint, the Microsoft identity platform would not be standards compliant and some libraries would fail. From the [list of claims identified in the OIDC standard](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) we produce the name claims, subject claim, and email when available and consented for.
## Consider: Use an ID Token instead
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-admin-consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-admin-consent.md a/articles/active-directory/develop/v2-admin-consent.md
@@ -1,6 +1,6 @@
Title: Microsoft identity platform admin consent protocols
-description: A description of authorization in the Microsoft identity platform endpoint, including scopes, permissions, and consent.
+description: A description of authorization in the Microsoft identity platform, including scopes, permissions, and consent.
@@ -23,7 +23,7 @@ Some permissions require consent from an administrator before they can be grante
Typically, when you build an application that uses the admin consent endpoint, the app needs a page or view in which the admin can approve the app's permissions. This page can be part of the app's sign-up flow, part of the app's settings, or it can be a dedicated "connect" flow. In many cases, it makes sense for the app to show this "connect" view only after a user has signed in with a work or school Microsoft account.
-When you sign the user into your app, you can identify the organization to which the admin belongs before asking them to approve the necessary permissions. Although not strictly necessary, it can help you create a more intuitive experience for your organizational users. To sign the user in, follow our [Microsoft identity platform protocol tutorials](active-directory-v2-protocols.md).
+When you sign the user into your app, you can identify the organization to which the admin belongs before asking them to approve the necessary permissions. Although not strictly necessary, it can help you create a more intuitive experience for your organizational users. To sign the user in, follow the [Microsoft identity platform protocol tutorials](active-directory-v2-protocols.md).
## Request the permissions from a directory admin
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-app-types https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-app-types.md a/articles/active-directory/develop/v2-app-types.md
@@ -1,6 +1,6 @@
Title: Application types for Microsoft identity platform | Azure
-description: The types of apps and scenarios supported by the Microsoft identity platform endpoint.
+ Title: Application types for the Microsoft identity platform | Azure
+description: The types of apps and scenarios supported by the Microsoft identity platform.
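Review bot: the front-matter hunk looks wrong as written. The existing `Title: Application types for Microsoft identity platform | Azure` line appears as unchanged context rather than a `-` removal, and a new `+ Title: Application types for the Microsoft identity platform | Azure` line is added, which leaves two title entries in the metadata block. The added line also has a leading space before `Title:`, which would change the key's indentation in YAML. Remove the old line with a `-` and drop the leading space on the new one.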
@@ -15,13 +15,13 @@
-# Application types for Microsoft identity platform
+# Application types for the Microsoft identity platform
-The Microsoft identity platform endpoint supports authentication for a variety of modern app architectures, all of them based on industry-standard protocols [OAuth 2.0 or OpenID Connect](active-directory-v2-protocols.md). This article describes the types of apps that you can build by using Microsoft identity platform, regardless of your preferred language or platform. The information is designed to help you understand high-level scenarios before you start working with the code in the [application scenarios](authentication-flows-app-scenarios.md#application-scenarios).
+The Microsoft identity platform supports authentication for a variety of modern app architectures, all of them based on industry-standard protocols [OAuth 2.0 or OpenID Connect](active-directory-v2-protocols.md). This article describes the types of apps that you can build by using Microsoft identity platform, regardless of your preferred language or platform. The information is designed to help you understand high-level scenarios before you start working with the code in the [application scenarios](authentication-flows-app-scenarios.md#application-scenarios).
## The basics
-You must register each app that uses the Microsoft identity platform endpoint in the Azure portal [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908). The app registration process collects and assigns these values for your app:
+You must register each app that uses the Microsoft identity platform in the Azure portal [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908). The app registration process collects and assigns these values for your app:
* An **Application (client) ID** that uniquely identifies your app * A **Redirect URI** that you can use to direct responses back to your app
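Review bot: inconsistent article within a single sentence of the intro paragraph: the change rewrites the opening to "The Microsoft identity platform supports authentication..." but the second sentence still reads "apps that you can build by using Microsoft identity platform". Since this line is already modified, make it `...by using the Microsoft identity platform, regardless of your preferred language or platform.`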
@@ -29,7 +29,7 @@ You must register each app that uses the Microsoft identity platform endpoint in
For details, learn how to [register an app](quickstart-register-app.md).
-After the app is registered, the app communicates with Microsoft identity platform by sending requests to the endpoint. We provide open-source frameworks and libraries that handle the details of these requests. You also have the option to implement the authentication logic yourself by creating requests to these endpoints:
+After the app is registered, the app communicates with the Microsoft identity platform by sending requests to the endpoint. We provide open-source frameworks and libraries that handle the details of these requests. You also have the option to implement the authentication logic yourself by creating requests to these endpoints:
```HTTP https://login.microsoftonline.com/common/oauth2/v2.0/authorize
@@ -38,7 +38,7 @@ https://login.microsoftonline.com/common/oauth2/v2.0/token
## Single-page apps (JavaScript)
-Many modern apps have a single-page app front end written primarily in JavaScript, often with a framework like Angular, React, or Vue. The Microsoft identity platform endpoint supports these apps by using the [OpenID Connect](v2-protocols-oidc.md) protocol for authentication and either [OAuth 2.0 implicit grant flow](v2-oauth2-implicit-grant-flow.md) or the more recent [OAuth 2.0 authorization code + PKCE flow](v2-oauth2-auth-code-flow.md) for authorization (see below).
+Many modern apps have a single-page app front end written primarily in JavaScript, often with a framework like Angular, React, or Vue. The Microsoft identity platform supports these apps by using the [OpenID Connect](v2-protocols-oidc.md) protocol for authentication and either [OAuth 2.0 implicit grant flow](v2-oauth2-implicit-grant-flow.md) or the more recent [OAuth 2.0 authorization code + PKCE flow](v2-oauth2-auth-code-flow.md) for authorization (see below).
The flow diagram below demonstrates the OAuth 2.0 authorization code grant (with details around PKCE omitted), where the app receives a code from the Microsoft identity platform `authorize` endpoint, and redeems it for tokens and refresh tokens using cross-site web requests. The refresh token expires every 24 hours, and the app must request another code. In addition to the access token, an `id_token` that represents the signed-in user to the client application is typically also requested through the same flow and/or a separate OpenID Connect request (not shown here).
@@ -69,13 +69,13 @@ eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtyaU1QZG1Cd...
} ```
-Further details of different types of tokens used in the Microsoft identity platform endpoint are available in the [access token](access-tokens.md) reference and [id_token reference](id-tokens.md)
+Further details of different types of tokens used in the Microsoft identity platform are available in the [access token](access-tokens.md) reference and [id_token reference](id-tokens.md)
In web server apps, the sign-in authentication flow takes these high-level steps: ![Shows the web app authentication flow](./media/v2-app-types/convergence-scenarios-webapp.svg)
-You can ensure the user's identity by validating the ID token with a public signing key that is received from the Microsoft identity platform endpoint. A session cookie is set, which can be used to identify the user on subsequent page requests.
+You can ensure the user's identity by validating the ID token with a public signing key that is received from the Microsoft identity platform. A session cookie is set, which can be used to identify the user on subsequent page requests.
To see this scenario in action, try the code samples in the [Web app that signs in users scenario](scenario-web-app-sign-user-overview.md).
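Review bot: missing sentence-ending punctuation in the changed tokens line: "...available in the [access token](access-tokens.md) reference and [id_token reference](id-tokens.md)" has no period, while the otherwise identical sentence later in this article (in the Web APIs section) ends with one and also places "reference" outside the link. Suggest matching that form: `...in the [access token](access-tokens.md) reference and [id_token](id-tokens.md) reference.`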
@@ -83,7 +83,7 @@ In addition to simple sign-in, a web server app might need to access another web
## Web APIs
-You can use the Microsoft identity platform endpoint to secure web services, such as your app's RESTful web API. Web APIs can be implemented in numerous platforms and languages. They can also be implemented using HTTP Triggers in Azure Functions. Instead of ID tokens and session cookies, a web API uses an OAuth 2.0 access token to secure its data and to authenticate incoming requests. The caller of a web API appends an access token in the authorization header of an HTTP request, like this:
+You can use the Microsoft identity platform to secure web services, such as your app's RESTful web API. Web APIs can be implemented in numerous platforms and languages. They can also be implemented using HTTP Triggers in Azure Functions. Instead of ID tokens and session cookies, a web API uses an OAuth 2.0 access token to secure its data and to authenticate incoming requests. The caller of a web API appends an access token in the authorization header of an HTTP request, like this:
```HTTP GET /api/items HTTP/1.1
@@ -93,9 +93,9 @@ Accept: application/json
... ```
-The web API uses the access token to verify the API caller's identity and to extract information about the caller from claims that are encoded in the access token. Further details of different types of tokens used in the Microsoft identity platform endpoint are available in the [access token](access-tokens.md) reference and [id_token](id-tokens.md) reference.
+The web API uses the access token to verify the API caller's identity and to extract information about the caller from claims that are encoded in the access token. Further details of different types of tokens used in the Microsoft identity platform are available in the [access token](access-tokens.md) reference and [id_token](id-tokens.md) reference.
-A web API can give users the power to opt in or opt out of specific functionality or data by exposing permissions, also known as [scopes](v2-permissions-and-consent.md). For a calling app to acquire permission to a scope, the user must consent to the scope during a flow. The Microsoft identity platform endpoint asks the user for permission, and then records permissions in all access tokens that the web API receives. The web API validates the access tokens it receives on each call and performs authorization checks.
+A web API can give users the power to opt in or opt out of specific functionality or data by exposing permissions, also known as [scopes](v2-permissions-and-consent.md). For a calling app to acquire permission to a scope, the user must consent to the scope during a flow. The Microsoft identity platform asks the user for permission, and then records permissions in all access tokens that the web API receives. The web API validates the access tokens it receives on each call and performs authorization checks.
A web API can receive access tokens from all types of apps, including web server apps, desktop and mobile apps, single-page apps, server-side daemons, and even other web APIs. The high-level flow for a web API looks like this:
@@ -103,13 +103,13 @@ A web API can receive access tokens from all types of apps, including web server
To learn how to secure a web API by using OAuth2 access tokens, check out the web API code samples in the [protected web API scenario](scenario-protected-web-api-overview.md).
-In many cases, web APIs also need to make outbound requests to other downstream web APIs secured by Microsoft identity platform. To do so, web APIs can take advantage of the **On-Behalf-Of** flow, which allows the web API to exchange an incoming access token for another access token to be used in outbound requests. For more info, see [Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow](v2-oauth2-on-behalf-of-flow.md).
+In many cases, web APIs also need to make outbound requests to other downstream web APIs secured by Microsoft identity platform. To do so, web APIs can take advantage of the **On-Behalf-Of** flow, which allows the web API to exchange an incoming access token for another access token to be used in outbound requests. For more info, see the [Microsoft identity platform and OAuth 2.0 On-Behalf-Of flow](v2-oauth2-on-behalf-of-flow.md).
## Mobile and native apps Device-installed apps, such as mobile and desktop apps, often need to access back-end services or web APIs that store data and perform functions on behalf of a user. These apps can add sign-in and authorization to back-end services by using the [OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md).
-In this flow, the app receives an authorization code from the Microsoft identity platform endpoint when the user signs in. The authorization code represents the app's permission to call back-end services on behalf of the user who is signed in. The app can exchange the authorization code in the background for an OAuth 2.0 access token and a refresh token. The app can use the access token to authenticate to web APIs in HTTP requests, and use the refresh token to get new access tokens when older access tokens expire.
+In this flow, the app receives an authorization code from the Microsoft identity platform when the user signs in. The authorization code represents the app's permission to call back-end services on behalf of the user who is signed in. The app can exchange the authorization code in the background for an OAuth 2.0 access token and a refresh token. The app can use the access token to authenticate to web APIs in HTTP requests, and use the refresh token to get new access tokens when older access tokens expire.
![Shows the native app authentication flow](./media/v2-app-types/convergence-scenarios-native.svg)
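Review bot: the On-Behalf-Of paragraph adds "the" before the link text but leaves "downstream web APIs secured by Microsoft identity platform" earlier in the same sentence without it, which is the inconsistency this commit is meant to remove. Suggest `...other downstream web APIs secured by the Microsoft identity platform.` on that line.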
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-howto-app-gallery-listing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-howto-app-gallery-listing.md a/articles/active-directory/develop/v2-howto-app-gallery-listing.md
@@ -143,7 +143,7 @@ To learn more about authentication, see [What is authentication?](../azuread-dev
For OpenID Connect, the application must be multi-tenanted and the [Azure AD consent framework](consent-framework.md) must be properly implemented for the application. The user can send the sign-in request to a common endpoint so that any customer can provide consent to the application. You can control user access based on the tenant ID and the user's UPN received in the token.
-To review specific examples, see [Microsoft identity platform code samples](sample-v2-code.md).
+To review specific examples, see the [Microsoft identity platform code samples](sample-v2-code.md).
To review mobile specific examples, see: * [Android](quickstart-v2-android.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-oauth-ropc.md a/articles/active-directory/develop/v2-oauth-ropc.md
@@ -18,14 +18,14 @@
# Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials
-Microsoft identity platform supports the [OAuth 2.0 Resource Owner Password Credentials (ROPC) grant](https://tools.ietf.org/html/rfc6749#section-4.3), which allows an application to sign in the user by directly handling their password. This article describes how to program directly against the protocol in your application. When possible, we recommend you use the supported Microsoft Authentication Libraries (MSAL) instead to [acquire tokens and call secured web APIs](authentication-flows-app-scenarios.md#scenarios-and-supported-authentication-flows). Also take a look at the [sample apps that use MSAL](sample-v2-code.md).
+The Microsoft identity platform supports the [OAuth 2.0 Resource Owner Password Credentials (ROPC) grant](https://tools.ietf.org/html/rfc6749#section-4.3), which allows an application to sign in the user by directly handling their password. This article describes how to program directly against the protocol in your application. When possible, we recommend you use the supported Microsoft Authentication Libraries (MSAL) instead to [acquire tokens and call secured web APIs](authentication-flows-app-scenarios.md#scenarios-and-supported-authentication-flows). Also take a look at the [sample apps that use MSAL](sample-v2-code.md).
> [!WARNING] > Microsoft recommends you do _not_ use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used. > [!IMPORTANT] >
-> * The Microsoft identity platform endpoint only supports ROPC for Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (`https://login.microsoftonline.com/{TenantId_or_Name}`) or the `organizations` endpoint.
+> * The Microsoft identity platform only supports ROPC for Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (`https://login.microsoftonline.com/{TenantId_or_Name}`) or the `organizations` endpoint.
> * Personal accounts that are invited to an Azure AD tenant can't use ROPC. > * Accounts that don't have passwords can't sign in through ROPC. For this scenario, we recommend that you use a different flow for your app instead. > * If users need to use [multi-factor authentication (MFA)](../authentication/concept-mfa-howitworks.md) to log in to the application, they will be blocked instead.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-oauth2-auth-code-flow.md a/articles/active-directory/develop/v2-oauth2-auth-code-flow.md
@@ -22,7 +22,7 @@ The OAuth 2.0 authorization code grant can be used in apps that are installed on
This article describes how to program directly against the protocol in your application using any language. When possible, we recommend you use the supported Microsoft Authentication Libraries (MSAL) instead to [acquire tokens and call secured web APIs](authentication-flows-app-scenarios.md#scenarios-and-supported-authentication-flows). Also take a look at the [sample apps that use MSAL](sample-v2-code.md).
-The OAuth 2.0 authorization code flow is described in [section 4.1 of the OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749). It's used to perform authentication and authorization in the majority of app types, including [single page apps](v2-app-types.md#single-page-apps-javascript), [web apps](v2-app-types.md#web-apps), and [natively installed apps](v2-app-types.md#mobile-and-native-apps). The flow enables apps to securely acquire access_tokens that can be used to access resources secured by the Microsoft identity platform endpoint, as well as refresh tokens to get additional access_tokens, and ID tokens for the signed in user.
+The OAuth 2.0 authorization code flow is described in [section 4.1 of the OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749). It's used to perform authentication and authorization in the majority of app types, including [single page apps](v2-app-types.md#single-page-apps-javascript), [web apps](v2-app-types.md#web-apps), and [natively installed apps](v2-app-types.md#mobile-and-native-apps). The flow enables apps to securely acquire access_tokens that can be used to access resources secured by the Microsoft identity platform, as well as refresh tokens to get additional access_tokens, and ID tokens for the signed in user.
## Protocol diagram
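Review bot: style point in the `+` line: `access_tokens` is written twice as an identifier-style word while the same sentence says "refresh tokens" and "ID tokens" in prose. The line describes token types generically, not a parameter name, so "access tokens" in both places keeps the sentence consistent.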
@@ -73,16 +73,16 @@ client_id=6731de76-14a6-49ae-97bc-6eba6914391e
| `scope` | required | A space-separated list of [scopes](v2-permissions-and-consent.md) that you want the user to consent to. For the `/authorize` leg of the request, this can cover multiple resources, allowing your app to get consent for multiple web APIs you want to call. | | `response_mode` | recommended | Specifies the method that should be used to send the resulting token back to your app. Can be one of the following:<br/><br/>- `query`<br/>- `fragment`<br/>- `form_post`<br/><br/>`query` provides the code as a query string parameter on your redirect URI. If you're requesting an ID token using the implicit flow, you can't use `query` as specified in the [OpenID spec](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations). If you're requesting just the code, you can use `query`, `fragment`, or `form_post`. `form_post` executes a POST containing the code to your redirect URI. | | `state` | recommended | A value included in the request that will also be returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for [preventing cross-site request forgery attacks](https://tools.ietf.org/html/rfc6749#section-10.12). The value can also encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on. |
-| `prompt` | optional | Indicates the type of user interaction that is required. The only valid values at this time are `login`, `none`, and `consent`.<br/><br/>- `prompt=login` will force the user to enter their credentials on that request, negating single-sign on.<br/>- `prompt=none` is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single-sign on, the Microsoft identity platform endpoint will return an `interaction_required` error.<br/>- `prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app.<br/>- `prompt=select_account` will interrupt single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.<br/> |
+| `prompt` | optional | Indicates the type of user interaction that is required. The only valid values at this time are `login`, `none`, and `consent`.<br/><br/>- `prompt=login` will force the user to enter their credentials on that request, negating single-sign on.<br/>- `prompt=none` is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single-sign on, the Microsoft identity platform will return an `interaction_required` error.<br/>- `prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app.<br/>- `prompt=select_account` will interrupt single sign-on providing account selection experience listing all the accounts either in session or any remembered account or an option to choose to use a different account altogether.<br/> |
| `login_hint` | optional | Can be used to pre-fill the username/email address field of the sign-in page for the user, if you know their username ahead of time. Often apps will use this parameter during re-authentication, having already extracted the username from a previous sign-in using the `preferred_username` claim. | | `domain_hint` | optional | If included, it will skip the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience - for example, sending them to their federated identity provider. Often apps will use this parameter during re-authentication, by extracting the `tid` from a previous sign-in. If the `tid` claim value is `9188040d-6c67-4c5b-b112-36a304b66dad`, you should use `domain_hint=consumers`. Otherwise, use `domain_hint=organizations`. | | `code_challenge` | recommended / required | Used to secure authorization code grants via Proof Key for Code Exchange (PKCE). Required if `code_challenge_method` is included. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). This is now recommended for all application types - native apps, SPAs, and confidential clients like web apps. |
-| `code_challenge_method` | recommended / required | The method used to encode the `code_verifier` for the `code_challenge` parameter. This *SHOULD* be `S256`, but the spec allows the use of `plain` if for some reason the client cannot support SHA256. <br/><br/>If excluded, `code_challenge` is assumed to be plaintext if `code_challenge` is included. Microsoft identity platform supports both `plain` and `S256`. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). This is required for [single page apps using the authorization code flow](reference-third-party-cookies-spas.md).|
+| `code_challenge_method` | recommended / required | The method used to encode the `code_verifier` for the `code_challenge` parameter. This *SHOULD* be `S256`, but the spec allows the use of `plain` if for some reason the client cannot support SHA256. <br/><br/>If excluded, `code_challenge` is assumed to be plaintext if `code_challenge` is included. The Microsoft identity platform supports both `plain` and `S256`. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). This is required for [single page apps using the authorization code flow](reference-third-party-cookies-spas.md).|
-At this point, the user will be asked to enter their credentials and complete the authentication. The Microsoft identity platform endpoint will also ensure that the user has consented to the permissions indicated in the `scope` query parameter. If the user has not consented to any of those permissions, it will ask the user to consent to the required permissions. Details of [permissions, consent, and multi-tenant apps are provided here](v2-permissions-and-consent.md).
+At this point, the user will be asked to enter their credentials and complete the authentication. The Microsoft identity platform will also ensure that the user has consented to the permissions indicated in the `scope` query parameter. If the user has not consented to any of those permissions, it will ask the user to consent to the required permissions. Details of [permissions, consent, and multi-tenant apps are provided here](v2-permissions-and-consent.md).
-Once the user authenticates and grants consent, the Microsoft identity platform endpoint will return a response to your app at the indicated `redirect_uri`, using the method specified in the `response_mode` parameter.
+Once the user authenticates and grants consent, the Microsoft identity platform will return a response to your app at the indicated `redirect_uri`, using the method specified in the `response_mode` parameter.
#### Successful response
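Review bot: the `state` row still says the value "will also be returned in the token response"; in the authorization code flow it is echoed in the redirect to `redirect_uri` that carries the code (the response the last `+` paragraph of this hunk describes), not in the `/token` response, and the CSRF protection the row cites only works if the app compares the echoed value with the one it generated and rejects the response on mismatch. Suggest: "A value included in the request that is returned unchanged in the authorization response sent to your `redirect_uri`. Your app must verify that it matches the value it generated before exchanging the code." Separately, the `prompt` row's `+` line keeps "The only valid values at this time are `login`, `none`, and `consent`" while the same cell documents `prompt=select_account`, and the implicit grant article later in this same change lists `select_account` among the valid values; add it to the list here.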
@@ -332,7 +332,7 @@ client_id=6731de76-14a6-49ae-97bc-6eba6914391e
| `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](active-directory-v2-protocols.md#endpoints). | | `client_id` | required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. | | `grant_type` | required | Must be `refresh_token` for this leg of the authorization code flow. |
-| `scope` | required | A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the original authorization_code request leg. If the scopes specified in this request span multiple resource server, then the Microsoft identity platform endpoint will return a token for the resource specified in the first scope. For a more detailed explanation of scopes, refer to [permissions, consent, and scopes](v2-permissions-and-consent.md). |
+| `scope` | required | A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the original authorization_code request leg. If the scopes specified in this request span multiple resource server, then the Microsoft identity platform will return a token for the resource specified in the first scope. For a more detailed explanation of scopes, refer to [permissions, consent, and scopes](v2-permissions-and-consent.md). |
| `refresh_token` | required | The refresh_token that you acquired in the second leg of the flow. | | `client_secret` | required for web apps | The application secret that you created in the app registration portal for your app. It should not be used in a native app, because client_secrets can't be reliably stored on devices. It's required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. This secret needs to be URL-Encoded. For more information, see the [URI Generic Syntax specification](https://tools.ietf.org/html/rfc3986#page-12). |
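Review bot: grammar in the `scope` row's `+` line: "span multiple resource server" should be "span multiple resource servers". The rename was the only edit, so the singular was carried over unchanged from the `-` line.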
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-oauth2-client-creds-grant-flow.md a/articles/active-directory/develop/v2-oauth2-client-creds-grant-flow.md
@@ -42,9 +42,9 @@ These two methods are the most common in Azure AD and we recommend them for clie
### Access control lists
-A resource provider might enforce an authorization check based on a list of application (client) IDs that it knows and grants a specific level of access to. When the resource receives a token from the Microsoft identity platform endpoint, it can decode the token and extract the client's application ID from the `appid` and `iss` claims. Then it compares the application against an access control list (ACL) that it maintains. The ACL's granularity and method might vary substantially between resources.
+A resource provider might enforce an authorization check based on a list of application (client) IDs that it knows and grants a specific level of access to. When the resource receives a token from the Microsoft identity platform, it can decode the token and extract the client's application ID from the `appid` and `iss` claims. Then it compares the application against an access control list (ACL) that it maintains. The ACL's granularity and method might vary substantially between resources.
-A common use case is to use an ACL to run tests for a web application or for a web API. The web API might grant only a subset of full permissions to a specific client. To run end-to-end tests on the API, create a test client that acquires tokens from the Microsoft identity platform endpoint and then sends them to the API. The API then checks the ACL for the test client's application ID for full access to the API's entire functionality. If you use this kind of ACL, be sure to validate not only the caller's `appid` value but also validate that the `iss` value of the token is trusted.
+A common use case is to use an ACL to run tests for a web application or for a web API. The web API might grant only a subset of full permissions to a specific client. To run end-to-end tests on the API, create a test client that acquires tokens from the Microsoft identity platform and then sends them to the API. The API then checks the ACL for the test client's application ID for full access to the API's entire functionality. If you use this kind of ACL, be sure to validate not only the caller's `appid` value but also validate that the `iss` value of the token is trusted.
This type of authorization is common for daemons and service accounts that need to access data owned by consumer users who have personal Microsoft accounts. For data owned by organizations, we recommend that you get the necessary authorization through application permissions.
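Review bot: wording in the first `+` paragraph: "extract the client's application ID from the `appid` and `iss` claims" reads as if both claims carry the application ID. `appid` carries the application ID and `iss` identifies the issuer, which is exactly the distinction the second paragraph's last sentence relies on when it says to validate both. Suggest: "extract the client's application ID from the `appid` claim and the issuing tenant from the `iss` claim", and move the "validate `iss` as well" warning up to this first mention, since an ACL keyed on `appid` alone says nothing about who issued the token.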
@@ -73,7 +73,7 @@ For more information about application permissions, see [Permissions and consent
Typically, when you build an application that uses application permissions, the app requires a page or view on which the admin approves the app's permissions. This page can be part of the app's sign-in flow, part of the app's settings, or it can be a dedicated "connect" flow. In many cases, it makes sense for the app to show this "connect" view only after a user has signed in with a work or school Microsoft account.
-If you sign the user into your app, you can identify the organization to which the user belongs to before you ask the user to approve the application permissions. Although not strictly necessary, it can help you create a more intuitive experience for your users. To sign the user in, follow our [Microsoft identity platform protocol tutorials](active-directory-v2-protocols.md).
+If you sign the user into your app, you can identify the organization to which the user belongs to before you ask the user to approve the application permissions. Although not strictly necessary, it can help you create a more intuitive experience for your users. To sign the user in, follow the [Microsoft identity platform protocol tutorials](active-directory-v2-protocols.md).
#### Request the permissions from a directory admin
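Review bot: grammar in the `+` line, carried over from the `-` line: "the organization to which the user belongs to" has a doubled "to"; use "the organization to which the user belongs".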
@@ -138,7 +138,7 @@ After you've received a successful response from the app provisioning endpoint,
## Get a token
-After you've acquired the necessary authorization for your application, proceed with acquiring access tokens for APIs. To get a token by using the client credentials grant, send a POST request to the `/token` Microsoft identity platform endpoint:
+After you've acquired the necessary authorization for your application, proceed with acquiring access tokens for APIs. To get a token by using the client credentials grant, send a POST request to the `/token` Microsoft identity platform:
> [!TIP] > Try executing this request in Postman! (Use your own app ID for best results - the tutorial application won't request useful permissions.)
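Review bot: the rename broke the sentence in the `+` line: "send a POST request to the `/token` Microsoft identity platform:" drops the noun that `/token` was modifying. Here "endpoint" was the literal `/token` endpoint, not the old "Microsoft identity platform endpoint" branding, so it should stay: "send a POST request to the Microsoft identity platform `/token` endpoint:".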
@@ -166,7 +166,7 @@ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=
| | | | | `tenant` | Required | The directory tenant the application plans to operate against, in GUID or domain-name format. | | `client_id` | Required | The application ID that's assigned to your app. You can find this information in the portal where you registered your app. |
-| `scope` | Required | The value passed for the `scope` parameter in this request should be the resource identifier (application ID URI) of the resource you want, affixed with the `.default` suffix. For the Microsoft Graph example, the value is `https://graph.microsoft.com/.default`. <br/>This value tells the Microsoft identity platform endpoint that of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use. To learn more about the `/.default` scope, see the [consent documentation](v2-permissions-and-consent.md#the-default-scope). |
+| `scope` | Required | The value passed for the `scope` parameter in this request should be the resource identifier (application ID URI) of the resource you want, affixed with the `.default` suffix. For the Microsoft Graph example, the value is `https://graph.microsoft.com/.default`. <br/>This value tells the Microsoft identity platform that of all the direct application permissions you have configured for your app, the endpoint should issue a token for the ones associated with the resource you want to use. To learn more about the `/.default` scope, see the [consent documentation](v2-permissions-and-consent.md#the-default-scope). |
| `client_secret` | Required | The client secret that you generated for your app in the app registration portal. The client secret must be URL-encoded before being sent. | | `grant_type` | Required | Must be set to `client_credentials`. |
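Review bot: in the `scope` row's `+` line, "the endpoint should issue a token" now has no antecedent, because the preceding "Microsoft identity platform endpoint" was shortened to "Microsoft identity platform". The parallel `scope` row in the certificate-credential table in the next hunk says "it should issue a token"; use the same wording here.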
@@ -188,7 +188,7 @@ scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
| | | | | `tenant` | Required | The directory tenant the application plans to operate against, in GUID or domain-name format. | | `client_id` | Required |The application (client) ID that's assigned to your app. |
-| `scope` | Required | The value passed for the `scope` parameter in this request should be the resource identifier (application ID URI) of the resource you want, affixed with the `.default` suffix. For the Microsoft Graph example, the value is `https://graph.microsoft.com/.default`. <br/>This value informs the Microsoft identity platform endpoint that of all the direct application permissions you have configured for your app, it should issue a token for the ones associated with the resource you want to use. To learn more about the `/.default` scope, see the [consent documentation](v2-permissions-and-consent.md#the-default-scope). |
+| `scope` | Required | The value passed for the `scope` parameter in this request should be the resource identifier (application ID URI) of the resource you want, affixed with the `.default` suffix. For the Microsoft Graph example, the value is `https://graph.microsoft.com/.default`. <br/>This value informs the Microsoft identity platform that of all the direct application permissions you have configured for your app, it should issue a token for the ones associated with the resource you want to use. To learn more about the `/.default` scope, see the [consent documentation](v2-permissions-and-consent.md#the-default-scope). |
| `client_assertion_type` | Required | The value must be set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. | | `client_assertion` | Required | An assertion (a JSON web token) that you need to create and sign with the certificate you registered as credentials for your application. Read about [certificate credentials](active-directory-certificate-credentials.md) to learn how to register your certificate and the format of the assertion.| | `grant_type` | Required | Must be set to `client_credentials`. |
@@ -210,7 +210,7 @@ A successful response looks like this:
| Parameter | Description | | | | | `access_token` | The requested access token. The app can use this token to authenticate to the secured resource, such as to a web API. |
-| `token_type` | Indicates the token type value. The only type that Microsoft identity platform supports is `bearer`. |
+| `token_type` | Indicates the token type value. The only type that the Microsoft identity platform supports is `bearer`. |
| `expires_in` | The amount of time that an access token is valid (in seconds). | ### Error response
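Review bot: `token_type` is documented as `bearer` in this `+` line but as `Bearer` in the on-behalf-of article's `token_type` row later in this same change. Pick one spelling across the articles; `Bearer` matches the on-behalf-of row and the RFC 6750 text it links to, and a reader comparing a real response against this table should not have to guess which casing to expect.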
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-oauth2-implicit-grant-flow.md a/articles/active-directory/develop/v2-oauth2-implicit-grant-flow.md
@@ -1,5 +1,5 @@
Title: OAuth 2.0 implicit grant flow - Microsoft identity platform | Azure
+ Title: OAuth 2.0 implicit grant flow - The Microsoft identity platform | Azure
description: Secure single-page apps using Microsoft identity platform implicit flow.
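Review bot: the `+` title line inserts "The" mid-title: "OAuth 2.0 implicit grant flow - The Microsoft identity platform | Azure". Elsewhere in this change "the" is added only where "Microsoft identity platform" appears in running prose; after the title separator it reads as a mechanical search-and-replace, and the unchanged `description:` line below still says "using Microsoft identity platform implicit flow". Suggest leaving the title as it was and, if the description is touched, "using the Microsoft identity platform implicit flow".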
@@ -37,7 +37,7 @@ The following diagram shows what the entire implicit sign-in flow looks like and
## Send the sign-in request
-To initially sign the user into your app, you can send an [OpenID Connect](v2-protocols-oidc.md) authentication request and get an `id_token` from the Microsoft identity platform endpoint.
+To initially sign the user into your app, you can send an [OpenID Connect](v2-protocols-oidc.md) authentication request and get an `id_token` from the Microsoft identity platform.
> [!IMPORTANT] > To successfully request an ID token and/or an access token, the app registration in the [Azure portal - App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page must have the corresponding implicit grant flow enabled, by selecting **ID tokens** and.or **access tokens** under the **Implicit grant** section. If it's not enabled, an `unsupported_response` error will be returned: **The provided value for the input parameter 'response_type' is not allowed for this client. Expected value is 'code'**
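Review bot: typo in the trailing `[!IMPORTANT]` context line: "**ID tokens** and.or **access tokens**" should be "and/or". The hunk already touches the sentence immediately above it, so this is worth fixing in the same commit.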
@@ -69,13 +69,13 @@ client_id=6731de76-14a6-49ae-97bc-6eba6914391e
| `response_mode` | optional |Specifies the method that should be used to send the resulting token back to your app. Defaults to query for just an access token, but fragment if the request includes an id_token. | | `state` | recommended |A value included in the request that will also be returned in the token response. It can be a string of any content that you wish. A randomly generated unique value is typically used for [preventing cross-site request forgery attacks](https://tools.ietf.org/html/rfc6749#section-10.12). The state is also used to encode information about the user's state in the app before the authentication request occurred, such as the page or view they were on. | | `nonce` | required |A value included in the request, generated by the app, that will be included in the resulting id_token as a claim. The app can then verify this value to mitigate token replay attacks. The value is typically a randomized, unique string that can be used to identify the origin of the request. Only required when an id_token is requested. |
-| `prompt` | optional |Indicates the type of user interaction that is required. The only valid values at this time are 'login', 'none', 'select_account', and 'consent'. `prompt=login` will force the user to enter their credentials on that request, negating single-sign on. `prompt=none` is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single-sign on, the Microsoft identity platform endpoint will return an error. `prompt=select_account` sends the user to an account picker where all of the accounts remembered in the session will appear. `prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. |
+| `prompt` | optional |Indicates the type of user interaction that is required. The only valid values at this time are 'login', 'none', 'select_account', and 'consent'. `prompt=login` will force the user to enter their credentials on that request, negating single-sign on. `prompt=none` is the opposite - it will ensure that the user isn't presented with any interactive prompt whatsoever. If the request can't be completed silently via single-sign on, the Microsoft identity platform will return an error. `prompt=select_account` sends the user to an account picker where all of the accounts remembered in the session will appear. `prompt=consent` will trigger the OAuth consent dialog after the user signs in, asking the user to grant permissions to the app. |
| `login_hint` |optional |Can be used to pre-fill the username/email address field of the sign in page for the user, if you know their username ahead of time. Often apps will use this parameter during reauthentication, having already extracted the username from a previous sign-in using the `preferred_username` claim.| | `domain_hint` | optional |If included, it will skip the email-based discovery process that user goes through on the sign in page, leading to a slightly more streamlined user experience. This parameter is commonly used for Line of Business apps that operate in a single tenant, where they will provide a domain name within a given tenant, forwarding the user to the federation provider for that tenant. Note that this hint prevents guests from signing into this application, and limits the use of cloud credentials like FIDO. |
-At this point, the user will be asked to enter their credentials and complete the authentication. The Microsoft identity platform endpoint will also ensure that the user has consented to the permissions indicated in the `scope` query parameter. If the user has consented to **none** of those permissions, it will ask the user to consent to the required permissions. For more info, see [permissions, consent, and multi-tenant apps](v2-permissions-and-consent.md).
+At this point, the user will be asked to enter their credentials and complete the authentication. The Microsoft identity platform will also ensure that the user has consented to the permissions indicated in the `scope` query parameter. If the user has consented to **none** of those permissions, it will ask the user to consent to the required permissions. For more info, see [permissions, consent, and multi-tenant apps](v2-permissions-and-consent.md).
-Once the user authenticates and grants consent, the Microsoft identity platform endpoint will return a response to your app at the indicated `redirect_uri`, using the method specified in the `response_mode` parameter.
+Once the user authenticates and grants consent, the Microsoft identity platform will return a response to your app at the indicated `redirect_uri`, using the method specified in the `response_mode` parameter.
#### Successful response
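Review bot: the `prompt` row's `+` line says that when `prompt=none` cannot be satisfied silently "the Microsoft identity platform will return an error" without naming it, while the authorization code article earlier in this same change names `interaction_required` for the identical case. Name the error here too, so an app that branches on the error code has one documented value to check. Also a style point: this row quotes the values as 'login', 'none' while the authorization code article's row uses backticks; align on backticks.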
@@ -195,7 +195,7 @@ In browsers that do not support third party cookies, this will result in an erro
## Send a sign out request
-The OpenID Connect `end_session_endpoint` allows your app to send a request to the Microsoft identity platform endpoint to end a user's session and clear cookies set by the Microsoft identity platform endpoint. To fully sign a user out of a web application, your app should end its own session with the user (usually by clearing a token cache or dropping cookies), and then redirect the browser to:
+The OpenID Connect `end_session_endpoint` allows your app to send a request to the Microsoft identity platform to end a user's session and clear cookies set by the Microsoft identity platform . To fully sign a user out of a web application, your app should end its own session with the user (usually by clearing a token cache or dropping cookies), and then redirect the browser to:
``` https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout?post_logout_redirect_uri=https://localhost/myapp/
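Review bot: stray space before the period in the `+` line: "cookies set by the Microsoft identity platform ." The rename removed "endpoint" but left the space that preceded it.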
@@ -204,7 +204,7 @@ https://login.microsoftonline.com/{tenant}/oauth2/v2.0/logout?post_logout_redire
| Parameter | Type | Description | | | | | | `tenant` |required |The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](active-directory-v2-protocols.md#endpoints). |
-| `post_logout_redirect_uri` | recommended | The URL that the user should be returned to after logout completes. This value must match one of the redirect URIs registered for the application. If not included, the user will be shown a generic message by the Microsoft identity platform endpoint. |
+| `post_logout_redirect_uri` | recommended | The URL that the user should be returned to after logout completes. This value must match one of the redirect URIs registered for the application. If not included, the user will be shown a generic message by the Microsoft identity platform. |
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md a/articles/active-directory/develop/v2-oauth2-on-behalf-of-flow.md
@@ -126,7 +126,7 @@ A success response is a JSON OAuth 2.0 response with the following parameters.
| Parameter | Description | | | |
-| `token_type` | Indicates the token type value. The only type that Microsoft identity platform supports is `Bearer`. For more info about bearer tokens, see the [OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750)](https://www.rfc-editor.org/rfc/rfc6750.txt). |
+| `token_type` | Indicates the token type value. The only type that the Microsoft identity platform supports is `Bearer`. For more info about bearer tokens, see the [OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750)](https://www.rfc-editor.org/rfc/rfc6750.txt). |
| `scope` | The scope of access granted in the token. | | `expires_in` | The length of time, in seconds, that the access token is valid. | | `access_token` | The requested access token. The calling service can use this token to authenticate to the receiving service. |
@@ -147,7 +147,7 @@ The following example shows a success response to a request for an access token
} ```
-The above access token is a v1.0-formatted token for Microsoft Graph. This is because the token format is based on the **resource** being accessed and unrelated to the endpoints used to request it. The Microsoft Graph is setup to accept v1.0 tokens, so Microsoft identity platform produces v1.0 access tokens when a client requests tokens for Microsoft Graph. Other apps may indicate that they want v2.0-format tokens, v1.0-format tokens, or even proprietary or encrypted token formats. Both the v1.0 and v2.0 endpoints can emit either format of token - this way the resource can always get the right format of token regardless of how or where the token was requested by the client.
+The above access token is a v1.0-formatted token for Microsoft Graph. This is because the token format is based on the **resource** being accessed and unrelated to the endpoints used to request it. The Microsoft Graph is setup to accept v1.0 tokens, so the Microsoft identity platform produces v1.0 access tokens when a client requests tokens for Microsoft Graph. Other apps may indicate that they want v2.0-format tokens, v1.0-format tokens, or even proprietary or encrypted token formats. Both the v1.0 and v2.0 endpoints can emit either format of token - this way the resource can always get the right format of token regardless of how or where the token was requested by the client.
Only applications should look at access tokens. Clients **must not** inspect them. Inspecting access tokens for other apps in your code will result in your app unexpectedly breaking when that app changes the format of their tokens or starts encrypting them.
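Review bot: the unchanged context line "Only applications should look at access tokens. Clients **must not** inspect them." is ambiguous, since a client is also an application. The `+` paragraph above makes the intended rule clear: the token format is chosen by the resource, so only the resource the token was issued for should inspect it. Suggest: "Only the resource an access token is issued for should inspect it. Clients **must not** inspect access tokens meant for other resources." Also, "is setup to accept" in the `+` line should be "is set up to accept".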
@@ -197,7 +197,7 @@ Depending on the architecture or usage of your application, you may consider dif
### /.default and combined consent
-The middle tier application adds the client to the known client applications list in its manifest, and then the client can trigger a combined consent flow for both itself and the middle tier application. On the Microsoft identity platform endpoint, this is done using the [`/.default` scope](v2-permissions-and-consent.md#the-default-scope). When triggering a consent screen using known client applications and `/.default`, the consent screen will show permissions for **both** the client to the middle tier API, and also request whatever permissions are required by the middle-tier API. The user provides consent for both applications, and then the OBO flow works.
+The middle tier application adds the client to the known client applications list in its manifest, and then the client can trigger a combined consent flow for both itself and the middle tier application. On the Microsoft identity platform, this is done using the [`/.default` scope](v2-permissions-and-consent.md#the-default-scope). When triggering a consent screen using known client applications and `/.default`, the consent screen will show permissions for **both** the client to the middle tier API, and also request whatever permissions are required by the middle-tier API. The user provides consent for both applications, and then the OBO flow works.
### Pre-authorized applications
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-overview.md a/articles/active-directory/develop/v2-overview.md
@@ -75,7 +75,7 @@ Learn how core authentication and Azure AD concepts apply to the Microsoft ident
## Next steps
-If you have an Azure account you already have access to an Azure Active Directory tenant, but most Microsoft identity platform developers need their own Azure AD tenant for use while developing applications, a "dev tenant."
+If you have an Azure account you already have access to an Azure Active Directory tenant, but most the Microsoft identity platform developers need their own Azure AD tenant for use while developing applications, a "dev tenant."
Learn how to create your own tenant for use while building your applications:
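Review bot: the replacement introduces a grammar error on the `+` line, "most the Microsoft identity platform developers", which looks like a mechanical "Microsoft identity platform" -> "the Microsoft identity platform" substitution applied where the phrase is used attributively. It should read "but most Microsoft identity platform developers need their own Azure AD tenant". The same line is also a run-on; a period after "tenant" and starting "Most developers ..." as a new sentence would help.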
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-permissions-and-consent.md a/articles/active-directory/develop/v2-permissions-and-consent.md
@@ -15,9 +15,9 @@
-# Permissions and consent in the Microsoft identity platform endpoint
+# Permissions and consent in the Microsoft identity platform
-Applications that integrate with Microsoft identity platform follow an authorization model that gives users and administrators control over how data can be accessed. The implementation of the authorization model has been updated on the Microsoft identity platform endpoint. It changes how an app must interact with the Microsoft identity platform. This article covers the basic concepts of this authorization model, including scopes, permissions, and consent.
+Applications that integrate with the Microsoft identity platform follow an authorization model that gives users and administrators control over how data can be accessed. The implementation of the authorization model has been updated on the Microsoft identity platform. It changes how an app must interact with the Microsoft identity platform. This article covers the basic concepts of this authorization model, including scopes, permissions, and consent.
## Scopes and permissions
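Review bot: dropping "endpoint" from "The implementation of the authorization model has been updated on the Microsoft identity platform endpoint" leaves the sentence without its point of comparison; "has been updated on the Microsoft identity platform" no longer says updated relative to what. Either state what it changed from or drop the sentence and let the next one ("It changes how an app must interact ...") carry the message.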
@@ -49,7 +49,7 @@ An app most commonly requests these permissions by specifying the scopes in requ
## Permission types
-Microsoft identity platform supports two types of permissions: *delegated permissions* and *application permissions*.
+The Microsoft identity platform supports two types of permissions: *delegated permissions* and *application permissions*.
* **Delegated permissions** are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests. The app is delegated permission to act as the signed-in user when it makes calls to the target resource.
@@ -124,7 +124,7 @@ https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
The `scope` parameter is a space-separated list of delegated permissions that the app is requesting. Each permission is indicated by appending the permission value to the resource's identifier (the application ID URI). In the request example, the app needs permission to read the user's calendar and send mail as the user.
-After the user enters their credentials, the Microsoft identity platform endpoint checks for a matching record of *user consent*. If the user hasn't consented to any of the requested permissions in the past, and if the administrator hasn't consented to these permissions on behalf of the entire organization, the Microsoft identity platform endpoint asks the user to grant the requested permissions.
+After the user enters their credentials, the Microsoft identity platform checks for a matching record of *user consent*. If the user hasn't consented to any of the requested permissions in the past, and if the administrator hasn't consented to these permissions on behalf of the entire organization, the Microsoft identity platform asks the user to grant the requested permissions.
At this time, the `offline_access` ("Maintain access to data you have given it access to") permission and `user.read` ("Sign you in and read your profile") permission are automatically included in the initial consent to an application. These permissions are generally required for proper app functionality. The `offline_access` permission gives the app access to refresh tokens that are critical for native apps and web apps. The `user.read` permission gives access to the `sub` claim. It allows the client or app to correctly identify the user over time and access rudimentary user information.
@@ -160,7 +160,7 @@ If the application requests application permissions and an administrator grants
After you use the admin consent endpoint to grant admin consent, you're finished. Users don't need to take any further action. After admin consent is granted, users can get an access token through a typical auth flow. The resulting access token has the consented permissions.
-When a company administrator uses your application and is directed to the authorize endpoint, Microsoft identity platform detects the user's role. It asks if the company administrator wants to consent on behalf of the entire tenant for the permissions you requested. You could instead use a dedicated admin consent endpoint to proactively request an administrator to grant permission on behalf of the entire tenant. This endpoint is also necessary for requesting application permissions. Application permissions can't be requested by using the authorize endpoint.
+When a company administrator uses your application and is directed to the authorize endpoint, the Microsoft identity platform detects the user's role. It asks if the company administrator wants to consent on behalf of the entire tenant for the permissions you requested. You could instead use a dedicated admin consent endpoint to proactively request an administrator to grant permission on behalf of the entire tenant. This endpoint is also necessary for requesting application permissions. Application permissions can't be requested by using the authorize endpoint.
If you follow these steps, your app can request permissions for all users in a tenant, including admin-restricted scopes. This operation is high privilege. Use the operation only if necessary for your scenario.
@@ -331,7 +331,7 @@ response_type=token //Code or a hybrid flow is also possible here
This code example produces a consent page for all registered permissions if the preceding descriptions of consent and `/.default` apply to the scenario. Then the code returns an `id_token`, rather than an access token.
-This behavior accommodates some legacy clients that are moving from Azure AD Authentication Library (ADAL) to Microsoft Authentication Library (MSAL). This setup *shouldn't* be used by new clients that target the Microsoft identity platform endpoint.
+This behavior accommodates some legacy clients that are moving from Azure AD Authentication Library (ADAL) to the Microsoft Authentication Library (MSAL). This setup *shouldn't* be used by new clients that target the Microsoft identity platform.
### Client credentials grant flow and /.default
@@ -353,5 +353,5 @@ For troubleshooting steps, see [Unexpected error when performing consent to an a
## Next steps
-* [ID tokens in Microsoft identity platform](id-tokens.md)
-* [Access tokens in Microsoft identity platform](access-tokens.md)
+* [ID tokens in the Microsoft identity platform](id-tokens.md)
+* [Access tokens in the Microsoft identity platform](access-tokens.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-protocols-oidc.md a/articles/active-directory/develop/v2-protocols-oidc.md
@@ -18,7 +18,7 @@
# Microsoft identity platform and OpenID Connect protocol
-OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 that you can use to securely sign in a user to an application. When you use the Microsoft identity platform endpoint's implementation of OpenID Connect, you can add sign-in and API access to your apps. This article shows how to do this independent of language and describes how to send and receive HTTP messages without using any [Microsoft open-source libraries](reference-v2-libraries.md).
+OpenID Connect (OIDC) is an authentication protocol built on OAuth 2.0 that you can use to securely sign in a user to an application. When you use the Microsoft identity platform's implementation of OpenID Connect, you can add sign-in and API access to your apps. This article shows how to do this independent of language and describes how to send and receive HTTP messages without using any [Microsoft open-source libraries](reference-v2-libraries.md).
[OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html) extends the OAuth 2.0 *authorization* protocol for use as an *authentication* protocol, so that you can do single sign-on using OAuth. OpenID Connect introduces the concept of an *ID token*, which is a security token that allows the client to verify the identity of the user. The ID token also gets basic profile information about the user. It also introduces the [UserInfo endpoint](userinfo.md), an API that returns information about the user.
@@ -84,7 +84,7 @@ The metadata is a simple JavaScript Object Notation (JSON) document. See the fol
If your app has custom signing keys as a result of using the [claims-mapping](active-directory-claims-mapping.md) feature, you must append an `appid` query parameter containing the app ID in order to get a `jwks_uri` pointing to your app's signing key information. For example: `https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration?appid=6731de76-14a6-49ae-97bc-6eba6914391e` contains a `jwks_uri` of `https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys?appid=6731de76-14a6-49ae-97bc-6eba6914391e`.
-Typically, you would use this metadata document to configure an OpenID Connect library or SDK; the library would use the metadata to do its work. However, if you're not using a pre-built OpenID Connect library, you can follow the steps in the remainder of this article to do sign-in in a web app by using the Microsoft identity platform endpoint.
+Typically, you would use this metadata document to configure an OpenID Connect library or SDK; the library would use the metadata to do its work. However, if you're not using a pre-built OpenID Connect library, you can follow the steps in the remainder of this article to do sign-in in a web app by using the Microsoft identity platform.
## Send the sign-in request
@@ -122,13 +122,13 @@ client_id=6731de76-14a6-49ae-97bc-6eba6914391e
| `nonce` | Required | A value included in the request, generated by the app, that will be included in the resulting id_token value as a claim. The app can verify this value to mitigate token replay attacks. The value typically is a randomized, unique string that can be used to identify the origin of the request. | | `response_mode` | Recommended | Specifies the method that should be used to send the resulting authorization code back to your app. Can be `form_post` or `fragment`. For web applications, we recommend using `response_mode=form_post`, to ensure the most secure transfer of tokens to your application. | | `state` | Recommended | A value included in the request that also will be returned in the token response. It can be a string of any content you want. A randomly generated unique value typically is used to [prevent cross-site request forgery attacks](https://tools.ietf.org/html/rfc6749#section-10.12). The state also is used to encode information about the user's state in the app before the authentication request occurred, such as the page or view the user was on. |
-| `prompt` | Optional | Indicates the type of user interaction that is required. The only valid values at this time are `login`, `none`, and `consent`. The `prompt=login` claim forces the user to enter their credentials on that request, which negates single sign-on. The `prompt=none` claim is the opposite. This claim ensures that the user isn't presented with any interactive prompt at. If the request can't be completed silently via single sign-on, the Microsoft identity platform endpoint returns an error. The `prompt=consent` claim triggers the OAuth consent dialog after the user signs in. The dialog asks the user to grant permissions to the app. |
+| `prompt` | Optional | Indicates the type of user interaction that is required. The only valid values at this time are `login`, `none`, and `consent`. The `prompt=login` claim forces the user to enter their credentials on that request, which negates single sign-on. The `prompt=none` claim is the opposite. This claim ensures that the user isn't presented with any interactive prompt at. If the request can't be completed silently via single sign-on, the Microsoft identity platform returns an error. The `prompt=consent` claim triggers the OAuth consent dialog after the user signs in. The dialog asks the user to grant permissions to the app. |
| `login_hint` | Optional | You can use this parameter to pre-fill the username and email address field of the sign-in page for the user, if you know the username ahead of time. Often, apps use this parameter during reauthentication, after already extracting the username from an earlier sign-in by using the `preferred_username` claim. | | `domain_hint` | Optional | The realm of the user in a federated directory. This skips the email-based discovery process that the user goes through on the sign-in page, for a slightly more streamlined user experience. For tenants that are federated through an on-premises directory like AD FS, this often results in a seamless sign-in because of the existing login session. |
-At this point, the user is prompted to enter their credentials and complete the authentication. The Microsoft identity platform endpoint verifies that the user has consented to the permissions indicated in the `scope` query parameter. If the user hasn't consented to any of those permissions, the Microsoft identity platform endpoint prompts the user to consent to the required permissions. You can read more about [permissions, consent, and multi-tenant apps](v2-permissions-and-consent.md).
+At this point, the user is prompted to enter their credentials and complete the authentication. The Microsoft identity platform verifies that the user has consented to the permissions indicated in the `scope` query parameter. If the user hasn't consented to any of those permissions, the Microsoft identity platform prompts the user to consent to the required permissions. You can read more about [permissions, consent, and multi-tenant apps](v2-permissions-and-consent.md).
-After the user authenticates and grants consent, the Microsoft identity platform endpoint returns a response to your app at the indicated redirect URI by using the method specified in the `response_mode` parameter.
+After the user authenticates and grants consent, the Microsoft identity platform returns a response to your app at the indicated redirect URI by using the method specified in the `response_mode` parameter.
### Successful response
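Review bot: the modified `prompt` row carries over a truncated sentence, "ensures that the user isn't presented with any interactive prompt at." This line is being rewritten anyway, so complete it ("any interactive prompt at all"). The same row calls `prompt=login`, `prompt=none` and `prompt=consent` "claims"; they are request parameter values, not token claims, and using "claim" here is confusing right after the `nonce` row, which does describe a claim. Suggest "The `prompt=login` value forces ...".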
@@ -180,7 +180,7 @@ The following table describes error codes that can be returned in the `error` pa
## Validate the ID token
-Just receiving an id_token isn't always sufficient to authenticate the user; you may also need to validate the id_token's signature and verify the claims in the token per your app's requirements. Like all OIDC platforms, the Microsoft identity platform endpoint uses [JSON Web Tokens (JWTs)](https://tools.ietf.org/html/rfc7519) and public key cryptography to sign ID tokens and verify that they're valid.
+Just receiving an id_token isn't always sufficient to authenticate the user; you may also need to validate the id_token's signature and verify the claims in the token per your app's requirements. Like all OIDC platforms, the Microsoft identity platform uses [JSON Web Tokens (JWTs)](https://tools.ietf.org/html/rfc7519) and public key cryptography to sign ID tokens and verify that they're valid.
Not all apps benefit from verifying the ID token - native apps and single page apps, for instance, rarely benefit from validating the ID token. Someone with physical access to the device (or browser) can bypass the validation in many ways - from editing the web traffic to the device to provide fake tokens and keys to simply debugging the application to skip the validation logic. On the other hand, web apps and APIs using an ID token to authorization must validate the ID token carefully since they are gating access to data.
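Review bot: the trailing context line, "web apps and APIs using an ID token to authorization must validate the ID token carefully", has a pre-existing typo ("to authorization" should be "for authorization"). Since the paragraph directly above is already being edited in this hunk, it is worth fixing in the same change rather than leaving the security-relevant sentence of this section garbled.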
@@ -279,7 +279,7 @@ Review the [UserInfo documentation](userinfo.md#calling-the-api) to look over ho
## Send a sign-out request
-When you want to sign out the user from your app, it isn't sufficient to clear your app's cookies or otherwise end the user's session. You must also redirect the user to the Microsoft identity platform endpoint to sign out. If you don't do this, the user reauthenticates to your app without entering their credentials again, because they will have a valid single sign-in session with the Microsoft identity platform endpoint.
+When you want to sign out the user from your app, it isn't sufficient to clear your app's cookies or otherwise end the user's session. You must also redirect the user to the Microsoft identity platform to sign out. If you don't do this, the user reauthenticates to your app without entering their credentials again, because they will have a valid single sign-in session with the Microsoft identity platform.
You can redirect the user to the `end_session_endpoint` listed in the OpenID Connect metadata document:
@@ -290,11 +290,11 @@ post_logout_redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
| Parameter | Condition | Description | | -- | - | |
-| `post_logout_redirect_uri` | Recommended | The URL that the user is redirected to after successfully signing out. If the parameter isn't included, the user is shown a generic message that's generated by the Microsoft identity platform endpoint. This URL must match one of the redirect URIs registered for your application in the app registration portal. |
+| `post_logout_redirect_uri` | Recommended | The URL that the user is redirected to after successfully signing out. If the parameter isn't included, the user is shown a generic message that's generated by the Microsoft identity platform. This URL must match one of the redirect URIs registered for your application in the app registration portal. |
## Single sign-out
-When you redirect the user to the `end_session_endpoint`, the Microsoft identity platform endpoint clears the user's session from the browser. However, the user may still be signed in to other applications that use Microsoft accounts for authentication. To enable those applications to sign the user out simultaneously, the Microsoft identity platform endpoint sends an HTTP GET request to the registered `LogoutUrl` of all the applications that the user is currently signed in to. Applications must respond to this request by clearing any session that identifies the user and returning a `200` response. If you wish to support single sign-out in your application, you must implement such a `LogoutUrl` in your application's code. You can set the `LogoutUrl` from the app registration portal.
+When you redirect the user to the `end_session_endpoint`, the Microsoft identity platform clears the user's session from the browser. However, the user may still be signed in to other applications that use Microsoft accounts for authentication. To enable those applications to sign the user out simultaneously, the Microsoft identity platform sends an HTTP GET request to the registered `LogoutUrl` of all the applications that the user is currently signed in to. Applications must respond to this request by clearing any session that identifies the user and returning a `200` response. If you wish to support single sign-out in your application, you must implement such a `LogoutUrl` in your application's code. You can set the `LogoutUrl` from the app registration portal.
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-supported-account-types https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-supported-account-types.md a/articles/active-directory/develop/v2-supported-account-types.md
@@ -1,5 +1,6 @@
Title: Supported account types - Microsoft identity platform | Azure
+ Title: Supported account types | Azure
+ description: Conceptual documentation about audiences and supported account types in applications
@@ -17,7 +18,7 @@
# Supported account types
-This article explains what account types (sometimes called *audiences*) are supported in Microsoft identity platform applications.
+This article explains what account types (sometimes called *audiences*) are supported in the Microsoft identity platform applications.
<!-- This section can be in an include for many of the scenarios (SPA, web app signing-in users, protecting a web API, Desktop (depending on the flows), Mobile -->
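Review bot: the `+` line reads "supported in the Microsoft identity platform applications", which is ungrammatical; "Microsoft identity platform" is an attributive modifier of "applications" here, so the article should not be inserted. Keep the original wording, "supported in Microsoft identity platform applications", for this occurrence.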
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/whats-new-docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/whats-new-docs.md a/articles/active-directory/develop/whats-new-docs.md
@@ -1,5 +1,5 @@
Title: "What's new in Microsoft identity platform docs"
+ Title: "What's new in the Microsoft identity platform docs"
description: "New and updated documentation for the Microsoft identity platform."
@@ -16,7 +16,7 @@
# Microsoft identity platform docs: What's new
-Welcome to what's new in Microsoft identity platform documentation. This article lists new docs that have been added and those that have had significant updates in the last three months.
+Welcome to what's new in the Microsoft identity platform documentation. This article lists new docs that have been added and those that have had significant updates in the last three months.
## January 2021
active-directory https://docs.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-windows https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md a/articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md
@@ -348,7 +348,9 @@ Verify that the Windows 10 PC you are using to initiate the remote desktop conne
> [!NOTE] > Windows 10 Build 20H1 added support for an Azure AD registered PC to initiate RDP connection to your VM. When using an Azure AD registered (not Azure AD joined or hybrid Azure AD joined) PC as the RDP client to initiate connections to your VM, you must enter credentials in the format AzureAD\UPn (e.g. AzureAD\john@contoso.com).
-Also, verify the AADLoginForWindows extension has not been uninstalled after Azure AD join has completed.
+Verify that the AADLoginForWindows extension was not uninstalled after the Azure AD join finished.
+
+Also, make sure that the security policy ΓÇ£Network security: Allow PKU2U authentication requests to this computer to use online identitiesΓÇ¥ is enabled on both the server *and* the client.
#### MFA sign-in method required
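Review bot: the added PKU2U line contains mis-encoded curly quotes (`ΓÇ£` and `ΓÇ¥`), which indicates the file was saved in a non-UTF-8 code page; re-save as UTF-8 and use plain ASCII quotes or bold for the policy name, "Network security: Allow PKU2U authentication requests to this computer to use online identities". Also note the preceding context line spells the credential format as `AzureAD\UPn`; "UPN" is the standard capitalization and is worth correcting while this section is open.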
@@ -371,4 +373,4 @@ Share your feedback about this preview feature or report issues using it on the
## Next steps
-For more information on Azure Active Directory, see [What is Azure Active Directory](../fundamentals/active-directory-whatis.md)
\ No newline at end of file
+For more information on Azure Active Directory, see [What is Azure Active Directory](../fundamentals/active-directory-whatis.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-naming-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/groups-naming-policy.md a/articles/active-directory/enterprise-users/groups-naming-policy.md
@@ -67,6 +67,7 @@ Blocked word list rules:
To configure naming policy, one of the following roles is required: - Global administrator - Group administrator
+- Directory writer
Selected administrators can be exempted from these policies, across all group workloads and endpoints, so that they can create groups using blocked words and with their own naming conventions. The following are the list of administrator roles exempted from the group naming policy.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-sso-quick-start.md a/articles/active-directory/hybrid/how-to-connect-sso-quick-start.md
@@ -32,7 +32,7 @@ Ensure that the following prerequisites are in place:
* **Set up your Azure AD Connect server**: If you use [Pass-through Authentication](how-to-connect-pta.md) as your sign-in method, no additional prerequisite check is required. If you use [password hash synchronization](how-to-connect-password-hash-synchronization.md) as your sign-in method, and if there is a firewall between Azure AD Connect and Azure AD, ensure that: - You use version 1.1.644.0 or later of Azure AD Connect.
- - If your firewall or proxy allows, add the connections to the allowed list for **\*.msappproxy.net** URLs over port 443. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly. This prerequisite is applicable only when you enable the feature. It is not required for actual user sign-ins.
+ - If your firewall or proxy allows, add the connections to the allowed list for **\*.msappproxy.net** URLs over port 443. If you require a specific URL rather than a wildcard for proxy configuration, you can configure **tenantid.registration.msappproxy.net**, where tenantid is the GUID of the tenant where you are configuring the feature. If URL-based proxy exceptions are not possible in your organization, you can instead allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly. This prerequisite is applicable only when you enable the feature. It is not required for actual user sign-ins.
>[!NOTE] >Azure AD Connect versions 1.1.557.0, 1.1.558.0, 1.1.561.0, and 1.1.614.0 have a problem related to password hash synchronization. If you _don't_ intend to use password hash synchronization in conjunction with Pass-through Authentication, read the [Azure AD Connect release notes](./reference-connect-version-history.md) to learn more.
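Review bot: in the added sentence, `tenantid.registration.msappproxy.net` is presented as a literal hostname in bold, which readers may copy verbatim; format the tenant part as an explicit placeholder (for example `<tenantid>.registration.msappproxy.net`) and keep the explanation that it is the tenant GUID. Formatting it the same way as the existing **\*.msappproxy.net** entry (bold or code, consistently) would also help.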
active-directory https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-staged-rollout https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-staged-rollout.md a/articles/active-directory/hybrid/how-to-connect-staged-rollout.md
@@ -57,8 +57,11 @@ The following scenarios are supported for staged rollout. The feature works only
- Users who are provisioned to Azure AD by using Azure AD Connect. It does not apply to cloud-only users. - User sign-in traffic on browsers and *modern authentication* clients. Applications or cloud services that use legacy authentication will fall back to federated authentication flows. An example might be Exchange online with modern authentication turned off, or Outlook 2010, which does not support modern authentication.+ - Group size is currently limited to 50,000 users. If you have groups that are larger then 50,000 users, it is recommended to split this group over multiple groups for staged rollout.
+- Windows 10 Hybrid Join or Azure AD Join primary refresh token acquisition without line-of-sight to the federation server for Windows 10 version 1903 and newer, when userΓÇÖs UPN is routable and domain suffix is verified in Azure AD.
+ ## Unsupported scenarios The following scenarios are not supported for staged rollout:
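Review bot: the new bullet contains a mis-encoded apostrophe (`userΓÇÖs`), so the file needs to be re-saved as UTF-8 or the text changed to "the user's UPN". While this list is being edited, the unchanged line above has "larger then 50,000 users", which should be "larger than".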
@@ -84,6 +87,10 @@ The following scenarios are not supported for staged rollout:
- While users are in Staged Rollout, when EnforceCloudPasswordPolicyForPasswordSyncedUsers is enabled, password expiration policy is set to 90 days with no option to customize it.
+- Windows 10 Hybrid Join or Azure AD Join primary refresh token acquisition for Windows 10 version older than 1903. This scenario will fall back to the WS-Trust endpoint of the federation server, even if the user signing in is in scope of staged rollout.
+
+- Windows 10 Hybrid Join or Azure AD Join primary refresh token acquisition for all versions, when userΓÇÖs on-premises UPN is not routable. This scenario will fall back to the WS-Trust endpoint while in staged rollout mode, but will stop working when staged migration is complete and user sign-on is no longer relying on federation server.
+ ## Get started with staged rollout
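Review bot: same encoding problem as the supported-scenarios hunk, `userΓÇÖs on-premises UPN`, which should be "the user's on-premises UPN". The second added bullet carries a consequence that deserves emphasis rather than a plain list item: the fallback to WS-Trust "will stop working when staged migration is complete and user sign-on is no longer relying on federation server", so readers with non-routable UPNs need to know this before cutover. Consider a note callout or a cross-reference to where the UPN requirement is documented.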
active-directory https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-pass-through-authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/tshoot-connect-pass-through-authentication.md a/articles/active-directory/hybrid/tshoot-connect-pass-through-authentication.md
@@ -12,7 +12,7 @@
na ms.devlang: na Previously updated : 07/27/2020 Last updated : 01/25/2021
@@ -152,7 +152,7 @@ For errors related to the Authentication Agent, open up the Event Viewer applica
For detailed analytics, enable the "Session" log (right-click inside the Event Viewer application to find this option). Don't run the Authentication Agent with this log enabled during normal operations; use only for troubleshooting. The log contents are only visible after the log is disabled again.
-PTA agent event manifest can be found [here](https://msazure.visualstudio.com/One/_git/AD-AppProxy?path=%2Fsrc%2FProduct%2FMUC%2FPTADiagnosticsResource%2FPTADiagnosticsResource%2FPTAConnectorDiagnosticsResource%2FPTAConnectorEventManifest.man&_a=contents&version=GBmaster).
+ ### Detailed trace logs
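Review bot: removing the link to the PTA agent event manifest is right, since it pointed at an internal Azure DevOps repository (msazure.visualstudio.com) that customers cannot reach. The hunk replaces the sentence with an empty line rather than deleting it, so the file ends up with consecutive blank lines before "### Detailed trace logs"; drop the blank line, and if a public reference for the event IDs exists, link that instead of silently removing the pointer.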
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-proxy-faq.md a/articles/active-directory/manage-apps/application-proxy-faq.md
@@ -97,6 +97,10 @@ Here are some tips for troubleshooting this error:
The default length is 85 seconds. The "long" setting is 180 seconds. The timeout limit can't be extended.
+### Can a service principal manage Application Proxy using Powershell or Microsoft Graph APIs?
+
+No, this is currently not supported.
+ ### How do I change the landing page my application loads? From the Application Registrations page, you can change the homepage URL to the desired external URL of the landing page. The specified page will load when the application is launched from My Apps or the Office 365 Portal. For configuration steps, see [Set a custom home page for published apps by using Azure AD Application Proxy](./application-proxy-configure-custom-home-page.md)
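Review bot: the new FAQ heading uses "Powershell"; the product name is "PowerShell". The answer, "No, this is currently not supported.", would be more useful if it said what is supported instead (for example that the management operations must be run under a user account), since the question is about which identity can drive Application Proxy configuration.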
aks https://docs.microsoft.com/en-us/azure/aks/enable-host-encryption https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/enable-host-encryption.md a/articles/aks/enable-host-encryption.md
@@ -22,34 +22,32 @@ This feature can only be set at cluster creation or node pool creation time.
### Prerequisites - Ensure you have the `aks-preview` CLI extension v0.4.55 or higher installed-- Ensure you have the `EncryptionAtHost` feature flag under `Microsoft.Compute` enabled. - Ensure you have the `EnableEncryptionAtHostPreview` feature flag under `Microsoft.ContainerService` enabled.
+In order to be able to use encryption at host for your VMs or virtual machine scale sets, you must get the feature enabled on your subscription. Send an email to encryptionAtHost@microsoft .com with your subscription Ids to get the feature enabled for your subscriptions.
+ ### Register `EncryptionAtHost` preview features
+> [!IMPORTANT]
+> You must email encryptionAtHost@microsoft .com with your subscription Ids to get the feature enabled for compute resources. You cannot enable it yourself for those resources. You can enable it yourself on the container service.
+ To create an AKS cluster that uses host-based encryption, you must enable the `EnableEncryptionAtHostPreview` and `EncryptionAtHost` feature flags on your subscription. Register the `EncryptionAtHost` feature flag using the [az feature register][az-feature-register] command as shown in the following example: ```azurecli-interactive
-az feature register --namespace "Microsoft.Compute" --name "EncryptionAtHost"
- az feature register --namespace "Microsoft.ContainerService" --name "EnableEncryptionAtHostPreview" ``` It takes a few minutes for the status to show *Registered*. You can check on the registration status using the [az feature list][az-feature-list] command: ```azurecli-interactive
-az feature list -o table --query "[?contains(name, 'Microsoft.Compute/EncryptionAtHost')].{Name:name,State:properties.state}"
- az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableEncryptionAtHostPreview')].{Name:name,State:properties.state}" ``` When ready, refresh the registration of the `Microsoft.ContainerService` and `Microsoft.Compute` resource providers using the [az provider register][az-provider-register] command: ```azurecli-interactive
-az provider register --namespace Microsoft.Compute
- az provider register --namespace Microsoft.ContainerService ```
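Review bot: The hunk leaves the prose inconsistent with the commands. The surviving context sentence still says "you must enable the `EnableEncryptionAtHostPreview` and `EncryptionAtHost` feature flags on your subscription. Register the `EncryptionAtHost` feature flag using the az feature register command", and the later sentence still says to refresh both the `Microsoft.ContainerService` and `Microsoft.Compute` resource providers, yet every `Microsoft.Compute` register, list and provider command is removed and the new [!IMPORTANT] note says customers cannot enable it for compute resources themselves. Update that sentence to mention only `EnableEncryptionAtHostPreview` and drop `Microsoft.Compute` from the provider-refresh step, or readers will run a command that no longer appears. The email instruction is also now stated twice (once before the heading, once inside the note), and both copies write the address as "encryptionAtHost@microsoft .com" with a space before ".com"; keep one copy and verify the address.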
aks https://docs.microsoft.com/en-us/azure/aks/kubernetes-action https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-action.md a/articles/aks/kubernetes-action.md
@@ -11,7 +11,7 @@
# GitHub Actions for deploying to Kubernetes service
-[GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions) gives you the flexibility to build an automated software development lifecycle workflow. You can use multiple Kubernetes actions to deploy to containers from Azure Container Registry to Azure Kubernetes Service with GitHub Actions.
+[GitHub Actions](https://docs.github.com/en/actions) gives you the flexibility to build an automated software development lifecycle workflow. You can use multiple Kubernetes actions to deploy to containers from Azure Container Registry to Azure Kubernetes Service with GitHub Actions.
## Prerequisites
aks https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/operator-best-practices-identity.md a/articles/aks/operator-best-practices-identity.md
@@ -94,39 +94,42 @@ To see how to control access to the AKS resource and the kubeconfig, see [Limit
2. Access to the Kubernetes API. This access level is controlled either by [Kubernetes RBAC](#use-kubernetes-role-based-access-control-kubernetes-rbac) (traditionally) or by integrating Azure RBAC with AKS for kubernetes authorization. To see how to granularly give permissions to the Kubernetes API using Azure RBAC see [Use Azure RBAC for Kubernetes authorization](manage-azure-rbac.md).
-## Use pod identities
+## Use Pod-managed Identities
**Best practice guidance** - Don't use fixed credentials within pods or container images, as they are at risk of exposure or abuse. Instead, use pod identities to automatically request access using a central Azure AD identity solution. Pod identities are intended for use with Linux pods and container images only.
+> [!NOTE]
+> Pod-managed identities support for Windows containers is coming soon.
+ When pods need access to other Azure services, such as Cosmos DB, Key Vault, or Blob Storage, the pod needs access credentials. These access credentials could be defined with the container image or injected as a Kubernetes secret, but need to be manually created and assigned. Often, the credentials are reused across pods, and aren't regularly rotated.
-Managed identities for Azure resources (currently implemented as an associated AKS open source project) let you automatically request access to services through Azure AD. You don't manually define credentials for pods, instead they request an access token in real time, and can use it to access only their assigned services. In AKS, two components are deployed by the cluster operator to allow pods to use managed identities:
+Pod-managed identities for Azure resources lets you automatically request access to services through Azure AD. Pod-managed identities is now currently in preview for Azure Kubernetes Service. Please refer to the [Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview)]( https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity) documentation to get started. With Pod-managed identities, you do not manually define credentials for pods, instead they request an access token in real time, and can use it to access only their assigned services. In AKS, there are two components that handle the operations to allow pods to use managed identities:
* **The Node Management Identity (NMI) server** is a pod that runs as a DaemonSet on each node in the AKS cluster. The NMI server listens for pod requests to Azure services.
-* **The Managed Identity Controller (MIC)** is a central pod with permissions to query the Kubernetes API server and checks for an Azure identity mapping that corresponds to a pod.
+* **The Azure Resource Provider** queries the Kubernetes API server and checks for an Azure identity mapping that corresponds to a pod.
-When pods request access to an Azure service, network rules redirect the traffic to the Node Management Identity (NMI) server. The NMI server identifies pods that request access to Azure services based on their remote address, and queries the Managed Identity Controller (MIC). The MIC checks for Azure identity mappings in the AKS cluster, and the NMI server then requests an access token from Azure Active Directory (AD) based on the pod's identity mapping. Azure AD provides access to the NMI server, which is returned to the pod. This access token can be used by the pod to then request access to services in Azure.
+When pods request access to an Azure service, network rules redirect the traffic to the Node Management Identity (NMI) server. The NMI server identifies pods that request access to Azure services based on their remote address, and queries the Azure Resource Provider. The Azure Resoruce Provider checks for Azure identity mappings in the AKS cluster, and the NMI server then requests an access token from Azure Active Directory (AD) based on the pod's identity mapping. Azure AD provides access to the NMI server, which is returned to the pod. This access token can be used by the pod to then request access to services in Azure.
In the following example, a developer creates a pod that uses a managed identity to request access to Azure SQL Database: ![Pod identities allow a pod to automatically request access to other services](media/operator-best-practices-identity/pod-identities.png) 1. Cluster operator first creates a service account that can be used to map identities when pods request access to services.
-1. The NMI server and MIC are deployed to relay any pod requests for access tokens to Azure AD.
+1. The NMI server is deployed to relay any pod requests, along with the Azure Resource Provider, for access tokens to Azure AD.
1. A developer deploys a pod with a managed identity that requests an access token through the NMI server. 1. The token is returned to the pod and used to access Azure SQL Database > [!NOTE]
-> Managed pod identities is an open source project, and is not supported by Azure technical support.
+> Pod-managed identities is currently in preview status.
-To use pod identities, see [Azure Active Directory identities for Kubernetes applications][aad-pod-identity].
+To use Pod-managed identities, see [Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview)]( https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity).
## Next steps This best practices article focused on authentication and authorization for your cluster and resources. To implement some of these best practices, see the following articles: * [Integrate Azure Active Directory with AKS][aks-aad]
-* [Use managed identities for Azure resources with AKS][aad-pod-identity]
+* [Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview)]( https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity)
For more information about cluster operations in AKS, see the following best practices:
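Review bot: Typo "Azure Resoruce Provider" in the rewritten flow paragraph. The three new links are written as `]( https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity)` with a space after the opening parenthesis, which some Markdown renderers do not treat as a link; use the relative form `](use-azure-ad-pod-identity.md)` like the neighbouring `(manage-azure-rbac.md)` link, and remove the `[aad-pod-identity]` reference definition if nothing else in the file still uses it now that both references are gone. Grammar in the new paragraph: "Pod-managed identities for Azure resources lets you" and "is now currently in preview" both need a pass. The heading "## Use Pod-managed Identities" should keep the sentence case of the surrounding headings ("Use pod-managed identities").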
api-management https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-disaster-recovery-backup-restore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-disaster-recovery-backup-restore.md a/articles/api-management/api-management-howto-disaster-recovery-backup-restore.md
@@ -217,8 +217,8 @@ Restore is a long running operation that may take up to 30 or more minutes to co
## What is not backed up - **Usage data** used for creating analytics reports **isn't included** in the backup. Use [Azure API Management REST API][azure api management rest api] to periodically retrieve analytics reports for safekeeping.-- [Custom domain TLS/SSL](configure-custom-domain.md) certificates-- [Custom CA Certificate](api-management-howto-ca-certificates.md), which include intermediate or root certificates uploaded by customer
+- [Custom domain TLS/SSL](configure-custom-domain.md) certificates.
+- [Custom CA Certificate](api-management-howto-ca-certificates.md), which includes intermediate or root certificates uploaded by the customer.
- [Virtual network](api-management-using-with-vnet.md) integration settings. - [Managed Identity](api-management-howto-use-managed-service-identity.md) configuration. - [Azure Monitor Diagnostic](api-management-howto-use-azure-monitor.md) Configuration.
app-service https://docs.microsoft.com/en-us/azure/app-service/deploy-container-github-action https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-container-github-action.md a/articles/app-service/deploy-container-github-action.md
@@ -12,7 +12,7 @@
# Deploy a custom container to App Service using GitHub Actions
-[GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions) gives you the flexibility to build an automated software development workflow. With the [Azure Web Deploy action](https://github.com/Azure/webapps-deploy), you can automate your workflow to deploy custom containers to [App Service](overview.md) using GitHub Actions.
+[GitHub Actions](https://docs.github.com/en/actions) gives you the flexibility to build an automated software development workflow. With the [Azure Web Deploy action](https://github.com/Azure/webapps-deploy), you can automate your workflow to deploy custom containers to [App Service](overview.md) using GitHub Actions.
A workflow is defined by a YAML (.yml) file in the `/.github/workflows/` path in your repository. This definition contains the various steps and parameters that are in the workflow.
@@ -35,7 +35,7 @@ For an Azure App Service container workflow, the file has three sections:
The recommended way to authenticate with Azure App Services for GitHub Actions is with a publish profile. You can also authenticate with a service principal but the process requires more steps.
-Save your publish profile credential or service principal as a [GitHub secret](https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets) to authenticate with Azure. You'll access the secret within your workflow.
+Save your publish profile credential or service principal as a [GitHub secret](https://docs.github.com/en/actions/reference/encrypted-secrets) to authenticate with Azure. You'll access the secret within your workflow.
# [Publish profile](#tab/publish-profile)
@@ -269,7 +269,7 @@ You can find our set of Actions grouped into different repositories on GitHub, e
- [Docker login/logout](https://github.com/Azure/docker-login) -- [Events that trigger workflows](https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows)
+- [Events that trigger workflows](https://docs.github.com/en/actions/reference/events-that-trigger-workflows)
- [K8s deploy](https://github.com/Azure/k8s-deploy)
app-service https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-github-actions.md a/articles/app-service/deploy-github-actions.md
@@ -12,7 +12,7 @@
# Deploy to App Service using GitHub Actions
-Get started with [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions) to automate your workflow and deploy to [Azure App Service](overview.md) from GitHub.
+Get started with [GitHub Actions](https://docs.github.com/en/actions/learn-github-actions) to automate your workflow and deploy to [Azure App Service](overview.md) from GitHub.
## Prerequisites
@@ -59,7 +59,7 @@ You can also deploy a workflow without using the Deployment Center. To do so, yo
The recommended way to authenticate with Azure App Services for GitHub Actions is with a publish profile. You can also authenticate with a service principal but the process requires more steps.
-Save your publish profile credential or service principal as a [GitHub secret](https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets) to authenticate with Azure. You'll access the secret within your workflow.
+Save your publish profile credential or service principal as a [GitHub secret](https://docs.github.com/en/actions/reference/encrypted-secrets) to authenticate with Azure. You'll access the secret within your workflow.
# [Publish profile](#tab/applevel)
@@ -742,7 +742,7 @@ You can find our set of Actions grouped into different repositories on GitHub, e
- [Docker login/logout](https://github.com/Azure/docker-login) -- [Events that trigger workflows](https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows)
+- [Events that trigger workflows](https://docs.github.com/en/actions/reference/events-that-trigger-workflows)
- [K8s deploy](https://github.com/Azure/k8s-deploy)
app-service https://docs.microsoft.com/en-us/azure/app-service/monitor-instances-health-check https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/monitor-instances-health-check.md new file mode 100644 /dev/null
@@ -0,0 +1,68 @@
+
+ Title: Monitor the health of App Service instances
+description: Learn how to monitor the health of App Service instances using Health check.
+keywords: azure app service, web app, health check, route traffic, healthy instances, path, monitoring,
+++ Last updated : 12/03/2020+++
+# Monitor App Service instances using Health check
+
+![Health check failure][2]
+
+This article uses Health check in the Azure portal to monitor App Service instances. Health check increases your application's availability by removing unhealthy instances. Your [App Service plan](/overview-hosting-plans) should be scaled to two or more instances to use Health check. The Health check path should check critical components of your application. For example, if your application depends on a database and a messaging system, the Health check endpoint should connect to those components. If the application cannot connect to a critical component, then the path should return a 500-level response code to indicate the app is unhealthy.
+
+## What App Service does with Health checks
+
+- When given a path on your app, Health check pings this path on all instances of your App Service app at 1-minute intervals.
+- If an instance doesn't respond with a status code between 200-299 (inclusive) after two or more requests, or fails to respond to the ping, the system determines it's unhealthy and removes it.
+- After removal, Health check continues to ping the unhealthy instance. If it continues to respond unsuccessfully, App Service restarts the underlying VM in an effort to return the instance to a healthy state.
+- If an instance remains unhealthy for one hour, it will be replaced with new instance.
+- Furthermore, when scaling up or out, App Service pings the Health check path to ensure new instances are ready.
+
+> [!NOTE]
+> Health check doesn't follow 302 redirects. At most one instance will be replaced per hour, with a maximum of three instances per day per App Service Plan.
+>
+
+## Enable Health Check
+
+![Health check navigation in Azure Portal][3]
+
+- To enable Health check, browse to the Azure portal and select your App Service app.
+- Under **Monitoring**, select **Health check**.
+- Select **Enable** and provide a valid URL path on your application, such as `/health` or `/api/health`.
+- Click **Save**.
+
+> [!CAUTION]
+> Health check configuration changes restart your app. To minimize impact to production apps, we recommend [configuring staging slots](deploy-staging-slots.md) and swapping to production.
+>
+
+### Configuration
+
+In addition to configuring the Health check options, you can also configure the following [app settings](configure-common.md):
+
+| App setting name | Allowed values | Description |
+|-|-|-|
+|`WEBSITE_HEALTHCHECK_MAXPINGFAILURES` | 2 - 10 | The maximum number of ping failures. For example, when set to `2`, your instances will be removed after `2` failed pings. Furthermore, when you are scaling up or out, App Service pings the Health check path to ensure new instances are ready. |
+|`WEBSITE_HEALTHCHECK_MAXUNHEALTYWORKERPERCENT` | 0 - 100 | To avoid overwhelming healthy instances, no more than half of the instances will be excluded. For example, if an App Service Plan is scaled to four instances and three are unhealthy, at most two will be excluded. The other two instances (one healthy and one unhealthy) will continue to receive requests. In the worst-case scenario where all instances are unhealthy, none will be excluded. To override this behavior, set app setting to a value between `0` and `100`. A higher value means more unhealthy instances will be removed (default is 50). |
+
+#### Authentication and security
+
+Health check integrates with App Service's authentication and authorization features. No additional settings are required if these security features are enabled. However, if you're using your own authentication system, the Health check path must allow anonymous access. If the site is HTTP**S**-Only enabled, the Health check request will be sent via HTTP**S**.
+
+Large enterprise development teams often need to adhere to security requirements for exposed APIs. To secure the Health check endpoint, you should first use features such as [IP restrictions](app-service-ip-restrictions.md#set-an-ip-address-based-rule), [client certificates](app-service-ip-restrictions.md#set-an-ip-address-based-rule), or a Virtual Network to restrict application access. You can secure the Health check endpoint by requiring the `User-Agent` of the incoming request matches `ReadyForRequest/1.0`. The User-Agent can't be spoofed since the request would already secured by prior security features.
+
+## Monitoring
+
+After providing your application's Health check path, you can monitor the health of your site using Azure Monitor. From the **Health check** blade in the Portal, click the **Metrics** in the top toolbar. This will open a new blade where you can see the site's historical health status and create a new alert rule. For more information on monitoring your sites, [see the guide on Azure Monitor](web-sites-monitor.md).
+
+## Next steps
+- [Create an Activity Log Alert to monitor all Autoscale engine operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/monitor-autoscale-alert)
+- [Create an Activity Log Alert to monitor all failed Autoscale scale-in/scale-out operations on your subscription](https://github.com/Azure/azure-quickstart-templates/tree/master/monitor-autoscale-failed-alert)
+
+[1]: ./media/app-service-monitor-instances-health-check/health-check-success-diagram.png
+[2]: ./media/app-service-monitor-instances-health-check/health-check-failure-diagram.png
+[3]: ./media/app-service-monitor-instances-health-check/azure-portal-navigation-health-check.png
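Review bot: The "Authentication and security" paragraph claims "The User-Agent can't be spoofed since the request would already secured by prior security features"; a client-supplied header is always spoofable, so the sentence should instead say that matching the `User-Agent` against `ReadyForRequest/1.0` only distinguishes health-check probes from other callers that have already passed the IP restriction, client certificate or virtual network controls, and that those controls, not the header check, are what protect the endpoint (also "would already secured" should be "would already be secured"). In the same paragraph the "client certificates" link points to the IP-restrictions anchor (app-service-ip-restrictions.md#set-an-ip-address-based-rule) rather than a client-certificate article. In the app settings table, `WEBSITE_HEALTHCHECK_MAXUNHEALTYWORKERPERCENT` looks misspelled ("MAXUNHEALTY" where "MAXUNHEALTHY" is expected); verify it against the actual setting name, since a misspelled app setting is silently ignored and the documented 50% default would then apply unchanged. Minor: "/overview-hosting-plans" is not a valid relative link (compare "deploy-staging-slots.md"), "replaced with new instance" needs "a new instance", the `[1]` image reference is defined but never used, and the front-matter lines above the title look mangled ("+++ Last updated : 12/03/2020+++").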
app-service https://docs.microsoft.com/en-us/azure/app-service/networking/private-endpoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/networking/private-endpoint.md a/articles/app-service/networking/private-endpoint.md
@@ -115,7 +115,7 @@ For pricing details, see [Azure Private Link pricing][pricing].
When you use Azure Function in Elastic Premium Plan with Private Endpoint, to run or execute the function in Azure Web portal, you must have direct network access or you will receive an HTTP 403 error. In other words, your browser must be able to reach the Private Endpoint to execute the function from the Azure Web portal.
-You can connect up to 100 Private Endpoint to a particular Web App.
+You can connect up to 100 Private Endpoints to a particular Web App.
Slots cannot use Private Endpoint.
@@ -148,4 +148,4 @@ We are improving Private Link feature and Private Endpoint regularly, check [thi
[howtoguide3]: ../scripts/powershell-deploy-private-endpoint.md [howtoguide4]: ../scripts/template-deploy-private-endpoint.md [howtoguide5]: https://github.com/Azure/azure-quickstart-templates/tree/master/101-webapp-privateendpoint-vnet-injection
-[howtoguide6]: ../scripts/terraform-secure-backend-frontend.md
\ No newline at end of file
+[howtoguide6]: ../scripts/terraform-secure-backend-frontend.md
app-service https://docs.microsoft.com/en-us/azure/app-service/quickstart-python-1 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-python-1.md a/articles/app-service/quickstart-python-1.md
@@ -12,8 +12,6 @@
In this quickstart, you deploy a Python web app to [App Service on Linux](overview.md#app-service-on-linux), Azure's highly scalable, self-patching web hosting service. You use the local [Azure command-line interface (CLI)](/cli/azure/install-azure-cli) on a Mac, Linux, or Windows computer to deploy a sample with either the Flask or Django frameworks. The web app you configure uses a free App Service tier, so you incur no costs in the course of this article.
-For **definitions of common terms**, see [Azure Terminology In Brief](/azure/developer/python/cloud-azure-terminology?toc=/azure/app-service/toc.json).
- > [!TIP] > If you prefer to deploy apps through an IDE, see **[Deploy Python apps to App Service from Visual Studio Code](/azure/developer/python/tutorial-deploy-app-service-on-linux-01)**.
app-service https://docs.microsoft.com/en-us/azure/app-service/quickstart-python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-python.md a/articles/app-service/quickstart-python.md
@@ -15,8 +15,6 @@ adobe-target-content: ./quickstart-python-1
In this quickstart, you deploy a Python web app to [App Service on Linux](overview.md#app-service-on-linux), Azure's highly scalable, self-patching web hosting service. You use the local [Azure command-line interface (CLI)](/cli/azure/install-azure-cli) on a Mac, Linux, or Windows computer to deploy a sample with either the Flask or Django frameworks. The web app you configure uses a free App Service tier, so you incur no costs in the course of this article.
-For **definitions of common terms**, see [Azure Terminology In Brief](/azure/developer/python/cloud-azure-terminology?toc=/azure/app-service/toc.json).
- > [!TIP] > If you prefer using Visual Studio Code instead, follow our **[Visual Studio Code App Service quickstart](/azure/developer/python/tutorial-deploy-app-service-on-linux-01)**.
attestation https://docs.microsoft.com/en-us/azure/attestation/claim-sets https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/attestation/claim-sets.md a/articles/attestation/claim-sets.md
@@ -51,6 +51,12 @@ Below claims that are defined by the [IETF JWT](https://tools.ietf.org/html/rfc7
Below claims that are defined by the [IETF EAT](https://tools.ietf.org/html/draft-ietf-rats-eat-03#page-9) and used by Azure Attestation in the response object: - **"Nonce claim" (nonce)**
+Below claims are generated by default based on the incoming claims
+- **x-ms-ver**: JWT schema version (expected to be "1.0")
+- **x-ms-attestation-type**: String value representing attestation type
+- **x-ms-policy-hash**: String value containing SHA256 hash of the policy text computed by BASE64URL(SHA256(UTF8(BASE64URL(UTF8(policy text)))))
+- **x-ms-policy-signer**: Contains a JWK with the public key or the certificate chain present in the signed policy header. x-ms-policy-signer is only added if the policy is signed
+ ## Claims specific to SGX enclaves ### Incoming claims specific to SGX attestation
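Review bot: The `x-ms-policy-hash` formula added here, BASE64URL(SHA256(UTF8(BASE64URL(UTF8(policy text))))), wraps the BASE64URL output in an extra UTF8() that the TPM-specific `policy_hash` definition removed later in this file, BASE64URL(SHA256(BASE64URL(UTF8(Policy text)))), did not have; confirm which form is correct so that anyone recomputing the hash to verify a token gets the documented value. Also "Below claims are generated by default based on the incoming claims" should read "The following claims are generated by default based on the incoming claims:" and the blank line before "## Claims specific to SGX enclaves" should be checked, since the heading appears on the same line as the added blank.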
@@ -67,7 +73,6 @@ Below claims are generated by the service for SGX attestation and can be used to
Below claims are generated by the service and included in the response object for SGX attestation: - **x-ms-sgx-is-debuggable**: A Boolean, which indicates whether or not the enclave has debugging enabled or not - **x-ms-sgx-product-id**-- **x-ms-ver** - **x-ms-sgx-mrsigner**: hex encoded value of the ΓÇ£mrsignerΓÇ¥ field of the quote - **x-ms-sgx-mrenclave**: hex encoded value of the ΓÇ£mrenclaveΓÇ¥ field of the quote - **x-ms-sgx-svn**: security version number encoded in the quote
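Review bot: Removing `x-ms-ver` from the SGX list is fine now that it is documented in the new default-claims section, but the surrounding context shows the quotes around "mrsigner" and "mrenclave" rendered as "ΓÇ£mrsignerΓÇ¥", which suggests the file's curly quotes are being mis-decoded somewhere in the pipeline; plain ASCII quotes would avoid that.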
@@ -95,36 +100,39 @@ maa-ehd | x-ms-sgx-ehd
aas-ehd | x-ms-sgx-ehd maa-attestationcollateral | x-ms-sgx-collateral
-## Claims issued specific to Trusted Platform Module (TPM) attestation
-
-### Incoming claims (can also be used as outgoing claims)
--- **aikValidated**: Boolean value containing information if the Attestation Identity Key (AIK) cert has been validated or not.-- **aikPubHash**: String containing the base64(SHA256(AIK public key in DER format)).-- **tpmVersion**: Integer value containing the Trusted Platform Module (TPM) major version.-- **secureBootEnabled**: Boolean value to indicate if secure boot is enabled.-- **iommuEnabled**: Boolean value to indicate if Input-output memory management unit (Iommu) is enabled.-- **bootDebuggingDisabled**: Boolean value to indicate if boot debugging is disabled.-- **notSafeMode**: Boolean value to indicate if the Windows is not running on safe mode.-- **notWinPE**: Boolean value indicating if Windows is not running in WinPE mode.-- **vbsEnabled**: Boolean value indicating if VBS is enabled.-- **vbsReportPresent**: Boolean value indicating if VBS enclave report is available.-- **enclaveAuthorId**: String value containing the Base64Url encoded value of the enclave author id-The author identifier of the primary module for the enclave.-- **enclaveImageId**: String value containing the Base64Url encoded value of the enclave Image id-The image identifier of the primary module for the enclave.-- **enclaveOwnerId**: String value containing the Base64Url encoded value of the enclave Owner id-The identifier of the owner for the enclave.-- **enclaveFamilyId**: String value containing the Base64Url encoded value of the enclave Family ID. The family identifier of the primary module for the enclave.-- **enclaveSvn**: Integer value containing the security version number of the primary module for the enclave.-- **enclavePlatformSvn**: Integer value containing the security version number of the platform that hosts the enclave.-- **enclaveFlags**: The enclaveFlags claim is an Integer value containing Flags that describe the runtime policy for the enclave.
-
-### Outgoing claims specific to TPM attestation
--- **policy_hash**: String value containing SHA256 hash of the policy text computed by BASE64URL(SHA256(BASE64URL(UTF8(Policy text)))).-- **policy_signer**: Contains a JWK with the public key or the certificate chain present in the signed policy header.-- **ver (Version)**: String value containing version of the report. Currently 1.0.-- **cnf (Confirmation) Claim**: The "cnf" claim is used to identify the proof-of-possession key. Confirmation claims as defined in RFC 7800, contains the public part of the attested enclave key represented as a JSON Web Key (JWK) object (RFC 7517).-- **rp_data (relying party data)**: Relying party data, if any, specified in the request, used by the relying party as a nonce to guarantee freshness of the report.-- **"jti" (JWT ID) Claim**: The "jti" (JWT ID) claim provides a unique identifier for the JWT. The identifier value is assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object.
+## Claims specific to Trusted Platform Module (TPM)/ VBS attestation
+
+### Incoming claims for TPM attestation
+
+Claims issued by Azure Attestation for TPM attestation. The availability of the claims is dependent on the evidence provided for attestation.
+
+- **aikValidated**: Boolean value containing information if the Attestation Identity Key (AIK) cert has been validated or not
+- **aikPubHash**: String containing the base64(SHA256(AIK public key in DER format))
+- **tpmVersion**: Integer value containing the Trusted Platform Module (TPM) major version
+- **secureBootEnabled**: Boolean value to indicate if secure boot is enabled
+- **iommuEnabled**: Boolean value to indicate if Input-output memory management unit (Iommu) is enabled
+- **bootDebuggingDisabled**: Boolean value to indicate if boot debugging is disabled
+- **notSafeMode**: Boolean value to indicate if the Windows is not running on safe mode
+- **notWinPE**: Boolean value indicating if Windows is not running in WinPE mode
+- **vbsEnabled**: Boolean value indicating if VBS is enabled
+- **vbsReportPresent**: Boolean value indicating if VBS enclave report is available
+
+### Incoming claims for VBS attestation
+
+Claims issued by Azure Attestation for VBS attestation is in addition to the claims made available for TPM attestation. The availability of the claims is dependent on the evidence provided for attestation.
+
+- **enclaveAuthorId**: String value containing the Base64Url encoded value of the enclave author id-The author identifier of the primary module for the enclave
+- **enclaveImageId**: String value containing the Base64Url encoded value of the enclave Image id-The image identifier of the primary module for the enclave
+- **enclaveOwnerId**: String value containing the Base64Url encoded value of the enclave Owner id-The identifier of the owner for the enclave
+- **enclaveFamilyId**: String value containing the Base64Url encoded value of the enclave Family ID. The family identifier of the primary module for the enclave
+- **enclaveSvn**: Integer value containing the security version number of the primary module for the enclave
+- **enclavePlatformSvn**: Integer value containing the security version number of the platform that hosts the enclave
+- **enclaveFlags**: The enclaveFlags claim is an Integer value containing Flags that describe the runtime policy for the enclave
+
+### Outgoing claims specific to TPM and VBS attestation
+
+- **cnf (Confirmation)**: The "cnf" claim is used to identify the proof-of-possession key. Confirmation claim as defined in RFC 7800, contains the public part of the attested enclave key represented as a JSON Web Key (JWK) object (RFC 7517)
+- **rp_data (relying party data)**: Relying party data, if any, specified in the request, used by the relying party as a nonce to guarantee freshness of the report. rp_data is only added if there is rp_data
### Property claims
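Review bot: The "Incoming claims for TPM attestation" section opens with "Claims issued by Azure Attestation for TPM attestation", but incoming claims are the claims made available to the policy from the submitted evidence, not claims issued by the service; reword to "Claims made available to the policy for TPM attestation" so the sentence does not contradict its heading (same for the VBS section, where "Claims issued by Azure Attestation for VBS attestation is in addition" also needs "are in addition"). "rp_data is only added if there is rp_data" is circular; say "only added if the request included rp_data". Heading spacing: "Trusted Platform Module (TPM)/ VBS attestation" should be "(TPM)/VBS". Finally, the removed outgoing claims `ver`, `jti`, `policy_hash` and `policy_signer` are presumably covered by the new `x-ms-ver`, `x-ms-policy-hash` and `x-ms-policy-signer` entries earlier in the file and by the IETF JWT list; confirm that TPM/VBS tokens actually use the `x-ms-` names now, otherwise relying parties that look for the old names lose them with no mapping.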
attestation https://docs.microsoft.com/en-us/azure/attestation/workflow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/attestation/workflow.md a/articles/attestation/workflow.md
@@ -35,6 +35,18 @@ Here are the general steps in a typical SGX enclave attestation workflow (using
> [!Note] > When you send attestation requests in the [2018-09-01-preview](https://github.com/Azure/azure-rest-api-specs/tree/master/specification/attestation/data-plane/Microsoft.Attestation/stable/2018-09-01-preview) API version, the client needs to send evidence to Azure Attestation along with the Azure AD access token.
+## Trusted Platform Module (TPM) enclave validation work flow
+
+Here are the general steps in a typical TPM enclave attestation workflow (using Azure Attestation):
+
+1. On device/platform boot, various boot loaders and boot services measure events which backed by the TPM and are securely stored (TCG log).
+2. Client collects the TCG logs from the device and TPM quote, which acts the evidence for attestation.
+3. The client has an URI which refers to an instance of Azure Attestation. The client sends evidence to Azure Attestation. Exact information submitted to the provider depends on the platform.
+4. Azure Attestation validates the submitted information and evaluates it against a configured policy. If the verification succeeds, Azure Attestation issues an attestation token and returns it to the client. If this step fails, Azure Attestation reports an error to the client. The communication between the client and attestation service is dictated by the Azure attestation TPM protocol.
+5. The client then sends the attestation token to relying party. The relying party calls public key metadata endpoint of Azure Attestation to retrieve signing certificates. The relying party then verifies the signature of the attestation token and ensures the platforms trustworthiness.
+
+![TPM validation flow](./media/tpm-validation-flow.png)
+ ## Next steps - [How to author and sign an attestation policy](author-sign-policy.md) - [Set up Azure Attestation using PowerShell](quickstart-powershell.md)
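Review bot: step 5 has the relying party verify only the token signature and then "ensures the platforms trustworthiness"; a valid signature proves the token came from Azure Attestation, not that the platform met the relying party's expectations, so the step should also say the relying party checks the claims (and the `rp_data` nonce it supplied) against its own requirements. Grammar in the same hunk: step 1 `measure events which backed by the TPM` is missing `are`; step 2 `acts the evidence` should be `acts as the evidence`; step 5 `platforms trustworthiness` needs the possessive; the heading says `work flow` while the body says `workflow`. Step 4 mentions "the Azure attestation TPM protocol" without a link, whereas the SGX section above links its API version; a link or the protocol's document name would help.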
automation https://docs.microsoft.com/en-us/azure/automation/troubleshoot/update-agent-issues-linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/update-agent-issues-linux.md a/articles/automation/troubleshoot/update-agent-issues-linux.md
@@ -4,7 +4,7 @@ description: This article tells how to troubleshoot and resolve issues with the
Previously updated : 12/03/2019 Last updated : 01/25/2021
@@ -22,7 +22,7 @@ There can be many reasons why your machine isn't showing up as ready (healthy) i
> [!NOTE] > There can be a slight delay between what the Azure portal shows and the current state of a machine.
-This article discusses how to run the troubleshooter for Azure machines from the Azure portal and non-Azure machines in the [offline scenario](#troubleshoot-offline).
+This article discusses how to run the troubleshooter for Azure machines from the Azure portal and non-Azure machines in the [offline scenario](#troubleshoot-offline).
> [!NOTE] > The troubleshooter script currently doesn't route traffic through a proxy server if one is configured.
@@ -85,7 +85,6 @@ Update Management downloads Hybrid Runbook Worker packages from the operations e
This check makes sure the Hybrid Runbook Worker is running on the machine. The processes in the example below should be present if the Hybrid Runbook Worker is running correctly. - ```bash nxautom+ 8567 1 0 14:45 ? 00:00:00 python /opt/microsoft/omsconfig/modules/nxOMSAutomationWorker/DSCResources/MSFT_nxOMSAutomationWorkerResource/automationworker/worker/main.py /var/opt/microsoft/omsagent/state/automationworker/oms.conf rworkspace:<workspaceId> <Linux hybrid worker version> nxautom+ 8593 1 0 14:45 ? 00:00:02 python /opt/microsoft/omsconfig/modules/nxOMSAutomationWorker/DSCResources/MSFT_nxOMSAutomationWorkerResource/automationworker/worker/hybridworker.py /var/opt/microsoft/omsagent/state/automationworker/worker.conf managed rworkspace:<workspaceId> rversion:<Linux hybrid worker version>
@@ -124,7 +123,7 @@ This check verifies that your machine has access to the endpoints needed by the
## <a name="troubleshoot-offline"></a>Troubleshoot offline
-You can use the troubleshooter offline on a Hybrid Runbook Worker by running the script locally. The Python script, [update_mgmt_health_check.py](https://gallery.technet.microsoft.com/scriptcenter/Troubleshooting-utility-3bcbefe6), can be found in Script Center. An example of the output of this script is shown in the following example:
+You can use the troubleshooter offline on a Hybrid Runbook Worker by running the script locally. The Python script, [UM_Linux_Troubleshooter_Offline.py](https://github.com/Azure/updatemanagement/blob/main/UM_Linux_Troubleshooter_Offline.py), can be found in GitHub. An example of the output of this script is shown in the following example:
```output Debug: Machine Information: Static hostname: LinuxVM2
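Review bot: the replacement link points at a raw file on the `main` branch head of `Azure/updatemanagement`, which changes without notice, and the text tells readers to run that script locally on a Hybrid Runbook Worker. Suggest linking a tagged release or commit-pinned URL and adding a sentence that the script should be reviewed before it is run, since the Script Center entry it replaces was at least a versioned package. Minor wording: `can be found in GitHub` reads better as `on GitHub`.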
automation https://docs.microsoft.com/en-us/azure/automation/troubleshoot/update-agent-issues https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/update-agent-issues.md a/articles/automation/troubleshoot/update-agent-issues.md
@@ -4,7 +4,7 @@ description: This article tells how to troubleshoot and resolve issues with the
Previously updated : 01/16/2020 Last updated : 01/25/2020
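Review bot: `Last updated : 01/25/2020` looks like a typo for `01/25/2021`; the Linux troubleshooter article changed in the same batch (same Script Center to GitHub link replacement) carries `01/25/2021`, and the edits in this file are part of that change.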
@@ -22,10 +22,10 @@ There can be many reasons why your machine isn't showing up as ready (healthy) d
> [!NOTE] > There can be a slight delay between what the Azure portal shows and the current state of a machine.
-This article discusses how to run the troubleshooter for Azure machines from the Azure portal, and non-Azure machines in the [offline scenario](#troubleshoot-offline).
+This article discusses how to run the troubleshooter for Azure machines from the Azure portal, and non-Azure machines in the [offline scenario](#troubleshoot-offline).
> [!NOTE]
-> The troubleshooter script now includes checks for Windows Server Update Services (WSUS) and for the autodownload and install keys.
+> The troubleshooter script now includes checks for Windows Server Update Services (WSUS) and for the autodownload and install keys.
## Start the troubleshooter
@@ -105,7 +105,7 @@ The Crypto folder access check determines whether the local system account has a
## <a name="troubleshoot-offline"></a>Troubleshoot offline
-You can use the troubleshooter on a Hybrid Runbook Worker offline by running the script locally. Get the following script from the PowerShell Gallery: [Troubleshoot-WindowsUpdateAgentRegistration](https://www.powershellgallery.com/packages/Troubleshoot-WindowsUpdateAgentRegistration). To run the script, you must have WMF 4.0 or later installed. To download the latest version of PowerShell, see [Installing various versions of PowerShell](/powershell/scripting/install/installing-powershell).
+You can use the troubleshooter on a Hybrid Runbook Worker offline by running the script locally. Get the following script from GitHub: [UM_Windows_Troubleshooter_Offline.ps1](https://github.com/Azure/updatemanagement/blob/main/UM_Windows_Troubleshooter_Offline.ps1). To run the script, you must have WMF 4.0 or later installed. To download the latest version of PowerShell, see [Installing various versions of PowerShell](/powershell/scripting/install/installing-powershell).
The output of this script looks like the following example:
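Review bot: swapping the PowerShell Gallery package for a raw `main`-branch file drops the versioning readers had (Gallery packages can be installed by version and compared by hash), so the instruction to run it on a Hybrid Runbook Worker should point at a tag or commit and say the script is to be inspected first. The sentence `Get the following script from GitHub:` could also name the repository (`Azure/updatemanagement`) so the source is clear without following the link.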
azure-app-configuration https://docs.microsoft.com/en-us/azure/azure-app-configuration/concept-github-action https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/concept-github-action.md a/articles/azure-app-configuration/concept-github-action.md
@@ -15,9 +15,9 @@ Teams that want to continue using their existing source control practices can us
&nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Updating configuration without redeploying your entire app <br> &nbsp;&nbsp;&nbsp;&nbsp;ΓÇó Integration with services like Azure App Service and Functions.
-A GitHub Actions [workflow](https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/introduction-to-github-actions#the-components-of-github-actions) defines an automated process in a GitHub repository. The *Azure App Configuration Sync* Action triggers updates to an App Configuration instance when changes are made to the source repository. It uses a YAML (.yml) file found in the `/.github/workflows/` path of your repository to define the steps and parameters. You can trigger configuration updates when pushing, reviewing, or branching app configuration files just as you do with app code.
+A GitHub Actions [workflow](https://docs.github.com/en/actions/learn-github-actions/introduction-to-github-actions#the-components-of-github-actions) defines an automated process in a GitHub repository. The *Azure App Configuration Sync* Action triggers updates to an App Configuration instance when changes are made to the source repository. It uses a YAML (.yml) file found in the `/.github/workflows/` path of your repository to define the steps and parameters. You can trigger configuration updates when pushing, reviewing, or branching app configuration files just as you do with app code.
-The GitHub [documentation](https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/introduction-to-github-actions) provides in-depth view of GitHub workflows and actions.
+The GitHub [documentation](https://docs.github.com/en/actions/learn-github-actions/introduction-to-github-actions) provides in-depth view of GitHub workflows and actions.
## Enable GitHub Actions in your repository To start using this GitHub action, go to your repository and select the **Actions** tab. Select **New workflow**, then **Set up a workflow yourself**. Finally, search the marketplace for ΓÇ£Azure App Configuration Sync.ΓÇ¥
@@ -30,7 +30,7 @@ To start using this GitHub action, go to your repository and select the **Action
## Sync configuration files after a push This action syncs Azure App Configuration files when a change is pushed to `appsettings.json`. When a developer pushes a change to `appsettings.json`, the App Configuration Sync action updates the App Configuration instance with the new values.
-The first section of this workflow specifies that the action triggers *on* a *push* containing `appsettings.json` to the *main* branch. The second section lists the jobs run once the action is triggered. The action checks out the relevant files and updates the App Configuration instance using the connection string stored as a secret in the repository. For more information about using secrets in GitHub, see [GitHub's article](https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets) about creating and using encrypted secrets.
+The first section of this workflow specifies that the action triggers *on* a *push* containing `appsettings.json` to the *main* branch. The second section lists the jobs run once the action is triggered. The action checks out the relevant files and updates the App Configuration instance using the connection string stored as a secret in the repository. For more information about using secrets in GitHub, see [GitHub's article](https://docs.github.com/en/actions/reference/encrypted-secrets) about creating and using encrypted secrets.
```json on:
@@ -297,7 +297,7 @@ Given a depth of 2, the example above now returns the following key-value pair:
| Object:Inner | {"InnerKey":"InnerValue"} | ## Understand action inputs
-Input parameters specify data used by the action during runtime. The following table contains input parameters accepted by App Configuration Sync and the expected values for each. For more information about action inputs for GitHub Actions, see GitHub's [documentation](https://docs.github.com/en/free-pro-team@latest/actions/creating-actions/metadata-syntax-for-github-actions#inputs).
+Input parameters specify data used by the action during runtime. The following table contains input parameters accepted by App Configuration Sync and the expected values for each. For more information about action inputs for GitHub Actions, see GitHub's [documentation](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#inputs).
> [!Note] > Input IDs are case insensitive.
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/consumption-plan https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/consumption-plan.md a/articles/azure-functions/consumption-plan.md
@@ -12,7 +12,7 @@ When you're using the Consumption plan, instances of the Azure Functions host ar
## Benefits
-The Consumption plan scales automatically, even even during periods of high load. When running functions in a Consumption plan, you're charged for compute resources only when your functions are running. On a Consumption plan, a function execution times out after a configurable period of time.
+The Consumption plan scales automatically, even during periods of high load. When running functions in a Consumption plan, you're charged for compute resources only when your functions are running. On a Consumption plan, a function execution times out after a configurable period of time.
For a comparison of the Consumption plan against the other plan and hosting types, see [function scale and hosting options](functions-scale.md).
@@ -41,4 +41,4 @@ Function apps in the same region can be assigned to the same Consumption plan. T
## Next steps + [Azure Functions hosting options](functions-scale.md)
-+ [Event-driven scaling in Azure Functions](event-driven-scaling.md)
\ No newline at end of file++ [Event-driven scaling in Azure Functions](event-driven-scaling.md)
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/create-first-function-cli-java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/create-first-function-cli-java.md a/articles/azure-functions/create-first-function-cli-java.md
@@ -106,7 +106,7 @@ The response message is generated by the [HttpResponseMessage.Builder](/java/api
Settings for the Azure resources created to host your app are defined in the **configuration** element of the plugin with a **groupId** of `com.microsoft.azure` in the generated pom.xml file. For example, the configuration element below instructs a Maven-based deployment to create a function app in the `java-functions-group` resource group in the `westus` region. The function app itself runs on Windows hosted in the `java-functions-app-service-plan` plan, which by default is a serverless Consumption plan.
-:::code language="java" source="~/azure-functions-samples-java/pom.xml" range="62-102":::
+:::code language="java" source="~/azure-functions-samples-java/pom.xml" range="62-107":::
You can change these settings to control how resources are created in Azure, such as by changing `runtime.os` from `windows` to `linux` before initial deployment. For a complete list of settings supported by the Maven plug-in, see the [configuration details](https://github.com/microsoft/azure-maven-plugins/wiki/Azure-Functions:-Configuration-Details).
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-service-bus-output https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-service-bus-output.md a/articles/azure-functions/functions-bindings-service-bus-output.md
@@ -83,6 +83,41 @@ public static async Task Run(TimerInfo myTimer, ILogger log, IAsyncCollector<str
} ```
+# [Java](#tab/java)
+
+The following example shows a Java function that sends a message to a Service Bus queue `myqueue` when triggered by an HTTP request.
+
+```java
+@FunctionName("httpToServiceBusQueue")
+@ServiceBusQueueOutput(name = "message", queueName = "myqueue", connection = "AzureServiceBusConnection")
+public String pushToQueue(
+ @HttpTrigger(name = "request", methods = {HttpMethod.POST}, authLevel = AuthorizationLevel.ANONYMOUS)
+ final String message,
+ @HttpOutput(name = "response") final OutputBinding<T> result ) {
+ result.setValue(message + " has been sent.");
+ return message;
+ }
+```
+
+ In the [Java functions runtime library](/java/api/overview/azure/functions/runtime), use the `@QueueOutput` annotation on function parameters whose value would be written to a Service Bus queue. The parameter type should be `OutputBinding<T>`, where T is any native Java type of a POJO.
+
+Java functions can also write to a Service Bus topic. The following example uses the `@ServiceBusTopicOutput` annotation to describe the configuration for the output binding.
+
+```java
+@FunctionName("sbtopicsend")
+ public HttpResponseMessage run(
+ @HttpTrigger(name = "req", methods = {HttpMethod.GET, HttpMethod.POST}, authLevel = AuthorizationLevel.ANONYMOUS) HttpRequestMessage<Optional<String>> request,
+ @ServiceBusTopicOutput(name = "message", topicName = "mytopicname", subscriptionName = "mysubscription", connection = "ServiceBusConnection") OutputBinding<String> message,
+ final ExecutionContext context) {
+
+ String name = request.getBody().orElse("Azure Functions");
+
+ message.setValue(name);
+ return request.createResponseBuilder(HttpStatus.OK).body("Hello, " + name).build();
+
+ }
+```
+ # [JavaScript](#tab/javascript) The following example shows a Service Bus output binding in a *function.json* file and a [JavaScript function](functions-reference-node.md) that uses the binding. The function uses a timer trigger to send a queue message every 15 seconds.
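Review bot: the `httpToServiceBusQueue` sample declares `@HttpOutput(name = "response") final OutputBinding<T> result` with `T` unbound on a non-generic method, so it will not compile; it should be `OutputBinding<String>`. The paragraph below it says to use the `@QueueOutput` annotation, but the sample (correctly) uses `@ServiceBusQueueOutput`; `@QueueOutput` is the Storage queue annotation. `any native Java type of a POJO` should read `any native Java type or a POJO`. Since the sample forwards an `AuthorizationLevel.ANONYMOUS` POST body straight onto the queue, a short note that the anonymous auth level is for illustration only would be worth adding. The line starting ` In the [Java functions runtime library]` has a stray leading space.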
@@ -135,6 +170,39 @@ module.exports = function (context, myTimer) {
}; ```
+# [PowerShell](#tab/powershell)
+
+The following example shows a Service Bus output binding in a *function.json* file and a [PowerShell function](functions-reference-powershell.md) that uses the binding.
+
+Here's the binding data in the *function.json* file:
+
+```json
+{
+ "bindings": [
+ {
+ "type": "serviceBus",
+ "direction": "out",
+ "connection": "AzureServiceBusConnectionString",
+ "name": "outputSbMsg",
+ "queueName": "outqueue",
+ "topicName": "outtopic"
+ }
+ ]
+}
+```
+
+Here's the PowerShell that creates a message as the function's output.
+
+```powershell
+param($QueueItem,ΓÇ»$TriggerMetadata)
+
+Push-OutputBinding -Name outputSbMsg -Value @{
+    name = $QueueItem.name
+    employeeId = $QueueItem.employeeId
+    address = $QueueItem.address
+}
+```
+ # [Python](#tab/python) The following example demonstrates how to write out to a Service Bus queue in Python.
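Review bot: the PowerShell *function.json* sets both `queueName` and `topicName` on a single `serviceBus` output binding; a binding targets a queue or a topic, so one of the two should be dropped. The script is `param($QueueItem, $TriggerMetadata)`, i.e. it is itself queue-triggered, but the *function.json* shows only the `out` binding, so the trigger the sample relies on is missing. The `param(...)` line and the hashtable body also contain non-breaking spaces (visible here as `ΓÇ»` and ` `); they should be plain spaces so readers copying the sample do not pick up invisible characters.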
@@ -185,41 +253,6 @@ def main(req: func.HttpRequest, msg: func.Out[str]) -> func.HttpResponse:
return 'OK' ```
-# [Java](#tab/java)
-
-The following example shows a Java function that sends a message to a Service Bus queue `myqueue` when triggered by an HTTP request.
-
-```java
-@FunctionName("httpToServiceBusQueue")
-@ServiceBusQueueOutput(name = "message", queueName = "myqueue", connection = "AzureServiceBusConnection")
-public String pushToQueue(
- @HttpTrigger(name = "request", methods = {HttpMethod.POST}, authLevel = AuthorizationLevel.ANONYMOUS)
- final String message,
- @HttpOutput(name = "response") final OutputBinding<T> result ) {
- result.setValue(message + " has been sent.");
- return message;
- }
-```
-
- In the [Java functions runtime library](/java/api/overview/azure/functions/runtime), use the `@QueueOutput` annotation on function parameters whose value would be written to a Service Bus queue. The parameter type should be `OutputBinding<T>`, where T is any native Java type of a POJO.
-
-Java functions can also write to a Service Bus topic. The following example uses the `@ServiceBusTopicOutput` annotation to describe the configuration for the output binding.
-
-```java
-@FunctionName("sbtopicsend")
- public HttpResponseMessage run(
- @HttpTrigger(name = "req", methods = {HttpMethod.GET, HttpMethod.POST}, authLevel = AuthorizationLevel.ANONYMOUS) HttpRequestMessage<Optional<String>> request,
- @ServiceBusTopicOutput(name = "message", topicName = "mytopicname", subscriptionName = "mysubscription", connection = "ServiceBusConnection") OutputBinding<String> message,
- final ExecutionContext context) {
-
- String name = request.getBody().orElse("Azure Functions");
-
- message.setValue(name);
- return request.createResponseBuilder(HttpStatus.OK).body("Hello, " + name).build();
-
- }
-```
- ## Attributes and annotations
@@ -258,17 +291,21 @@ You can use the `ServiceBusAccount` attribute to specify the Service Bus account
Attributes are not supported by C# Script.
+# [Java](#tab/java)
+
+The `ServiceBusQueueOutput` and `ServiceBusTopicOutput` annotations are available to write a message as a function output. The parameter decorated with these annotations must be declared as an `OutputBinding<T>` where `T` is the type corresponding to the message's type.
+ # [JavaScript](#tab/javascript) Attributes are not supported by JavaScript.
-# [Python](#tab/python)
+# [PowerShell](#tab/powershell)
-Attributes are not supported by Python.
+Attributes are not supported by PowerShell.
-# [Java](#tab/java)
+# [Python](#tab/python)
-The `ServiceBusQueueOutput` and `ServiceBusTopicOutput` annotations are available to write a message as a function output. The parameter decorated with these annotations must be declared as an `OutputBinding<T>` where `T` is the type corresponding to the message's type.
+Attributes are not supported by Python.
@@ -326,15 +363,19 @@ When working with C# functions:
* To access the session ID, bind to a [`Message`](/dotnet/api/microsoft.azure.servicebus.message) type and use the `sessionId` property.
+# [Java](#tab/java)
+
+Use the [Azure Service Bus SDK](../service-bus-messaging/index.yml) rather than the built-in output binding.
+ # [JavaScript](#tab/javascript) Access the queue or topic by using `context.bindings.<name from function.json>`. You can assign a string, a byte array, or a JavaScript object (deserialized into JSON) to `context.binding.<name>`.
-# [Python](#tab/python)
+# [PowerShell](#tab/powershell)
-Use the [Azure Service Bus SDK](../service-bus-messaging/index.yml) rather than the built-in output binding.
+Output to the Service Bus is available via the `Push-OutputBinding` cmdlet where you pass arguments that match the name designated by binding's name parameter in the *function.json* file.
-# [Java](#tab/java)
+# [Python](#tab/python)
Use the [Azure Service Bus SDK](../service-bus-messaging/index.yml) rather than the built-in output binding.
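Review bot: the Java Usage tab says `Use the Azure Service Bus SDK rather than the built-in output binding`, which contradicts the Java Attributes tab added in this same change (`ServiceBusQueueOutput` and `ServiceBusTopicOutput` annotations are available) and both Java examples; the sentence appears to have been copied from the Python tab. Suggest describing `OutputBinding<T>.setValue(...)` here instead. In the PowerShell tab, `binding's name parameter` should be `the binding's name parameter`.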
@@ -384,7 +425,7 @@ If you have `isSessionsEnabled` set to `true`, the `sessionHandlerOptions` will
|||| |prefetchCount|0|Gets or sets the number of messages that the message receiver can simultaneously request.| |maxAutoRenewDuration|00:05:00|The maximum duration within which the message lock will be renewed automatically.|
-|autoComplete|true|Whether the trigger should automatically call complete after processing, or if the function code will manually call complete.<br><br>Setting to `false` is only supported in C#.<br><br>If set to `true`, the trigger completes the message automatically if the function execution completes successfully, and abandons the message otherwise.<br><br>When set to `false`, you are responsible for calling [MessageReceiver](/dotnet/api/microsoft.azure.servicebus.core.messagereceiver?view=azure-dotnet) methods to complete, abandon, or deadletter the message. If an exception is thrown (and none of the `MessageReceiver` methods are called), then the lock remains. Once the lock expires, the message is re-queued with the `DeliveryCount` incremented and the lock is automatically renewed.<br><br>In non-C# functions, exceptions in the function results in the runtime calls `abandonAsync` in the background. If no exception occurs, then `completeAsync` is called in the background. |
+|autoComplete|true|Whether the trigger should automatically call complete after processing, or if the function code will manually call complete.<br><br>Setting to `false` is only supported in C#.<br><br>If set to `true`, the trigger completes the message automatically if the function execution completes successfully, and abandons the message otherwise.<br><br>When set to `false`, you are responsible for calling [MessageReceiver](/dotnet/api/microsoft.azure.servicebus.core.messagereceiver?view=azure-dotnet&preserve-view=true) methods to complete, abandon, or deadletter the message. If an exception is thrown (and none of the `MessageReceiver` methods are called), then the lock remains. Once the lock expires, the message is re-queued with the `DeliveryCount` incremented and the lock is automatically renewed.<br><br>In non-C# functions, exceptions in the function results in the runtime calls `abandonAsync` in the background. If no exception occurs, then `completeAsync` is called in the background. |
|maxConcurrentCalls|16|The maximum number of concurrent calls to the callback that the message pump should initiate per scaled instance. By default, the Functions runtime processes multiple messages concurrently.| |maxConcurrentSessions|2000|The maximum number of sessions that can be handled concurrently per scaled instance.|
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-service-bus-trigger https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-service-bus-trigger.md a/articles/azure-functions/functions-bindings-service-bus-trigger.md
@@ -81,9 +81,42 @@ public static void Run(string myQueueItem,
} ```
+# [Java](#tab/java)
+
+The following Java function uses the `@ServiceBusQueueTrigger` annotation from the [Java functions runtime library](/java/api/overview/azure/functions/runtime) to describe the configuration for a Service Bus queue trigger. The function grabs the message placed on the queue and adds it to the logs.
+
+```java
+@FunctionName("sbprocessor")
+ public void serviceBusProcess(
+ @ServiceBusQueueTrigger(name = "msg",
+ queueName = "myqueuename",
+ connection = "myconnvarname") String message,
+ final ExecutionContext context
+ ) {
+ context.getLogger().info(message);
+ }
+```
+
+Java functions can also be triggered when a message is added to a Service Bus topic. The following example uses the `@ServiceBusTopicTrigger` annotation to describe the trigger configuration.
+
+```java
+@FunctionName("sbtopicprocessor")
+ public void run(
+ @ServiceBusTopicTrigger(
+ name = "message",
+ topicName = "mytopicname",
+ subscriptionName = "mysubscription",
+ connection = "ServiceBusConnection"
+ ) String message,
+ final ExecutionContext context
+ ) {
+ context.getLogger().info(message);
+ }
+```
+ # [JavaScript](#tab/javascript)
-The following example shows a Service Bus trigger binding in a *function.json* file and a [JavaScript function](functions-reference-node.md) that uses the binding. The function reads [message metadata](#message-metadata) and logs a Service Bus queue message.
+The following example shows a Service Bus trigger binding in a *function.json* file and a [JavaScript function](functions-reference-node.md) that uses the binding. The function reads [message metadata](#message-metadata) and logs a Service Bus queue message.
Here's the binding data in the *function.json* file:
@@ -114,6 +147,35 @@ module.exports = function(context, myQueueItem) {
}; ```
+# [PowerShell](#tab/powershell)
+
+The following example shows a Service Bus trigger binding in a *function.json* file and a [PowerShell function](functions-reference-powershell.md) that uses the binding.
+
+Here's the binding data in the *function.json* file:
+
+```json
+{
+ "bindings": [
+ {
+ "name": "mySbMsg",
+ "type": "serviceBusTrigger",
+ "direction": "in",
+ "topicName": "mytopic",
+ "subscriptionName": "mysubscription",
+ "connection": "AzureServiceBusConnectionString"
+ }
+ ]
+}
+```
+
+Here's the function that runs when a Service Bus message is sent.
+
+```powershell
+param([string] $mySbMsg, $TriggerMetadata)
+
+Write-Host "PowerShell ServiceBus queue trigger function processed message: $mySbMsg"
+```
+ # [Python](#tab/python) The following example demonstrates how to read a Service Bus queue message via a trigger.
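Review bot: the PowerShell *function.json* binds a topic subscription (`topicName`/`subscriptionName`), but the script logs `PowerShell ServiceBus queue trigger function processed message`; make the sample consistently a queue trigger or a topic trigger. The lead-in `the function that runs when a Service Bus message is sent` is slightly off: the function runs when a message is received from the subscription.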
@@ -166,39 +228,6 @@ def main(msg: func.ServiceBusMessage):
logging.info(result) ```
-# [Java](#tab/java)
-
-The following Java function uses the `@ServiceBusQueueTrigger` annotation from the [Java functions runtime library](/java/api/overview/azure/functions/runtime) to describe the configuration for a Service Bus queue trigger. The function grabs the message placed on the queue and adds it to the logs.
-
-```java
-@FunctionName("sbprocessor")
- public void serviceBusProcess(
- @ServiceBusQueueTrigger(name = "msg",
- queueName = "myqueuename",
- connection = "myconnvarname") String message,
- final ExecutionContext context
- ) {
- context.getLogger().info(message);
- }
-```
-
-Java functions can also be triggered when a message is added to a Service Bus topic. The following example uses the `@ServiceBusTopicTrigger` annotation to describe the trigger configuration.
-
-```java
-@FunctionName("sbtopicprocessor")
- public void run(
- @ServiceBusTopicTrigger(
- name = "message",
- topicName = "mytopicname",
- subscriptionName = "mysubscription",
- connection = "ServiceBusConnection"
- ) String message,
- final ExecutionContext context
- ) {
- context.getLogger().info(message);
- }
-```
- ## Attributes and annotations
@@ -266,14 +295,6 @@ The Service Bus account to use is determined in the following order:
Attributes are not supported by C# Script.
-# [JavaScript](#tab/javascript)
-
-Attributes are not supported by JavaScript.
-
-# [Python](#tab/python)
-
-Attributes are not supported by Python.
- # [Java](#tab/java) The `ServiceBusQueueTrigger` annotation allows you to create a function that runs when a Service Bus queue message is created. Configuration options available include queue name and connection string name.
@@ -282,6 +303,18 @@ The `ServiceBusTopicTrigger` annotation allows you to designate a topic and subs
See the trigger [example](#example) for more detail.
+# [JavaScript](#tab/javascript)
+
+Attributes are not supported by JavaScript.
+
+# [PowerShell](#tab/powershell)
+
+Attributes are not supported by PowerShell.
+
+# [Python](#tab/python)
+
+Attributes are not supported by Python.
+ ## Configuration
@@ -311,9 +344,9 @@ The following parameter types are available for the queue or topic message:
* `string` - If the message is text. * `byte[]` - Useful for binary data. * A custom type - If the message contains JSON, Azure Functions tries to deserialize the JSON data.
-* `BrokeredMessage` - Gives you the deserialized message with the [BrokeredMessage.GetBody\<T>()](/dotnet/api/microsoft.servicebus.messaging.brokeredmessage.getbody?view=azure-dotnet#Microsoft_ServiceBus_Messaging_BrokeredMessage_GetBody__1)
+* `BrokeredMessage` - Gives you the deserialized message with the [BrokeredMessage.GetBody\<T>()](/dotnet/api/microsoft.servicebus.messaging.brokeredmessage.getbody?view=azure-dotnet#Microsoft_ServiceBus_Messaging_BrokeredMessage_GetBody__1&preserve-view=true)
method.
-* [`MessageReceiver`](/dotnet/api/microsoft.azure.servicebus.core.messagereceiver?view=azure-dotnet) - Used to receive and acknowledge messages from the message container (required when [`autoComplete`](functions-bindings-service-bus-output.md#hostjson-settings) is set to `false`)
+* [`MessageReceiver`](/dotnet/api/microsoft.azure.servicebus.core.messagereceiver?view=azure-dotnet&preserve-view=true) - Used to receive and acknowledge messages from the message container (required when [`autoComplete`](functions-bindings-service-bus-output.md#hostjson-settings) is set to `false`)
These parameter types are for Azure Functions version 1.x; for 2.x and higher, use [`Message`](/dotnet/api/microsoft.azure.servicebus.message) instead of `BrokeredMessage`.
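Review bot: `&preserve-view=true` was appended after the `#Microsoft_ServiceBus_Messaging_BrokeredMessage_GetBody__1` fragment in the `BrokeredMessage.GetBody` link; everything after `#` is the fragment, so the query parameter is never sent and the anchor no longer matches. Move it before the `#`: `...getbody?view=azure-dotnet&preserve-view=true#Microsoft_ServiceBus_Messaging_BrokeredMessage_GetBody__1`. The `MessageReceiver` link on the next line has it in the right place.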
@@ -324,24 +357,28 @@ The following parameter types are available for the queue or topic message:
* `string` - If the message is text. * `byte[]` - Useful for binary data. * A custom type - If the message contains JSON, Azure Functions tries to deserialize the JSON data.
-* `BrokeredMessage` - Gives you the deserialized message with the [BrokeredMessage.GetBody\<T>()](/dotnet/api/microsoft.servicebus.messaging.brokeredmessage.getbody?view=azure-dotnet#Microsoft_ServiceBus_Messaging_BrokeredMessage_GetBody__1)
+* `BrokeredMessage` - Gives you the deserialized message with the [BrokeredMessage.GetBody\<T>()](/dotnet/api/microsoft.servicebus.messaging.brokeredmessage.getbody?view=azure-dotnet#Microsoft_ServiceBus_Messaging_BrokeredMessage_GetBody__1&preserve-view=true)
method. These parameters are for Azure Functions version 1.x; for 2.x and higher, use [`Message`](/dotnet/api/microsoft.azure.servicebus.message) instead of `BrokeredMessage`.
+# [Java](#tab/java)
+
+The incoming Service Bus message is available via a `ServiceBusQueueMessage` or `ServiceBusTopicMessage` parameter.
+
+[See the example for details](#example).
+ # [JavaScript](#tab/javascript) Access the queue or topic message by using `context.bindings.<name from function.json>`. The Service Bus message is passed into the function as either a string or JSON object.
-# [Python](#tab/python)
-
-The queue message is available to the function via a parameter typed as `func.ServiceBusMessage`. The Service Bus message is passed into the function as either a string or JSON object.
+# [PowerShell](#tab/powershell)
-# [Java](#tab/java)
+The Service Bus instance is available via the parameter configured in the *function.json* file's name property.
-The incoming Service Bus message is available via a `ServiceBusQueueMessage` or `ServiceBusTopicMessage` parameter.
+# [Python](#tab/python)
-[See the example for details](#example).
+The queue message is available to the function via a parameter typed as `func.ServiceBusMessage`. The Service Bus message is passed into the function as either a string or JSON object.
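Review bot: the re-added JavaScript tab heading is `+ # [JavaScript](#tab/javascript)` with a space before `#`, whereas the neighbouring `# [Java](#tab/java)`, `# [PowerShell](#tab/powershell)` and `# [Python](#tab/python)` headings start at column 1; drop the leading space so the tab heading is parsed like the others. Separately, the new PowerShell paragraph says "The Service Bus instance is available via the parameter configured in the *function.json* file's name property", while every other tab describes the message; "The Service Bus message is available via ..." matches what the parameter carries.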
@@ -351,13 +388,13 @@ Poison message handling can't be controlled or configured in Azure Functions. Se
## PeekLock behavior
-The Functions runtime receives a message in [PeekLock mode](../service-bus-messaging/service-bus-performance-improvements.md#receive-mode). It calls `Complete` on the message if the function finishes successfully, or calls `Abandon` if the function fails. If the function runs longer than the `PeekLock` timeout, the lock is automatically renewed as long as the function is running.
+The Functions runtime receives a message in [PeekLock mode](../service-bus-messaging/service-bus-performance-improvements.md#receive-mode). It calls `Complete` on the message if the function finishes successfully, or calls `Abandon` if the function fails. If the function runs longer than the `PeekLock` timeout, the lock is automatically renewed as long as the function is running.
-The `maxAutoRenewDuration` is configurable in *host.json*, which maps to [OnMessageOptions.MaxAutoRenewDuration](/dotnet/api/microsoft.azure.servicebus.messagehandleroptions.maxautorenewduration?view=azure-dotnet). The maximum allowed for this setting is 5 minutes according to the Service Bus documentation, whereas you can increase the Functions time limit from the default of 5 minutes to 10 minutes. For Service Bus functions you wouldnΓÇÖt want to do that then, because youΓÇÖd exceed the Service Bus renewal limit.
+The `maxAutoRenewDuration` is configurable in *host.json*, which maps to [OnMessageOptions.MaxAutoRenewDuration](/dotnet/api/microsoft.azure.servicebus.messagehandleroptions.maxautorenewduration?view=azure-dotnet&preserve-view=true). The maximum allowed for this setting is 5 minutes according to the Service Bus documentation, whereas you can increase the Functions time limit from the default of 5 minutes to 10 minutes. For Service Bus functions you wouldnΓÇÖt want to do that then, because youΓÇÖd exceed the Service Bus renewal limit.
## Message metadata
-The Service Bus trigger provides several [metadata properties](./functions-bindings-expressions-patterns.md#trigger-metadata). These properties can be used as part of binding expressions in other bindings or as parameters in your code. These properties are members of the [Message](/dotnet/api/microsoft.azure.servicebus.message?view=azure-dotnet) class.
+The Service Bus trigger provides several [metadata properties](./functions-bindings-expressions-patterns.md#trigger-metadata). These properties can be used as part of binding expressions in other bindings or as parameters in your code. These properties are members of the [Message](/dotnet/api/microsoft.azure.servicebus.message?view=azure-dotnet&preserve-view=true) class.
|Property|Type|Description| |--|-|--|
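Review bot: the `maxAutoRenewDuration` line is touched only to add `&preserve-view=true`, but its link text still reads `OnMessageOptions.MaxAutoRenewDuration` while the target is `microsoft.azure.servicebus.messagehandleroptions.maxautorenewduration`; align the text with the linked type (`MessageHandlerOptions.MaxAutoRenewDuration`) while on the line. The same line shows its apostrophes as `ΓÇÖ` (`wouldnΓÇÖt`, `youΓÇÖd`); if those bytes are in the file rather than an artifact of this view, replace them with plain `'`. The first `-`/`+` pair of the hunk (the PeekLock paragraph) is textually identical, so it is a whitespace-only change; worth confirming it is intended rather than an editor side effect.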
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-how-to-github-actions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-how-to-github-actions.md a/articles/azure-functions/functions-how-to-github-actions.md
@@ -12,7 +12,7 @@
Use [GitHub Actions](https://github.com/features/actions) to define a workflow to automatically build and deploy code to your function app in Azure Functions.
-In GitHub Actions, a [workflow](https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/introduction-to-github-actions#the-components-of-github-actions) is an automated process that you define in your GitHub repository. This process tells GitHub how to build and deploy your function app project on GitHub.
+In GitHub Actions, a [workflow](https://docs.github.com/en/actions/learn-github-actions/introduction-to-github-actions#the-components-of-github-actions) is an automated process that you define in your GitHub repository. This process tells GitHub how to build and deploy your function app project on GitHub.
A workflow is defined by a YAML (.yml) file in the `/.github/workflows/` path in your repository. This definition contains the various steps and parameters that make up the workflow.
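Review bot: only the `free-pro-team@latest` segment changes here, but the sentence it sits in still ends "build and deploy your function app project on GitHub", which contradicts the line above ("deploy code to your function app in Azure Functions"); "build your project on GitHub and deploy it to your function app" says what actually happens. Also confirm that the `#the-components-of-github-actions` anchor still resolves at the unversioned `docs.github.com/en/actions/...` path.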
@@ -35,7 +35,7 @@ For an Azure Functions workflow, the file has three sections:
The recommended way to authenticate with Azure Functions for GitHub Actions is by using a publish profile. You can also authenticate with a service principal. To learn more, see [this GitHub Actions repository](https://github.com/Azure/functions-action).
-After saving your publish profile credential as a [GitHub secret](https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets), you'll use this secret within your workflow to authenticate with Azure.
+After saving your publish profile credential as a [GitHub secret](https://docs.github.com/en/actions/reference/encrypted-secrets), you'll use this secret within your workflow to authenticate with Azure.
#### Download your publish profile
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/python-scale-performance-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/python-scale-performance-reference.md a/articles/azure-functions/python-scale-performance-reference.md
@@ -16,10 +16,10 @@ By default, Azure Functions automatically monitors the load on your application
The default configurations are suitable for most of Azure Functions applications. However, you can improve the performance of your applications' throughput by employing configurations based on your workload profile. The first step is to understand the type of workload that you are running.
-|| I/O-bound workload | CPU-bound workload |
-|--| -- | -- |
-|Function app characteristics| <ul><li>App needs to handle many concurrent invocations.</li> <li> App processes a large number of I/O events, such as network calls and disk read/writes.</li> </ul>| <ul><li>App does long-running computations, such as image resizing.</li> <li>App does data transformation.</li> </ul> |
-|Examples| <ul><li>Web APIs</li><ul> | <ul><li>Data processing</li><li> Machine learning inference</li><ul>|
+| Workload type | Function app characteristics | Examples |
+| - | - | - |
+| **I/O-bound** | ΓÇó App needs to handle many concurrent invocations.<br>ΓÇó App processes a large number of I/O events, such as network calls and disk read/writes. | ΓÇó Web APIs |
+| **CPU-bound** | ΓÇó App does long-running computations, such as image resizing.<br>ΓÇó App does data transformation. | ΓÇó Data processing<br>ΓÇó Machine learning inference<br> |
As real world function workloads are usually a mix of I/O and CPU bound, you should profile the app under realistic production loads.
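Review bot: the bullets inside the rebuilt table cells appear as `ΓÇó` (a mis-decoded `•`); if the file really contains the raw bullet character, prefer an ASCII marker or the `<ul><li>` lists the removed rows used, so the cells render identically regardless of encoding. The CPU-bound **Examples** cell also ends with a dangling `<br>` after "Machine learning inference", which leaves an empty line in the cell; drop it. Otherwise the transposed layout (one row per workload type) is easier to read than the original two-column form.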
azure-government https://docs.microsoft.com/en-us/azure/azure-government/compliance/azure-services-in-fedramp-auditscope https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/compliance/azure-services-in-fedramp-auditscope.md a/articles/azure-government/compliance/azure-services-in-fedramp-auditscope.md
@@ -3,7 +3,7 @@ Title: Azure Services in FedRAMP and DoD SRG Audit Scope
description: This article contains tables for Azure Public and Azure Government that illustrate what FedRAMP (Moderate vs. High) and DoD SRG (Impact level 2, 4, 5 or 6) audit scope a given service has reached. Previously updated : 01/13/2021 Last updated : 01/25/2021
@@ -26,11 +26,13 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
* Planned 2021 = indicates the service will be reviewed by 3PAO and JAB in 2021. Once the service is authorized, status will be updated ## Azure public services by audit scope
-| _Last Updated: November 2020_ |
+| _Last Updated: January 2021_ |
| Azure Service| DoD CC SRG IL 2 | FedRAMP Moderate | FedRAMP High | Planned 2021 | | |::|:-:|::|::|
+| [AI Builder](https://docs.microsoft.com/ai-builder/overview) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [API Management](https://azure.microsoft.com/services/api-management/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Application Change Analysis](https://docs.microsoft.com/azure/azure-monitor/app/change-analysis) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Application Gateway](https://azure.microsoft.com/services/application-gateway/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Automation](https://azure.microsoft.com/services/automation/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Active Directory (Free and Basic)](https://azure.microsoft.com/services/active-directory/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
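Review bot: the two added rows (AI Builder, Application Change Analysis) use absolute `https://docs.microsoft.com/...` URLs, while this table links docs pages relatively elsewhere (`[Azure Bot Service](/azure/bot-service/)`, `../../governance/resource-graph/overview.md`); use the same relative form so the links follow locale and host redirects like the rest of the table. Alphabetical placement of both rows is correct.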
@@ -43,7 +45,9 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Azure Analysis Services](https://azure.microsoft.com/services/analysis-services/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure App Configuration](https://azure.microsoft.com/services/app-configuration/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure API for FHIR](https://azure.microsoft.com/services/azure-api-for-fhir/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Azure Arc enabled Servers](https://docs.microsoft.com/azure/azure-arc/servers/overview) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Azure Blueprints](https://azure.microsoft.com/services/blueprints/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Azure Bot Service](/azure/bot-service/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Archive Storage](https://azure.microsoft.com/services/storage/archive/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Cosmos DB](https://azure.microsoft.com/services/cosmos-db/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
@@ -67,7 +71,6 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Azure File Sync](https://azure.microsoft.com/services/storage/files/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Front Door](https://azure.microsoft.com/services/frontdoor/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
-| [Azure Healthcare Bot](https://www.microsoft.com/research/project/health-bot/) | | | | :heavy_check_mark: |
| [Azure HPC Cache](https://azure.microsoft.com/services/hpc-cache/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Intune](/intune/what-is-intune) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
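Review bot: this drops the "Azure Healthcare Bot" row (Planned 2021 only) with no replacement in this hunk; a "Microsoft Health Bot" row with all three scope columns checked is added further down in the same change, so the commit message should state that this is the same service renamed and now authorized, not a removal from scope.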
@@ -76,6 +79,8 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Azure Kubernetes Service (AKS)](https://azure.microsoft.com/services/kubernetes-service/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Lab Services](https://azure.microsoft.com/services/lab-services/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Azure Machine Learning Services](https://azure.microsoft.com/services/machine-learning-service/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Azure Machine Learning studio](https://azure.microsoft.com/services/machine-learning-studio/) | | | | :heavy_check_mark: |
| [Azure Managed Applications](https://azure.microsoft.com/services/managed-applications/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Marketplace Portal](https://azuremarketplace.microsoft.com/en-us) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Maps](https://azure.microsoft.com/services/azure-maps/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
@@ -85,6 +90,7 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Azure Open Datasets](https://azure.microsoft.com/services/open-datasets/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Policy](https://azure.microsoft.com/services/azure-policy/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Private Link](https://azure.microsoft.com/services/private-link/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Azure Public IP](https://docs.microsoft.com/azure/virtual-network/public-ip-addresses) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Azure RedHat OpenShift](https://azure.microsoft.com/services/openshift/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Resource Graph](../../governance/resource-graph/overview.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Resource Manager](https://azure.microsoft.com/features/resource-manager/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
@@ -94,6 +100,7 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure SignalR Service](https://azure.microsoft.com/services/signalr-service/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Site Recovery](https://azure.microsoft.com/services/site-recovery/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Azure Sphere](https://azure.microsoft.com/services/azure-sphere/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Backup](https://azure.microsoft.com/services/backup/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Batch](https://azure.microsoft.com/services/batch/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Cloud Shell](https://azure.microsoft.com/features/cloud-shell/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
@@ -102,6 +109,7 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Cognitive | [Cognitive | [Cognitive
+| [Cognitive
| [Cognitive | [Cognitive Services Personalizer](https://azure.microsoft.com/services/cognitive-services/personalizer/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Cognitive
@@ -117,10 +125,11 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Data Catalog](https://azure.microsoft.com/services/data-catalog/) | | | | :heavy_check_mark: | | [Data Factory](https://azure.microsoft.com/services/data-factory/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [D365 Integrator App](/power-platform/admin/data-integrator) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Dynamics 365 Commerce](https://dynamics.microsoft.com/commerce/overview/)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Dynamics 365 Customer Service](https://dynamics.microsoft.com/customer-service/overview/)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Dynamics 365 Field Service](https://dynamics.microsoft.com/field-service/overview/)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Dynamics 365 Finance](https://dynamics.microsoft.com/finance/overview/)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
-| [Dynamics 365 Commerce](https://dynamics.microsoft.com/commerce/overview/)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Dynamics 365 Guides](https://docs.microsoft.com/dynamics365/mixed-reality/guides/get-started)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Dynamics 365 Supply Chain](https://dynamics.microsoft.com/supply-chain-management/overview/)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Dynamics 365 Service Omni-Channel Engagement Hub](/dynamics365/omnichannel/introduction-omnichannel) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Dynamics 365 Customer Engagement (Common Data Service)](/powerapps/maker/common-data-service/data-platform-intro) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
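Review bot: moving Dynamics 365 Commerce above Customer Service and inserting Guides after Finance restores alphabetical order for those rows, but the context rows just below ("Dynamics 365 Service Omni-Channel Engagement Hub" and "Dynamics 365 Customer Engagement (Common Data Service)" after Supply Chain) are still out of order; since this hunk is already reordering the Dynamics block, move those two as well.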
@@ -129,8 +138,8 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Event Hubs](https://azure.microsoft.com/services/event-hubs/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [ExpressRoute](https://azure.microsoft.com/services/expressroute/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Flow](/flow/getting-started) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
-| [Form Recognizer](https://azure.microsoft.com/services/cognitive-services/form-recognizer/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Functions](https://azure.microsoft.com/services/functions/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Guest Configuration](../../governance/policy/concepts/guest-configuration.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [HDInsight](https://azure.microsoft.com/services/hdinsight/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Import / Export](https://azure.microsoft.com/services/storage/import-export/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
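Review bot: deleting the Form Recognizer row removes an in-scope service from the public table with no visible replacement; if it was relocated under the Cognitive Services block (the added `| [Cognitive` row earlier in this change is cut off in this view), say so in the commit message, otherwise the deletion needs a justification because it changes the stated audit scope. The GitHub AE row is correctly placed between Functions and Guest Configuration.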
@@ -140,21 +149,23 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Load Balancer](https://azure.microsoft.com/services/load-balancer/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Log Analytics](../../azure-monitor/platform/data-platform-logs.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Logic Apps](https://azure.microsoft.com/services/logic-apps/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
-| [Azure Machine Learning Services](https://azure.microsoft.com/services/machine-learning-service/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
-| [Azure Machine Learning studio](https://azure.microsoft.com/services/machine-learning-studio/) | | | | :heavy_check_mark: |
| [Media Services](https://azure.microsoft.com/services/media-services/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Microsoft Azure Attestation](https://azure.microsoft.com/services/azure-attestation/)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Microsoft Azure portal](https://azure.microsoft.com/features/azure-portal/)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Microsoft Azure Peering Service](../../peering-service/about.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Microsoft Graph](https://developer.microsoft.com/en-us/graph) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Microsoft Health Bot](https://docs.microsoft.com/healthbot/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Microsoft Managed Desktop](https://www.microsoft.com/en-us/microsoft-365/modern-desktop/enterprise/microsoft-managed-desktop) | | | | | | [Microsoft PowerApps](/powerapps/powerapps-overview) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Microsoft Stream](/stream/overview) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Network Watcher](https://azure.microsoft.com/services/network-watcher/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Network Watcher Traffic Analytics](../../network-watcher/traffic-analytics.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Notification Hubs](https://azure.microsoft.com/services/notification-hubs/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Power BI Embedded](https://azure.microsoft.com/services/power-bi-embedded/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Power Virtual Agents](https://docs.microsoft.com/power-virtual-agents/fundamentals-what-is-power-virtual-agents) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Redis Cache](https://azure.microsoft.com/services/cache/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Scheduler](../../scheduler/scheduler-intro.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Security Center](https://azure.microsoft.com/services/security-center/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
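Review bot: the new "Microsoft Health Bot" row is checked for all three scope columns, whereas the "Azure Healthcare Bot" row removed earlier in this change was only "Planned 2021"; that is a status change on top of a rename, and the commit should name the authorization that covers it. The four added rows also use absolute `https://docs.microsoft.com/...` links where the table otherwise uses relative paths (`/cloud-app-security/what-is-cloud-app-security`, `../../active-directory/authentication/concept-mfa-howitworks.md`). The two `-` lines for the Machine Learning rows are a relocation matching the addition further up, not a removal.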
@@ -175,9 +186,13 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Virtual Machine Scale Sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Virtual Machines (incl. Reserved Instances)](https://azure.microsoft.com/services/virtual-machines/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Virtual Network](https://azure.microsoft.com/services/virtual-network/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Virtual Network NAT](https://docs.microsoft.com/azure/virtual-network/nat-overview) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Virtual WAN](https://azure.microsoft.com/services/virtual-wan/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Visual Studio Codespaces](https://azure.microsoft.com/services/visual-studio-online/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Web Apps (App Service)](https://azure.microsoft.com/services/app-service/web/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Web Application Firewall)](https://azure.microsoft.com/services/web-application-firewall/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Windows 10 IoT Core Services](https://azure.microsoft.com/services/windows-10-iot-core/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
| [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | **&ast;** FedRAMP high certification covers Datacenter Infrastructure Services & Databox Pod and Disk Service which are the online software components supporting Data Box hardware appliance.
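Review bot: the link text in the added row `[Web Application Firewall)](https://azure.microsoft.com/services/web-application-firewall/)` has a stray `)` before the closing bracket; it should read `[Web Application Firewall](...)`. The other three additions (Virtual Network NAT, Visual Studio Codespaces, Windows 10 IoT Core Services) are in the correct alphabetical positions.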
@@ -192,12 +207,12 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Automation](https://azure.microsoft.com/services/automation/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure Active Directory (Free and Basic)](https://azure.microsoft.com/services/active-directory/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Azure Active Directory (Premium P1 + P2)](https://azure.microsoft.com/services/active-directory/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Active Directory Domain Services](https://azure.microsoft.com/services/active-directory-ds/) | :heavy_check_mark: | | | | :heavy_check_mark: |
+| [Azure Active Directory Domain Services](https://azure.microsoft.com/services/active-directory-ds/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
| [Azure Advanced Threat Protection](https://azure.microsoft.com/features/azure-advanced-threat-protection/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure Advisor](https://azure.microsoft.com/services/advisor/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure Analysis Services](https://azure.microsoft.com/services/analysis-services/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure API for FHIR](https://azure.microsoft.com/services/azure-api-for-fhir/) | :heavy_check_mark: | | | | :heavy_check_mark:
-| [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) | :heavy_check_mark: | | | | :heavy_check_mark:
+| [Azure API for FHIR](https://azure.microsoft.com/services/azure-api-for-fhir/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
+| [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
| [Azure Blueprints](https://azure.microsoft.com/services/blueprints/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure Bot Service](/azure/bot-service/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure Archive Storage](https://azure.microsoft.com/services/storage/archive/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
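Review bot: the three rewritten rows (Azure Active Directory Domain Services, Azure API for FHIR, Azure Bastion) add check marks in the second and third columns, and the FHIR and Bastion rows also gain the trailing `|` the old lines lacked; because the diff mixes a row-terminator fix with an authorization status change, the commit message should name the authorization that moved these services beyond the first column so the scope change can be reviewed separately from the formatting fix.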
@@ -207,44 +222,45 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Azure Cloud Shell](https://azure.microsoft.com/features/cloud-shell/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure Cognitive Search](https://azure.microsoft.com/services/search/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure Stack Edge (Data Box Edge)](https://azure.microsoft.com/services/databox/edge/)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
-| [Azure Data Box](https://azure.microsoft.com/services/databox/) | :heavy_check_mark: | | | | :heavy_check_mark: |
+| [Azure Data Box](https://azure.microsoft.com/services/databox/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
| [Azure Data Factory](https://azure.microsoft.com/services/data-factory/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure Data Explorer](https://azure.microsoft.com/services/data-explorer/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: | | [Azure Database Migration Service](https://azure.microsoft.com/services/database-migration/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
-| [Azure Data Share](https://azure.microsoft.com/services/data-share/) | :heavy_check_mark: | | | | :heavy_check_mark: |
-| [Azure Databricks](https://azure.microsoft.com/services/databricks/)| :heavy_check_mark: | | | | :heavy_check_mark: |
+| [Azure Data Share](https://azure.microsoft.com/services/data-share/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
+| [Azure Databricks](https://azure.microsoft.com/services/databricks/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
| [Azure DB for MySQL](https://azure.microsoft.com/services/mysql/)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Azure DB for PostgreSQL](https://azure.microsoft.com/services/postgresql/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Azure DB for MariaDB](https://azure.microsoft.com/services/mariadb/) | :heavy_check_mark: | :heavy_check_mark: | | | :heavy_check_mark: |
-| [Azure DDoS Protection](https://azure.microsoft.com/services/ddos-protection/)| :heavy_check_mark: | | | | :heavy_check_mark: |
+| [Azure DDoS Protection](https://azure.microsoft.com/services/ddos-protection/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
| [Azure Dedicated HSM](https://azure.microsoft.com/services/azure-dedicated-hsm/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure DevTest Labs](https://azure.microsoft.com/services/devtest-lab/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure DNS](https://azure.microsoft.com/services/dns/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Event Grid](https://azure.microsoft.com/services/event-grid/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
+| [Azure Event Grid](https://azure.microsoft.com/services/event-grid/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [Azure File Sync](https://azure.microsoft.com/services/storage/files/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
-| [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
+| [Azure Firewall](https://azure.microsoft.com/services/azure-firewall/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [Azure Front Door](https://azure.microsoft.com/services/frontdoor/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure HPC Cache](https://azure.microsoft.com/services/hpc-cache/) | :heavy_check_mark: | | | | :heavy_check_mark: |
-| [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) | :heavy_check_mark: | :heavy_check_mark: | | | :heavy_check_mark: |
-| [Azure Intune](/intune/what-is-intune) | :heavy_check_mark: | :heavy_check_mark: | | | :heavy_check_mark: |
+| [Azure HPC Cache](https://azure.microsoft.com/services/hpc-cache/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
+| [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
+| [Azure Intune](/intune/what-is-intune) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
| [Azure IoT Security](https://azure.microsoft.com/overview/iot/security/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure Kubernetes Service (AKS)](https://azure.microsoft.com/services/kubernetes-service/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure Lighthouse](https://azure.microsoft.com/services/azure-lighthouse/)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure Lab Services](https://azure.microsoft.com/services/lab-services/) | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Managed Applications](https://azure.microsoft.com/services/managed-applications/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
+| [Azure Managed Applications](https://azure.microsoft.com/services/managed-applications/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [Azure Maps](https://azure.microsoft.com/services/azure-maps/)| :heavy_check_mark: | :heavy_check_mark: | | | :heavy_check_mark: | | [Azure Migrate](https://azure.microsoft.com/services/azure-migrate/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure Monitor](https://azure.microsoft.com/services/monitor/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure NetApp Files](https://azure.microsoft.com/services/netapp/) | :heavy_check_mark: | | | | :heavy_check_mark: |
+| [Azure NetApp Files](https://azure.microsoft.com/services/netapp/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
| [Azure Policy](https://azure.microsoft.com/services/azure-policy/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
-| [Azure Private Link](https://azure.microsoft.com/services/private-link/)| :heavy_check_mark: | | | | :heavy_check_mark: |
+| [Azure Private Link](https://azure.microsoft.com/services/private-link/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
+| [Azure Public IP](https://docs.microsoft.com/azure/virtual-network/public-ip-addresses) | :heavy_check_mark: | | | | :heavy_check_mark: |
| [Azure Resource Manager](https://azure.microsoft.com/features/resource-manager/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Azure Resource Graph](../../governance/resource-graph/overview.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Azure Security Center](https://azure.microsoft.com/services/security-center/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
-| [Azure Service Health](https://azure.microsoft.com/features/service-health/) | :heavy_check_mark: | | | | :heavy_check_mark: |
+| [Azure Service Health](https://azure.microsoft.com/features/service-health/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
| [Azure Service Manager (RDFE)](/previous-versions/azure/ee460799(v=azure.100)) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure SignalR Service](https://azure.microsoft.com/services/signalr-service/) | :heavy_check_mark: | | | | :heavy_check_mark: |
+| [Azure SignalR Service](https://azure.microsoft.com/services/signalr-service/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
| [Azure Site Recovery](https://azure.microsoft.com/services/site-recovery/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Azure Stack Hub](/azure-stack/operator/azure-stack-overview?view=azs-2002)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Backup](https://azure.microsoft.com/services/backup/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
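Review bot: the new Azure Public IP row links with an absolute `https://docs.microsoft.com/azure/...` URL, whereas the other docs-internal links in this table use relative paths (for example `../../governance/resource-graph/overview.md` on the Azure Resource Graph row); use a relative link so it resolves across docs locales and environments. Also note that the Azure DNS, Azure Resource Manager, Azure Service Manager (RDFE) and Backup rows carry six check-mark cells while the rest carry five, so the five-cell rows are silently omitting the last column; confirm that the rows bumped in this change are meant to leave that column empty.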
@@ -253,29 +269,32 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Cognitive | [Cognitive | [Cognitive
+| [Cognitive
| [Cognitive | [Cognitive | [Cognitive | [Cognitive
-| [Cognitive
-| [Cognitive Services Personalizer](https://azure.microsoft.com/services/cognitive-services/personalizer/) | :heavy_check_mark: | | | | :heavy_check_mark: |
-| [Cognitive
+| [Cognitive
+| [Cognitive Services Personalizer](https://azure.microsoft.com/services/cognitive-services/personalizer/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
+| [Cognitive
| [Container Instances](https://azure.microsoft.com/services/container-instances/)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
-| [Content Delivery Network](https://azure.microsoft.com/services/cdn/)| :heavy_check_mark: | | | | :heavy_check_mark: |
+| [Content Delivery Network](https://azure.microsoft.com/services/cdn/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
| [Customer Lockbox](../../security/fundamentals/customer-lockbox-overview.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [D365 Integrator App](/power-platform/admin/data-integrator) | :heavy_check_mark: | :heavy_check_mark: | | | :heavy_check_mark: | | [Dynamics 365 Service Omni-Channel Engagement Hub](/dynamics365/omnichannel/introduction-omnichannel) | :heavy_check_mark: | :heavy_check_mark: | | | :heavy_check_mark: | | [Dynamics 365 Forms Pro](/forms-pro/get-started) | :heavy_check_mark: | :heavy_check_mark: | | | :heavy_check_mark: |
-| [Dynamics 365 Customer Insights](/dynamics365/ai/customer-insights/overview)| :heavy_check_mark: | | | | :heavy_check_mark: |
-| [Dynamics 365 Customer Engagement (Common Data Service)](/dynamics365/customerengagement/on-premises/overview) | :heavy_check_mark: | :heavy_check_mark: | | | :heavy_check_mark: |
+| [Dynamics 365 Customer Insights](/dynamics365/ai/customer-insights/overview) | :heavy_check_mark: | :heavy_check_mark: | | | :heavy_check_mark: |
+| [Dynamics 365 Customer Engagement (Common Data Service)](/dynamics365/customerengagement/on-premises/overview) | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: |
| [Dynamics 365 Customer Service](/dynamics365/customer-service/overview) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Dynamics 365 Field Service](/dynamics365/field-service/overview) | :heavy_check_mark: | :heavy_check_mark: | | | :heavy_check_mark: | | [Dynamics 365 Project Service Automation](/dynamics365/project-service/overview) | :heavy_check_mark: | :heavy_check_mark: | | | :heavy_check_mark: | | [Dynamics 365 Sales](/dynamics365/sales-enterprise/overview) | :heavy_check_mark: | :heavy_check_mark: | | | :heavy_check_mark: | | [Event Hubs](https://azure.microsoft.com/services/event-hubs/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| [Export to Data Lake service](https://docs.microsoft.com/powerapps/maker/data-platform/export-to-data-lake) | :heavy_check_mark: | | | | :heavy_check_mark: |
| [ExpressRoute](https://azure.microsoft.com/services/expressroute/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Power Automate](/flow/getting-started) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
+| [Power Automate](/flow/getting-started) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [Functions](https://azure.microsoft.com/services/functions/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
+| [GitHub AE](https://docs.github.com/en/github-ae@latest/admin/overview/about-github-ae) | :heavy_check_mark: | | | | :heavy_check_mark: |
| [Guest Configuration](../../governance/policy/concepts/guest-configuration.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [HDInsight](https://azure.microsoft.com/services/hdinsight/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Import / Export](https://azure.microsoft.com/services/storage/import-export/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
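Review bot: the Export to Data Lake service row uses an absolute `https://docs.microsoft.com/powerapps/...` link where the neighbouring Power Automate and PowerApps rows use root-relative paths (`/flow/getting-started`, `/powerapps/powerapps-overview`); write it as `/powerapps/maker/data-platform/export-to-data-lake` for consistency. Also, Power Automate is still sorted between ExpressRoute and Functions (its old "Flow" position); since the row is touched here, move it to its alphabetical place.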
@@ -283,22 +302,22 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Key Vault](https://azure.microsoft.com/services/key-vault/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Load Balancer](https://azure.microsoft.com/services/load-balancer/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Log Analytics](../../azure-monitor/platform/data-platform-logs.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
-| [Logic Apps](https://azure.microsoft.com/services/logic-apps/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: |
+| [Logic Apps](https://azure.microsoft.com/services/logic-apps/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [Machine Learning Services](https://azure.microsoft.com/services/machine-learning-service/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Media Services](https://azure.microsoft.com/services/media-services/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Microsoft Azure Peering Service](../../peering-service/about.md) | :heavy_check_mark: | | | | :heavy_check_mark: |
+| [Microsoft Azure Peering Service](../../peering-service/about.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
| [Microsoft Azure portal](https://azure.microsoft.com/features/azure-portal/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security)| :heavy_check_mark: | :heavy_check_mark: | | | :heavy_check_mark: |
+| [Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
| [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Microsoft Graph](/graph/overview) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Microsoft PowerApps](/powerapps/powerapps-overview) | :heavy_check_mark: | :heavy_check_mark: | | | :heavy_check_mark: |
+| [Microsoft PowerApps](/powerapps/powerapps-overview) | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: |
| [Microsoft Stream](/stream/overview) | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: | | [Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: | | [Network Watcher](https://azure.microsoft.com/services/network-watcher/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Network Watcher(Traffic Analytics)](../../network-watcher/traffic-analytics.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Notification Hubs](https://azure.microsoft.com/services/notification-hubs/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | | [Power BI](https://powerbi.microsoft.com/) | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: |
-| [Power BI Embedded](https://azure.microsoft.com/services/power-bi-embedded/) | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: |
+| [Power BI Embedded](https://azure.microsoft.com/services/power-bi-embedded/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
| [Redis Cache](https://azure.microsoft.com/services/cache/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Scheduler](../../scheduler/scheduler-intro.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Service Bus](https://azure.microsoft.com/services/service-bus/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
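Review bot: the Microsoft Cloud App Security `+` line still has no space between the link and the first `|` (`...what-is-cloud-app-security)|`), while this same change normalizes that spacing on other rows (Azure DDoS Protection, Azure Private Link, Content Delivery Network); fix it here too so the table source is consistent.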
@@ -317,12 +336,12 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Virtual Machine Scale Sets](https://azure.microsoft.com/services/virtual-machine-scale-sets/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Virtual Network](https://azure.microsoft.com/services/virtual-network/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual Network NAT](../../virtual-network/nat-overview.md) | :heavy_check_mark: | | | | :heavy_check_mark: |
+| [Virtual Network NAT](../../virtual-network/nat-overview.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
| [Virtual WAN](https://azure.microsoft.com/services/virtual-wan/) | :heavy_check_mark: | | | | :heavy_check_mark: | :heavy_check_mark: | [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | [Web Apps (App Service)](https://azure.microsoft.com/services/app-service/web/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Web Application Firewall)](https://azure.microsoft.com/services/web-application-firewall/) | :heavy_check_mark: | | | | :heavy_check_mark: |
-| [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/) | :heavy_check_mark: | | | | :heavy_check_mark: |
+| [Web Application Firewall)](https://azure.microsoft.com/services/web-application-firewall/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
+| [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | :heavy_check_mark: |
**&ast;** DoD CC SRG IL5 (Azure Gov) column shows DoD CC SRG IL5 certification status of services in Azure Government. For details, please refer to [Azure Government Isolation Guidelines for Impact Level 5](../documentation-government-impact-level-5.md)
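Review bot: the stray closing parenthesis in the link text `[Web Application Firewall)]` is carried over from the `-` line into the `+` line; since the row is being edited anyway, change it to `[Web Application Firewall]`.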
azure-government https://docs.microsoft.com/en-us/azure/azure-government/compliance/compliance-tic https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/compliance/compliance-tic.md a/articles/azure-government/compliance/compliance-tic.md
@@ -48,11 +48,12 @@ The rest of this article provides customer guidance that is pertinent to Azure c
## Azure networking options
-There are three main options to connect to Azure
+There are four main options to connect to Azure
-- **Direct Internet connection:** Connect to Azure services directly through an open internet connection. The medium and the connection are public. Application and transport level encryption are relied upon to ensure privacy. Bandwidth is limited by a site's connectivity to the internet. Use more than one active provider to ensure resiliency.-- **Virtual Private Network (VPN):** Connect to your Azure virtual network privately by using a VPN gateway. The medium is public because it traverses a site's standard internet connection, but the connection is encrypted in a tunnel to ensure privacy. Bandwidth is limited depending on the VPN devices and the configuration chosen. Azure point-to-site connections are typically limited to 100 Mbps and site-to-site connections are limited to 1.25 Gbps.-- **Azure ExpressRoute:** ExpressRoute is a direct connection to Microsoft services. Because connectivity is through an isolated fiber channel, the connection can be public or private depending on the configuration that's used. The bandwidth is typically limited to a maximum of 10 Gbps.
+- **Direct internet connection:** Connect to Azure services directly through an open internet connection. The medium and the connection are public. Application and transport-level encryption are relied on to ensure privacy. Bandwidth is limited by a site's connectivity to the internet. Use more than one active provider to ensure resiliency.
+- **Virtual Private Network (VPN):** Connect to your Azure virtual network privately by using a VPN gateway. The medium is public because it traverses a site's standard internet connection, but the connection is encrypted in a tunnel to ensure privacy. Bandwidth is limited depending on the VPN devices and the configuration you choose. Azure point-to-site connections usually are limited to 100 Mbps. Site-to-site connections range from 100 Mbps to 10 Gbps.
+- **Azure ExpressRoute:** ExpressRoute is a direct connection to Microsoft services. ExpressRoute uses a provider at a peering location to connect to Microsoft Enterprise edge routers. ExpressRoute uses different peering types for IaaS and PaaS/SaaS services, private peering and Microsoft peering. Bandwidth ranges from 50 Mbps to 10 Gbps.
+- **Azure ExpressRoute Direct:** ExpressRoute Direct allows for direct fiber connections from your edge to the Microsoft Enterprise edge routers at the peering location. ExpressRoute Direct removes a third-party connectivity provider from the required hops. Bandwidth ranges from 10 Gbps to 100 Gbps.
To enable the connection from the *agency* to Azure or Microsoft 365, without routing traffic through the agency TIC, the agency must use an encrypted tunnel or a dedicated connection to the cloud service provider (CSP). The CSP services can ensure that connectivity to the agency cloud assets isn't offered via the public Internet for direct agency personnel access.
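Review bot: "There are four main options to connect to Azure" introduces the bullet list and needs a terminating colon. In the ExpressRoute bullet, "ExpressRoute uses different peering types for IaaS and PaaS/SaaS services, private peering and Microsoft peering" is ambiguous; make the mapping explicit, for example "private peering for IaaS and Microsoft peering for PaaS/SaaS services". The `+` line also lowercases "internet" in "Direct internet connection" while the unchanged paragraph below still says "public Internet"; pick one casing.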
@@ -85,7 +86,7 @@ The simplest scenario to support TIC compliance is to assure that a virtual mach
#### Force Internet traffic through an on-premises network
-Azure automatically creates system routes and assigns the routes to each subnet in a virtual network. You can't create or remove system routes, but you can override some system routes with custom routes. Azure creates default system routes for each subnet. Azure adds optional default routes to specific subnets, or every subnet, when you use specific Azure capabilities. This type of routing ensures:
+Azure automatically creates system routes and assigns the routes to each subnet in a virtual network. You can't create or remove system routes, but you can override system routes with custom routes. Azure creates default system routes for each subnet. Azure adds optional default routes to specific subnets, or every subnet, when you use specific Azure capabilities. This type of routing ensures:
- Traffic that's destined within the virtual network stays within the virtual network. - Internet Assigned Numbers Authority (IANA)-designated private address spaces like 10.0.0.0/8 are dropped, unless they're included in the virtual network address space.
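Review bot: dropping "some" from "you can override some system routes with custom routes" turns a qualified statement into an absolute one. Unless every system route is confirmed to be overridable by a user-defined route, keep the hedge, and if the intent is to clarify what can be overridden, say so explicitly rather than removing the qualifier.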
@@ -97,7 +98,7 @@ All traffic that leaves the virtual network needs to route through the on-premis
#### Add user-defined routes
-If you use a route-based virtual network gateway, you can force tunneling in Azure. Add a user-defined route that sets 0.0.0.0/0 traffic to route to a **next hop** of your virtual network gateway. Azure prioritizes user-defined routes over system-defined routes. All non-virtual network traffic is sent to your virtual network gateway, which can then route the traffic to on-premises. After you define the user-defined route, associate the route with existing subnets or new subnets within all virtual networks in your Azure environment.
+If you use a route-based virtual network gateway, you can use forced tunneling in Azure. Add a user-defined route that sets 0.0.0.0/0 traffic to route to a **next hop** of your virtual network gateway. Azure prioritizes user-defined routes over system-defined routes. All non-virtual network traffic is sent to your virtual network gateway, which can then route the traffic to on-premises. After you define the user-defined route, associate the route with existing subnets or new subnets within all virtual networks in your Azure environment.
:::image type="content" source="./media/tic-diagram-d.png" alt-text="User-defined routes and TIC" border="false":::
@@ -212,4 +213,4 @@ Networks in regions that are monitored by Network Watcher can conduct next hop t
## Conclusions
-You can easily configure network access to help comply with TIC 2.0 guidance, as well as leverage Azure support for the NIST CSF and NIST SP 800-53 to address TIC 3.0 requirements.
\ No newline at end of file
+You can easily configure network access to help comply with TIC 2.0 guidance, as well as leverage Azure support for the NIST CSF and NIST SP 800-53 to address TIC 3.0 requirements.
azure-government https://docs.microsoft.com/en-us/azure/azure-government/compliance/secure-azure-computing-architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/compliance/secure-azure-computing-architecture.md a/articles/azure-government/compliance/secure-azure-computing-architecture.md
@@ -111,7 +111,7 @@ When you plan your SCCA compliancy strategy and technical architecture, consider
- Use integrated IPS or bring-your-own IPS. #### Which network virtual appliance vendor will you use for VDSS?
-As mentioned earlier, you can build this SACA reference by using a variety of appliances and Azure services. Microsoft has automated solution templates to deploy the SACA architecture with Palo Alto, F5, and Citrix. These solutions are covered in the following section.
+As mentioned earlier, you can build this SACA reference by using a variety of appliances and Azure services. Microsoft has automated solution templates to deploy the SACA architecture with Palo Alto Networks, F5, and Citrix. These solutions are covered in the following section.
#### Which Azure services will you use? - There are Azure services that can meet requirements for log analytics, host-based protection, and IDS functionality. It's possible that some services arenΓÇÖt generally available in Microsoft Azure DoD regions. In this case, you might need to use third-party tools if these Azure services canΓÇÖt meet your requirements. Look at the tools you're comfortable with and the feasibility of using Azure native tooling.
@@ -169,14 +169,14 @@ We recommend this architecture because it meets SCCA requirements. ItΓÇÖs highly
- Network security groups - They're used to control which types of traffic can traverse to certain endpoints.
-### Palo Alto SACA deployment
+### Palo Alto Networks SACA deployment
-The Palo Alto deployment template deploys one to many VM-Series appliances, as well as the VDMS staging and routing to enable a one-tier, VDSS-compliant architecture. This architecture meets the requirements of SCCA.
+The Palo Alto Networks deployment template deploys one to many VM-Series appliances, as well as the VDMS staging and routing to enable a one-tier, VDSS-compliant architecture. This architecture meets the requirements of SCCA.
![Palo Alto SACA diagram](media/pansaca.png)
-For the Palo Alto documentation and deployment script, see [this GitHub link](https://github.com/PaloAltoNetworks/Palo-Azure-SACA).
+For the Palo Alto Networks documentation and deployment script, see [this GitHub link](https://github.com/PaloAltoNetworks/Palo-Azure-SACA).
### F5 SACA deployment
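Review bot: the vendor rename to "Palo Alto Networks" misses the image alt text on the unchanged line `![Palo Alto SACA diagram](media/pansaca.png)` between the two edited paragraphs; update it so the heading, prose and alt text agree.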
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/customer-managed-keys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/customer-managed-keys.md a/articles/azure-monitor/platform/customer-managed-keys.md
@@ -122,7 +122,7 @@ These settings can be updated in Key Vault via CLI and PowerShell:
## Create cluster Clusters support two [managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types): System-assigned and User-assigned, while a single identity can be defined in a cluster depending on your scenario. -- System-assigned managed identity is simpler and being generated automatically with the cluster creation when identity `type` is set to "*SystemAssigned*". This identity can be used later to grant the cluster access to your Key Vault.
+- System-assigned managed identity is simpler and being generated automatically with the cluster creation when identity `type` is set to "*SystemAssigned*". This identity can be used later to grant storage access to your Key Vault for wrap and unwrap operations.
Identity settings in cluster for System-assigned managed identity ```json
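Review bot: the `+` line has a grammar slip and an ambiguous subject: "is simpler and being generated automatically" should read "is simpler and is generated automatically", and "grant storage access to your Key Vault" leaves "storage" undefined; say whose storage is meant, for example "grant the cluster's storage access to your Key Vault for wrap and unwrap operations".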
@@ -133,7 +133,7 @@ Clusters support two [managed identity types](../../active-directory/managed-ide
} ``` -- If you want to configure Customer-managed key at cluster creation, you should have a key and User-assigned identity granted in your Key Vault beforehand, then create the cluster with these settings: identity `type` as "*UserAssigned*", `UserAssignedIdentities` with the resource ID of the identity.
+- If you want to configure Customer-managed key at cluster creation, you should have a key and User-assigned identity granted in your Key Vault beforehand, then create the cluster with these settings: identity `type` as "*UserAssigned*", `UserAssignedIdentities` with the *resource ID* of your identity.
Identity settings in cluster for User-assigned managed identity ```json
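Review bot: `UserAssignedIdentities` in the `+` line is written in Pascal case, but the JSON property shown in the sample further down this file is `userAssignedIdentities` (camel case); match the property name exactly, because readers copy it into their templates.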
@@ -147,27 +147,7 @@ Clusters support two [managed identity types](../../active-directory/managed-ide
``` > [!IMPORTANT]
-> You can't use Customer-managed key with User-assigned managed identity if your Key Vault is in Private-Link (vNet). You can use System-assigned managed identity in this scenario.
-
-```json
-{
- "identity": {
- "type": "SystemAssigned"
-}
-```
-
-With:
-
-```json
-{
- "identity": {
- "type": "UserAssigned",
- "userAssignedIdentities": {
- "subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft. ManagedIdentity/UserAssignedIdentities/<user-assigned-managed-identity-name>"
- }
-}
-```
-
+> You can't use User-assigned managed identity if your Key Vault is in Private-Link (vNet). You can use System-assigned managed identity in this scenario.
Follow the procedure illustrated in [Dedicated Clusters article](../log-query/logs-dedicated-clusters.md#creating-a-cluster).
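Review bot: the blank line that separated the `> [!IMPORTANT]` callout from the following paragraph was removed together with the JSON samples, so "Follow the procedure illustrated in..." now directly follows the `>` line and Markdown's lazy continuation will render it inside the callout; restore one blank line after the `+` callout line. Removing the samples themselves is sound: the first block was missing the closing brace of the `identity` object, and the second carried a space in `Microsoft. ManagedIdentity`, so neither was a valid example.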
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-dashboard-errors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/itsmc-dashboard-errors.md a/articles/azure-monitor/platform/itsmc-dashboard-errors.md
@@ -9,13 +9,13 @@ Last updated 01/18/2021
-# Errors in the connector status
+# Errors in the connector status section
-In the connector status list you can find errors that can help you to fix issues in your ITSM connector.
+In the connector status list section in the dashboard you can find errors that can help you to fix issues in your ITSM connector.
## Status Common Errors
-in this section you can find the common errors that presented in the connector status section and how you should resolve it:
+In this section you can find the common errors that presented in the connector status section and how you should resolve them:
* **Error**: "Unexpected response from ServiceNow along with success status code. Response: { "import_set": "{import_set_id}", "staging_table": "x_mioms_microsoft_oms_incident", "result": [ { "transform_map": "OMS Incident", "table": "incident", "status": "error", "error_message": "{Target record not found|Invalid table|Invalid staging table" }"
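Review bot: the `+` line "the common errors that presented in the connector status section" still needs "that are presented" (or simply "that appear"); while touching this section, the heading "Status Common Errors" reads better as "Common status errors".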
@@ -23,7 +23,7 @@ in this section you can find the common errors that presented in the connector s
* A custom script deployed in ServiceNow instance causes incidents to be ignored. * "OMS Integrator App" code itself was modified on ServiceNow side, e.g. the onBefore script.
- **Resolution**: Disable all custom scripts or code modifications of the data import path.
+ **Resolution**: Disable all custom scripts or code modifications.
* **Error**: "{"error":{"message":"Operation Failed","detail":"ACL Exception Update Failed due to security constraints"}"
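Review bot: dropping "of the data import path" makes the resolution much broader than the causes listed above it (a custom script on the import path and a modified OMS Integrator App onBefore script); telling readers to "Disable all custom scripts or code modifications" across the whole ServiceNow instance is disproportionate. Keep the scope, for example "Disable custom scripts or code modifications on the incident import path."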
@@ -54,7 +54,7 @@ in this section you can find the common errors that presented in the connector s
**Cause**: ITSM Connector was deleted. **Resolution**: The ITSM Connector was deleted but there are still ITSM action groups defined associated to it. There are 2 options to solve this issue:
- * Find and disable or delete such action
+ * Find and disable or delete such action groups
* [Reconfigure the action group](./itsmc-definition.md#create-itsm-work-items-from-azure-alerts) to use an existing ITSM Connector. * [Create a new ITSM connector](./itsmc-definition.md#create-an-itsm-connection) and [reconfigure the action group to use it](itsmc-definition.md#create-itsm-work-items-from-azure-alerts).
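Review bot: "There are 2 options to solve this issue:" no longer matches the list, which shows three bullets (find and disable or delete the action groups, reconfigure the action group, create a new ITSM connector); either say three options or fold the first bullet into the explanatory sentence.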
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-troubleshoot-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/itsmc-troubleshoot-overview.md a/articles/azure-monitor/platform/itsmc-troubleshoot-overview.md
@@ -38,24 +38,23 @@ If you're using Service Map, you can view the service desk items created in ITSM
![Screenshot that shows the Log Analytics screen.](media/itsmc-overview/itsmc-overview-integrated-solutions.png)
-## Troubleshoot ITSM connections
--- If a connection fails to connect to the ITSM system and you get an **Error in saving connection** message, take the following steps:
- - For ServiceNow, Cherwell, and Provance connections:
- - Ensure that you correctly entered the user name, password, client ID, and client secret for each of the connections.
- - Ensure that you have sufficient privileges in the corresponding ITSM product to make the connection.
- - For Service Manager connections:
- - Ensure that the web app is successfully deployed and that the hybrid connection is created. To verify the connection is successfully established with the on-premises Service Manager computer, go to the web app URL as described in the documentation for making the [hybrid connection](./itsmc-connections-scsm.md#configure-the-hybrid-connection).
--- If Log Analytics alerts fire but work items aren't created in the ITSM product, if configuration items aren't created/linked to work items, or for other information, see these resources:
- - ITSMC: The solution shows a [summary of connections](itsmc-dashboard.md), work items, computers, and more. Select the tile that has the **Connector Status** label. Doing so takes you to **Log Search** with the relevant query. Look at log records with a `LogType_S` of `ERROR` for more information.
- You can see details about the messages in the table - [here](itsmc-dashboard-errors.md).
- - **Log Search** page: View the errors and related information directly by using the query `*ServiceDeskLog_CL*`.
- ## Common Symptoms - how should it be resolved? The list below contain common symptoms and how should it be resolved:
+* **Symptom**: If a connection fails to connect to the ITSM system and you get an **Error in saving connection** message.
+
+ **Cause**: the cause can be one of the options:
+ * Incorrect credentials
+ * Insufficient privileges
+ * Web app should be deployed correctly
+
+ **Resolution**:
+ * For ServiceNow, Cherwell, and Provance connections:
+ * Ensure that you correctly entered the user name, password, client ID, and client secret for each of the connections.
+ * For ServiceNow: Ensure that you have sufficient privileges in the corresponding ITSM product to make the connection as [specified](itsmc-connections-servicenow.md#install-the-user-app-and-create-the-user-role).
+ * For Service Manager connections:
+ * Ensure that the web app is successfully deployed and that the hybrid connection is created. To verify the connection is successfully established with the on-premises Service Manager computer, go to the web app URL as described in the documentation for making the [hybrid connection](./itsmc-connections-scsm.md#configure-the-hybrid-connection).
* **Symptom**: Duplicate work items are created **Cause**: the cause can be one of the two options:
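Review bot: the rewrite deletes guidance without replacing it. The removed lines for the case where alerts fire but no work item is created (the **Connector Status** tile, records with `LogType_S` of `ERROR`, the `*ServiceDeskLog_CL*` Log Search query, and the link to the error-message table) have no counterpart in the added Symptom/Cause/Resolution block, so readers lose the only instructions on how to locate error records. Two further points in the added lines: in the Cause list, "Web app should be deployed correctly" is a fix, not a cause, and should read "Web app not deployed or hybrid connection missing (Service Manager)"; and the privileges check, previously listed for ServiceNow, Cherwell, and Provance, is now prefixed "For ServiceNow:" only, which silently narrows it. If the other products still need it, drop the prefix.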
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-custom-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/metrics-custom-overview.md a/articles/azure-monitor/platform/metrics-custom-overview.md
@@ -1,11 +1,11 @@
Title: Custom metrics in Azure Monitor (Preview) description: Learn about custom metrics in Azure Monitor and how they are modeled.-+ Previously updated : 06/01/2020 Last updated : 01/25/2021 # Custom metrics in Azure Monitor (Preview)
@@ -99,7 +99,6 @@ For example, if there were four sign-in transactions to your app during a given
|Transaction 1|Transaction 2|Transaction 3|Transaction 4| ||||| |7 ms|4 ms|13 ms|16 ms|
-|
Then the resulting metric publication to Azure Monitor would be as follows: * Min: 4
@@ -128,7 +127,8 @@ In the following example, you create a custom metric called **Memory Bytes in Us
"metric": "Memory Bytes in Use", "namespace": "Memory Profile", "dimNames": [
- "Process" ],
+ "Process"
+ ],
"series": [ { "dimValues": [
@@ -168,7 +168,7 @@ There's no need to predefine a custom metric in Azure Monitor before it's emitte
After custom metrics are submitted to Azure Monitor, you can browse them via the Azure portal and query them via the Azure Monitor REST APIs. You can also create alerts on them to notify you when certain conditions are met. > [!NOTE]
-> You need to be a reader or contributor role to view custom metrics.
+> You need to be a reader or contributor role to view custom metrics. See [Monitoring Reader](../../role-based-access-control/built-in-roles.md#monitoring-reader).
### Browse your custom metrics via the Azure portal 1. Go to the [Azure portal](https://portal.azure.com).
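Review bot: "reader or contributor role" in the NOTE stays too loose after this change. The link the `+` line adds points at the built-in Monitoring Reader role, which is the least-privileged role that can view metrics, so the sentence should name it instead of the two broad roles, for example "You need the Monitoring Reader role (or a role that includes its permissions, such as Reader or Contributor) on the resource to view custom metrics." As written, a reader may grant Contributor where Monitoring Reader suffices.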
@@ -178,34 +178,19 @@ After custom metrics are submitted to Azure Monitor, you can browse them via the
5. Select the metrics namespace for your custom metric. 6. Select the custom metric.
+> [!NOTE]
+> See [Getting started with Azure Metrics Explorer](./metrics-getting-started.md) for more info on viewing metrics in the Azure portal.
+ ## Supported regions
-During the public preview, the ability to publish custom metrics is available only in a subset of Azure regions. This restriction means that metrics can be published only for resources in one of the supported regions. The following table lists the set of supported Azure regions for custom metrics. It also lists the corresponding endpoints that metrics for resources in those regions should be published to:
+During the public preview, the ability to publish custom metrics is available only in a subset of Azure regions. This restriction means that metrics can be published only for resources in one of the supported regions. See [Azure geographies](https://azure.microsoft.com/global-infrastructure/geographies/) for more info on Azure regions. The Azure region code used in the below endpoints is just the name of the region with whitespace removed The following table lists the set of supported Azure regions for custom metrics. It also lists the corresponding endpoints that metrics for resources in those regions should be published to:
|Azure region |Regional endpoint prefix| |||
-| **US and Canada** | |
-|West Central US | https:\//westcentralus.monitoring.azure.com |
-|West US 2 | https:\//westus2.monitoring.azure.com |
-|North Central US | https:\//northcentralus.monitoring.azure.com
-|South Central US| https:\//southcentralus.monitoring.azure.com |
-|Central US | https:\//centralus.monitoring.azure.com |
-|Canada Central | https:\//canadacentral.monitoring.azure.com |
-|East US| https:\//eastus.monitoring.azure.com |
-|East US 2 | https:\//eastus2.monitoring.azure.com |
-| **Europe** | |
-|North Europe | https:\//northeurope.monitoring.azure.com |
-|West Europe | https:\//westeurope.monitoring.azure.com |
-|UK South | https:\//uksouth.monitoring.azure.com
-|France Central | https:\//francecentral.monitoring.azure.com |
-| **Africa** | |
-|South Africa North | https:\//southafricanorth.monitoring.azure.com |
-| **Asia** | |
-|Central India | https:\//centralindia.monitoring.azure.com |
-|Australia East | https:\//australiaeast.monitoring.azure.com |
-|Japan East | https:\//japaneast.monitoring.azure.com |
-|Southeast Asia | https:\//southeastasia.monitoring.azure.com |
-|East Asia | https:\//eastasia.monitoring.azure.com |
-|Korea Central | https:\//koreacentral.monitoring.azure.com |
+| All Public Cloud Regions | https://<azure_region_code>.monitoring.azure.com |
+| **Azure Government** | |
+| US Gov Arizona | https:\//usgovarizona.monitoring.azure.us |
+| **China** | |
+| China East 2 | https:\//chinaeast2.monitoring.azure.cn |
## Latency and storage retention
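Review bot: the replacement table contradicts the sentence before it. The paragraph still says publishing "is available only in a subset of Azure regions", yet the only public-cloud row is now "All Public Cloud Regions"; either remove the subset wording or keep an explicit list. Two smaller issues in the same hunk: the `https://<azure_region_code>.monitoring.azure.com` row is not escaped like the other rows (`https:\//`), so the angle-bracket placeholder may be swallowed as an HTML tag when rendered; and "just the name of the region with whitespace removed" is missing its period and should also say lowercase, since the examples that follow (`usgovarizona`, `chinaeast2`) are lowercase rather than "USGovArizona".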
azure-netapp-files https://docs.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-create-volumes-smb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-create-volumes-smb.md a/articles/azure-netapp-files/azure-netapp-files-create-volumes-smb.md
@@ -69,7 +69,7 @@ A subnet must be delegated to Azure NetApp Files.
See [Designing the site topology](/windows-server/identity/ad-ds/plan/designing-the-site-topology) about AD sites and services.
-* You can enable AES encryption for an SMB volume by checking the **AES Encryption** box in the [Join Active Directory](#create-an-active-directory-connection) window. Azure NetApp Files supports DES, Kerberos AES 128, and Kerberos AES 256 encryption types (from the least secure to the most secure). If you enable AES encryption, the user credentials used to join Active Directory must have the highest corresponding account option enabled that matches the capabilities enabled for your Active Directory.
+* You can enable AES encryption for AD Authentication by checking the **AES Encryption** box in the [Join Active Directory](#create-an-active-directory-connection) window. Azure NetApp Files supports DES, Kerberos AES 128, and Kerberos AES 256 encryption types (from the least secure to the most secure). If you enable AES encryption, the user credentials used to join Active Directory must have the highest corresponding account option enabled that matches the capabilities enabled for your Active Directory.
For example, if your Active Directory has only the AES-128 capability, you must enable the AES-128 account option for the user credentials. If your Active Directory has the AES-256 capability, you must enable the AES-256 account option (which also supports AES-128). If your Active Directory does not have any Kerberos encryption capability, Azure NetApp Files uses DES by default.
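Review bot: the `+` line only changes "for an SMB volume" to "for AD Authentication" and leaves the following paragraph, "If your Active Directory does not have any Kerberos encryption capability, Azure NetApp Files uses DES by default", without any caveat, even though the same bullet ranks DES as the least secure of the three types. Add a sentence that this fallback happens silently and that operators should enable AES-128 or AES-256 on the join account and in the domain rather than rely on it. Also use "Active Directory connection" consistently: "AD Authentication" is not the term used elsewhere in the bullet, whose link text is "Join Active Directory".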
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/resource-name-rules.md a/articles/azure-resource-manager/management/resource-name-rules.md
@@ -628,9 +628,9 @@ In the following tables, the term alphanumeric refers to:
> [!div class="mx-tableFixed"] > | Entity | Scope | Length | Valid Characters | > | | | | |
-> | managedInstances | global | 1-63 | Lowercase letters, numbers, and hyphens.<br><br>Can't start or end with hyphen. |
+> | managedInstances | global | 1-63 | Lowercase letters, numbers, and hyphens.<br><br>Can't start or end with hyphen. <br><br> Can't have any special characters, such as `@`. |
> | servers | global | 1-63 | Lowercase letters, numbers, and hyphens.<br><br>Can't start or end with hyphen. |
-> | servers / administrators | server | | Must be `ActiveDirectory`. |
+> | servers / administrators | server | | Must be `ActiveDirectory`. <br><br> Can't have any special characters, such as `@`.|
> | servers / databases | server | 1-128 | Can't use:<br>`<>*%&:\/?`<br><br>Can't end with period or space. | > | servers / databases / syncGroups | database | 1-150 | Alphanumerics, hyphens, and underscores. | > | servers / elasticPools | server | 1-128 | Can't use:<br>`<>*%&:\/?`<br><br>Can't end with period or space. |
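Review bot: the two added clauses are redundant with, and in one case contradict, the rule they extend. For `managedInstances` the valid-character set is already "Lowercase letters, numbers, and hyphens", which excludes `@`, so "Can't have any special characters, such as `@`" adds nothing and is inconsistent with the untouched `servers` row, which has the same character set and no such note. For `servers / administrators` the name "Must be `ActiveDirectory`", a fixed literal, so a character restriction is meaningless. If the intent is to document a specific error users hit when they type `@` into a name field (for example an AD admin login), say that in a note rather than as a naming rule.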
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-github-actions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-github-actions.md a/articles/azure-resource-manager/templates/deploy-github-actions.md
@@ -8,7 +8,7 @@
# Deploy ARM templates by using GitHub Actions
-[GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions) is a suite of features in GitHub to automate your software development workflows in the same place you store code and collaborate on pull requests and issues.
+[GitHub Actions](https://docs.github.com/en/actions) is a suite of features in GitHub to automate your software development workflows in the same place you store code and collaborate on pull requests and issues.
Use the [Deploy Azure Resource Manager Template Action](https://github.com/marketplace/actions/deploy-azure-resource-manager-arm-template) to automate deploying an Azure Resource Manager template (ARM template) to Azure.
@@ -16,7 +16,7 @@ Use the [Deploy Azure Resource Manager Template Action](https://github.com/marke
- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). - A GitHub account. If you don't have one, sign up for [free](https://github.com/join).
- - A GitHub repository to store your Resource Manager templates and your workflow files. To create one, see [Creating a new repository](https://docs.github.com/en/free-pro-team@latest/github/creating-cloning-and-archiving-repositories/creating-a-new-repository).
+ - A GitHub repository to store your Resource Manager templates and your workflow files. To create one, see [Creating a new repository](https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-new-repository).
## Workflow file overview
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/linked-templates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/linked-templates.md a/articles/azure-resource-manager/templates/linked-templates.md
@@ -2,7 +2,7 @@
Title: Link templates for deployment description: Describes how to use linked templates in an Azure Resource Manager template (ARM template) to create a modular template solution. Shows how to pass parameters values, specify a parameter file, and dynamically created URLs. Previously updated : 01/20/2021 Last updated : 01/25/2021 # Using linked and nested templates when deploying Azure resources
@@ -106,6 +106,10 @@ You set the scope through the `expressionEvaluationOptions` property. By default
... ```
+> [!NOTE]
+>
+> When scope is set to `outer`, you can't use the `reference` function in the outputs section of a nested template for a resource you have deployed in the nested template. To return the values for a deployed resource in a nested template, either use `inner` scope or convert your nested template to a linked template.
+ The following template demonstrates how template expressions are resolved according to the scope. It contains a variable named `exampleVar` that is defined in both the parent template and the nested template. It returns the value of the variable. ```json
@@ -394,10 +398,6 @@ The following excerpt shows which values are secure and which aren't secure.
} ```
-> [!NOTE]
->
-> When scope is set to `outer`, you can't use the `reference` function in the outputs section of a nested template for a resource you have deployed in the nested template. To return the values for a deployed resource in a nested template, either use `inner` scope or convert your nested template to a linked template.
- ## Linked template To link a template, add a [deployments resource](/azure/templates/microsoft.resources/deployments) to your main template. In the `templateLink` property, specify the URI of the template to include. The following example links to a template that is in a storage account.
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/connect-github-actions-sql-db https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/connect-github-actions-sql-db.md a/articles/azure-sql/database/connect-github-actions-sql-db.md
@@ -13,7 +13,7 @@
# Use GitHub Actions to connect to Azure SQL Database
-Get started with [GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions) by using a workflow to deploy database updates to [Azure SQL Database](../azure-sql-iaas-vs-paas-what-is-overview.md).
+Get started with [GitHub Actions](https://docs.github.com/en/actions) by using a workflow to deploy database updates to [Azure SQL Database](../azure-sql-iaas-vs-paas-what-is-overview.md).
## Prerequisites
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/dynamic-data-masking-overview.md a/articles/azure-sql/database/dynamic-data-masking-overview.md
@@ -10,7 +10,7 @@
Previously updated : 08/04/2020 Last updated : 01/25/2021 tags: azure-synpase # Dynamic data masking
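Review bot: the unchanged context line carries `tags: azure-synpase`, a misspelling of `azure-synapse` in the front matter. Since this commit already touches the metadata block, fix the tag so the article is indexed under the right one.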
@@ -20,16 +20,12 @@ Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics supp
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer. ItΓÇÖs a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed.
-For example, a service representative at a call center may identify callers by several digits of their credit card number, but those data items should not be fully exposed to the service representative. A masking rule can be defined that masks all but the last four digits of any credit card number in the result set of any query. As another example, an appropriate data mask can be defined to protect personal data, so that a developer can query production environments for troubleshooting purposes without violating compliance regulations.
+For example, a service representative at a call center may identify callers by several digits of their email address, but those data items should not be fully exposed to the service representative. A masking rule can be defined that masks all the email address in the result set of any query. As another example, an appropriate data mask can be defined to protect personal data, so that a developer can query production environments for troubleshooting purposes without violating compliance regulations.
## Dynamic data masking basics You set up a dynamic data masking policy in the Azure portal by selecting the **Dynamic Data Masking** blade under **Security** in your SQL Database configuration pane. This feature cannot be set using portal for SQL Managed Instance (use PowerShell or REST API). For more information, see [Dynamic Data Masking](/sql/relational-databases/security/dynamic-data-masking).
-### Dynamic data masking permissions
-
-Dynamic data masking can be configured by the Azure SQL Database admin, server admin, or [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) roles.
- ### Dynamic data masking policy * **SQL users excluded from masking** - A set of SQL users or Azure AD identities that get unmasked data in the SQL query results. Users with administrator privileges are always excluded from masking, and see the original data without any mask.
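Review bot: the new example on the `+` line no longer makes sense. A representative identifying callers "by several digits of their email address" is not a real workflow, and the rule described, which "masks all the email address", would hide the very value the representative needs, so the example contradicts its own premise; the removed partial-exposure example (all but the last four digits of a card number) is what actually illustrates masking. Either restore the credit-card example or rewrite the email one as partial masking, for example "masks all but the first letter and the domain suffix of any email address". In any case "masks all the email address" should read "masks the entire email address".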
@@ -77,3 +73,11 @@ You can use the REST API to programmatically manage data masking policy and rule
- [Create Or Update](/rest/api/sql/datamaskingrules/createorupdate): Creates or updates a database data masking rule. - [List By Database](/rest/api/sql/datamaskingrules/listbydatabase): Gets a list of database data masking rules.+
+## Permissions
+
+Dynamic data masking can be configured by the Azure SQL Database admin, server admin, or the role-based access control (RBAC) [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role.
+
+## Next steps
+
+[Dynamic Data Masking](/sql/relational-databases/security/dynamic-data-masking)
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/user-initiated-failover https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/user-initiated-failover.md a/articles/azure-sql/managed-instance/user-initiated-failover.md
@@ -9,7 +9,7 @@
Previously updated : 12/16/2020 Last updated : 01/25/2021 # User-initiated manual failover on SQL Managed Instance
@@ -138,6 +138,7 @@ You will not be able to see the same output with GP service tier as the one abov
> - There could be one (1) failover initiated on the same Managed Instance every **15 minutes**. > - For BC instances there must exist quorum of replicas for the failover request to be accepted. > - For BC instances it is not possible to specify which readable secondary replica to initiate the failover on.
+> - Failover will not be allowed until the first full backup for a new database is completed by automated backup systems.
## Next steps
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/deploy-azure-vmware-solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/deploy-azure-vmware-solution.md a/articles/azure-vmware/deploy-azure-vmware-solution.md
@@ -38,7 +38,7 @@ After you deploy Azure VMware Solution, you'll create the virtual network's jump
:::image type="content" source="media/pre-deployment/jump-box-diagram.png" alt-text="Create the Azure VMware Solution jump box" border="false" lightbox="media/pre-deployment/jump-box-diagram.png":::
-To create a virtual machine (VM) in the virtual network you [identified or created as part of the deployment process](production-ready-deployment-steps.md#azure-virtual-network-to-attach-azure-vmware-solution), follow these instructions:
+To create a virtual machine (VM) in the virtual network that you [identified or created as part of the deployment process](production-ready-deployment-steps.md#attach-virtual-network-to-azure-vmware-solution), follow these instructions:
[!INCLUDE [create-avs-jump-box-steps](includes/create-jump-box-steps.md)]
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/production-ready-deployment-steps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/production-ready-deployment-steps.md a/articles/azure-vmware/production-ready-deployment-steps.md
@@ -88,9 +88,9 @@ Keep in mind that:
- If you plan to extend networks from on-premises, those networks must connect to a [vSphere Distributed Switch (vDS)](https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.networking.doc/GUID-B15C6A13-797E-4BCB-B9D9-5CBC5A60C3A6.html) in your on-premises VMware environment. - If the network(s) you wish to extend live on a [vSphere Standard Switch](https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.networking.doc/GUID-350344DE-483A-42ED-B0E2-C811EE927D59.html), then they can't be extended.
-## Azure Virtual Network to attach Azure VMware Solution
+## Attach virtual network to Azure VMware Solution
-In this step, you'll identify an ExpressRoute virtual network gateway and supporting Azure virtual network used to connect the Azure VMware Solution ExpressRoute circuit. The ExpressRoute circuit facilitates connectivity to and from the Azure VMware Solution private cloud to other Azure services, Azure resources, and on-premises environments.
+In this step, you'll identify an ExpressRoute virtual network gateway and supporting Azure Virtual Network used to connect the Azure VMware Solution ExpressRoute circuit. The ExpressRoute circuit facilitates connectivity to and from the Azure VMware Solution private cloud to other Azure services, Azure resources, and on-premises environments.
You can use an *existing* OR *new* ExpressRoute virtual network gateway.
@@ -98,21 +98,23 @@ You can use an *existing* OR *new* ExpressRoute virtual network gateway.
### Use an existing ExpressRoute virtual network gateway
-If you use an *existing* ExpressRoute virtual network gateway, the Azure VMware Solution ExpressRoute circuit is established after you deploy the private cloud. So, you don't need to populate the **Virtual Network** field.
+If you use an *existing* ExpressRoute virtual network gateway, the Azure VMware Solution ExpressRoute circuit is established after you deploy the private cloud. In this case, leave the **Virtual Network** field blank.
Make note of which ExpressRoute virtual network gateway you'll use and continue to the next step. ### Create a new ExpressRoute virtual network gateway
-If creating a *new* ExpressRoute virtual network gateway, an existing Azure Virtual Network can be used, or a new Azure Virtual Network can be created.
+When you create a *new* ExpressRoute virtual network gateway, you can use an existing Azure Virtual Network or create a new one.
-If the choice is to use an existing Azure Virtual Network verify there are no pre-existing ExpressRoute virtual network gateways in the virtual network and select it in the Virtual Network dropdown of the Create a private cloud deployment screen.
+- For an existing Azure Virtual network:
+ 1. Verify there are no pre-existing ExpressRoute virtual network gateways in the virtual network.
+ 1. Select the existing Azure Virtual Network from the **Virtual Network** list.
-If the choice is to create a new Azure Virtual Network it can be created ahead of time or during deployment by clicking on the Create new option of Virtual Network section of the Create a private cloud deployment screen.
+- For a new Azure Virtual Network, you can create it in advance or during deployment. Select the **Create new** link under the **Virtual Network** list.
-For reference, below is an image of the **Create a private cloud** deployment screen and outlined in red is the Azure **Virtual Network** field that has been referred to throughout this section.
+The below image shows the **Create a private cloud** deployment screen with the **Virtual Network** field highlighted.
-:::image type="content" source="media/pre-deployment/azure-vmware-solution-deployment-screen-vnet-circle.png" alt-text="Screenshot of the Azure VMware Solution deployment screen with virtual network gateway circled.":::
+:::image type="content" source="media/pre-deployment/azure-vmware-solution-deployment-screen-vnet-circle.png" alt-text="Screenshot of the Azure VMware Solution deployment screen with Virtual Network field highlighted.":::
>[!NOTE] >Any virtual network that is going to be used or created may be seen by your on-premises environment and Azure VMware Solution, so make sure whatever IP segment you use in this virtual network and subnets do not overlap.
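Review bot: "Azure Virtual network" on the first added bullet is inconsistent with "Azure Virtual Network" everywhere else in the hunk, and "The below image shows" should be "The following image shows". The unchanged NOTE at the end also says the IP segment "do not overlap" without saying with what; since its first clause says the network is visible to both on-premises and Azure VMware Solution, spell it out: "do not overlap with your on-premises address space or with the Azure VMware Solution private cloud address blocks". It should also read "does not overlap", since the subject is the IP segment.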
backup https://docs.microsoft.com/en-us/azure/backup/about-azure-vm-restore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/about-azure-vm-restore.md a/articles/backup/about-azure-vm-restore.md
@@ -29,7 +29,7 @@ This article describes how the [Azure Backup service](./backup-overview.md) rest
- [Geo-redundant storage (GRS)](../storage/common/storage-redundancy.md#geo-redundant-storage) is the default and recommended replication option. GRS replicates your data to a secondary region (hundreds of miles away from the primary location of the source data). GRS costs more than LRS, but GRS provides a higher level of durability for your data, even if there's a regional outage. - [Zone-redundant storage (ZRS)](../storage/common/storage-redundancy.md#zone-redundant-storage) replicates your data in [availability zones](../availability-zones/az-overview.md#availability-zones), guaranteeing data residency and resiliency in the same region. ZRS has no downtime. So your critical workloads that require [data residency](https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/), and must have no downtime, can be backed up in ZRS. -- **Cross-Region Restore (CRR)**: As one of the [restore options](./backup-azure-arm-restore-vms.md#restore-options), Cross Region Restore (CRR) allows you to restore Azure VMs in a secondary region, which is an [Azure paired region](../best-practices-availability-paired-regions.md#what-are-paired-regions).
+- **Cross-Region Restore (CRR)**: As one of the [restore options](./backup-azure-arm-restore-vms.md#restore-options), Cross Region Restore (CRR) allows you to restore Azure VMs in a secondary region, which is an [Azure paired region](../best-practices-availability-paired-regions.md#what-are-paired-regions) You can restore your data in the secondary region at anytime, during partial or full outages, or any other time you choose.
## Restore scenarios
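Review bot: the `+` line runs two sentences together: "... Azure paired region) You can restore your data ..." is missing the period after the link. Also "at anytime" should be "at any time", and "during partial or full outages, or any other time you choose" repeats "at any time"; one of the two phrasings suffices.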
backup https://docs.microsoft.com/en-us/azure/backup/backup-azure-arm-restore-vms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-arm-restore-vms.md a/articles/backup/backup-azure-arm-restore-vms.md
@@ -18,7 +18,7 @@ Azure Backup provides a number of ways to restore a VM.
**Create a new VM** | Quickly creates and gets a basic VM up and running from a restore point.<br/><br/> You can specify a name for the VM, select the resource group and virtual network (VNet) in which it will be placed, and specify a storage account for the restored VM. The new VM must be created in the same region as the source VM.<br><br>If a VM restore fails because an Azure VM SKU wasn't available in the specified region of Azure, or because of any other issues, Azure Backup still restores the disks in the specified resource group. **Restore disk** | Restores a VM disk, which can then be used to create a new VM.<br/><br/> Azure Backup provides a template to help you customize and create a VM. <br/><br> The restore job generates a template that you can download and use to specify custom VM settings, and create a VM.<br/><br/> The disks are copied to the Resource Group you specify.<br/><br/> Alternatively, you can attach the disk to an existing VM, or create a new VM using PowerShell.<br/><br/> This option is useful if you want to customize the VM, add configuration settings that weren't there at the time of backup, or add settings that must be configured using the template or PowerShell. **Replace existing** | You can restore a disk, and use it to replace a disk on the existing VM.<br/><br/> The current VM must exist. If it's been deleted, this option can't be used.<br/><br/> Azure Backup takes a snapshot of the existing VM before replacing the disk, and stores it in the staging location you specify. Existing disks connected to the VM are replaced with the selected restore point.<br/><br/> The snapshot is copied to the vault, and retained in accordance with the retention policy. <br/><br/> After the replace disk operation, the original disk is retained in the resource group. You can choose to manually delete the original disks if they aren't needed. 
<br/><br/>Replace existing is supported for unencrypted managed VMs, including VMs [created using custom images](https://azure.microsoft.com/resources/videos/create-a-custom-virtual-machine-image-in-azure-resource-manager-with-powershell/). It's unsupported for classic VMs.<br/><br/> If the restore point has more or less disks than the current VM, then the number of disks in the restore point will only reflect the VM configuration.<br><br> Replace existing is also supported for VMs with linked resources, like [user-assigned managed-identity](../active-directory/managed-identities-azure-resources/overview.md) or [Key Vault](../key-vault/general/overview.md).
-**Cross Region (secondary region)** | Cross Region restore can be used to restore Azure VMs in the secondary region, which is an [Azure paired region](../best-practices-availability-paired-regions.md#what-are-paired-regions).<br><br> You can restore all the Azure VMs for the selected recovery point if the backup is done in the secondary region.<br><br> This feature is available for the options below:<br> <li> [Create a VM](#create-a-vm) <br> <li> [Restore Disks](#restore-disks) <br><br> We don't currently support the [Replace existing disks](#replace-existing-disks) option.<br><br> Permissions<br> The restore operation on secondary region can be performed by Backup Admins and App admins.
+**Cross Region (secondary region)** | Cross Region restore can be used to restore Azure VMs in the secondary region, which is an [Azure paired region](../best-practices-availability-paired-regions.md#what-are-paired-regions).<br><br> You can restore all the Azure VMs for the selected recovery point if the backup is done in the secondary region.<br><br> During the backup, snapshots aren't replicated to the secondary region. Only the data stored in the vault is replicated. So secondary region restores are only [vault tier](about-azure-vm-restore.md#concepts) restores. The restore time for the secondary region will be almost the same as the vault tier restore time for the primary region. <br><br> This feature is available for the options below:<br> <li> [Create a VM](#create-a-vm) <br> <li> [Restore Disks](#restore-disks) <br><br> We don't currently support the [Replace existing disks](#replace-existing-disks) option.<br><br> Permissions<br> The restore operation on secondary region can be performed by Backup Admins and App admins.
> [!NOTE] > You can also recover specific files and folders on an Azure VM. [Learn more](backup-azure-restore-files-from-vm.md).
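Review bot: the added sentences say that snapshots are not replicated and that secondary-region restores are vault-tier only, but they leave the consequence for the reader implicit; state it plainly, for example that a recovery point whose data still exists only in the snapshot tier is not available for Cross Region restore until that data has been transferred to the vault, since anyone planning for a regional outage needs to know which recovery points they can count on. Separately, the `<li>` items in this cell have no enclosing `<ul>` and the `Permissions<br>` label is plain text; `**Permissions**` would match the bold labels used elsewhere in the row.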
backup https://docs.microsoft.com/en-us/azure/backup/backup-azure-recovery-services-vault-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-recovery-services-vault-overview.md a/articles/backup/backup-azure-recovery-services-vault-overview.md
@@ -16,7 +16,7 @@ This article describes the features of a Recovery Services vault. A Recovery Ser
- **Soft Delete**: With soft delete, even if a malicious actor deletes a backup (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. The additional 14 days of retention for backup data in the "soft delete" state don't incur any cost to you. [Learn more](backup-azure-security-feature-cloud.md). -- **Cross Region Restore**: Cross Region Restore (CRR) allows you to restore Azure VMs in a secondary region, which is an Azure paired region. If Azure declares a disaster in the primary region, the data replicated in the secondary region is available to restore in the secondary region to mitigate real downtime disaster in the primary region for their environment. [Learn more](backup-azure-arm-restore-vms.md#cross-region-restore).
+- **Cross Region Restore**: Cross Region Restore (CRR) allows you to restore Azure VMs in a secondary region, which is an Azure paired region. By enabling this feature at the [vault level](backup-create-rs-vault.md#set-cross-region-restore), you can restore the replicated data in the secondary region any time, when you choose. This enables you to restore the secondary region data for audit-compliance, and during outage scenarios, without waiting for Azure to declare a disaster (unlike the GRS settings of the vault). [Learn more](backup-azure-arm-restore-vms.md#cross-region-restore).
## Storage settings in the Recovery Services vault
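Review bot: the parenthetical "(unlike the GRS settings of the vault)" in the new Cross Region Restore bullet is ambiguous, because the GRS replication is what makes the secondary-region data available in the first place rather than an alternative to CRR; the contrast intended is with the geo-failover path that waits for Azure to declare a disaster, so phrase it as "unlike relying on the vault's GRS failover, which requires Azure to declare a disaster". Also "any time, when you choose" is redundant; "at any time" is enough.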
backup https://docs.microsoft.com/en-us/azure/backup/backup-azure-vm-backup-faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-vm-backup-faq.md a/articles/backup/backup-azure-vm-backup-faq.md
@@ -108,6 +108,10 @@ Azure Backup now supports selective disk backup and restore using the Azure Virt
If [tenant changes](/azure/devops/organizations/accounts/change-azure-ad-connection) occur, you're required to disable and re-enable [managed identities](../active-directory/managed-identities-azure-resources/overview.md) to make backups work again.
+### Does Azure Backup support backing up NFS files mounted from storage?
+
+Azure Backup doesn't support backing up NFS files that are mounted from storage, or from any other NFS server, to Linux or Windows machines. It only backs up disks which are locally attached to the VM.
+ ## Restore ### How do I decide whether to restore disks only or a full VM?
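Review bot: "mounted from storage" in the new FAQ answer does not say which storage is meant; name the service, or say "from an Azure storage service or from any other NFS server". Minor: "disks which are locally attached" reads better as "disks that are locally attached", and the same sentence is added verbatim to the IaaS support matrix in this update, so keep the two in sync if either is reworded.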
backup https://docs.microsoft.com/en-us/azure/backup/backup-support-matrix-iaas https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-support-matrix-iaas.md a/articles/backup/backup-support-matrix-iaas.md
@@ -76,6 +76,7 @@ For Azure VM Linux backups, Azure Backup supports the list of Linux [distributio
- Azure Backup doesn't support 32-bit operating systems. - Other bring-your-own Linux distributions might work as long as the [Azure VM agent for Linux](../virtual-machines/extensions/agent-linux.md) is available on the VM, and as long as Python is supported. - Azure Backup doesn't support a proxy-configured Linux VM if it doesn't have Python version 2.7 installed.
+- Azure Backup doesn't support backing up NFS files that are mounted from storage, or from any other NFS server, to Linux or Windows machines. It only backs up disks which are locally attached to the VM.
## Backup frequency and retention
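Review bot: the new NFS bullet is placed under the Linux distribution notes, but it applies to "Linux or Windows machines", so it belongs in the VM storage support table further down (next to the shared storage, shared disks and Ultra SSD limitations) rather than in a Linux-specific list. Same wording nit as the FAQ: "disks that are locally attached".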
@@ -139,10 +140,11 @@ Back up VMs that are deployed from a custom image (third-party) |Supported.<br/>
Back up VMs that are migrated to Azure| Supported.<br/><br/> To back up the VM, the VM agent must be installed on the migrated machine. Back up Multi-VM consistency | Azure Backup doesn't provide data and application consistency across multiple VMs. Backup with [Diagnostic Settings](../azure-monitor/platform/platform-logs-overview.md) | Unsupported. <br/><br/> If the restore of the Azure VM with diagnostic settings is triggered using [Create New](backup-azure-arm-restore-vms.md#create-a-vm) option, then the restore fails.
-Restore of Zone-pinned VMs | Supported (for a VM that's backed-up after Jan 2019 and where [availability zones](https://azure.microsoft.com/global-infrastructure/availability-zones/) are available).<br/><br/>We currently support restoring to the same zone that's pinned in VMs. However, if the zone is unavailable, restore fails.
+Restore of Zone-pinned VMs | Supported (for a VM that's backed-up after Jan 2019 and where [availability zones](https://azure.microsoft.com/global-infrastructure/availability-zones/) are available).<br/><br/>We currently support restoring to the same zone that's pinned in VMs. However, if the zone is unavailable due to an outage, the restore will fail.
Gen2 VMs | Supported <br> Azure Backup supports backup and restore of [Gen2 VMs](https://azure.microsoft.com/updates/generation-2-virtual-machines-in-azure-public-preview/). When these VMs are restored from Recovery point, they're restored as [Gen2 VMs](https://azure.microsoft.com/updates/generation-2-virtual-machines-in-azure-public-preview/). Backup of Azure VMs with locks | Unsupported for unmanaged VMs. <br><br> Supported for managed VMs. [Spot VMs](../virtual-machines/spot-vms.md) | Unsupported. Azure Backup restores Spot VMs as regular Azure VMs.
+[Azure Dedicated Host](https://docs.microsoft.com/azure/virtual-machines/dedicated-hosts) | Supported
## VM storage support
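Review bot: the new `Azure Dedicated Host | Supported` row is the only one in this table without a terminating period or any qualification, and it uses an absolute `https://docs.microsoft.com/azure/...` link where the neighbouring rows use relative `../virtual-machines/...` paths; write `Supported.` and use a relative path like the other rows for consistency.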
@@ -160,6 +162,7 @@ Resize disk on protected VM | Supported.
Shared storage| Backing up VMs using Cluster Shared Volume (CSV) or Scale-Out File Server isn't supported. CSV writers are likely to fail during backup. On restore, disks containing CSV volumes might not come-up. [Shared disks](../virtual-machines/disks-shared-enable.md) | Not supported. Ultra SSD disks | Not supported. For more details, see these [limitations](selective-disk-backup-restore.md#limitations).
+[Temporary disks](https://docs.microsoft.com/azure/virtual-machines/managed-disks-overview#temporary-disk) | Temporary disks aren't backed up by Azure Backup.
## VM network support
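Review bot: the new Temporary disks row uses an absolute `https://docs.microsoft.com/azure/...` link where the rows around it use relative paths. Since this is a support matrix, phrase the cell like its neighbours ("Not supported. Temporary disks aren't backed up by Azure Backup.") and spell out the consequence: data written to the temporary disk is not present in any restore point.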
backup https://docs.microsoft.com/en-us/azure/backup/backup-support-matrix https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-support-matrix.md a/articles/backup/backup-support-matrix.md
@@ -145,7 +145,7 @@ Azure Backup has added the Cross Region Restore feature to strengthen data avail
| Backup Management type | Supported | Supported Regions | | - | | -- |
-| Azure VM | Yes. Supported for encrypted VMs and VMs with lesser than 4-TB disks | All Azure public regions. |
+| Azure VM | Supported for Azure VMs with both managed and unmanaged disks. Not supported for classic VMs. | All Azure public regions. |
| SQL /SAP HANA | Yes | All public regions except France | | MARS Agent/On premises | No | N/A | | AFS (Azure file shares) | No | N/A |
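Review bot: the rewritten Azure VM row drops both qualifications from the old text (encrypted VMs, disks smaller than 4 TB) without saying whether those limits no longer apply; if CRR is now supported regardless of encryption and disk size, say so explicitly, and if either limit still holds, keep it in the cell, because the new wording only addresses managed/unmanaged disks and classic VMs.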
backup https://docs.microsoft.com/en-us/azure/backup/disk-backup-support-matrix https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/disk-backup-support-matrix.md a/articles/backup/disk-backup-support-matrix.md
@@ -17,7 +17,7 @@ You can use [Azure Backup](./backup-overview.md) to protect Azure Disks. This ar
## Supported regions
-Azure Disk Backup is available in preview in the following regions: West Central US, Korea Central, Korea South.
+Azure Disk Backup is available in preview in the following regions: West Central US, East US2, Korea Central, Korea South, Japan West, UAE North.
More regions will be announced when they become available.
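Review bot: "East US2" in the new region list should be "East US 2", the region's display name; the Batch customer-managed-key article in this same update writes it "East US 2".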
backup https://docs.microsoft.com/en-us/azure/backup/faq-backup-sql-server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/faq-backup-sql-server.md a/articles/backup/faq-backup-sql-server.md
@@ -95,7 +95,10 @@ You can select the database, which is now renamed and configure protection on it
A database that you [add to an autoprotected instance](backup-sql-server-database-azure-vms.md#enable-auto-protection) might not immediately appear under protected items. This is because the discovery typically runs every 8 hours. However, you can discover and protect new databases immediately if you manually run a discovery by selecting **Rediscover DBs**, as shown in the following image: ![Manually discover a newly added database](./media/backup-azure-sql-database/view-newly-added-database.png)
-
+
+## Can I protect databases on virtual machines that have Azure Disk Encryption (ADE) enabled?
+Yes, you can protect databases on virtual machines that have Azure Disk Encryption (ADE) enabled.
+ ## Can I protect databases that have TDE (Transparent Data Encryption) turned on and will the database stay encrypted through the entire backup process? Yes, Azure Backup supports backup of SQL Server databases or server with TDE enabled. Backup supports [TDE](/sql/relational-databases/security/encryption/transparent-data-encryption) with keys managed by Azure, or with customer-managed keys (BYOK). Backup doesn't perform any SQL encryption as part of the backup process so the database will stay encrypted when backed up.
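Review bot: the new ADE answer repeats the question and adds nothing beyond "Yes"; the TDE entry right below it tells the reader what happens to encryption during backup, so do the same here (whether the backed-up data stays protected, and whether restoring to an ADE-enabled VM needs any extra step). The `-`/`+` blank-line pair above the new heading is a whitespace-only change.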
backup https://docs.microsoft.com/en-us/azure/backup/whats-new https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/whats-new.md a/articles/backup/whats-new.md
@@ -14,20 +14,20 @@ You can learn more about the new releases by bookmarking this page or by [subscr
## Updates summary - January 2021
- - [Azure Disk Backup (in preview)](disk-backup-overview.md)
- - [Encryption at rest using customer-managed keys now generally available](encryption-at-rest-with-cmk.md)
+ - [Azure Disk Backup (in preview)](#azure-disk-backup-in-preview)
+ - [Encryption at rest using customer-managed keys (general availability)](#encryption-at-rest-using-customer-managed-keys)
- November 2020 - [Azure Resource Manager template for Azure file share (AFS) backup](#azure-resource-manager-template-for-afs-backup)
- - [Incremental backups for SAP HANA databases on Azure VMs](#incremental-backups-for-sap-hana-databases)
+ - [Incremental backups for SAP HANA databases on Azure VMs (in preview)](#incremental-backups-for-sap-hana-databases-in-preview)
- September 2020
- - [Backup Center](#backup-center)
- - [Backup Azure Database for PostgreSQL](#backup-azure-database-for-postgresql)
+ - [Backup Center (in preview)](#backup-center-in-preview)
+ - [Backup Azure Database for PostgreSQL (in preview)](#backup-azure-database-for-postgresql-in-preview)
- [Selective disk backup and restore](#selective-disk-backup-and-restore)
- - [Cross Region Restore for SQL Server and SAP HANA databases on Azure VMs](#cross-region-restore-for-sql-server-and-sap-hana)
- - [Support for backup of VMs with up to 32 disks](#support-for-backup-of-vms-with-up-to-32-disks)
+ - [Cross Region Restore for SQL Server and SAP HANA databases on Azure VMs (in preview)](#cross-region-restore-for-sql-server-and-sap-hana-in-preview)
+ - [Support for backup of VMs with up to 32 disks (general availability)](#support-for-backup-of-vms-with-up-to-32-disks)
- [Simplified backup configuration experience for SQL in Azure VMs](#simpler-backup-configuration-for-sql-in-azure-vms)
- - [Backup SAP HANA in RHEL Azure Virtual Machines](#backup-sap-hana-in-rhel-azure-virtual-machines)
- - [Zone redundant storage (ZRS) for backup data](#zone-redundant-storage-zrs-for-backup-data)
+ - [Backup SAP HANA in RHEL Azure Virtual Machines (in preview)](#backup-sap-hana-in-rhel-azure-virtual-machines-in-preview)
+ - [Zone redundant storage (ZRS) for backup data (in preview)](#zone-redundant-storage-zrs-for-backup-data-in-preview)
- [Soft delete for SQL Server and SAP HANA workloads in Azure VMs](#soft-delete-for-sql-server-and-sap-hana-workloads) ## Azure Disk Backup (in preview)
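Review bot: the January entries now point at in-page anchors instead of `disk-backup-overview.md` and `encryption-at-rest-with-cmk.md`, so make sure the corresponding sections below still carry those document links, otherwise the reader loses the direct path to the feature articles. The renamed anchors match the renamed headings in the later hunks (`#incremental-backups-for-sap-hana-databases-in-preview`, `#backup-center-in-preview`, and so on); `#encryption-at-rest-using-customer-managed-keys` has no matching heading change in this diff, so confirm that heading exists.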
@@ -48,13 +48,13 @@ Azure Backup now supports configuring backup for existing Azure file shares usin
For more information, see [Azure Resource Manager templates for Azure Backup](backup-rm-template-samples.md).
-## Incremental backups for SAP HANA databases
+## Incremental backups for SAP HANA databases (in preview)
Azure Backup now supports incremental backups for SAP HANA databases hosted on Azure VMs. This allows for faster and more cost-efficient backups of your SAP HANA data. For more information, see [various options available during creation of a backup policy](sap-hana-faq-backup-azure-vm.md#policy) and [how to create a backup policy for SAP HANA databases](tutorial-backup-sap-hana-db.md#creating-a-backup-policy).
-## Backup Center
+## Backup Center (in preview)
Azure Backup has enabled a new native management capability to manage your entire backup estate from a central console. Backup Center provides you with the capability to monitor, operate, govern, and optimize data protection at scale in a unified manner consistent with AzureΓÇÖs native management experiences.
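Review bot: the unchanged context line under the Backup Center heading contains `AzureΓÇÖs`, a mis-encoded curly apostrophe; fix it to `Azure's` while this file is being edited.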
@@ -62,7 +62,7 @@ With Backup Center, you get an aggregated view of your inventory across subscrip
For more information, see [Overview of Backup Center](backup-center-overview.md).
-## Backup Azure Database for PostgreSQL
+## Backup Azure Database for PostgreSQL (in preview)
Azure Backup and Azure Database Services have come together to build an enterprise-class backup solution for Azure PostgreSQL (now in preview). Now you can meet your data protection and compliance needs with a customer-controlled backup policy that enables retention of backups for up to 10 years. With this, you have granular control to manage the backup and restore operations at the individual database level. Likewise, you can restore across PostgreSQL versions or to blob storage with ease.
@@ -74,7 +74,7 @@ Azure Backup supports backing up all the disks (operating system and data) in a
For more information, see [Selective disk backup and restore for Azure virtual machines](selective-disk-backup-restore.md).
-## Cross Region Restore for SQL Server and SAP HANA
+## Cross Region Restore for SQL Server and SAP HANA (in preview)
With the introduction of cross-region restore, you can now initiate restores in a secondary region at will to mitigate real downtime issues in a primary region for your environment. This makes the secondary region restores completely customer controlled. Azure Backup uses the backed-up data replicated to the secondary region for such restores.
@@ -94,13 +94,13 @@ Configuring backups for your SQL Server in Azure VMs is now even easier with inl
For more information, see [Back up a SQL Server from the VM pane](backup-sql-server-vm-from-vm-pane.md).
-## Backup SAP HANA in RHEL Azure virtual machines
+## Backup SAP HANA in RHEL Azure virtual machines (in preview)
Azure Backup is the native backup solution for Azure and is BackInt certified by SAP. Azure Backup has now added support for Red Hat Enterprise Linux (RHEL), one of the most widely used Linux operating systems running SAP HANA. For more information, see the [SAP HANA database backup scenario support matrix](sap-hana-backup-support-matrix.md#scenario-support).
-## Zone redundant storage (ZRS) for backup data
+## Zone redundant storage (ZRS) for backup data (in preview)
Azure Storage provides a great balance of high performance, high availability, and high data resiliency with its varied redundancy options. Azure Backup allows you to extend these benefits to backup data as well, with options to store your backups in locally redundant storage (LRS) and geo-redundant storage (GRS). Now, there are additional durability options with the added support for zone redundant storage (ZRS).
batch https://docs.microsoft.com/en-us/azure/batch/batch-customer-managed-key https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/batch-customer-managed-key.md a/articles/batch/batch-customer-managed-key.md
@@ -1,9 +1,9 @@
Title: Configure customer-managed keys for your Azure Batch account with Azure Key Vault and Managed Identity
-description: Learn how to encrypt Batch data using keys
+description: Learn how to encrypt Batch data using customer-managed keys.
Previously updated : 07/17/2020 Last updated : 01/25/2021
@@ -12,25 +12,33 @@
By default Azure Batch uses platform-managed keys to encrypt all the customer data stored in the Azure Batch Service, like certificates, job/task metadata. Optionally, you can use your own keys, i.e., customer-managed keys, to encrypt data stored in Azure Batch.
-The keys you provide must be generated in [Azure Key Vault](../key-vault/general/basic-concepts.md), and the Batch accounts you want to configure with customer-managed keys have to be enabled with [Azure Managed Identity](../active-directory/managed-identities-azure-resources/overview.md).
+The keys you provide must be generated in [Azure Key Vault](../key-vault/general/basic-concepts.md), and they must be accessed with [managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
+
+There are two types of managed identities: [*system-assigned* and *user-assigned*](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types).
+
+You can either create your Batch account with system-assigned managed identity, or create a separate user-assigned managed identity that will have access to the customer-managed keys. Review the [comparison table](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) to understand the differences and consider which option works best for your solution. For example, if you want to use the same managed identity to access multiple Azure resources, a user-assigned managed identity will be needed. If not, a system-assigned managed identity associated with your Batch account may be sufficient. Using a user-assigned managed identity also gives you the option to enforce customer-managed keys at Batch account creation, as shown [in the example below](#create-a-batch-account-with-user-assigned-managed-identity-and-customer-managed-keys).
> [!IMPORTANT] > Support for customer-managed keys in Azure Batch is currently in public preview for the West Europe, North Europe, Switzerland North, Central US, South Central US, West Central US, East US, East US 2, West US 2, US Gov Virginia, and US Gov Arizona regions. > This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-## Create a Batch Account with system-assigned managed identity
+## Create a Batch account with system-assigned managed identity
+
+If you don't need a separate user-assigned managed identity, you can enable system-assigned managed identity when you create your Batch account.
### Azure portal In the [Azure portal](https://portal.azure.com/), when you create Batch accounts, pick **System assigned** in the identity type under the **Advanced** tab.
-![New Batch account with system assigned identity type](./media/batch-customer-managed-key/create-batch-account.png)
+![Screenshot of a new Batch account with system assigned identity type.](./media/batch-customer-managed-key/create-batch-account.png)
+
+After the account is created, you can find a unique GUID in the **Identity principal Id** field under the **Properties** section. The **Identity Type** will show `System assigned`.
-After the account is created, you can find a unique GUID in the **Identity principal id** field under the **Property** section. The **Identity Type** will show `SystemAssigned`.
+![Screenshot showing a unique GUID in the Identity principal Id field.](./media/batch-customer-managed-key/linked-batch-principal.png)
+
+You will need this value in order to grant this Batch account access to the Key Vault.
-![Unique GUID in Identity principal id field](./media/batch-customer-managed-key/linked-batch-principal.png)
-
### Azure CLI When you create a new Batch account, specify `SystemAssigned` for the `--identity` parameter.
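Review bot: the value the portal shows for the identity type changed from `SystemAssigned` to `System assigned`, while the CLI section that follows still tells the reader to pass `SystemAssigned` to `--identity`; if the portal really displays the spaced form, add a short note that both refer to the same identity type so the reader does not look for a different setting. The new paragraph on choosing between system-assigned and user-assigned identities is one long block; splitting the decision criteria ("same identity across multiple resources" versus "one Batch account only") into two sentences or a short list would make it easier to act on.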
@@ -46,7 +54,7 @@ az batch account create \
--identity 'SystemAssigned' ```
-After the account is created, you can verify that system-assigned managed identity has been enabled on this account. Be sure to note the `PrincipalId`, as this value will be needed to grant this batch account access to the Key Vault.
+After the account is created, you can verify that system-assigned managed identity has been enabled on this account. Be sure to note the `PrincipalId`, as this value will be needed to grant this Batch account access to the Key Vault.
```azurecli az batch account show \
@@ -58,23 +66,34 @@ az batch account show \
> [!NOTE] > The system-assigned managed identity created in a Batch account is only used for retrieving customer-managed keys from the Key Vault. This identity is not available on Batch pools.
+## Create a user-assigned managed identity
+
+If you prefer, you can [create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md#create-a-user-assigned-managed-identity) which can be used to access your customer-managed keys.
+
+You will need the **Client ID** value of this identity in order for it to access the Key Vault.
+ ## Configure your Azure Key Vault instance
+The Azure Key Vault in which your keys will be generated must be created in the same tenant as your Batch account. It does not need to be in the same resource group or even in the same subscription.
+ ### Create an Azure Key Vault
-When creating an Azure Key Vault instance with customer-managed keys for Azure Batch, make sure that **Soft Delete** and **Purge Protection** are both enabled.
+When [creating an Azure Key Vault instance](../key-vault/general/quick-create-portal.md) with customer-managed keys for Azure Batch, make sure that **Soft Delete** and **Purge Protection** are both enabled.
-![Key Vault creation screen](./media/batch-customer-managed-key/create-key-vault.png)
+![Screenshot of the Key Vault creation screen.](./media/batch-customer-managed-key/create-key-vault.png)
### Add an access policy to your Azure Key Vault instance
-In the Azure portal, after the Key Vault is created, In the **Access Policy** under **Setting**, add the Batch account access using managed identity. Under **Key Permissions**, select **Get**, **Wrap Key** and **Unwrap Key**.
+In the Azure portal, after the Key Vault is created, In the **Access Policy** under **Setting**, add the Batch account access using managed identity. Under **Key Permissions**, select **Get**, **Wrap Key** and **Unwrap Key**.
+
+![Screenshow showing the Add access policy screen.](./media/batch-customer-managed-key/key-permissions.png)
-![Add access policy](./media/batch-customer-managed-key/key-permissions.png)
+In the **Select** field under **Principal**, fill in one of the following:
-In the **Select** field under **Principal**, fill in the `principalId` that you previously retrieved, or the name of the batch account.
+- For system-assigned managed identity: Enter the `principalId` that you previously retrieved or the name of the Batch account.
+- For user-assigned managed identity: Enter the **Client ID** that you previously retrieved or the name of the user-assigned managed identity.
-![Enter principalId](./media/batch-customer-managed-key/principal-id.png)
+![Screenshot of the Principal screen.](./media/batch-customer-managed-key/principal-id.png)
### Generate a key in Azure Key Vault
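Review bot: the new principal guidance asks for a different identifier per identity type (`principalId` for system-assigned, **Client ID** for user-assigned); both kinds of managed identity have an object/principal ID, which is what a Key Vault access policy is bound to, so either recommend the principal (object) ID for both or state explicitly that the access-policy picker also resolves the client (application) ID. Two leftovers in this hunk: "Screenshow" in the new alt text should be "Screenshot", and the re-added sentence keeps the mid-sentence capital in "In the **Access Policy** under **Setting**" (lowercase "in", and check the blade names, which the portal shows as "Access policies" under "Settings").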
@@ -84,13 +103,15 @@ In the Azure portal, go to the Key Vault instance in the **key** section, select
After the key is created, click on the newly created key and the current version, copy the **Key Identifier** under **properties** section. Be sure sure that under **Permitted Operations**, **Wrap Key** and **Unwrap Key** are both checked.
-## Enable customer-managed keys on Azure Batch Account
+## Enable customer-managed keys on a Batch account
+
+Once you have followed the steps above, you can enable customer-managed keys on your Batch account.
### Azure portal In the [Azure portal](https://portal.azure.com/), go to the Batch account page. Under the **Encryption** section, enable **Customer-managed key**. You can directly use the Key Identifier, or you can select the key vault and then click **Select a key vault and key**.
-![Under Encryption, enable Customer-managed key](./media/batch-customer-managed-key/encryption-page.png)
+![Screenshot showing the Encryption section and option to enable customer-managed key](./media/batch-customer-managed-key/encryption-page.png)
### Azure CLI
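Review bot: the context line "Be sure sure that under **Permitted Operations**..." has a doubled word; fix it to "Be sure that" while this section is being touched. The new alt text "Screenshot showing the Encryption section and option to enable customer-managed key" lacks the terminating period that the other rewritten alt texts in this file got.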
@@ -104,12 +125,40 @@ az batch account set \
--encryption_key_identifier {YourKeyIdentifier} ```
+## Create a Batch account with user-assigned managed identity and customer-managed keys
+
+Using the Batch management .NET client, you can create a Batch account that will have a user-assigned managed identity and customer-managed keys.
+
+```c#
+EncryptionProperties encryptionProperties = new EncryptionProperties()
+{
+ KeySource = KeySource.MicrosoftKeyVault,
+ KeyVaultProperties = new KeyVaultProperties()
+ {
+ KeyIdentifier = "Your Key Azure Resource Manager Resource ID"
+ }
+};
+
+BatchAccountIdentity identity = new BatchAccountIdentity()
+{
+ Type = ResourceIdentityType.UserAssigned,
+ UserAssignedIdentities = new Dictionary<string, BatchAccountIdentityUserAssignedIdentitiesValue>
+ {
+ ["Your Identity Azure Resource Manager ResourceId"] = new BatchAccountIdentityUserAssignedIdentitiesValue()
+ }
+};
+var parameters = new BatchAccountCreateParameters(TestConfiguration.ManagementRegion, encryption:encryptionProperties, identity: identity);
+
+var account = await batchManagementClient.Account.CreateAsync("MyResourceGroup",
+ "mynewaccount", parameters);
+```
+ ## Update the customer-managed key version When you create a new version of a key, update the Batch account to use the new version. Follow these steps: 1. Navigate to your Batch account in Azure portal and display the Encryption settings.
-2. Enter the URI for the new key version. Alternately, you can select the key vault and the key again to update the version.
+2. Enter the URI for the new key version. Alternately, you can select the Key Vault and the key again to update the version.
3. Save your changes. You can also use Azure CLI to update the version.
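Review bot: two problems in the new C# sample. `TestConfiguration.ManagementRegion` is a test-harness reference that will not resolve for readers; use a literal region string or a clearly named variable. The placeholder `"Your Key Azure Resource Manager Resource ID"` for `KeyIdentifier` is misleading, because the rest of this article has the reader copy the **Key Identifier** (the key version URI) from the key's properties rather than an ARM resource ID; make the placeholder say "Your Key Vault key identifier (URI)". Also consider tagging the fence `csharp` rather than `c#`, and the CLI context lines in this file use `--encryption_key_identifier` with underscores; Azure CLI parameters are hyphenated, so check that this should read `--encryption-key-identifier`.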
@@ -120,15 +169,16 @@ az batch account set \
-g $resourceGroupName \ --encryption_key_identifier {YourKeyIdentifierWithNewVersion} ```+ ## Use a different key for Batch encryption To change the key used for Batch encryption, follow these steps: 1. Navigate to your Batch account and display the Encryption settings.
-2. Enter the URI for the new key. Alternately, you can select the key vault and choose a new key.
+2. Enter the URI for the new key. Alternately, you can select the Key Vault and choose a new key.
3. Save your changes.
-You can also use Azure CLI to use a different key.
+You can also use Azure CLI to use a different key.
```azurecli az batch account set \
@@ -136,14 +186,21 @@ az batch account set \
-g $resourceGroupName \ --encryption_key_identifier {YourNewKeyIdentifier} ```+ ## Frequently asked questions
- * **Are customer-managed keys supported for existing Batch accounts?** No. Customer-managed keys are only supported for new Batch accounts.
- * **Can I select RSA key sizes larger than 2048 bits?** Yes, RSA key sizes of `3072` and `4096` bits are also supported.
- * **What operations are available after a customer-managed key is revoked?** The only operation allowed is account deletion if Batch loses access to the customer-managed key.
- * **How should I restore access to my Batch account if I accidentally delete the Key Vault key?** Since purge protection and soft delete are enabled, you could restore the existing keys. For more information, see [Recover an Azure Key Vault](../key-vault/general/key-vault-recovery.md).
- * **Can I disable customer-managed keys?** You can set the encryption type of the Batch Account back to "Microsoft managed key" at any time. After this, you are free to delete or change the key.
- * **How can I rotate my keys?** Customer-managed keys are not automatically rotated. To rotate the key, update the Key Identifier that the account is associated with.
- * **After I restore access how long will it take for the Batch account to work again?** It can take up to 10 minutes for the account to be accessible again once access is restored.
- * **While the Batch Account is unavailable what happens to my resources?** Any pools that are running when Batch access to customer-managed keys is lost will continue to run. However, the nodes will transition into an unavailable state, and tasks will stop running (and be requeued). Once access is restored, nodes will become available again and tasks will be restarted.
- * **Does this encryption mechanism apply to VM disks in a Batch pool?** No. For Cloud Service Configuration Pools, no encryption is applied for the OS and temporary disk. For Virtual Machine Configuration Pools, the OS and any specified data disks will be encrypted with a Microsoft platform managed key by default. Currently, you cannot specify your own key for these disks. To encrypt the temporary disk of VMs for a Batch pool with a Microsoft platform managed key, you must enable the [diskEncryptionConfiguration](/rest/api/batchservice/pool/add#diskencryptionconfiguration) property in your [Virtual Machine Configuration](/rest/api/batchservice/pool/add#virtualmachineconfiguration) Pool. For highly sensitive environments, we recommend enabling temporary disk encryption and avoiding storing sensitive data on OS and data disks. For more information, see [Create a pool with disk encryption enabled](./disk-encryption.md)
- * **Is the system-assigned managed identity on the Batch account available on the compute nodes?** No. This managed identity is currently used only for accessing the Azure Key Vault for the customer-managed key.
+
+- **Are customer-managed keys supported for existing Batch accounts?** No. Customer-managed keys are only supported for new Batch accounts.
+- **Can I select RSA key sizes larger than 2048 bits?** Yes, RSA key sizes of `3072` and `4096` bits are also supported.
+- **What operations are available after a customer-managed key is revoked?** The only operation allowed is account deletion if Batch loses access to the customer-managed key.
+- **How should I restore access to my Batch account if I accidentally delete the Key Vault key?** Since purge protection and soft delete are enabled, you could restore the existing keys. For more information, see [Recover an Azure Key Vault](../key-vault/general/key-vault-recovery.md).
+- **Can I disable customer-managed keys?** You can set the encryption type of the Batch Account back to "Microsoft managed key" at any time. After this, you are free to delete or change the key.
+- **How can I rotate my keys?** Customer-managed keys are not automatically rotated. To rotate the key, update the Key Identifier that the account is associated with.
+- **After I restore access how long will it take for the Batch account to work again?** It can take up to 10 minutes for the account to be accessible again once access is restored.
+- **While the Batch Account is unavailable what happens to my resources?** Any pools that are running when Batch access to customer-managed keys is lost will continue to run. However, the nodes will transition into an unavailable state, and tasks will stop running (and be requeued). Once access is restored, nodes will become available again and tasks will be restarted.
+- **Does this encryption mechanism apply to VM disks in a Batch pool?** No. For Cloud Service Configuration Pools, no encryption is applied for the OS and temporary disk. For Virtual Machine Configuration Pools, the OS and any specified data disks will be encrypted with a Microsoft platform managed key by default. Currently, you cannot specify your own key for these disks. To encrypt the temporary disk of VMs for a Batch pool with a Microsoft platform managed key, you must enable the [diskEncryptionConfiguration](/rest/api/batchservice/pool/add#diskencryptionconfiguration) property in your [Virtual Machine Configuration](/rest/api/batchservice/pool/add#virtualmachineconfiguration) Pool. For highly sensitive environments, we recommend enabling temporary disk encryption and avoiding storing sensitive data on OS and data disks. For more information, see [Create a pool with disk encryption enabled](./disk-encryption.md)
+- **Is the system-assigned managed identity on the Batch account available on the compute nodes?** No. The system-assigned managed identity is currently used only for accessing the Azure Key Vault for the customer-managed key.
+
+## Next steps
+
+- Learn more about [security best practices in Azure Batch](security-best-practices.md).
+- Learn more about[Azure Key Vault](../key-vault/general/basic-concepts.md).
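Review bot: the new Next steps bullet at the end of the hunk is missing a space before the link (`Learn more about[Azure Key Vault]` should read `Learn more about [Azure Key Vault]`), and the disk-encryption FAQ answer still ends without a period after `(./disk-encryption.md)`. On the rotation answer ("To rotate the key, update the Key Identifier that the account is associated with"), it would help readers to state whether that identifier has to include the key version, since that decides whether creating a new key version in Key Vault is enough or the account must be updated after every rotation.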
cloud-services-extended-support https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/deploy-powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/deploy-powershell.md a/articles/cloud-services-extended-support/deploy-powershell.md
@@ -143,20 +143,20 @@ This article shows how to use the `Az.CloudService` PowerShell module to deploy
19. Create Cloud Service deployment using profile objects & SAS URLs. ```powershell
- $cloudService = New-AzCloudService `
- -Name ΓÇ£ContosoCSΓÇ¥ `
- -ResourceGroupName ΓÇ£ContosOrgΓÇ¥ `
- -Location ΓÇ£East USΓÇ¥ `
- -PackageUrl $cspkgUrl `
- -ConfigurationUrl $cscfgUrl `
- -UpgradeMode 'Auto' `
- -RoleProfile $roleProfile `
+ $cloudService = New-AzCloudService `
+ -Name ΓÇ£ContosoCSΓÇ¥ `
+ -ResourceGroupName ΓÇ£ContosOrgΓÇ¥ `
+ -Location ΓÇ£East USΓÇ¥ `
+ -PackageUrl $cspkgUrl `
+ -ConfigurationUrl $cscfgUrl `
+ -UpgradeMode 'Auto' `
+ -RoleProfile $roleProfile `
-NetworkProfile $networkProfile ` -ExtensionProfile $extensionProfile `
- -OSProfile $osProfile
+ -OSProfile $osProfile `
-Tag $tag ``` ## Next steps - Review [frequently asked questions](faq.md) for Cloud Services (extended support).-- Deploy a Cloud Service (extended support) using the [Azure portal](deploy-portal.md), [PowerShell](deploy-powershell.md), [Template](deploy-template.md) or [Visual Studio](deploy-visual-studio.md).\ No newline at end of file
+- Deploy a Cloud Service (extended support) using the [Azure portal](deploy-portal.md), [PowerShell](deploy-powershell.md), [Template](deploy-template.md) or [Visual Studio](deploy-visual-studio.md).
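Review bot: the re-indented `New-AzCloudService` call still uses typographic quotes around `ContosoCS`, `ContosOrg` and `East US` (they surface here as `ΓÇ£...ΓÇ¥`), while `-UpgradeMode 'Auto'` uses ASCII quotes; switch the three string arguments to straight quotes so the sample pastes cleanly and is consistent. The line continuation added after `-OSProfile $osProfile` is the right fix, since without it `-Tag $tag` was parsed as a separate statement.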
cloud-services-extended-support https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/deploy-prerequisite https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/deploy-prerequisite.md a/articles/cloud-services-extended-support/deploy-prerequisite.md
@@ -38,30 +38,30 @@ CloudServices Microsoft.Compute Registered
## Required Service Configuration (.cscfg) file updates ### 1) Virtual Network
-Cloud Service (extended support) deployments must be in a virtual network. Virtual network can be created through [Azure portal](https://docs.microsoft.com/azure/virtual-network/quick-create-portal), [PowerShell](https://docs.microsoft.com/azure/virtual-network/quick-create-powershell), [Azure CLI](https://docs.microsoft.com/azure/virtual-network/quick-create-cli) or [ARM Template](https://docs.microsoft.com/azure/virtual-network/quick-create-template). The virtual network and subnets must also be referenced in the Service Configuration (.cscfg) under the `NetworkConfiguration` section.
+Cloud Service (extended support) deployments must be in a virtual network. Virtual network can be created through [Azure portal](https://docs.microsoft.com/azure/virtual-network/quick-create-portal), [PowerShell](https://docs.microsoft.com/azure/virtual-network/quick-create-powershell), [Azure CLI](https://docs.microsoft.com/azure/virtual-network/quick-create-cli) or [ARM Template](https://docs.microsoft.com/azure/virtual-network/quick-create-template). The virtual network and subnets must also be referenced in the Service Configuration (.cscfg) under the [NetworkConfiguration](schema-cscfg-networkconfiguration.md) section.
For a virtual networks belonging to the same resource group as the cloud service, referencing only the virtual network name in the Service Configuration (.cscfg) file is sufficient. If the virtual network and cloud service are in two different resource groups, then the complete Azure Resource Manager ID of the virtual network needs to be specified in the Service Configuration (.cscfg) file. #### Virtual Network located in same resource group
-```json
+```xml
<VirtualNetworkSite name="<vnet-name>"/>
-<AddressAssignments>
-<InstanceAddress roleName="<role-name>">
-<Subnets>
-<Subnet name="<subnet-name>"/>
-</Subnets>
-</InstanceAddress>
+ <AddressAssignments>
+ <InstanceAddress roleName="<role-name>">
+ <Subnets>
+ <Subnet name="<subnet-name>"/>
+ </Subnets>
+ </InstanceAddress>
``` #### Virtual network located in different resource group
-```json
-ΓÇ£/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/>
-<AddressAssignments>
-<InstanceAddress roleName="<role-name>">
-<Subnets>
-<Subnet name="<subnet-name>"/>
-</Subnets>
-</InstanceAddress>
+```xml
+<VirtualNetworkSite name="/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>"/>
+ <AddressAssignments>
+ <InstanceAddress roleName="<role-name>">
+ <Subnets>
+ <Subnet name="<subnet-name>"/>
+ </Subnets>
+ </InstanceAddress>
``` ### 2) Remove the old plugins
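Review bot: both corrected .cscfg fragments still open `<AddressAssignments>` but never close it; each snippet ends at `</InstanceAddress>`, so the XML is not well-formed as shown and a reader copying it will get a parse error. Add the closing `</AddressAssignments>` after `</InstanceAddress>` in both blocks. Changing the fence from `json` to `xml` and using the full Azure Resource Manager ID in `VirtualNetworkSite name=` for the cross-resource-group case is correct; the context sentence above the snippets ("For a virtual networks belonging to") also has a stray article that could be fixed in the same change.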
cloud-services-extended-support https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/deploy-template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/deploy-template.md a/articles/cloud-services-extended-support/deploy-template.md
@@ -174,46 +174,44 @@ This tutorial explains how to create a Cloud Service (extended support) deployme
"capacity": "1" } }
- }
+ }
+ }
``` 6. (Optional) Create an extension profile to add extensions to your cloud service. For this example, we are adding the remote desktop and Windows Azure diagnostics extension. ```json
- "extensionProfile": {
- "extensions": [
- {
- "name": "RDPExtension",
- "properties": {
- "autoUpgradeMinorVersion": true,
- "publisher": "Microsoft.Windows.Azure.Extensions",
- "type": "RDP",
- "typeHandlerVersion": "1.2.1",
- "settings": " <PublicConfig>\r\n <UserName>>[Insert Password]</UserName>\r\n <Expiration>1/15/2022 12:00:00 AM</Expiration>\r\n</PublicConfig> ",
- "protectedSettings": "<PrivateConfig>\r\n <Password>[Insert Password]</Password>\r\n</PrivateConfig>"
- }
- }
- ]
- },
-
- "extensionProfile": {
- "extensions": [
- {
- "name": "Microsoft.Insights.VMDiagnosticsSettings_WebRole1",
- "properties": {
- "autoUpgradeMinorVersion": true,
- "publisher": "Microsoft.Azure.Diagnostics",
- "type": "PaaSDiagnostics",
- "typeHandlerVersion": "1.5",
- "settings": "Include PublicConfig XML as a raw string",
- "protectedSettings": "Include PrivateConfig XML as a raw stringΓÇ¥",
- "rolesAppliedTo": [
- "WebRole1"
- ]
- }
- }
+ "extensionProfile": {
+ "extensions": [
+ {
+ "name": "RDPExtension",
+ "properties": {
+ "autoUpgradeMinorVersion": true,
+ "publisher": "Microsoft.Windows.Azure.Extensions",
+ "type": "RDP",
+ "typeHandlerVersion": "1.2.1",
+ "settings": "<PublicConfig>\r\n <UserName>[Insert Username]</UserName>\r\n <Expiration>1/21/2022 12:00:00 AM</Expiration>\r\n</PublicConfig>",
+ "protectedSettings": "<PrivateConfig>\r\n <Password>[Insert Password]</Password>\r\n</PrivateConfig>"
+ }
+ },
+ {
+ "name": "Microsoft.Insights.VMDiagnosticsSettings_WebRole1",
+ "properties": {
+ "autoUpgradeMinorVersion": true,
+ "publisher": "Microsoft.Azure.Diagnostics",
+ "type": "PaaSDiagnostics",
+ "typeHandlerVersion": "1.5",
+ "settings": "[parameters('wadPublicConfig_WebRole1')]",
+ "protectedSettings": "[parameters('wadPrivateConfig_WebRole1')]",
+ "rolesAppliedTo": [
+ "WebRole1"
] }
+ }
+ ]
+ }
+
+
``` 7. Review the full template.
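Review bot: merging the two duplicated `extensionProfile` objects into one `extensions` array is right, but the RDP entry's `protectedSettings` now embeds the password placeholder directly in the template text (`<Password>[Insert Password]</Password>`) while the diagnostics entry correctly reads `[parameters('wadPrivateConfig_WebRole1')]`. Anyone following the sample literally ends up with an RDP password in a committed template; pass it through a `securestring` parameter as was done for WAD. The RDP `settings` string also hard-codes `<Expiration>1/21/2022 12:00:00 AM</Expiration>`, so the sample stops working once that date passes; make the expiration a parameter or say in the step text that it must be set to a future date. Finally, drop the two empty `+` lines before the closing fence.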
@@ -259,17 +257,17 @@ This tutorial explains how to create a Cloud Service (extended support) deployme
"description": "Roles created in the cloud service application" } },
- "rdpPublicConfig": {
+ "wadPublicConfig_WebRole1": {
"type": "string", "metadata": {
- "description": "Public config of remote desktop extension"
+ "description": "Public configuration of Windows Azure Diagnostics extension"
}
- },
- "rdpPrivateConfig": {
+ },
+ "wadPrivateConfig_WebRole1": {
"type": "securestring", "metadata": {
- "description": "Private config of remote desktop extension"
- }
+ "description": "Private configuration of Windows Azure Diagnostics extension"
+ }
}, "vnetName": { "type": "string",
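Review bot: renaming the parameters to `wadPublicConfig_WebRole1` / `wadPrivateConfig_WebRole1` matches the diagnostics extension, but it removes the only `securestring` parameter for the RDP password (`rdpPrivateConfig`), and the full template in the later hunk now inlines `[Insert Password]` in the RDP `protectedSettings`. Keep an `rdpPrivateConfig` parameter of type `securestring` alongside the new WAD parameters instead of replacing it.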
@@ -409,11 +407,22 @@ This tutorial explains how to create a Cloud Service (extended support) deployme
} ] },
- "extensionProfile": {ΓÇïΓÇïΓÇïΓÇï
+ "extensionProfile": {
"extensions": [
- {ΓÇïΓÇïΓÇïΓÇï
+ {
+ "name": "RDPExtension",
+ "properties": {
+ "autoUpgradeMinorVersion": true,
+ "publisher": "Microsoft.Windows.Azure.Extensions",
+ "type": "RDP",
+ "typeHandlerVersion": "1.2.1",
+ "settings": "<PublicConfig>\r\n <UserName>[Insert Username]</UserName>\r\n <Expiration>1/21/2022 12:00:00 AM</Expiration>\r\n</PublicConfig>",
+ "protectedSettings": "<PrivateConfig>\r\n <Password>[Insert Password]</Password>\r\n</PrivateConfig>"
+ }
+ },
+ {
"name": "Microsoft.Insights.VMDiagnosticsSettings_WebRole1",
- "properties": {ΓÇïΓÇïΓÇïΓÇï
+ "properties": {
"autoUpgradeMinorVersion": true, "publisher": "Microsoft.Azure.Diagnostics", "type": "PaaSDiagnostics",
@@ -422,25 +431,14 @@ This tutorial explains how to create a Cloud Service (extended support) deployme
"protectedSettings": "[parameters('wadPrivateConfig_WebRole1')]", "rolesAppliedTo": [ "WebRole1"
- ]
- }ΓÇïΓÇïΓÇïΓÇï
- }ΓÇïΓÇïΓÇïΓÇï,
- {ΓÇïΓÇïΓÇïΓÇï
- "name": "RDPExtension",
- "properties": {ΓÇïΓÇïΓÇïΓÇï
- "autoUpgradeMinorVersion": true,
- "publisher": "Microsoft.Windows.Azure.Extensions",
- "type": "RDP",
- "typeHandlerVersion": "1.2.1",
- "settings": "[parameters('rdpPublicConfig')]",
- "protectedSettings": "[parameters('rdpPrivateConfig')]"
- }ΓÇïΓÇïΓÇïΓÇï
- }ΓÇïΓÇïΓÇïΓÇï
- ]
- }ΓÇïΓÇïΓÇïΓÇï
- }ΓÇïΓÇïΓÇïΓÇï
- }ΓÇïΓÇïΓÇïΓÇï
- ]
+ ]
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
``` 8. Deploy the template and create the Cloud Service (extended support) deployment.
cloud-services-extended-support https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/extensions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/extensions.md a/articles/cloud-services-extended-support/extensions.md
@@ -30,10 +30,10 @@ With basic monitoring, performance counter data from role instances is sampled a
With advanced monitoring, additional metrics are sampled and collected at intervals of 5 minutes, 1 hour, and 12 hours. The aggregated data is stored in a storage account, in tables, and is purged after 10 days. The storage account used is configured by role; you can use different storage accounts for different roles.
-Windows Azure Diagnostics extension can be enabled for Cloud Services (extended support) through [PowerShell](deploy-powershell.md) or [ARM template](deploy-template.md)
+For more information, see [Apply the Windows Azure diagnostics extension in Cloud Services (extended support)](enable-wad.md)
## Next steps - Review the [deployment prerequisites](deploy-prerequisite.md) for Cloud Services (extended support). - Review [frequently asked questions](faq.md) for Cloud Services (extended support).-- Deploy a Cloud Service (extended support) using the [Azure portal](deploy-portal.md), [PowerShell](deploy-powershell.md), [Template](deploy-template.md) or [Visual Studio](deploy-visual-studio.md).\ No newline at end of file
+- Deploy a Cloud Service (extended support) using the [Azure portal](deploy-portal.md), [PowerShell](deploy-powershell.md), [Template](deploy-template.md) or [Visual Studio](deploy-visual-studio.md).
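Review bot: the replacement sentence `For more information, see [Apply the Windows Azure diagnostics extension in Cloud Services (extended support)](enable-wad.md)` has no terminal period; add one.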
cloud-services-extended-support https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/overview.md a/articles/cloud-services-extended-support/overview.md
@@ -22,9 +22,11 @@ With this change, the Azure Service Manager based deployment model for Cloud Ser
## What does not change - You create the code, define the configurations, and deploy it to Azure. Azure sets up the compute environment, runs your code then monitors and maintains it for you.-- Cloud Services (extended support) also supports two types of roles, [web and worker](../cloud-services/cloud-services-choose-me.md). -- The three components, the service definition (.csdef), the service config (.cscfg), and a service package (.cspkg) of a cloud service are carried forward and there is no change in the their [formats](cloud-services-model-and-package.md). -- No changes are required to runtime code as data plane is the same and control plane is only changing.
+- Cloud Services (extended support) also supports two types of roles, [web and worker](../cloud-services/cloud-services-choose-me.md). There are no changes to the design, architecture or components of web and worker roles.
+- The three components of a cloud service, the service definition (.csdef), the service config (.cscfg), and the service package (.cspkg) are carried forward and there is no change in the their [formats](cloud-services-model-and-package.md).
+- No changes are required to runtime code as data plane is the same and control plane is only changing.
+- Azure GuestOS releases and associated updates are aligned with Cloud Services (classic)
+- Underlying update process with respect to update domains, how upgrade proceeds, rollback and allowed service changes during an update don't change
## Changes in deployment model
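Review bot: the rewritten .csdef/.cscfg/.cspkg bullet carries over the typo "in the their [formats]"; drop the extra "the". The two new bullets ("Azure GuestOS releases..." and "Underlying update process...") end without periods while the earlier bullets have them, and the last one is a run-on; consider "The underlying update process (update domains, how an upgrade proceeds, rollback, and the service changes allowed during an update) does not change."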
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/LUIS/luis-concept-best-practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/luis-concept-best-practices.md a/articles/cognitive-services/LUIS/luis-concept-best-practices.md
@@ -136,7 +136,7 @@ Use [active learning](luis-how-to-review-endpoint-utterances.md)'s **Review endp
## Do monitor the performance of your app
-Monitor the prediction accuracy using a [batch test](luis-concept-batch-test.md) set.
+Monitor the prediction accuracy using a [batch test](./luis-how-to-batch-test.md) set.
Keep a separate set of utterances that aren't used as [example utterances](luis-concept-utterance.md) or endpoint utterances. Keep improving the app for your test set. Adapt the test set to reflect real user utterances. Use this test set to evaluate each iteration or version of the app.
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/LUIS/luis-concept-devops-sourcecontrol https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/luis-concept-devops-sourcecontrol.md a/articles/cognitive-services/LUIS/luis-concept-devops-sourcecontrol.md
@@ -68,7 +68,7 @@ The following types of files for your LUIS application should be maintained unde
- [Unit Test definition files](luis-concept-devops-testing.md#writing-tests) (utterances and expected results) -- [Batch test files](./luis-concept-batch-test.md#batch-file-format) (utterances and expected results) used for performance testing
+- [Batch test files](./luis-how-to-batch-test.md#batch-test-file) (utterances and expected results) used for performance testing
### Credentials and keys are not checked in
@@ -210,4 +210,4 @@ When your changes in your PR are merged into main, that is when the versioning s
## Next steps * Learn about [testing for LUIS DevOps](luis-concept-devops-testing.md)
-* Learn how to [implement DevOps for LUIS with GitHub](luis-how-to-devops-with-github.md)
\ No newline at end of file
+* Learn how to [implement DevOps for LUIS with GitHub](luis-how-to-devops-with-github.md)
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/LUIS/luis-concept-devops-testing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/luis-concept-devops-testing.md a/articles/cognitive-services/LUIS/luis-concept-devops-testing.md
@@ -23,7 +23,7 @@ There are two different kinds of testing for a LUIS app that you need to perform
This kind of testing is similar to [Interactive testing](./luis-concept-test.md) that you can do in the [LUIS portal](https://www.luis.ai/). - **Batch tests** - Batch testing is a comprehensive test on your current trained model to measure its performance. Unlike unit tests, batch testing isn't pass|fail testing. The expectation with batch testing is not that every test will return the expected intent and expected entities. Instead, a batch test helps you view the accuracy of each intent and entity in your app and helps you to compare over time as you make improvements.
-This kind of testing is the same as the [Batch testing](./luis-concept-batch-test.md) that you can perform interactively in the LUIS portal.
+This kind of testing is the same as the [Batch testing](./luis-how-to-batch-test.md) that you can perform interactively in the LUIS portal.
You can employ unit testing from the beginning of your project. Batch testing is only really of value once you've developed the schema of your LUIS app and you're working on improving its accuracy.
@@ -37,7 +37,7 @@ When you write a set of tests, for each test you need to define:
* Expected intent * Expected entities.
-Use the LUIS [batch file syntax](./luis-concept-batch-test.md#batch-syntax-template-for-intents-with-entities) to define a group of tests in a JSON-formatted file. For example:
+Use the LUIS [batch file syntax](./luis-how-to-batch-test.md#batch-syntax-template-for-intents-with-entities) to define a group of tests in a JSON-formatted file. For example:
```JSON [
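Review bot: the retargeted link in `Use the LUIS [batch file syntax](./luis-how-to-batch-test.md#batch-syntax-template-for-intents-with-entities)` reuses the anchor from the deleted concept page; the other retargeted links in this commit (luis-concept-devops-sourcecontrol and luis-glossary) point at `#batch-test-file` on the how-to page, so confirm that a `batch-syntax-template-for-intents-with-entities` heading actually exists in luis-how-to-batch-test.md, otherwise the fragment silently fails.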
@@ -80,7 +80,7 @@ In unit tests, it's a good idea to test that your key entities have been returne
#### Designing Batch tests
-Batch test sets should contain a large number of test cases, designed to test across all intents and all entities in your LUIS app. See [Batch testing in the LUIS portal](./luis-concept-batch-test.md) for information on defining a batch test set.
+Batch test sets should contain a large number of test cases, designed to test across all intents and all entities in your LUIS app. See [Batch testing in the LUIS portal](./luis-how-to-batch-test.md) for information on defining a batch test set.
### Running tests
@@ -88,7 +88,7 @@ The LUIS portal offers features to help with interactive testing:
* [**Interactive testing**](./luis-concept-test.md) allows you to submit a sample utterance and get a response of LUIS-recognized intents and entities. You verify the success of the test by visual inspection.
-* [**Batch testing**](./luis-concept-batch-test.md) uses a batch test file as input to validate your active trained version to measure its prediction accuracy. A batch test helps you view the accuracy of each intent and entity in your active version, displaying results with a chart.
+* [**Batch testing**](./luis-how-to-batch-test.md) uses a batch test file as input to validate your active trained version to measure its prediction accuracy. A batch test helps you view the accuracy of each intent and entity in your active version, displaying results with a chart.
#### Running tests in an automated build workflow
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/LUIS/luis-concept-test https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/luis-concept-test.md a/articles/cognitive-services/LUIS/luis-concept-test.md
@@ -30,7 +30,7 @@ See [Prediction score](luis-concept-prediction-score.md) concepts to learn more
Interactive testing is done from the **Test** panel of the LUIS portal. You can enter an utterance to see how intents and entities are identified and scored. If LUIS isn't predicting the intents and entities as you expect on an utterance in the testing panel, copy it to the **Intent** page as a new utterance. Then label the parts of that utterance for entities, and train LUIS. ## Batch testing
-See [batch testing](luis-concept-batch-test.md) if you are testing more than one utterance at a time.
+See [batch testing](./luis-how-to-batch-test.md) if you are testing more than one utterance at a time.
## Endpoint testing You can test using the [endpoint](luis-glossary.md#endpoint) with a maximum of two versions of your app. With your main or live version of your app set as the **production** endpoint, add a second version to the **staging** endpoint. This approach gives you three versions of an utterance: the current model in the Test pane of the [LUIS](luis-reference-regions.md) website, and the two versions at the two different endpoints.
@@ -53,4 +53,4 @@ Learn [best practices](luis-concept-best-practices.md).
## Next steps
-* Learn more about [testing](luis-interactive-test.md) your utterances.
+* Learn more about [testing](luis-interactive-test.md) your utterances.
\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/LUIS/luis-glossary https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/luis-glossary.md a/articles/cognitive-services/LUIS/luis-glossary.md
@@ -45,12 +45,13 @@ The authoring resource has an Azure "kind" of `LUIS-Authoring`.
## Batch test
-Batch testing is the ability to validate a current LUIS app's models with a consistent and known test set of user utterances. The batch test is defined in a [JSON formatted file](luis-concept-batch-test.md#batch-file-format).
+Batch testing is the ability to validate a current LUIS app's models with a consistent and known test set of user utterances. The batch test is defined in a [JSON formatted file](./luis-how-to-batch-test.md#batch-test-file).
+ See also:
-* [Concepts](luis-concept-batch-test.md)
+* [Concepts](./luis-how-to-batch-test.md)
* [How-to](luis-how-to-batch-test.md) run a batch test
-* [Tutorial](luis-tutorial-batch-testing.md) - create and run a batch test
+* [Tutorial](./luis-how-to-batch-test.md) - create and run a batch test
### F-measure
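Review bot: after this change the three "See also" bullets (`Concepts`, `How-to`, `Tutorial`) all resolve to luis-how-to-batch-test.md, so the list is three links to one page under three labels. Collapse it to a single bullet pointing at the how-to, or keep only the distinct targets.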
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/LUIS/luis-how-to-batch-test https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/luis-how-to-batch-test.md a/articles/cognitive-services/LUIS/luis-how-to-batch-test.md
@@ -96,7 +96,7 @@ The example JSON includes one utterance with a labeled entity to illustrate what
To review the batch test results, select **See results**. The test results show graphically how the test utterances were predicted against the active version.
-The batch chart displays four quadrants of results. To the right of the chart is a filter. The filter contains intents and entities. When you select a [section of the chart](luis-concept-batch-test.md#batch-test-results) or a point within the chart, the associated utterance(s) display below the chart.
+The batch chart displays four quadrants of results. To the right of the chart is a filter. The filter contains intents and entities. When you select a [section of the chart](#review-batch-results-for-intents) or a point within the chart, the associated utterance(s) display below the chart.
While hovering over the chart, a mouse wheel can enlarge or reduce the display in the chart. This is useful when there are many points on the chart clustered tightly together.
@@ -163,7 +163,7 @@ The two sections of the chart in green did match the expected prediction.
## Batch testing using the REST API
-LUIS lets you batch test using the LUIS portal and REST API. The endpoints for the REST API are listed below. For information on batch testing using the LUIS portal, see [Tutorial: batch test data sets](luis-tutorial-batch-testing.md). Use the complete URLs below, replacing the placeholder values with your own LUIS Prediction key and endpoint.
+LUIS lets you batch test using the LUIS portal and REST API. The endpoints for the REST API are listed below. For information on batch testing using the LUIS portal, see [Tutorial: batch test data sets](). Use the complete URLs below, replacing the placeholder values with your own LUIS Prediction key and endpoint.
Remember to add your LUIS key to `Ocp-Apim-Subscription-Key` in the header, and set `Content-Type` to `application/json`.
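Review bot: the edited sentence now contains an empty link, `see [Tutorial: batch test data sets]()`; with the tutorial page removed, either point it at `./luis-how-to-batch-test.md` (as the other retargets in this commit do) or delete the clause, since an empty target renders as a dead link.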
@@ -262,5 +262,3 @@ If testing indicates that your LUIS app doesn't recognize the correct intents an
* [Label suggested utterances with LUIS](luis-how-to-review-endpoint-utterances.md) * [Use features to improve your LUIS app's performance](luis-how-to-add-features.md)
-* [Understand batch testing with this tutorial](luis-tutorial-batch-testing.md)
-* [Learn batch testing concepts](luis-concept-batch-test.md).
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/LUIS/luis-how-to-train https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/luis-how-to-train.md a/articles/cognitive-services/LUIS/luis-how-to-train.md
@@ -37,9 +37,15 @@ Training date and time are GMT + 2.
## Train with all data
-Training uses a small percentage of negative sampling. If you want to use all data instead of the small negative sampling, use the [API](#version-settings-api-use-of-usealltrainingdata).
+Training uses a small percentage of negative sampling. You can use all available data instead using either the portal or API.
-### Version settings API use of UseAllTrainingData
+### Using the LUIS portal
+
+Log into the [LUIS portal](https://www.luis.ai/) and click on your app. Select **Manage** at the top of the screen, then select **Settings** and enable or disable the **use-deterministic training** option. When disabled, training will use all available data.
+
+![A button for enabling or disabling non deterministic training](./media/non-determinstic-training.png)
+
+### Using the version settings API
Use the [Version settings API](https://westus.dev.cognitive.microsoft.com/docs/services/5890b47c39e2bb17b84a55ff/operations/versions-update-application-version-settings) with the `UseAllTrainingData` set to true to turn off this feature.
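Review bot: the new portal step says to "enable or disable the **use-deterministic training** option. When disabled, training will use all available data", while the API paragraph below says to set `UseAllTrainingData` to true "to turn off this feature"; state explicitly in one place that the two settings are inverses of each other so readers do not assume they mean the same thing. Also check the image path `./media/non-determinstic-training.png`: "determinstic" is missing an "i", and the filename must match the file actually added.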
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/LUIS/luis-interactive-test https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/luis-interactive-test.md a/articles/cognitive-services/LUIS/luis-interactive-test.md
@@ -114,11 +114,11 @@ If you have several LUIS endpoints, use the **Additional Settings** link on the
## Batch testing
-See batch testing [concepts](luis-concept-batch-test.md) and learn [how to](luis-how-to-batch-test.md) test a batch of utterances.
+See batch testing [concepts](./luis-how-to-batch-test.md) and learn [how to](luis-how-to-batch-test.md) test a batch of utterances.
## Next steps If testing indicates that your LUIS app doesn't recognize the correct intents and entities, you can work to improve your LUIS app's accuracy by labeling more utterances or adding features. * [Label suggested utterances with LUIS](luis-how-to-review-endpoint-utterances.md)
-* [Use features to improve your LUIS app's performance](luis-how-to-add-features.md)
+* [Use features to improve your LUIS app's performance](luis-how-to-add-features.md)
\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/LUIS/luis-migration-authoring https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/luis-migration-authoring.md a/articles/cognitive-services/LUIS/luis-migration-authoring.md
@@ -76,7 +76,7 @@ A `*` symbol will appear next to the application name if you have a prediction r
> ![Export your applications.](./media/migrate-authoring-key/migration-export-apps.png)
-4. In the window for migrating regions, you will be asked to migrate your applications to an Azure resource in the same region they were authored in. LUIS has three authoring regions [and portals](https://docs.microsoft.com/azure/cognitive-services/luis/luis-reference-regions#luis-authoring-regions). The window will show the regions where your owned applications were authored. The displayed migration regions may be different depending on the regional portal you use, and apps you've authored.
+4. In the window for migrating regions, you will be asked to migrate your applications to an Azure resource in the same region they were authored in. LUIS has three authoring regions [and portals](./luis-reference-regions.md#luis-authoring-regions). The window will show the regions where your owned applications were authored. The displayed migration regions may be different depending on the regional portal you use, and apps you've authored.
> [!div class="mx-imgBorder"] > ![Multi region migration.](./media/migrate-authoring-key/migration-regional-flow.png)
@@ -157,4 +157,4 @@ If you are having any issues with the migration that are not addressed in the tr
## Next steps * Review [concepts about authoring and runtime keys](luis-how-to-azure-subscription.md)
-* Review how to [assign keys](luis-how-to-azure-subscription.md) and [add contributors](luis-how-to-collaborate.md)
+* Review how to [assign keys](luis-how-to-azure-subscription.md) and [add contributors](luis-how-to-collaborate.md)
\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/LUIS/sign-in-luis-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/sign-in-luis-portal.md a/articles/cognitive-services/LUIS/sign-in-luis-portal.md
@@ -42,8 +42,8 @@ Use this article to get started with the LUIS portal, and create an authoring re
* **Tenant Name** - the tenant your Azure subscription is associated with. You will not be able to switch tenants from the existing window. You can switch tenants by closing this window and selecting the avatar at the top right corner of the screen, containing your initials. Select **Choose a different authoring resource** from the top to re-open the window. * **Azure Resource group name** - a custom resource group name you choose in your subscription. Resource groups allow you to group Azure resources for access and management. If you currently do not have a resource group in your subscription, you will not be allowed to create one in the LUIS portal. Go to [Azure portal](https://ms.portal.azure.com/#create/Microsoft.ResourceGroup) to create one then go to LUIS to continue the sign-in process. * **Azure Resource name** - a custom name you choose, used as part of the URL for your authoring transactions. Your resource name can only include alphanumeric characters, `-`, and canΓÇÖt start or end with `-`. If any other symbols are included in the name, creating a resource will fail.
- * **Location** - Choose to author your applications in one of the [three authoring locations](https://docs.microsoft.com/azure/cognitive-services/luis/luis-reference-regions) that are currently supported by LUIS including: West Us, West Europe and East Australia
- * **Pricing tier** - By default, F0 authoring pricing tier is selected as it is the recommended. Create a [customer managed key](https://docs.microsoft.com/azure/cognitive-services/luis/luis-encryption-of-data-at-rest#customer-managed-keys-for-language-understanding) from the Azure portal if you are looking for an extra layer of security.
+ * **Location** - Choose to author your applications in one of the [three authoring locations](./luis-reference-regions.md) that are currently supported by LUIS including: West Us, West Europe and East Australia
+ * **Pricing tier** - By default, F0 authoring pricing tier is selected as it is the recommended. Create a [customer managed key](./luis-encryption-of-data-at-rest.md#customer-managed-keys-for-language-understanding) from the Azure portal if you are looking for an extra layer of security.
8. Now you have successfully signed in to LUIS. You can now start creating applications. ## Troubleshooting
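Review bot: The two rewritten bullets carry wording errors that this link-only edit could have fixed at the same time. In the **Location** bullet, "West Us" should be "West US" to match the other region names, and "East Australia" should be checked against the region list in luis-reference-regions.md (the link target of this change), since that is not how the region is named elsewhere in Azure docs. In the **Pricing tier** bullet, "as it is the recommended" is missing its noun ("the recommended tier"), and the customer managed key sentence is about encryption of data at rest rather than the pricing tier; it would read better as its own sentence or bullet so readers do not take it as a tier option.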
@@ -53,4 +53,4 @@ Use this article to get started with the LUIS portal, and create an authoring re
## Next steps
-* Learn how to [start a new app](luis-how-to-start-new-app.md)
+* Learn how to [start a new app](luis-how-to-start-new-app.md)
\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/LUIS/troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/troubleshooting.md a/articles/cognitive-services/LUIS/troubleshooting.md
@@ -172,7 +172,7 @@ The errors indicate that there is some discrepancy between your labels and the p
* To help LUIS improve discrimination among intents, add more labels. * To help LUIS learn faster, add phrase-list features that introduce domain-specific vocabulary.
-See the [Batch testing](luis-tutorial-batch-testing.md) tutorial.
+See the [Batch testing](./luis-how-to-batch-test.md) tutorial.
### When an app is exported then reimported into a new app (with a new app ID), the LUIS prediction scores are different. Why does this happen?
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/LUIS/what-is-luis https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/LUIS/what-is-luis.md a/articles/cognitive-services/LUIS/what-is-luis.md
@@ -61,7 +61,7 @@ Design your model with categories of user intentions called **[intents](luis-con
|`When does your store open?`|StoreHoursAndLocation|open| |`Schedule a meeting at 1pm with Bob in Distribution`|ScheduleMeeting|1pm, Bob|
-Build the model with the [authoring](https://go.microsoft.com/fwlink/?linkid=2092087 "authoring") APIs, or with the **[LUIS portal](https://www.luis.ai "LUIS portal")**, or both. Learn more how to build with the [portal](get-started-portal-build-app.md "portal") and the [SDK client libraries](azure-sdk-quickstart.md "SDK client libraries").
+Build the model with the [authoring](https://go.microsoft.com/fwlink/?linkid=2092087 "authoring") APIs, or with the **[LUIS portal](https://www.luis.ai "LUIS portal")**, or both. Learn more how to build with the [portal](get-started-portal-build-app.md "portal") and the [SDK client libraries](./client-libraries-rest-api.md?pivots=rest-api "SDK client libraries").
## Step 2: Get the query prediction
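Review bot: The replacement link target `./client-libraries-rest-api.md?pivots=rest-api` preselects the REST API pivot, but the link text still says "SDK client libraries", so readers who click it land on the REST tab rather than an SDK one. Either drop the `?pivots=rest-api` query so the page opens on its default pivot, or change the link text to "REST API and SDK client libraries". The same link and pivot appear again in the "Learn with the Quickstarts" hunk of this file below, which needs the same fix.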
@@ -123,7 +123,7 @@ LUIS provides functionality from Text Analytics as part of your existing LUIS re
## Learn with the Quickstarts
-Learn about LUIS with hands-on quickstarts using the [portal](get-started-portal-build-app.md "portal") and the [SDK client libraries](azure-sdk-quickstart.md "SDK client libraries").
+Learn about LUIS with hands-on quickstarts using the [portal](get-started-portal-build-app.md "portal") and the [SDK client libraries](./client-libraries-rest-api.md?pivots=rest-api "SDK client libraries").
## Deploy on premises using Docker containers
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/QnAMaker/How-To/add-sharepoint-datasources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/QnAMaker/How-To/add-sharepoint-datasources.md a/articles/cognitive-services/QnAMaker/How-To/add-sharepoint-datasources.md
@@ -127,7 +127,7 @@ The Active Directory manager will get a pop-up window requesting permissions to
There is a workaround to add latest SharePoint content via API using Azure blob storage, below are the steps: 1. Download the SharePoint files locally. The user calling the API needs to have access to SharePoint.
-1. Upload them on the Azure blob stoarge. This will create a secure shared access by [using SAS token.](https://docs.microsoft.com/azure/storage/common/storage-sas-overview#how-a-shared-access-signature-works)
+1. Upload them on the Azure blob stoarge. This will create a secure shared access by [using SAS token.](../../../storage/common/storage-sas-overview.md#how-a-shared-access-signature-works)
1. Pass the blob URL generated with the SAS token to the QnA Maker API. To allow the Question Answers extraction from the files, you need to add the suffix file type as '&ext=pdf' or '&ext=doc' at the end of the URL before passing it to QnA Maker API>
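Review bot: The rewritten step 2 keeps the typo "stoarge" (should be "storage"), and the link text "using SAS token." wraps the trailing period inside the link. More importantly, the step says the upload "will create a secure shared access", but the SAS token in the blob URL is the only credential protecting those files and it is handed to QnA Maker in step 3; the step should state that the SAS should be read-only and short-lived, and that the URL should not be logged or reused. Step 3 also ends in a stray ">" after "QnA Maker API" that should be a period.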
@@ -187,4 +187,4 @@ Use the **@microsoft.graph.downloadUrl** from the previous section as the `fileu
## Next steps > [!div class="nextstepaction"]
-> [Collaborate on your knowledge base](../index.yml)
+> [Collaborate on your knowledge base](../index.yml)
\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/QnAMaker/How-To/set-up-qnamaker-service-azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/QnAMaker/How-To/set-up-qnamaker-service-azure.md a/articles/cognitive-services/QnAMaker/How-To/set-up-qnamaker-service-azure.md
@@ -124,12 +124,12 @@ Learn more about how to configure the App Service [General settings](../../../ap
### Configure App Service Environment to host QnA Maker App Service The App Service Environment(ASE) can be used to host QnA Maker App service. Please follow the steps below:
-1. Create an App Service Environment and mark it as ΓÇ£externalΓÇ¥. Please follow the [tutorial](https://docs.microsoft.com/azure/app-service/environment/create-external-ase) for instructions.
+1. Create an App Service Environment and mark it as ΓÇ£externalΓÇ¥. Please follow the [tutorial](../../../app-service/environment/create-external-ase.md) for instructions.
2. Create an App service inside the App Service Environment. * Check the configuration for the App service and add 'PrimaryEndpointKey' as an application setting. The value for 'PrimaryEndpointKey' should be set to ΓÇ£\<app-name\>-PrimaryEndpointKeyΓÇ¥. The App Name is defined in the App service URL. For instance, if the App service URL is "mywebsite.myase.p.azurewebsite.net", then the app-name is "mywebsite". In this case, the value for 'PrimaryEndpointKey' should be set to ΓÇ£mywebsite-PrimaryEndpointKeyΓÇ¥. * Create an Azure search service. * Ensure Azure Search and App Settings are appropriately configured.
- Please follow this [tutorial](https://docs.microsoft.com/azure/cognitive-services/qnamaker/reference-app-service?tabs=v1#app-service).
+ Please follow this [tutorial](../reference-app-service.md?tabs=v1#app-service).
3. Update the Network Security Group associated with the App Service Environment * Update pre-created Inbound Security Rules as per your requirements. * Add a new Inbound Security Rule with source as 'Service Tag' and source service tag as 'CognitiveServicesManagement'.
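Review bot: Step 3 tells the reader to add an inbound NSG rule with source service tag 'CognitiveServicesManagement' but gives no destination port range or protocol, so a reader following it literally may open all ports from that tag; the step should state exactly which ports the rule needs. Step 1 also renders the quotation marks around external as mojibake ("ΓÇ£externalΓÇ¥"), which suggests smart quotes in the source; plain ASCII quotes would avoid that. Finally, "App service" and "App Service" are mixed throughout this hunk; the product name is "App Service".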
@@ -386,4 +386,4 @@ If you delete any of the Azure resources used for your QnA Maker knowledge bases
Learn more about the [App service](../../../app-service/index.yml) and [Search service](../../../search/index.yml). > [!div class="nextstepaction"]
-> [Learn how to author with others](../index.yml)
+> [Learn how to author with others](../index.yml)
\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/QnAMaker/includes/quickstart-sdk-csharp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/QnAMaker/includes/quickstart-sdk-csharp.md a/articles/cognitive-services/QnAMaker/includes/quickstart-sdk-csharp.md
@@ -172,13 +172,13 @@ In the application's `Main` method, add variables and code, shown in the followi
# [QnA Maker GA (stable release)](#tab/version-1)
-[QnA Maker](https://docs.microsoft.com/dotnet/api/microsoft.azure.cognitiveservices.knowledge.qnamaker?view=azure-dotnet) uses two different object models:
+[QnA Maker](/dotnet/api/microsoft.azure.cognitiveservices.knowledge.qnamaker?view=azure-dotnet) uses two different object models:
* **[QnAMakerClient](#qnamakerclient-object-model)** is the object to create, manage, publish, and download the knowledgebase. * **[QnAMakerRuntime](#qnamakerruntimeclient-object-model)** is the object to query the knowledge base with the GenerateAnswer API and send new suggested questions using the Train API (as part of [active learning](../concepts/active-learning-suggestions.md)). # [QnA Maker managed (preview release)](#tab/version-2)
-[QnA Maker](https://docs.microsoft.com/dotnet/api/microsoft.azure.cognitiveservices.knowledge.qnamaker?view=azure-dotnet) uses the following object model:
+[QnA Maker](/dotnet/api/microsoft.azure.cognitiveservices.knowledge.qnamaker?view=azure-dotnet) uses the following object model:
* **[QnAMakerClient](#qnamakerclient-object-model)** is the object to create, manage, publish, download, and query the knowledgebase.
@@ -413,4 +413,4 @@ The source code for this sample can be found on [GitHub](https://github.com/Azur
The source code for this sample can be found on [GitHub](https://github.com/Azure-Samples/cognitive-services-quickstart-code/tree/master/dotnet/QnAMaker/Preview-sdk-based-quickstart). -+\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/QnAMaker/includes/quickstart-sdk-nodejs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/QnAMaker/includes/quickstart-sdk-nodejs.md a/articles/cognitive-services/QnAMaker/includes/quickstart-sdk-nodejs.md
@@ -19,7 +19,7 @@ Use the QnA Maker client library for Node.js to:
* Get an answer from a knowledgebase * Delete knowledge base
-[Reference documentation](https://docs.microsoft.com/javascript/api/@azure/cognitiveservices-qnamaker/?view=azure-node-latest) | [Library source code](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/cognitiveservices/cognitiveservices-qnamaker) | [Package (npm)](https://www.npmjs.com/package/@azure/cognitiveservices-qnamaker) | [Node.js Samples](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/javascript/QnAMaker/sdk/qnamaker_quickstart.js)
+[Reference documentation](/javascript/api/@azure/cognitiveservices-qnamaker/?view=azure-node-latest) | [Library source code](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/cognitiveservices/cognitiveservices-qnamaker) | [Package (npm)](https://www.npmjs.com/package/@azure/cognitiveservices-qnamaker) | [Node.js Samples](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/javascript/QnAMaker/sdk/qnamaker_quickstart.js)
# [QnA Maker managed (preview release)](#tab/version-2)
@@ -33,7 +33,7 @@ Use the QnA Maker client library for Node.js to:
* Get an answer from a knowledgebase * Delete knowledge base
-[Reference documentation](https://docs.microsoft.com/javascript/api/@azure/cognitiveservices-qnamaker/?view=azure-node-latest) | [Library source code](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/cognitiveservices/cognitiveservices-qnamaker) | [Package (npm)](https://www.npmjs.com/package/@azure/cognitiveservices-qnamaker) | [Node.js Samples](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/javascript/QnAMaker/sdk/preview-sdk/quickstart.js)
+[Reference documentation](/javascript/api/@azure/cognitiveservices-qnamaker/?view=azure-node-latest) | [Library source code](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/cognitiveservices/cognitiveservices-qnamaker) | [Package (npm)](https://www.npmjs.com/package/@azure/cognitiveservices-qnamaker) | [Node.js Samples](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/javascript/QnAMaker/sdk/preview-sdk/quickstart.js)
@@ -144,13 +144,13 @@ Create a variable for your resource's Azure key and resource name.
# [QnA Maker GA (stable release)](#tab/version-1)
-[QnA Maker](https://docs.microsoft.com/javascript/api/@azure/cognitiveservices-qnamaker/?view=azure-node-latest) uses two different object models:
+[QnA Maker](/javascript/api/@azure/cognitiveservices-qnamaker/?view=azure-node-latest) uses two different object models:
* **[QnAMakerClient](#qnamakerclient-object-model)** is the object to create, manage, publish, and download the knowledgebase. * **[QnAMakerRuntime](#qnamakerruntimeclient-object-model)** is the object to query the knowledge base with the GenerateAnswer API and send new suggested questions using the Train API (as part of [active learning](../concepts/active-learning-suggestions.md)). # [QnA Maker managed (preview release)](#tab/version-2)
-[QnA Maker](https://docs.microsoft.com/javascript/api/@azure/cognitiveservices-qnamaker/?view=azure-node-latest) uses the following object model:
+[QnA Maker](/javascript/api/@azure/cognitiveservices-qnamaker/?view=azure-node-latest) uses the following object model:
* **[QnAMakerClient](#qnamakerclient-object-model)** is the object to create, manage, publish, download, and query the knowledgebase.
@@ -171,7 +171,7 @@ The prediction QnA Maker client is a QnAMakerRuntimeClient object that authentic
# [QnA Maker managed (preview release)](#tab/version-2)
-A QnA Maker managed resource does not require the use of the QnAMakerRuntimeClient object. Instead, you call [generateAnswer](https://docs.microsoft.com/javascript/api/@azure/cognitiveservices-qnamaker/knowledgebase?view=azure-node-latest#generateAnswer_string__QueryDTO__msRest_RequestOptionsBase_) directly on the [QnAMakerClient](https://docs.microsoft.com/javascript/api/@azure/cognitiveservices-qnamaker/qnamakerclient?view=azure-node-latest) object.
+A QnA Maker managed resource does not require the use of the QnAMakerRuntimeClient object. Instead, you call [generateAnswer](/javascript/api/@azure/cognitiveservices-qnamaker/knowledgebase?view=azure-node-latest#generateAnswer_string__QueryDTO__msRest_RequestOptionsBase_) directly on the [QnAMakerClient](/javascript/api/@azure/cognitiveservices-qnamaker/qnamakerclient?view=azure-node-latest) object.
@@ -317,7 +317,7 @@ Use the QnAMakerRuntimeClient to get an answer from the knowledge or to send new
### Generate an answer from the knowledge base
-Generate an answer from a published knowledge base using the RuntimeClient.runtime.generateAnswer method. This method accepts the knowledge base ID and the [QueryDTO](https://docs.microsoft.com/javascript/api/@azure/cognitiveservices-qnamaker/querydto). Access additional properties of the QueryDTO, such a Top and Context to use in your chat bot.
+Generate an answer from a published knowledge base using the RuntimeClient.runtime.generateAnswer method. This method accepts the knowledge base ID and the [QueryDTO](/javascript/api/@azure/cognitiveservices-qnamaker/querydto). Access additional properties of the QueryDTO, such a Top and Context to use in your chat bot.
[!code-javascript[Generate an answer from a knowledge base](~/cognitive-services-quickstart-code/javascript/QnAMaker/sdk/qnamaker_quickstart.js?name=GenerateAnswer)]
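Review bot: "such a Top and Context" in the rewritten sentence should be "such as Top and Context", and the two property names would be clearer as code spans (`top`, `context`) since they are fields of the QueryDTO object the sentence links to. The identical sentence in the preview-tab hunk of this file below has the same typo.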
@@ -325,7 +325,7 @@ Generate an answer from a published knowledge base using the RuntimeClient.runti
### Generate an answer from the knowledge base
-Generate an answer from a published knowledge base using the QnAMakerClient.knowledgebase.generateAnswer method. This method accepts the knowledge base ID and the [QueryDTO](https://docs.microsoft.com/javascript/api/@azure/cognitiveservices-qnamaker/querydto). Access additional properties of the QueryDTO, such a Top and Context to use in your chat bot.
+Generate an answer from a published knowledge base using the QnAMakerClient.knowledgebase.generateAnswer method. This method accepts the knowledge base ID and the [QueryDTO](/javascript/api/@azure/cognitiveservices-qnamaker/querydto). Access additional properties of the QueryDTO, such a Top and Context to use in your chat bot.
[!code-javascript[Generate an answer from a knowledge base](~/cognitive-services-quickstart-code/javascript/QnAMaker/sdk/preview-sdk/quickstart.js?name=GenerateAnswer)]
@@ -379,4 +379,4 @@ The source code for this sample can be found on [GitHub](https://github.com/Azur
The source code for this sample can be found on [GitHub](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/javascript/QnAMaker/sdk/preview-sdk/quickstart.js). -+\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/QnAMaker/includes/quickstart-sdk-python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/QnAMaker/includes/quickstart-sdk-python.md a/articles/cognitive-services/QnAMaker/includes/quickstart-sdk-python.md
@@ -18,7 +18,7 @@ Use the QnA Maker client library for python to:
* Get an answer from a knowledgebase * Delete knowledge base
-[Reference documentation](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker?view=azure-python) | [Library source code](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/cognitiveservices/azure-cognitiveservices-knowledge-qnamaker) | [Package (PyPi)](https://pypi.org/project/azure-cognitiveservices-knowledge-qnamaker/0.2.0/) | [Python samples](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/python/QnAMaker/sdk/quickstart.py)
+[Reference documentation](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker?view=azure-python) | [Library source code](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/cognitiveservices/azure-cognitiveservices-knowledge-qnamaker) | [Package (PyPi)](https://pypi.org/project/azure-cognitiveservices-knowledge-qnamaker/0.2.0/) | [Python samples](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/python/QnAMaker/sdk/quickstart.py)
# [QnA Maker managed (preview release)](#tab/version-2)
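Review bot: The GA tab's PyPI link is pinned to a specific release (`azure-cognitiveservices-knowledge-qnamaker/0.2.0/`) while the preview tab's PyPI link in the next hunk is unpinned. If 0.2.0 is the intended GA version, say so in the install step so the pin and the instructions agree; otherwise unpin it, because a pinned package page will point readers to a stale release once a newer GA version ships.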
@@ -32,7 +32,7 @@ Use the QnA Maker client library for python to:
* Get an answer from a knowledgebase * Delete knowledge base
-[Reference documentation](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker?view=azure-python) | [Library source code](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/cognitiveservices/azure-cognitiveservices-knowledge-qnamaker) | [Package (PyPi)](https://pypi.org/project/azure-cognitiveservices-knowledge-qnamaker/) | [Python samples](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/python/QnAMaker/sdk/preview-sdk/quickstart.py)
+[Reference documentation](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker?view=azure-python) | [Library source code](https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/cognitiveservices/azure-cognitiveservices-knowledge-qnamaker) | [Package (PyPi)](https://pypi.org/project/azure-cognitiveservices-knowledge-qnamaker/) | [Python samples](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/python/QnAMaker/sdk/preview-sdk/quickstart.py)
@@ -126,13 +126,13 @@ Create variables for your resource's Azure endpoint and key.
# [QnA Maker GA (stable release)](#tab/version-1)
-[QnA Maker](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker?view=azure-python) uses two different object models:
+[QnA Maker](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker?view=azure-python) uses two different object models:
* **[QnAMakerClient](#qnamakerclient-object-model)** is the object to create, manage, publish, and download the knowledgebase. * **[QnAMakerRuntime](#qnamakerruntimeclient-object-model)** is the object to query the knowledge base with the GenerateAnswer API and send new suggested questions using the Train API (as part of [active learning](../concepts/active-learning-suggestions.md)). # [QnA Maker managed (preview release)](#tab/version-2)
-[QnA Maker](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker?view=azure-python) uses the following object model:
+[QnA Maker](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker?view=azure-python) uses the following object model:
* **[QnAMakerClient](#qnamakerclient-object-model)** is the object to create, manage, publish, download, and query the knowledgebase.
@@ -141,29 +141,29 @@ Create variables for your resource's Azure endpoint and key.
### QnAMakerClient object model
-The authoring QnA Maker client is a [QnAMakerClient](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.qn_amaker_client.qnamakerclient?view=azure-python) object that authenticates to Azure using Microsoft.Rest.ServiceClientCredentials, which contains your key.
+The authoring QnA Maker client is a [QnAMakerClient](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.qn_amaker_client.qnamakerclient?view=azure-python) object that authenticates to Azure using Microsoft.Rest.ServiceClientCredentials, which contains your key.
-Once the client is created, use the [Knowledge base](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebase_operations.knowledgebaseoperations?view=azure-python) property to create, manage, and publish your knowledge base.
+Once the client is created, use the [Knowledge base](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebase_operations.knowledgebaseoperations?view=azure-python) property to create, manage, and publish your knowledge base.
-Manage your knowledge base by sending a JSON object. For immediate operations, a method usually returns a JSON object indicating status. For long-running operations, the response is the operation ID. Call the [operations.get_details](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebase_operations.knowledgebaseoperations?view=azure-python#get-details-kb-id--custom-headers-none--raw-false-operation-config-) method with the operation ID to determine the [status of the request](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.operationstatetype?view=azure-python).
+Manage your knowledge base by sending a JSON object. For immediate operations, a method usually returns a JSON object indicating status. For long-running operations, the response is the operation ID. Call the [operations.get_details](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebase_operations.knowledgebaseoperations?view=azure-python#get-details-kb-id--custom-headers-none--raw-false-operation-config-) method with the operation ID to determine the [status of the request](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.operationstatetype?view=azure-python).
### QnAMakerRuntimeClient object model # [QnA Maker GA (stable release)](#tab/version-1)
-The prediction QnA Maker client is a `QnAMakerRuntimeClient` object that authenticates to Azure using Microsoft.Rest.ServiceClientCredentials, which contains your prediction runtime key, returned from the authoring client call, [client.EndpointKeysOperations.get_keys](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.endpoint_keys_operations.endpointkeysoperations?view=azure-python#get-keys-custom-headers-none--raw-false-operation-config-) after the knowledgebase is published.
+The prediction QnA Maker client is a `QnAMakerRuntimeClient` object that authenticates to Azure using Microsoft.Rest.ServiceClientCredentials, which contains your prediction runtime key, returned from the authoring client call, [client.EndpointKeysOperations.get_keys](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.endpoint_keys_operations.endpointkeysoperations?view=azure-python#get-keys-custom-headers-none--raw-false-operation-config-) after the knowledgebase is published.
Use the `generate_answer` method to get an answer from the query runtime. # [QnA Maker managed (preview release)](#tab/version-2)
-A QnA Maker managed resource does not require the use of the QnAMakerRuntimeClient object. Instead, you call [generate_answer](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebase_operations.knowledgebaseoperations?view=azure-python#generate-answer-kb-id--generate-answer-payload--custom-headers-none--raw-false-operation-config-) directly on the [QnAMakerClient](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.qn_amaker_client.qnamakerclient?view=azure-python) object.
+A QnA Maker managed resource does not require the use of the QnAMakerRuntimeClient object. Instead, you call [generate_answer](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebase_operations.knowledgebaseoperations?view=azure-python#generate-answer-kb-id--generate-answer-payload--custom-headers-none--raw-false-operation-config-) directly on the [QnAMakerClient](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.qn_amaker_client.qnamakerclient?view=azure-python) object.
## Authenticate the client for authoring the knowledge base
-Instantiate a client with your endpoint and key. Create an CognitiveServicesCredentials object with your key, and use it with your endpoint to create an [QnAMakerClient](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.qn_amaker_client.qnamakerclient?view=azure-python) object.
+Instantiate a client with your endpoint and key. Create an CognitiveServicesCredentials object with your key, and use it with your endpoint to create an [QnAMakerClient](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.qn_amaker_client.qnamakerclient?view=azure-python) object.
# [QnA Maker GA (stable release)](#tab/version-1)
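Review bot: This Python quickstart describes both clients as authenticating with "Microsoft.Rest.ServiceClientCredentials" and names the key call "client.EndpointKeysOperations.get_keys", which are .NET-style names; the Python package uses `CognitiveServicesCredentials` (as the "Authenticate the client" paragraph itself says) and `client.endpoint_keys.get_keys`, so the text should use the Python names consistently. The same paragraph also has "Create an CognitiveServicesCredentials object" and "create an [QnAMakerClient]", where "an" should be "a".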
@@ -177,16 +177,16 @@ Instantiate a client with your endpoint and key. Create an CognitiveServicesCred
## Create a knowledge base
-Use the client object to get a [knowledge base operations](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebaseoperations?view=azure-python) object.
+Use the client object to get a [knowledge base operations](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebaseoperations?view=azure-python) object.
-A knowledge base stores question and answer pairs for the [CreateKbDTO](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.createkbdto?view=azure-python) object from three sources:
+A knowledge base stores question and answer pairs for the [CreateKbDTO](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.createkbdto?view=azure-python) object from three sources:
-* For **editorial content**, use the [QnADTO](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.qnadto?view=azure-python) object.
+* For **editorial content**, use the [QnADTO](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.qnadto?view=azure-python) object.
* To use metadata and follow-up prompts, use the editorial context, because this data is added at the individual QnA pair level.
-* For **files**, use the [FileDTO](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.filedto?view=azure-python) object. The FileDTO includes the filename as well as the public URL to reach the file.
+* For **files**, use the [FileDTO](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.filedto?view=azure-python) object. The FileDTO includes the filename as well as the public URL to reach the file.
* For **URLs**, use a list of strings to represent publicly available URLs.
-Call the [create](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebaseoperations?view=azure-python#create-create-kb-payload--custom-headers-none--raw-false-operation-config-) method then pass the returned operation ID to the [Operations.getDetails](#get-status-of-an-operation) method to poll for status.
+Call the [create](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebaseoperations?view=azure-python#create-create-kb-payload--custom-headers-none--raw-false-operation-config-) method then pass the returned operation ID to the [Operations.getDetails](#get-status-of-an-operation) method to poll for status.
The final line of the following code returns the knowledge base ID from the response from MonitorOperation.
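Review bot: The rewritten sentence refers to "Operations.getDetails", but the Python method linked earlier in this file is `operations.get_details`, and the anchor it points to documents the `_monitor_operation` helper; using the Python name keeps the prose consistent with the code sample. "Call the create method then pass" also needs a comma before "then".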
@@ -204,7 +204,7 @@ Make sure the include the [`_monitor_operation`](#get-status-of-an-operation) fu
## Update a knowledge base
-You can update a knowledge base by passing in the knowledge base ID and an [UpdateKbOperationDTO](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.updatekboperationdto?view=azure-python) containing [add](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.updatekboperationdtoadd?view=azure-python), [update](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.updatekboperationdtoupdate?view=azure-python), and [delete](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.updatekboperationdtodelete?view=azure-python) DTO objects to the [update](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebase_operations.knowledgebaseoperations?view=azure-python) method. Use the [Operation.getDetail](#get-status-of-an-operation) method to determine if the update succeeded.
+You can update a knowledge base by passing in the knowledge base ID and an [UpdateKbOperationDTO](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.updatekboperationdto?view=azure-python) containing [add](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.updatekboperationdtoadd?view=azure-python), [update](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.updatekboperationdtoupdate?view=azure-python), and [delete](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.updatekboperationdtodelete?view=azure-python) DTO objects to the [update](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebase_operations.knowledgebaseoperations?view=azure-python) method. Use the [Operation.getDetail](#get-status-of-an-operation) method to determine if the update succeeded.
# [QnA Maker GA (stable release)](#tab/version-1)
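Review bot: the rewritten `+` line still tells readers to use "the Operation.getDetail method", a camelCase name that does not match the snake_case naming this Python article uses everywhere else (`get_keys`, `generate_answer`, and the `_monitor_operation` helper referenced in the `@@ -220` hunk header); since the line is being touched for the link rewrite anyway, point the sentence at `_monitor_operation` (the `#get-status-of-an-operation` anchor is already correct).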
@@ -220,7 +220,7 @@ Make sure the include the [`_monitor_operation`](#get-status-of-an-operation) fu
## Download a knowledge base
-Use the [download](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebaseoperations?view=azure-python) method to download the database as a list of [QnADocumentsDTO](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.qnadocumentsdto?view=azure-python). This is _not_ equivalent to the QnA Maker portal's export from the **Settings** page because the result of this method is not a TSV file.
+Use the [download](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebaseoperations?view=azure-python) method to download the database as a list of [QnADocumentsDTO](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.qnadocumentsdto?view=azure-python). This is _not_ equivalent to the QnA Maker portal's export from the **Settings** page because the result of this method is not a TSV file.
# [QnA Maker GA (stable release)](#tab/version-1)
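Review bot: the hunk header context "Make sure the include the `_monitor_operation` function" is missing a word ("Make sure to include"); it is outside the changed lines, but worth fixing while the file is open for this link-only change.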
@@ -234,7 +234,7 @@ Use the [download](https://docs.microsoft.com/python/api/azure-cognitiveservices
## Publish a knowledge base
-Publish the knowledge base using the [publish](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebaseoperations?view=azure-python#publish-kb-id--custom-headers-none--raw-false-operation-config-) method. This takes the current saved and trained model, referenced by the knowledge base ID, and publishes that at an endpoint.
+Publish the knowledge base using the [publish](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebaseoperations?view=azure-python#publish-kb-id--custom-headers-none--raw-false-operation-config-) method. This takes the current saved and trained model, referenced by the knowledge base ID, and publishes that at an endpoint.
# [QnA Maker GA (stable release)](#tab/version-1)
@@ -254,7 +254,7 @@ Publish the knowledge base using the [publish](https://docs.microsoft.com/python
Once a knowledgebase is published, you need the query runtime key to query the runtime. This isn't the same key used to create the original client object.
-Use the [EndpointKeysOperations.get_keys](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.endpointkeysoperations?view=azure-python#get-keys-custom-headers-none--raw-false-operation-config-) method to get the [EndpointKeysDTO](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.endpointkeysdto?view=azure-python) class.
+Use the [EndpointKeysOperations.get_keys](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.endpointkeysoperations?view=azure-python#get-keys-custom-headers-none--raw-false-operation-config-) method to get the [EndpointKeysDTO](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.endpointkeysdto?view=azure-python) class.
Use either of the key properties returned in the object to query the knowledgebase.
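Review bot: the `+` line and the unchanged "Use either of the key properties returned in the object" sentence explain how to fetch the runtime keys but never say that they are credentials for the published endpoint, so a reader following the quickstart may log them or embed them in client-side bot code. Suggest one sentence that the `EndpointKeysDTO` keys should be stored as secrets, in the same way as the authoring key the preceding paragraph distinguishes them from, and, since two keys are returned, a note on how they are meant to be rotated.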
@@ -270,7 +270,7 @@ Use the QnAMakerRuntimeClient to get an answer from the knowledge or to send new
### Generate an answer from the knowledge base
-Generate an answer from a published knowledge base using the QnAMakerRuntimeClient.runtime.generate_answer method. This method accepts the knowledge base ID and the [QueryDTO](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.querydto?view=azure-python). Access additional properties of the QueryDTO, such a Top and Context to use in your chat bot.
+Generate an answer from a published knowledge base using the QnAMakerRuntimeClient.runtime.generate_answer method. This method accepts the knowledge base ID and the [QueryDTO](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.querydto?view=azure-python). Access additional properties of the QueryDTO, such a Top and Context to use in your chat bot.
[!code-python[Generate an answer from a knowledge base](~/cognitive-services-quickstart-code/python/QnAMaker/sdk/quickstart.py?name=GenerateAnswer)]
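Review bot: the `+` line keeps the typo "such a Top and Context" (should be "such as Top and Context"); since the line is being rewritten for the link anyway, fix it here rather than in a follow-up. The sentence would also read better with a comma before "to use in your chat bot".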
@@ -278,7 +278,7 @@ Generate an answer from a published knowledge base using the QnAMakerRuntimeClie
### Generate an answer from the knowledge base
-Generate an answer from a published knowledge base using the [generate_answer](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebaseoperations?view=azure-python#generate-answer-kb-id--generate-answer-payload--custom-headers-none--raw-false-operation-config-) method. This method accepts the knowledge base ID and the [QueryDTO](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.querydto?view=azure-python). Access additional properties of the QueryDTO, such a Top and Context to use in your chat bot.
+Generate an answer from a published knowledge base using the [generate_answer](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebaseoperations?view=azure-python#generate-answer-kb-id--generate-answer-payload--custom-headers-none--raw-false-operation-config-) method. This method accepts the knowledge base ID and the [QueryDTO](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.querydto?view=azure-python). Access additional properties of the QueryDTO, such a Top and Context to use in your chat bot.
[!code-python[Generate an answer from a knowledge base](~/cognitive-services-quickstart-code/python/QnAMaker/sdk/preview-sdk/quickstart.py?name=GenerateAnswer)]
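Review bot: same "such a Top and Context" typo as in the GA hunk above; correct it in this `+` line as well so the two tabs stay in sync.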
@@ -288,7 +288,7 @@ This is a simple example of querying the knowledge base. To understand advanced
## Delete a knowledge base
-Delete the knowledge base using the [delete](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebaseoperations?view=azure-python#delete-kb-id--custom-headers-none--raw-false-operation-config-) method with a parameter of the knowledge base ID.
+Delete the knowledge base using the [delete](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.operations.knowledgebaseoperations?view=azure-python#delete-kb-id--custom-headers-none--raw-false-operation-config-) method with a parameter of the knowledge base ID.
# [QnA Maker GA (stable release)](#tab/version-1)
@@ -302,7 +302,7 @@ Delete the knowledge base using the [delete](https://docs.microsoft.com/python/a
## Get status of an operation
-Some methods, such as create and update, can take enough time that instead of waiting for the process to finish, an [operation](https://docs.microsoft.com/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.operation(class)?view=azure-python) is returned. Use the operation ID from the operation to poll (with retry logic) to determine the status of the original method.
+Some methods, such as create and update, can take enough time that instead of waiting for the process to finish, an [operation](/python/api/azure-cognitiveservices-knowledge-qnamaker/azure.cognitiveservices.knowledge.qnamaker.models.operation(class)?view=azure-python) is returned. Use the operation ID from the operation to poll (with retry logic) to determine the status of the original method.
The _setTimeout_ call in the following code block is used to simulate asynchronous code. Replace this with retry logic.
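Review bot: the context line "The _setTimeout_ call in the following code block is used to simulate asynchronous code" refers to a JavaScript function, but this is the Python SDK article (every link in the hunk is under `/python/api/...`); check what the Python sample actually calls and name that instead. "poll (with retry logic)" in the `+` line is also vague for a reader who has to implement it: say which operation states end the loop and that the article's `_monitor_operation` helper is the reference implementation.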
@@ -332,4 +332,4 @@ The source code for this sample can be found on [GitHub](https://github.com/Azur
The source code for this sample can be found on [GitHub](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/python/QnAMaker/sdk/preview-sdk/quickstart.py). -+\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/includes/how-to/keyword-recognition/keyword-basics-csharp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/includes/how-to/keyword-recognition/keyword-basics-csharp.md a/articles/cognitive-services/Speech-Service/includes/how-to/keyword-recognition/keyword-basics-csharp.md
@@ -31,6 +31,6 @@ object for authentication context, and does not contact the back-end. However, y
Other classes in the Speech SDK support continuous recognition (for both speech and intent recognition) with keyword recognition. This allows you to use the same code you would normally use for continuous recognition, with the ability to reference a `.table` file for your keyword model.
-For speech-to-text, follow the same design pattern shown in the [quickstart](https://docs.microsoft.com/azure/cognitive-services/speech-service/get-started-speech-to-text?tabs=script%2Cbrowser%2Cwindowsinstall&pivots=programming-language-csharp#continuous-recognition) to set up continuous recognition. Then, replace the call to `recognizer.StartContinuousRecognitionAsync()` with `recognizer.StartKeywordRecognitionAsync(KeywordRecognitionModel)`, and pass your `KeywordRecognitionModel` object. To stop continuous recognition with keyword spotting, use `recognizer.StopKeywordRecognitionAsync()` instead of `recognizer.StopContinuousRecognitionAsync()`.
+For speech-to-text, follow the same design pattern shown in the [quickstart](../../../get-started-speech-to-text.md?pivots=programming-language-csharp&tabs=script%2cbrowser%2cwindowsinstall#continuous-recognition) to set up continuous recognition. Then, replace the call to `recognizer.StartContinuousRecognitionAsync()` with `recognizer.StartKeywordRecognitionAsync(KeywordRecognitionModel)`, and pass your `KeywordRecognitionModel` object. To stop continuous recognition with keyword spotting, use `recognizer.StopKeywordRecognitionAsync()` instead of `recognizer.StopContinuousRecognitionAsync()`.
-Intent recognition uses an identical pattern with the [`StartKeywordRecognitionAsync`](https://docs.microsoft.com/dotnet/api/microsoft.cognitiveservices.speech.intent.intentrecognizer.startkeywordrecognitionasync?view=azure-dotnet#Microsoft_CognitiveServices_Speech_Intent_IntentRecognizer_StartKeywordRecognitionAsync_Microsoft_CognitiveServices_Speech_KeywordRecognitionModel_) and [`StopKeywordRecognitionAsync`](https://docs.microsoft.com/dotnet/api/microsoft.cognitiveservices.speech.intent.intentrecognizer.stopkeywordrecognitionasync?view=azure-dotnet#Microsoft_CognitiveServices_Speech_Intent_IntentRecognizer_StopKeywordRecognitionAsync) functions.
\ No newline at end of file
+Intent recognition uses an identical pattern with the [`StartKeywordRecognitionAsync`](/dotnet/api/microsoft.cognitiveservices.speech.intent.intentrecognizer.startkeywordrecognitionasync?view=azure-dotnet#Microsoft_CognitiveServices_Speech_Intent_IntentRecognizer_StartKeywordRecognitionAsync_Microsoft_CognitiveServices_Speech_KeywordRecognitionModel_) and [`StopKeywordRecognitionAsync`](/dotnet/api/microsoft.cognitiveservices.speech.intent.intentrecognizer.stopkeywordrecognitionasync?view=azure-dotnet#Microsoft_CognitiveServices_Speech_Intent_IntentRecognizer_StopKeywordRecognitionAsync) functions.
\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/quickstart-custom-commands-application https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/quickstart-custom-commands-application.md a/articles/cognitive-services/Speech-Service/quickstart-custom-commands-application.md
@@ -134,4 +134,4 @@ In the scope of this article, we will be using the Windows Voice Assistant clien
## Next steps
-In this article, you used an existing application. Next, in the [how-to sections](how-to-custom-commands-create-application-with-simple-commands.md), you learn how to design, develop, debug, test and integrate a Custom Commands application from scratch.
+In this article, you used an existing application. Next, in the [how-to sections](./how-to-develop-custom-commands-application.md), you learn how to design, develop, debug, test and integrate a Custom Commands application from scratch.
\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/regions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/regions.md a/articles/cognitive-services/Speech-Service/regions.md
@@ -65,7 +65,7 @@ This is a subset of the publishing regions supported by the [Language Understand
### Voice assistants
-The [Speech SDK](speech-sdk.md) supports **voice assistant** capabilities through [Direct Line Speech](https://docs.microsoft.com/azure/cognitive-services/speech-service/direct-line-speech) in these regions:
+The [Speech SDK](speech-sdk.md) supports **voice assistant** capabilities through [Direct Line Speech](./direct-line-speech.md) in these regions:
| Global region | Region | Region identifier | | - | - | -- |
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/rest-speech-to-text https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/rest-speech-to-text.md a/articles/cognitive-services/Speech-Service/rest-speech-to-text.md
@@ -18,7 +18,7 @@
Speech-to-text has two different REST APIs. Each API serves its special purpose and uses different sets of endpoints. The Speech-to-text REST APIs are:-- [Speech-to-text REST API v3.0](#speech-to-text-rest-api-v30) is used for [Batch transcription](batch-transcription.md) and [Custom Speech](custom-speech-overview.md). v3.0 is a [successor of v2.0](/azure/cognitive-services/speech-service/migrate-v2-to-v3).
+- [Speech-to-text REST API v3.0](#speech-to-text-rest-api-v30) is used for [Batch transcription](batch-transcription.md) and [Custom Speech](custom-speech-overview.md). v3.0 is a [successor of v2.0](./migrate-v2-to-v3.md).
- [Speech-to-text REST API for short audio](#speech-to-text-rest-api-for-short-audio) is used for OnLine transcription as an alternative to the [Speech SDK](speech-sdk.md). Requests using this API can transmit only up to 60 seconds of audio per request. ## Speech-to-text REST API v3.0
@@ -40,7 +40,7 @@ REST API v3.0 includes such features as:
See examples on using REST API v3.0 with the Batch transcription is [this article](batch-transcription.md).
-If you are using Speech-to-text REST API v2.0, see how you can migrate to v3.0 in [this guide](/azure/cognitive-services/speech-service/migrate-v2-to-v3).
+If you are using Speech-to-text REST API v2.0, see how you can migrate to v3.0 in [this guide](./migrate-v2-to-v3.md).
See the full Speech-to-text REST API v3.0 Reference [here](https://centralus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0).
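Review bot: the hunk header context "See examples on using REST API v3.0 with the Batch transcription is [this article]" is ungrammatical; suggest "For examples of using REST API v3.0 with Batch transcription, see [this article]". Outside the changed line, but the same paragraph.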
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/rest-text-to-speech https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/rest-text-to-speech.md a/articles/cognitive-services/Speech-Service/rest-text-to-speech.md
@@ -273,5 +273,5 @@ If the HTTP status is `200 OK`, the body of the response contains an audio file
## Next steps - [Create a free Azure account](https://azure.microsoft.com/free/cognitive-services/)-- [Asynchronous synthesis for long-form audio](quickstarts/text-to-speech/async-synthesis-long-form-audio.md)-- [Get started with Custom Voice](how-to-custom-voice.md)
+- [Asynchronous synthesis for long-form audio](./long-audio-api.md)
+- [Get started with Custom Voice](how-to-custom-voice.md)
\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/speech-services-private-link https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/speech-services-private-link.md a/articles/cognitive-services/Speech-Service/speech-services-private-link.md
@@ -290,7 +290,7 @@ Speech Services has REST APIs for [Speech-to-Text](rest-speech-to-text.md) and [
Speech-to-Text has two REST APIs. Each API serves a different purpose, uses different endpoints, and requires a different approach when you're using it in the private-endpoint-enabled scenario. The Speech-to-Text REST APIs are:-- [Speech-to-Text REST API v3.0](rest-speech-to-text.md#speech-to-text-rest-api-v30), which is used for [Batch transcription](batch-transcription.md) and [Custom Speech](custom-speech-overview.md). v3.0 is a [successor of v2.0](/azure/cognitive-services/speech-service/migrate-v2-to-v3)
+- [Speech-to-Text REST API v3.0](rest-speech-to-text.md#speech-to-text-rest-api-v30), which is used for [Batch transcription](batch-transcription.md) and [Custom Speech](custom-speech-overview.md). v3.0 is a [successor of v2.0](./migrate-v2-to-v3.md)
- [Speech-to-Text REST API for short audio](rest-speech-to-text.md#speech-to-text-rest-api-for-short-audio), which is used for online transcription Usage of the Speech-to-Text REST API for short audio and the text-to-speech REST API in the private endpoint scenario is the same. It's equivalent to the [Speech SDK case](#speech-resource-with-a-custom-domain-name-and-a-private-endpoint-usage-with-the-speech-sdk) described later in this article.
@@ -608,4 +608,4 @@ For pricing details, see [Azure Private Link pricing](https://azure.microsoft.co
* [Azure Private Link](../../private-link/private-link-overview.md) * [Speech SDK](speech-sdk.md) * [Speech-to-Text REST API](rest-speech-to-text.md)
-* [Text-to-Speech REST API](rest-text-to-speech.md)
+* [Text-to-Speech REST API](rest-text-to-speech.md)
\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/voice-assistants https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/voice-assistants.md a/articles/cognitive-services/Speech-Service/voice-assistants.md
@@ -61,7 +61,7 @@ Sample code for creating a voice assistant is available on GitHub. These samples
* [Voice assistant samples on GitHub](https://github.com/Azure-Samples/Cognitive-Services-Voice-Assistant) * [Tutorial: Voice enable your assistant built using Azure Bot Service with the C# Speech SDK](tutorial-voice-enable-your-bot-speech-sdk.md)
-* [Tutorial: Create a Custom Commands application with simple voice commands](how-to-custom-commands-create-application-with-simple-commands.md)
+* [Tutorial: Create a Custom Commands application with simple voice commands](./how-to-develop-custom-commands-application.md)
## Customization
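Review bot: the link text "Tutorial: Create a Custom Commands application with simple voice commands" still names the old page (`how-to-custom-commands-create-application-with-simple-commands.md`) while the `+` line now targets `how-to-develop-custom-commands-application.md`; update the text to the new page's title so the bullet promises what the reader lands on. The same retarget appears in the quickstart-custom-commands-application hunk above.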
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Translator/language-support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/language-support.md a/articles/cognitive-services/Translator/language-support.md
@@ -85,7 +85,7 @@ Translator supports the following languages for text to text translation.
| Pashto | `ps` | | Persian | `fa` | | Polish | `pl` |
-| Portuguese (Brazil) | `pt-br` |
+| Portuguese (Brazil) | `pt` |
| Portuguese (Portugal) | `pt-pt` | | Punjabi | `pa` | | Queretaro Otomi | `otq` |
@@ -337,7 +337,7 @@ The following languages are available for customization to or from English using
| Norwegian | `nb` | | Persian | `fa` | | Polish | `pl` |
-| Portuguese (Brazil) | `pt-br` |
+| Portuguese (Brazil) | `pt` |
| Punjabi|`pa`| | Romanian | `ro` | | Russian | `ru` |
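Review bot: changing the Portuguese (Brazil) code from `pt-br` to `pt` in this hunk and the `@@ -85` hunk above is an API-facing change, not a link fix, so it should be called out in the commit message, and every other table in language-support.md that lists Portuguese should be checked for a remaining `pt-br`. Both tables still list Portugal as `pt-pt`, so a one-line note that the bare `pt` code resolves to Brazilian Portuguese would help readers who pass language codes to the API.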
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/form-recognizer/concept-receipts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/concept-receipts.md a/articles/cognitive-services/form-recognizer/concept-receipts.md
@@ -15,7 +15,7 @@
# Form Recognizer prebuilt receipt model
-Azure Form Recognizer can analyze and extract information from sales receipts using its prebuilt receipt model. It combines our powerful [Optical Character Recognition (OCR)](https://docs.microsoft.com/azure/cognitive-services/computer-vision/concept-recognizing-text) capabilities with receipt understanding deep learning models to extract key information from receipts in English. The Receipt API extracts key information from sales receipts in English, such as merchant name, transaction date, transaction total, line items, and more.
+Azure Form Recognizer can analyze and extract information from sales receipts using its prebuilt receipt model. It combines our powerful [Optical Character Recognition (OCR)](../computer-vision/concept-recognizing-text.md) capabilities with receipt understanding deep learning models to extract key information from receipts in English. The Receipt API extracts key information from sales receipts in English, such as merchant name, transaction date, transaction total, line items, and more.
## Understanding Receipts
@@ -469,4 +469,4 @@ The Receipt API also powers the [AI Builder Receipt Processing feature](/ai-buil
## See also * [What is Form Recognizer?](./overview.md)
-* [REST API reference docs](./index.yml)
+* [REST API reference docs](./index.yml)
\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/form-recognizer/deploy-label-tool https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/form-recognizer/deploy-label-tool.md a/articles/cognitive-services/form-recognizer/deploy-label-tool.md
@@ -96,7 +96,7 @@ Follow these steps to create a new resource using the Azure portal:
> When creating your web app, you can also configure authorization/authentication. This is not necessary to get started. > [!IMPORTANT]
-> You may need to enable TLS for your web app in order to view it at its `https` address. Follow the instructions in [Enable a TLS endpoint](https://docs.microsoft.com/azure/container-instances/container-instances-container-group-ssl) to set up a sidecar container than enables TLS/SSL for your web app.
+> You may need to enable TLS for your web app in order to view it at its `https` address. Follow the instructions in [Enable a TLS endpoint](../../container-instances/container-instances-container-group-ssl.md) to set up a sidecar container than enables TLS/SSL for your web app.
### Azure CLI
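Review bot: the `+` line keeps the typo "a sidecar container than enables TLS/SSL" (should be "that enables"); fix it in the same edit. This is also the only guidance that puts the labeling tool's web app behind HTTPS, and "You may need to enable TLS ... in order to view it at its `https` address" frames TLS as a display convenience; since the tool serves the training documents being labeled, state plainly that the TLS sidecar is the recommended deployment rather than an option.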
@@ -155,4 +155,4 @@ The OCR Form Labeling Tool is also available as an open-source project on GitHub
## Next steps
-Use the [Train with labels](./quickstarts/label-tool.md) quickstart to learn how to use the tool to manually label training data and perform supervised learning.
+Use the [Train with labels](./quickstarts/label-tool.md) quickstart to learn how to use the tool to manually label training data and perform supervised learning.
\ No newline at end of file
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/plan-manage-costs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/plan-manage-costs.md a/articles/cognitive-services/plan-manage-costs.md
@@ -16,7 +16,7 @@ This article describes how you plan for and manage costs for Azure Cognitive Ser
## Prerequisites
-Cost analysis in Cost Management supports most Azure account types, but not all of them. To view the full list of supported account types, see [Understand Cost Management data](../cost-management-billing/costs/understand-cost-mgt-data.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). To view cost data, you need at least read access for an Azure account. For information about assigning access to Azure Cost Management data, see [Assign access to data](../cost-management/assign-access-acm-data.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).
+Cost analysis in Cost Management supports most Azure account types, but not all of them. To view the full list of supported account types, see [Understand Cost Management data](../cost-management-billing/costs/understand-cost-mgt-data.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). To view cost data, you need at least read access for an Azure account. For information about assigning access to Azure Cost Management data, see [Assign access to data](../cost-management-billing/costs/assign-access-acm-data.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).
<!--Note for Azure service writer: If you have other prerequisites for your service, insert them here -->
@@ -62,7 +62,7 @@ You can pay for Cognitive Services charges with your Azure Prepayment (previousl
## Create budgets
-You can create [budgets](../cost-management/tutorial-acm-create-budgets.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) to manage costs and create [alerts](../cost-management/cost-mgt-alerts-monitor-usage-spending.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) that automatically notify stakeholders of spending anomalies and overspending risks. Alerts are based on spending compared to budget and cost thresholds. Budgets and alerts are created for Azure subscriptions and resource groups, so they're useful as part of an overall cost monitoring strategy.
+You can create [budgets](../cost-management-billing/costs/tutorial-acm-create-budgets.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) to manage costs and create [alerts](../cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) that automatically notify stakeholders of spending anomalies and overspending risks. Alerts are based on spending compared to budget and cost thresholds. Budgets and alerts are created for Azure subscriptions and resource groups, so they're useful as part of an overall cost monitoring strategy.
Budgets can be created with filters for specific resources or services in Azure if you want more granularity present in your monitoring. Filters help ensure that you don't accidentally create new resources that cost you additional money. For more about the filter options when you when create a budget, see [Group and filter options](../cost-management-billing/costs/group-filter.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).
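Review bot: the context line "For more about the filter options when you when create a budget" has a doubled "when"; it is outside the changed line but in the same paragraph, so worth fixing alongside the link moves.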
@@ -81,5 +81,5 @@ Work with Dean to complete this section in 2021.
- Learn [how to optimize your cloud investment with Azure Cost Management](../cost-management-billing/costs/cost-mgt-best-practices.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). - Learn more about managing costs with [cost analysis](../cost-management-billing/costs/quick-acm-cost-analysis.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).-- Learn about how to [prevent unexpected costs](../cost-management-billing/manage/getting-started.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).-- Take the [Cost Management](https://docs.microsoft.com/learn/paths/control-spending-manage-bills?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) guided learning course.
+- Learn about how to [prevent unexpected costs](../cost-management-billing/cost-management-billing-overview.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).
+- Take the [Cost Management](/learn/paths/control-spending-manage-bills?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) guided learning course.
\ No newline at end of file
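Review bot: the hunk header context "Work with Dean to complete this section in 2021." is an author placeholder sitting in the published article; it should be removed or replaced with the intended content before this link fix merges, since the fix otherwise leaves the placeholder in place.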
communication-services https://docs.microsoft.com/en-us/azure/communication-services/samples/calling-hero-sample https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/samples/calling-hero-sample.md a/articles/communication-services/samples/calling-hero-sample.md
@@ -106,6 +106,7 @@ For more information, see the following articles:
- Familiarize yourself with [using the calling client library](../quickstarts/voice-video-calling/calling-client-samples.md) - Learn more about [how calling works](../concepts/voice-video-calling/about-call-types.md)
+- Review the [Contoso Med App](https://github.com/Azure-Samples/communication-services-contoso-med-app) sample
## Additional reading
communication-services https://docs.microsoft.com/en-us/azure/communication-services/samples/chat-hero-sample https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/samples/chat-hero-sample.md a/articles/communication-services/samples/chat-hero-sample.md
@@ -109,6 +109,7 @@ For more information, see the following articles:
- Learn about [chat concepts](../concepts/chat/concepts.md) - Familiarize yourself with our [chat client library](../concepts/chat/sdk-features.md)
+- Review the [Contoso Med App](https://github.com/Azure-Samples/communication-services-contoso-med-app) sample
## Additional reading
communication-services https://docs.microsoft.com/en-us/azure/communication-services/samples/web-calling-sample https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/samples/web-calling-sample.md a/articles/communication-services/samples/web-calling-sample.md
@@ -92,6 +92,7 @@ For more information, see the following articles:
- Familiarize yourself with [using the calling client library](../quickstarts/voice-video-calling/calling-client-samples.md) - Learn more about [how calling works](../concepts/voice-video-calling/about-call-types.md) - Review the [API Reference docs](/javascript/api/azure-communication-services/@azure/communication-calling/?view=azure-communication-services-js)
+- Review the [Contoso Med App](https://github.com/Azure-Samples/communication-services-contoso-med-app) sample
## Additional reading
container-instances https://docs.microsoft.com/en-us/azure/container-instances/container-instances-github-action https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-instances/container-instances-github-action.md a/articles/container-instances/container-instances-github-action.md
@@ -8,7 +8,7 @@
# Configure a GitHub action to create a container instance
-[GitHub Actions](https://docs.github.com/en/free-pro-team@latest/actions) is a suite of features in GitHub to automate your software development workflows in the same place you store code and collaborate on pull requests and issues.
+[GitHub Actions](https://docs.github.com/en/actions) is a suite of features in GitHub to automate your software development workflows in the same place you store code and collaborate on pull requests and issues.
Use the [Deploy to Azure Container Instances](https://github.com/azure/aci-deploy) GitHub action to automate deployment of a single container to Azure Container Instances. The action allows you to set properties for a container instance similar to those in the [az container create][az-container-create] command.
@@ -172,7 +172,7 @@ After you commit the workflow file, the workflow is triggered. To review workflo
![View workflow progress](./media/container-instances-github-action/github-action-progress.png)
-See [Viewing workflow run history](https://docs.github.com/en/free-pro-team@latest/actions/managing-workflow-runs/viewing-workflow-run-history) for information about viewing the status and results of each step in your workflow. If the workflow doesn't complete, see [Viewing logs to diagnose failures](https://docs.github.com/en/free-pro-team@latest/actions/managing-workflow-runs/using-workflow-run-logs#viewing-logs-to-diagnose-failures).
+See [Viewing workflow run history](https://docs.github.com/en/actions/managing-workflow-runs/viewing-workflow-run-history) for information about viewing the status and results of each step in your workflow. If the workflow doesn't complete, see [Viewing logs to diagnose failures](https://docs.github.com/en/actions/managing-workflow-runs/using-workflow-run-logs#viewing-logs-to-diagnose-failures).
When the workflow completes successfully, get information about the container instance named *aci-sampleapp* by running the [az container show][az-container-show] command. Substitute the name of your resource group:
@@ -232,7 +232,7 @@ az container app up \
### Command progress
-* When prompted, provide your GitHub credentials or provide a [GitHub personal access token](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token) (PAT) that has *repo* and *user* scopes to authenticate with your GitHub account. If you provide GitHub credentials, the command creates a PAT for you. Follow additional prompts to configure the workflow.
+* When prompted, provide your GitHub credentials or provide a [GitHub personal access token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) (PAT) that has *repo* and *user* scopes to authenticate with your GitHub account. If you provide GitHub credentials, the command creates a PAT for you. Follow additional prompts to configure the workflow.
* The command creates repo secrets for the workflow:
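Review bot: the PAT sentence in this hunk (the `+` line) now states that the command creates a personal access token on the user's behalf when GitHub credentials are supplied, but neither the old nor the new wording says that a token with `repo` and `user` scopes grants broad account access or that it should be revoked once the workflow is deleted; consider adding one sentence after "the command creates a PAT for you" that names the scopes as the minimum required and points the reader to revoking the token in GitHub settings when it is no longer needed.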
@@ -253,7 +253,7 @@ Workflow succeeded
Your app is deployed at: http://acr-build-helloworld-node.eastus.azurecontainer.io:8080/ ```
-To view the workflow status and results of each step in the GitHub UI, see [Viewing workflow run history](https://docs.github.com/en/free-pro-team@latest/actions/managing-workflow-runs/viewing-workflow-run-history).
+To view the workflow status and results of each step in the GitHub UI, see [Viewing workflow run history](https://docs.github.com/en/actions/managing-workflow-runs/viewing-workflow-run-history).
### Validate workflow
cosmos-db https://docs.microsoft.com/en-us/azure/cosmos-db/create-mongodb-rust https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/create-mongodb-rust.md new file mode 100644 /dev/null
@@ -0,0 +1,323 @@
+
+ Title: Connect a Rust application to Azure Cosmos DB's API for MongoDB
+description: This quickstart demonstrates how to build a Rust application backed by Azure Cosmos DB's API for MongoDB.
++++
+ms.devlang: rust
+ Last updated : 01/12/2021++
+# Quickstart: Connect a Rust application to Azure Cosmos DB's API for MongoDB
+[!INCLUDE[appliesto-mongodb-api](includes/appliesto-mongodb-api.md)]
+
+> [!div class="op_single_selector"]
+> * [.NET](create-mongodb-dotnet.md)
+> * [Java](create-mongodb-java.md)
+> * [Node.js](create-mongodb-nodejs.md)
+> * [Python](create-mongodb-flask.md)
+> * [Xamarin](create-mongodb-xamarin.md)
+> * [Golang](create-mongodb-go.md)
+> * [Rust](create-mongodb-rust.md)
+>
+
+Azure Cosmos DB is a multi-model database service that lets you quickly create and query document, table, key-value, and graph databases with global distribution and horizontal scale capabilities. The sample presented in this article is a simple command-line based application that uses the [Rust driver for MongoDB](https://github.com/mongodb/mongo-rust-driver). Since Azure Cosmos DB's API for MongoDB is [compatible with the MongoDB wire protocol](./mongodb-introduction.md#wire-protocol-compatibility), it is possible for any MongoDB client driver to connect to it.
+
+You will learn how to use the MongoDB Rust driver to interact with Azure Cosmos DB's API for MongoDB by exploring CRUD (create, read, update, delete) operations implemented in the sample code. Finally, you can run the application locally to see it in action.
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create one for free](https://azure.microsoft.com/free). Or [try Azure Cosmos DB for free](https://azure.microsoft.com/try/cosmosdb/) without an Azure subscription. You can also use the [Azure Cosmos DB Emulator](https://aka.ms/cosmosdb-emulator) with the connection string `.mongodb://localhost:C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==@localhost:10255/admin?ssl=true`.
+- [Rust](https://www.rust-lang.org/tools/install) (version 1.39 or above)
+- [Git](https://git-scm.com/downloads)
+
+## Set up Azure Cosmos DB
+
+To set up an Azure Cosmos DB account, follow the [instructions here](create-mongodb-dotnet.md). The application will need the MongoDB connection string which you can fetch using the Azure portal. For details, see [Get the MongoDB connection string to customize](connect-mongodb-account.md#get-the-mongodb-connection-string-to-customize).
+
+## Run the application
+
+### Clone the sample application
+
+Run the following commands to clone the sample repository.
+
+1. Open a command prompt, create a new folder named `git-samples`, then close the command prompt.
+
+ ```bash
+ mkdir "C:\git-samples"
+ ```
+
+1. Open a git terminal window, such as git bash, and use the `cd` command to change to the new folder to install the sample app.
+
+ ```bash
+ cd "C:\git-samples"
+ ```
+
+1. Run the following command to clone the sample repository. This command creates a copy of the sample app on your computer.
+
+ ```bash
+ git clone https://github.com/Azure-Samples/cosmosdb-rust-mongodb-quickstart
+ ```
+
+### Build the application
+
+To build the binary:
+
+```bash
+cargo build --release
+```
+
+### Configure the application
+
+Export the connection string, MongoDB database, and collection names as environment variables.
+
+```bash
+export MONGODB_URL="mongodb://<COSMOSDB_ACCOUNT_NAME>:<COSMOSDB_PASSWORD>@<COSMOSDB_ACCOUNT_NAME>.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&maxIdleTimeMS=120000&appName=@<COSMOSDB_ACCOUNT_NAME>@"
+```
+
+> [!NOTE]
+> The `ssl=true` option is important because of Cosmos DB requirements. For more information, see [Connection string requirements](connect-mongodb-account.md#connection-string-requirements).
+>
+
+For the `MONGODB_URL` environment variable, replace the placeholders for `<COSMOSDB_ACCOUNT_NAME>` and `<COSMOSDB_PASSWORD>`
+
+- `<COSMOSDB_ACCOUNT_NAME>`: The name of the Azure Cosmos DB account you created
+- `<COSMOSDB_PASSWORD>`: The database key extracted in the previous step
+
+```bash
+export MONGODB_DATABASE=todos_db
+export MONGODB_COLLECTION=todos
+```
+
+You can choose your preferred values for `MONGODB_DATABASE` and `MONGODB_COLLECTION` or leave them as is.
+
+To run the application, change to the correct folder (where the application binary exists):
+
+```bash
+cd target/release
+```
+
+To create a `todo`
+
+```bash
+./todo create "Create an Azure Cosmos DB database account"
+```
+
+If successful, you should see an output with the MongoDB `_id` of the newly created document:
+
+```bash
+inserted todo with id = ObjectId("5ffd1ca3004cc935004a0959")
+```
+
+Create another `todo`
+
+```bash
+./todo create "Get the MongoDB connection string using the Azure CLI"
+```
+
+List all the `todo`s
+
+```bash
+./todo list all
+```
+
+You should see the ones you just added:
+
+```bash
+todo_id: 5ffd1ca3004cc935004a0959 | description: Create an Azure Cosmos DB database account | status: pending
+todo_id: 5ffd1cbe003bcec40022c81c | description: Get the MongoDB connection string using the Azure CLI | status: pending
+```
+
+To update the status of a `todo` (for example, change it to `completed` status), use the `todo` ID as such:
+
+```bash
+./todo update 5ffd1ca3004cc935004a0959 completed
+
+#output
+updating todo_id 5ffd1ca3004cc935004a0959 status to completed
+updated status for todo id 5ffd1ca3004cc935004a0959
+```
+
+List only the completed `todo`s
+
+```bash
+./todo list completed
+```
+
+You should see the one you just updated
+
+```bash
+listing 'completed' todos
+
+todo_id: 5ffd1ca3004cc935004a0959 | description: Create an Azure Cosmos DB database account | status: completed
+```
+
+Delete a `todo` using it's ID
+
+```bash
+./todo delete 5ffd1ca3004cc935004a0959
+```
+
+List the `todo`s to confirm
+
+```bash
+./todo list all
+```
+
+The `todo` you just deleted should not be present.
+
+### View data in Data Explorer
+
+Data stored in Azure Cosmos DB is available to view and query in the Azure portal.
+
+To view, query, and work with the user data created in the previous step, login to the [Azure portal](https://portal.azure.com) in your web browser.
+
+In the top Search box, enter **Azure Cosmos DB**. When your Cosmos account blade opens, select your Cosmos account. In the left navigation, select **Data Explorer**. Expand your collection in the Collections pane, and then you can view the documents in the collection, query the data, and even create and run stored procedures, triggers, and UDFs.
+
+## Review the code (optional)
+
+If you're interested in learning how the application works, you can review the code snippets in this section. The following snippets are taken from the `src/main.rs` file.
+
+The `main` function is the entry point for the `todo` application. It expects the connection URL for Azure Cosmos DB's API for MongoDB to be provided by the `MONGODB_URL` environment variable. A new instance of `TodoManager` is created, followed by a [`match` expression](https://doc.rust-lang.org/book/ch06-02-match.html) that delegates to the appropriate `TodoManager` method based on the operation chosen by the user - `create`, `update`, `list`, or `delete`.
+
+```rust
+fn main() {
+ let conn_string = std::env::var_os("MONGODB_URL").expect("missing environment variable MONGODB_URL").to_str().expect("failed to get MONGODB_URL").to_owned();
+ let todos_db_name = std::env::var_os("MONGODB_DATABASE").expect("missing environment variable MONGODB_DATABASE").to_str().expect("failed to get MONGODB_DATABASE").to_owned();
+ let todos_collection_name = std::env::var_os("MONGODB_COLLECTION").expect("missing environment variable MONGODB_COLLECTION").to_str().expect("failed to get MONGODB_COLLECTION").to_owned();
+
+ let tm = Todo
+
+ let ops: Vec<String> = std::env::args().collect();
+ let op = ops[1].as_str();
+
+ match op {
+ CREATE_OPERATION_NAME => tm.add_todo(ops[2].as_str()),
+ LIST_OPERATION_NAME => tm.list_todos(ops[2].as_str()),
+ UPDATE_OPERATION_NAME => tm.update_todo_status(ops[2].as_str(), ops[3].as_str()),
+ DELETE_OPERATION_NAME => tm.delete_todo(ops[2].as_str()),
+ _ => panic!(INVALID_OP_ERR_MSG)
+ }
+}
+```
+
+`TodoManager` is a `struct` that encapsulates a [mongodb::sync::Collection](https://docs.rs/mongodb/1.1.1/mongodb/sync/struct.Collection.html). When you try to instantiate a `TodoManager` using the `new` function, it initiates a connection to Azure Cosmos DB's API for MongoDB.
+
+```rust
+struct TodoManager {
+ coll: Collection
+}
+....
+impl TodoManager{
+ fn new(conn_string: String, db_name: &str, coll_name: &str) -> Self{
+ let mongo_client = Client::with_uri_str(&*conn_string).expect("failed to create client");
+ let todo_coll = mongo_client.database(db_name).collection(coll_name);
+
+ TodoManager{coll: todo_coll}
+ }
+....
+```
+
+Most importantly, `TodoManager` has methods to help manage `todo`s. Let's go over them one by one.
+
+The `add_todo` method takes in a `todo` description provided by the user and creates an instance of `Todo` struct, which looks like below. The [serde](https://github.com/serde-rs/serde) framework is used to map (serialize/de-serialize) BSON data into instances of `Todo` structs. Notice how `serde` field attributes are used to customize the serialization/de-serialzation process. For example, `todo_id` field in the Todo `struct` is an `ObjectId` and it is stored in MongoDB as `_id`.
+
+```rust
+#[derive(Serialize, Deserialize)]
+struct Todo {
+ #[serde(rename = "_id", skip_serializing_if = "Option::is_none")]
+ todo_id: Option<bson::oid::ObjectId>,
+ #[serde(rename = "description")]
+ desc: String,
+ status: String,
+}
+```
+
+[Collection.insert_one](https://docs.rs/mongodb/1.1.1/mongodb/struct.Collection.html#method.insert_one) accepts a [Document](https://docs.rs/bson/1.1.0/bson/document/struct.Document.html) representing the `todo` details to be added. Note that the conversion from `Todo` to a `Document` is a two-step process, achieved using a combination of [to_bson](https://docs.rs/bson/1.1.0/bson/ser/fn.to_bson.html) and [as_document](https://docs.rs/bson/1.1.0/bson/enum.Bson.html#method.as_document).
+
+```rust
+fn add_todo(self, desc: &str) {
+ let new_todo = Todo {
+ todo_id: None,
+ desc: String::from(desc),
+ status: String::from(TODO_PENDING_STATUS),
+ };
+
+ let todo_doc = mongodb::bson::to_bson(&new_todo).expect("struct to BSON conversion failed").as_document().expect("BSON to Document conversion failed").to_owned();
+
+ let r = self.coll.insert_one(todo_doc, None).expect("failed to add todo");
+ println!("inserted todo with id = {}", r.inserted_id);
+}
+```
+
+[Collection.find](https://docs.rs/mongodb/1.1.1/mongodb/struct.Collection.html#method.find) is used to get the retrieve *all* the `todo`s or filters them based on the user provided status (`pending` or `completed`). Note how in the `while` loop, each `Document` obtained as a result of the search is converted into a `Todo` struct using [bson::from_bson](https://docs.rs/bson/1.1.0/bson/de/fn.from_bson.html). This is the opposite of what was done in the `add_todo` method.
+
+```rust
+fn list_todos(self, status_filter: &str) {
+ let mut filter = doc!{};
+ if status_filter == TODO_PENDING_STATUS || status_filter == TODO_COMPLETED_STATUS{
+ println!("listing '{}' todos",status_filter);
+ filter = doc!{"status": status_filter}
+ } else if status_filter != "all" {
+ panic!(INVALID_FILTER_ERR_MSG)
+ }
+
+ let mut todos = self.coll.find(filter, None).expect("failed to find todos");
+
+ while let Some(result) = todos.next() {
+ let todo_doc = result.expect("todo not present");
+ let todo: Todo = bson::from_bson(Bson::Document(todo_doc)).expect("BSON to struct conversion failed");
+ println!("todo_id: {} | description: {} | status: {}", todo.todo_id.expect("todo id missing"), todo.desc, todo.status);
+ }
+}
+```
+
+A `todo` status can be updated (from `pending` to `completed` or vice versa) using. The `todo` is converted to a
+[bson::oid::ObjectId](https://docs.rs/bson/1.1.0/bson/oid/struct.ObjectId.html) which then used by the[Collection.update_one](https://docs.rs/mongodb/1.1.1/mongodb/struct.Collection.html#method.update_one) method to locate the document that needs to be
+updated.
+
+```rust
+fn update_todo_status(self, todo_id: &str, status: &str) {
+
+ if status != TODO_COMPLETED_STATUS && status != TODO_PENDING_STATUS {
+ panic!(INVALID_FILTER_ERR_MSG)
+ }
+
+ println!("updating todo_id {} status to {}", todo_id, status);
+
+ let id_filter = doc! {"_id": bson::oid::ObjectId::with_string(todo_id).expect("todo_id is not valid ObjectID")};
+
+ let r = self.coll.update_one(id_filter, doc! {"$set": { "status": status }}, None).expect("update failed");
+ if r.modified_count == 1 {
+ println!("updated status for todo id {}",todo_id);
+ } else if r.matched_count == 0 {
+ println!("could not update. check todo id {}",todo_id);
+ }
+}
+```
+
+Deleting a `todo` is straightforward using the [Collection.delete_one](https://docs.rs/mongodb/1.1.1/mongodb/struct.Collection.html#method.delete_one) method.
++
+```rust
+fn delete_todo(self, todo_id: &str) {
+ println!("deleting todo {}", todo_id);
+
+ let id_filter = doc! {"_id": bson::oid::ObjectId::with_string(todo_id).expect("todo_id is not valid ObjectID")};
+
+ self.coll.delete_one(id_filter, None).expect("delete failed").deleted_count;
+}
+```
+
+## Clean up resources
+
+[!INCLUDE [cosmosdb-delete-resource-group](../../includes/cosmos-db-delete-resource-group.md)]
+
+## Next steps
+
+In this quickstart, you learned how to create an Azure Cosmos DB MongoDB API account using the Azure Cloud Shell, and create and run a Rust command-line app to manage `todo`s. You can now import additional data to your Azure Cosmos DB account.
+
+> [!div class="nextstepaction"]
+> [Import MongoDB data into Azure Cosmos DB](../dms/tutorial-mongodb-cosmos-db.md?toc=%2fazure%2fcosmos-db%2ftoc.json%253ftoc%253d%2fazure%2fcosmos-db%2ftoc.json)
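Review bot: the `main` snippet in this new file is truncated at `let tm = Todo` (the `TodoManager::new(conn_string, &todos_db_name, &todos_collection_name);` call that the `new` signature further down implies is missing), so the code as shown does not compile; restore the full line. Two smaller logic points in the same file: `delete_todo` evaluates `.deleted_count` as a bare expression statement and discards it, so deleting an id that does not exist prints "deleting todo ..." and exits silently, whereas `update_todo_status` checks `matched_count` and reports "could not update"; and `main` indexes `ops[1]` without checking `ops.len()`, so running the binary with no arguments panics with an index-out-of-bounds instead of `INVALID_OP_ERR_MSG`. Prose nits to fix in the same touch: the emulator connection string under Prerequisites starts with a stray `.` before `mongodb://`; the sentence "A `todo` status can be updated (from `pending` to `completed` or vice versa) using." is cut off and "by the[Collection.update_one" needs a space; "using it's ID" should be "its ID"; and there is a stray `+` line between the `delete_one` paragraph and its code block.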
cosmos-db https://docs.microsoft.com/en-us/azure/cosmos-db/sql-query-getting-started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/sql-query-getting-started.md a/articles/cosmos-db/sql-query-getting-started.md
@@ -182,10 +182,10 @@ The preceding examples show several aspects of the Cosmos DB query language:
* Azure Cosmos DB supports strict JSON items only. The type system and expressions are restricted to deal only with JSON types. For more information, see the [JSON specification](https://www.json.org/).
-* A Cosmos container is a schema-free collection of JSON items. The relations within and across container items are implicitly captured by containment, not by primary key and foreign key relations. This feature is important for the intra-item joins discussed later in this article.
+* A Cosmos container is a schema-free collection of JSON items. The relations within and across container items are implicitly captured by containment, not by primary key and foreign key relations. This feature is important for the intra-item joins that are described in [Joins in Azure Cosmos DB](sql-query-join.md).
## Next steps - [Introduction to Azure Cosmos DB](introduction.md) - [Azure Cosmos DB .NET samples](https://github.com/Azure/azure-cosmos-dotnet-v3)-- [SELECT clause](sql-query-select.md)\ No newline at end of file
+- [SELECT clause](sql-query-select.md)
data-factory https://docs.microsoft.com/en-us/azure/data-factory/control-flow-power-query-activity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/control-flow-power-query-activity.md a/articles/data-factory/control-flow-power-query-activity.md
@@ -18,6 +18,8 @@ The Power Query activity allows you to build and execute Power Query mash-ups to
Previously, data wrangling in Azure Data Factory was authored from the Data Flow menu option. This has been changed to authoring from a new Power Query activity. You can work directly inside of the Power Query mash-up editor to perform interactive data exploration and then save your work. Once complete, you can take your Power Query activity and add it to a pipeline. Azure Data Factory will automatically scale it out and operationalize your data wrangling using Azure Data Factory's data flow Spark environment.
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4MFYn]
+ ## Translation to data flow script To achieve scale with your Power Query activity, Azure Data Factory translates your ```M``` script into a data flow script so that you can execute your Power Query at scale using the Azure Data Factory data flow Spark environment. Author your wrangling data flow using code-free data preparation. For the list of available functions, see [transformation functions](wrangling-functions.md).
data-factory https://docs.microsoft.com/en-us/azure/data-factory/self-hosted-integration-runtime-troubleshoot-guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/self-hosted-integration-runtime-troubleshoot-guide.md a/articles/data-factory/self-hosted-integration-runtime-troubleshoot-guide.md
@@ -5,7 +5,7 @@
Previously updated : 11/17/2020 Last updated : 01/25/2021
@@ -63,31 +63,6 @@ A new activity can throw an OOM error if the IR machine experiences momentary hi
Check the resource usage and concurrent activity execution on the IR node. Adjust the internal and trigger time of activity runs to avoid too much execution on a single IR node at the same time. -
-### SSL/TLS certificate issue
-
-#### Symptoms
-
-When you try to enable a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificate (advanced) by choosing the certificate (after you select **Self-hosted IR Configuration Manager** > **Remote access from intranet**), you get the following error:
-
-"Remote access settings are invalid. Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'abc.microsoft.com' but the remote endpoint provided DNS claim 'microsoft.com'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'microsoft.com' as the Identity property of EndpointAddress when creating channel proxy."
-
-In the preceding example, the chosen certificate has "microsoft.com" appended to it.
-
-#### Cause
-
-This is a known issue in Windows Communication Foundation (WCF). The WCF SSL/TLS validation checks only for the last DNSName in the **Subject Alternative Name** (SAN) field.
-
-#### Resolution
-
-A wildcard certificate is supported in the Azure Data Factory v2 self-hosted IR. This issue normally happens because the SSL certificate is incorrect. The last DNSName in the SAN should be valid.
-
-To verify and correct the DNSName, do the following:
-
-1. Open Management Console.
-1. Under **Certificate Details**, double-check the value in both the **Subject** and **Subject Alternative Name** boxes. For example, "DNS Name= microsoft.com.com" is not a valid name.
-1. Contact the certificate issuing company to have the incorrect DNSName removed.
- ### Concurrent jobs limit issue #### Symptoms
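Review bot: this hunk deletes the whole "SSL/TLS certificate issue" section (symptom, the WCF cause of validating only the last DNSName in the SAN, and the resolution steps) without a replacement or a pointer to where the guidance now lives; if the behaviour was fixed in a newer self-hosted IR release, say so in the commit message or leave a one-line note, otherwise users who hit the "Identity check failed for outgoing message" error lose the only troubleshooting text for it. Also, the trailing `-` after "at the same time." on the first context line and the run-together "### Concurrent jobs limit issue #### Symptoms" on the last line suggest blank lines around the headings were lost in the edit; check the rendered headings.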
@@ -371,7 +346,7 @@ Go to the integration runtime event log to check the error.
![Screenshot of the "Log On" pane for the service account.](media/self-hosted-integration-runtime-troubleshoot-guide/logon-service-account.png)
- 1. Check to see whether the logon service account has **Log on as a service** permissions to start the Windows service:
+ 1. Check to see whether the logon service account has **Log on as a service** permission to start the Windows service:
![Screenshot of the "Log on as service" properties pane.](media/self-hosted-integration-runtime-troubleshoot-guide/logon-as-service.png)
databox-gateway https://docs.microsoft.com/en-us/azure/databox-gateway/data-box-gateway-deploy-provision-hyperv https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-gateway/data-box-gateway-deploy-provision-hyperv.md a/articles/databox-gateway/data-box-gateway-deploy-provision-hyperv.md
@@ -80,7 +80,7 @@ To create a virtual device, you need:
## BitLocker Considerations * We recommend that you enable BitLocker on your Data Box Gateway virtual machine. By default, BitLocker is not enabled. For more information, see:
- * [Encryption support settings in Hyper-V Manager](hhttps://docs.microsoft.com/windows-server/virtualization/hyper-v/learn-more/generation-2-virtual-machine-security-settings-for-hyper-v#encryption-support-settings-in-hyper-v-manager)
+ * [Encryption support settings in Hyper-V Manager](/windows-server/virtualization/hyper-v/learn-more/generation-2-virtual-machine-security-settings-for-hyper-v#encryption-support-settings-in-hyper-v-manager)
* [BitLocker support in a virtual machine](https://kb.vmware.com/s/article/2036142) ## Provision a virtual device in hypervisor
databox-gateway https://docs.microsoft.com/en-us/azure/databox-gateway/data-box-gateway-manage-access-power-connectivity-mode https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-gateway/data-box-gateway-manage-access-power-connectivity-mode.md a/articles/databox-gateway/data-box-gateway-manage-access-power-connectivity-mode.md
@@ -64,7 +64,7 @@ When generating the activation key for the device, or performing any operations
You should have `User` access on the Active Directory tenant so you can `Read all directory objects`. A Guest user doesn't have permissions to `Read all directory objects`. If you're a guest, operations like generating an activation key, creating a share on your device, and creating a user will fail.
-For more information on how to provide access to users to Microsoft Graph API, see [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference).
+For more information on how to provide access to users to Microsoft Graph API, see [Microsoft Graph permissions reference](/graph/permissions-reference).
### Register resource providers
@@ -91,7 +91,7 @@ For a Data Box Gateway device, `Microsoft.DataBoxEdge` should be registered. To
Register-AzResourceProvider -ProviderNamespace Microsoft.DataBoxEdge ```
-For more information on how to register a resource provider, see [Resolve errors for resource provider registration](https://docs.microsoft.com/azure/azure-resource-manager/resource-manager-register-provider-errors).
+For more information on how to register a resource provider, see [Resolve errors for resource provider registration](../azure-resource-manager/templates/error-register-resource-provider.md).
## Manage connectivity mode
@@ -129,4 +129,4 @@ You can shut down or restart your virtual device using the local web UI. We reco
3. When prompted for confirmation, click **Yes** to proceed. > [!NOTE]
-> If you shut down the virtual device, you will need to start the device through the hypervisor management.
+> If you shut down the virtual device, you will need to start the device through the hypervisor management.
\ No newline at end of file
databox-gateway https://docs.microsoft.com/en-us/azure/databox-gateway/data-box-gateway-manage-shares https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-gateway/data-box-gateway-manage-shares.md a/articles/databox-gateway/data-box-gateway-manage-shares.md
@@ -45,7 +45,7 @@ Do the following steps in the Azure portal to create a share.
5. Choose the **Storage service** from block blob, page blob, or files. The type of the service chosen depends on which format you want the data to reside in Azure. For example, in this instance, we want the data to reside as blob blocks in Azure, hence we select **Block Blob**. If choosing**Page Blob**, you must ensure that your data is 512 bytes aligned. For example, a VHDX is always 512 bytes aligned. > [!IMPORTANT]
- > Make sure that the Azure Storage account that you use does not have immutability policies set on it if you are using it with a Data Box Gateway device. For more information, see [Set and manage immutability policies for blob storage](https://docs.microsoft.com/azure/storage/blobs/storage-blob-immutability-policies-manage).
+ > Make sure that the Azure Storage account that you use does not have immutability policies set on it if you are using it with a Data Box Gateway device. For more information, see [Set and manage immutability policies for blob storage](../storage/blobs/storage-blob-immutability-policies-manage.md).
6. This step depends on whether you are creating an SMB or an NFS share. - **If creating an SMB share** - In the **All privilege local user** field, choose from **Create new** or **Use existing**. If creating a new local user, provide the **username**, **password**, and then confirm password. This assigns the permissions to the local user. After you have assigned the permissions here, you can then use File Explorer to modify these permissions.
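Review bot: the hunk only swaps the immutability-policy link, but the context line above it still reads "If choosing**Page Blob**" (missing space before the bold) and "reside as blob blocks" where the option being selected is **Block Blob**; both are worth fixing in the same touch since the file is already open.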
databox-gateway https://docs.microsoft.com/en-us/azure/databox-gateway/data-box-gateway-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-gateway/data-box-gateway-overview.md a/articles/databox-gateway/data-box-gateway-overview.md
@@ -85,7 +85,7 @@ The Data Box Gateway solution comprises of Data Box Gateway resource, Data Box G
Data Box Gateway physical device, Azure resource, and target storage account to which you transfer data do not all have to be in the same region. -- **Resource availability** - For a list of all the regions where the Azure Data Box Gateway resource is available, go to [Azure products available by region](https://azure.microsoft.com/global-infrastructure/services/?regions=all&products=databox). Data Box Gateway can also be deployed in the Azure Government Cloud. For more information, see [What is Azure Government?](https://docs.microsoft.com/azure/azure-government/documentation-government-welcome).
+- **Resource availability** - For a list of all the regions where the Azure Data Box Gateway resource is available, go to [Azure products available by region](https://azure.microsoft.com/global-infrastructure/services/?regions=all&products=databox). Data Box Gateway can also be deployed in the Azure Government Cloud. For more information, see [What is Azure Government?](../azure-government/documentation-government-welcome.md).
- **Destination Storage accounts** - The storage accounts that store the data are available in all Azure regions.
@@ -96,5 +96,4 @@ Data Box Gateway physical device, Azure resource, and target storage account to
- Review the [Data Box Gateway system requirements](data-box-gateway-system-requirements.md). - Understand the [Data Box Gateway limits](data-box-gateway-limits.md).-- Deploy [Azure Data Box Gateway](data-box-gateway-deploy-prep.md) in Azure portal.-
+- Deploy [Azure Data Box Gateway](data-box-gateway-deploy-prep.md) in Azure portal.
\ No newline at end of file
databox-gateway https://docs.microsoft.com/en-us/azure/databox-gateway/data-box-gateway-security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-gateway/data-box-gateway-security.md a/articles/databox-gateway/data-box-gateway-security.md
@@ -81,7 +81,7 @@ This section describes the Data Box Gateway security features that protect in-tr
To secure the virtual disks on your Data Box Gateway virtual machine, we recommend that you enable BitLocker. By default, BitLocker is not enabled. For more information, see: -- [Encryption support settings in Hyper-V Manager](hhttps://docs.microsoft.com/windows-server/virtualization/hyper-v/learn-more/generation-2-virtual-machine-security-settings-for-hyper-v#encryption-support-settings-in-hyper-v-manager)
+- [Encryption support settings in Hyper-V Manager](/windows-server/virtualization/hyper-v/learn-more/generation-2-virtual-machine-security-settings-for-hyper-v#encryption-support-settings-in-hyper-v-manager)
- [BitLocker support in a virtual machine](https://kb.vmware.com/s/article/2036142) ## Manage personal information
databox-gateway https://docs.microsoft.com/en-us/azure/databox-gateway/data-box-gateway-use-cases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-gateway/data-box-gateway-use-cases.md a/articles/databox-gateway/data-box-gateway-use-cases.md
@@ -36,7 +36,7 @@ As the device fills up with data, it starts throttling the ingress rate (as need
Use Data Box Gateway when you want to retain your data for long term in the cloud. You can use the Archive tier of storage for long-term retention.
-The Archive tier is optimized to store rarely accessed data for at least 180 days. The Archive tier offers the lowest storage costs but has the highest access costs. For more information, go to [Archive access tier](/azure/storage/blobs/storage-blob-storage-tiers#archive-access-tier).
+The Archive tier is optimized to store rarely accessed data for at least 180 days. The Archive tier offers the lowest storage costs but has the highest access costs. For more information, go to [Archive access tier](../storage/blobs/storage-blob-storage-tiers.md#archive-access-tier).
### Move data to the Archive tier
@@ -44,14 +44,14 @@ Before you begin, make sure that you have a running Data Box Gateway device. Fol
- Use the Data Box Gateway device to upload data to Azure through the usual transfer procedure as described in [Transfer data via Data Box Gateway](data-box-gateway-deploy-add-shares.md). - After the data is uploaded, you will need to move it to Archive tier. You can set the blob tier in two ways: by using an Azure PowerShell script or an Azure Storage Lifecycle Management policy.
- - If using Azure PowerShell, follow these [steps](/azure/databox/data-box-how-to-set-data-tier#use-azure-powershell-to-set-the-blob-tier) to move the data to the Archive tier.
+ - If using Azure PowerShell, follow these [steps](../databox/data-box-how-to-set-data-tier.md#use-azure-powershell-to-set-the-blob-tier) to move the data to the Archive tier.
- If using Azure Lifecycle Management, follow these steps to move the data to the Archive tier.
- - [Register](/azure/storage/common/storage-lifecycle-management-concepts) for the preview of the Blob Lifecycle Management service to use the Archive tier.
- - Use the following policy to [Archive data on ingest](/azure/storage/blobs/storage-lifecycle-management-concepts#archive-data-after-ingest).
+ - [Register](../storage/blobs/storage-lifecycle-management-concepts.md) for the preview of the Blob Lifecycle Management service to use the Archive tier.
+ - Use the following policy to [Archive data on ingest](../storage/blobs/storage-lifecycle-management-concepts.md#archive-data-after-ingest).
- Once the blobs are marked as Archive, they can no longer be modified by the gateway unless they are moved to the hot or cold tier. If the file is in the local storage, any changes made to the local copy (including deletes) are not uploaded to the Archive tier. - To read data in Archive storage, you must rehydrate the data by changing the blob tier to hot or cool. [Refreshing the share](data-box-gateway-manage-shares.md#refresh-shares) on the gateway does not rehydrate the blob.
-For more information, learn more about how to [Manage Azure Blob Storage Lifecycle](/azure/storage/common/storage-lifecycle-management-concepts).
+For more information, learn more about how to [Manage Azure Blob Storage Lifecycle](../storage/blobs/storage-lifecycle-management-concepts.md).
## Initial bulk transfer followed by incremental transfer
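Review bot: the "Register" link moves from the storage/common folder to ../storage/blobs/storage-lifecycle-management-concepts.md, and the last link in the hunk makes the same common-to-blobs move; confirm the article actually lives under storage/blobs, since both links break together if it does not. Two wording points in the same lines: the sentence still reads "[Register] for the preview of the Blob Lifecycle Management service" while only its target changed, so the preview wording is worth re-checking while this line is being touched; and the unchanged context line says archived blobs can only be modified once "moved to the hot or cold tier" but then says to rehydrate "by changing the blob tier to hot or cool", and "cool" is the tier name, so the first sentence should use it too.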
@@ -61,10 +61,10 @@ Use Data Box and Data Box Gateway together when you want to do a bulk upload of
Follow these steps to copy the data to Data Box and upload to Azure Storage.
-1. [Order your Data Box](/azure/databox/data-box-deploy-ordered).
-2. [Set up your Data Box](/azure/databox/data-box-deploy-set-up).
-3. [Copy data to Data Box via SMB](/azure/databox/data-box-deploy-copy-data).
-4. [Return the Data Box, verify the data upload to Azure](/azure/databox/data-box-deploy-picked-up).
+1. [Order your Data Box](../databox/data-box-deploy-ordered.md).
+2. [Set up your Data Box](../databox/data-box-deploy-set-up.md).
+3. [Copy data to Data Box via SMB](../databox/data-box-deploy-copy-data.md).
+4. [Return the Data Box, verify the data upload to Azure](../databox/data-box-deploy-picked-up.md).
5. Once the data upload to Azure is complete, all the data should be in Azure storage containers. In the storage account for Data Box, go to the Blob (and File) container to make sure that all the data is copied. Make a note of the container name as you will use this name later. For instance, in the following screenshot, `databox` container will be used for the incremental transfer. ![Container with data on Data Box](media/data-box-gateway-use-cases/data-container.png)
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-contact-microsoft-support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-contact-microsoft-support.md a/articles/databox-online/azure-stack-edge-contact-microsoft-support.md
@@ -94,4 +94,4 @@ After creating a support ticket, you can manage the lifecycle of the ticket from
## Next steps Learn how to [Troubleshoot issues related to Azure Stack Edge Pro](azure-stack-edge-troubleshoot.md).
-Learn how to [Troubleshoot issues related to Data Box Gateway](data-box-gateway-troubleshoot.md).
+Learn how to [Troubleshoot issues related to Data Box Gateway](../databox-gateway/data-box-gateway-troubleshoot.md).
\ No newline at end of file
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-deploy-prep https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-deploy-prep.md a/articles/databox-online/azure-stack-edge-deploy-prep.md
@@ -7,13 +7,13 @@
Previously updated : 01/06/2021 Last updated : 01/22/2021 Customer intent: As an IT admin, I need to understand how to prepare the portal to deploy Azure Stack Edge Pro so I can use it to transfer data to Azure. # Tutorial: Prepare to deploy Azure Stack Edge Pro
-This is the first tutorial in the series of deployment tutorials that are required to completely deploy Azure Stack Edge Pro. This tutorial describes how to prepare the Azure portal to deploy a Azure Stack Edge resource.
+This is the first tutorial in the series of deployment tutorials that are required to completely deploy Azure Stack Edge Pro. This tutorial describes how to prepare the Azure portal to deploy an Azure Stack Edge resource.
You need administrator privileges to complete the setup and configuration process. The portal preparation takes less than 10 minutes.
@@ -32,7 +32,7 @@ To deploy Azure Stack Edge Pro, refer to the following tutorials in the prescrib
| **#** | **In this step** | **Use these documents** | | | | |
-| 1. |**[Prepare the Azure portal for Azure Stack Edge Pro](azure-stack-edge-deploy-prep.md)** |Create and configure your Azure Stack Edge resource before you install a Azure Stack Box Edge physical device. |
+| 1. |**[Prepare the Azure portal for Azure Stack Edge Pro](azure-stack-edge-deploy-prep.md)** |Create and configure your Azure Stack Edge resource before you install an Azure Stack Box Edge physical device. |
| 2. |**[Install Azure Stack Edge Pro](azure-stack-edge-deploy-install.md)**|Unpack, rack, and cable the Azure Stack Edge Pro physical device. | | 3. |**[Connect, set up, and activate Azure Stack Edge Pro](azure-stack-edge-deploy-connect-setup-activate.md)** |Connect to the local web UI, complete the device setup, and activate the device. The device is ready to set up SMB or NFS shares. | | 4. |**[Transfer data with Azure Stack Edge Pro](azure-stack-edge-deploy-add-shares.md)** |Add shares and connect to shares via SMB or NFS. |
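Review bot: the article fix in row 1 leaves "Azure Stack Box Edge physical device" in place, while row 2 of the same table calls it the "Azure Stack Edge Pro physical device"; the + line should read "before you install an Azure Stack Edge Pro physical device" so the product name is consistent across the table.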
@@ -55,7 +55,7 @@ Before you begin, make sure that:
* You should be an **Owner** at the subscription level to grant contributor access. To give contributor access to someone else, in Azure portal, go to **All Services** > **Subscriptions** > **Access control (IAM)** > **+Add** > **Add role assignment**. For more information, see [Tutorial: Grant a user access to Azure resources using the Azure portal](../role-based-access-control/quickstart-assign-role-user-portal.md). * To create any Azure Stack Edge / Data Box Gateway resource, you should have permissions as a contributor (or higher) scoped at resource group level. You also need to make sure that the `Microsoft.DataBoxEdge` resource provider is registered. For information on how to register a resource provider, see [Register resource provider](azure-stack-edge-manage-access-power-connectivity-mode.md#register-resource-providers).
- * To create any IoT Hub resource, make sure that Microsoft.Devices provider is registered. For information on how to register, go to [Register resource provider](azure-stack-edge-manage-access-power-connectivity-mode.md#register-resource-providers).
+ * To create any IoT Hub resource, make sure that the Microsoft.Devices provider is registered. For information on how to register, go to [Register resource provider](azure-stack-edge-manage-access-power-connectivity-mode.md#register-resource-providers).
* To create a Storage account resource, again you need contributor or higher access scoped at the resource group level. Azure Storage is by default a registered resource provider. * You have admin or user access to Azure Active Directory Graph API. For more information, see [Azure Active Directory Graph API](/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes#default-access-for-administrators-users-and-guest-users-). * You have your Microsoft Azure storage account with access credentials.
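Review bot: style point on the + line: the preceding bullet puts the provider namespace `Microsoft.DataBoxEdge` in code font, while Microsoft.Devices in this line is plain text; wrap it in backticks the same way so both provider names render consistently.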
@@ -86,7 +86,7 @@ Before you begin, make sure that:
If you have an existing Azure Stack Edge resource to manage your physical device, skip this step and go to [Get the activation key](#get-the-activation-key).
-To create a Azure Stack Edge resource, take the following steps in the Azure portal.
+To create an Azure Stack Edge resource, take the following steps in the Azure portal.
1. Use your Microsoft Azure credentials to sign in to
@@ -113,14 +113,14 @@ To create a Azure Stack Edge resource, take the following steps in the Azure por
|Setting |Value | |||
- |Name | A friendly name to identify the resource.<br>The name has between 2 and 50 characters containing letter, numbers, and hyphens.<br> Name starts and ends with a letter or a number. |
+ |Name | A friendly name to identify the resource.<br>The name has from 2 and 50 characters, including letters, numbers, and hyphens.<br> Name starts and ends with a letter or a number. |
|Region |For a list of all the regions where the Azure Stack Edge resource is available, see [Azure products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=databox&regions=all). If using Azure Government, all the government regions are available as shown in the [Azure regions](https://azure.microsoft.com/global-infrastructure/regions/).<br> Choose a location closest to the geographical region where you want to deploy your device.| ![Project and instance details](media/azure-stack-edge-deploy-prep/data-box-edge-resource.png) 5. Select **Next: Shipping address**.
- - If you already have a device, select the combo box for **I have a Azure Stack Edge Pro device**.
+ - If you already have a device, select the combo box for **I have an Azure Stack Edge device**.
- If this is the new device that you are ordering, enter the contact name, company, address to ship the device, and contact information. ![Shipping address for new device](media/azure-stack-edge-deploy-prep/data-box-edge-resource1.png)
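Review bot: the + line for the Name row introduces a grammar error: "The name has from 2 and 50 characters" should be "The name has from 2 to 50 characters" (or keep the original "between 2 and 50"). In the same hunk the combo-box label changes from "I have a Azure Stack Edge Pro device" to "I have an Azure Stack Edge device"; since this is quoted UI text, confirm that the portal label really dropped "Pro" rather than only needing the article fixed.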
@@ -133,19 +133,23 @@ To create a Azure Stack Edge resource, take the following steps in the Azure por
8. Select **Create**.
-The resource creation takes a few minutes. After the resource is successfully created and deployed, you're notified. Select **Go to resource**.
+ The resource creation takes a few minutes. After the resource is successfully created and deployed, you're notified. Select **Go to resource**.
-![Go to the Azure Stack Edge resource](media/azure-stack-edge-deploy-prep/data-box-edge-resource3.png)
+ ![Go to the Azure Stack Edge resource](media/azure-stack-edge-deploy-prep/data-box-edge-resource3.png)
After the order is placed, Microsoft reviews the order and reaches out to you (via email) with shipping details. ![Notification for review of the Azure Stack Edge Pro order](media/azure-stack-edge-deploy-prep/data-box-edge-resource4.png) +
+> [!NOTE]
+> If you want to create multiple orders at one time or clone an existing order, you can use the [scripts in Azure Samples](https://github.com/Azure-Samples/azure-stack-edge-order). For more information, see the README file.
+ ## Get the activation key After the Azure Stack Edge resource is up and running, you'll need to get the activation key. This key is used to activate and connect your Azure Stack Edge Pro device with the resource. You can get this key now while you are in the Azure portal.
-1. Go to the resource that you created and select **Overview**. You'll see a notification to the effect that your order is being processed.
+1. Go to the resource that you created, and select **Overview**. You'll see a notification to the effect that your order is being processed.
![Select Overview](media/azure-stack-edge-deploy-prep/data-box-edge-select-devicesetup.png)
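Review bot: the comma added in step 1 ("Go to the resource that you created, and select **Overview**") splits a compound predicate with a single subject; the original without the comma was correct, so this part of the hunk should be reverted. The rest of the hunk (indenting the result paragraph and screenshot under step 8, and the new NOTE pointing to the Azure Samples ordering scripts) reads fine.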
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-2101-release-notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-2101-release-notes.md new file mode 100644 /dev/null
@@ -0,0 +1,85 @@
+
+ Title: Azure Stack Edge Pro 2101 release notes
+description: Describes critical open issues and resolutions for the Azure Stack Edge Pro running 2101 release.
++
+
+++ Last updated : 01/19/2021+++
+# Azure Stack Edge 2101 release notes
+
+The following release notes identify the critical open issues and the resolved issues for the 2101 release for your Azure Stack Edge devices. These release notes are applicable for Azure Stack Edge Pro GPU, Azure Stack Edge Pro R, and Azure Stack Edge Mini R devices. Features and issues that correspond to a specific model are called out wherever applicable.
+
+The release notes are continuously updated, and as critical issues requiring a workaround are discovered, they are added. Before you deploy your device, carefully review the information contained in the release notes.
+
+This article applies to the **Azure Stack Edge 2101** release, which maps to software version number **2.2.1473.2521**.
+
+## What's new
+
+The following new features are available in the Azure Stack Edge 2101 release.
+
+- **General availability of Azure Stack Edge Pro R and Azure Stack Edge Mini R devices** - Starting with this release, Azure Stack Edge Pro R and Azure Stack Edge Mini R devices will be available. For more information, see [What is Azure Stack Edge Pro R](azure-stack-edge-j-series-overview.md) and [What is Azure Stack Edge Mini R](azure-stack-edge-k-series-overview.md).
+- **Cloud management of Virtual Machines** - Beginning this release, you can create and manage the virtual machines on your device via the Azure portal. For more information, see [Deploy VMs via the Azure portal](azure-stack-edge-gpu-deploy-virtual-machine-portal.md).
+- **Integration with Azure Monitor** - You can now use Azure Monitor to monitor containers from the compute applications that run on your device. The Azure Monitor metrics store is not supported in this release. For more information, see how to [Enable Azure Monitor on your device](azure-stack-edge-gpu-enable-azure-monitor.md).
+- **Edge container registry** - In this release, an Edge container registry is available that provides a repository at the edge on your device. You can use this registry to store and manage container images. For more information, see [Enable Edge container registry](azure-stack-edge-gpu-deploy-arc-kubernetes-cluster.md).
+- **Virtual Private Network (VPN)** - Use VPN to provide another layer of encryption for the data that flows between the devices and the cloud. VPN is available only on Azure Stack Edge Pro R and Azure Stack Edge Mini R. For more information, see how to [Configure VPN on your device](azure-stack-edge-mini-r-configure-vpn-powershell.md).
+- **Rotate encryption-at-rest keys** - You can now rotate the encryption-at-rest keys that are used to protect the drives on your device. This feature is available only for Azure Stack Edge Pro R and Azure Stack Edge Mini R devices. For more information, see [Rotate encryption-at-rest keys](azure-stack-edge-gpu-manage-access-power-connectivity-mode.md#manage-access-to-device-data).
+- **Proactive logging** - Starting this release, you can enable proactive log collection on your device based on the system health indicators to help efficiently troubleshoot any device issues. For more information, see [Proactive log collection on your device](azure-stack-edge-gpu-proactive-log-collection.md).
++
+## Known issues in 2101 release
+
+The following table provides a summary of known issues in the 2101 release.
+
+| No. | Feature | Issue | Workaround/comments |
+| | | | |
+|**1.**|Preview features |For this release, the following features: Local Azure Resource Manager, VMs, Cloud management of VMs, Azure Arc enabled Kubernetes, VPN for Azure Stack Edge Pro R and Azure Stack Edge Mini R, Multi-process service (MPS) for Azure Stack Edge Pro GPU - are all available in preview. |These features will be generally available in later releases. |
+|**2.**|Kubernetes Dashboard | *Https* endpoint for Kubernetes Dashboard with SSL certificate is not supported. | |
+|**3.**|Kubernetes |Edge container registry doesn't work when web proxy is enabled.|The functionality will be available in a future release. |
+|**4.**|Kubernetes |Edge container registry doesn't work with IoT Edge modules.| |
+|**5.**|Kubernetes |Kubernetes doesn't support ":" in environment variable names that are used by .NET applications. That is also required for Event grid IoT Edge module to function on Azure Stack Edge device and other applications. For more information, see [ASP.NET core documentation](/aspnet/core/fundamentals/configuration/?tabs=basicconfiguration&view=aspnetcore-3.1&preserve-view=true#environment-variables).|Replace ":" by double underscore. For more information,see [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/53201)|
+|**6.** |Azure Arc + Kubernetes cluster |By default, when resource `yamls` are deleted from the Git repository, the corresponding resources aren't deleted from the Kubernetes cluster. |You need to set `--sync-garbage-collection` in Arc OperatorParams to allow the deletion of resources when they're deleted from the git repository. For more information, see [Delete a configuration](../azure-arc/kubernetes/use-gitops-connected-cluster.md#additional-parameters). |
+|**7.**|NFS |Applications that use NFS share mounts on your device to write data should use Exclusive write. Using Exclusive write ensures that the writes are written to the disk.| |
+|**8.**|Compute configuration |Compute configuration fails in network configurations where gateways or switches or routers respond to Address Resolution Protocol (ARP) requests for systems that don't exist on the network.| |
+|**9.**|Compute and Kubernetes |If Kubernetes is set up first on your device, it claims all the available GPUs. Hence, it's not possible to create Azure Resource Manager VMs using GPUs after setting up the Kubernetes. |If your device has 2 GPUs, then you can create 1 VM that uses the GPU and then configure Kubernetes. In this case, Kubernetes will use the remaining available 1 GPU. |
++
+## Known issues from previous releases
+
+The following table provides a summary of known issues carried over from the previous releases.
+
+| No. | Feature | Issue | Workaround/comments |
+| | | | |
+| **1.** |Azure Stack Edge Pro + Azure SQL | Creating SQL database requires Administrator access. |Do the following steps instead of Steps 1-2 in [https://docs.microsoft.com/azure/iot-edge/tutorial-store-data-sql-server#create-the-sql-database](../iot-edge/tutorial-store-data-sql-server.md#create-the-sql-database). <ul><li>In the local UI of your device, enable compute interface. Select **Compute > Port # > Enable for compute > Apply.**</li><li>Download `sqlcmd` on your client machine from https://docs.microsoft.com/sql/tools/sqlcmd-utility </li><li>Connect to your compute interface IP address (the port that was enabled), adding a ",1401" to the end of the address.</li><li>Final command will look like this: sqlcmd -S {Interface IP},1401 -U SA -P "Strong!Passw0rd".</li>After this, steps 3-4 from the current documentation should be identical. </li></ul> |
+| **2.** |Refresh| Incremental changes to blobs restored via **Refresh** are NOT supported |For Blob endpoints, partial updates of blobs after a Refresh, may result in the updates not getting uploaded to the cloud. For example, sequence of actions such as:<ul><li>Create blob in cloud. Or delete a previously uploaded blob from the device.</li><li>Refresh blob from the cloud into the appliance using the refresh functionality.</li><li>Update only a portion of the blob using Azure SDK REST APIs.</li></ul>These actions can result in the updated sections of the blob to not get updated in the cloud. <br>**Workaround**: Use tools such as robocopy, or regular file copy through Explorer or command line, to replace entire blobs.|
+|**3.**|Throttling|During throttling, if new writes to the device aren't allowed, writes by the NFS client fail with a "Permission Denied" error.| The error will show as below:<br>`hcsuser@ubuntu-vm:~/nfstest$ mkdir test`<br>mkdir: cannot create directory 'test': Permission deniedΓÇï|
+|**4.**|Blob Storage ingestion|When using AzCopy version 10 for Blob storage ingestion, run AzCopy with the following argument: `Azcopy <other arguments> --cap-mbps 2000`| If these limits aren't provided for AzCopy, it could potentially send a large number of requests to the device, resulting in issues with the service.|
+|**5.**|Tiered storage accounts|The following apply when using tiered storage accounts:<ul><li> Only block blobs are supported. Page blobs are not supported.</li><li>There is no snapshot or copy API support.</li><li> Hadoop workload ingestion through `distcp` is not supported as it uses the copy operation heavily.</li></ul>||
+|**6.**|NFS share connection|If multiple processes are copying to the same share, and the `nolock` attribute isn't used, you may see errors during the copy.ΓÇï|The `nolock` attribute must be passed to the mount command to copy files to the NFS share. For example: `C:\Users\aseuser mount -o anon \\10.1.1.211\mnt\vms Z:`.|
+|**7.**|Kubernetes cluster|When applying an update on your device that is running a kubernetes cluster, the kubernetes virtual machines will restart and reboot. In this instance, only pods that are deployed with replicas specified are automatically restored after an update. |If you have created individual pods outside a replication controller without specifying a replica set, these pods won't be restored automatically after the device update. You will need to restore these pods.<br>A replica set replaces pods that are deleted or terminated for any reason, such as node failure or disruptive node upgrade. For this reason, we recommend that you use a replica set even if your application requires only a single pod.|
+|**8.**|Kubernetes cluster|Kubernetes on Azure Stack Edge Pro is supported only with Helm v3 or later. For more information, go to [Frequently asked questions: Removal of Tiller](https://v3.helm.sh/docs/faq/).|
+|**9.**|Azure Arc enabled Kubernetes |For the GA release, Azure Arc enabled Kubernetes is updated from version 0.1.18 to 0.2.9. As the Azure Arc enabled Kubernetes update is not supported on Azure Stack Edge device, you will need to redeploy Azure Arc enabled Kubernetes.|Follow these steps:<ol><li>[Apply device software and Kubernetes updates](azure-stack-edge-gpu-install-update.md).</li><li>Connect to the [PowerShell interface of the device](azure-stack-edge-gpu-connect-powershell-interface.md).</li><li>Remove the existing Azure Arc agent. Type: `Remove-HcsKubernetesAzureArcAgent`.</li><li>Deploy [Azure Arc to a new resource](azure-stack-edge-gpu-deploy-arc-kubernetes-cluster.md). Do not use an existing Azure Arc resource.</li></ol>|
+|**10.**|Azure Arc enabled Kubernetes|Azure Arc deployments are not supported if web proxy is configured on your Azure Stack Edge Pro device.||
+|**11.**|Kubernetes |Port 31000 is reserved for Kubernetes Dashboard. Port 31001 is reserved for Edge container registry. Similarly, in the default configuration, the IP addresses 172.28.0.1 and 172.28.0.10, are reserved for Kubernetes service and Core DNS service respectively.|Do not use reserved IPs.|
+|**12.**|Kubernetes |Kubernetes does not currently allow multi-protocol LoadBalancer services. For example, a DNS service that would have to listen on both TCP and UDP. |To work around this limitation of Kubernetes with MetalLB, two services (one for TCP, one for UDP) can be created on the same pod selector. These services use the same sharing key and spec.loadBalancerIP to share the same IP address. IPs can also be shared if you have more services than available IP addresses. <br> For more information, see [IP address sharing](https://metallb.universe.tf/usage/#ip-address-sharing).|
+|**13.**|Kubernetes cluster|Existing Azure IoT Edge marketplace modules may require modifications to run on IoT Edge on Azure Stack Edge device.|For more information, see Modify Azure IoT Edge modules from marketplace to run on Azure Stack Edge device.<!-- insert link-->|
+|**14.**|Kubernetes |File-based bind mounts aren't supported with Azure IoT Edge on Kubernetes on Azure Stack Edge device.|IoT Edge uses a translation layer to translate `ContainerCreate` options to Kubernetes constructs. Creating `Binds` maps to `hostpath` directory and thus file-based bind mounts cannot be bound to paths in IoT Edge containers. If possible, map the parent directory.|
+|**15.**|Kubernetes |If you bring your own certificates for IoT Edge and add those on your Azure Stack Edge device after the compute is configured on the device, the new certificates are not picked up.|To work around this problem, you should upload the certificates before you configure compute on the device. If the compute is already configured, [Connect to the PowerShell interface of the device and run IoT Edge commands](azure-stack-edge-gpu-connect-powershell-interface.md#use-iotedge-commands). Restart `iotedged` and `edgehub` pods.|
+|**16.**|Certificates |In certain instances, certificate state in the local UI may take several seconds to update. |The following scenarios in the local UI may be affected.<ul><li>**Status** column in **Certificates** page.</li><li>**Security** tile in **Get started** page.</li><li>**Configuration** tile in **Overview** page.</li></ul> |
+|**17.**|IoT Edge |Modules deployed through IoT Edge can't use host network. | |
+|**18.**|Compute + Kubernetes |Compute/Kubernetes does not support NTLM web proxy. ||
+|**19.**|Compute + web proxy + update |If you have compute configured with web proxy, then compute update may fail. |We recommend that you disable compute before the update. |
+|**20.**|Kubernetes + update |Earlier software versions such as 2008 releases have a race condition update issue that causes the update to fail with ClusterConnectionException. |Using the newer builds should help avoid this issue. If you still see this issue, the workaround is to retry the upgrade, and it should work.|
++
+<!--|**18.**|Azure Private Edge Zone (Preview) |There is a known issue with Virtual Network Function VM if the VM was created on Azure Stack Edge device running earlier preview builds such as 2006/2007b and then the device was updated to 2009 GA release. The issue is that the VNF information can't be retrieved or any new VNFs can't be created unless the VNF VMs are deleted before the device is updated. |Before you update Azure Stack Edge device to 2009 release, use the PowerShell command `get-mecvnf` followed by `remove-mecvnf <VNF guid>` to remove all Virtual Network Function VMs one at a time. After the upgrade, you will need to redeploy the same VNFs.|-->
++
+## Next steps
+
+- [Update your device](azure-stack-edge-gpu-install-update.md)
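Review bot: row 6 of "Known issues from previous releases" states that the `nolock` attribute must be passed to the mount command, but the example it gives, `C:\Users\aseuser mount -o anon \\10.1.1.211\mnt\vms Z:`, does not include it; the example should show the option the row is recommending. Further points in this new file: rows 3 and 6 carry mojibake ("deniedΓÇï", "copy.ΓÇï"), a zero-width space that was mis-decoded, which should be stripped before publishing; row 13 ships a literal `<!-- insert link-->` placeholder where the link to the module-modification article should be; row 8 has only three cells where every other row has four, so the table will misrender; the commented-out row at the end is numbered 18 while the visible table already runs to 20; row 5 has a missing space in "For more information,see"; and the sqlcmd example in row 1 passes the SA password on the command line with `-P "Strong!Passw0rd"`, which ends up in shell history, so it would be better to omit `-P` so that sqlcmd prompts for the password.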
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-deploy-arc-kubernetes-cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-deploy-arc-kubernetes-cluster.md a/articles/databox-online/azure-stack-edge-gpu-deploy-arc-kubernetes-cluster.md
@@ -35,7 +35,7 @@ Before you can enable Azure Arc on Kubernetes cluster, make sure that you have c
1. You have a Windows client system that will be used to access the Azure Stack Edge Pro device.
- - The client is running Windows PowerShell 5.0 or later. To download the latest version of Windows PowerShell, go to [Install Windows PowerShell](https://docs.microsoft.com/powershell/scripting/install/installing-powershell-core-on-windows).
+ - The client is running Windows PowerShell 5.0 or later. To download the latest version of Windows PowerShell, go to [Install Windows PowerShell](/powershell/scripting/install/installing-powershell-core-on-windows).
- You can have any other client with a [Supported operating system](azure-stack-edge-gpu-system-requirements.md#supported-os-for-clients-connected-to-device) as well. This article describes the procedure when using a Windows client.
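Review bot: the link target installing-powershell-core-on-windows documents PowerShell Core, while the bullet states the client runs "Windows PowerShell 5.0 or later" and the link text says "Install Windows PowerShell"; either point the link at the Windows PowerShell installation page or reword the prerequisite to match the product the link installs, otherwise a reader following it installs something other than what the bullet names. The change itself, from an absolute docs.microsoft.com URL to the site-relative /powershell/... path, is fine.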
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-deploy-prep https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-deploy-prep.md a/articles/databox-online/azure-stack-edge-gpu-deploy-prep.md
@@ -7,7 +7,7 @@
Previously updated : 01/05/2021 Last updated : 01/22/2021 Customer intent: As an IT admin, I need to understand how to prepare the portal to deploy Azure Stack Edge Pro so I can use it to transfer data to Azure.
@@ -152,18 +152,18 @@ To create an Azure Stack Edge resource, take the following steps in the Azure po
11. Select **Create**.
-The resource creation takes a few minutes. An MSI is also created that lets the Azure Stack Edge device communicate with the resource provider in Azure.
+ The resource creation takes a few minutes. An MSI is also created that lets the Azure Stack Edge device communicate with the resource provider in Azure.
-After the resource is successfully created and deployed, you're notified. Select **Go to resource**.
+ After the resource is successfully created and deployed, you're notified. Select **Go to resource**.
-![Go to the Azure Stack Edge Pro resource](media/azure-stack-edge-gpu-deploy-prep/azure-stack-edge-resource-1.png)
+ ![Go to the Azure Stack Edge Pro resource](media/azure-stack-edge-gpu-deploy-prep/azure-stack-edge-resource-1.png)
After the order is placed, Microsoft reviews the order and reaches out to you (via email) with shipping details. <!--![Notification for review of the Azure Stack Edge Pro order](media/azure-stack-edge-gpu-deploy-prep/azure-stack-edge-resource-2.png)--> > [!NOTE]
->If you want to create multiple orders at one time or clone an existing order, you can use the [scripts in Azure Samples](https://github.com/Azure-Samples/azure-stack-edge-order). For more information, see the README file.
+> If you want to create multiple orders at one time or clone an existing order, you can use the [scripts in Azure Samples](https://github.com/Azure-Samples/azure-stack-edge-order). For more information, see the README file.
If you run into any issues during the order process, see [Troubleshoot order issues](azure-stack-edge-troubleshoot-ordering.md).
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-install-update https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-install-update.md a/articles/databox-online/azure-stack-edge-gpu-install-update.md
@@ -7,23 +7,23 @@
Previously updated : 12/11/2020 Last updated : 01/19/2021 # Update your Azure Stack Edge Pro GPU
-This article describes the steps required to install update on your Azure Stack Edge Pro with GPU via the local web UI and via the Azure portal. You apply the software updates or hotfixes to keep your Azure Stack Edge Pro device and the associated Kubernetes cluster on the device up-to-date.
+This article describes the steps required to install update on your Azure Stack Edge Pro with GPU via the local web UI and via the Azure portal. You apply the software updates or hotfixes to keep your Azure Stack Edge Pro device and the associated Kubernetes cluster on the device up-to-date.
The procedure described in this article was performed using a different version of software, but the process remains the same for the current software version. > [!IMPORTANT]
-> - Update **2012** is the current update and corresponds to:
-> - Device software version - **2.2.1438.2470**
+> - Update **2101** is the current update and corresponds to:
+> - Device software version - **2.2.1473.2521**
> - Kubernetes server version - **v1.17.3** > - IoT Edge version: **0.1.0-beta10** >
-> For information on what's new in this update, go to [Release notes](azure-stack-edge-gpu-2012-release-notes.md).
-> - To apply 2012 update, your device must be running 2010.
+> For information on what's new in this update, go to [Release notes](azure-stack-edge-gpu-2101-release-notes.md).
+> - To apply 2101 update, your device must be running 2010.
> - Keep in mind that installing an update or hotfix restarts your device. This update contains the device software updates and the Kubernetes updates. Given that the Azure Stack Edge Pro is a single node device, any I/O in progress is disrupted and your device experiences a downtime of up to 1.5 hours for the update. To install updates on your device, you first need to configure the location of the update server. After the update server is configured, you can apply the updates via the Azure portal UI or the local web UI.
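Review bot: the prerequisite line still reads "To apply 2101 update, your device must be running 2010" after the version bump, while the previous revision required 2010 for the 2012 update; confirm that 2101 can be applied directly from 2010 without installing 2012 first, or spell out the required path (2010, then 2012, then 2101). The unchanged context lines also still list Kubernetes server v1.17.3 and IoT Edge 0.1.0-beta10 under the new update; verify those did not change in 2101, since the device software version did. Minor: "install update" in the intro sentence should be "install updates".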
@@ -32,7 +32,7 @@ Each of these steps is described in the following sections.
## Configure update server
-1. In the local web UI, go to **Configuration** > **Update server**.
+1. In the local web UI, go to **Configuration** > **Update server**.
![Configure updates 1](./media/azure-stack-edge-gpu-install-update/configure-update-server-1.png)
@@ -48,7 +48,7 @@ Each of these steps is described in the following sections.
## Use the Azure portal
-We recommend that you install updates through the Azure portal. The device automatically scans for updates once a day. Once the updates are available, you see a notification in the portal. You can then download and install the updates.
+We recommend that you install updates through the Azure portal. The device automatically scans for updates once a day. Once the updates are available, you see a notification in the portal. You can then download and install the updates.
> [!NOTE] > Make sure that the device is healthy and status shows as **Online** before you proceed to install the updates.
@@ -61,23 +61,23 @@ We recommend that you install updates through the Azure portal. The device autom
You can choose to **Download and install** the updates or just **Download** the updates. You can then choose to install these updates later.
- ![Software version after update 2](./media/azure-stack-edge-gpu-install-update/portal-update-2a.png)
+ ![Software version after update 2](./media/azure-stack-edge-gpu-install-update/portal-update-2-a.png)
If you want to download and install the updates, check the option that updates install automatically after the download completes.
- ![Software version after update 3](./media/azure-stack-edge-gpu-install-update/portal-update-2b.png)
+ ![Software version after update 3](./media/azure-stack-edge-gpu-install-update/portal-update-2-b.png)
3. The download of updates starts. You see a notification that the download is in progress. ![Software version after update 4](./media/azure-stack-edge-gpu-install-update/portal-update-3.png)
- A notification banner is also displayed in the Azure portal. This indicates the download progress.
+ A notification banner is also displayed in the Azure portal. This indicates the download progress.
![Software version after update 5](./media/azure-stack-edge-gpu-install-update/portal-update-4.png) You can select this notification or select **Update device** to see the detailed status of the update.
- ![Software version after update 6](./media/azure-stack-edge-gpu-install-update/portal-update-5.png)
+ ![Software version after update 6](./media/azure-stack-edge-gpu-install-update/portal-update-5.png)
4. After the download is complete, the notification banner updates to indicate the completion. If you chose to download and install the updates, the installation will begin automatically.
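Review bot: the image references are renamed from portal-update-2a.png to portal-update-2-a.png (and 2b to 2-b), so the files under ./media/azure-stack-edge-gpu-install-update/ must be renamed in the same commit or these images break; the other screenshots in this hunk (portal-update-3.png, -4.png, -5.png) keep their names, which is consistent with the new scheme. The alt text "Software version after update N" does not describe what the screenshots show (download options, progress banner, update status); descriptive alt text would help accessibility.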
@@ -88,7 +88,7 @@ We recommend that you install updates through the Azure portal. The device autom
![Software version after update 8](./media/azure-stack-edge-gpu-install-update/portal-update-7.png)
-5. You see a notification that the install is in progress.
+5. You see a notification that the install is in progress.
![Software version after update 9](./media/azure-stack-edge-gpu-install-update/portal-update-8.png)
@@ -161,9 +161,9 @@ Do the following steps to download the update from the Microsoft Update Catalog.
2. In the search box of the Microsoft Update Catalog, enter the Knowledge Base (KB) number of the hotfix or terms for the update you want to download. For example, enter **Azure Stack Edge Pro**, and then click **Search**.
- The update listing appears as **Azure Stack Edge Update 2012**.
+ The update listing appears as **Azure Stack Edge Update 2101**.
- <!--![Search catalog 2](./media/azure-stack-edge-gpu-install-update/download-update-2b.png)-->
+ <!--![Search catalog 2](./media/azure-stack-edge-gpu-install-update/download-update-2-b.png)-->
4. Select **Download**. There are two files to download with *SoftwareUpdatePackage.exe* and *Kubernetes_Package.exe* suffixes that correspond to device software updates and Kubernetes updates respectively. Download the files to a folder on the local system. You can also copy the folder to a network share that is reachable from the device.
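Review bot: step numbering in this hunk goes from 2 to 4 with no step 3 visible; check that a step was not lost when the catalog screenshot was commented out. Since this path has the user download two executables (*SoftwareUpdatePackage.exe* and *Kubernetes_Package.exe*) from the Update Catalog and copy them to a network share, it would be worth stating how to confirm the packages are the genuine Microsoft-signed files before applying them to the device.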
@@ -174,7 +174,7 @@ Prior to the update or hotfix installation, make sure that:
- You have the update or the hotfix downloaded either locally on your host or accessible via a network share. - Your device status is healthy as shown in the **Overview** page of the local web UI.
- ![update device](./media/azure-stack-edge-gpu-install-update/local-ui-update-1.png)
+ ![update device](./media/azure-stack-edge-gpu-install-update/local-ui-update-1.png)
This procedure takes around 20 minutes to complete. Perform the following steps to install the update or hotfix.
@@ -184,9 +184,9 @@ This procedure takes around 20 minutes to complete. Perform the following steps
2. Provide the path to the update file. You can also browse to the update installation file if placed on a network share. Select the software update file with *SoftwareUpdatePackage.exe* suffix.
- ![update device 3](./media/azure-stack-edge-gpu-install-update/local-ui-update-3a.png)
+ ![update device 3](./media/azure-stack-edge-gpu-install-update/local-ui-update-3-a.png)
-3. Select **Apply**.
+3. Select **Apply**.
![update device 4](./media/azure-stack-edge-gpu-install-update/local-ui-update-4.png)
@@ -196,21 +196,21 @@ This procedure takes around 20 minutes to complete. Perform the following steps
5. The update starts. After the device is successfully updated, it restarts. The local UI is not accessible in this duration.
-6. After the restart is complete, you are taken to the **Sign in** page. To verify that the device software has updated, in the local web UI, go to **Maintenance** > **Software update**. For the current release, the displayed software version should be **Azure Stack Edge 2012**.
+6. After the restart is complete, you are taken to the **Sign in** page. To verify that the device software has been updated, in the local web UI, go to **Maintenance** > **Software update**. For the current release, the displayed software version should be **Azure Stack Edge 2101**.
- <!--![update device 6](./media/azure-stack-edge-gpu-install-update/local-ui-update-6.png)-->
+ <!--![update device 6](./media/azure-stack-edge-gpu-install-update/local-ui-update-6.png)-->
7. You will now update the Kubernetes software version. Repeat the above steps. Provide a path to the Kubernetes update file with the *Kubernetes_Package.exe* suffix.
- <!--![update device](./media/azure-stack-edge-gpu-install-update/local-ui-update-7.png)-->
+ <!--![update device](./media/azure-stack-edge-gpu-install-update/local-ui-update-7.png)-->
-8. Select **Apply**.
+8. Select **Apply Update**.
![update device 7](./media/azure-stack-edge-gpu-install-update/local-ui-update-8.png)
-9. When prompted for confirmation, select **Yes** to proceed.
+9. When prompted for confirmation, select **Yes** to proceed.
-10. After the Kubernetes update is successfully installed, there is no change to the displayed software in **Maintenance** > **Software update**.
+10. After the Kubernetes update is successfully installed, there is no change to the displayed software in **Maintenance** > **Software update**.
## Next steps
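Review bot: step 8 now says "Select **Apply Update**" while step 3 in the preceding hunk still says "Select **Apply**" for the same local UI flow; confirm the actual button label and use it in both steps. Step 10 states that **Maintenance** > **Software update** shows no change after the Kubernetes update, which leaves the reader with no way to verify that it installed; if the local UI shows the Kubernetes version anywhere (the IMPORTANT block at the top lists v1.17.3), point to it here.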
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-troubleshoot.md a/articles/databox-online/azure-stack-edge-gpu-troubleshoot.md
@@ -7,7 +7,7 @@
Previously updated : 10/07/2020 Last updated : 01/21/2021 # Troubleshoot issues on your Azure Stack Edge Pro GPU device
@@ -21,7 +21,7 @@ This article describes how to troubleshoot issues on your Azure Stack Edge Pro G
To diagnose and troubleshoot any device errors, you can run the diagnostics tests. Do the following steps in the local web UI of your device to run diagnostic tests.
-1. In the local web UI, go to **Troubleshooting > Diagnostic tests**. Select the test you want to run and select **Run test**. This runs the tests to diagnose any possible issues with your network, device, web proxy, time, or cloud settings. You are notified that the device is running tests.
+1. In the local web UI, go to **Troubleshooting > Diagnostic tests**. Select the test you want to run and select **Run test**. The test diagnoses any possible issues with your network, device, web proxy, time, or cloud settings. You are notified that the device is running tests.
![Select tests ](media/azure-stack-edge-gpu-troubleshoot/run-diag-1.png)
@@ -92,7 +92,7 @@ To detect any hardware intrusion into the device, currently all the chassis even
- The system event log from the device is read using the `racadm` cmdlet. These events are then filtered for chassis-related event in to a `HWIntrusion.txt` file. -- To get only the hardware intrusion log in the support package, use `-Include HWSelLog` option when creating the support package.
+- To get only the hardware intrusion log in the support package, use the `-Include HWSelLog` option when you create the support package.
- If no specific include option is provided, the hardware intrusion log is included as a default in the support package.
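Review bot: the unchanged context line calls `racadm` a cmdlet, but racadm is the iDRAC command-line tool rather than a PowerShell cmdlet; reword to "the `racadm` tool" or name the wrapping cmdlet if there is one. The two bullets together say that `-Include HWSelLog` limits the support package to the hardware intrusion log and that the log is included by default when no include option is given; that is consistent, but "To get only the hardware intrusion log" reads as if the option were required to get the log at all. "To limit the support package to the hardware intrusion log, use ..." would be clearer.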
@@ -138,11 +138,11 @@ Here are the errors that may show up during the configuration of Azure Resource
| **Issue / Errors** | **Resolution** | ||--| |General issues|<li>[Verify that the Edge device is configured properly](#verify-the-device-is-configured-properly).<li> [Verify that the client is configured properly](#verify-the-client-is-configured-properly)|
-|Add-AzureRmEnvironment : An error occurred while sending the request.<br>At line:1 char:1<br>+ Add-AzureRmEnvironment -Name Az3 -ARMEndpoint "https://management.dbe ...|This error means that your Azure Stack Edge Pro device is not reachable or configured properly. Verify that the Edge device and the client are configured correctly. For guidance, see the **General issues** row in this table.|
+|Add-AzureRmEnvironment: An error occurred while sending the request.<br>At line:1 char:1<br>+ Add-AzureRmEnvironment -Name Az3 -ARMEndpoint "https://management.dbe ...|This error means that your Azure Stack Edge Pro device is not reachable or configured properly. Verify that the Edge device and the client are configured correctly. For guidance, see the **General issues** row in this table.|
|Service returned error. Check InnerException for more details: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. | This error is likely due to one or more bring your own certificate steps incorrectly performed. You can find guidance [here](./azure-stack-edge-j-series-connect-resource-manager.md#step-2-create-and-install-certificates). | |Operation returned an invalid status code 'ServiceUnavailable' <br> Response status code does not indicate success: 503 (Service Unavailable). | This error could be the result of any of these conditions.<li>ArmStsPool is in stopped state.</li><li>Either of the Azure Resource Manager/Security token services websites are down.</li><li>The Azure Resource Manager cluster resource is down.</li><br><strong>Note:</strong> Restarting the appliance might fix the issue, but you should collect the support package so that you can debug it further.| |AADSTS50126: Invalid username or password.<br>Trace ID: 29317da9-52fc-4ba0-9778-446ae5625e5a<br>Correlation ID: 1b9752c4-8cbf-4304-a714-8a16527410f4<br>Timestamp: 2019-11-15 09:21:57Z: The remote server returned an error: (400) Bad Request.<br>At line:1 char:1 |This error could be the result of any of these conditions.<li>For an invalid username and password, validate that the customer has changed the password from Azure portal by following the steps [here](./azure-stack-edge-j-series-set-azure-resource-manager-password.md) and then by using the correct password.<li>For an invalid tenant ID, the tenant ID is a fixed GUID and should be set to `c0257de7-538f-415c-993a-1b87a031879d`</li>|
-|connect-AzureRmAccount : AADSTS90056: The resource is disabled or does not exist. Check your app's code to ensure that you have specified the exact resource URL for the resource you are trying to access.<br>Trace ID: e19bdbc9-5dc8-4a74-85c3-ac6abdfda115<br>Correlation ID: 75c8ef5a-830e-48b5-b039-595a96488ff9 Timestamp: 2019-11-18 07:00:51Z: The remote server returned an error: (400) Bad |The resource endpoints used in the `Add-AzureRmEnvironment` command is incorrect.|
+|connect-AzureRmAccount: AADSTS90056: The resource is disabled or does not exist. Check your app's code to ensure that you have specified the exact resource URL for the resource you are trying to access.<br>Trace ID: e19bdbc9-5dc8-4a74-85c3-ac6abdfda115<br>Correlation ID: 75c8ef5a-830e-48b5-b039-595a96488ff9 Timestamp: 2019-11-18 07:00:51Z: The remote server returned an error: (400) Bad |The resource endpoints used in the `Add-AzureRmEnvironment` command are incorrect.|
|Unable to get endpoints from the cloud.<br>Please ensure you have network connection. Error detail: HTTPSConnectionPool(host='management.dbg-of4k6suvm.microsoftdatabox.com', port=30005): Max retries exceeded with url: /metadata/endpoints?api-version=2015-01-01 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),)) |This error appears mostly in a Mac/Linux environment, and is due to the following issues:<li>A PEM format certificate wasn't added to the python certificate store.</li> | ### Verify the device is configured properly
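Review bot: the cmdlet names in the changed rows are inconsistently cased (`connect-AzureRmAccount` next to `Add-AzureRmEnvironment`); use the canonical `Connect-AzureRmAccount` form. The rows also embed specific Trace IDs, Correlation IDs, timestamps and a device-specific hostname (management.dbg-of4k6suvm.microsoftdatabox.com) copied from one session; replacing those with placeholders would make the error signatures easier to match against a reader's own output. The TLS trust errors in this table all come from the device's bring-your-own certificate not being trusted by the client, and the resolutions correctly point at installing the certificate rather than disabling verification; keep it that way.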
@@ -182,7 +182,7 @@ Here are the errors related to blob storage on Azure Stack Edge Pro/ Data Box Ga
| **Issue / Errors** | **Resolution** | |--|--| |Unable to retrieve child resources. The value for one of the HTTP headers is not in the correct format.| From the **Edit** menu, select **Target Azure Stack APIs**. Then, restart Azure Storage Explorer.|
-|getaddrinfo ENOTFOUND <accountname>.blob.<serialnumber>.microsoftdatabox.com|Check that the endpoint name `<accountname>.blob.<serialnumber>.microsoftdatabox.com` is added to the hosts file at this path: `C:\Windows\System32\drivers\etc\hosts` on Windows, or `/etc/hosts` on Linux.|
+|`getaddrinfo ENOTFOUND <accountname>.blob.<serialnumber>.microsoftdatabox.com`|Check that the endpoint name `<accountname>.blob.<serialnumber>.microsoftdatabox.com` is added to the hosts file at this path: `C:\Windows\System32\drivers\etc\hosts` on Windows, or `/etc/hosts` on Linux.|
|Unable to retrieve child resources.<br> Details: self-signed certificate |Import the SSL certificate for your device into Azure Storage Explorer: <ol><li>Download the certificate from the Azure portal. For more information, see [Download the certificate](../databox/data-box-deploy-copy-data-via-rest.md#download-certificate).</li><li>From the **Edit** menu, select SSL Certificates and then select **Import Certificates**.</li></ol>| |AzCopy command appears to stop responding for a minute before displaying this error:<br>`Failed to enumerate directory https://… The remote name could not be resolved <accountname>.blob.<serialnumber>.microsoftdatabox.com`|Check that the endpoint name `<accountname>.blob.<serialnumber>.microsoftdatabox.com` is added to the hosts file at: `C:\Windows\System32\drivers\etc\hosts`.| |AzCopy command appears to stop responding for a minute before displaying this error:<br>`Error parsing source location. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel`. |Import the SSL certificate for your device into the system's certificate store. For more information, see [Download the certificate](../databox/data-box-deploy-copy-data-via-rest.md#download-certificate).|
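Review bot: the changed row now lists both the Windows hosts file path and `/etc/hosts`, but the AzCopy "remote name could not be resolved" row further down gives the same fix with only the Windows path; align the two. The resolutions that say "Import the SSL certificate for your device into the system's certificate store" should name the store (the trusted root CA store), since importing the device certificate into another store does not affect TLS validation and leaves the reader with the same error.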
@@ -192,8 +192,11 @@ Here are the errors related to blob storage on Azure Stack Edge Pro/ Data Box Ga
|AzCopy command appears to stop responding for 20 minutes before displaying this error: `Error parsing source location… The SSL connection could not be established`.|Import the SSL certificate for your device into the system's certificate store. For more information, see [Download the certificate](../databox/data-box-deploy-copy-data-via-rest.md#download-certificate).| |The value for one of the HTTP headers is not in the correct format.|The installed version of the Microsoft Azure Storage Library for Python is not supported by Data Box. See Azure Data Box Blob storage requirements for supported versions.| |… [SSL: CERTIFICATE_VERIFY_FAILED] …| Before running Python, set the REQUESTS_CA_BUNDLE environment variable to the path of the Base64-encoded SSL certificate file (see how to [Download the certificate](../databox/data-box-deploy-copy-data-via-rest.md#download-certificate). For example:<br>`export REQUESTS_CA_BUNDLE=/tmp/mycert.cer`<br>`python`<br>Alternately, add the certificate to the system's certificate store, and then set this environment variable to the path of that store. For example, on Ubuntu:<br>`export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt`<br>`python`.|
-|The connection times out.|Sign into the Azure Stack Edge Pro and then check that it's unlocked. Any time the device restarts, it stays locked until someone signs in.|
+|The connection times out.|Sign into the Azure Stack Edge Pro and then check that it's unlocked. Anytime the device restarts, it stays locked until someone signs in.|
+## Troubleshoot IoT Edge errors
+
+[!INCLUDE [Troubleshoot IoT Edge runtime](../../includes/azure-stack-edge-iot-troubleshoot-compute.md)]
## Next steps
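Review bot: the new `## Troubleshoot IoT Edge errors` heading is added directly after the last table row with no blank line, which some Markdown renderers will absorb into the table; add a blank line after the table. In the REQUESTS_CA_BUNDLE row (unchanged context), pointing the variable at a single device certificate file replaces the entire CA bundle for that Python process, so any other HTTPS call from the same process will fail verification; the second option in that row (append the certificate to the system store and point the variable at the store) avoids this and could be listed first.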
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-mini-r-deploy-prep https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-mini-r-deploy-prep.md a/articles/databox-online/azure-stack-edge-mini-r-deploy-prep.md
@@ -7,7 +7,7 @@
Previously updated : 01/05/2021 Last updated : 01/22/2021 Customer intent: As an IT admin, I need to understand how to prepare the portal to deploy Azure Stack Edge Mini R device so I can use it to transfer data to Azure.
@@ -117,11 +117,11 @@ To create an Azure Stack Edge resource, take the following steps in the Azure po
7. Select **Next: Shipping address**.
- - If you already have a device, select the combo box for **I already have a device**.
+ - If you already have a device, select the combo box for **I already have a device**.
![Create a resource 5](media/azure-stack-edge-mini-r-deploy-prep/create-resource-5.png)
- - If this is the new device that you are ordering, enter the contact name, company, address to ship the device to, and contact information.
+ - If this is the new device that you are ordering, enter the contact name, company, address to ship the device to, and contact information.
![Create a resource 6](media/azure-stack-edge-mini-r-deploy-prep/create-resource-6.png)
@@ -141,9 +141,12 @@ To create an Azure Stack Edge resource, take the following steps in the Azure po
![Go to the Azure Stack Edge Pro resource](media/azure-stack-edge-mini-r-deploy-prep/azure-stack-edge-resource-1.png)
- After the order is placed, Microsoft reviews the order and reaches out to you (via email) with shipping details.
+After the order is placed, Microsoft reviews the order and reaches out to you (via email) with shipping details.
- If you run into any issues during the order process, see [Troubleshoot order issues](azure-stack-edge-troubleshoot-ordering.md).
+> [!NOTE]
+> If you want to create multiple orders at one time or clone an existing order, you can use the [scripts in Azure Samples](https://github.com/Azure-Samples/azure-stack-edge-order). For more information, see the README file.
+
+If you run into any issues during the order process, see [Troubleshoot order issues](azure-stack-edge-troubleshoot-ordering.md).
## Get the activation key
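Review bot: the NOTE links to scripts in Azure-Samples for bulk ordering or cloning orders but says nothing about what they need to run (an Azure sign-in and permission to create Azure Stack Edge resources in the subscription); a one-line statement of the required permissions, or an explicit pointer that the README covers them, would help readers decide whether they can use the scripts before leaving the page.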
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-pro-r-deploy-prep https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-pro-r-deploy-prep.md a/articles/databox-online/azure-stack-edge-pro-r-deploy-prep.md
@@ -7,7 +7,7 @@
Previously updated : 01/04/2021 Last updated : 01/22/2021 Customer intent: As an IT admin, I need to understand how to prepare the portal to deploy Azure Stack Edge Pro R so I can use it to transfer data to Azure.
@@ -137,16 +137,19 @@ To create an Azure Stack Edge resource, take the following steps in the Azure po
11. Select **Create**.
-The resource creation takes a few minutes. An MSI is also created that lets the Azure Stack Edge device communicate with the resource provider in Azure.
+ The resource creation takes a few minutes. An MSI is also created that lets the Azure Stack Edge device communicate with the resource provider in Azure.
-After the resource is successfully created and deployed, you're notified. Select **Go to resource**.
+ After the resource is successfully created and deployed, you're notified. Select **Go to resource**.
-![Go to the Azure Stack Edge Pro resource](media/azure-stack-edge-pro-r-deploy-prep/azure-stack-edge-resource-1.png)
+ ![Go to the Azure Stack Edge Pro resource](media/azure-stack-edge-pro-r-deploy-prep/azure-stack-edge-resource-1.png)
After the order is placed, Microsoft reviews the order and reaches out to you (via email) with shipping details. <!--![Notification for review of the Azure Stack Edge Pro order](media/azure-stack-edge-gpu-deploy-prep/azure-stack-edge-resource-2.png) - If this is restored, it must go above "After the resource is successfully created." The azure-stack-edge-resource-1.png would seem superfluous in that case.-->
+> [!NOTE]
+> If you want to create multiple orders at one time or clone an existing order, you can use the [scripts in Azure Samples](https://github.com/Azure-Samples/azure-stack-edge-order). For more information, see the README file.
+ If you run into any issues during the order process, see [Troubleshoot order issues](azure-stack-edge-troubleshoot-ordering.md). ## Get the activation key
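Review bot: the newly indented context says "An MSI is also created that lets the Azure Stack Edge device communicate with the resource provider"; MSI here means a managed identity, but unexpanded it reads as a Windows Installer package. Expand it on first use ("a managed identity (MSI)"). The NOTE block is inserted immediately after the HTML comment line with no blank line before it; add one so the `> [!NOTE]` block is parsed as its own element rather than as part of the preceding paragraph.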
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-return-device https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-return-device.md a/articles/databox-online/azure-stack-edge-return-device.md
@@ -97,7 +97,7 @@ To begin the return process, take the following steps.
To schedule a pickup, take the following steps. 1. Shut down the device. In the local web UI, go to **Maintenance > Power settings**.
-2. Select **Shut down**. When prompted for confirmation, click **Yes** to continue. For more information, see [Manage power](data-box-gateway-manage-access-power-connectivity-mode.md#manage-power).
+2. Select **Shut down**. When prompted for confirmation, click **Yes** to continue. For more information, see [Manage power](../databox-gateway/data-box-gateway-manage-access-power-connectivity-mode.md#manage-power).
3. Unplug the power cables and remove all the network cables from the device. 4. Prepare the shipment package by using your own box or the empty box you received from Azure. Place the device and the power cords that were shipped with the device in the box. 5. Affix the shipping label that you received from Azure on the package.
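Review bot: the Manage power link is moved to ../databox-gateway/, matching the cross-folder link fix in azure-stack-edge-troubleshoot.md in this same commit; check that the remaining relative links in this article (for example azure-stack-edge-replace-device.md under Next steps) still resolve within databox-online and do not need the same treatment.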
@@ -140,4 +140,4 @@ You're notified after the device and the associated resource is successfully del
## Next steps -- Learn how to [Get a replacement Azure Stack Edge Pro device](azure-stack-edge-replace-device.md).
+- Learn how to [Get a replacement Azure Stack Edge Pro device](azure-stack-edge-replace-device.md).
\ No newline at end of file
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-troubleshoot.md a/articles/databox-online/azure-stack-edge-troubleshoot.md
@@ -7,7 +7,7 @@
Previously updated : 08/11/2020 Last updated : 01/21/2021 # Troubleshoot your Azure Stack Edge Pro issues
@@ -21,6 +21,7 @@ In this article, you learn how to:
> * Run diagnostics > * Collect Support package > * Use logs to troubleshoot
+> * Troubleshoot IoT Edge errors
## Run diagnostics
@@ -77,6 +78,10 @@ Any errors experienced during the upload and refresh processes are included in t
[!INCLUDE [data-box-edge-edge-upload-error-reference](../../includes/data-box-edge-gateway-upload-error-reference.md)]
+## Troubleshoot IoT Edge errors
+
+[!INCLUDE [Troubleshoot IoT Edge runtime](../../includes/azure-stack-edge-iot-troubleshoot-compute.md)]
+ ## Next steps
-* Learn more about the [known issues in this release](data-box-gateway-release-notes.md).
+* Learn more about the [known issues in this release](../databox-gateway/data-box-gateway-release-notes.md).
\ No newline at end of file
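Review bot: the Next steps link in this Azure Stack Edge Pro troubleshooting article now points to ../databox-gateway/data-box-gateway-release-notes.md; the path fix is correct for that file, but "known issues in this release" for an Azure Stack Edge Pro device should probably reference the Azure Stack Edge release notes instead (the gpu-install-update article in this same commit links azure-stack-edge-gpu-2101-release-notes.md). Confirm the intended target.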
databox-online https://docs.microsoft.com/en-us/azure/databox-online/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/security-baseline.md a/articles/databox-online/security-baseline.md
@@ -20,7 +20,7 @@ To see how Azure Stack Edge completely maps to the Azure Security Benchma