Updates from: 01/30/2021 04:09:04
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/partner-keyless https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/partner-keyless.md
@@ -82,7 +82,7 @@ To configure an identity provider, follow these steps:
|Property | Value | |:--| :--| | Name | Keyless |
- | Metadata URL | Insert the URI of the hosted Keyless Authentication app, followed by the specific path such as https://keyless.auth/.well-known/openid-configuration |
+ | Metadata URL | Insert the URI of the hosted Keyless Authentication app, followed by the specific path such as 'https://keyless.auth/.well-known/openid-configuration' |
| Client Secret | The secret associated with the Keyless Authentication instance - not same as the one configured before. Insert a complex string of your choice. This secret will be used later in the Keyless Container configuration.| | Client ID | The ID of the client. This ID will be used later in the Keyless Container configuration.| | Scope | openid |
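Review bot: the Client Secret row in this table tells readers to "Insert a complex string of your choice", which invites a human-chosen, guessable value for a credential the Keyless container will later present to B2C; the row should say to generate the value from a CSPRNG (32 or more random bytes, base64-encoded), never reuse the secret "configured before", and paste the identical value into the Keyless Container configuration. On the changed line, wrapping the URL in single quotes leaves them rendered literally inside the Markdown table cell; the rest of this doc set marks literals with backticks, and the cell would also be clearer if it said that `/.well-known/openid-configuration` is the standard OpenID Connect discovery path appended to the app's base URI rather than an arbitrary example.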
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-signing-key-rollover https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-signing-key-rollover.md
@@ -293,7 +293,7 @@ If you built an application on WIF v1.0, there is no provided mechanism to autom
Instructions to use the FedUtil to update your configuration:
-1. Verify that you have the WIF v1.0 SDK installed on your development machine for Visual Studio 2008 or 2010. You can [download it from here](https://www.microsoft.com/en-us/download/details.aspx?id=4451) if you have not yet installed it.
+1. Verify that you have the WIF v1.0 SDK installed on your development machine for Visual Studio 2008 or 2010. You can [download it from here](https://www.softpedia.com/get/Programming/Other-Programming-Files/Windows-Identity-Foundation-SDK.shtml) if you have not yet installed it.
2. In Visual Studio, open the solution, and then right-click the applicable project and select **Update federation metadata**. If this option is not available, FedUtil and/or the WIF v1.0 SDK has not been installed. 3. From the prompt, select **Update** to begin updating your federation metadata. If you have access to the server environment where the application is hosted, you can optionally use FedUtilΓÇÖs [automatic metadata update scheduler](/previous-versions/windows-identity-foundation/ee517272(v=msdn.10)). 4. Click **Finish** to complete the update process.
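Review bot: the changed link replaces the microsoft.com Download Center page (id=4451) for the WIF v1.0 SDK with a Softpedia mirror, so step 1 now tells developers to install a development SDK from a third-party site with no integrity check; an SDK fetched from an unofficial mirror is a software-supply-chain risk in an article whose whole purpose is key handling. If the first-party download has been retired, link a Microsoft-controlled archive, or state plainly that the SDK is no longer available and that the WIF v1.0 path is unsupported, rather than substituting a mirror. While touching this paragraph, the context line still carries the mis-encoded apostrophe in "FedUtilΓÇÖs" (should be "FedUtil's").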
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-logging-python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-logging-python.md
@@ -50,5 +50,3 @@ For more information about logging in Python, please refer to Python's [Logging
## Next steps For more code samples, refer to [Microsoft identity platform code samples](sample-v2-code.md).--\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-remove-app https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-remove-app.md
@@ -46,7 +46,7 @@ To delete an application, be listed as an owner of the application or have admin
If you are viewing **App registrations** in the context of a tenant, a subset of the applications that appear under the **All apps** tab are from another tenant and were registered into your tenant during the consent process. More specifically, they are represented by only a service principal object in your tenant, with no corresponding application object. For more information on the differences between application and service principal objects, see [Application and service principal objects in Azure AD](./app-objects-and-service-principals.md).
-In order to remove an applicationΓÇÖs access to your directory (after having granted consent), the company administrator must remove its service principal. The administrator must have global admin access, and can remove the application through the Azure portal or use the [Azure AD PowerShell Cmdlets](/previous-versions/azure/jj151815(v=azure.100)) to remove access.
+In order to remove an applicationΓÇÖs access to your directory (after having granted consent), the company administrator must remove its service principal. The administrator must have Global Admininstrator access, and can remove the application through the Azure portal or use the [Azure AD PowerShell Cmdlets](/previous-versions/azure/jj151815(v=azure.100)) to remove access.
## Next steps
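Review bot: the added line misspells the role as "Global Admininstrator"; it should read "Global Administrator". The same sentence is also the only scripted route on the page for removing a service principal and it points at "Azure AD PowerShell Cmdlets" under /previous-versions/, so while fixing the typo, link the current cmdlet reference for removing a service principal rather than a retired one.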
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-java-daemon https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/quickstart-v2-java-daemon.md /dev/null
@@ -0,0 +1,260 @@
+
+ Title: "Quickstart: Call Microsoft Graph from a Java daemon | Azure"
+
+description: In this quickstart, you learn how a Java app can get an access token and call an API protected by Microsoft identity platform endpoint, using the app's own identity
++++++++ Last updated : 01/22/2021++
+#Customer intent: As an application developer, I want to learn how my Java app can get an access token and call an API that's protected by Microsoft identity platform endpoint using client credentials flow.
++
+# Quickstart: Acquire a token and call Microsoft Graph API from a Java console app using app's identity
+
+In this quickstart, you download and run a code sample that demonstrates how a Java application can obtain an access token using the app's identity to call the Microsoft Graph API and display a [list of users](/graph/api/user-list) in the directory. The code sample demonstrates how an unattended job or Windows service can run with an application identity, instead of a user's identity.
+
+> [!div renderon="docs"]
+> ![Shows how the sample app generated by this quickstart works](media/quickstart-v2-netcore-daemon/netcore-daemon-intro.svg)
+
+## Prerequisites
+
+To run this sample you will need:
+
+- [Java Development Kit (JDK)](https://openjdk.java.net/) 8 or greater
+- [Maven](https://maven.apache.org/).
+
+> [!div renderon="docs"]
+> ## Register and download your quickstart app
+
+> [!div renderon="docs" class="sxs-lookup"]
+>
+> You have two options to start your quickstart application: Express (Option 1 below), and Manual (Option 2)
+>
+> ### Option 1: Register and auto configure your app and then download your code sample
+>
+> 1. Go to the new [Azure portal - App registrations](https://portal.azure.com/?Microsoft_AAD_RegisteredApps=true#blade/Microsoft_AAD_RegisteredApps/applicationsListBlade/quickStartType/JavaDaemonQuickstartPage/sourceType/docs) pane.
+> 1. Enter a name for your application and select **Register**.
+> 1. Follow the instructions to download and automatically configure your new application with just one click.
+>
+> ### Option 2: Register and manually configure your application and code sample
+
+> [!div renderon="docs"]
+> #### Step 1: Register your application
+> To register your application and add the app's registration information to your solution manually, follow these steps:
+>
+> 1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+> 1. If your account gives you access to more than one tenant, select your account in the top right corner, and set your portal session to the desired Azure AD tenant.
+> 1. Navigate to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page.
+> 1. Select **New registration**.
+> 1. When the **Register an application** page appears, enter your application's registration information.
+> 1. In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `Daemon-console`, then select **Register** to create the application.
+> 1. Once registered, select the **Certificates & secrets** menu.
+> 1. Under **Client secrets**, select **+ New client secret**. Give it a name and select **Add**. Copy the secret on a safe location. You will need it to use in your code.
+> 1. Now, select the **API Permissions** menu, select **+ Add a permission** button, select **Microsoft Graph**.
+> 1. Select **Application permissions**.
+> 1. Under **User** node, select **User.Read.All**, then select **Add permissions**
+
+> [!div class="sxs-lookup" renderon="portal"]
+> ### Download and configure your quickstart app
+>
+> #### Step 1: Configure your application in Azure portal
+> For the code sample for this quickstart to work, you need to create a client secret, and add Graph API's **User.Read.All** application permission.
+> > [!div renderon="portal" id="makechanges" class="nextstepaction"]
+> > [Make these changes for me]()
+>
+> > [!div id="appconfigured" class="alert alert-info"]
+> > ![Already configured](media/quickstart-v2-netcore-daemon/green-check.png) Your application is configured with these attributes.
+
+#### Step 2: Download your Java project
+
+> [!div renderon="docs"]
+> [Download the Java daemon project](https://github.com/Azure-Samples/ms-identity-java-daemon/archive/master.zip)
+
+> [!div renderon="portal" id="autoupdate" class="sxs-lookup nextstepaction"]
+> [Download the code sample](https://github.com/Azure-Samples/ms-identity-java-daemon/archive/master.zip)
+
+> [!div class="sxs-lookup" renderon="portal"]
+> > [!NOTE]
+> > `Enter_the_Supported_Account_Info_Here`
++
+> [!div renderon="docs"]
+> #### Step 3: Configure your Java project
+>
+> 1. Extract the zip file to a local folder close to the root of the disk, for example, **C:\Azure-Samples**.
+> 1. Navigate to the sub folder **msal-client-credential-secret**.
+> 1. Edit **src\main\resources\application.properties** and replace the values of the fields `AUTHORITY`, `CLIENT_ID`, and `SECRET` with the following snippet:
+>
+> ```
+> AUTHORITY=https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/
+> CLIENT_ID=Enter_the_Application_Id_Here
+> SECRET=Enter_the_Client_Secret_Here
+> ```
+> Where:
+> - `Enter_the_Application_Id_Here` - is the **Application (client) ID** for the application you registered.
+> - `Enter_the_Tenant_Id_Here` - replace this value with the **Tenant Id** or **Tenant name** (for example, contoso.microsoft.com)
+> - `Enter_the_Client_Secret_Here` - replace this value with the client secret created on step 1.
+>
+> > [!TIP]
+> > To find the values of **Application (client) ID**, **Directory (tenant) ID**, go to the app's **Overview** page in the Azure portal. To generate a new key, go to **Certificates & secrets** page.
+
+> [!div class="sxs-lookup" renderon="portal"]
+> #### Step 3: Admin consent
+
+> [!div renderon="docs"]
+> #### Step 4: Admin consent
+
+If you try to run the application at this point, you'll receive *HTTP 403 - Forbidden* error: `Insufficient privileges to complete the operation`. This error happens because any *app-only permission* requires Admin consent: a global administrator of your directory must give consent to your application. Select one of the options below depending on your role:
+
+##### Global tenant administrator
+
+> [!div renderon="docs"]
+> If you are a global tenant administrator, go to **API Permissions** page in the Azure Portal's Application Registration (Preview) and select **Grant admin consent for {Tenant Name}** (Where {Tenant Name} is the name of your directory).
+
+> [!div renderon="portal" class="sxs-lookup"]
+> If you are a global administrator, go to **API Permissions** page select **Grant admin consent for Enter_the_Tenant_Name_Here**
+> > [!div id="apipermissionspage"]
+> > [Go to the API Permissions page]()
+
+##### Standard user
+
+If you're a standard user of your tenant, then you need to ask a global administrator to grant admin consent for your application. To do this, give the following URL to your administrator:
+
+```url
+https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/adminconsent?client_id=Enter_the_Application_Id_Here
+```
+
+> [!div renderon="docs"]
+>> Where:
+>> * `Enter_the_Tenant_Id_Here` - replace this value with the **Tenant Id** or **Tenant name** (for example, contoso.microsoft.com)
+>> * `Enter_the_Application_Id_Here` - is the **Application (client) ID** for the application you registered.
+
+> [!div class="sxs-lookup" renderon="portal"]
+> #### Step 4: Run the application
+
+> [!div renderon="docs"]
+> #### Step 5: Run the application
+
+You can test the sample directly by running the main method of ClientCredentialGrant.java from your IDE.
+
+From your shell or command line:
+
+```
+$ mvn clean compile assembly:single
+```
+
+This will generate a msal-client-credential-secret-1.0.0.jar file in your /targets directory. Run this using your Java executable like below:
+
+```
+$ java -jar msal-client-credential-secret-1.0.0.jar
+```
+
+After running, the application should display the list of users in the configured tenant.
++
+> [!IMPORTANT]
+> This quickstart application uses a client secret to identify itself as confidential client. Because the client secret is added as a plain-text to your project files, for security reasons, it is recommended that you use a certificate instead of a client secret before considering the application as production application. For more information on how to use a certificate, see [these instructions](https://github.com/Azure-Samples/ms-identity-java-daemon/tree/master/msal-client-credential-certificate) in the same GitHub repository for this sample, but in the second folder **msal-client-credential-certificate**
+
+## More information
+
+### MSAL Java
+
+[MSAL Java](https://github.com/AzureAD/microsoft-authentication-library-for-java) is the library used to sign in users and request tokens used to access an API protected by Microsoft identity platform. As described, this quickstart requests tokens by using the application own identity instead of delegated permissions. The authentication flow used in this case is known as *[client credentials oauth flow](v2-oauth2-client-creds-grant-flow.md)*. For more information on how to use MSAL Java with daemon apps, see [this article](scenario-daemon-overview.md).
+
+Add MSAL4J to your application by using Maven or Gradle to manage your dependencies by making the following changes to the application's pom.xml (Maven) or build.gradle (Gradle) file.
+
+In pom.xml:
+
+```XML
+<dependency>
+ <groupId>com.microsoft.azure</groupId>
+ <artifactId>msal4j</artifactId>
+ <version>1.0.0</version>
+</dependency>
+```
+
+In build.gradle:
+
+```$xslt
+compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.0.0'
+```
+
+### MSAL initialization
+
+Add a reference to MSAL for Java by adding the following code to the top of the file where you will be using MSAL4J:
+
+```Java
+import com.microsoft.aad.msal4j.*;
+```
+
+Then, initialize MSAL using the following code:
+
+```Java
+IClientCredential credential = ClientCredentialFactory.createFromSecret(CLIENT_SECRET);
+
+ConfidentialClientApplication cca =
+ ConfidentialClientApplication
+ .builder(CLIENT_ID, credential)
+ .authority(AUTHORITY)
+ .build();
+```
+
+> | Where: |Description |
+> |||
+> | `CLIENT_SECRET` | Is the client secret created for the application in Azure Portal. |
+> | `CLIENT_ID` | Is the **Application (client) ID** for the application registered in the Azure portal. You can find this value in the app's **Overview** page in the Azure portal. |
+> | `AUTHORITY` | The STS endpoint for user to authenticate. Usually `https://login.microsoftonline.com/{tenant}` for public cloud, where {tenant} is the name of your tenant or your tenant Id.|
+
+### Requesting tokens
+
+To request a token using app's identity, use `acquireToken` method:
+
+```Java
+IAuthenticationResult result;
+ try {
+ SilentParameters silentParameters =
+ SilentParameters
+ .builder(SCOPE)
+ .build();
+
+ // try to acquire token silently. This call will fail since the token cache does not
+ // have a token for the application you are requesting an access token for
+ result = cca.acquireTokenSilently(silentParameters).join();
+ } catch (Exception ex) {
+ if (ex.getCause() instanceof MsalException) {
+
+ ClientCredentialParameters parameters =
+ ClientCredentialParameters
+ .builder(SCOPE)
+ .build();
+
+ // Try to acquire a token. If successful, you should see
+ // the token information printed out to console
+ result = cca.acquireToken(parameters).join();
+ } else {
+ // Handle other exceptions accordingly
+ throw ex;
+ }
+ }
+ return result;
+```
+
+> |Where:| Description |
+> |||
+> | `SCOPE` | Contains the scopes requested. For confidential clients, this should use the format similar to `{Application ID URI}/.default` to indicate that the scopes being requested are the ones statically defined in the app object set in the Azure Portal (for Microsoft Graph, `{Application ID URI}` points to `https://graph.microsoft.com`). For custom web APIs, `{Application ID URI}` is defined under **Expose an API** section in Azure Portal's Application Registration (Preview). |
+
+[!INCLUDE [Help and support](../../../includes/active-directory-develop-help-support-include.md)]
+
+## Next steps
+
+To learn more about daemon applications, see the scenario landing page
+
+> [!div class="nextstepaction"]
+> [Daemon application that calls web APIs](scenario-daemon-overview.md)
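Review bot: the configuration step and the initialization snippet disagree on the secret's name, and the secret-handling advice is incomplete: "Step 3: Configure your Java project" has readers write `SECRET=Enter_the_Client_Secret_Here` into src\main\resources\application.properties, but the "MSAL initialization" section reads `CLIENT_SECRET`, so align the two; and since the IMPORTANT callout already admits the secret sits in plain text in the project, the configuration step should also tell readers not to commit application.properties with a real secret (exclude it or load the value from the environment) and should point to the certificate variant before the first run, not only at the end. Smaller defects in the same hunk: "This will generate a msal-client-credential-secret-1.0.0.jar file in your /targets directory" should say `target`, which is Maven's default output directory; the `build.gradle` fence is tagged ```$xslt```, which is not a language; the `AUTHORITY` row describes "The STS endpoint for user to authenticate" although this flow has no user; the `SCOPE` row explains `{Application ID URI}/.default` but never shows the concrete value the sample needs, `https://graph.microsoft.com/.default`; and "Application Registration (Preview)" appears twice as a stale portal label.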
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-daemon-production https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/scenario-daemon-production.md
@@ -65,6 +65,6 @@ Try the quickstart [Acquire a token and call Microsoft Graph API from a Python c
# [Java](#tab/java)
-MSAL Java is currently in public preview. For more info, see [MSAL Java dev samples](https://github.com/AzureAD/microsoft-authentication-library-for-java/tree/dev/src/samples).
+Try the quickstart [Acquire a token and call Microsoft Graph API from a Java console app using app's identity](./quickstart-v2-java-daemon.md).
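Review bot: the removed sentence was the only statement of MSAL Java's support status on this tab, and the new line links the quickstart without saying whether the library is now generally available; if the preview notice was dropped because MSAL Java reached GA, say so (or link the release), since readers of a page titled "production" need that fact more than the quickstart link.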
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/troubleshoot-publisher-verification https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/troubleshoot-publisher-verification.md
@@ -35,7 +35,7 @@ Below are some common issues that may occur during the process.
1. If an MPN account already exists, this will be recognized and you will be added to the account 1. Navigate to the [partner profile page](https://partner.microsoft.com/pcv/accountsettings/connectedpartnerprofile) where the MPN ID and primary account contact will be listed -- **I donΓÇÖt know who my Azure AD Global Administrator (also known as Company Admin or Tenant Admin) is, how do I find them? What about the Application Administrator or Cloud Application Administrator?**
+- **I donΓÇÖt know who my Azure AD Global Administrator (also known as company admin or tenant admin) is, how do I find them? What about the Application Administrator or Cloud Application Administrator?**
1. Sign in to the [Azure AD Portal](https://aad.portal.azure.com) using a user account in your organization's primary tenant 1. Navigate to [Role Management](https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) 1. Click the desired admin role
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-aspnet-daemon-web-app https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-aspnet-daemon-web-app.md
@@ -42,7 +42,7 @@ The app is built as an ASP.NET MVC application. It uses the OWIN OpenID Connect
The "daemon" component in this sample is an API controller, `SyncController.cs`. When the controller is called, it pulls in a list of users in the customer's Azure Active Directory (Azure AD) tenant from Microsoft Graph. `SyncController.cs` is triggered by an AJAX call in the web application. It uses the [Microsoft Authentication Library (MSAL) for .NET](msal-overview.md) to acquire an access token for Microsoft Graph.
-Because the app is a multi-tenant app for Microsoft business customers, it must provide a way for customers to "sign up" or "connect" the application to their company data. During the connection flow, a company administrator first grants *application permissions* directly to the app so that it can access company data in a non-interactive fashion, without the presence of a signed-in user. The majority of the logic in this sample shows how to achieve this connection flow by using the identity platform's [admin consent](v2-permissions-and-consent.md#using-the-admin-consent-endpoint) endpoint.
+Because the app is a multi-tenant app for Microsoft business customers, it must provide a way for customers to "sign up" or "connect" the application to their company data. During the connection flow, a Global Administrator first grants *application permissions* directly to the app so that it can access company data in a non-interactive fashion, without the presence of a signed-in user. The majority of the logic in this sample shows how to achieve this connection flow by using the identity platform's [admin consent](v2-permissions-and-consent.md#using-the-admin-consent-endpoint) endpoint.
![Diagram shows UserSync App with three local items connecting to Azure, with Start dot Auth acquiring a token interactively to connect to Azure A D, AccountController getting admin consent to connect to Azure A D, and SyncController reading user to connect to Microsoft Graph.](./media/tutorial-v2-aspnet-daemon-webapp/topology.png)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-oauth2-auth-code-flow.md
@@ -44,7 +44,7 @@ Then you need to visit your app registration and update the redirect URI for you
## Request an authorization code
-The authorization code flow begins with the client directing the user to the `/authorize` endpoint. In this request, the client requests the `openid`, `offline_access`, and `https://graph.microsoft.com/mail.read ` permissions from the user. Some permissions are admin-restricted, for example writing data to an organization's directory by using `Directory.ReadWrite.All`. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they're not authorized to consent to your app's permissions. To request access to admin-restricted scopes, you should request them directly from a company administrator. For more information, read [Admin-restricted permissions](v2-permissions-and-consent.md#admin-restricted-permissions).
+The authorization code flow begins with the client directing the user to the `/authorize` endpoint. In this request, the client requests the `openid`, `offline_access`, and `https://graph.microsoft.com/mail.read ` permissions from the user. Some permissions are admin-restricted, for example writing data to an organization's directory by using `Directory.ReadWrite.All`. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they're not authorized to consent to your app's permissions. To request access to admin-restricted scopes, you should request them directly from a Global Administrator. For more information, read [Admin-restricted permissions](v2-permissions-and-consent.md#admin-restricted-permissions).
``` // Line breaks for legibility only
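Review bot: the changed sentence (before and after the change) carries a trailing space inside the backticked scope `https://graph.microsoft.com/mail.read `, which renders as a literal space and yields an invalid scope if copied; drop it while touching this line. The wording change from "company administrator" to "Global Administrator" also makes the sentence sound as if only that role can grant admin-restricted scopes; if other roles can grant tenant-wide consent (this same doc set names the Application Administrator and Cloud Application Administrator roles in the publisher-verification hunk), prefer "an administrator who can grant tenant-wide consent" with a link to the roles reference, and verify against that reference before merging.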
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-permissions-and-consent.md
@@ -160,7 +160,7 @@ If the application requests application permissions and an administrator grants
After you use the admin consent endpoint to grant admin consent, you're finished. Users don't need to take any further action. After admin consent is granted, users can get an access token through a typical auth flow. The resulting access token has the consented permissions.
-When a company administrator uses your application and is directed to the authorize endpoint, the Microsoft identity platform detects the user's role. It asks if the company administrator wants to consent on behalf of the entire tenant for the permissions you requested. You could instead use a dedicated admin consent endpoint to proactively request an administrator to grant permission on behalf of the entire tenant. This endpoint is also necessary for requesting application permissions. Application permissions can't be requested by using the authorize endpoint.
+When a Global Administrator uses your application and is directed to the authorize endpoint, the Microsoft identity platform detects the user's role. It asks if the Global Administrator wants to consent on behalf of the entire tenant for the permissions you requested. You could instead use a dedicated admin consent endpoint to proactively request an administrator to grant permission on behalf of the entire tenant. This endpoint is also necessary for requesting application permissions. Application permissions can't be requested by using the authorize endpoint.
If you follow these steps, your app can request permissions for all users in a tenant, including admin-restricted scopes. This operation is high privilege. Use the operation only if necessary for your scenario.
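Review bot: replacing "company administrator" with "Global Administrator" in both sentences of the changed line turns a description of role detection into a statement that the tenant-wide consent prompt is specific to one role; if holders of other admin roles that can consent on behalf of the tenant also see the prompt, the narrowed wording will make them think it does not apply to them. Say "a user holding a role that can grant tenant-wide admin consent" and link the list of those roles; the following sentence ("This operation is high privilege") is the natural place to add which roles are required for application permissions specifically, if that differs from delegated scopes.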
active-directory https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-restore-deleted https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/enterprise-users/groups-restore-deleted.md
@@ -26,7 +26,7 @@ The permissions required to restore a group can be any of the following:
Role | Permissions | Global administrator, Group administrator, Partner Tier2 support, and Intune administrator | Can restore any deleted Microsoft 365 group
-User administrator and Partner Tier1 support | Can restore any deleted Microsoft 365 group except those groups assigned to the Company Administrator role
+User administrator and Partner Tier1 support | Can restore any deleted Microsoft 365 group except those groups assigned to the Global Administrator role
User | Can restore any deleted Microsoft 365 group that they own ## View and manage the deleted Microsoft 365 groups that are available to restore
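Review bot: the changed row now spells the role "Global Administrator" while the first row of the same table reads "Global administrator"; use one casing across the table (the rest of this commit uses "Global Administrator"). The row's meaning also hinges on "assigned to the ... role"; stating that this means Microsoft 365 groups that hold an assignment to the Global Administrator role would make clear why User administrators and Partner Tier1 support are excluded from restoring them.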
active-directory https://docs.microsoft.com/en-us/azure/active-directory/external-identities/allow-deny-list https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/allow-deny-list.md
@@ -124,7 +124,7 @@ If the module is not installed, or you don't have a required version, do one of
### Use the AzureADPolicy cmdlets to configure the policy
-To create an allow or deny list, use the [New-AzureADPolicy](/powershell/module/azuread/new-azureadpolicy?view=azureadps-2.0-preview) cmdlet. The following example shows how to set a deny list that blocks the "live.com" domain.
+To create an allow or deny list, use the [New-AzureADPolicy](/powershell/module/azuread/new-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet. The following example shows how to set a deny list that blocks the "live.com" domain.
```powershell $policyValue = @("{`"B2BManagementPolicy`":{`"InvitationsAllowedAndBlockedDomainsPolicy`":{`"AllowedDomains`": [],`"BlockedDomains`": [`"live.com`"]}}}")
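Review bot: the links now pin `view=azureadps-2.0-preview&preserve-view=true`, which is correct for cmdlets that live in the preview module, but the paragraph above ("If the module is not installed, or you don't have a required version") never names AzureADPreview as the module these cmdlets require; say so next to the first link. The `$policyValue` example also builds the policy as a hand-escaped JSON string with backtick-quoted `"` characters, which is easy to get wrong when editing the domain lists; constructing it from a hashtable and `ConvertTo-Json -Depth 4` (with `-Compress`) would be less error-prone and would let readers add domains without counting escapes.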
@@ -138,19 +138,19 @@ The following shows the same example, but with the policy definition inline.
New-AzureADPolicy -Definition @("{`"B2BManagementPolicy`":{`"InvitationsAllowedAndBlockedDomainsPolicy`":{`"AllowedDomains`": [],`"BlockedDomains`": [`"live.com`"]}}}") -DisplayName B2BManagementPolicy -Type B2BManagementPolicy -IsOrganizationDefault $true ```
-To set the allow or deny list policy, use the [Set-AzureADPolicy](/powershell/module/azuread/set-azureadpolicy?view=azureadps-2.0-preview) cmdlet. For example:
+To set the allow or deny list policy, use the [Set-AzureADPolicy](/powershell/module/azuread/set-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet. For example:
```powershell Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id ```
-To get the policy, use the [Get-AzureADPolicy](/powershell/module/azuread/get-azureadpolicy?view=azureadps-2.0-preview) cmdlet. For example:
+To get the policy, use the [Get-AzureADPolicy](/powershell/module/azuread/get-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet. For example:
```powershell
-$currentpolicy = Get-AzureADPolicy | ?{$_.Type -eq 'B2BManagementPolicy'} | select -First 1
+$currentpolicy = Get-AzureADPolicy -All $true | ?{$_.Type -eq 'B2BManagementPolicy'} | select -First 1
```
-To remove the policy, use the [Remove-AzureADPolicy](/powershell/module/azuread/remove-azureadpolicy?view=azureadps-2.0-preview) cmdlet. For example:
+To remove the policy, use the [Remove-AzureADPolicy](/powershell/module/azuread/remove-azureadpolicy?view=azureadps-2.0-preview&preserve-view=true) cmdlet. For example:
```powershell Remove-AzureADPolicy -Id $currentpolicy.Id
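Review bot: the `Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id` example appears before the `Get-AzureADPolicy` example that assigns `$currentpolicy`, so a reader following the page top to bottom runs Set with an undefined `$currentpolicy`; move the Get example ahead of Set or reference it explicitly. The functional change in this hunk, adding `-All $true`, is given no explanation; state why it is needed (without it the cmdlet may return only an initial page of policies and the B2BManagementPolicy filter silently finds nothing). Style: documentation examples should use `Where-Object` and `Select-Object` rather than the `?` and `select` aliases.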
@@ -159,4 +159,4 @@ Remove-AzureADPolicy -Id $currentpolicy.Id
## Next steps - For an overview of Azure AD B2B, see [What is Azure AD B2B collaboration?](what-is-b2b.md)-- For information about Conditional Access and B2B collaboration, see [Conditional Access for B2B collaboration users](conditional-access.md).\ No newline at end of file
+- For information about Conditional Access and B2B collaboration, see [Conditional Access for B2B collaboration users](conditional-access.md).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/external-identities/troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/troubleshoot.md
@@ -87,7 +87,7 @@ A user who has a guest account cannot log on, and is receiving the following err
AADSTS65005: Using application 'AppName' is currently not supported for your organization contoso.com because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of contoso.com before the application AppName can be provisioned. ```
-The user has an Azure user account and is a viral tenant who has been abandoned or unmanaged. Additionally, there are no global or company administrators in the tenant.
+The user has an Azure user account and is a viral tenant who has been abandoned or unmanaged. Additionally, there are no Global Administrators in the tenant.
To resolve this problem, you must take over the abandoned tenant. Refer to [Take over an unmanaged directory as administrator in Azure Active Directory](../enterprise-users/domains-admin-takeover.md). You must also access the internet-facing DNS for the domain suffix in question in order to provide direct evidence that you are in control of the namespace. After the tenant is returned to a managed state, please discuss with the customer whether leaving the users and verified domain name is the best option for their organization.
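Review bot: the changed sentence still says "The user has an Azure user account and is a viral tenant", which conflates the user with the tenant; it should say the user's account lives in a viral (unmanaged) tenant that has been abandoned and has no Global Administrators. The rewrite from "global or company administrators" is fine, but the takeover paragraph that follows only makes sense if the reader understands it is the tenant, not the user, that is unmanaged, so fix the subject while here.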
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-whatis.md
@@ -91,7 +91,7 @@ To better understand Azure AD and its documentation, we recommend reviewing the
|Account Administrator|This classic subscription administrator role is conceptually the billing owner of a subscription. This role has access to the [Azure Account Center](https://account.azure.com/Subscriptions) and enables you to manage all subscriptions in an account. For more information, see [Classic subscription administrator roles, Azure roles, and Azure AD administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).| |Service Administrator|This classic subscription administrator role enables you to manage all Azure resources, including access. This role has the equivalent access of a user who is assigned the Owner role at the subscription scope. For more information, see [Classic subscription administrator roles, Azure roles, and Azure AD administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).| |Owner|This role helps you manage all Azure resources, including access. This role is built on a newer authorization system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to Azure resources. For more information, see [Classic subscription administrator roles, Azure roles, and Azure AD administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).|
-|Azure AD Global administrator|This administrator role is automatically assigned to whomever created the Azure AD tenant. Global administrators can do all of the administrative functions for Azure AD and any services that federate to Azure AD, such as Exchange Online, SharePoint Online, and Skype for Business Online. You can have multiple Global administrators, but only Global administrators can assign administrator roles (including assigning other Global administrators) to users. Note that this administrator role is called Global administrator in the Azure portal, but it's called **Company administrator** in the Microsoft Graph API and Azure AD PowerShell. For more information about the various administrator roles, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md).|
+|Azure AD Global administrator|This administrator role is automatically assigned to whomever created the Azure AD tenant. Global administrators can do all of the administrative functions for Azure AD and any services that federate to Azure AD, such as Exchange Online, SharePoint Online, and Skype for Business Online. You can have multiple Global administrators, but only Global administrators can assign administrator roles (including assigning other Global administrators) to users. For more information about the various administrator roles, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md).|
|Azure subscription| Used to pay for Azure cloud services. You can have many subscriptions and they're linked to a credit card.| |Azure tenant| A dedicated and trusted instance of Azure AD that's automatically created when your organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft Intune, or Microsoft 365. An Azure tenant represents a single organization.| |Single tenant| Azure tenants that access other services in a dedicated environment are considered single tenant.|
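Review bot: deleting the sentence about the role's alternate name removes the only place this table tells the reader that Global administrator shows up as **Company administrator** in the Microsoft Graph API and Azure AD PowerShell; anyone reading role assignments from those tools loses the mapping back to this table. If the alias is being dropped because it is documented elsewhere, replace the sentence with a pointer to that location rather than removing it outright.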
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new-archive https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new-archive.md
@@ -9,7 +9,7 @@
Previously updated : 12/18/2020 Last updated : 1/29/2021
@@ -29,6 +29,176 @@ The What's new in Azure Active Directory? release notes provide information abou
- Plans for changes
+## July 2020
+
+### As an IT Admin, I want to target client apps using Conditional Access
+
+**Type:** Plan for change
+**Service category:** Conditional Access
+**Product capability:** Identity Security & Protection
+
+With the GA release of the client apps condition in Conditional Access, new policies will now apply by default to all client applications. This includes legacy authentication clients. Existing policies will remain unchanged, but the *Configure Yes/No* toggle will be removed from existing policies to easily see which client apps are applied to by the policy.
+
+When creating a new policy, make sure to exclude users and service accounts that are still using legacy authentication; if you don't, they will be blocked. [Learn more](../conditional-access/concept-conditional-access-conditions.md).
+
++
+### Upcoming SCIM compliance fixes
+
+**Type:** Plan for change
+**Service category:** App Provisioning
+**Product capability:** Identity Lifecycle Management
+
+The Azure AD provisioning service leverages the SCIM standard for integrating with applications. Our implementation of the SCIM standard is evolving, and we expect to make changes to our behavior around how we perform PATCH operations as well as set the property "active" on a resource. [Learn more](../app-provisioning/application-provisioning-config-problem-scim-compatibility.md).
+
++
+### Group owner setting on Azure Admin portal will be changed
+
+**Type:** Plan for change
+**Service category:** Group Management
+**Product capability:** Collaboration
+
+Owner settings on Groups general setting page can be configured to restrict owner assignment privileges to a limited group of users in the Azure Admin portal and Access Panel. We will soon have the ability to assign group owner privilege not only on these two UX portals but also enforce the policy on the backend to provide consistent behavior across endpoints, such as PowerShell and Microsoft Graph.
+
+We will start to disable the current setting for the customers who are not using it and will offer an option to scope users for group owner privilege in the next few months. For guidance on updating group settings, see Edit your group information using [Azure Active Directory](./active-directory-groups-settings-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context).
+++
+### Azure Active Directory Registration Service is ending support for TLS 1.0 and 1.1
+
+**Type:** Plan for change
+**Service category:** Device Registration and Management
+**Product capability:** Platform
+
+Transport layer security (TLS) 1.2 and update servers and clients will soon communicate with Azure Active Directory Device Registration Service. Support for TLS 1.0 and 1.1 for communication with Azure AD Device Registration service will retire:
+- On August 31, 2020, in all sovereign clouds (GCC High, DoD, etc.)
+- On October 30, 2020, in all commercial clouds
+
+[Learn more](../devices/reference-device-registration-tls-1-2.md) about TLS 1.2 for the Azure AD Registration Service.
+++
+### Windows Hello for Business Sign Ins visible in Azure AD Sign In Logs
+
+**Type:** Fixed
+**Service category:** Reporting
+**Product capability:** Monitoring & Reporting
+
+Windows Hello for Business allows end users to sign into Windows machines with a gesture (such as a PIN or biometric). Azure AD admins may want to differentiate Windows Hello for Business sign-ins from other Windows sign-ins as part of an organization's journey to passwordless authentication.
+
+Admins can now see whether a Windows authentication used Windows Hello for Business by checking the Authentication Details tab for a Windows sign-in event in the Azure AD Sign-Ins blade in the Azure portal. Windows Hello for Business authentications will include "WindowsHelloForBusiness" in the Authentication Method field. For more information on interpreting Sign-In Logs, please see the [Sign-In Logs documentation](../reports-monitoring/concept-sign-ins.md).
+
++
+### Fixes to group deletion behavior and performance improvements
+
+**Type:** Fixed
+**Service category:** App Provisioning
+**Product capability:** Identity Lifecycle Management
+
+Previously, when a group changed from "in-scope" to "out-of-scope" and an admin clicked restart before the change was completed, the group object was not being deleted. Now the group object will be deleted from the target application when it goes out of scope (disabled, deleted, unassigned, or did not pass scoping filter). [Learn more](../app-provisioning/how-provisioning-works.md#incremental-cycles).
+
++
+### Public Preview: Admins can now add custom content in the email to reviewers when creating an access review
+
+**Type:** New feature
+**Service category:** Access Reviews
+**Product capability:** Identity Governance
+
+When a new access review is created, the reviewer receives an email requesting them to complete the access review. Many of our customers asked for the ability to add custom content to the email, such as contact information, or other additional supporting content to guide the reviewer.
+
+Now available in public preview, administrators can specify custom content in the email sent to reviewers by adding content in the "advanced" section of Azure AD Access Reviews. For guidance on creating access reviews, see [Create an access review of groups and applications in Azure AD access reviews](../governance/create-access-review.md).
+
++
+### Authorization Code Flow for Single-page apps available
+
+**Type:** New feature
+**Service category:** Authentications (Logins)
+**Product capability:** Developer Experience
+
+Because of modern browser 3rd party cookie restrictions such as Safari ITP, SPAs will have to use the authorization code flow rather than the implicit flow to maintain SSO, and MSAL.js v 2.x will now support the authorization code flow.
+
+There are corresponding updates to the Azure portal so you can update your SPA to be type "spa" and use the auth code flow. See [Sign in users and get an access token in a JavaScript SPA using the auth code flow](../develop/quickstart-v2-javascript-auth-code.md) for further guidance.
+
++
+### Azure AD Application Proxy now supports the Remote Desktop Services Web Client
+
+**Type:** New feature
+**Service category:** App Proxy
+**Product capability:** Access Control
+
+Azure AD Application Proxy now supports the Remote Desktop Services (RDS) Web Client. The RDS web client allows users to access Remote Desktop infrastructure through any HTLM5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, etc. Users can interact with remote apps or desktops like they would with a local device from anywhere. By using Azure AD Application Proxy you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. For guidance, see [Publish Remote Desktop with Azure AD Application Proxy](../manage-apps/application-proxy-integrate-with-remote-desktop-services.md).
+
++
+### Next generation Azure AD B2C user flows in public preview
+
+**Type:** New feature
+**Service category:** B2C - Consumer Identity Management
+**Product capability:** B2B/B2C
+
+Simplified user flow experience offers feature parity with preview features and is the home for all new features. Users will be able to enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. Lastly, the new, user-friendly UX simplifies the selection and creation of user flows. Try it now by [creating a user flow](../../active-directory-b2c/tutorial-create-user-flows.md).
+
+For more information about users flows, see [User flow versions in Azure Active Directory B2C](../../active-directory-b2c/user-flow-versions.md).
+++
+### New Federated Apps available in Azure AD Application gallery - July 2020
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** 3rd Party Integration
+
+In July 2020 we have added following 55 new applications in our App gallery with Federation support:
+
+[Clap Your Hands](http://www.rmit.com.ar/), [Appreiz](https://microsoftteams.appreiz.com/), [Inextor Vault](https://inexto.com/inexto-suite/inextor), [Beekast](https://my.beekast.com/), [Templafy OpenID Connect](https://app.templafy.com/), [PeterConnects receptionist](https://msteams.peterconnects.com/), [AlohaCloud](https://appfusions.alohacloud.com/auth), [Control Tower](https://bpm.tnxcorp.com/sso/microsoft), [Cocoom](https://start.cocoom.com/), [COINS Construction Cloud](https://sso.coinsconstructioncloud.com/#login/), [Medxnote MT](https://task.teamsmain.medx.im/authorization), [Reflekt](https://reflekt.konsolute.com/login), [Rever](https://app.reverscore.net/access), [MyCompanyArchive](https://login.mycompanyarchive.com/), [GReminders](https://app.greminders.com/o365-oauth), [Titanfile](../saas-apps/titanfile-tutorial.md), [Wootric](../saas-apps/wootric-tutorial.md), [SolarWinds Orion](https://support.solarwinds.com/SuccessCenter/s/orion-platform?language=en_US), [OpenText Directory Services](../saas-apps/opentext-directory-services-tutorial.md), [Datasite](../saas-apps/datasite-tutorial.md), [BlogIn](../saas-apps/blogin-tutorial.md), [IntSights](../saas-apps/intsights-tutorial.md), [kpifire](../saas-apps/kpifire-tutorial.md), [Textline](../saas-apps/textline-tutorial.md), [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-tutorial.md), [Community Spark](../saas-apps/community-spark-tutorial.md), [Chatwork](../saas-apps/chatwork-tutorial.md), [CloudSign](../saas-apps/cloudsign-tutorial.md), [C3M Cloud Control](../saas-apps/c3m-cloud-control-tutorial.md), [SmartHR](https://smarthr.jp/), [NumlyEngageΓäó](../saas-apps/numlyengage-tutorial.md), [Michigan Data Hub Single Sign-On](../saas-apps/michigan-data-hub-single-sign-on-tutorial.md), [Egress](../saas-apps/egress-tutorial.md), [SendSafely](../saas-apps/sendsafely-tutorial.md), [Eletive](https://app.eletive.com/), [Right-Hand Cybersecurity ADI](https://right-hand.ai/), [Fyde Enterprise 
Authentication](https://enterprise.fyde.com/), [Verme](../saas-apps/verme-tutorial.md), [Lenses.io](../saas-apps/lensesio-tutorial.md), [Momenta](../saas-apps/momenta-tutorial.md), [Uprise](https://app.uprise.co/sign-in), [Q](https://q.moduleq.com/login), [CloudCords](../saas-apps/cloudcords-tutorial.md), [TellMe Bot](https://tellme365liteweb.azurewebsites.net/), [Inspire](https://app.inspiresoftware.com/), [Maverics Identity Orchestrator SAML Connector](https://www.strata.io/identity-fabric/), [Smartschool (School Management System)](https://smartschoolz.com/login), [Zepto - Intelligent timekeeping](https://user.zepto-ai.com/signin), [Studi.ly](https://studi.ly/), [Trackplan](http://www.trackplanfm.com/), [Skedda](../saas-apps/skedda-tutorial.md), [WhosOnLocation](../saas-apps/whos-on-location-tutorial.md), [Coggle](../saas-apps/coggle-tutorial.md), [Kemp LoadMaster](https://kemptechnologies.com/cloud-load-balancer/), [BrowserStack Single Sign-on](../saas-apps/browserstack-single-sign-on-tutorial.md)
+
+You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
+
+For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest
+++
+### New provisioning connectors in the Azure AD Application Gallery - July 2020
+
+**Type:** New feature
+**Service category:** App Provisioning
+**Product capability:** 3rd Party Integration
+
+You can now automate creating, updating, and deleting user accounts for the newly integrated app [LinkedIn Learning](../saas-apps/linkedin-learning-provisioning-tutorial.md).
+
+For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
+++
+### View role assignments across all scopes and ability to download them to a csv file
+
+**Type:** Changed feature
+**Service category:** Azure AD roles
+**Product capability:** Access Control
+
+You can now view role assignments across all scopes for a role in the "Roles and administrators" tab in the Azure AD portal. You can also download those role assignments for each role into a CSV file. For guidance on viewing and adding role assignments, see [View and assign administrator roles in Azure Active Directory](../roles/manage-roles-portal.md).
+
++
+### Azure Multi-Factor Authentication Software Development (Azure MFA SDK) Deprecation
+
+**Type:** Deprecated
+**Service category:** MFA
+**Product capability:** Identity Security & Protection
+
+The Azure Multi-Factor Authentication Software Development (Azure MFA SDK) reached the end of life on November 14th, 2018, as first announced in November 2017. Microsoft will be shutting down the SDK service effective on September 30th, 2020. Any calls made to the SDK will fail.
+
+If your organization is using the Azure MFA SDK, you need to migrate by September 30th, 2020:
+- Azure MFA SDK for MIM: If you use the SDK with MIM, you should migrate to Azure MFA Server and activate Privileged Access Management (PAM) following these [instructions](/microsoft-identity-manager/working-with-mfaserver-for-mim).
+- Azure MFA SDK for customized apps: Consider integrating your app into Azure AD and use Conditional Access to enforce MFA. To get started, review this [page](../manage-apps/plan-an-application-integration.md).
+++ ## June 2020 ### User risk condition in Conditional Access policy
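Review bot: the opening sentence of the TLS item in this hunk is ungrammatical ("Transport layer security (TLS) 1.2 and update servers and clients will soon communicate with Azure Active Directory Device Registration Service"); it should say that servers and clients will need to use TLS 1.2 to communicate with the Device Registration Service. Two smaller points in the same hunk: "HTLM5-capable" in the Application Proxy item should be "HTML5-capable", and the trademark glyph in "NumlyEngageΓäó" is mis-encoded. Because this section is being copied verbatim from whats-new.md, the fixes have to land in this archive copy.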
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new.md
@@ -12,7 +12,7 @@
Previously updated : 12/18/2020 Last updated : 1/29/2021
@@ -34,6 +34,190 @@ Azure AD receives improvements on an ongoing basis. To stay up to date with the
This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [Archive for What's new in Azure Active Directory](whats-new-archive.md).
+## January 2021
+
+### Secret token will be a mandatory field when configuring provisioning
+
+**Type:** Plan for change
+**Service category:** App Provisioning
+**Product capability:** Identity Lifecycle Management
+
+In the past, the secret token field could be kept empty when setting up provisioning on the custom / BYOA application. This function was intended to solely be used for testing. We'll update the UI to make the field required.
+
+Customers can work around this requirement for testing purposes by using a feature flag in the browser URL. [Learn more](../app-provisioning/use-scim-to-provision-users-and-groups.md#authorization-for-provisioning-connectors-in-the-application-gallery).
+
++
+### Public Preview - Customize and configure Android shared devices for Firstline Workers at scale
+
+**Type:** New feature
+**Service category:** Device Registration and Management
+**Product capability:** Identity Security & Protection
+
+Azure AD and Microsoft Endpoint Manager teams have combined to bring the capability to customize, scale, and secure your Firstline Worker devices.
+
+The following preview capabilities will allow you to:
+- Provision Android shared devices at scale with Microsoft Endpoint Manager
+- Secure your access for shift workers using device-based conditional access
+- Customize sign-in experiences for the shift workers with Managed Home Screen
+
+To learn more, refer to [Customize and configure shared devices for Firstline Workers at scale](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/customize-and-configure-shared-devices-for-firstline-workers-at/ba-p/1751708).
+++
+### Public preview - Provisioning logs can now be downloaded as a CSV or JSON
+
+**Type:** New feature
+**Service category:** App Provisioning
+**Product capability:** Identity Lifecycle Management
+
+Customers can download the provisioning logs as a CSV or JSON file through the UI and via graph API. To learn more, refer to [Provisioning reports in the Azure Active Directory portal](../reports-monitoring/concept-provisioning-logs.md).
+++
+### Public preview - Assign cloud groups to Azure AD custom roles and admin unit scoped roles
+
+**Type:** New feature
+**Service category:** RBAC
+**Product capability:** Access Control
+
+Customers can assign a cloud group to Azure AD custom roles or an admin unit scoped role. To learn how to use this feature, refer to [Use cloud groups to manage role assignments in Azure Active Directory](../roles/groups-concept.md).
+++
+### General Availability - Azure AD Connect cloud sync (previously known as cloud provisioning)
+
+**Type:** New feature
+**Service category:** Azure AD Connect cloud sync
+**Product capability:** Identity Lifecycle Management
+
+Azure AD Connect cloud sync is now generally available to all customers.
+
+Azure AD Connect cloud moves the heavy lifting of transform logic to the cloud, reducing your on-premises footprint. Additionally, multiple light-weight agent deployments are available for higher sync availability. [Learn more](https://aka.ms/cloudsyncGA).
+
+
+### General Availability - Attack Simulation Administrator and Attack Payload Author built-in roles
+
+**Type:** New feature
+**Service category:** RBAC
+**Product capability:** Access Control
+
+Two new roles in Role-Based Access Control are available to assign to users, Attack simulation Administrator and Attack Payload author.
+
+Users in the [Attack Simulation Administrator](../roles/permissions-reference.md#attack-simulation-administrator) role have access for all simulations in the tenant and can:
+- create and manage all aspects of attack simulation creation
+- launch/scheduling of a simulation
+- review simulation results.
+
+Users in the [Attack Payload Author](../roles/permissions-reference.md#attack-payload-author) role can create attack payloads but not actually launch or schedule them. Attack payloads are then available to all administrators in the tenant who can use them to create a simulation.
+++
+### General Availability - Usage Summary Reports Reader built-in role
+
+**Type:** New feature
+**Service category:** RBAC
+**Product capability:** Access Control
+
+Users with the Usage Summary Reports Reader role can access tenant level aggregated data and associated insights in Microsoft 365 Admin Center for Usage and Productivity Score. However, they cannot access any user level details or insights.
+
+In the Microsoft 365 Admin Center for the two reports, we differentiate between tenant level aggregated data and user level details. This role adds an extra layer of protection to individual user identifiable data. [Learn more](../roles/permissions-reference.md#usage-summary-reports-reader).
+++
+### General availability - Require App protection policy grant in Azure AD Conditional Access
+
+**Type:** New Feature
+**Service category:** Conditional Access
+**Product capability:** Identity Security & Protection
+
+Azure AD Conditional Access grant for "Require App Protection policy" is now GA.
+
+The policy provides the following capabilities:
+- Allows access only when using a mobile application that supports Intune App protection
+- Allows access only when a user has an Intune app protection policy delivered to the mobile application
+
+Learn more on how to set up a conditional access policy for app protection [here](../conditional-access/app-protection-based-conditional-access.md).
+
++
+### General availability - Email One-Time Passcode
+
+**Type:** New feature
+**Service category:** B2B
+**Product capability:** B2B/B2C
+
+Email OTP enables organizations around the world to collaborate with anyone by sending a link or invitation via email. Invited users can verify their identity with the one-time passcode sent to their email to access their partner's resources. [Learn more](../external-identities/one-time-passcode.md).
+
++
+ ### New provisioning connectors in the Azure AD Application Gallery - January 2021
+
+**Type:** New feature
+**Service category:** App Provisioning
+**Product capability:** 3rd Party Integration
+
+You can now automate creating, updating, and deleting user accounts for these newly integrated apps:
+- [Fortes Change Cloud](../saas-apps/fortes-change-cloud-provisioning-tutorial.md)
+- [Gtmhub](../saas-apps/gtmhub-provisioning-tutorial.md)
+- [monday.com](../saas-apps/mondaycom-provisioning-tutorial.md)
+- [Splashtop](../saas-apps/splashtop-provisioning-tutorial.md)
+- [Templafy OpenID Connect](../saas-apps/templafy-openid-connect-provisioning-tutorial.md)
+- [WEDO](../saas-apps/wedo-provisioning-tutorial.md)
+
+For more information, see [What is automated SaaS app user provisioning in Azure AD?](../app-provisioning/user-provisioning.md)
+++
+### New Federated Apps available in Azure AD Application gallery - January 2021
+
+**Type:** New feature
+**Service category:** Enterprise Apps
+**Product capability:** 3rd Party Integration
+
+In January 2021 we have added following 29 new applications in our App gallery with Federation support:
+
+[mySCView](https://dev.myscview.com/), [Talentech](https://talentech.com/contact/), [Bipsync](https://www.bipsync.com/), [OroTimesheet](https://app.orotimesheet.com/login.php), [Mio](https://app.m.io/auth/install/microsoft?scopetype=hub), [Sovelto Easy](https://login.soveltoeasy.fi/), [Supportbench](https://account.supportbench.net/agent/login/),[Bienvenue Formation](https://formation.bienvenue.pro/login), [AIDA Healthcare SSO](https://aidaforparents.com/login/organizations), [International SOS Assistance Products](../saas-apps/international-sos-assistance-products-tutorial.md), [NAVEX One](../saas-apps/navex-one-tutorial.md), [LabLog](../saas-apps/lablog-tutorial.md), [Oktopost SAML](../saas-apps/oktopost-saml-tutorial.md), [EPHOTO DAM](../saas-apps/ephoto-dam-tutorial.md), [Notion](../saas-apps/notion-tutorial.md), [Syndio](../saas-apps/syndio-tutorial.md), [Yello Enterprise](../saas-apps/yello-enterprise-tutorial.md), [Timeclock 365 SAML](../saas-apps/timeclock-365-saml-tutorial.md), [Nalco E-data](https://www.ecolab.com/), [Vacancy Filler](https://app.vacancy-filler.co.uk/VFMVC/Account/Login), [Synerise AI Growth Ecosystem](../saas-apps/synerise-ai-growth-ecosystem-tutorial.md), [Imperva Data Security](../saas-apps/imperva-data-security-tutorial.md), [Illusive Networks](../saas-apps/illusive-networks-tutorial.md), [Proware](../saas-apps/proware-tutorial.md), [Splan Visitor](../saas-apps/splan-visitor-tutorial.md), [Aruba User Experience Insight](../saas-apps/aruba-user-experience-insight-tutorial.md), [Contentsquare SSO](../saas-apps/contentsquare-sso-tutorial.md), [Perimeter 81](../saas-apps/perimeter-81-tutorial.md), [Burp Suite Enterprise Edition](https://docs.microsoft.com/azure/active-directory/saas-apps/burp-suite-enterprise-edition-tutorial)
+
+You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
+
+For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest
+++
+### Public preview - Second level manager can be set as alternate approver
+
+**Type:** Changed feature
+**Service category:** User Access Management
+**Product capability:** Entitlement Management
+
+An extra option when you select approvers is now available in Entitlement Management. If you select "Manager as approver" for the First Approver, you will have another option, "Second level manager as alternate approver", available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager. [Learn more](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers)
+
++
+### General availability - Navigate to Teams directly from My Access portal
+
+**Type:** Changed feature
+**Service category:** User Access Management
+**Product capability:** Entitlement Management
+
+You can now launch Teams directly from the My Access portal.
+
+To do so, sign-in to My Access (https://myaccess.microsoft.com/), navigate to "Access packages", then go to the "Active" tab to see all of the access packages you already have access to. When you expand the selected access package and hover on Teams, you can launch it by clicking on the "Open" button. [Learn more](../governance/entitlement-management-request-access.md).
+
++
+### Improved Logging & End-User Prompts for Risky Guest Users
+
+**Type:** Changed feature
+**Service category:** Identity Protection
+**Product capability:** Identity Security & Protection
+
+
+The Logging and End-User Prompts for Risky Guest Users have been updated. Learn more in [Identity Protection and B2B users](../identity-protection/concept-identity-protection-b2b.md).
+
+
+
## December 2020 ### Public preview - Azure AD B2C Phone Sign-up and Sign-in using Built-in Policy
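Review bot: "Azure AD Connect cloud moves the heavy lifting of transform logic to the cloud" in the cloud sync item drops the last word of the product name; it should read "Azure AD Connect cloud sync moves ...". Also in this hunk: the role names in "Attack simulation Administrator and Attack Payload author" do not match the casing used in the heading and the links ("Attack Simulation Administrator", "Attack Payload Author"); the **Type:** value "New Feature" in the app protection policy item should be "New feature" like every other entry; and "Supportbench](...),[Bienvenue Formation]" in the January gallery list is missing the space after the comma.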
@@ -42,7 +226,7 @@ This page is updated monthly, so revisit it regularly. If you're looking for ite
**Service category:** B2C - Consumer Identity Management **Product capability:** B2B/B2C
-B2C Phone Sign-up and Sign-in using Built-in Policy enable IT administrators and developers of organizations to allow their end-users to sign-in and sign-up using a phone number in user flows. Read [Set up phone sign-up and sign-in for user flows (preview)](../../active-directory-b2c/phone-authentication-user-flows.md) to learn more.
+B2C Phone Sign-up and Sign-in using Built-in Policy enable IT administrators and developers of organizations to allow their end-users to sign in and sign up using a phone number in user flows. Read [Set up phone sign-up and sign-in for user flows (preview)](../../active-directory-b2c/phone-authentication-user-flows.md) to learn more.
@@ -116,7 +300,7 @@ In December 2020 we have added following 18 new applications in our App gallery
You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest
+For listing your application in the Azure AD app gallery, read the details here https://aka.ms/AzureADAppRequest
@@ -126,7 +310,7 @@ For listing your application in the Azure AD app gallery, please read the detail
**Service category:** User Access Management **Product capability:** Entitlement Management
-You can now launch Teams directly from My Access portal. To do so, sign-in to [My Access](https://myaccess.microsoft.com/), navigate to **Access packages**, then go to the **Active** Tab to see all access packages you already have access to. When you expand the access package and hover on a Teams, you can launch it by clicking on the **Open** button.
+You can now launch Teams directly from My Access portal. To do so, sign-in to [My Access](https://myaccess.microsoft.com/), navigate to **Access packages**, then go to the **Active** Tab to see all access packages you already have access to. When you expand the access package and hover on Teams, you can launch it by clicking on the **Open** button.
To learn more about using the My Access portal, go to [Request access to an access package in Azure AD entitlement management](../governance/entitlement-management-request-access.md#sign-in-to-the-my-access-portal).
@@ -138,7 +322,7 @@ To learn more about using the My Access portal, go to [Request access to an acce
**Service category:** User Access Management **Product capability:** Entitlement Management
-An additional option is now available in the approval process in Entitlement Management. If you select Manager as approver for the First Approver, you will have an additional option, Second level manager as alternate approver, available to choose in the alternate approver field. If you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager.
+An extra option is now available in the approval process in Entitlement Management. If you select Manager as approver for the First Approver, you'll have an another option, Second level manager as alternate approver, available to choose in the alternate approver field. When you select this option, you need to add a fallback approver to forward the request to in case the system can't find the second level manager.
For more information, go to [Change approval settings for an access package in Azure AD entitlement management](../governance/entitlement-management-access-package-approval-policy.md#alternate-approvers).
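Review bot: the rewritten sentence introduces a grammar error, "you'll have an another option"; drop "an" so it reads "you'll have another option". The January 2021 entry added earlier in this same file has the correct form ("you will have another option"), so the two sentences should be kept consistent.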
@@ -146,7 +330,7 @@ For more information, go to [Change approval settings for an access package in A
## November 2020
-### Azure Active Directory TLS 1.0, TLS 1.1 and 3DES Deprecation
+### Azure Active Directory TLS 1.0, TLS 1.1, and 3DES deprecation
**Type:** Plan for change **Service category:** All Azure AD applications
@@ -959,173 +1143,5 @@ A [hotfix rollup package (build 4.6.263.0)](https://support.microsoft.com/help/4
-## July 2020
-
-### As an IT Admin, I want to target client apps using Conditional Access
-
-**Type:** Plan for change
-**Service category:** Conditional Access
-**Product capability:** Identity Security & Protection
-
-With the GA release of the client apps condition in Conditional Access, new policies will now apply by default to all client applications. This includes legacy authentication clients. Existing policies will remain unchanged, but the *Configure Yes/No* toggle will be removed from existing policies to easily see which client apps are applied to by the policy.
-
-When creating a new policy, make sure to exclude users and service accounts that are still using legacy authentication; if you don't, they will be blocked. [Learn more](../conditional-access/concept-conditional-access-conditions.md).
-
--
-### Upcoming SCIM compliance fixes
-
-**Type:** Plan for change
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-The Azure AD provisioning service leverages the SCIM standard for integrating with applications. Our implementation of the SCIM standard is evolving, and we expect to make changes to our behavior around how we perform PATCH operations as well as set the property "active" on a resource. [Learn more](../app-provisioning/application-provisioning-config-problem-scim-compatibility.md).
-
--
-### Group owner setting on Azure Admin portal will be changed
-
-**Type:** Plan for change
-**Service category:** Group Management
-**Product capability:** Collaboration
-
-Owner settings on Groups general setting page can be configured to restrict owner assignment privileges to a limited group of users in the Azure Admin portal and Access Panel. We will soon have the ability to assign group owner privilege not only on these two UX portals but also enforce the policy on the backend to provide consistent behavior across endpoints, such as PowerShell and Microsoft Graph.
-
-We will start to disable the current setting for the customers who are not using it and will offer an option to scope users for group owner privilege in the next few months. For guidance on updating group settings, see Edit your group information using [Azure Active Directory](./active-directory-groups-settings-azure-portal.md?context=azure%2factive-directory%2fusers-groups-roles%2fcontext%2fugr-context).
---
-### Azure Active Directory Registration Service is ending support for TLS 1.0 and 1.1
-
-**Type:** Plan for change
-**Service category:** Device Registration and Management
-**Product capability:** Platform
-
-Transport layer security (TLS) 1.2 and update servers and clients will soon communicate with Azure Active Directory Device Registration Service. Support for TLS 1.0 and 1.1 for communication with Azure AD Device Registration service will retire:
-- On August 31, 2020, in all sovereign clouds (GCC High, DoD, etc.)-- On October 30, 2020, in all commercial clouds-
-[Learn more](../devices/reference-device-registration-tls-1-2.md) about TLS 1.2 for the Azure AD Registration Service.
---
-### Windows Hello for Business Sign Ins visible in Azure AD Sign In Logs
-
-**Type:** Fixed
-**Service category:** Reporting
-**Product capability:** Monitoring & Reporting
-
-Windows Hello for Business allows end users to sign into Windows machines with a gesture (such as a PIN or biometric). Azure AD admins may want to differentiate Windows Hello for Business sign-ins from other Windows sign-ins as part of an organization's journey to passwordless authentication.
-
-Admins can now see whether a Windows authentication used Windows Hello for Business by checking the Authentication Details tab for a Windows sign-in event in the Azure AD Sign-Ins blade in the Azure portal. Windows Hello for Business authentications will include "WindowsHelloForBusiness" in the Authentication Method field. For more information on interpreting Sign-In Logs, please see the [Sign-In Logs documentation](../reports-monitoring/concept-sign-ins.md).
-
--
-### Fixes to group deletion behavior and performance improvements
-
-**Type:** Fixed
-**Service category:** App Provisioning
-**Product capability:** Identity Lifecycle Management
-
-Previously, when a group changed from "in-scope" to "out-of-scope" and an admin clicked restart before the change was completed, the group object was not being deleted. Now the group object will be deleted from the target application when it goes out of scope (disabled, deleted, unassigned, or did not pass scoping filter). [Learn more](../app-provisioning/how-provisioning-works.md#incremental-cycles).
-
--
-### Public Preview: Admins can now add custom content in the email to reviewers when creating an access review
-
-**Type:** New feature
-**Service category:** Access Reviews
-**Product capability:** Identity Governance
-
-When a new access review is created, the reviewer receives an email requesting them to complete the access review. Many of our customers asked for the ability to add custom content to the email, such as contact information, or other additional supporting content to guide the reviewer.
-
-Now available in public preview, administrators can specify custom content in the email sent to reviewers by adding content in the "advanced" section of Azure AD Access Reviews. For guidance on creating access reviews, see [Create an access review of groups and applications in Azure AD access reviews](../governance/create-access-review.md).
-
--
-### Authorization Code Flow for Single-page apps available
-
-**Type:** New feature
-**Service category:** Authentications (Logins)
-**Product capability:** Developer Experience
-
-Because of modern browser 3rd party cookie restrictions such as Safari ITP, SPAs will have to use the authorization code flow rather than the implicit flow to maintain SSO, and MSAL.js v 2.x will now support the authorization code flow.
-
-There are corresponding updates to the Azure portal so you can update your SPA to be type "spa" and use the auth code flow. See [Sign in users and get an access token in a JavaScript SPA using the auth code flow](../develop/quickstart-v2-javascript-auth-code.md) for further guidance.
-
--
-### Azure AD Application Proxy now supports the Remote Desktop Services Web Client
-
-**Type:** New feature
-**Service category:** App Proxy
-**Product capability:** Access Control
-
-Azure AD Application Proxy now supports the Remote Desktop Services (RDS) Web Client. The RDS web client allows users to access Remote Desktop infrastructure through any HTLM5-capable browser such as Microsoft Edge, Internet Explorer 11, Google Chrome, etc. Users can interact with remote apps or desktops like they would with a local device from anywhere. By using Azure AD Application Proxy you can increase the security of your RDS deployment by enforcing pre-authentication and Conditional Access policies for all types of rich client apps. For guidance, see [Publish Remote Desktop with Azure AD Application Proxy](../manage-apps/application-proxy-integrate-with-remote-desktop-services.md).
-
--
-### Next generation Azure AD B2C user flows in public preview
-
-**Type:** New feature
-**Service category:** B2C - Consumer Identity Management
-**Product capability:** B2B/B2C
-
-Simplified user flow experience offers feature parity with preview features and is the home for all new features. Users will be able to enable new features within the same user flow, reducing the need to create multiple versions with every new feature release. Lastly, the new, user-friendly UX simplifies the selection and creation of user flows. Try it now by [creating a user flow](../../active-directory-b2c/tutorial-create-user-flows.md).
-
-For more information about users flows, see [User flow versions in Azure Active Directory B2C](../../active-directory-b2c/user-flow-versions.md).
---
-### New Federated Apps available in Azure AD Application gallery - July 2020
-
-**Type:** New feature
-**Service category:** Enterprise Apps
-**Product capability:** 3rd Party Integration
-
-In July 2020 we have added following 55 new applications in our App gallery with Federation support:
-
-[Clap Your Hands](http://www.rmit.com.ar/), [Appreiz](https://microsoftteams.appreiz.com/), [Inextor Vault](https://inexto.com/inexto-suite/inextor), [Beekast](https://my.beekast.com/), [Templafy OpenID Connect](https://app.templafy.com/), [PeterConnects receptionist](https://msteams.peterconnects.com/), [AlohaCloud](https://appfusions.alohacloud.com/auth), [Control Tower](https://bpm.tnxcorp.com/sso/microsoft), [Cocoom](https://start.cocoom.com/), [COINS Construction Cloud](https://sso.coinsconstructioncloud.com/#login/), [Medxnote MT](https://task.teamsmain.medx.im/authorization), [Reflekt](https://reflekt.konsolute.com/login), [Rever](https://app.reverscore.net/access), [MyCompanyArchive](https://login.mycompanyarchive.com/), [GReminders](https://app.greminders.com/o365-oauth), [Titanfile](../saas-apps/titanfile-tutorial.md), [Wootric](../saas-apps/wootric-tutorial.md), [SolarWinds Orion](https://support.solarwinds.com/SuccessCenter/s/orion-platform?language=en_US), [OpenText Directory Services](../saas-apps/opentext-directory-services-tutorial.md), [Datasite](../saas-apps/datasite-tutorial.md), [BlogIn](../saas-apps/blogin-tutorial.md), [IntSights](../saas-apps/intsights-tutorial.md), [kpifire](../saas-apps/kpifire-tutorial.md), [Textline](../saas-apps/textline-tutorial.md), [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-tutorial.md), [Community Spark](../saas-apps/community-spark-tutorial.md), [Chatwork](../saas-apps/chatwork-tutorial.md), [CloudSign](../saas-apps/cloudsign-tutorial.md), [C3M Cloud Control](../saas-apps/c3m-cloud-control-tutorial.md), [SmartHR](https://smarthr.jp/), [NumlyEngageΓäó](../saas-apps/numlyengage-tutorial.md), [Michigan Data Hub Single Sign-On](../saas-apps/michigan-data-hub-single-sign-on-tutorial.md), [Egress](../saas-apps/egress-tutorial.md), [SendSafely](../saas-apps/sendsafely-tutorial.md), [Eletive](https://app.eletive.com/), [Right-Hand Cybersecurity ADI](https://right-hand.ai/), [Fyde Enterprise 
Authentication](https://enterprise.fyde.com/), [Verme](../saas-apps/verme-tutorial.md), [Lenses.io](../saas-apps/lensesio-tutorial.md), [Momenta](../saas-apps/momenta-tutorial.md), [Uprise](https://app.uprise.co/sign-in), [Q](https://q.moduleq.com/login), [CloudCords](../saas-apps/cloudcords-tutorial.md), [TellMe Bot](https://tellme365liteweb.azurewebsites.net/), [Inspire](https://app.inspiresoftware.com/), [Maverics Identity Orchestrator SAML Connector](https://www.strata.io/identity-fabric/), [Smartschool (School Management System)](https://smartschoolz.com/login), [Zepto - Intelligent timekeeping](https://user.zepto-ai.com/signin), [Studi.ly](https://studi.ly/), [Trackplan](http://www.trackplanfm.com/), [Skedda](../saas-apps/skedda-tutorial.md), [WhosOnLocation](../saas-apps/whos-on-location-tutorial.md), [Coggle](../saas-apps/coggle-tutorial.md), [Kemp LoadMaster](https://kemptechnologies.com/cloud-load-balancer/), [BrowserStack Single Sign-on](../saas-apps/browserstack-single-sign-on-tutorial.md)
-
-You can also find the documentation of all the applications from here https://aka.ms/AppsTutorial
-
-For listing your application in the Azure AD app gallery, please read the details here https://aka.ms/AzureADAppRequest
---
-### New provisioning connectors in the Azure AD Application Gallery - July 2020
-
-**Type:** New feature
-**Service category:** App Provisioning
-**Product capability:** 3rd Party Integration
-
-You can now automate creating, updating, and deleting user accounts for the newly integrated app [LinkedIn Learning](../saas-apps/linkedin-learning-provisioning-tutorial.md).
-
-For more information about how to better secure your organization by using automated user account provisioning, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
---
-### View role assignments across all scopes and ability to download them to a csv file
-
-**Type:** Changed feature
-**Service category:** Azure AD roles
-**Product capability:** Access Control
-
-You can now view role assignments across all scopes for a role in the "Roles and administrators" tab in the Azure AD portal. You can also download those role assignments for each role into a CSV file. For guidance on viewing and adding role assignments, see [View and assign administrator roles in Azure Active Directory](../roles/manage-roles-portal.md).
-
-
-### Azure Multi-Factor Authentication Software Development (Azure MFA SDK) Deprecation
-
-**Type:** Deprecated
-**Service category:** MFA
-**Product capability:** Identity Security & Protection
-
-The Azure Multi-Factor Authentication Software Development (Azure MFA SDK) reached the end of life on November 14th, 2018, as first announced in November 2017. Microsoft will be shutting down the SDK service effective on September 30th, 2020. Any calls made to the SDK will fail.
-
-If your organization is using the Azure MFA SDK, you need to migrate by September 30th, 2020:
-- Azure MFA SDK for MIM: If you use the SDK with MIM, you should migrate to Azure MFA Server and activate Privileged Access Management (PAM) following these [instructions](/microsoft-identity-manager/working-with-mfaserver-for-mim). -- Azure MFA SDK for customized apps: Consider integrating your app into Azure AD and use Conditional Access to enforce MFA. To get started, review this [page](../manage-apps/plan-an-application-integration.md). --
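Review bot: this hunk deletes the entire July 2020 section (173 lines) and the diff shows no `+` counterpart, so it is not visible where these entries went. The What's new page normally rolls old months into the archive article, and that move should land in the same commit, because several of the deleted items are still-actionable notices: the Device Registration service retiring TLS 1.0 and 1.1 on October 30, 2020 in commercial clouds, the Azure MFA SDK shutdown on September 30, 2020 with its MIM and custom-app migration paths, the SCIM PATCH and "active" behavior change, and the Conditional Access client-apps default now applying to legacy authentication clients. If the block was moved, reference the archive article from the commit; if it was dropped, restore at least the deprecation entries. Whichever target receives the text, fix "HTLM5-capable browser" in the Application Proxy item rather than carrying the typo over.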
active-directory https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/reference-connect-faq.md
@@ -157,8 +157,8 @@ Synced users might be authored or mastered on premises. If the account is enable
**Q: Why doesn't the userPrincipalName (UPN) attribute in Azure AD match the on-premises UPN?** For information, see these articles:
-* [Usernames in Microsoft 365, Azure, or Intune don't match the on-premises UPN or alternate login ID](https://support.microsoft.com/kb/2523192)
-* [Changes aren't synced by the Azure Active Directory sync tool after you change the UPN of a user account to use a different federated domain](https://support.microsoft.com/kb/2669550)
+* [Usernames in Microsoft 365, Azure, or Intune don't match the on-premises UPN or alternate login ID](https://mskb.pkisolutions.com/kb/2523192)
+* [Changes aren't synced by the Azure Active Directory sync tool after you change the UPN of a user account to use a different federated domain](https://mskb.pkisolutions.com/kb/2669550)
You can also configure Azure AD to allow the sync engine to update the UPN, as described in [Azure AD Connect sync service features](how-to-connect-syncservice-features.md).
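Review bot: the two `+` lines point official documentation at mskb.pkisolutions.com, a third-party mirror of Microsoft KB articles, in place of support.microsoft.com/kb/2523192 and /kb/2669550. A mirror outside Microsoft's control can change content or disappear, and sending readers from docs.microsoft.com to an unfamiliar domain is the pattern phishing pages imitate, so first-party docs should not normalize it. The tshoot-connect-sync-errors hunk in this same commit replaces KB 2669550 with the in-repo article /azure/active-directory/hybrid/howto-troubleshoot-upn-changes; do the same here, as the relative link `howto-troubleshoot-upn-changes.md` since both files sit in the hybrid folder (this file already links `how-to-connect-syncservice-features.md` that way), and find a first-party home for KB 2523192 instead of the mirror.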
active-directory https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sync-errors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/tshoot-connect-sync-errors.md
@@ -200,7 +200,7 @@ If a user's UserPrincipalName suffix was updated from bob@**contoso.com** to bob
2. Allow the next sync cycle to attempt synchronization. This time synchronization will be successful and it will update the UserPrincipalName of Bob to bob@fabrikam.com as expected. #### Related Articles
-* [Changes aren't synced by the Azure Active Directory Sync tool after you change the UPN of a user account to use a different federated domain](https://support.microsoft.com/help/2669550/changes-aren-t-synced-by-the-azure-active-directory-sync-tool-after-you-change-the-upn-of-a-user-account-to-use-a-different-federated-domain)
+* [Changes aren't synced by the Azure Active Directory Sync tool after you change the UPN of a user account to use a different federated domain](/azure/active-directory/hybrid/howto-troubleshoot-upn-changes)
## LargeObject ### Description
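Review bot: the link text on the `+` line still carries the old KB title ("Changes aren't synced by the Azure Active Directory Sync tool after you change the UPN of a user account to use a different federated domain") while the target is now the UPN-changes troubleshooting article; update the text to that article's title so readers know what they are opening. The target is in the same hybrid folder as this file, so use the relative form `howto-troubleshoot-upn-changes.md`, the convention the neighbouring FAQ file uses for `how-to-connect-syncservice-features.md`, so the docs build validates the path.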
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-proxy-security.md
@@ -103,7 +103,7 @@ The connector uses a client certificate to authenticate to the Application Proxy
When the connector is first set up, the following flow events take place: 1. The connector registration to the service happens as part of the installation of the connector. Users are prompted to enter their Azure AD admin credentials. The token acquired from this authentication is then presented to the Azure AD Application Proxy service.
-2. The Application Proxy service evaluates the token. It checks whether the user is a company administrator in the tenant. If the user is not an administrator, the process is terminated.
+2. The Application Proxy service evaluates the token. It checks whether the user is a Global Administrator in the tenant. If the user is not an administrator, the process is terminated.
3. The connector generates a client certificate request and passes it, along with the token, to the Application Proxy service. The service in turn verifies the token and signs the client certificate request. 4. The connector uses the client certificate for future communication with the Application Proxy service. 5. The connector performs an initial pull of the system configuration data from the service using its client certificate, and it is now ready to take requests.
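Review bot: after narrowing step 2 to "Global Administrator", the failure sentence on the same line, "If the user is not an administrator, the process is terminated", no longer matches: an Application Administrator is an administrator but, as now worded, cannot register a connector. Make it "If the user does not hold that role, the process is terminated", or, if other roles are in fact accepted for connector registration, list them rather than only Global Administrator.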
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error.md
@@ -30,7 +30,7 @@ Certain conditions must be true for a user to consent to the permissions an appl
* **AADSTS90093:** &lt;clientAppDisplayName&gt; is requesting one or more permissions that you are not authorized to grant. Contact an administrator, who can consent to this application on your behalf. * **AADSTS90094:** &lt;clientAppDisplayName&gt; needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
-This error occurs when a user who is not a company administrator attempts to use an application that is requesting permissions that only an administrator can grant. This error can be resolved by an administrator granting access to the application on behalf of their organization.
+This error occurs when a user who is not a Global Administrator attempts to use an application that is requesting permissions that only an administrator can grant. This error can be resolved by an administrator granting access to the application on behalf of their organization.
This error can also occur when a user is prevented from consenting to an application due to Microsoft detecting that the permissions request is risky. In this case, an audit event will also be logged with a Category of "ApplicationManagement", Activity Type of "Consent to application" and Status Reason of "Risky application detected".
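Review bot: replacing "company administrator" with "Global Administrator" on the `+` line makes the statement narrower than the product: the grant-admin-consent.md hunk in this same commit states that tenant-wide admin consent can be granted by a Global Administrator, an Application Administrator, or a Cloud Application Administrator, so a Cloud Application Administrator who hits AADSTS90094 is "not a Global Administrator" yet can resolve it without escalating. Suggest "a user who does not hold a role that can grant admin consent" (which keeps the second sentence's "an administrator granting access" consistent), or name the three roles explicitly.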
@@ -39,7 +39,7 @@ Another scenario in which this error might occur is when the user assignment is
## Policy prevents granting permissions error * **AADSTS90093:** An administrator of &lt;tenantDisplayName&gt; has set a policy that prevents you from granting &lt;name of app&gt; the permissions it is requesting. Contact an administrator of &lt;tenantDisplayName&gt;, who can grant permissions to this app on your behalf.
-This error occurs when a company administrator turns off the ability for users to consent to applications, then a non-administrator user attempts to use an application that requires consent. This error can be resolved by an administrator granting access to the application on behalf of their organization.
+This error occurs when a Global Administrator turns off the ability for users to consent to applications, then a non-administrator user attempts to use an application that requires consent. This error can be resolved by an administrator granting access to the application on behalf of their organization.
## Intermittent problem error * **AADSTS90090:** It looks like the sign-in process encountered an intermittent problem recording the permissions you attempted to grant to &lt;clientAppDisplayName&gt;. try again later.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classifications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-permission-classifications.md
@@ -29,7 +29,7 @@ Currently, only the "Low impact" permission classification is supported. Only de
Follow these steps to classify permissions using the Azure portal:
-1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator--company-administrator), [Application Administrator](../roles/permissions-reference.md#application-administrator), or [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator)
+1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator), [Application Administrator](../roles/permissions-reference.md#application-administrator), or [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator)
1. Select **Azure Active Directory** > **Enterprise applications** > **Consent and permissions** > **Permission classifications**. 1. Choose **Add permissions** to classify another permission as "Low impact". 1. Select the API and then select the delegated permission(s).
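Review bot: the anchor change from `#global-administrator--company-administrator` to `#global-administrator` on this hunk and the five that follow (configure-user-consent-groups, configure-user-consent, and the three grant-admin-consent hunks) only resolves if the heading in roles/permissions-reference.md was renamed to "Global Administrator" in the same change; that file's hunk is not in this diff. Confirm the target heading exists before merging, because the docs build validates file paths but a stale fragment fails silently and just drops the reader at the top of the page.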
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent-groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-user-consent-groups.md
@@ -26,7 +26,7 @@ You can configure which users are allowed to consent to apps accessing their gro
Follow these steps to manage group owner consent to apps accessing group data:
-1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator--company-administrator).
+1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator).
2. Select **Azure Active Directory** > **Enterprise applications** > **Consent and permissions** > **User consent settings**. 3. Under **Group owner consent for apps accessing data** select the option you'd like to enable. 4. Select **Save** to save your settings.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/configure-user-consent.md
@@ -43,7 +43,7 @@ By choosing which app consent policies apply for all users, you can set limits o
To configure user consent settings through the Azure portal:
-1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator--company-administrator).
+1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator).
1. Select **Azure Active Directory** > **Enterprise applications** > **Consent and permissions** > **User consent settings**. 1. Under **User consent for applications**, select which consent setting you'd like to configure for all users. 1. Select **Save** to save your settings.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/grant-admin-consent.md
@@ -22,7 +22,7 @@ For more information on consenting to applications, see [Azure Active Directory
## Prerequisites
-Granting tenant-wide admin consent requires you to sign in as [Global Administrator](../roles/permissions-reference.md#global-administrator--company-administrator), an [Application Administrator](../roles/permissions-reference.md#application-administrator), or a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+Granting tenant-wide admin consent requires you to sign in as [Global Administrator](../roles/permissions-reference.md#global-administrator), an [Application Administrator](../roles/permissions-reference.md#application-administrator), or a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
> [!IMPORTANT] > When an application has been granted tenant-wide admin consent, all users will be able to sign in to the app unless it has been configured to require user assignment. To restrict which users can sign in to an application, require user assignment and then assign users or groups to the application. For more information, see [Methods for assigning users and groups](./assign-user-or-group-access-portal.md).
@@ -42,7 +42,7 @@ You can grant tenant-wide admin consent through *Enterprise applications* if the
To grant tenant-wide admin consent to an app listed in **Enterprise applications**:
-1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator--company-administrator), an [Application Administrator](../roles/permissions-reference.md#application-administrator), or a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator), an [Application Administrator](../roles/permissions-reference.md#application-administrator), or a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
2. Select **Azure Active Directory** then **Enterprise applications**. 3. Select the application to which you want to grant tenant-wide admin consent. 4. Select **Permissions** and then click **Grant admin consent**.
@@ -58,7 +58,7 @@ For applications your organization has developed, or which are registered direct
To grant tenant-wide admin consent from **App registrations**:
-1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator--company-administrator), an [Application Administrator](../roles/permissions-reference.md#application-administrator), or a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Sign in to the [Azure portal](https://portal.azure.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator), an [Application Administrator](../roles/permissions-reference.md#application-administrator), or a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
2. Select **Azure Active Directory** then **App registrations**. 3. Select the application to which you want to grant tenant-wide admin consent. 4. Select **API permissions** and then click **Grant admin consent**.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-sign-in https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-sign-in.md
@@ -13,7 +13,7 @@ ms.devlang: na
na Previously updated : 12/01/2017 Last updated : 01/29/2021
@@ -87,12 +87,7 @@ Responses such as the following may indicate that the VM's managed identity for
- PowerShell: *Invoke-WebRequest : Unable to connect to the remote server* - CLI: *MSI: Failed to retrieve a token from `http://localhost:50342/oauth2/token` with an error of 'HTTPConnectionPool(host='localhost', port=50342)*
-If you receive one of these errors, return to the Azure VM in the [Azure portal](https://portal.azure.com) and:
--- Go to the **Identity** page and ensure **System assigned** is set to "Yes."-- Go to the **Extensions** page and ensure the managed identities for Azure resources extension **(planned for deprecation in January 2019)** deployed successfully.-
-If either is incorrect, you may need to redeploy the managed identities for Azure resources on your resource again, or troubleshoot the deployment failure. See [Configure Managed identities for Azure resources on a VM using the Azure portal](qs-configure-portal-windows-vm.md) if you need assistance with VM configuration.
+If you receive one of these errors, return to the Azure VM in the [Azure portal](https://portal.azure.com) and go to the **Identity** page and ensure **System assigned** is set to "Yes."
## Next steps
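Review bot: the `-` lines remove the Extensions-page check for the deprecated managed identities VM extension, but the unchanged CLI error text just above still quotes `http://localhost:50342/oauth2/token`, which is the local endpoint that extension served; a VM that acquires tokens through the instance metadata service will not produce that message, so the troubleshooting guidance is now only half updated. Either retire the 50342 example alongside the extension or state that it applies only to VMs still running it. The deleted lines also dropped the pointer to qs-configure-portal-windows-vm.md for redeploying the identity; that link is the action a reader takes when **System assigned** turns out to be "No", so keep it in the `+` line.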
active-directory https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/howto-assign-access-cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/howto-assign-access-cli.md
@@ -13,7 +13,7 @@ ms.devlang: na
na Previously updated : 12/06/2017 Last updated : 01/29/2021
active-directory https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-rest-vmss https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/qs-configure-rest-vmss.md
@@ -13,7 +13,7 @@ ms.devlang: na
na Previously updated : 06/25/2018 Last updated : 01/29/2021
active-directory https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md
@@ -398,6 +398,15 @@ Refer to the following list to configure access to Azure Resource
| Azure Germany | `https://database.cloudapi.de/` | ![Available][check] | | Azure China 21Vianet | `https://database.chinacloudapi.cn/` | ![Available][check] |
+### Azure Data Explorer
+
+| Cloud | Resource ID | Status |
+|--||:-:|
+| Azure Global | `https://<account>.<region>.kusto.windows.net` | ![Available][check] |
+| Azure Government | `https://<account>.<region>.kusto.usgovcloudapi.net` | ![Available][check] |
+| Azure Germany | `https://<account>.<region>.kusto.cloudapi.de` | ![Available][check] |
+| Azure China 21Vianet | `https://<account>.<region>.kusto.chinacloudapi.cn` | ![Available][check] |
+ ### Azure Event Hubs | Cloud | Resource ID | Status |
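Review bot: the table separator row `|--||:-:|` on the `+` lines has an empty second column spec, so the Resource ID column carries no alignment marker and some Markdown renderers will not treat the block as a table; use `|--|--|:-:|`. Two content points on the same rows: Azure Data Explorer documentation calls the endpoint a cluster rather than an account, so `https://<cluster>.<region>.kusto.windows.net` matches what readers see in the portal; and the other entries in this list end with a trailing slash (`https://database.cloudapi.de/`, `https://database.chinacloudapi.cn/`) while these four do not. That is not cosmetic, since the resource value is sent as the token audience and must match what the service expects exactly, so state the form deliberately and call it out if Kusto differs from the convention used elsewhere in the table.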
active-directory https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-provisioning-logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-provisioning-logs.md
@@ -14,7 +14,7 @@
na Previously updated : 1/19/2021 Last updated : 1/29/2021
@@ -44,7 +44,7 @@ This topic gives you an overview of the provisioning logs. The logs provide answ
These users can access the data in provisioning logs: * Application owners (logs for their own applications)
-* Users in the Security Administrator, Security Reader, Report Reader, Application Administrator, and Cloud Application Administrator roles
+* Users in the Security Administrator, Security Reader, Report Reader, Security Operator, Application Administrator, and Cloud Application Administrator roles
* Users in a custom role with the [provisioningLogs permission](../roles/custom-enterprise-app-permissions.md#full-list-of-permissions) * Global administrators
@@ -266,4 +266,4 @@ Use the following table to better understand how to resolve errors that you find
* [Check the status of user provisioning](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) * [Problem configuring user provisioning to an Azure AD Gallery application](../app-provisioning/application-provisioning-config-problem.md)
-* [Graph API for provisioning logs](/graph/api/resources/provisioningobjectsummary?view=graph-rest-beta)
\ No newline at end of file
+* [Graph API for provisioning logs](/graph/api/resources/provisioningobjectsummary?view=graph-rest-beta)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/concept-understand-roles.md
@@ -57,7 +57,7 @@ The following table is offered as an aid to understanding these role categories.
Category | Role - | - Azure AD-specific roles | Application Administrator<br>Application Developer<br>Authentication Administrator<br>B2C IEF Keyset Administrator<br>B2C IEF Policy Administrator<br>Cloud Application Administrator<br>Cloud Device Administrator<br>Conditional Access Administrator<br>Device Administrators<br>Directory Readers<br>Directory Synchronization Accounts<br>Directory Writers<br>External ID User Flow Administrator<br>External ID User Flow Attribute Administrator<br>External Identity Provider Administrator<br>Groups Administrator<br>Guest Inviter<br>Helpdesk Administrator<br>Hybrid Identity Administrator<br>License Administrator<br>Partner Tier1 Support<br>Partner Tier2 Support<br>Password Administrator<br>Privileged Authentication Administrator<br>Privileged Role Administrator<br>Reports Reader<br>User Account Administrator
-Cross-service roles | Company Administrator<br>Compliance Administrator<br>Compliance Data Administrator<br>Global Reader<br>Security Administrator<br>Security Operator<br>Security Reader<br>Service Support Administrator
+Cross-service roles | Global Administrator<br>Compliance Administrator<br>Compliance Data Administrator<br>Global Reader<br>Security Administrator<br>Security Operator<br>Security Reader<br>Service Support Administrator
Service-specific roles | Azure DevOps Administrator<br>Azure Information Protection Administrator<br>Billing Administrator<br>CRM Service Administrator<br>Customer LockBox Access Approver<br>Desktop Analytics Administrator<br>Exchange Service Administrator<br>Insights Administrator<br>Insights Business Leader<br>Intune Service Administrator<br>Kaizala Administrator<br>Lync Service Administrator<br>Message Center Privacy Reader<br>Message Center Reader<br>Modern Commerce User<br>Network Administrator<br>Office Apps Administrator<br>Power BI Service Administrator<br>Power Platform Administrator<br>Printer Administrator<br>Printer Technician<br>Search Administrator<br>Search Editor<br>SharePoint Service Administrator<br>Teams Communications Administrator<br>Teams Communications Support Engineer<br>Teams Communications Support Specialist<br>Teams Devices Administrator<br>Teams Service Administrator ## Next steps
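Review bot: The renamed entry breaks the ordering of the Cross-service row. The old "Company Administrator" sat first because the row is alphabetical (Compliance Administrator, Compliance Data Administrator, Global Reader, Security Administrator, ...); after the rename "Global Administrator" should move to just before "Global Reader" so the row reads `Compliance Data Administrator<br>Global Administrator<br>Global Reader`. The same ordering check applies to the Azure AD-specific row, which is unchanged here.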
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/delegate-app-roles.md
@@ -22,7 +22,7 @@
This article describes how to use permissions granted by custom roles in Azure Active Directory (Azure AD) to address your application management needs. In Azure AD, you can delegate Application creation and management permissions in the following ways: -- [Restricting who can create applications](#restrict-who-can-create-applications) and manage the applications they create. By default in Azure AD, all users can register application registrations and manage all aspects of applications they create. This can be restricted to only allow selected people that permission.
+- [Restricting who can create applications](#restrict-who-can-create-applications) and manage the applications they create. By default in Azure AD, all users can register applications and manage all aspects of applications they create. This can be restricted to only allow selected people that permission.
- [Assigning one or more owners to an application](#assign-application-owners). This is a simple way to grant someone the ability to manage all aspects of Azure AD configuration for a specific application. - [Assigning a built-in administrative role](#assign-built-in-application-admin-roles) that grants access to manage configuration in Azure AD for all applications. This is the recommended way to grant IT experts access to manage broad application configuration permissions without granting access to manage other parts of Azure AD not related to application configuration. - [Creating a custom role](#create-and-assign-a-custom-role-preview) defining very specific permissions and assigning it to someone either to the scope of a single application as a limited owner, or at the directory scope (all applications) as a limited administrator.
@@ -31,7 +31,7 @@ It's important to consider granting access using one of the above methods for tw
## Restrict who can create applications
-By default in Azure AD, all users can register application registrations and manage all aspects of applications they create. Everyone also has the ability to consent to apps accessing company data on their behalf. You can choose to selectively grant those permissions by setting the global switches to 'No' and adding the selected users to the Application Developer role.
+By default in Azure AD, all users can register applications and manage all aspects of applications they create. Everyone also has the ability to consent to apps accessing company data on their behalf. You can choose to selectively grant those permissions by setting the global switches to 'No' and adding the selected users to the Application Developer role.
### To disable the default ability to create application registrations or consent to applications
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/my-staff-configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/my-staff-configure.md
@@ -84,7 +84,7 @@ The following roles have permission to reset a user's password:
- [Authentication administrator](permissions-reference.md#authentication-administrator) - [Privileged authentication administrator](permissions-reference.md#privileged-authentication-administrator)-- [Global administrator](permissions-reference.md#global-administrator--company-administrator)
+- [Global administrator](permissions-reference.md#global-administrator)
- [Helpdesk administrator](permissions-reference.md#helpdesk-administrator) - [User administrator](permissions-reference.md#user-administrator) - [Password administrator](permissions-reference.md#password-administrator)
@@ -112,7 +112,7 @@ To manage a user's phone number, you must be assigned one of the following roles
- [Authentication administrator](permissions-reference.md#authentication-administrator) - [Privileged authentication administrator](permissions-reference.md#privileged-authentication-administrator)-- [Global administrator](permissions-reference.md#global-administrator--company-administrator)
+- [Global administrator](permissions-reference.md#global-administrator)
## Search
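Review bot: Both anchor changes in this file (the password-reset list at line 84 and the phone-number list at line 112) point at `permissions-reference.md#global-administrator`, which only resolves once the heading "### [Global Administrator / Company Administrator]" in permissions-reference is renamed to "### [Global Administrator]" as done elsewhere in this batch. Merge the two articles together, or the links 404 in the interval; also grep the rest of the roles folder for the old `#global-administrator--company-administrator` and `#company-administrator-permissions` anchors, since this file is unlikely to be the only one using them.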
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/permissions-reference.md
@@ -9,7 +9,7 @@
Previously updated : 11/05/2020 Last updated : 01/29/2020
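Review bot: The new `ms.date` value "01/29/2020" is wrong; the article was previously dated 11/05/2020, so the update cannot be earlier than that, and the other article in this batch is stamped 1/29/2021. Change it to `01/29/2021`, otherwise the freshness metadata reports the page as a year stale.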
@@ -20,9 +20,9 @@
Using Azure Active Directory (Azure AD), you can designate limited administrators to manage identity tasks in less-privileged roles. Administrators can be assigned for such purposes as adding or changing users, assigning administrative roles, resetting user passwords, managing user licenses, and managing domain names. The [default user permissions](../fundamentals/users-default-permissions.md) can be changed only in user settings in Azure AD.
-## Limit use of Global administrator
+## Limit use of Global Administrator
-Users who are assigned to the Global administrator role can read and modify every administrative setting in your Azure AD organization. By default, when a user signs up for a Microsoft cloud service, an Azure AD tenant is created and the user is made a member of the Global Administrators role. When you add a subscription to an existing tenant, you aren't assigned to the Global Administrator role. Only Global administrators and Privileged Role administrators can delegate administrator roles. To reduce the risk to your business, we recommend that you assign this role to the fewest possible people in your organization.
+Users who are assigned to the Global Administrator role can read and modify every administrative setting in your Azure AD organization. By default, when a user signs up for a Microsoft cloud service, an Azure AD tenant is created and the user is made a member of the Global Administrators role. When you add a subscription to an existing tenant, you aren't assigned to the Global Administrator role. Only Global Administrators and Privileged Role administrators can delegate administrator roles. To reduce the risk to your business, we recommend that you assign this role to the fewest possible people in your organization.
As a best practice, we recommend that you assign this role to fewer than five people in your organization. If you have more than five admins assigned to the Global Administrator role in your organization, here are some ways to reduce its use.
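Review bot: The capitalization fix is applied inconsistently within this hunk: the new text says "Global Administrator" but still has "Privileged Role administrators" in the same sentence ("Only Global Administrators and Privileged Role administrators can delegate administrator roles"), and "member of the Global Administrators role" uses a plural role name that does not exist. Suggest `Only Global Administrators and Privileged Role Administrators can delegate administrator roles` and `made a member of the Global Administrator role`, since the stated aim of the change is to standardize the role names.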
@@ -30,9 +30,9 @@ As a best practice, we recommend that you assign this role to fewer than five pe
If it's frustrating for you to find the role you need out of a list of many roles, Azure AD can show you subsets of the roles based on role categories. Check out our new **Type** filter for [Azure AD Roles and administrators](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RolesAndAdministrators) to show you only the roles in the selected type.
-### A role exists now that didn't exist when you assigned the Global administrator role
+### A role exists now that didn't exist when you assigned the Global Administrator role
-It's possible that a role or roles were added to Azure AD that provide more granular permissions that were not an option when you elevated some users to Global administrator. Over time, we are rolling out additional roles that accomplish tasks that only the Global administrator role could do before. You can see these reflected in the following [Available roles](#available-roles).
+It's possible that a role or roles were added to Azure AD that provide more granular permissions that were not an option when you elevated some users to Global Administrator. Over time, we are rolling out additional roles that accomplish tasks that only the Global Administrator role could do before. You can see these reflected in the following [Available roles](#available-roles).
## Assign or remove administrator roles
@@ -54,7 +54,7 @@ Users in this role can create and manage all aspects of enterprise applications,
This role also grants the ability to _consent_ to delegated permissions and application permissions, with the exception of application permissions on the Microsoft Graph API. > [!IMPORTANT]
-> This exception means that you can still consent to permissions for _other_ apps (for example, non-Microsoft apps or apps that you have registered), but not to permissions on Azure AD itself. You can still _request_ these permissions as part of the app registration, but _granting_ (that is, consenting to) these permissions requires an Azure AD admin. This means that a malicious user cannot easily elevate their permissions, for example by creating and consenting to an app that can write to the entire directory and through that app's permissions elevate themselves to become a global admin.
+> This exception means that you can still consent to permissions for _other_ apps (for example, non-Microsoft apps or apps that you have registered), but not to permissions on Azure AD itself. You can still _request_ these permissions as part of the app registration, but _granting_ (that is, consenting to) these permissions requires an Azure AD admin. This means that a malicious user cannot easily elevate their permissions, for example by creating and consenting to an app that can write to the entire directory and through that app's permissions elevate themselves to become a Global Administrator.
> >This role grants the ability to manage application credentials. Users assigned this role can add credentials to an application, and use those credentials to impersonate the applicationΓÇÖs identity. If the applicationΓÇÖs identity has been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applicationΓÇÖs identity may be an elevation of privilege over what the user can do via their role assignments. It is important to understand that assigning a user to the Application Administrator role gives them the ability to impersonate an applicationΓÇÖs identity.
@@ -161,7 +161,7 @@ Users with this role have the ability to manage Azure Active Directory Condition
### [Customer Lockbox access approver](#customer-lockbox-access-approver-permissions)
-Manages [Customer Lockbox requests](/office365/admin/manage/customer-lockbox-requests) in your organization. They receive email notifications for Customer Lockbox requests and can approve and deny requests from the Microsoft 365 admin center. They can also turn the Customer Lockbox feature on or off. Only global admins can reset the passwords of people assigned to this role.
+Manages [Customer Lockbox requests](/office365/admin/manage/customer-lockbox-requests) in your organization. They receive email notifications for Customer Lockbox requests and can approve and deny requests from the Microsoft 365 admin center. They can also turn the Customer Lockbox feature on or off. Only Global Administrators can reset the passwords of people assigned to this role.
### [Desktop Analytics Administrator](#desktop-analytics-administrator-permissions)
@@ -217,18 +217,13 @@ This administrator manages federation between Azure AD organizations and externa
* Azure AD organizations for employees and partners: The addition  of a federation (e.g. with Gmail) will immediately impact all guest invitations not yet redeemed. See [Adding Google as an identity provider for B2B guest users](../external-identities/google-federation.md). * Azure Active Directory B2C organizations: The addition of a federation (for example, with Facebook, or with another Azure AD organization) does not immediately impact end-user flows until the identity provider is added as an option in a user flow (also called a built-in policy). See [Configuring a Microsoft account as an identity provider](../../active-directory-b2c/identity-provider-microsoft-account.md) for an example. To change user flows, the limited role of "B2C User Flow Administrator" is required.
-### [Global Administrator / Company Administrator](#company-administrator-permissions)
+### [Global Administrator](#global-administrator-permissions)
-Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like Microsoft 365 security center, Microsoft 365 compliance center, Exchange Online, SharePoint Online, and Skype for Business Online. Furthermore, Global Admins can [elevate their access](../../role-based-access-control/elevate-access-global-admin.md) to manage all Azure subscriptions and management groups. This allows Global Admins to get full access to all Azure resources using the respective Azure AD Tenant. The person who signs up for the Azure AD organization becomes a global administrator. There can be more than one global administrator at your company. Global admins can reset the password for any user and all other administrators.
-
-> [!NOTE]
-> In the Microsoft Graph API and Azure AD PowerShell, this role is identified as "Company Administrator". It is "Global Administrator" in the [Azure portal](https://portal.azure.com).
->
->
+Users with this role have access to all administrative features in Azure Active Directory, as well as services that use Azure Active Directory identities like Microsoft 365 security center, Microsoft 365 compliance center, Exchange Online, SharePoint Online, and Skype for Business Online. Furthermore, Global Administrators can [elevate their access](../../role-based-access-control/elevate-access-global-admin.md) to manage all Azure subscriptions and management groups. This allows Global Administrators to get full access to all Azure resources using the respective Azure AD Tenant. The person who signs up for the Azure AD organization becomes a Global Administrator. There can be more than one Global Administrator at your company. Global Administrators can reset the password for any user and all other administrators.
### [Global Reader](#global-reader-permissions)
-Users in this role can read settings and administrative information across Microsoft 365 services but can't take management actions. Global reader is the read-only counterpart to Global administrator. Assign Global reader instead of Global administrator for planning, audits, or investigations. Use Global reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without the assigning the Global Administrator role. Global reader works with Microsoft 365 admin center, Exchange admin center, SharePoint admin center, Teams admin center, Security center, Compliance center, Azure AD admin center, and Device Management admin center.
+Users in this role can read settings and administrative information across Microsoft 365 services but can't take management actions. Global reader is the read-only counterpart to Global Administrator. Assign Global reader instead of Global Administrator for planning, audits, or investigations. Use Global reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without the assigning the Global Administrator role. Global reader works with Microsoft 365 admin center, Exchange admin center, SharePoint admin center, Teams admin center, Security center, Compliance center, Azure AD admin center, and Device Management admin center.
> [!NOTE] > Global reader role has a few limitations right now -
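Review bot: Deleting the NOTE that maps "Global Administrator" (portal) to "Company Administrator" (Microsoft Graph and Azure AD PowerShell) removes the one place in this reference that told operators why the API returns a different display name. Unless Graph and the AzureAD module have actually started returning "Global Administrator", keep a one-line mapping (e.g. `In Microsoft Graph and Azure AD PowerShell, this role may still be displayed as "Company Administrator".`) next to the renamed heading; the security-planning article in this same batch still equates the two names, so removing it here leaves the docs inconsistent. Two smaller points in the same hunk: the Global Reader paragraph still writes "Global reader" in lowercase while the rename capitalizes every other role, and "without the assigning the Global Administrator role" has a stray "the".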
@@ -316,13 +311,13 @@ Do not use. This role is automatically assigned from Commerce, and is not intend
The Modern Commerce User role gives certain users permission to access Microsoft 365 admin center and see the left navigation entries for **Home**, **Billing**, and **Support**. The content available in these areas is controlled by [commerce-specific roles](../../cost-management-billing/manage/understand-mca-roles.md) assigned to users to manage products that they bought for themselves or your organization. This might include tasks like paying bills, or for access to billing accounts and billing profiles.
-Users with the Modern Commerce User role typically have administrative permissions in other Microsoft purchasing systems, but do not have Global administrator or Billing administrator roles used to access the admin center.
+Users with the Modern Commerce User role typically have administrative permissions in other Microsoft purchasing systems, but do not have Global Administrator or Billing administrator roles used to access the admin center.
**When is the Modern Commerce User role assigned?** * **Self-service purchase in Microsoft 365 admin center** ΓÇô Self-service purchase gives users a chance to try out new products by buying or signing up for them on their own. These products are managed in the admin center. Users who make a self-service purchase are assigned a role in the commerce system, and the Modern Commerce User role so they can manage their purchases in admin center. Admins can block self-service purchases (for Power BI, Power Apps, Power automate) through [PowerShell](/microsoft-365/commerce/subscriptions/allowselfservicepurchase-powershell). For more information, see [Self-service purchase FAQ](/microsoft-365/commerce/subscriptions/self-service-purchase-faq).
-* **Purchases from Microsoft commercial marketplace** ΓÇô Similar to self-service purchase, when a user buys a product or service from Microsoft AppSource or Azure Marketplace, the Modern Commerce User role is assigned if they donΓÇÖt have the Global admin or Billing admin role. In some cases, users might be blocked from making these purchases. For more information, see [Microsoft commercial marketplace](../../marketplace/marketplace-faq-publisher-guide.md#what-could-block-a-customer-from-completing-a-purchase).
-* **Proposals from Microsoft** ΓÇô A proposal is a formal offer from Microsoft for your organization to buy Microsoft products and services. When the person who is accepting the proposal doesnΓÇÖt have a Global admin or Billing admin role in Azure AD, they are assigned both a commerce-specific role to complete the proposal and the Modern Commerce User role to access admin center. When they access the admin center they can only use features that are authorized by their commerce-specific role.
+* **Purchases from Microsoft commercial marketplace** ΓÇô Similar to self-service purchase, when a user buys a product or service from Microsoft AppSource or Azure Marketplace, the Modern Commerce User role is assigned if they donΓÇÖt have the Global Administrator or Billing admin role. In some cases, users might be blocked from making these purchases. For more information, see [Microsoft commercial marketplace](../../marketplace/marketplace-faq-publisher-guide.md#what-could-block-a-customer-from-completing-a-purchase).
+* **Proposals from Microsoft** ΓÇô A proposal is a formal offer from Microsoft for your organization to buy Microsoft products and services. When the person who is accepting the proposal doesnΓÇÖt have a Global Administrator or Billing admin role in Azure AD, they are assigned both a commerce-specific role to complete the proposal and the Modern Commerce User role to access admin center. When they access the admin center they can only use features that are authorized by their commerce-specific role.
* **Commerce-specific roles** ΓÇô Some users are assigned commerce-specific roles. If a user isn't a Global or Billing admin, they get the Modern Commerce User role so they can access the admin center. If the Modern Commerce User role is unassigned from a user, they lose access to Microsoft 365 admin center. If they were managing any products, either for themselves or for your organization, they wonΓÇÖt be able to manage them. This might include assigning licenses, changing payment methods, paying bills, or other tasks for managing subscriptions.
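Review bot: The two rewritten bullets now read "Global Administrator or Billing admin role", mixing the standardized name with the abbreviated one in a single phrase, and the following context bullet still says "Global or Billing admin". If the intent is the title-case role names, use `Global Administrator or Billing Administrator role` in all three places (the preceding paragraph already uses "Billing administrator"); otherwise leave the whole list in the short form rather than half-renaming it.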
@@ -371,7 +366,7 @@ Users with this role can register printers and manage printer status in the Micr
### [Privileged Authentication Administrator](#privileged-authentication-administrator-permissions)
-Users with this role can set or reset non-password credentials for all users, including global administrators, and can update passwords for all users. Privileged Authentication Administrators can force users to re-register against existing non-password credential (such as MFA or FIDO) and revoke 'remember MFA on the device', prompting for MFA on the next sign-in of all users. The [Authentication administrator](#authentication-administrator) role can force re-registration and MFA for only non-admins and users assigned to the following Azure AD roles:
+Users with this role can set or reset non-password credentials for all users, including Global Administrators, and can update passwords for all users. Privileged Authentication Administrators can force users to re-register against existing non-password credential (such as MFA or FIDO) and revoke 'remember MFA on the device', prompting for MFA on the next sign-in of all users. The [Authentication administrator](#authentication-administrator) role can force re-registration and MFA for only non-admins and users assigned to the following Azure AD roles:
* Authentication Administrator * Directory Readers
@@ -440,7 +435,7 @@ In | Can do
| [Microsoft 365 security center](https://protection.office.com) | View security-related policies across Microsoft 365 services<br>View security threats and alerts<br>View reports Identity Protection Center | Read all security reports and settings information for security features<br><ul><li>Anti-spam<li>Encryption<li>Data loss prevention<li>Anti-malware<li>Advanced threat protection<li>Anti-phishing<li>Mailflow rules
-[Privileged Identity Management](../privileged-identity-management/pim-configure.md) | Has read-only access to all information surfaced in Azure AD Privileged Identity Management: Policies and reports for Azure AD role assignments and security reviews.<br>**Cannot** sign up for Azure AD Privileged Identity Management or make any changes to it. In the Privileged Identity Management portal or via PowerShell, someone in this role can activate additional roles (for example, Global Admin or Privileged Role Administrator), if the user is eligible for them.
+[Privileged Identity Management](../privileged-identity-management/pim-configure.md) | Has read-only access to all information surfaced in Azure AD Privileged Identity Management: Policies and reports for Azure AD role assignments and security reviews.<br>**Cannot** sign up for Azure AD Privileged Identity Management or make any changes to it. In the Privileged Identity Management portal or via PowerShell, someone in this role can activate additional roles (for example, Global Administrator or Privileged Role Administrator), if the user is eligible for them.
[Office 365 Security & Compliance Center](https://support.office.com/article/About-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d) | View security policies<br>View and investigate security threats<br>View reports Windows Defender ATP and EDR | View and investigate alerts. When you turn on role-based access control in Windows Defender ATP, users with read-only permissions such as the Azure AD Security reader role lose access until they are assigned to a Windows Defender ATP role. [Intune](/intune/role-based-access-control) | Views user, device, enrollment, configuration, and application information. Cannot make changes to Intune.
@@ -742,9 +737,9 @@ Full access to manage devices in Azure AD.
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health. | | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Microsoft 365 Service Health. |
-### Company Administrator permissions
+### Global Administrator permissions
-Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. This role is also known as the Global Administrator role.
+Can manage all aspects of Azure AD and Microsoft services that use Azure AD identities.
> [!NOTE] > This role has additional permissions outside of Azure Active Directory. For more information, see role description above.
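Review bot: Renaming this heading changes the generated anchor from `#company-administrator-permissions` to `#global-administrator-permissions`. The role description earlier in this file is updated to the new anchor, but nothing in this diff covers other articles that link to the old one; without a grep across the docs set (or an anchor alias), those links silently land at the top of the page. The dropped sentence "This role is also known as the Global Administrator role." is fine to remove only if the Company Administrator name is mentioned somewhere else in the file, which the same batch is deleting.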
@@ -1744,11 +1739,13 @@ Creates and manages security events.
| microsoft.directory/cloudAppSecurity/allProperties/allTasks | Read and configure Microsoft Cloud App Security. | | microsoft.directory/identityProtection/allProperties/read | Read all resources in microsoft.aad.identityProtection. | | microsoft.directory/privilegedIdentityManagement/allProperties/read | Read all resources in microsoft.aad.privilegedIdentityManagement. |
+| microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs. |
| microsoft.intune/allEntities/allTasks | Manage all aspects of Intune. | | microsoft.office365.securityComplianceCenter/allEntities/allTasks | Read and configure Security & Compliance Center. | | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Office 365 support tickets. | | microsoft.windows.defenderAdvancedThreatProtection/allEntities/read | Read and configure Windows Defender Advanced Threat Protection. | + ### Security Reader permissions Can read security information and reports in Azure AD and Microsoft 365.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/security-planning.md
@@ -36,7 +36,7 @@ Securing privileged access requires changes to:
Secure your privileged access in a way that is managed and reported in the Microsoft services you care about. If you have on-premises admin accounts, see the guidance for on-premises and hybrid privileged access in Active Directory at [Securing Privileged Access](/windows-server/identity/securing-privileged-access/securing-privileged-access). > [!NOTE]
-> The guidance in this article refers primarily to features of Azure Active Directory that are included in Azure Active Directory Premium plans P1 and P2. Azure Active Directory Premium P2 is included in the EMS E5 suite and Microsoft 365 E5 suite. This guidance assumes your organization already has Azure AD Premium P2 licenses purchased for your users. If you do not have these licenses, some of the guidance might not apply to your organization. Also, throughout this article, the term global administrator (or global admin) means the same thing as "company administrator" or "tenant administrator."
+> The guidance in this article refers primarily to features of Azure Active Directory that are included in Azure Active Directory Premium plans P1 and P2. Azure Active Directory Premium P2 is included in the EMS E5 suite and Microsoft 365 E5 suite. This guidance assumes your organization already has Azure AD Premium P2 licenses purchased for your users. If you do not have these licenses, some of the guidance might not apply to your organization. Also, throughout this article, the term Global Administrator means the same thing as "company administrator" or "tenant administrator."
## Develop a roadmap
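Review bot: The rewritten note still states that Global Administrator "means the same thing as 'company administrator' or 'tenant administrator'", while permissions-reference in this same batch removes its note that Graph and PowerShell call the role "Company Administrator". Either both articles keep the mapping or both drop it; a reader who follows the PowerShell steps later in this article needs to know which display name to expect.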
@@ -70,7 +70,7 @@ Azure AD Privileged Identity Management is included in Azure AD Premium P2 or EM
After you turn on Azure AD Privileged Identity Management:
-1. Sign in to the [Azure portal](https://portal.azure.com/) with an account that is a global admin of your Azure AD production organization.
+1. Sign in to the [Azure portal](https://portal.azure.com/) with an account that is a Global Administrator of your Azure AD production organization.
2. To select the Azure AD organization where you want to use Privileged Identity Management, select your user name in the upper right-hand corner of the Azure portal.
@@ -89,7 +89,7 @@ After turning on Azure AD Privileged Identity Management, view the users who are
* Exchange administrator * SharePoint administrator
-If you don't have Azure AD Privileged Identity Management in your organization, you can use the [PowerShell API](/powershell/module/azuread/get-azureaddirectoryrolemember). Start with the global admin role because a global admin has the same permissions across all cloud services for which your organization has subscribed. These permissions are granted no matter where they were assigned: in the Microsoft 365 admin center, the Azure portal, or by the Azure AD module for Microsoft PowerShell.
+If you don't have Azure AD Privileged Identity Management in your organization, you can use the [PowerShell API](/powershell/module/azuread/get-azureaddirectoryrolemember). Start with the Global Administrator role because a Global Administrator has the same permissions across all cloud services for which your organization has subscribed. These permissions are granted no matter where they were assigned: in the Microsoft 365 admin center, the Azure portal, or by the Azure AD module for Microsoft PowerShell.
Remove any accounts that are no longer needed in those roles. Then, categorize the remaining accounts that are assigned to admin roles:
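Review bot: The hunk tells the reader to use Get-AzureADDirectoryRoleMember and "start with the Global Administrator role", but that cmdlet takes a role ObjectId, and the role's DisplayName as returned by Get-AzureADDirectoryRole may still be "Company Administrator" (the name this batch is removing from permissions-reference). Add a sentence saying which display name to filter on, or show the lookup step (Get-AzureADDirectoryRole filtered by display name, then Get-AzureADDirectoryRoleMember with its ObjectId), otherwise someone searching the cmdlet output for "Global Administrator" finds nothing.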
@@ -106,7 +106,7 @@ It's possible for a user to be accidentally locked out of their role. For exampl
Emergency access accounts help restrict privileged access within an Azure AD organization. These accounts are highly privileged and aren't assigned to specific individuals. Emergency access accounts are limited to emergency for "break glass" scenarios where normal administrative accounts can't be used. Ensure that you control and reduce the emergency account's usage to only that time for which it's necessary.
-Evaluate the accounts that are assigned or eligible for the global admin role. If you don't see any cloud-only accounts using the \*.onmicrosoft.com domain (for "break glass" emergency access), create them. For more information, see [Managing emergency access administrative accounts in Azure AD](security-emergency-access.md).
+Evaluate the accounts that are assigned or eligible for the Global Administrator role. If you don't see any cloud-only accounts using the \*.onmicrosoft.com domain (for "break glass" emergency access), create them. For more information, see [Managing emergency access administrative accounts in Azure AD](security-emergency-access.md).
#### Turn on multi-factor authentication and register all other highly privileged single-user non-federated admin accounts
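Review bot: the context line "Emergency access accounts are limited to emergency for 'break glass' scenarios" is still a fragment after this rename-only change; suggest "are reserved for emergency ('break glass') scenarios". On the changed line, "assigned or eligible for the Global Administrator role" treats both alike, but for a break-glass account only a permanent assignment is useful, because an eligible assignment still has to be activated through the PIM and MFA machinery the account exists to bypass; say that the cloud-only *.onmicrosoft.com accounts must be permanently assigned.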
@@ -137,14 +137,14 @@ The increase in "bring your own device" and work from home policies and the grow
#### Identify Microsoft accounts in administrative roles that need to be switched to work or school accounts
-If your initial global administrators reuse their existing Microsoft account credentials when they began using Azure AD, replace the Microsoft accounts with individual cloud-based or synchronized accounts.
+If your initial Global Administrators reuse their existing Microsoft account credentials when they began using Azure AD, replace the Microsoft accounts with individual cloud-based or synchronized accounts.
-#### Ensure separate user accounts and mail forwarding for global administrator accounts
+#### Ensure separate user accounts and mail forwarding for Global Administrator accounts
-Personal email accounts are regularly phished by cyber attackers, a risk that makes personal email addresses unacceptable for global administrator accounts. To help separate internet risks from administrative privileges, create dedicated accounts for each user with administrative privileges.
+Personal email accounts are regularly phished by cyber attackers, a risk that makes personal email addresses unacceptable for Global Administrator accounts. To help separate internet risks from administrative privileges, create dedicated accounts for each user with administrative privileges.
-* Be sure to create separate accounts for users to do global admin tasks.
-* Make sure that your global admins don't accidentally open emails or run programs with their admin accounts.
+* Be sure to create separate accounts for users to do Global Administrator tasks.
+* Make sure that your Global Administrators don't accidentally open emails or run programs with their admin accounts.
* Be sure those accounts have their email forwarded to a working mailbox. * Global Administrator (and other privileged groups) accounts should be cloud-only accounts with no ties to on-premises Active Directory.
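Review bot: tense mismatch on the changed line "If your initial Global Administrators reuse their existing Microsoft account credentials when they began using Azure AD"; "reuse" should be "reused". In the bullet list, "don't accidentally open emails or run programs with their admin accounts" and "Be sure those accounts have their email forwarded to a working mailbox" are two halves of one control and should be joined: forward the admin account's mail to the user's ordinary mailbox precisely so the privileged account is never used to read email. As written they read as unrelated requirements.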
@@ -226,7 +226,7 @@ Stage 3 builds on the mitigations from Stage 2 and should be implemented in appr
#### Complete an access review of users in administrator roles
-More corporate users are gaining privileged access through cloud services, which can lead to un-managed access. Users today can become global admins for Microsoft 365, Azure subscription administrators, or have admin access to VMs or via SaaS apps.
+More corporate users are gaining privileged access through cloud services, which can lead to un-managed access. Users today can become Global Administrators for Microsoft 365, Azure subscription administrators, or have admin access to VMs or via SaaS apps.
Your organization should have all employees handle ordinary business transactions as unprivileged users, and then grant admin rights only as needed. Complete access reviews to identify and confirm the users who are eligible to activate admin privileges.
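Review bot: "un-managed" on the changed line should be "unmanaged". The sentence names three different kinds of privilege (Microsoft 365 Global Administrators, Azure subscription administrators, admin access to VMs or SaaS apps), but the access review the next paragraph calls for covers only "users who are eligible to activate admin privileges", i.e. directory roles; either say the review should also take in subscription RBAC and SaaS-app admins or scope the first sentence to directory roles so the two paragraphs agree.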
@@ -427,7 +427,7 @@ For more information about how Microsoft Office 365 handles security incidents,
**Q:** What do I do if I haven't implemented any secure access components yet?
-**Answer:** Define at least two break-glass account, assign MFA to your privileged admin accounts, and separate user accounts from Global admin accounts.
+**Answer:** Define at least two break-glass account, assign MFA to your privileged admin accounts, and separate user accounts from Global Administrator accounts.
**Q:** After a breach, what is the top issue that needs to be addressed first?
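Review bot: "Define at least two break-glass account" on the changed line is still singular after the edit; should be "accounts". "assign MFA to your privileged admin accounts" also reads oddly, since MFA is required of an account rather than assigned to it; suggest "require MFA for your privileged admin accounts".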
@@ -435,9 +435,9 @@ For more information about how Microsoft Office 365 handles security incidents,
**Q:** What happens if our privileged admins have been deactivated?
-**Answer:** Create a Global admin account that is always kept up to date.
+**Answer:** Create a Global Administrator account that is always kept up to date.
-**Q:** What happens if there's only one global administrator left and they can't be reached?
+**Q:** What happens if there's only one Global Administrator left and they can't be reached?
**Answer:** Use one of your break-glass accounts to gain immediate privileged access.
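Review bot: the answer "Create a Global Administrator account that is always kept up to date" on the changed line is too vague to act on and overlaps with the break-glass answer two lines below; "kept up to date" is undefined for an account. Suggest answering with the emergency access accounts the article already describes (cloud-only, permanently assigned, not tied to an individual) instead of introducing a second, unspecified mechanism.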
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atea-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/atea-provisioning-tutorial.md /dev/null
@@ -0,0 +1,148 @@
+
+ Title: 'Tutorial: Configure Atea for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Atea.
+
+documentationcenter: ''
+
+writer: Zhchia
++
+ms.assetid: b788328b-10fd-4eaa-a4bc-909d738d8b8b
+++
+ na
+ms.devlang: na
+ Last updated : 01/25/2021+++
+# Tutorial: Configure Atea for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both Atea and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Atea](https://www.atea.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
++
+## Capabilities supported
+> [!div class="checklist"]
+> * Create users in Atea
+> * Remove users in Atea when they do not require access anymore
+> * Keep user attributes synchronized between Azure AD and Atea
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
+* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A user account in Atea with Admin permissions.
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
+2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+3. Determine what data to [map between Azure AD and Atea](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+
+## Step 2. Configure Atea to support provisioning with Azure AD
+
+To configure Atea to support provisioning with Azure AD, email servicedesk@atea.dk.
+
+## Step 3. Add Atea from the Azure AD application gallery
+
+Add Atea from the Azure AD application gallery to start managing provisioning to Atea. If you have previously setup Atea for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+
+## Step 4. Define who will be in scope for provisioning
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+
+* When assigning users and groups to Atea, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
++
+## Step 5. Configure automatic user provisioning to Atea
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for Atea in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+2. In the applications list, select **Atea**.
+
+ ![The Atea link in the Applications list](common/all-applications.png)
+
+3. Select the **Provisioning** tab.
+
+ ![Provisioning tab](common/provisioning.png)
+
+4. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Provisioning tab automatic](common/provisioning-automatic.png)
+
+5. In the **Admin Credentials** section, select **Authorize**. It opens an Atea login dialog box in a new browser window.
+
+ ![Atea authorize](media/atea-provisioning-tutorial/provisioning-authorize.png)
+
+6. On the Atea's login dialog, sign in to your Atea's tenant and verify your identity.
+
+ ![Atea login dialog](media/atea-provisioning-tutorial/atea-login.png)
+
+7. Upon completing steps 5 and 6, click **Test Connection** to ensure Azure AD can connect to Atea. If the connection fails, ensure your Atea has Admin permissions and try again.
+
+ ![Atea test connection](media/atea-provisioning-tutorial/test-connection.png)
+
+8. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+9. Select **Save**.
+
+10. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Atea**.
+
+11. Review the user attributes that are synchronized from Azure AD to Atea in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Atea for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Atea API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported for filtering|
+ ||||
+ |userName|String|&check;|
+ |active|Boolean|
+ |emails[type eq "work"].value|String|
+ |name.givenName|String|
+ |name.familyName|String|
+ |name.formatted|String|
+ |phoneNumbers[type eq "mobile"].value|String|
+ |locale|String|
+ |nickName|String|
+
+12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+
+13. To enable the Azure AD provisioning service for Atea, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+14. Define the users and/or groups that you would like to provision to Atea by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+15. When you are ready to provision, click **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+
+## Additional resources
+
+* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
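Review bot: copy-paste error in Step 5: "create, update, and disable users and/or groups in TestApp" should read "in Atea". Three smaller points in the same file: step 7 says "ensure your Atea has Admin permissions", which should be "your Atea account"; the capabilities list says "Remove users in Atea" while Step 5 and the `active` Boolean in the attribute table indicate the service disables users rather than deleting them, so pick one wording; and Step 2 ("email servicedesk@atea.dk") gives the reader nothing to ask for. Since the mapping uses SCIM attribute names and the Admin Credentials step is an OAuth Authorize flow rather than a tenant URL and secret token, say that the service desk enables SCIM provisioning for the tenant and what, if anything, the reader should expect back before continuing.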
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/bridge-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bridge-tutorial.md
@@ -102,7 +102,7 @@ To configure Azure AD single sign-on with Bridge, perform the following steps:
`https://<company name>.bridgeapp.com` > [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Bridge Client support team](https://community.bridgeapp.com/community/help) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Bridge Client support team](https://community.bridgeapp.com/hc/en-us/community/topics) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Raw)** from the given options as per your requirement and save it on your computer.
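Review bot: the link text is inconsistent across this file; here it reads "Bridge Client support team" while the two hunks below say "Bridge support team", although all three now point at the same https://community.bridgeapp.com/hc/en-us/community/topics URL. Use one name, and since the new target is a generic community topics page rather than a help page, confirm it is where Bridge actually wants SSO requests sent.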
@@ -120,7 +120,7 @@ To configure Azure AD single sign-on with Bridge, perform the following steps:
### Configure Bridge Single Sign-On
-To configure single sign-on on **Bridge** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Bridge support team](https://community.bridgeapp.com/community/help). They set this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on **Bridge** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Bridge support team](https://community.bridgeapp.com/hc/en-us/community/topics). They set this setting to have the SAML SSO connection set properly on both sides.
### Create an Azure AD test user
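Review bot: "They set this setting to have the SAML SSO connection set properly on both sides" on the changed line is awkward; suggest "The Bridge support team applies these values so the SAML trust is configured on both sides". "appropriate copied URLs" should also name the specific values the reader copied in the previous steps rather than leaving them to guess which URLs to send.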
@@ -175,7 +175,7 @@ In this section, you enable Britta Simon to use Azure single sign-on by granting
### Create Bridge test user
-In this section, you create a user called Britta Simon in Bridge. Work with [Bridge support team](https://community.bridgeapp.com/community/help) to add the users in the Bridge platform. Users must be created and activated before you use single sign-on.
+In this section, you create a user called Britta Simon in Bridge. Work with [Bridge support team](https://community.bridgeapp.com/hc/en-us/community/topics) to add the users in the Bridge platform. Users must be created and activated before you use single sign-on.
### Test single sign-on
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/canvas-lms-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/canvas-lms-tutorial.md
@@ -9,27 +9,23 @@
Previously updated : 01/02/2018 Last updated : 01/20/2021 # Tutorial: Azure Active Directory integration with Canvas
-In this tutorial, you learn how to integrate Canvas with Azure Active Directory (Azure AD).
-Integrating Canvas with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Canvas with Azure Active Directory (Azure AD). When you integrate Canvas with Azure AD, you can:
-* You can control in Azure AD who has access to Canvas.
-* You can enable your users to be automatically signed-in to Canvas (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Canvas.
+* Enable your users to be automatically signed-in to Canvas with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Canvas, you need the following items:
-
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Canvas single sign-on enabled subscription
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Canvas single sign-on (SSO)-enabled subscription.
## Scenario description
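Review bot: "automatically signed-in" on the changed bullet should be "signed in" (no hyphen when used as a verb). This hunk also removes the sentence linking to "What is application access and single sign-on with Azure Active Directory", and the last hunk in this file removes the same link again from the Additional Resources section, so after this commit the page has no conceptual link at all; if that is intended, fine, otherwise keep one of the two.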
@@ -37,59 +33,39 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* Canvas supports **SP** initiated SSO
-## Adding Canvas from the gallery
+## Add Canvas from the gallery
To configure the integration of Canvas into Azure AD, you need to add Canvas from the gallery to your list of managed SaaS apps.
-**To add Canvas from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Canvas**, select **Canvas** from result panel then click **Add** button to add the application.
-
- ![Canvas in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Canvas based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Canvas needs to be established.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Canvas** in the search box.
+1. Select **Canvas** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-To configure and test Azure AD single sign-on with Canvas, you need to complete the following building blocks:
+## Configure and test Azure AD SSO for Canvas
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Canvas Single Sign-On](#configure-canvas-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Canvas test user](#create-canvas-test-user)** - to have a counterpart of Britta Simon in Canvas that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+Configure and test Azure AD SSO with Canvas using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Canvas.
-### Configure Azure AD single sign-on
+To configure and test Azure AD SSO with Canvas, perform the following steps:
-In this section, you enable Azure AD single sign-on in the Azure portal.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Canvas SSO](#configure-canvas-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Canvas test user](#create-canvas-test-user)** - to have a counterpart of B.Simon in Canvas that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-To configure Azure AD single sign-on with Canvas, perform the following steps:
+### Configure Azure AD SSO
-1. In the [Azure portal](https://portal.azure.com/), on the **Canvas** application integration page, select **Single sign-on**.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Configure single sign-on link](common/select-sso.png)
+1. In the Azure portal, on the **Canvas** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
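Review bot: list numbering in the rewritten "Configure Azure AD SSO" steps mixes styles: the three new items use "1." throughout while the surviving context item below still reads "4. On the **Basic SAML Configuration** section". Markdown renders it as item 4 either way, but the source should use one convention, and the same applies to the "Add Canvas from the gallery" list above, where "Select **Canvas** from results panel" should also read "from the results panel".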
@@ -116,13 +92,31 @@ To configure Azure AD single sign-on with Canvas, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- b. Azure Ad Identifier
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Canvas.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Canvas**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Canvas Single Sign-On
+### Configure Canvas SSO
1. In a different web browser window, log in to your Canvas company site as an administrator.
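Review bot: the new Assign step, "If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see 'Default Access' role selected", drops the rationale the deleted version carried ("If you are expecting any role value in the SAML assertion"); keep it, since Default Access is what most readers will see and they need to know it does not block SSO. Minor: the placeholder "username@companydomain.extension" in the test-user step should be formatted like the other literals on the page, as `B.Simon@contoso.com` already is.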
@@ -136,7 +130,7 @@ To configure Azure AD single sign-on with Canvas, perform the following steps:
4. On the Current Integration page, perform the following steps:
- ![Current Integration](./media/canvas-lms-tutorial/ic775992.png "Current Integration")
+ ![Current Integration](./media/canvas-lms-tutorial/save.png "Current Integration")
a. In **IdP Entity ID** textbox, paste the value of **Azure Ad Identifier** which you have copied from Azure portal.
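Review bot: only the screenshot file name changes here, but the surviving line "paste the value of **Azure Ad Identifier** which you have copied from Azure portal" now points at nothing: the hunk above deletes the "a. Login URL", "b. Azure Ad Identifier", "c. Logout URL" list that followed the "Copy configuration URLs" screenshot. Either restore a sentence naming the values to copy or reword this step to say where the value comes from. Also "Azure Ad Identifier" should be "Azure AD Identifier" in both places.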
@@ -154,57 +148,6 @@ To configure Azure AD single sign-on with Canvas, perform the following steps:
h. Click **Save Authentication Settings**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Canvas.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Canvas**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Canvas**.
-
- ![The Canvas link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Canvas test user To enable Azure AD users to log in to Canvas, they must be provisioned into Canvas. In the case of Canvas, user provisioning is a manual task.
@@ -242,16 +185,16 @@ To enable Azure AD users to log in to Canvas, they must be provisioned into Canv
> [!NOTE] > You can use any other Canvas user account creation tools or APIs provided by Canvas to provision Azure AD user accounts.
-### Test single sign-on
+### Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Canvas tile in the Access Panel, you should be automatically signed in to the Canvas for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Canvas Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Canvas Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Canvas tile in the My Apps, you should be automatically signed in to the Canvas for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
+Once you configure Canvas you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
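Review bot: the new Next steps sentence "which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data" has two problems: "protects" should be "protects against", and the apostrophe in "organization's" is a curly quote that renders as "ΓÇÖ" in the diff, so use a plain ASCII apostrophe. The My Apps link on the changed line is an absolute docs.microsoft.com URL to "active-directory-saas-access-panel-introduction" while the rest of the file uses relative links; make it relative. This hunk also drops the Additional Resources section, including the Conditional Access overview link, while the new paragraph says "Session control extends from Conditional Access"; keep a link to that overview.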
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/halogen-software-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/halogen-software-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 02/20/2020 Last updated : 01/22/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate Saba TalentSpace with Azure Acti
* Enable your users to be automatically signed-in to Saba TalentSpace with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -35,24 +33,23 @@ To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment. * Saba TalentSpace supports **SP** initiated SSO
-* Once you configure Saba TalentSpace you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
-## Adding Saba TalentSpace from the gallery
+## Add Saba TalentSpace from the gallery
To configure the integration of Saba TalentSpace into Azure AD, you need to add Saba TalentSpace from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Saba TalentSpace** in the search box. 1. Select **Saba TalentSpace** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Saba TalentSpace
+## Configure and test Azure AD SSO for Saba TalentSpace
Configure and test Azure AD SSO with Saba TalentSpace using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Saba TalentSpace.
-To configure and test Azure AD SSO with Saba TalentSpace, complete the following building blocks:
+To configure and test Azure AD SSO with Saba TalentSpace, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
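Review bot: renaming the two headings in this hunk (`## Adding Saba TalentSpace from the gallery` to `## Add Saba TalentSpace from the gallery`, and `## Configure and test Azure AD single sign-on for Saba TalentSpace` to `## Configure and test Azure AD SSO for Saba TalentSpace`) changes their generated anchors, so any inbound link to `#adding-saba-talentspace-from-the-gallery` or `#configure-and-test-azure-ad-single-sign-on-for-saba-talentspace` will now land at the top of the page; search the repo for those anchors before merging. The session control bullet dropped from the Scenario description is re-added under Next steps in a later hunk of this file, so no guidance is lost by the move.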
@@ -65,21 +62,21 @@ To configure and test Azure AD SSO with Saba TalentSpace, complete the following
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Saba TalentSpace** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Saba TalentSpace** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, perform the following steps:
- a. In the **Sign on URL** text box, type a URL using the following pattern:
+ a. In the **Sign on URL** text box, type the URL using the following pattern:
`https://global.hgncloud.com/[companyname]/saml/login`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ b. In the **Identifier (Entity ID)** text box, type the URL using the following pattern:
`https://global.hgncloud.com/[companyname]/saml/metadata`
- c. In the **Reply URL (Assertion Consumer Service URL)** text box, type a URL using the following pattern:
+ c. In the **Reply URL (Assertion Consumer Service URL)** text box, type the URL using the following pattern:
`https://global.hgncloud.com/[companyname]/saml/SSO` > [!NOTE]
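Review bot: the change from `type a URL using the following pattern` to `type the URL using the following pattern` reads oddly for a value that still carries the `[companyname]` placeholder; either keep `a URL` or add `replacing [companyname] with your tenant name`. The square-bracket placeholder also differs from the `<CLIENT_KEY>` angle-bracket style used in the NAVEX One hunk on this page; the gallery tutorials should settle on one style so readers can tell a placeholder from a literal path segment. Keeping the Identifier tenant-scoped (`https://global.hgncloud.com/[companyname]/saml/metadata`) is the right call: it lets several tenants coexist in one directory and ties the assertion audience to the specific tenant.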
@@ -112,15 +109,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Saba TalentSpace**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Saba TalentSpace SSO
@@ -182,18 +173,14 @@ The objective of this section is to create a user called Britta Simon in Saba Ta
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Saba TalentSpace tile in the Access Panel, you should be automatically signed in to the Saba TalentSpace for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal. This will redirect to Saba TalentSpace Sign-on URL where you can initiate the login flow.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Go to Saba TalentSpace Sign-on URL directly and initiate the login flow from there.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the Saba TalentSpace tile in the My Apps, you should be automatically signed in to the Saba TalentSpace for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [Try Saba TalentSpace with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)\ No newline at end of file
+ Once you configure Saba TalentSpace you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
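Review bot: the new Next steps paragraph (`+ Once you configure Saba TalentSpace ...`) starts with a leading space, unlike the same paragraph in the Canvas and NAVEX One hunks on this page; strip it so the paragraph renders normally. The new links are absolute `https://docs.microsoft.com/...` URLs where the removed lines used relative paths (`../user-help/my-apps-portal-end-user-access.md`, `/cloud-app-security/proxy-intro-aad`); prefer the relative form so the docs build validates them. As in the Canvas hunk, confirm that `organizationΓÇÖs` is a UTF-8 apostrophe in the committed file.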
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/navex-one-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/navex-one-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 01/13/2021 Last updated : 01/28/2021
@@ -72,11 +72,32 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<CLIENT_KEY>.navexglobal.com`
+ a. In the **Sign-on URL** text box, type a URL using one of the following patterns:
+
+ | Sign-on URL |
+ |--|
+ | `https://<CLIENT_KEY>.navexglobal.com` |
+ | `https://<CLIENT_KEY>.navexglobal.eu` |
+ |
+
+ b. In the **Identifier** text box, type one of the following URLs:
+
+ | Identifier |
+ |--|
+ | `https://doorman.navexglobal.com/Shibboleth` |
+ | `https://doorman.navexglobal.eu/Shibboleth` |
+ |
+
+ c. In the **Reply URL** text box, type one of the following URLs:
+
+ | Reply URL |
+ |--|
+ | `https://doorman.navexglobal.com/Shibboleth.sso/SAML2/POST` |
+ | `https://doorman.navexglobal.eu/Shibboleth.sso/SAML2/POST` |
+ |
> [!NOTE]
- > The value is not real. Update the value with the actual Sign-On URL. Contact [NAVEX One Client support team](mailto:ethicspoint@navexglobal.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > The Sign-on URL value is not real. Update the value with the actual Sign-on URL. Contact [NAVEX One Client support team](mailto:ethicspoint@navexglobal.com) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
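Review bot: each of the three new tables ends with a stray `|` line after the `.eu` row, which Markdown renders as an empty extra row; delete those three lines. The tables offer `.com` and `.eu` variants but nothing tells the reader to pick the same region for all three values: a Shibboleth SP checks the assertion's AudienceRestriction against its own entityID, so an `.eu` Identifier paired with the `.com` Reply URL (`https://doorman.navexglobal.com/Shibboleth.sso/SAML2/POST`) will fail at login with an audience mismatch rather than an obvious configuration error. Add one sentence stating that Sign-on URL, Identifier and Reply URL must all come from the region where the NAVEX One tenant is hosted. Since the Identifier is now a fixed string per region, also state whether more than one instance can be configured in a tenant; the Samsung Knox and Sugar CRM tutorials in this batch carry a note for exactly that case.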
@@ -125,4 +146,4 @@ In this section, you test your Azure AD single sign-on configuration with follow
## Next steps
-Once you configure NAVEX One you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure NAVEX One you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/preciate-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/preciate-provisioning-tutorial.md /dev/null
@@ -0,0 +1,152 @@
+
+ Title: 'Tutorial: Configure Preciate for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Preciate.
+
+documentationcenter: ''
+
+writer: Zhchia
++
+ms.assetid: fa640971-87e7-49f2-933b-bc7c95fe51e2
+++
+ na
+ms.devlang: na
+ Last updated : 12/09/2020+++
+# Tutorial: Configure Preciate for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both Preciate and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Preciate](https://www.preciate.org/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
++
+## Capabilities supported
+> [!div class="checklist"]
+> * Create users in Preciate
+> * Remove users in Preciate when they do not require access anymore
+> * Keep user attributes synchronized between Azure AD and Preciate
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
+* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* A user account in Preciate with Admin permissions.
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
+2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+3. Determine what data to [map between Azure AD and Preciate](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+
+## Step 2. Configure Preciate to support provisioning with Azure AD
+
+1. Log in to [Preciate Admin Portal](https://preciate.com/web/admin/keys) and navigate to the **Integrations** page.
+
+ ![Preciate secret](media/preciate-provisioning-tutorial/preciate-secret-path.png)
+
+2. Select the **Generate** button where it says Active Directory Integration Secret Key.
+
+ ![Preciate generate](media/preciate-provisioning-tutorial/preciate-secret-generate.png)
+
+3. A new **Secret Key** will appear. Copy and save the **Secret Key**. Also make a note that Tenant URL is `https://preciate.com/api/v1/scim`. These values will be entered in the **Secret Token** and **Tenant URL** field in the Provisioning tab of your Preciate's application in the Azure portal.
+
+> [!NOTE]
+>Every time you click the Generate button a new secret key is created. This will immediately invalidate the current one. If an integration is already actively using the current key, generating the new one will cause the integration to stop functioning until the Secret Token is updated in Preciate's application in the Azure porta.
++
+## Step 3. Add Preciate from the Azure AD application gallery
+
+Add Preciate from the Azure AD application gallery to start managing provisioning to Preciate. If you have previously setup Preciate for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the [gallery](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+
+## Step 4. Define who will be in scope for provisioning
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+
+* When assigning users and groups to Preciate, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
++
+## Step 5. Configure automatic user provisioning to Preciate
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for Preciate in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+ ![Enterprise applications blade](common/enterprise-applications.png)
+
+2. In the applications list, select **Preciate**.
+
+ ![The Preciate link in the Applications list](common/all-applications.png)
+
+3. Select the **Provisioning** tab.
+
+ ![Provisioning tab](common/provisioning.png)
+
+4. Set the **Provisioning Mode** to **Automatic**.
+
+ ![Provisioning tab automatic](common/provisioning-automatic.png)
+
+5. Under the **Admin Credentials** section, input your Preciate Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Preciate. If the connection fails, ensure your Preciate account has Admin permissions and try again.
+
+ ![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+ ![Notification Email](common/provisioning-notification-email.png)
+
+7. Select **Save**.
+
+8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Preciate**.
+
+9. Review the user attributes that are synchronized from Azure AD to Preciate in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Preciate for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Preciate API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+ |Attribute|Type|Supported for filtering|
+ ||||
+ |userName|String|&check;|
+ |active|Boolean|
+ |displayName|String|
+ |title|String|
+ |name.givenName|String|
+ |name.familyName|String|
+ |name.formatted|String|
+ |externalId|String|
+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String|
+
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+
+11. To enable the Azure AD provisioning service for Preciate, change the **Provisioning Status** to **On** in the **Settings** section.
+
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+12. Define the users and/or groups that you would like to provision to Preciate by choosing the desired values in **Scope** in the **Settings** section.
+
+ ![Provisioning Scope](common/provisioning-scope.png)
+
+13. When you are ready to provision, click **Save**.
+
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+
+## Additional resources
+
+* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
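Review bot: the opening sentence of Step 5 still says `disable users and/or groups in TestApp`, which is template text and should read Preciate, and the Step 2 note has `Azure porta`. The introduction and Step 1 promise that Azure AD `provisions and de-provisions users and groups`, but Capabilities supported lists users only and the Mappings section offers just `Synchronize Azure Active Directory Users to Preciate`; drop the group claim or add the group mapping. In step 5 under `To configure automatic user provisioning for Preciate in Azure AD`, the connection is authenticated by the Secret Key, not by a user account, so the failure advice `ensure your Preciate account has Admin permissions` cannot fix a failed Test Connection; tell the reader to verify the Tenant URL `https://preciate.com/api/v1/scim` and re-paste or re-generate the Secret Key, remembering from the Step 2 note that generating a new key invalidates the old one immediately. In step 9, the table marks only `userName` as supported for filtering, so the sentence about changing the matching target attribute should say plainly that userName is currently the only attribute Preciate can match on.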
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/samsung-knox-and-business-services-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/samsung-knox-and-business-services-tutorial.md /dev/null
@@ -0,0 +1,145 @@
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Samsung Knox and Business Services | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Samsung Knox and Business Services.
++++++++ Last updated : 01/27/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Samsung Knox and Business Services
+
+In this tutorial, you'll learn how to integrate Samsung Knox and Business Services with Azure Active Directory (Azure AD). When you integrate Samsung Knox and Business Services with Azure AD, you can:
+
+* Control in Azure AD who has access to Samsung Knox and Business Services.
+* Enable your users to be automatically signed-in to Samsung Knox and Business Services with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Samsung Knox and Business Services single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Samsung Knox and Business Services supports **SP** initiated SSO
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Adding Samsung Knox and Business Services from the gallery
+
+To configure the integration of Samsung Knox and Business Services into Azure AD, you need to add Samsung Knox and Business Services from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Samsung Knox and Business Services** in the search box.
+1. Select **Samsung Knox and Business Services** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Samsung Knox and Business Services
+
+Configure and test Azure AD SSO with Samsung Knox and Business Services using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Samsung Knox and Business Services.
+
+To configure and test Azure AD SSO with Samsung Knox and Business Services, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Samsung Knox and Business Services SSO](#configure-samsung-knox-and-business-services-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Samsung Knox and Business Services test user](#create-samsung-knox-and-business-services-test-user)** - to have a counterpart of B.Simon in Samsung Knox and Business Services that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Samsung Knox and Business Services** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+
+ In the **Sign on URL** text box, type the URL:
+ `https://www.samsungknox.com`
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+ ![The Certificate download link](common/copy-metadataurl.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Samsung Knox and Business Services.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Samsung Knox and Business Services**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Samsung Knox and Business Services SSO
+
+1. In a different web browser window, sign in to your Samsung Knox and Business Services company site as an administrator.
+
+1. Click on the **Avatar** on the top right corner.
+
+ ![Samsung Knox avatar](./media/samsung-knox-and-business-services-tutorial/avatar.png)
+
+1. In the left sidebar, click **ACTIVE DIRECTORY SETTINGS** and perform the following steps.
+
+ ![ACTIVE DIRECTORY SETTINGS](./media/samsung-knox-and-business-services-tutorial/sso-settings.png)
+
+ a. In the **Identifier(entity ID)** textbox, paste the **Identifier** value which you have entered in the Azure portal.
+
+ b. In the **App federation metadata URL** textbox, paste the **App Federation Metadata Url** value which you have copied from the Azure portal.
+
+ c. click on **CONNECT TO AD SSO**.
+
+### Create Samsung Knox and Business Services test user
+
+In this section, you create a user called Britta Simon in Samsung Knox and Business Services. Work with [Samsung Knox and Business Services support team](mailto:noreplyk.sec@samsung.com) to add the users in the Samsung Knox and Business Services platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+* Click on **Test this application** in Azure portal. This will redirect to Samsung Knox and Business Services Sign-on URL where you can initiate the login flow.
+
+* Go to Samsung Knox and Business Services Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Samsung Knox and Business Services tile in the My Apps, this will redirect to Samsung Knox and Business Services Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
++
+## Next steps
+
+Once you configure Samsung Knox and Business Services you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
++
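Review bot: step 3a under Configure Samsung Knox and Business Services SSO tells the reader to paste `the **Identifier** value which you have entered in the Azure portal`, but the Basic SAML Configuration step above only has them type the Sign on URL `https://www.samsungknox.com`; the Scenario description note says the Identifier is a fixed string, so the gallery pre-fills it and the reader never entered one. Reword to `copy the Identifier shown in the Basic SAML Configuration section` (or list the fixed value) so the reader is not left searching for something they never typed. The support contact in Create Samsung Knox and Business Services test user is `mailto:noreplyk.sec@samsung.com`; a no-reply mailbox cannot serve as a support channel, so verify the address with the partner before publishing. Also confirm that `organizationΓÇÖs` in Next steps is a UTF-8 apostrophe in the committed file.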
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/servicenow-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/servicenow-tutorial.md
@@ -31,7 +31,7 @@ To get started, you need the following items:
* A ServiceNow single sign-on (SSO) enabled subscription. * For ServiceNow, an instance or tenant of ServiceNow supports Calgary, Kingston, London, Madrid, New York, Orlando and Paris versions or later. * For ServiceNow Express, an instance of ServiceNow Express, Helsinki version or later.
-* The ServiceNow tenant must have the [Multiple Provider Single Sign On Plugin](https://wiki.servicenow.com/index.php?title=Multiple_Provider_Single_Sign-On#gsc.tab=0) enabled.
+* The ServiceNow tenant must have the [Multiple Provider Single Sign On Plugin](https://old.wiki/index.php/Multiple_Provider_Single_Sign-On#gsc.tab=0) enabled.
* For automatic configuration, enable the multi-provider plugin for ServiceNow. * To install the ServiceNow Classic (Mobile) application, go to the appropriate store, and search for the ServiceNow Classic application. Then download it.
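Review bot: the replacement link for the Multiple Provider Single Sign On Plugin points at `https://old.wiki/index.php/Multiple_Provider_Single_Sign-On#gsc.tab=0`, a domain not operated by ServiceNow. Sending readers of an identity-federation tutorial to a third-party mirror for a prerequisite plugin is a content-integrity and phishing risk: the mirror can change or be taken over, and the `#gsc.tab=0` fragment is a leftover search-widget parameter, not part of the article. Replace it with the plugin's page on docs.servicenow.com for the releases named in the prerequisites (Calgary through Paris), or drop the hyperlink and name the plugin in plain text.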
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sugarcrm-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sugarcrm-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 09/17/2019 Last updated : 01/22/2021
@@ -21,8 +21,6 @@ In this tutorial, you'll learn how to integrate Sugar CRM with Azure Active Dire
* Enable your users to be automatically signed-in to Sugar CRM with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
@@ -39,22 +37,22 @@ In this tutorial, you configure and test Azure AD SSO in a test environment.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Sugar CRM from the gallery
+## Add Sugar CRM from the gallery
To configure the integration of Sugar CRM into Azure AD, you need to add Sugar CRM from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Sugar CRM** in the search box. 1. Select **Sugar CRM** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Sugar CRM
+## Configure and test Azure AD SSO for Sugar CRM
Configure and test Azure AD SSO with Sugar CRM using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Sugar CRM.
-To configure and test Azure AD SSO with Sugar CRM, complete the following building blocks:
+To configure and test Azure AD SSO with Sugar CRM, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
@@ -67,9 +65,9 @@ To configure and test Azure AD SSO with Sugar CRM, complete the following buildi
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Sugar CRM** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Sugar CRM** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
@@ -116,15 +114,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Sugar CRM**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Sugar CRM SSO
@@ -145,7 +137,7 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the **SAML Authentication** section, perform the following steps:
- ![SAML Authentication](./media/sugarcrm-tutorial/ic795891.png "SAML Authentication")
+ ![SAML Authentication](./media/sugarcrm-tutorial/save.png "SAML Authentication")
a. In the **Login URL** textbox, paste the value of **Login URL**, which you have copied from Azure portal.
@@ -196,16 +188,14 @@ In order to enable Azure AD users to sign in to Sugar CRM, they must be provisio
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Sugar CRM tile in the Access Panel, you should be automatically signed in to the Sugar CRM for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to Sugar CRM Sign-on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to Sugar CRM Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* You can use Microsoft My Apps. When you click the Sugar CRM tile in the My Apps, this will redirect to Sugar CRM Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Sugar CRM with Azure AD](https://aad.portal.azure.com/)\ No newline at end of file
+Once you configure Sugar CRM you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
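Review bot: the added Next steps paragraph contains a mis-encoded apostrophe ("organizationΓÇÖs"); save the file as UTF-8 so it reads "organization's". In the same sentence "protects exfiltration and infiltration" says the opposite of what is meant; change it to "protects against exfiltration and infiltration of your organization's sensitive data".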
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/talentlms-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/talentlms-tutorial.md
@@ -9,27 +9,23 @@
Previously updated : 04/10/2019 Last updated : 01/25/2021 # Tutorial: Azure Active Directory integration with TalentLMS
-In this tutorial, you learn how to integrate TalentLMS with Azure Active Directory (Azure AD).
-Integrating TalentLMS with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate TalentLMS with Azure Active Directory (Azure AD). When you integrate TalentLMS with Azure AD, you can:
-* You can control in Azure AD who has access to TalentLMS.
-* You can enable your users to be automatically signed-in to TalentLMS (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to TalentLMS.
+* Enable your users to be automatically signed-in to TalentLMS with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with TalentLMS, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* TalentLMS single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* TalentLMS single sign-on enabled subscription.
## Scenario description
@@ -37,59 +33,39 @@ In this tutorial, you configure and test Azure AD single sign-on in a test envir
* TalentLMS supports **SP** initiated SSO
-## Adding TalentLMS from the gallery
+## Add TalentLMS from the gallery
To configure the integration of TalentLMS into Azure AD, you need to add TalentLMS from the gallery to your list of managed SaaS apps.
-**To add TalentLMS from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **TalentLMS**, select **TalentLMS** from result panel then click **Add** button to add the application.
-
- ![TalentLMS in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with TalentLMS based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in TalentLMS needs to be established.
-
-To configure and test Azure AD single sign-on with TalentLMS, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **TalentLMS** in the search box.
+1. Select **TalentLMS** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure TalentLMS Single Sign-On](#configure-talentlms-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create TalentLMS test user](#create-talentlms-test-user)** - to have a counterpart of Britta Simon in TalentLMS that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for TalentLMS
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with TalentLMS using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in TalentLMS.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with TalentLMS, perform the following steps:
-To configure Azure AD single sign-on with TalentLMS, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure TalentLMS SSO](#configure-talentlms-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create TalentLMS test user](#create-talentlms-test-user)** - to have a counterpart of B.Simon in TalentLMS that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **TalentLMS** application integration page, select **Single sign-on**.
+### Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **TalentLMS** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
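Review bot: the trailing context line "4. On the **Basic SAML Configuration** section" still carries an explicit "4." while the new steps above it were changed to "1." auto-numbering, so the rendered list will jump from 3 to 4 only if the counts happen to match; renumber this line (and the ones that follow in the file) to "1." to stay consistent with the rest of the hunk.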
@@ -116,13 +92,31 @@ To configure Azure AD single sign-on with TalentLMS, perform the following steps
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- b. Azure AD Identifier
+### Assign the Azure AD test user
- c. Logout URL
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to TalentLMS.
-### Configure TalentLMS Single Sign-On
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **TalentLMS**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+### Configure TalentLMS SSO
1. In a different web browser window, sign in to your TalentLMS company site as an administrator.
@@ -134,7 +128,7 @@ To configure Azure AD single sign-on with TalentLMS, perform the following steps
1. In the Single Sign-On section, perform the following steps:
- ![Single Sign-On](./media/talentlms-tutorial/IC777297.png "Single Sign-On")
+ ![Single Sign-On](./media/talentlms-tutorial/saml.png "Single Sign-On")
a. From the **SSO integration type** list, select **SAML 2.0**.
@@ -158,56 +152,6 @@ To configure Azure AD single sign-on with TalentLMS, perform the following steps
1. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to TalentLMS.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **TalentLMS**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **TalentLMS**.
-
- ![The TalentLMS link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create TalentLMS test user To enable Azure AD users to sign in to TalentLMS, they must be provisioned into TalentLMS. In the case of TalentLMS, provisioning is a manual task.
@@ -233,16 +177,16 @@ To enable Azure AD users to sign in to TalentLMS, they must be provisioned into
> [!NOTE] > You can use any other TalentLMS user account creation tools or APIs provided by TalentLMS to provision Azure AD user accounts.
-### Test single sign-on
+### Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the TalentLMS tile in the Access Panel, you should be automatically signed in to the TalentLMS for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to TalentLMS Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to TalentLMS Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the TalentLMS tile in the My Apps, this will redirect to TalentLMS Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)\ No newline at end of file
+Once you configure TalentLMS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
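Review bot: the added Next steps paragraph has the same mis-encoded apostrophe as the Sugar CRM change ("organizationΓÇÖs") and the same inverted wording "protects exfiltration and infiltration"; save as UTF-8 and change it to "protects against exfiltration and infiltration of your organization's sensitive data".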
aks https://docs.microsoft.com/en-us/azure/aks/availability-zones https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/availability-zones.md
@@ -200,4 +200,4 @@ This article detailed how to create an AKS cluster that uses availability zones.
<!-- LINKS - external --> [kubectl-describe]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#describe
-[kubectl-well_known_labels]: https://kubernetes.io/docs/reference/kubernetes-api/labels-annotations-taints/
+[kubectl-well_known_labels]: https://kubernetes.io/docs/reference/labels-annotations-taints/
aks https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/configure-azure-cni.md
@@ -59,7 +59,7 @@ The maximum number of pods per node in an AKS cluster is 250. The *default* maxi
| -- | :--: | :--: | -- | | Azure CLI | 110 | 30 | Yes (up to 250) | | Resource Manager template | 110 | 30 | Yes (up to 250) |
-| Portal | 110 | 30 | No |
+| Portal | 110 | 110 (configured in the Node Pools tab) | No |
### Configure maximum - new clusters
aks https://docs.microsoft.com/en-us/azure/aks/enable-host-encryption https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/enable-host-encryption.md
@@ -21,37 +21,7 @@ This feature can only be set at cluster creation or node pool creation time.
### Prerequisites -- Ensure you have the `aks-preview` CLI extension v0.4.73 or higher installed-- Ensure you have the `EnableEncryptionAtHostPreview` feature flag under `Microsoft.ContainerService` enabled.-
-In order to be able to use encryption at host for your VMs or virtual machine scale sets, you must get the feature enabled on your subscription. Send an email to encryptionAtHost@microsoft .com with your subscription Ids to get the feature enabled for your subscriptions.
-
-### Register `EncryptionAtHost` preview features
-
-> [!IMPORTANT]
-> You must email encryptionAtHost@microsoft .com with your subscription Ids to get the feature enabled for compute resources. You cannot enable it yourself for those resources. You can enable it yourself on the container service.
-
-To create an AKS cluster that uses host-based encryption, you must enable the `EncryptionAtHost` feature flag on your subscription.
-
-Register the `EncryptionAtHost` feature flag using the [az feature register][az-feature-register] command as shown in the following example:
-
-```azurecli-interactive
-az feature register --namespace "Microsoft.ContainerService" --name "EnableEncryptionAtHost"
-```
-
-It takes a few minutes for the status to show *Registered*. You can check on the registration status using the [az feature list][az-feature-list] command:
-
-```azurecli-interactive
-az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableEncryptionAtHost')].{Name:name,State:properties.state}"
-```
-
-When ready, refresh the registration of the `Microsoft.ContainerService` and `Microsoft.Compute` resource providers using the [az provider register][az-provider-register] command:
-
-```azurecli-interactive
-az provider register --namespace Microsoft.ContainerService
-```
-
-[!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]
+- Ensure you have the `aks-preview` CLI extension v0.4.73 or higher version installed.
### Install aks-preview CLI extension
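Review bot: removing the `[!INCLUDE [preview features callout](./includes/preview/preview-callout.md)]` line leaves the feature with no preview notice even though the later sections are still titled "(preview)"; keep the include (or move it under the new single prerequisite) so readers still see the preview terms. The new bullet "v0.4.73 or higher version installed" also reads awkwardly; "v0.4.73 or later installed" is cleaner.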
@@ -73,23 +43,23 @@ az extension update --name aks-preview
## Use host-based encryption on new clusters (preview)
-Configure the cluster agent nodes to use host-based encryption when the cluster is created. Use the `--aks-custom-headers` flag to set the `EnableEncryptionAtHost` header.
+Configure the cluster agent nodes to use host-based encryption when the cluster is created.
```azurecli-interactive
-az aks create --name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 -l westus2 --aks-custom-headers --enable-encryption-at-host
+az aks create --name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 -l westus2 --enable-encryption-at-host
```
-If you want to create clusters without host-based encryption, you can do so by omitting the custom `--aks-custom-headers` parameter.
+If you want to create clusters without host-based encryption, you can do so by omitting the `--enable-encryption-at-host` parameter.
## Use host-based encryption on existing clusters (preview)
-You can enable host-based encryption on existing clusters by adding a new node pool to your cluster. Configure a new node pool to use host-based encryption by using the `--aks-custom-headers` flag.
+You can enable host-based encryption on existing clusters by adding a new node pool to your cluster. Configure a new node pool to use host-based encryption by using the `--enable-encryption-at-host` parameter.
```azurecli
-az aks nodepool add --name hostencrypt --cluster-name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 -l westus2 --aks-custom-headers --enable-encryption-at-host
+az aks nodepool add --name hostencrypt --cluster-name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 -l westus2 --enable-encryption-at-host
```
-If you want to create new node pools without the host-based encryption feature, you can do so by omitting the custom `--aks-custom-headers` parameter.
+If you want to create new node pools without the host-based encryption feature, you can do so by omitting the `--enable-encryption-at-host` parameter.
## Next steps
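Review bot: the two command blocks in this hunk use different fence tags, ```azurecli-interactive for `az aks create` and ```azurecli for `az aks nodepool add`; use the same tag for both so the portal renders them consistently. The prose change from `--aks-custom-headers` to `--enable-encryption-at-host` matches the commands, so the text and examples are now in agreement.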
aks https://docs.microsoft.com/en-us/azure/aks/managed-aad https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/managed-aad.md
@@ -42,7 +42,6 @@ kubelogin --version
Use [these instructions](https://kubernetes.io/docs/tasks/tools/install-kubectl/) for other operating systems. - ## Before you begin For your cluster, you need an Azure AD group. This group is needed as admin group for the cluster to grant cluster admin permissions. You can use an existing Azure AD group, or create a new one. Record the object ID of your Azure AD group.
@@ -183,6 +182,50 @@ If you want to access the cluster, follow the steps [here][access-cluster].
There are some non-interactive scenarios, such as continuous integration pipelines, that aren't currently available with kubectl. You can use [`kubelogin`](https://github.com/Azure/kubelogin) to access the cluster with non-interactive service principal sign-in.
+## Use Conditional Access with Azure AD and AKS
+
+When integrating Azure AD with your AKS cluster, you can also use [Conditional Access][aad-conditional-access] to control access to your cluster.
+
+> [!NOTE]
+> Azure AD Conditional Access is an Azure AD Premium capability.
+
+To create an example Conditional Access policy to use with AKS, complete the following steps:
+
+1. At the top of the Azure portal, search for and select Azure Active Directory.
+1. In the menu for Azure Active Directory on the left-hand side, select *Enterprise applications*.
+1. In the menu for Enterprise applications on the left-hand side, select *Conditional Access*.
+1. In the menu for Conditional Access on the left-hand side, select *Policies* then *New policy*.
+ :::image type="content" source="./media/managed-aad/conditional-access-new-policy.png" alt-text="Adding a Conditional Access policy":::
+1. Enter a name for the policy such as *aks-policy*.
+1. Select *Users and groups*, then under *Include* select *Select users and groups*. Choose the users and groups where you want to apply the policy. For this example, choose the same Azure AD group that has administration access to your cluster.
+ :::image type="content" source="./media/managed-aad/conditional-access-users-groups.png" alt-text="Selecting users or groups to apply the Conditional Access policy":::
+1. Select *Cloud apps or actions*, then under *Include* select *Select apps*. Search for *Azure Kubernetes Service* and select *Azure Kubernetes Service AAD Server*.
+ :::image type="content" source="./media/managed-aad/conditional-access-apps.png" alt-text="Selecting Azure Kubernetes Service AD Server for applying the Conditional Access policy":::
+1. Under *Access controls*, select *Grant*. Select *Grant access* then *Require device to be marked as compliant*.
+ :::image type="content" source="./media/managed-aad/conditional-access-grant-compliant.png" alt-text="Selecting to only allow compliant devices for the Conditional Access policy":::
+1. Under *Enable policy*, select *On* then *Create*.
+ :::image type="content" source="./media/managed-aad/conditional-access-enable-policy.png" alt-text="Enabling the Conditional Access policy":::
+
+Get the user credentials to access the cluster, for example:
+
+```azurecli-interactive
+ az aks get-credentials --resource-group myResourceGroup --name myManagedCluster
+```
+
+Follow the instructions to sign in.
+
+Use the `kubectl get nodes` command to view nodes in the cluster:
+
+```azurecli-interactive
+kubectl get nodes
+```
+
+Follow the instructions to sign in again. Notice there is an error message stating you are successfully logged in, but your admin requires the device requesting access to be managed by your Azure AD to access the resource.
+
+In the Azure portal, navigate to Azure Active Directory, select *Enterprise applications* then under *Activity* select *Sign-ins*. Notice an entry at the top with a *Status* of *Failed* and a *Conditional Access* of *Success*. Select the entry then select *Conditional Access* in *Details*. Notice your Conditional Access policy is listed.
+
+:::image type="content" source="./media/managed-aad/conditional-access-sign-in-activity.png" alt-text="Failed sign-in entry due to Conditional Access policy":::
+ ## Next steps * Learn about [Azure RBAC integration for Kubernetes Authorization][azure-rbac-integration]
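Review bot: the `kubectl get nodes` block is fenced as ```azurecli-interactive, which marks it as an Azure CLI command for the interactive shell; it is a kubectl invocation and should use a plain ```bash or ```console fence. The `az aks get-credentials` line in the preceding block also has a leading space that will be copied along with the command. Otherwise the walkthrough is sound: the policy is scoped to the same admin group that holds cluster-admin rights, so the failed sign-in and the "Conditional Access: Success" entry it describes are what a reader should expect to see when verifying the policy took effect.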
@@ -197,6 +240,7 @@ There are some non-interactive scenarios, such as continuous integration pipelin
[aks-arm-template]: /azure/templates/microsoft.containerservice/managedclusters <!-- LINKS - Internal -->
+[aad-conditional-access]: ../active-directory/conditional-access/overview.md
[azure-rbac-integration]: manage-azure-rbac.md [aks-concepts-identity]: concepts-identity.md [azure-ad-rbac]: azure-ad-rbac.md
aks https://docs.microsoft.com/en-us/azure/aks/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Kubernetes Service (AKS) description: Lists Azure Policy Regulatory Compliance controls available for Azure Kubernetes Service (AKS). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
aks https://docs.microsoft.com/en-us/azure/aks/troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/troubleshooting.md
@@ -15,11 +15,11 @@ When you create or manage Azure Kubernetes Service (AKS) clusters, you might occ
Try the [official guide to troubleshooting Kubernetes clusters](https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/). There's also a [troubleshooting guide](https://github.com/feiskyer/kubernetes-handbook/blob/master/en/troubleshooting/index.md), published by a Microsoft engineer for troubleshooting pods, nodes, clusters, and other features.
-## I'm getting a "quota exceeded" error during creation or upgrade. What should I do?
+## I'm getting a `quota exceeded` error during creation or upgrade. What should I do?
[Request more cores](../azure-portal/supportability/resource-manager-core-quotas-request.md).
-## I'm getting an insufficientSubnetSize error while deploying an AKS cluster with advanced networking. What should I do?
+## I'm getting an `insufficientSubnetSize` error while deploying an AKS cluster with advanced networking. What should I do?
This error indicates a subnet in use for a cluster no longer has available IPs within its CIDR for successful resource assignment. For Kubenet clusters, the requirement is sufficient IP space for each node in the cluster. For Azure CNI clusters, the requirement is sufficient IP space for each node and pod in the cluster. Read more about the [design of Azure CNI to assign IPs to pods](configure-azure-cni.md#plan-ip-addressing-for-your-cluster).
api-management https://docs.microsoft.com/en-us/azure/api-management/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/security-controls-policy.md /dev/null
@@ -0,0 +1,27 @@
+
+ Title: Azure Policy Regulatory Compliance controls for Azure API Management
+description: Lists Azure Policy Regulatory Compliance controls available for Azure API Management. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources.
Last updated : 01/29/2021++++++
+# Azure Policy Regulatory Compliance controls for Azure API Management
+
+[Regulatory Compliance in Azure Policy](../governance/policy/concepts/regulatory-compliance.md)
+provides Microsoft created and managed initiative definitions, known as _built-ins_, for the
+**compliance domains** and **security controls** related to different compliance standards. This
+page lists the **compliance domains** and **security controls** for Azure API Management. You can
+assign the built-ins for a **security control** individually to help make your Azure resources
+compliant with the specific standard.
+
+[!INCLUDE [azure-policy-compliancecontrols-introwarning](../../includes/policy/standards/intro-warning.md)]
+
+[!INCLUDE [azure-policy-compliancecontrols-apim](../../includes/policy/standards/byrp/microsoft.apimanagement.md)]
+
+## Next steps
+
+- Learn more about [Azure Policy Regulatory Compliance](../governance/policy/concepts/regulatory-compliance.md).
+- See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
app-service https://docs.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-app https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scenario-secure-app-access-microsoft-graph-as-app.md
@@ -8,7 +8,7 @@
Previously updated : 12/16/2020 Last updated : 01/28/2021
@@ -122,9 +122,9 @@ The [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential)
To see this code as part of a sample application, see the [sample on GitHub](https://github.com/Azure-Samples/ms-identity-easyauth-dotnet-storage-graphapi/tree/main/3-WebApp-graphapi-managed-identity).
-### Install the Microsoft.Graph client library package
+### Install the Microsoft.Identity.Web.MicrosoftGraph client library package
-Install the [Microsoft.Graph NuGet package](https://www.nuget.org/packages/Microsoft.Graph) in your project by using the .NET Core command-line interface or the Package Manager Console in Visual Studio.
+Install the [Microsoft.Identity.Web.MicrosoftGraph NuGet package](https://www.nuget.org/packages/Microsoft.Identity.Web.MicrosoftGraph) in your project by using the .NET Core command-line interface or the Package Manager Console in Visual Studio.
# [Command line](#tab/command-line)
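Review bot: the heading and package name in this hunk now read Microsoft.Identity.Web.MicrosoftGraph, but the unchanged context line above still sends readers to the `3-WebApp-graphapi-managed-identity` sample; confirm that the sample's project file and any `using Microsoft.Graph` directives in the article's code listings were updated in the same change, otherwise the install text and the sample diverge. For readers upgrading an existing project, `dotnet add package` does not remove the previous `Microsoft.Graph` reference, so a sentence telling them to drop the old package reference would avoid carrying two Graph client dependencies side by side.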
@@ -133,7 +133,7 @@ Open a command line, and switch to the directory that contains your project file
Run the install commands. ```dotnetcli
-dotnet add package Microsoft.Graph
+dotnet add package Microsoft.Identity.Web.MicrosoftGraph
``` # [Package Manager](#tab/package-manager)
@@ -142,7 +142,7 @@ Open the project/solution in Visual Studio, and open the console by using the **
Run the install commands. ```powershell
-Install-Package Microsoft.Graph
+Install-Package Microsoft.Identity.Web.MicrosoftGraph
```
app-service https://docs.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-user https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scenario-secure-app-access-microsoft-graph-as-user.md
@@ -8,7 +8,7 @@
Previously updated : 11/30/2020 Last updated : 01/28/2021
@@ -82,7 +82,7 @@ To see this code as part of a sample application, see the [sample on GitHub](htt
### Install client library packages
-Install the [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web/) and [Microsoft.Graph](https://www.nuget.org/packages/Microsoft.Graph) NuGet packages in your project by using the .NET Core command-line interface or the Package Manager Console in Visual Studio.
+Install the [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web/) and [Microsoft.Identity.Web.MicrosoftGraph](https://www.nuget.org/packages/Microsoft.Identity.Web.MicrosoftGraph) NuGet packages in your project by using the .NET Core command-line interface or the Package Manager Console in Visual Studio.
# [Command line](#tab/command-line)
@@ -91,7 +91,7 @@ Open a command line, and switch to the directory that contains your project file
Run the install commands. ```dotnetcli
-dotnet add package Microsoft.Graph
+dotnet add package Microsoft.Identity.Web.MicrosoftGraph
dotnet add package Microsoft.Identity.Web ```
@@ -102,7 +102,7 @@ Open the project/solution in Visual Studio, and open the console by using the **
Run the install commands. ```powershell
-Install-Package Microsoft.Graph
+Install-Package Microsoft.Identity.Web.MicrosoftGraph
Install-Package Microsoft.Identity.Web ```
app-service https://docs.microsoft.com/en-us/azure/app-service/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure App Service description: Lists Azure Policy Regulatory Compliance controls available for Azure App Service. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
attestation https://docs.microsoft.com/en-us/azure/attestation/overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/attestation/overview.md
@@ -10,9 +10,9 @@
-# Microsoft Azure Attestation (preview)
+# Microsoft Azure Attestation
-Microsoft Azure Attestation (preview) is a unified solution for remotely verifying the trustworthiness of a platform and integrity of the binaries running inside it. The service supports attestation of the platforms backed by Trusted Platform Modules (TPMs) alongside the ability to attest to the state of Trusted Execution Environments (TEEs) such as [Intel® Software Guard Extensions](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) (SGX) enclaves and [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) (VBS) enclaves.
+Microsoft Azure Attestation is a unified solution for remotely verifying the trustworthiness of a platform and integrity of the binaries running inside it. The service supports attestation of the platforms backed by Trusted Platform Modules (TPMs) alongside the ability to attest to the state of Trusted Execution Environments (TEEs) such as [Intel® Software Guard Extensions](https://www.intel.com/content/www/us/en/architecture-and-technology/software-guard-extensions.html) (SGX) enclaves and [Virtualization-based Security](/windows-hardware/design/device-experiences/oem-vbs) (VBS) enclaves.
Attestation is a process for demonstrating that software binaries were properly instantiated on a trusted platform. Remote relying parties can then gain confidence that only such intended software is running on trusted hardware. Azure Attestation is a unified customer-facing service and framework for attestation.
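Review bot: dropping "(preview)" from the H1 and the first sentence is only consistent if every other occurrence goes too; the rest of this article, its TOC entry and the other attestation pages are not in this diff, so check for remaining "(preview)" strings and preview-only caveats (for example, any statement that the service carries no SLA) before merging.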
automation https://docs.microsoft.com/en-us/azure/automation/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Automation description: Lists Azure Policy Regulatory Compliance controls available for Azure Automation. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
azure-app-configuration https://docs.microsoft.com/en-us/azure/azure-app-configuration/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure App Configuration description: Lists Azure Policy Regulatory Compliance controls available for Azure App Configuration. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/27/2021 Last updated : 01/29/2021
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/kubernetes/deploy-azure-iot-edge-workloads https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/deploy-azure-iot-edge-workloads.md
@@ -26,7 +26,7 @@ Azure Arc and Azure IoT Edge complement each other's capabilities quite well. Az
* Use [IoT Edge's support for Kubernetes](https://aka.ms/edgek8sdoc) to deploy it via Azure Arc's Flux operator.
-* Download the [**values.yaml**](https://github.com/Azure/iotedge/blob/master/kubernetes/charts/edge-kubernetes/values.yaml) file for IoT Edge Helm chart and replace the **deviceConnectionString** placeholder at the end of the file with the one noted in Step 1. You can set any other supported chart installation options as required. Create a namespace for the IoT Edge workload and create a secret in it:
+* Download the [**values.yaml**](https://github.com/Azure/iotedge/blob/preview/iiot/kubernetes/charts/edge-kubernetes/values.yaml) file for IoT Edge Helm chart and replace the **deviceConnectionString** placeholder at the end of the file with the one noted in Step 1. You can set any other supported chart installation options as required. Create a namespace for the IoT Edge workload and create a secret in it:
``` $ kubectl create ns iotedge
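Review bot: the bullet tells readers to paste the device connection string (a credential) into the downloaded `values.yaml` and then create a secret in the `iotedge` namespace; the local file now holds the connection string in plaintext and is easy to commit alongside the chart, so the doc should say to keep that file out of source control or to supply the value at install time (Helm's `--set` flag) rather than editing the file. Separately, the link now points at the `preview/iiot` branch instead of `master`; a branch name is not a stable reference, so a commit-pinned URL, or a note that the file only exists on the preview branch, would keep the link from breaking when the branch is merged or deleted.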
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Arc enabled servers (preview) description: Lists Azure Policy Regulatory Compliance controls available for Azure Arc enabled servers (preview). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
azure-cache-for-redis https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Cache for Redis description: Lists Azure Policy Regulatory Compliance controls available for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/configure-monitoring https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/configure-monitoring.md
@@ -242,7 +242,7 @@ When you choose **Create**, an Application Insights resource is created with you
<a id="manually-connect-an-app-insights-resource"></a> ### Add to an existing function app
-If an Application Insights resources wasn't created with your function app, use the following steps to create the resource. You can then add the instrumentation key from that resource as an [application setting](functions-how-to-use-azure-function-app-settings.md#settings) in your function app.
+If an Application Insights resource wasn't created with your function app, use the following steps to create the resource. You can then add the instrumentation key from that resource as an [application setting](functions-how-to-use-azure-function-app-settings.md#settings) in your function app.
1. In the [Azure portal](https://portal.azure.com), search for and select **function app**, and then choose your function app.
@@ -268,6 +268,30 @@ If an Application Insights resources wasn't created with your function app, use
> [!NOTE] > Early versions of Functions used built-in monitoring, which is no longer recommended. When enabling Application Insights integration for such a function app, you must also [disable built-in logging](#disable-built-in-logging).
+## Query Scale Controller logs
+
+After enabling both Scale Controller logging and Application Insights integration, you can use the Application Insights log search to query for the emitted scale controller logs. Scale controller logs are saved in the `traces` collection under the **ScaleControllerLogs** category.
+
+The following query can be used to search for all scale controller logs for the current function app within the specified time period:
+
+```kusto
+traces
+| extend CustomDimensions = todynamic(tostring(customDimensions))
+| where CustomDimensions.Category == "ScaleControllerLogs"
+```
+
+The following query expands on the previous query to show how to get only logs indicating a change in scale:
+
+```kusto
+traces
+| extend CustomDimensions = todynamic(tostring(customDimensions))
+| where CustomDimensions.Category == "ScaleControllerLogs"
+| where message == "Instance count changed"
+| extend Reason = CustomDimensions.Reason
+| extend PreviousInstanceCount = CustomDimensions.PreviousInstanceCount
+| extend NewInstanceCount = CustomDimensions.CurrentInstanceCount
+```
+ ## Disable built-in logging When you enable Application Insights, disable the built-in logging that uses Azure Storage. The built-in logging is useful for testing with light workloads, but isn't intended for high-load production use. For production monitoring, we recommend Application Insights. If built-in logging is used in production, the logging record might be incomplete because of throttling on Azure Storage.
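Review bot: the first query under "Query Scale Controller logs" is described as returning logs "within the specified time period", but the query carries no time bound; either add a `| where timestamp > ago(...)` line or say that the range comes from the Log Analytics time picker. The `todynamic(tostring(customDimensions))` round trip in both queries appears redundant, since `customDimensions` in `traces` is already a dynamic column and `customDimensions.Category` can be filtered directly. Minor: the last line names the column `NewInstanceCount` while the source property is `CurrentInstanceCount`; using one name avoids confusion when readers cross-reference the raw trace.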
@@ -283,4 +307,4 @@ To learn more about monitoring, see:
+ [Application Insights](/azure/application-insights/)
-[host.json]: functions-host-json.md
\ No newline at end of file
+[host.json]: functions-host-json.md
azure-government https://docs.microsoft.com/en-us/azure/azure-government/compliance/azure-services-in-fedramp-auditscope https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/compliance/azure-services-in-fedramp-auditscope.md
@@ -3,7 +3,7 @@ Title: Azure Services in FedRAMP and DoD SRG Audit Scope
description: This article contains tables for Azure Public and Azure Government that illustrate what FedRAMP (Moderate vs. High) and DoD SRG (Impact level 2, 4, 5 or 6) audit scope a given service has reached. Previously updated : 01/25/2021 Last updated : 01/29/2021
@@ -60,7 +60,7 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Azure Database for PostgreSQL](https://azure.microsoft.com/services/postgresql/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Database for MariaDB](https://azure.microsoft.com/services/mariadb/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Database Migration Service](https://azure.microsoft.com/services/database-migration/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
-| [Azure Databricks](https://azure.microsoft.com/services/databricks/)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
+| [Azure Databricks](https://azure.microsoft.com/services/databricks/)| :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark:**&ast;&ast;** | |
| [Azure Data Lake Storage](https://azure.microsoft.com/services/storage/data-lake-storage/) | | | | :heavy_check_mark: | | [Azure DDoS Protection](https://azure.microsoft.com/services/ddos-protection/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Azure Dedicated HSM](https://azure.microsoft.com/services/azure-dedicated-hsm/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
@@ -195,7 +195,9 @@ This article provides a detailed list of in-scope cloud services across Azure Pu
| [Windows 10 IoT Core Services](https://azure.microsoft.com/services/windows-10-iot-core/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | | [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
-**&ast;** FedRAMP high certification covers Datacenter Infrastructure Services & Databox Pod and Disk Service which are the online software components supporting Data Box hardware appliance.
+**&ast;** FedRAMP high certification covers Datacenter Infrastructure Services & Databox Pod and Disk Service which are the online software components supporting Data Box hardware appliance.
+
+**&ast;&ast;** FedRAMP High certification for Azure Databricks is applicable for limited regions in Azure Commercial. To configure Azure Databricks for FedRAMP High use, please reach out to your Microsoft or Databricks Representative.
## Azure Government services by audit scope | _Last Updated: January 2021_ |
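Review bot: the new double-asterisk footnote says Azure Databricks FedRAMP High coverage applies to "limited regions in Azure Commercial" without naming them, which leaves a reader unable to tell whether their deployment is in scope; list the regions or link to where that list is maintained. Also, the first line of this hunk is removed and re-added with no visible change, which usually means a trailing-whitespace edit; drop it from the diff to keep the blame history clean.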
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/asp-net-troubleshoot-no-data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/asp-net-troubleshoot-no-data.md
@@ -186,7 +186,7 @@ Performance data (CPU, IO rate, and so on) is available for [Java web services](
* Check that you actually copied all the Microsoft. ApplicationInsights DLLs to the server, together with Microsoft.Diagnostics.Instrumentation.Extensions.Intercept.dll * In your firewall, you might have to [open some TCP ports](./ip-addresses.md). * If you have to use a proxy to send out of your corporate network, set [defaultProxy](/previous-versions/dotnet/netframework-1.1/aa903360(v=vs.71)) in Web.config
-* Windows Server 2008: Make sure you have installed the following updates: [KB2468871](https://support.microsoft.com/kb/2468871), [KB2533523](https://support.microsoft.com/kb/2533523), [KB2600217](https://support.microsoft.com/kb/2600217).
+* Windows Server 2008: Make sure you have installed the following updates: [KB2468871](https://support.microsoft.com/kb/2468871), [KB2533523](https://support.microsoft.com/kb/2533523), [KB2600217](https://web.archive.org/web/20150129090641/http://support.microsoft.com/kb/2600217).
## I used to see data, but it has stopped * Have you hit your monthly quota of data points? Open the Settings/Quota and Pricing to find out. If so, you can upgrade your plan, or pay for additional capacity. See the [pricing scheme](https://azure.microsoft.com/pricing/details/application-insights/).
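Review bot: the KB2600217 link now points at a 2015 Wayback Machine snapshot while the two neighbouring KB links still go to support.microsoft.com; silently swapping in an archive URL hides the fact that the KB page was retired, so say so in the bullet (and decide whether the Windows Server 2008 bullet is still needed at all) rather than leaving readers unable to tell an archived reference from a live one.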
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-new-resource https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/create-new-resource.md
@@ -32,8 +32,8 @@ Sign in to the [Azure portal](https://portal.azure.com), and create an Applicati
Enter the appropriate values into the required fields, and then select **Review + create**.
-[!div class="mx-imgBorder"]
-![Enter values into required fields, and then select "review + create".](./media/create-new-resource/review-create.png)
+> [!div class="mx-imgBorder"]
+> ![Enter values into required fields, and then select "review + create".](./media/create-new-resource/review-create.png)
When your app has been created, a new pane opens. This pane is where you see performance and usage data about your monitored application.
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/create-workspace-resource https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/create-workspace-resource.md
@@ -29,8 +29,8 @@ Workspace-based Application Insights allows you to take advantage of the latest
Sign in to the [Azure portal](https://portal.azure.com), and create an Application Insights resource:
-[!div class="mx-imgBorder"]
-![Workspace-based Application Insights resource](./media/create-workspace-resource/create-workspace-based.png)
+> [!div class="mx-imgBorder"]
+> ![Workspace-based Application Insights resource](./media/create-workspace-resource/create-workspace-based.png)
If you don't already have an existing Log Analytics Workspace, [consult the Log Analytics workspace creation documentation](../learn/quick-create-workspace.md).
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-manage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/agent-manage.md
@@ -239,7 +239,7 @@ The downloaded file for the agent is a self-contained installation package creat
1. Sign on to the computer with an account that has administrative rights.
-2. To extract the agent installation files, from an elevated command prompt run `extract MMASetup-<platform>.exe` and it will prompt you for the path to extract files to. Alternatively, you can specify the path by passing the arguments `extract MMASetup-<platform>.exe /c:<Path> /t:<Path>`. For more information on the command-line switches supported by IExpress, see [Command-line switches for IExpress](https://support.microsoft.com/help/197147/command-line-switches-for-iexpress-software-update-packages) and then update the example to suit your needs.
+2. To extract the agent installation files, from an elevated command prompt run `extract MMASetup-<platform>.exe` and it will prompt you for the path to extract files to. Alternatively, you can specify the path by passing the arguments `extract MMASetup-<platform>.exe /c:<Path> /t:<Path>`. For more information on the command-line switches supported by IExpress, see [Command-line switches for IExpress](https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/197147) and then update the example to suit your needs.
3. At the prompt, type `%WinDir%\System32\msiexec.exe /x <Path>:\MOMAgent.msi /qb`.
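Review bot: replacing the support.microsoft.com reference for IExpress command-line switches with a link to betaarchive.com sends readers of an official agent-installation procedure to a third-party, community-run mirror for instructions they will run from an elevated prompt; prefer a Microsoft-controlled location or a web.archive.org snapshot of the original KB 197147 page, and if neither exists, inline the switches the step actually needs (`/c:` and `/t:` are already shown on the line) so the external link becomes optional.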
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-connections-servicenow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/itsmc-connections-servicenow.md
@@ -121,7 +121,7 @@ Use the following procedure to create a ServiceNow connection.
| **Server Url** | Enter the URL of the ServiceNow instance that you want to connect to ITSMC. The URL should point to a supported SaaS version with the suffix *.servicenow.com* (for example https://XXXXX.service-now.com/).| | **Username** | Enter the integration username that you created in the ServiceNow app to support the connection to ITSMC.| | **Password** | Enter the password associated with this username. **Note**: The username and password are used for generating authentication tokens only. They're not stored anywhere within the ITSMC service. |
- | **Client Id** | Enter the client ID that you want to use for OAuth2 authentication, which you generated earlier. For more information on generating a client ID and a secret, see [Set up OAuth](https://wiki.servicenow.com/index.php?title=OAuth_Setup). |
+ | **Client Id** | Enter the client ID that you want to use for OAuth2 authentication, which you generated earlier. For more information on generating a client ID and a secret, see [Set up OAuth](https://old.wiki/index.php/OAuth_Setup). |
| **Client Secret** | Enter the client secret generated for this ID. | | **Data Sync Scope (in Days)** | Enter the number of past days that you want the data from. The limit is 120 days. | | **Work Items To Sync** | Select the ServiceNow work items that you want to sync to Azure Log Analytics, through ITSMC. The selected values are imported into Log Analytics. Options are incidents and change requests.|
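Review bot: the new Set up OAuth link target `https://old.wiki/index.php/OAuth_Setup` is not obviously a ServiceNow-controlled host (the replaced URL was under wiki.servicenow.com), so verify the domain before publishing; a connector guide that tells administrators how to generate an OAuth client ID and secret should not send them to a destination whose ownership cannot be established from the URL. If the ServiceNow wiki page was retired, link to the current ServiceNow product documentation for OAuth application registration instead.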
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-dashboard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/itsmc-dashboard.md
@@ -1,6 +1,6 @@
Title: Error investigation using dashboard
-description: This document contain information about error investigation using the dashboard
+ Title: Investigate errors by using the dashboard
+description: This document contains information about errors on the ITSMC dashboard.
@@ -9,51 +9,50 @@ Last updated 01/15/2021
-# Error Investigation using the dashboard
+# Investigate errors by using the ITSMC dashboard
-This page contains information about the ITSM connector dashboard. This dashboard will help you to investigate the status of your ITSM connector.
+This article contains information about the IT Service Management Connector (ITSMC) dashboard. The dashboard helps you investigate the status of ITSMC.
-## How to view the dashboard
+## View the dashboard
-In order to view the errors in the dashboard, you should follow the next steps:
+Follow these steps to open the dashboard.
-1. In **All resources**, look for **ServiceDesk(*your workspace name*)**:
+1. Select **All resources**, and then find **ServiceDesk(*your workspace name*)**.
- ![Screenshot that shows recent resources in the Azure portal.](media/itsmc-definition/create-new-connection-from-resource.png)
+ ![Screenshot that shows the resources in Azure services.](media/itsmc-definition/create-new-connection-from-resource.png)
-2. Under **Workspace Data Sources** in the left pane, select **ITSM Connections**:
+1. In the left pane, select **Workspace Data Sources**, and then select **ITSM Connections**.
- ![Screenshot that shows the ITSM Connections menu item.](media/itsmc-overview/add-new-itsm-connection.png)
+ ![Screenshot that shows selecting ITSM Connections under Workplace Data Sources.](media/itsmc-overview/add-new-itsm-connection.png)
-3. Under **Summary** in the left box **IT Service Management Connector**, select **View Summary**:
+1. In the **Summary** section, select **View Summary** to view a summary graph.
- ![Screenshot that shows view summary.](media/itsmc-resync-servicenow/dashboard-view-summary.png)
+ ![Screenshot that shows the View Summary option in the Summary section.](media/itsmc-resync-servicenow/dashboard-view-summary.png)
-4. Under **Summary** in the left box **IT Service Management Connector**, click on the graph:
+1. Select the graph in the **Summary** section to open the dashboard.
- ![Screenshot that shows graph click.](media/itsmc-resync-servicenow/dashboard-graph-click.png)
+ ![Screenshot that shows selecting the Summary graph.](media/itsmc-resync-servicenow/dashboard-graph-click.png)
-5. Using this dashboard you will be able to review the status and the errors in your connector.
- ![Screenshot that shows connector status.](media/itsmc-resync-servicenow/connector-dashboard.png)
+1. Review the dashboard for status and any errors in your connector.
+ ![Screenshot that shows the dashboard.](media/itsmc-resync-servicenow/connector-dashboard.png)
-## Dashboard Elements
+## Understand dashboard elements
-The dashboard contains information on the alerts that were sent into the ITSM tool using this connector.
-The dashboard is split into four parts:
+The dashboard contains information on the alerts that were sent into the ITSM tool by using this connector.
-1. Work Item Created: The graph and the table below contain the count of the work item per type. If you click on the graph or on the table, you can see more details about the work items.
- ![Screenshot that shows work item created.](media/itsmc-resync-servicenow/itsm-dashboard-workitems.png)
-2. Impacted computers: The tables contain details about the configuration items that created configuration items.
- By clicking on rows in the tables, you can get further details on the configuration items.
- The table contains limited number of rows if you would like to see all the list you can click on "See all".
- ![Screenshot that shows impacted computers.](media/itsmc-resync-servicenow/itsm-dashboard-impacted-comp.png)
-3. Connector status: The graph and the table below contain messages about the status of the connector. By clicking on the graph on rows in the table, you can get further details on the messages of the connector status.
- The table contains limited number of rows if you would like to see all the list you can click on "See all".
+The dashboard is split into four sections:
- You can see details about the messages in the table - [here](itsmc-dashboard-errors.md).
+- **WORK ITEMS CREATED**: The graph and table show the number of the work items by type. Select the graph or the table to learn more about your work items.
+ ![Screenshot that shows the work items created section.](media/itsmc-resync-servicenow/itsm-dashboard-workitems.png)
+- **IMPACTED COMPUTERS**: The table contains details about the configuration items that created work items.
+ Select rows in the tables for more details about the configuration items.
+ The table contains a limited number of rows. To see the entire list, select **See all**.
+ ![Screenshot that shows the impacted computers section.](media/itsmc-resync-servicenow/itsm-dashboard-impacted-comp.png)
+- **CONNECTOR STATUS**: The graph and the table show information about the status of the connector. Select the graph or the messages in the table for more details. The table shows a limited number of rows. To see the entire list, select **See all**.
+ ![Screenshot that shows the connector status section.](media/itsmc-resync-servicenow/itsm-dashboard-connector-status.png)
+- **ALERT RULES**: This section shows information about the number of alert rules that were detected. Select rows in the tables for more details on the rules that were detected. The table has a limited number of rows. To see the entire list, select **See all**.
+ ![Screenshot that shows the alert rules section.](media/itsmc-resync-servicenow/itsm-dashboard-alert-rules.png)
- ![Screenshot that shows connector status.](media/itsmc-resync-servicenow/itsm-dashboard-connector-status.png)
-4. Alert rules: The tables contain the information on the number of alert rules that were detected.
- By clicking on rows in the tables, you can get further details on the rules that were detected.
- The table contains limited number of rows if you would like to see all the list you can click on "See all".
- ![Screenshot that shows alert rules.](media/itsmc-resync-servicenow/itsm-dashboard-alert-rules.png)
\ No newline at end of file
+## Next steps
+
+Check out [Common connector status errors](itsmc-dashboard-errors.md).
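Review bot: the rewrite drops the inline link to itsmc-dashboard-errors.md from the connector status description (the old text pointed readers there right after describing the status messages) and moves it to Next steps; since the point of the CONNECTOR STATUS section is diagnosing those messages, keep a link in that bullet as well. The rewrite correctly fixes "configuration items that created configuration items" to "created work items", but the ALERT RULES bullet still says alert rules "that were detected" without saying detected by what; a phrasing such as "alert rules that produced work items through this connector" would be clearer, if that is what the table shows.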
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/resource-logs-categories https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/resource-logs-categories.md
@@ -3,7 +3,7 @@ Title: Azure Monitor Resource Logs supported services and categories
description: Reference of Azure Monitor Understand the supported services and event schema for Azure resource logs. Previously updated : 12/09/2020 Last updated : 01/29/2021 # Supported categories for Azure Resource Logs
@@ -18,7 +18,9 @@ A combination of the resource type (available in the `resourceId` property) and
## Costs
-There are costs associated with sending and storing any data into into Log Analytics, Azure Storage and/or Event hub. You may pay for the cost to get the data into these locations and for keeping it there. Resource logs are one type of data you can send to these locations. There is an additional [cost to export some categories of resource logs](https://azure.microsoft.com/pricing/details/monitor/) into these locations, while others are free of export costs. Export cost specifics are listed in the table below.
+There are costs associated with sending and storing any data into into Log Analytics, Azure Storage and/or Event hub. You may pay for the cost to get the data into these locations and for keeping it there. Resource logs are one type of data you can send to these locations.
+
+There is an additional cost to export some categories of resource logs into these locations. Those logs with export costs are listed in the table below. For more information on this pricing, see the Platform Logs section in the [Azure Monitor pricing page](https://azure.microsoft.com/pricing/details/monitor/).
## Supported log categories per resource type
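Review bot: the doubled "into into" in the first sentence ("sending and storing any data into into Log Analytics") is carried over unchanged from the removed line into the new one; since this hunk rewrites the paragraph anyway, fix it here, and write "Event hub" as "Event Hubs" to match the product name. The same proofreading pass should catch the sentence added in the next hunk, "If you think there is something is missing", which needs the second "is" removed.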
@@ -26,859 +28,950 @@ Following is a list of the types of logs available for each resource type.
Some categories may only be supported for specific types of resources. See the resource-specific documentation if you feel you are missing a resource. For example, Microsoft.Sql/servers/databases categories aren't available for all types of databases. For more information, see [information on SQL Database diagnostic logging](../../azure-sql/database/metrics-diagnostic-telemetry-logging-streaming-export-configure.md).
-If you still something is missing, you can open a GitHub comment at the bottom of this article.
-## Microsoft.AnalysisServices/servers
+If you think there is something is missing, you can open a GitHub comment at the bottom of this article.
+## Microsoft.AAD/domainServices
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|AccountLogon|AccountLogon|No|
+|AccountManagement|AccountManagement|No|
+|DetailTracking|DetailTracking|No|
+|DirectoryServiceAccess|DirectoryServiceAccess|No|
+|LogonLogoff|LogonLogoff|No|
+|ObjectAccess|ObjectAccess|No|
+|PolicyChange|PolicyChange|No|
+|PrivilegeUse|PrivilegeUse|No|
+|SystemSecurity|SystemSecurity|No|
-|Category |Category Display Name|
-|||
-|Engine|Engine|
-|Service|Service|
+
+## Microsoft.AnalysisServices/servers
+
+|Category|Category Display Name|Costs To Export|
+||||
+|Engine|Engine|No|
+|Service|Service|No|
## Microsoft.ApiManagement/service
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|GatewayLogs|Logs related to ApiManagement Gateway|No|
++
+## Microsoft.AppConfiguration/configurationStores
-|Category |Category Display Name|
-|||
-|GatewayLogs|Logs related to ApiManagement Gateway|
+|Category|Category Display Name|Costs To Export|
+||||
+|HttpRequest|HTTP Requests|Yes|
## Microsoft.AppPlatform/Spring
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|ApplicationConsole|Application Console|No|
+|SystemLogs|System Logs|No|
-|Category |Category Display Name|
-|||
-|ApplicationConsole|Application Console|
-|SystemLogs|System Logs|
+## Microsoft.Attestation/attestationProviders
+
+|Category|Category Display Name|Costs To Export|
+||||
+|AuditEvent|AuditEvent message log category.|No|
+|ERR|Error message log category.|No|
+|INF|Informational message log category.|No|
+|WRN|Warning message log category.|No|
-## Microsoft.Automation/automationAccounts
-Cost to export: Free
+## Microsoft.Automation/automationAccounts
-|Category |Category Display Name|
-|||
-|DscNodeStatus|Dsc Node Status|
-|JobLogs|Job Logs|
-|JobStreams|Job Streams|
+|Category|Category Display Name|Costs To Export|
+||||
+|DscNodeStatus|Dsc Node Status|No|
+|JobLogs|Job Logs|No|
+|JobStreams|Job Streams|No|
## Microsoft.Batch/batchAccounts
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|ServiceLog|Service Logs|
+|Category|Category Display Name|Costs To Export|
+||||
+|ServiceLog|Service Logs|No|
## Microsoft.BatchAI/workspaces
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|BaiClusterEvent|BaiClusterEvent|
-|BaiClusterNodeEvent|BaiClusterNodeEvent|
-|BaiJobEvent|BaiJobEvent|
+|Category|Category Display Name|Costs To Export|
+||||
+|BaiClusterEvent|BaiClusterEvent|No|
+|BaiClusterNodeEvent|BaiClusterNodeEvent|No|
+|BaiJobEvent|BaiJobEvent|No|
## Microsoft.Blockchain/blockchainMembers
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|BlockchainApplication|Blockchain Application|
-|FabricOrderer|Fabric Orderer|
-|FabricPeer|Fabric Peer|
-|Proxy|Proxy|
+|Category|Category Display Name|Costs To Export|
+||||
+|BlockchainApplication|Blockchain Application|No|
+|FabricOrderer|Fabric Orderer|No|
+|FabricPeer|Fabric Peer|No|
+|Proxy|Proxy|No|
## Microsoft.Blockchain/cordaMembers
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|BlockchainApplication|Blockchain Application|No|
-|Category |Category Display Name|
-|||
-|BlockchainApplication|Blockchain Application|
+## microsoft.botservice/botservices
-## Microsoft.Cdn/cdnwebapplicationfirewallpolicies
+|Category|Category Display Name|Costs To Export|
+||||
+|BotRequest|Requests from the channels to the bot|No|
+|DependencyRequest|Requests to dependencies|No|
-Cost to export: Free
-|Category |Category Display Name|
-|||
-|WebApplicationFirewallLogs|Web Application Firewall Logs|
+## Microsoft.Cdn/cdnwebapplicationfirewallpolicies
+|Category|Category Display Name|Costs To Export|
+||||
+|WebApplicationFirewallLogs|Web Appliation Firewall Logs|No|
-## Microsoft.Cdn/profiles
-Cost to export: Free
+## Microsoft.Cdn/profiles
-|Category |Category Display Name|
-|||
-|AzureCdnAccessLog|Azure Cdn Access Log|
+|Category|Category Display Name|Costs To Export|
+||||
+|AzureCdnAccessLog|Azure Cdn Access Log|No|
+|FrontDoorAccessLog|FrontDoor Access Log|Yes|
+|FrontDoorHealthProbeLog|FrontDoor Health Probe Log|Yes|
+|FrontDoorWebApplicationFirewallLog|FrontDoor WebApplicationFirewall Log|Yes|
## Microsoft.Cdn/profiles/endpoints
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|CoreAnalytics|Gets the metrics of the endpoint, e.g., bandwidth, egress, etc.|
+|Category|Category Display Name|Costs To Export|
+||||
+|CoreAnalytics|Gets the metrics of the endpoint, e.g., bandwidth, egress, etc.|No|
## Microsoft.ClassicNetwork/networksecuritygroups
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|Network Security Group Rule Flow Event|Network Security Group Rule Flow Event|
+|Category|Category Display Name|Costs To Export|
+||||
+|Network Security Group Rule Flow Event|Network Security Group Rule Flow Event|No|
## Microsoft.CognitiveServices/accounts
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|Audit|Audit Logs|No|
+|RequestResponse|Request and Response Logs|No|
+|Trace|Trace Logs|No|
-|Category |Category Display Name|
-|||
-|Audit|Audit Logs|
-|RequestResponse|Request and Response Logs|
-|Trace|Trace Logs|
+## Microsoft.Communication/CommunicationServices
+
+|Category|Category Display Name|Costs To Export|
+||||
+|ChatOperational|Operational Chat Logs|No|
+|SMSOperational|Operational SMS Logs|No|
+|Usage|Usage Records|No|
-## Microsoft.ContainerRegistry/registries
-Cost to export: Free
+## Microsoft.ContainerRegistry/registries
-|Category |Category Display Name|
-|||
-|ContainerRegistryLoginEvents|Login Events|
-|ContainerRegistryRepositoryEvents|RepositoryEvent logs|
+|Category|Category Display Name|Costs To Export|
+||||
+|ContainerRegistryLoginEvents|Login Events|No|
+|ContainerRegistryRepositoryEvents|RepositoryEvent logs|No|
## Microsoft.ContainerService/managedClusters
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|cluster-autoscaler|Kubernetes Cluster Autoscaler|
-|kube-apiserver|Kubernetes API Server|
-|kube-audit|Kubernetes Audit|
-|kube-controller-manager|Kubernetes Controller Manager|
-|kube-scheduler|Kubernetes Scheduler|
+|Category|Category Display Name|Costs To Export|
+||||
+|cluster-autoscaler|Kubernetes Cluster Autoscaler|No|
+|guard|guard|No|
+|kube-apiserver|Kubernetes API Server|No|
+|kube-audit|Kubernetes Audit|No|
+|kube-audit-admin|Kubernetes Audit Admin Logs|No|
+|kube-controller-manager|Kubernetes Controller Manager|No|
+|kube-scheduler|Kubernetes Scheduler|No|
## Microsoft.CustomProviders/resourceproviders
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|AuditLogs|Audit logs for MiniRP calls|No|
++
+## Microsoft.D365CustomerInsights/instances
-|Category |Category Display Name|
-|||
-|AuditLogs|Audit logs for MiniRP calls|
+|Category|Category Display Name|Costs To Export|
+||||
+|Audit|Audit events|No|
+|Operational|Operational events|No|
## Microsoft.Databricks/workspaces
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|accounts|Databricks Accounts|No|
+|clusters|Databricks Clusters|No|
+|dbfs|Databricks File System|No|
+|instancePools|Instance Pools|No|
+|jobs|Databricks Jobs|No|
+|notebook|Databricks Notebook|No|
+|secrets|Databricks Secrets|No|
+|sqlPermissions|Databricks SQLPermissions|No|
+|ssh|Databricks SSH|No|
+|workspace|Databricks Workspace|No|
-|Category |Category Display Name|
-|||
-|accounts|Databricks Accounts|
-|clusters|Databricks Clusters|
-|dbfs|Databricks File System|
-|instancePools|Instance Pools|
-|jobs|Databricks Jobs|
-|notebook|Databricks Notebook|
-|secrets|Databricks Secrets|
-|sqlPermissions|Databricks SQLPermissions|
-|ssh|Databricks SSH|
-|workspace|Databricks Workspace|
+
+## Microsoft.DataCollaboration/workspaces
+
+|Category|Category Display Name|Costs To Export|
+||||
+|CollaborationAudit|Collaboration Audit|Yes|
+|DataAssets|Data Assets|No|
+|Pipelines|Pipelines|No|
+|Proposals|Proposals|No|
+|Scripts|Scripts|No|
## Microsoft.DataFactory/factories
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|ActivityRuns|Pipeline activity runs log|No|
+|PipelineRuns|Pipeline runs log|No|
+|SSISIntegrationRuntimeLogs|SSIS integration runtime logs|No|
+|SSISPackageEventMessageContext|SSIS package event message context|No|
+|SSISPackageEventMessages|SSIS package event messages|No|
+|SSISPackageExecutableStatistics|SSIS package executable statistics|No|
+|SSISPackageExecutionComponentPhases|SSIS package execution component phases|No|
+|SSISPackageExecutionDataStatistics|SSIS package exeution data statistics|No|
+|TriggerRuns|Trigger runs log|No|
-|Category |Category Display Name|
-|||
-|ActivityRuns|Pipeline activity runs log|
-|PipelineRuns|Pipeline runs log|
-|TriggerRuns|Trigger runs log|
+## Microsoft.DataLakeAnalytics/accounts
-## Microsoft.DataLakeStore/accounts
+|Category|Category Display Name|Costs To Export|
+||||
+|Audit|Audit Logs|No|
+|Requests|Request Logs|No|
-Cost to export: Free
-|Category |Category Display Name|
-|||
-|Audit|Audit Logs|
-|Requests|Request Logs|
+## Microsoft.DataLakeStore/accounts
+|Category|Category Display Name|Costs To Export|
+||||
+|Audit|Audit Logs|No|
+|Requests|Request Logs|No|
-## Microsoft.DataShare/accounts
-Cost to export: Free
+## Microsoft.DataShare/accounts
-|Category |Category Display Name|
-|||
-|ReceivedShareSnapshots|Received Share Snapshots|
-|SentShareSnapshots|Sent Share Snapshots|
-|Shares|Shares|
-|ShareSubscriptions|Share Subscriptions|
+|Category|Category Display Name|Costs To Export|
+||||
+|ReceivedShareSnapshots|Received Share Snapshots|No|
+|SentShareSnapshots|Sent Share Snapshots|No|
+|Shares|Shares|No|
+|ShareSubscriptions|Share Subscriptions|No|
## Microsoft.DBforMariaDB/servers
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|MySqlAuditLogs|MariaDB Audit Logs|
-|MySqlSlowLogs|MariaDB Server Logs|
+|Category|Category Display Name|Costs To Export|
+||||
+|MySqlAuditLogs|MariaDB Audit Logs|No|
+|MySqlSlowLogs|MariaDB Server Logs|No|
## Microsoft.DBforMySQL/flexibleServers
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|MySqlAuditLogs|MySQL Audit Logs|
-|MySqlSlowLogs|MySQL Slow Logs|
+|Category|Category Display Name|Costs To Export|
+||||
+|MySqlAuditLogs|MySQL Audit Logs|No|
+|MySqlSlowLogs|MySQL Slow Logs|No|
## Microsoft.DBforMySQL/servers
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|MySqlAuditLogs|MySQL Audit Logs|
-|MySqlSlowLogs|MySQL Server Logs|
+|Category|Category Display Name|Costs To Export|
+||||
+|MySqlAuditLogs|MySQL Audit Logs|No|
+|MySqlSlowLogs|MySQL Server Logs|No|
## Microsoft.DBforPostgreSQL/flexibleServers
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|PostgreSQLLogs|PostgreSQL Server Logs|
+|Category|Category Display Name|Costs To Export|
+||||
+|PostgreSQLLogs|PostgreSQL Server Logs|No|
## Microsoft.DBforPostgreSQL/servers
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|PostgreSQLLogs|PostgreSQL Server Logs|
-|QueryStoreRuntimeStatistics|PostgreSQL Query Store Runtime Statistics|
-|QueryStoreWaitStatistics|PostgreSQL Query Store Wait Statistics|
+|Category|Category Display Name|Costs To Export|
+||||
+|PostgreSQLLogs|PostgreSQL Server Logs|No|
+|QueryStoreRuntimeStatistics|PostgreSQL Query Store Runtime Statistics|No|
+|QueryStoreWaitStatistics|PostgreSQL Query Store Wait Statistics|No|
## Microsoft.DBforPostgreSQL/serversv2
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|PostgreSQLLogs|PostgreSQL Server Logs|
+|Category|Category Display Name|Costs To Export|
+||||
+|PostgreSQLLogs|PostgreSQL Server Logs|No|
## Microsoft.DesktopVirtualization/applicationgroups
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|Checkpoint|Checkpoint|
-|Error|Error|
-|Management|Management|
+|Category|Category Display Name|Costs To Export|
+||||
+|Checkpoint|Checkpoint|No|
+|Error|Error|No|
+|Management|Management|No|
## Microsoft.DesktopVirtualization/hostpools
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|Checkpoint|Checkpoint|
-|Connection|Connection|
-|Error|Error|
-|HostRegistration|HostRegistration|
-|Management|Management|
+|Category|Category Display Name|Costs To Export|
+||||
+|AgentHealthStatus|AgentHealthStatus|No|
+|Checkpoint|Checkpoint|No|
+|Connection|Connection|No|
+|Error|Error|No|
+|HostRegistration|HostRegistration|No|
+|Management|Management|No|
## Microsoft.DesktopVirtualization/workspaces
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|Checkpoint|Checkpoint|
-|Error|Error|
-|Feed|Feed|
-|Management|Management|
+|Category|Category Display Name|Costs To Export|
+||||
+|Checkpoint|Checkpoint|No|
+|Error|Error|No|
+|Feed|Feed|No|
+|Management|Management|No|
++
+## Microsoft.Devices/ElasticPools/IotHubTenants
+
+|Category|Category Display Name|Costs To Export|
+||||
+|C2DCommands|C2D Commands|No|
+|C2DTwinOperations|C2D Twin Operations|No|
+|Configurations|Configurations|No|
+|Connections|Connections|No|
+|D2CTwinOperations|D2CTwinOperations|No|
+|DeviceIdentityOperations|Device Identity Operations|No|
+|DeviceStreams|Device Streams (Preview)|No|
+|DeviceTelemetry|Device Telemetry|No|
+|DirectMethods|Direct Methods|No|
+|DistributedTracing|Distributed Tracing (Preview)|No|
+|FileUploadOperations|File Upload Operations|No|
+|JobsOperations|Jobs Operations|No|
+|Routes|Routes|No|
+|TwinQueries|Twin Queries|No|
## Microsoft.Devices/IotHubs
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|C2DCommands|C2D Commands|
-|C2DTwinOperations|C2D Twin Operations|
-|Configurations|Configurations|
-|Connections|Connections|
-|D2CTwinOperations|D2CTwinOperations|
-|DeviceIdentityOperations|Device Identity Operations|
-|DeviceStreams|Device Streams (Preview)|
-|DeviceTelemetry|Device Telemetry|
-|DirectMethods|Direct Methods|
-|DistributedTracing|Distributed Tracing (Preview)|
-|FileUploadOperations|File Upload Operations|
-|JobsOperations|Jobs Operations|
-|Routes|Routes|
-|TwinQueries|Twin Queries|
+|Category|Category Display Name|Costs To Export|
+||||
+|C2DCommands|C2D Commands|No|
+|C2DTwinOperations|C2D Twin Operations|No|
+|Configurations|Configurations|No|
+|Connections|Connections|No|
+|D2CTwinOperations|D2CTwinOperations|No|
+|DeviceIdentityOperations|Device Identity Operations|No|
+|DeviceStreams|Device Streams (Preview)|No|
+|DeviceTelemetry|Device Telemetry|No|
+|DirectMethods|Direct Methods|No|
+|DistributedTracing|Distributed Tracing (Preview)|No|
+|FileUploadOperations|File Upload Operations|No|
+|JobsOperations|Jobs Operations|No|
+|Routes|Routes|No|
+|TwinQueries|Twin Queries|No|
## Microsoft.Devices/provisioningServices
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|DeviceOperations|Device Operations|No|
+|ServiceOperations|Service Operations|No|
-|Category |Category Display Name|
-|||
-|DeviceOperations|Device Operations|
-|ServiceOperations|Service Operations|
+## Microsoft.DigitalTwins/digitalTwinsInstances
+
+|Category|Category Display Name|Costs To Export|
+||||
+|DigitalTwinsOperation|DigitalTwinsOperation|No|
+|EventRoutesOperation|EventRoutesOperation|No|
+|ModelsOperation|ModelsOperation|No|
+|QueryOperation|QueryOperation|No|
-## Microsoft.DocumentDB/databaseAccounts
-Cost to export: Free
+## Microsoft.DocumentDB/databaseAccounts
-|Category |Category Display Name|
-|||
-|CassandraRequests|CassandraRequests|
-|ControlPlaneRequests|ControlPlaneRequests|
-|DataPlaneRequests|DataPlaneRequests|
-|GremlinRequests|GremlinRequests|
-|MongoRequests|MongoRequests|
-|PartitionKeyRUConsumption|PartitionKeyRUConsumption|
-|PartitionKeyStatistics|PartitionKeyStatistics|
-|QueryRuntimeStatistics|QueryRuntimeStatistics|
+|Category|Category Display Name|Costs To Export|
+||||
+|CassandraRequests|CassandraRequests|No|
+|ControlPlaneRequests|ControlPlaneRequests|No|
+|DataPlaneRequests|DataPlaneRequests|No|
+|GremlinRequests|GremlinRequests|No|
+|MongoRequests|MongoRequests|No|
+|PartitionKeyRUConsumption|PartitionKeyRUConsumption|No|
+|PartitionKeyStatistics|PartitionKeyStatistics|No|
+|QueryRuntimeStatistics|QueryRuntimeStatistics|No|
## Microsoft.EventGrid/domains
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|DeliveryFailures|Delivery Failure Logs|No|
+|PublishFailures|Publish Failure Logs|No|
-|Category |Category Display Name|
-|||
-|DeliveryFailures|Delivery Failure Logs|
-|PublishFailures|Publish Failure Logs|
+## Microsoft.EventGrid/partnerNamespaces
-## Microsoft.EventGrid/systemTopics
+|Category|Category Display Name|Costs To Export|
+||||
+|DeliveryFailures|Delivery Failure Logs|No|
+|PublishFailures|Publish Failure Logs|No|
-Cost to export: Free
-|Category |Category Display Name|
-|||
-|DeliveryFailures|Delivery Failure Logs|
+## Microsoft.EventGrid/partnerTopics
+|Category|Category Display Name|Costs To Export|
+||||
+|DeliveryFailures|Delivery Failure Logs|No|
++
+## Microsoft.EventGrid/systemTopics
+
+|Category|Category Display Name|Costs To Export|
+||||
+|DeliveryFailures|Delivery Failure Logs|No|
-## Microsoft.EventGrid/topics
-Cost to export: Free
+## Microsoft.EventGrid/topics
-|Category |Category Display Name|
-|||
-|DeliveryFailures|Delivery Failure Logs|
-|PublishFailures|Publish Failure Logs|
+|Category|Category Display Name|Costs To Export|
+||||
+|DeliveryFailures|Delivery Failure Logs|No|
+|PublishFailures|Publish Failure Logs|No|
## Microsoft.EventHub/namespaces
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|ArchiveLogs|Archive Logs|No|
+|AutoScaleLogs|Auto Scale Logs|No|
+|CustomerManagedKeyUserLogs|Customer Managed Key Logs|No|
+|EventHubVNetConnectionEvent|VNet/IP Filtering Connection Logs|No|
+|KafkaCoordinatorLogs|Kafka Coordinator Logs|No|
+|KafkaUserErrorLogs|Kafka User Error Logs|No|
+|OperationalLogs|Operational Logs|No|
-|Category |Category Display Name|
-|||
-|ArchiveLogs|Archive Logs|
-|AutoScaleLogs|Auto Scale Logs|
-|CustomerManagedKeyUserLogs|Customer Managed Key Logs|
-|EventHubVNetConnectionEvent|VNet/IP Filtering Connection Logs|
-|KafkaCoordinatorLogs|Kafka Coordinator Logs|
-|KafkaUserErrorLogs|Kafka User Error Logs|
-|OperationalLogs|Operational Logs|
+## microsoft.experimentation/experimentWorkspaces
-## Microsoft.HealthcareApis/services
+|Category|Category Display Name|Costs To Export|
+||||
+|Request|Request|No|
-Cost to export: Free
-|Category |Category Display Name|
-|||
-|AuditLogs|Audit logs|
+## Microsoft.HealthcareApis/services
+|Category|Category Display Name|Costs To Export|
+||||
+|AuditLogs|Audit logs|No|
-## Microsoft.Insights/AutoscaleSettings
-Cost to export: Free
+## microsoft.insights/autoscalesettings
-|Category |Category Display Name|
-|||
-|AutoscaleEvaluations|Autoscale Evaluations|
-|AutoscaleScaleActions|Autoscale Scale Actions|
+|Category|Category Display Name|Costs To Export|
+||||
+|AutoscaleEvaluations|Autoscale Evaluations|No|
+|AutoscaleScaleActions|Autoscale Scale Actions|No|
## Microsoft.Insights/Components
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|AppAvailabilityResults|Availability results|No|
+|AppBrowserTimings|Browser timings|No|
+|AppDependencies|Dependencies|No|
+|AppEvents|Events|No|
+|AppExceptions|Exceptions|No|
+|AppMetrics|Metrics|No|
+|AppPageViews|Page views|No|
+|AppPerformanceCounters|Performance counters|No|
+|AppRequests|Requests|No|
+|AppSystemEvents|System events|No|
+|AppTraces|Traces|No|
-|Category |Category Display Name|
-|||
-|AppAvailabilityResults|Availability results|
-|AppBrowserTimings|Browser timings|
-|AppDependencies|Dependencies|
-|AppEvents|Events|
-|AppExceptions|Exceptions|
-|AppMetrics|Metrics|
-|AppPageViews|Page views|
-|AppPerformanceCounters|Performance counters|
-|AppRequests|Requests|
-|AppSystemEvents|System events|
-|AppTraces|Traces|
+## Microsoft.IoTSpaces/Graph
-## Microsoft.KeyVault/vaults
+|Category|Category Display Name|Costs To Export|
+||||
+|Audit|Audit|No|
+|Egress|Egress|No|
+|Ingress|Ingress|No|
+|Operational|Operational|No|
+|Trace|Trace|No|
+|UserDefinedFunction|UserDefinedFunction|No|
-Cost to export: Free
-|Category |Category Display Name|
-|||
-|AuditEvent|Audit Logs|
+## microsoft.keyvault/managedhsms
+|Category|Category Display Name|Costs To Export|
+||||
+|AuditEvent|Audit Event|No|
-## Microsoft.Kusto/Clusters
-Cost to export: Free
+## Microsoft.KeyVault/vaults
-|Category |Category Display Name|
-|||
-|Command|Command|
-|FailedIngestion|Failed ingest operations|
-|IngestionBatching|Ingestion batching|
-|Query|Query|
-|SucceededIngestion|Successful ingest operations|
-|TableDetails|Table details|
-|TableUsageStatistics|Table usage statistics|
+|Category|Category Display Name|Costs To Export|
+||||
+|AuditEvent|Audit Logs|No|
-## Microsoft.Logic/integrationAccounts
+## Microsoft.Kusto/Clusters
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|Command|Command|No|
+|FailedIngestion|Failed ingest operations|No|
+|IngestionBatching|Ingestion batching|No|
+|Query|Query|No|
+|SucceededIngestion|Successful ingest operations|No|
+|TableDetails|Table details|No|
+|TableUsageStatistics|Table usage statistics|No|
-|Category |Category Display Name|
-|||
-|IntegrationAccountTrackingEvents|Integration Account track events|
+## Microsoft.Logic/integrationAccounts
-## Microsoft.Logic/workflows
+|Category|Category Display Name|Costs To Export|
+||||
+|IntegrationAccountTrackingEvents|Integration Account track events|No|
-Cost to export: Free
-|Category |Category Display Name|
-|||
-|WorkflowRuntime|Workflow runtime diagnostic events|
+## Microsoft.Logic/workflows
+|Category|Category Display Name|Costs To Export|
+||||
+|WorkflowRuntime|Workflow runtime diagnostic events|No|
-## Microsoft.MachineLearningServices/workspaces
-Cost to export: Free
+## Microsoft.MachineLearningServices/workspaces
-|Category |Category Display Name|
-|||
-|AmlComputeClusterEvent|AmlComputeClusterEvent|
-|AmlComputeClusterNodeEvent|AmlComputeClusterNodeEvent|
-|AmlComputeCpuGpuUtilization|AmlComputeCpuGpuUtilization|
-|AmlComputeJobEvent|AmlComputeJobEvent|
-|AmlRunStatusChangedEvent|AmlRunStatusChangedEvent|
+|Category|Category Display Name|Costs To Export|
+||||
+|AmlComputeClusterEvent|AmlComputeClusterEvent|No|
+|AmlComputeClusterNodeEvent|AmlComputeClusterNodeEvent|No|
+|AmlComputeCpuGpuUtilization|AmlComputeCpuGpuUtilization|No|
+|AmlComputeJobEvent|AmlComputeJobEvent|No|
+|AmlRunStatusChangedEvent|AmlRunStatusChangedEvent|No|
## Microsoft.Media/mediaservices
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|KeyDeliveryRequests|Key Delivery Requests|
+|Category|Category Display Name|Costs To Export|
+||||
+|KeyDeliveryRequests|Key Delivery Requests|No|
## Microsoft.Network/applicationGateways
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|ApplicationGatewayAccessLog|Application Gateway Access Log|
-|ApplicationGatewayFirewallLog|Application Gateway Firewall Log|
-|ApplicationGatewayPerformanceLog|Application Gateway Performance Log|
+|Category|Category Display Name|Costs To Export|
+||||
+|ApplicationGatewayAccessLog|Application Gateway Access Log|No|
+|ApplicationGatewayFirewallLog|Application Gateway Firewall Log|No|
+|ApplicationGatewayPerformanceLog|Application Gateway Performance Log|No|
## Microsoft.Network/azurefirewalls
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|AzureFirewallApplicationRule|Azure Firewall Application Rule|
-|AzureFirewallNetworkRule|Azure Firewall Network Rule|
+|Category|Category Display Name|Costs To Export|
+||||
+|AzureFirewallApplicationRule|Azure Firewall Application Rule|No|
+|AzureFirewallDnsProxy|Azure Firewall DNS Proxy|No|
+|AzureFirewallNetworkRule|Azure Firewall Network Rule|No|
## Microsoft.Network/bastionHosts
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|BastionAuditLogs|Bastion Audit Logs|
+|Category|Category Display Name|Costs To Export|
+||||
+|BastionAuditLogs|Bastion Audit Logs|No|
## Microsoft.Network/expressRouteCircuits
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|PeeringRouteLog|Peering Route Table Logs|
+|Category|Category Display Name|Costs To Export|
+||||
+|PeeringRouteLog|Peering Route Table Logs|No|
## Microsoft.Network/frontdoors
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|FrontdoorAccessLog|Frontdoor Access Log|
-|FrontdoorWebApplicationFirewallLog|Frontdoor Web Application Firewall Log|
+|Category|Category Display Name|Costs To Export|
+||||
+|FrontdoorAccessLog|Frontdoor Access Log|No|
+|FrontdoorWebApplicationFirewallLog|Frontdoor Web Application Firewall Log|No|
## Microsoft.Network/loadBalancers
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|LoadBalancerAlertEvent|Load Balancer Alert Events|
-|LoadBalancerProbeHealthStatus|Load Balancer Probe Health Status|
+|Category|Category Display Name|Costs To Export|
+||||
+|LoadBalancerAlertEvent|Load Balancer Alert Events|No|
+|LoadBalancerProbeHealthStatus|Load Balancer Probe Health Status|No|
## Microsoft.Network/networksecuritygroups
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|NetworkSecurityGroupEvent|Network Security Group Event|No|
+|NetworkSecurityGroupFlowEvent|Network Security Group Rule Flow Event|No|
+|NetworkSecurityGroupRuleCounter|Network Security Group Rule Counter|No|
-|Category |Category Display Name|
-|||
-|NetworkSecurityGroupEvent|Network Security Group Event|
-|NetworkSecurityGroupFlowEvent|Network Security Group Rule Flow Event|
-|NetworkSecurityGroupRuleCounter|Network Security Group Rule Counter|
+## Microsoft.Network/p2sVpnGateways
-## Microsoft.Network/publicIPAddresses
+|Category|Category Display Name|Costs To Export|
+||||
+|GatewayDiagnosticLog|Gateway Diagnostic Logs|No|
+|IKEDiagnosticLog|IKE Diagnostic Logs|No|
+|P2SDiagnosticLog|P2S Diagnostic Logs|No|
-Cost to export: Free
-|Category |Category Display Name|
-|||
-|DDoSMitigationFlowLogs|Flow logs of DDoS mitigation decisions|
-|DDoSMitigationReports|Reports of DDoS mitigations|
-|DDoSProtectionNotifications|DDoS protection notifications|
+## Microsoft.Network/publicIPAddresses
+|Category|Category Display Name|Costs To Export|
+||||
+|DDoSMitigationFlowLogs|Flow logs of DDoS mitigation decisions|No|
+|DDoSMitigationReports|Reports of DDoS mitigations|No|
+|DDoSProtectionNotifications|DDoS protection notifications|No|
-## Microsoft.Network/trafficManagerProfiles
-Cost to export: Free
+## Microsoft.Network/trafficManagerProfiles
-|Category |Category Display Name|
-|||
-|ProbeHealthStatusEvents|Traffic Manager Probe Health Results Event|
+|Category|Category Display Name|Costs To Export|
+||||
+|ProbeHealthStatusEvents|Traffic Manager Probe Health Results Event|No|
## Microsoft.Network/virtualNetworkGateways
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|GatewayDiagnosticLog|Gateway Diagnostic Logs|
-|IKEDiagnosticLog|IKE Diagnostic Logs|
-|P2SDiagnosticLog|P2S Diagnostic Logs|
-|RouteDiagnosticLog|Route Diagnostic Logs|
-|TunnelDiagnosticLog|Tunnel Diagnostic Logs|
+|Category|Category Display Name|Costs To Export|
+||||
+|GatewayDiagnosticLog|Gateway Diagnostic Logs|No|
+|IKEDiagnosticLog|IKE Diagnostic Logs|No|
+|P2SDiagnosticLog|P2S Diagnostic Logs|No|
+|RouteDiagnosticLog|Route Diagnostic Logs|No|
+|TunnelDiagnosticLog|Tunnel Diagnostic Logs|No|
## Microsoft.Network/virtualNetworks
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|VMProtectionAlerts|VM protection alerts|No|
++
+## Microsoft.Network/vpnGateways
+
+|Category|Category Display Name|Costs To Export|
+||||
+|GatewayDiagnosticLog|Gateway Diagnostic Logs|No|
+|IKEDiagnosticLog|IKE Diagnostic Logs|No|
+|RouteDiagnosticLog|Route Diagnostic Logs|No|
+|TunnelDiagnosticLog|Tunnel Diagnostic Logs|No|
++
+## Microsoft.NotificationHubs/namespaces
+
+|Category|Category Display Name|Costs To Export|
+||||
+|OperationalLogs|Operational Logs|No|
++
+## Microsoft.OperationalInsights/workspaces
+
+|Category|Category Display Name|Costs To Export|
+||||
+|Audit|Audit Logs|No|
+
-|Category |Category Display Name|
-|||
-|VMProtectionAlerts|VM protection alerts|
+## Microsoft.PowerBI/tenants
+
+|Category|Category Display Name|Costs To Export|
+||||
+|Engine|Engine|No|
++
+## Microsoft.PowerBI/tenants/workspaces
+
+|Category|Category Display Name|Costs To Export|
+||||
+|Engine|Engine|No|
## Microsoft.PowerBIDedicated/capacities
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|Engine|Engine|No|
++
+## Microsoft.ProjectBabylon/accounts
+
+|Category|Category Display Name|Costs To Export|
+||||
+|ScanStatusLogEvent|ScanStatus|No|
-|Category |Category Display Name|
-|||
-|Engine|Engine|
+
+## microsoft.purview/accounts
+
+|Category|Category Display Name|Costs To Export|
+||||
+|ScanStatusLogEvent|ScanStatus|No|
## Microsoft.RecoveryServices/Vaults
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|AddonAzureBackupAlerts|Addon Azure Backup Alert Data|
-|AddonAzureBackupJobs|Addon Azure Backup Job Data|
-|AddonAzureBackupPolicy|Addon Azure Backup Policy Data|
-|AddonAzureBackupProtectedInstance|Addon Azure Backup Protected Instance Data|
-|AddonAzureBackupStorage|Addon Azure Backup Storage Data|
-|AzureBackupReport|Azure Backup Reporting Data|
-|AzureSiteRecoveryEvents|Azure Site Recovery Events|
-|AzureSiteRecoveryJobs|Azure Site Recovery Jobs|
-|AzureSiteRecoveryProtectedDiskDataChurn|Azure Site Recovery Protected Disk Data Churn|
-|AzureSiteRecoveryRecoveryPoints|Azure Site Recovery Recovery Points|
-|AzureSiteRecoveryReplicatedItems|Azure Site Recovery Replicated Items|
-|AzureSiteRecoveryReplicationDataUploadRate|Azure Site Recovery Replication Data Upload Rate|
-|AzureSiteRecoveryReplicationStats|Azure Site Recovery Replication Stats|
-|CoreAzureBackup|Core Azure Backup Data|
+|Category|Category Display Name|Costs To Export|
+||||
+|AddonAzureBackupAlerts|Addon Azure Backup Alert Data|No|
+|AddonAzureBackupJobs|Addon Azure Backup Job Data|No|
+|AddonAzureBackupPolicy|Addon Azure Backup Policy Data|No|
+|AddonAzureBackupProtectedInstance|Addon Azure Backup Protected Instance Data|No|
+|AddonAzureBackupStorage|Addon Azure Backup Storage Data|No|
+|AzureBackupReport|Azure Backup Reporting Data|No|
+|AzureSiteRecoveryEvents|Azure Site Recovery Events|No|
+|AzureSiteRecoveryJobs|Azure Site Recovery Jobs|No|
+|AzureSiteRecoveryProtectedDiskDataChurn|Azure Site Recovery Protected Disk Data Churn|No|
+|AzureSiteRecoveryRecoveryPoints|Azure Site Recovery Recovery Points|No|
+|AzureSiteRecoveryReplicatedItems|Azure Site Recovery Replicated Items|No|
+|AzureSiteRecoveryReplicationDataUploadRate|Azure Site Recovery Replication Data Upload Rate|No|
+|AzureSiteRecoveryReplicationStats|Azure Site Recovery Replication Stats|No|
+|CoreAzureBackup|Core Azure Backup Data|No|
## Microsoft.Relay/namespaces
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|HybridConnectionsEvent|HybridConnections Events|
+|Category|Category Display Name|Costs To Export|
+||||
+|HybridConnectionsEvent|HybridConnections Events|No|
+|HybridConnectionsLogs|HybridConnectionsLogs|No|
## Microsoft.Search/searchServices
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|OperationLogs|Operation Logs|
+|Category|Category Display Name|Costs To Export|
+||||
+|OperationLogs|Operation Logs|No|
## Microsoft.ServiceBus/namespaces
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|OperationalLogs|Operational Logs|
+|Category|Category Display Name|Costs To Export|
+||||
+|OperationalLogs|Operational Logs|No|
## Microsoft.SignalRService/SignalR
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|AllLogs|Azure SignalR Service Logs.|
+|Category|Category Display Name|Costs To Export|
+||||
+|AllLogs|Azure SignalR Service Logs.|No|
## Microsoft.Sql/managedInstances
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|DevOpsOperationsAudit|Devops operations Audit Logs|
-|ResourceUsageStats|Resource Usage Statistics|
-|SQLSecurityAuditEvents|SQL Security Audit Event|
+|Category|Category Display Name|Costs To Export|
+||||
+|DevOpsOperationsAudit|Devops operations Audit Logs|No|
+|ResourceUsageStats|Resource Usage Statistics|No|
+|SQLSecurityAuditEvents|SQL Security Audit Event|No|
## Microsoft.Sql/managedInstances/databases
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|Errors|Errors|
-|QueryStoreRuntimeStatistics|Query Store Runtime Statistics|
-|QueryStoreWaitStatistics|Query Store Wait Statistics|
-|SQLInsights|SQL Insights|
+|Category|Category Display Name|Costs To Export|
+||||
+|Errors|Errors|No|
+|QueryStoreRuntimeStatistics|Query Store Runtime Statistics|No|
+|QueryStoreWaitStatistics|Query Store Wait Statistics|No|
+|SQLInsights|SQL Insights|No|
## Microsoft.Sql/servers/databases
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|AutomaticTuning|Automatic tuning|
-|Blocks|Blocks|
-|DatabaseWaitStatistics|Database Wait Statistics|
-|Deadlocks|Deadlocks|
-|DevOpsOperationsAudit|Devops operations Audit Logs|
-|DmsWorkers|Dms Workers|
-|Errors|Errors|
-|ExecRequests|Exec Requests|
-|QueryStoreRuntimeStatistics|Query Store Runtime Statistics|
-|QueryStoreWaitStatistics|Query Store Wait Statistics|
-|RequestSteps|Request Steps|
-|SQLInsights|SQL Insights|
-|SqlRequests|Sql Requests|
-|SQLSecurityAuditEvents|SQL Security Audit Event|
-|Timeouts|Timeouts|
-|Waits|Waits|
+|Category|Category Display Name|Costs To Export|
+||||
+|AutomaticTuning|Automatic tuning|No|
+|Blocks|Blocks|No|
+|DatabaseWaitStatistics|Database Wait Statistics|No|
+|Deadlocks|Deadlocks|No|
+|DevOpsOperationsAudit|Devops operations Audit Logs|No|
+|DmsWorkers|Dms Workers|No|
+|Errors|Errors|No|
+|ExecRequests|Exec Requests|No|
+|QueryStoreRuntimeStatistics|Query Store Runtime Statistics|No|
+|QueryStoreWaitStatistics|Query Store Wait Statistics|No|
+|RequestSteps|Request Steps|No|
+|SQLInsights|SQL Insights|No|
+|SqlRequests|Sql Requests|No|
+|SQLSecurityAuditEvents|SQL Security Audit Event|No|
+|Timeouts|Timeouts|No|
+|Waits|Waits|No|
## Microsoft.Storage/storageAccounts/blobServices
-Cost to export: Paid as outlined in Platform Logs section of [Azure Monitor Pricing page.](https://azure.microsoft.com/pricing/details/monitor/)
-
-|Category |Category Display Name|
-|||
-|StorageDelete|StorageDelete|
-|StorageRead|StorageRead|
-|StorageWrite|StorageWrite|
+|Category|Category Display Name|Costs To Export|
+||||
+|StorageDelete|StorageDelete|Yes|
+|StorageRead|StorageRead|Yes|
+|StorageWrite|StorageWrite|Yes|
## Microsoft.Storage/storageAccounts/fileServices
-Cost to export: Paid as outlined in Platform Logs section of [Azure Monitor Pricing page.](https://azure.microsoft.com/pricing/details/monitor/)
-
-|Category |Category Display Name|
-|||
-|StorageDelete|StorageDelete|
-|StorageRead|StorageRead|
-|StorageWrite|StorageWrite|
+|Category|Category Display Name|Costs To Export|
+||||
+|StorageDelete|StorageDelete|Yes|
+|StorageRead|StorageRead|Yes|
+|StorageWrite|StorageWrite|Yes|
## Microsoft.Storage/storageAccounts/queueServices
-Cost to export: Paid as outlined in Platform Logs section of [Azure Monitor Pricing page.](https://azure.microsoft.com/pricing/details/monitor/)
-
-|Category |Category Display Name|
-|||
-|StorageDelete|StorageDelete|
-|StorageRead|StorageRead|
-|StorageWrite|StorageWrite|
+|Category|Category Display Name|Costs To Export|
+||||
+|StorageDelete|StorageDelete|Yes|
+|StorageRead|StorageRead|Yes|
+|StorageWrite|StorageWrite|Yes|
## Microsoft.Storage/storageAccounts/tableServices
-Cost to export: Paid as outlined in Platform Logs section of [Azure Monitor Pricing page.](https://azure.microsoft.com/pricing/details/monitor/)
-
-|Category |Category Display Name|
-|||
-|StorageDelete|StorageDelete|
-|StorageRead|StorageRead|
-|StorageWrite|StorageWrite|
+|Category|Category Display Name|Costs To Export|
+||||
+|StorageDelete|StorageDelete|Yes|
+|StorageRead|StorageRead|Yes|
+|StorageWrite|StorageWrite|Yes|
## Microsoft.StreamAnalytics/streamingjobs
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|Authoring|Authoring|
-|Execution|Execution|
+|Category|Category Display Name|Costs To Export|
+||||
+|Authoring|Authoring|No|
+|Execution|Execution|No|
## Microsoft.Synapse/workspaces
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|BuiltinSqlReqsEnded|Built-in Sql Pool Requests Ended|
-|GatewayApiRequests|Synapse Gateway Api Requests|
-|SQLSecurityAuditEvents|SQL Security Audit Event|
-|SynapseRbacOperations|Synapse RBAC Operations|
+|Category|Category Display Name|Costs To Export|
+||||
+|BuiltinSqlReqsEnded|Built-in Sql Pool Requests Ended|No|
+|GatewayApiRequests|Synapse Gateway Api Requests|No|
+|SQLSecurityAuditEvents|SQL Security Audit Event|No|
+|SynapseRbacOperations|Synapse RBAC Operations|No|
## Microsoft.Synapse/workspaces/bigDataPools
-Cost to export: Free
-
-|Category |Category Display Name|
-|||
-|BigDataPoolAppsEnded|Big Data Pool Applications Ended|
+|Category|Category Display Name|Costs To Export|
+||||
+|BigDataPoolAppsEnded|Big Data Pool Applications Ended|No|
## Microsoft.Synapse/workspaces/sqlPools
-Cost to export: Free
+|Category|Category Display Name|Costs To Export|
+||||
+|DmsWorkers|Dms Workers|No|
+|ExecRequests|Exec Requests|No|
+|RequestSteps|Request Steps|No|
+|SqlRequests|Sql Requests|No|
+|SQLSecurityAuditEvents|Sql Security Audit Event|No|
+|Waits|Waits|No|
-|Category |Category Display Name|
-|||
-|DmsWorkers|Dms Workers|
-|ExecRequests|Exec Requests|
-|RequestSteps|Request Steps|
-|SqlRequests|Sql Requests|
-|SQLSecurityAuditEvents|Sql Security Audit Event|
-|Waits|Waits|
+## Microsoft.TimeSeriesInsights/environments
-## microsoft.web/hostingenvironments
+|Category|Category Display Name|Costs To Export|
+||||
+|Ingress|Ingress|No|
+|Management|Management|No|
-Cost to export: Free
-|Category |Category Display Name|
-|||
-|AppServiceEnvironmentPlatformLogs|App Service Environment Platform Logs|
+## Microsoft.TimeSeriesInsights/environments/eventsources
+|Category|Category Display Name|Costs To Export|
+||||
+|Ingress|Ingress|No|
+|Management|Management|No|
-## microsoft.web/sites
-Cost to export: Free
+## microsoft.web/hostingenvironments
+
+|Category|Category Display Name|Costs To Export|
+||||
+|AppServiceEnvironmentPlatformLogs|App Service Environment Platform Logs|No|
-|Category |Category Display Name|
-|||
-|AppServiceAppLogs|App Service Application Logs|
-|AppServiceAuditLogs|Access Audit Logs|
-|AppServiceConsoleLogs|App Service Console Logs|
-|AppServiceFileAuditLogs|Site Content Change Audit Logs|
-|AppServiceHTTPLogs|HTTP logs|
-|FunctionAppLogs|Function Application Logs|
+## microsoft.web/sites
+|Category|Category Display Name|Costs To Export|
+||||
+|AppServiceAntivirusScanAuditLogs|Report Antivirus Audit Logs|No|
+|AppServiceAppLogs|App Service Application Logs|No|
+|AppServiceAuditLogs|Access Audit Logs|No|
+|AppServiceConsoleLogs|App Service Console Logs|No|
+|AppServiceFileAuditLogs|Site Content Change Audit Logs|No|
+|AppServiceHTTPLogs|HTTP logs|No|
+|AppServiceIPSecAuditLogs|IPSecurity Audit logs|No|
+|AppServicePlatformLogs|App Service Platform logs|No|
+|FunctionAppLogs|Function Application Logs|No|
-## microsoft.web/sites/slots
-Cost to export: Free
+## microsoft.web/sites/slots
+|Category|Category Display Name|Costs To Export|
+||||
+|AppServiceAntivirusScanAuditLogs|Report Antivirus Audit Logs|No|
+|AppServiceAppLogs|App Service Application Logs|No|
+|AppServiceAuditLogs|Access Audit Logs|No|
+|AppServiceConsoleLogs|App Service Console Logs|No|
+|AppServiceFileAuditLogs|Site Content Change Audit Logs|No|
+|AppServiceHTTPLogs|HTTP logs|No|
+|AppServiceIPSecAuditLogs|IPSecurity Audit Logs|No|
+|AppServicePlatformLogs|App Service Platform logs|No|
+|FunctionAppLogs|Function Application Logs|No|
-|Category |Category Display Name|
-|||
-|AppServiceAppLogs|App Service Application Logs|
-|AppServiceAuditLogs|Access Audit Logs|
-|AppServiceConsoleLogs|App Service Console Logs|
-|AppServiceFileAuditLogs|Site Content Change Audit Logs|
-|AppServiceHTTPLogs|HTTP logs|
-|FunctionAppLogs|Function Application Logs|
## Next Steps
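Review bot: dropping the per-section "Cost to export" sentence in favour of a "Costs To Export" column loses the only link to the Azure Monitor pricing page that the storage sections carried, so a reader who sees "Yes" for StorageRead/StorageWrite/StorageDelete no longer has a pointer to what that costs; keep the pricing link once in the introduction to these tables. The new display names are also inconsistent between sections: microsoft.web/sites has "IPSecurity Audit logs" while microsoft.web/sites/slots has "IPSecurity Audit Logs", and Microsoft.Synapse/workspaces/sqlPools has "Sql Security Audit Event" where every other section uses "SQL Security Audit Event". Finally, "## microsoft.web/hostingenvironments" is the only heading followed by a blank line before its table; make the spacing uniform.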
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Monitor description: Lists Azure Policy Regulatory Compliance controls available for Azure Monitor. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/workbooks-data-sources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/workbooks-data-sources.md
@@ -55,7 +55,7 @@ To make a query control use this data source, use the Data source drop-down to c
## Azure Data Explorer
-Workbooks now have support for querying from [Azure Data Explorer](/azure/data-explorer/) clusters with the powerful [Kusto](/azure/kusto/query/index) query language.
+Workbooks now have support for querying from [Azure Data Explorer](/azure/data-explorer/) clusters with the powerful [Kusto](/azure/kusto/query/index) query language.
![Screenshot of Kusto query window](./media/workbooks-overview/data-explorer.png)
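Review bot: the removed and added lines of this hunk read identically, so the change appears to be trailing whitespace only; either drop it from the commit or say so in the commit message so reviewers do not hunt for a content difference.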
@@ -75,10 +75,44 @@ To make a query control use this data source, use the **Query type** drop-down t
![Screenshot of alerts query that shows the health filter lists.](./media/workbooks-overview/resource-health.png)
+## Change Analysis (preview)
+
+To make a query control using [Application Change Analysis](../app/change-analysis.md) as the data source, use the *Data source* drop down and choose *Change Analysis (preview)* and select a single resource. Changes for up to the last 14 days can be shown. The *Level* drop down can be used to filter between "Important", "Normal", and "Noisy" changes, and this drop down supports workbook parameters of type [drop down](workbooks-dropdowns.md).
+
+> [!div class="mx-imgBorder"]
+> ![A screenshot of a workbook with Change Analysis](./media/workbooks-data-sources/change-analysis-data-source.png)
+
+## Merge data from different sources
+
+It is often necessary to bring together data from different sources that enhance the insights experience. An example is augmenting active alert information with related metric data. This allows users to see not just the effect (an active alert), but also potential causes (for example, high CPU usage). The monitoring domain has numerous such correlatable data sources that are often critical to the triage and diagnostic workflow.
+
+Workbooks allows not just the querying of different data sources, but also provides simple controls that allow you to merge or join the data to provide rich insights. The `merge` control is the way to achieve it.
+
+The example below combines alerting data with log analytics VM performance data to get a rich insights grid.
+
+> [!div class="mx-imgBorder"]
+> ![A screenshot of a workbook with a merge control that combines alert and log analytics data](./media/workbooks-data-sources/merge-control.png)
+
+Workbooks support a variety of merges:
+
+* Inner unique join
+* Full inner join
+* Full outer join
+* Left outer join
+* Right outer join
+* Left semi-join
+* Right semi-join
+* Left anti-join
+* Right anti-join
+* Union
+* Duplicate table
+ ## JSON The JSON provider allows you to create a query result from static JSON content. It is most commonly used in Parameters to create dropdown parameters of static values. Simple JSON arrays or objects will automatically be converted into grid rows and columns. For more specific behaviors, you can use the Results tab and JSONPath settings to configure columns.
+This provider supports [JSONPath](workbooks-jsonpath.md).
+ ## Alerts (preview) > [!NOTE]
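Review bot: "drop down" in the new Change Analysis paragraph is inconsistent with the hyphenated "drop-down" this article uses elsewhere (see the Alerts and Custom endpoint sections), and "Workbooks allows not just the querying of different data sources" in the merge section should read "Workbooks allow". The merge list names eleven join types without saying how each treats unmatched rows; a one-line gloss on the inner/outer/semi/anti distinction would help readers choose the right one for the alert-plus-performance example shown.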
@@ -91,7 +125,7 @@ The JSON provider allows you to create a query result from static JSON content.
Workbooks allow users to visualize the active alerts related to their resources. Limitations: the alerts data source requires read access to the Subscription in order to query resources, and may not show newer kinds of alerts.
-To make a query control use this data source, use the _Data source_ drop-down to choose _Alerts (preview)_ and select the subscriptions, resource groups or resources to target. Use the alert filter drop downs to select an interesting subset of alerts for your analytic needs.
+To make a query control use this data source, use the _Data source_ drop-down to choose _Alerts (preview)_ and select the subscriptions, resource groups, or resources to target. Use the alert filter drop downs to select an interesting subset of alerts for your analytic needs.
## Custom endpoint
@@ -99,11 +133,13 @@ Workbooks support getting data from any external source. If your data lives outs
To make a query control use this data source, use the _Data source_ drop-down to choose _Custom Endpoint_. Provide the appropriate parameters such as `Http method`, `url`, `headers`, `url parameters` and/or `body`. Make sure your data source supports [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) otherwise the request will fail.
-To avoid automatically making calls to untrusted hosts when using templates, the user needs to mark the used hosts as trusted. This can be done by either clicking on the _Add as trusted_ button, or by adding it as a trusted host in Workbook settings. These settings will be saved in browsers that support IndexDb with web workers, more info [here](https://caniuse.com/#feat=indexeddb).
+To avoid automatically making calls to untrusted hosts when using templates, the user needs to mark the used hosts as trusted. This can be done by either clicking on the _Add as trusted_ button, or by adding it as a trusted host in Workbook settings. These settings will be saved in [browsers that support IndexDb with web workers](https://caniuse.com/#feat=indexeddb).
> [!NOTE] > Do not write any secrets in any of the fields (`headers`, `parameters`, `body`, `url`), since they will be visible to all of the Workbook users.
+This provider supports [JSONPath](workbooks-jsonpath.md).
+ ## Next steps * [Get started](./workbooks-overview.md#visualizations) learning more about workbooks many rich visualizations options.
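Review bot: "IndexDb" in the reworded sentence should be "IndexedDB", the name the linked caniuse entry uses. Since the sentence says the trusted-host list is saved in the browser rather than in the workbook, a short note that trust therefore does not travel with the workbook or to other browsers would save users a surprise when a template re-prompts them.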
azure-netapp-files https://docs.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-resource-limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-resource-limits.md
@@ -13,7 +13,7 @@
na ms.devlang: na Previously updated : 12/01/2020 Last updated : 01/29/2021 # Resource limits for Azure NetApp Files
@@ -44,6 +44,8 @@ The following table describes resource limits for Azure NetApp Files:
| Maximum assigned throughput for a manual QoS volume | 4,500 MiB/s | No | | Number of cross-region replication data protection volumes (destination volumes) | 5 | Yes |
+To see whether a directory is approaching the maximum size limit for directory metadata (320 MB), see [How do I determine if a directory is approaching the limit size](azure-netapp-files-faqs.md#how-do-i-determine-if-a-directory-is-approaching-the-limit-size).
+ For more information, see [Capacity management FAQs](azure-netapp-files-faqs.md#capacity-management-faqs). ## Maxfiles limits <a name="maxfiles"></a>
azure-portal https://docs.microsoft.com/en-us/azure/azure-portal/set-preferences https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-portal/set-preferences.md
@@ -86,7 +86,7 @@ If your admin has enabled an inactivity timeout policy, you can still set your o
### Change the directory timeout setting (admin)
-Admins in the [Global Administrator role](../active-directory/roles/permissions-reference.md#global-administrator--company-administrator) can enforce the maximum idle time before a session is signed out. The inactivity timeout setting applies at the directory level. The setting takes effect for new sessions. It won't apply immediately to any users who are already signed in. For more information about directories, see [Active Directory Domain Services Overview](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview).
+Admins in the [Global Administrator role](../active-directory/roles/permissions-reference.md#global-administrator) can enforce the maximum idle time before a session is signed out. The inactivity timeout setting applies at the directory level. The setting takes effect for new sessions. It won't apply immediately to any users who are already signed in. For more information about directories, see [Active Directory Domain Services Overview](/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview).
If you're a Global Administrator, and you want to enforce an idle timeout setting for all users of the Azure portal, follow these steps:
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/managed-applications/security-baseline.md
@@ -159,7 +159,7 @@ Azure Advanced Threat Protection (ATP) is a security solution that can use Activ
### PA-1: Protect and limit highly privileged users **Guidance**: Azure Managed Applications uses Azure Active Directory (Azure AD) for identity and access. The most critical built-in roles are Azure AD are Global Administrator and the Privileged Role Administrator as users assigned to these two roles can delegate administrator roles:-- Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities.
+- Global Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities.
- Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units. Note: You may have other critical roles that need to be governed if you use custom roles with certain privileged permissions assigned. And you may also want to apply similar controls to the administrator account of critical business assets.
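Review bot: the context sentence just above the changed bullet still reads "The most critical built-in roles are Azure AD are Global Administrator and the Privileged Role Administrator"; since this hunk already touches the list, change the first "are" to "in" in the same commit.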
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Resource Manager description: Lists Azure Policy Regulatory Compliance controls available for Azure Resource Manager. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
azure-signalr https://docs.microsoft.com/en-us/azure/azure-signalr/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/security-baseline.md
@@ -223,7 +223,7 @@ Azure Advanced Threat Protection (ATP) is a security solution that can use Activ
**Guidance**: The most critical built-in roles are Azure Active Directory (Azure AD) are Global Administrator and the Privileged Role Administrator as users assigned to these two roles can delegate administrator roles: -- Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities.
+- Global Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities.
- Privileged Role Administrator: Users with this role can manage role assignments in Azure Active Directory (Azure AD), as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units.
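Review bot: the same doubled "are" appears in this article's lead-in ("roles are Azure Active Directory (Azure AD) are"); replace the first "are" with "in" while the bullet is being updated.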
azure-signalr https://docs.microsoft.com/en-us/azure/azure-signalr/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/security-controls-policy.md /dev/null
@@ -0,0 +1,27 @@
+
+ Title: Azure Policy Regulatory Compliance controls for Azure SignalR
+description: Lists Azure Policy Regulatory Compliance controls available for Azure SignalR. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources.
Last updated : 01/29/2021++++++
+# Azure Policy Regulatory Compliance controls for Azure SignalR
+
+[Regulatory Compliance in Azure Policy](../governance/policy/concepts/regulatory-compliance.md)
+provides Microsoft created and managed initiative definitions, known as _built-ins_, for the
+**compliance domains** and **security controls** related to different compliance standards. This
+page lists the **compliance domains** and **security controls** for Azure SignalR. You can assign
+the built-ins for a **security control** individually to help make your Azure resources compliant
+with the specific standard.
+
+[!INCLUDE [azure-policy-compliancecontrols-introwarning](../../includes/policy/standards/intro-warning.md)]
+
+[!INCLUDE [azure-policy-compliancecontrols-signalr](../../includes/policy/standards/byrp/microsoft.signalrservice.md)]
+
+## Next steps
+
+- Learn more about [Azure Policy Regulatory Compliance](../governance/policy/concepts/regulatory-compliance.md).
+- See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
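Review bot: the front matter of the new page is inconsistent with its siblings: the title line carries a leading space ("+ Title:" next to "+description:"), and after "Last updated : 01/29/2021" the hunk shows several added lines whose content is not visible here, so confirm that the remaining metadata keys the other security-controls-policy pages carry are present and non-empty before merging.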
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/authentication-aad-configure.md
@@ -66,7 +66,7 @@ When using Azure Active Directory with geo-replication, the Azure Active Directo
## Provision Azure AD admin (SQL Managed Instance) > [!IMPORTANT]
-> Only follow these steps if you are provisioning an Azure SQL Managed Instance. This operation can only be executed by Global/Company administrator or a Privileged Role Administrator in Azure AD.
+> Only follow these steps if you are provisioning an Azure SQL Managed Instance. This operation can only be executed by Global Administrator or a Privileged Role Administrator in Azure AD.
> > In **public preview**, you can assign the **Directory Readers** role to a group in Azure AD. The group owners can then add the managed instance identity as a member of this group, which would allow you to provision an Azure AD admin for the SQL Managed Instance. For more information on this feature, see [Directory Readers role in Azure Active Directory for Azure SQL](authentication-aad-directory-readers-role.md).
@@ -74,7 +74,7 @@ Your SQL Managed Instance needs permissions to read Azure AD to successfully acc
### Azure portal
-To grant your SQL Managed Instance Azure AD read permission using the Azure portal, log in as Global/Company administrator in Azure AD and follow these steps:
+To grant your SQL Managed Instance Azure AD read permission using the Azure portal, log in as Global Administrator in Azure AD and follow these steps:
1. In the [Azure portal](https://portal.azure.com), in the upper-right corner, select your connection from a drop-down list of possible Active Directories.
@@ -121,7 +121,7 @@ To grant your SQL Managed Instance Azure AD read permission by using the PowerSh
```powershell # Gives Azure Active Directory read permission to a Service Principal representing the SQL Managed Instance.
-# Can be executed only by a "Company Administrator", "Global Administrator", or "Privileged Role Administrator" type of user.
+# Can be executed only by a "Global Administrator" or "Privileged Role Administrator" type of user.
$aadTenant = "<YourTenantId>" # Enter your tenant ID $managedInstanceName = "MyManagedInstance"
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-directory-readers-role-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/authentication-aad-directory-readers-role-tutorial.md
@@ -18,7 +18,7 @@ Last updated 08/14/2020
> [!NOTE] > The **Directory Readers** role assignment to a group in this article is in **public preview**.
-This article guides you through creating a group in Azure Active Directory (Azure AD), and assigning that group the [**Directory Readers**](../../active-directory/roles/permissions-reference.md#directory-readers) role. The Directory Readers permissions allow the group owners to add additional members to the group, such as a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) of [Azure SQL Database](sql-database-paas-overview.md), [Azure SQL Managed Instance](../managed-instance/sql-managed-instance-paas-overview.md), and [Azure Synapse Analytics](../../synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is.md). This bypasses the need for a [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator--company-administrator) or [Privileged Role Administrator](../../active-directory/roles/permissions-reference.md#privileged-role-administrator) to assign the Directory Readers role directly for each Azure SQL logical server identity in the tenant.
+This article guides you through creating a group in Azure Active Directory (Azure AD), and assigning that group the [**Directory Readers**](../../active-directory/roles/permissions-reference.md#directory-readers) role. The Directory Readers permissions allow the group owners to add additional members to the group, such as a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) of [Azure SQL Database](sql-database-paas-overview.md), [Azure SQL Managed Instance](../managed-instance/sql-managed-instance-paas-overview.md), and [Azure Synapse Analytics](../../synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is.md). This bypasses the need for a [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator) or [Privileged Role Administrator](../../active-directory/roles/permissions-reference.md#privileged-role-administrator) to assign the Directory Readers role directly for each Azure SQL logical server identity in the tenant.
This tutorial uses the feature introduced in [Use cloud groups to manage role assignments in Azure Active Directory (preview)](../../active-directory/roles/groups-concept.md).
@@ -33,7 +33,7 @@ For more information on the benefits of assigning the Directory Readers role to
### Create a new group and assign owners and role
-1. A user with [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator--company-administrator) or [Privileged Role Administrator](../../active-directory/roles/permissions-reference.md#privileged-role-administrator) permissions is required for this initial setup.
+1. A user with [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator) or [Privileged Role Administrator](../../active-directory/roles/permissions-reference.md#privileged-role-administrator) permissions is required for this initial setup.
1. Have the privileged user sign into the [Azure portal](https://portal.azure.com). 1. Go to the **Azure Active Directory** resource. Under **Managed**, go to **Groups**. Select **New group** to create a new group. 1. Select **Security** as the group type, and fill in the rest of the fields. Make sure that the setting **Azure AD roles can be assigned to the group (Preview)** is switched to **Yes**. Then assign the Azure AD **Directory readers** role to the group.
@@ -89,7 +89,7 @@ Assigning the **Directory Readers** role to the server identity isn't required f
## Directory Readers role assignment using PowerShell > [!IMPORTANT]
-> A [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator--company-administrator) or [Privileged Role Administrator](../../active-directory/roles/permissions-reference.md#privileged-role-administrator) will need to run these initial steps. In addition to PowerShell, Azure AD offers Microsoft Graph API to [Create a role-assignable group in Azure AD](../../active-directory/roles/groups-create-eligible.md#using-microsoft-graph-api).
+> A [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator) or [Privileged Role Administrator](../../active-directory/roles/permissions-reference.md#privileged-role-administrator) will need to run these initial steps. In addition to PowerShell, Azure AD offers Microsoft Graph API to [Create a role-assignable group in Azure AD](../../active-directory/roles/groups-create-eligible.md#using-microsoft-graph-api).
1. Download the Azure AD Preview PowerShell module using the following commands. You may need to run PowerShell as an administrator.
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-directory-readers-role https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/authentication-aad-directory-readers-role.md
@@ -32,7 +32,7 @@ The **Directory Readers** role is necessary to:
## Assigning the Directory Readers role
-In order to assign the [**Directory Readers**](../../active-directory/roles/permissions-reference.md#directory-readers) role to an identity, a user with [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator--company-administrator) or [Privileged Role Administrator](../../active-directory/roles/permissions-reference.md#privileged-role-administrator) permissions is needed. Users who often manage or deploy SQL Database, SQL Managed Instance, or Azure Synapse may not have access to these highly privileged roles. This can often cause complications for users that create unplanned Azure SQL resources, or need help from highly privileged role members that are often inaccessible in large organizations.
+In order to assign the [**Directory Readers**](../../active-directory/roles/permissions-reference.md#directory-readers) role to an identity, a user with [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator) or [Privileged Role Administrator](../../active-directory/roles/permissions-reference.md#privileged-role-administrator) permissions is needed. Users who often manage or deploy SQL Database, SQL Managed Instance, or Azure Synapse may not have access to these highly privileged roles. This can often cause complications for users that create unplanned Azure SQL resources, or need help from highly privileged role members that are often inaccessible in large organizations.
For SQL Managed Instance, the **Directory Readers** role must be assigned to managed instance identity before you can [set up an Azure AD admin for the managed instance](authentication-aad-configure.md#provision-azure-ad-admin-sql-managed-instance).
@@ -40,7 +40,7 @@ Assigning the **Directory Readers** role to the server identity isn't required f
## Granting the Directory Readers role to an Azure AD group
-Currently in **public preview**, you can now have a [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator--company-administrator) or [Privileged Role Administrator](../../active-directory/roles/permissions-reference.md#privileged-role-administrator) create an Azure AD group and assign the [**Directory Readers**](../../active-directory/roles/permissions-reference.md#directory-readers) permission to the group. This will allow access to the Azure AD Graph API for members of this group. In addition, Azure AD users who are owners of this group are allowed to assign new members for this group, including identities of the Azure SQL logical servers.
+Currently in **public preview**, you can now have a [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator) or [Privileged Role Administrator](../../active-directory/roles/permissions-reference.md#privileged-role-administrator) create an Azure AD group and assign the [**Directory Readers**](../../active-directory/roles/permissions-reference.md#directory-readers) permission to the group. This will allow access to the Azure AD Graph API for members of this group. In addition, Azure AD users who are owners of this group are allowed to assign new members for this group, including identities of the Azure SQL logical servers.
This solution still requires a high privilege user (Global Administrator or Privileged Role Administrator) to create a group and assign users as a one time activity, but the Azure AD group owners will be able to assign additional members going forward. This eliminates the need to involve a high privilege user in the future to configure all SQL Databases, SQL Managed Instances, or Azure Synapse servers in their Azure AD tenant.
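Review bot: same fragment rename as the previous hunk, and consistent with it. One wording point on the changed line: "Currently in public preview, you can now have" says the same thing twice ("Currently" and "now"); dropping "now" reads cleaner. The sentence about group owners being able to add members, including server identities, is the security-relevant part of this section and is worth keeping prominent, since group ownership here effectively delegates the ability to grant Directory Readers access to new SQL server identities.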
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/file-space-manage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/file-space-manage.md
@@ -213,7 +213,7 @@ Shrink commands impact database performance while running, and if possible shou
You should also be aware of the potential negative performance impact of shrinking database files, see [**Rebuild indexes**](#rebuild-indexes) section below.
-For more information about this command, see [SHRINKDATABASE](/sql/t-sql/database-console-commands/dbcc-shrinkdatabase-transact-sql.md).
+For more information about this command, see [SHRINKDATABASE](/sql/t-sql/database-console-commands/dbcc-shrinkdatabase-transact-sql).
### Auto-shrink
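Review bot: dropping the `.md` suffix is the right fix for a cross-repo `/sql/...` reference, which resolves as a site path rather than as a file in this repo; the other `/sql/` links visible in this change set (for example the Query Store and transaction-locking links in the understand-resolve-blocking hunk) already use the suffix-free form, so this brings the SHRINKDATABASE link in line with them.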
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/secure-database-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/secure-database-tutorial.md
@@ -118,7 +118,7 @@ To set the Azure AD administrator:
![select active directory](./media/secure-database-tutorial/admin-settings.png) > [!IMPORTANT]
- > You need to be either a "Company Administrator" or "Global Administrator" to perform this task.
+ > You need to be a "Global Administrator" to perform this task.
1. On the **Add admin** page, search and select the AD user or group and choose **Select**. All members and groups of your Active Directory are listed, and entries grayed out are not supported as Azure AD administrators. See [Azure AD features and limitations](authentication-aad-overview.md#azure-ad-features-and-limitations).
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure SQL Database description: Lists Azure Policy Regulatory Compliance controls available for Azure SQL Database and SQL Managed Instance. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/troubleshoot-common-connectivity-issues https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/troubleshoot-common-connectivity-issues.md
@@ -327,7 +327,7 @@ Enterprise Library 6 (EntLib60) is a framework of .NET classes that helps you im
Retry logic for handling transient errors is one area in which EntLib60 can assist. For more information, see [4 - Perseverance, secret of all triumphs: Use the Transient Fault Handling Application Block](/previous-versions/msp-n-p/dn440719(v=pandp.60)). > [!NOTE]
-> The source code for EntLib60 is available for public download from the [Download Center](https://go.microsoft.com/fwlink/p/?LinkID=290898). Microsoft has no plans to make further feature updates or maintenance updates to EntLib.
+> The source code for EntLib60 is available for public download from the [Download Center](https://github.com/MicrosoftArchive/enterprise-library). Microsoft has no plans to make further feature updates or maintenance updates to EntLib.
<a id="entlib60-classes-for-transient-errors-and-retry" name="entlib60-classes-for-transient-errors-and-retry"></a>
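Review bot: the link text "Download Center" no longer describes the destination, which is now the MicrosoftArchive/enterprise-library repository on GitHub; change it to something like "GitHub (MicrosoftArchive)" so readers know they are being sent to an archived source tree rather than an installer. Given the note already states that no further feature or maintenance updates will be made, it is worth spelling out the consequence for readers using EntLib60 for transient-fault retry logic: an archived library receives no security fixes, so the retry code should be treated as something to migrate away from rather than a supported dependency.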
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/understand-resolve-blocking https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/understand-resolve-blocking.md
@@ -370,7 +370,7 @@ The following scenarios will expand on these scenarios.
## See also
-* [Monitoring and performance tuning in Azure SQL Database and Azure SQL Managed Instance](/monitor-tune-overview.md)
+* [Monitoring and performance tuning in Azure SQL Database and Azure SQL Managed Instance](/azure/azure-sql/database/monitor-tune-overview)
* [Monitoring performance by using the Query Store](/sql/relational-databases/performance/monitoring-performance-by-using-the-query-store) * [Transaction Locking and Row Versioning Guide](/sql/relational-databases/sql-server-transaction-locking-and-row-versioning-guide) * [SET TRANSACTION ISOLATION LEVEL](/sql/t-sql/statements/set-transaction-isolation-level-transact-sql)
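Review bot: the corrected link switches to a site-absolute path (`/azure/azure-sql/database/monitor-tune-overview`), while the file it points at sits in the same `database` folder as this article; the convention elsewhere in this change set for same-folder targets is a relative file link (`sql-database-paas-overview.md`, `logical-servers.md`), and relative file links get validated at build time whereas site paths only fail at click time. `monitor-tune-overview.md` would therefore be the safer form here. The unchanged context line "The following scenarios will expand on these scenarios." is also awkward, though it is outside the diff.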
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/vnet-service-endpoint-rule-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/vnet-service-endpoint-rule-overview.md
@@ -16,7 +16,7 @@ Last updated 11/14/2019
[!INCLUDE[appliesto-sqldb-asa](../includes/appliesto-sqldb-asa.md)]
-*Virtual network rules* are a firewall security feature that controls whether the server for your databases and elastic pools in [Azure SQL Database](sql-database-paas-overview.md) or for your databases in [Azure Synapse Analytics](../../synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is.md) accepts communications that are sent from particular subnets in virtual networks. This article explains why virtual network rules are sometimes your best option for securely allowing communication to your database in SQL Database and Azure Synapse Analytics.
+*Virtual network rules* are a firewall security feature that controls whether the server for your databases and elastic pools in [Azure SQL Database](sql-database-paas-overview.md) or for your dedicated SQL pool (formerly SQL DW) databases in [Azure Synapse Analytics](../../synapse-analytics/sql-data-warehouse/sql-data-warehouse-overview-what-is.md) accepts communications that are sent from particular subnets in virtual networks. This article explains why virtual network rules are sometimes your best option for securely allowing communication to your database in SQL Database and Azure Synapse Analytics.
> [!NOTE] > This article applies to both SQL Database and Azure Synapse Analytics. For simplicity, the term *database* refers to both databases in SQL Database and Azure Synapse Analytics. Likewise, any references to *server* refer to the [logical SQL server](logical-servers.md) that hosts SQL Database and Azure Synapse Analytics.
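Review bot: the terminology update to "dedicated SQL pool (formerly SQL DW)" is applied only to the first half of the sentence; the same sentence still ends with "your database in SQL Database and Azure Synapse Analytics", and the NOTE block immediately below still says "databases in SQL Database and Azure Synapse Analytics", so the rename is incomplete within this hunk. Either update those two mentions as well or keep the old wording throughout for consistency.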
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/instance-create-quickstart https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/instance-create-quickstart.md
@@ -1,5 +1,5 @@
Title: "Quickstart: Create a managed instance of SQL Managed Instance (portal)"
+ Title: "Quickstart: Create an Azure SQL Managed Instance (portal)"
description: Create a managed instance, network environment, and client VM for access using the Azure portal in this quickstart.
@@ -10,19 +10,19 @@
Previously updated : 09/26/2019 Last updated : 1/29/2021
-# Quickstart: Create a managed instance of SQL Managed Instance
+# Quickstart: Create an Azure SQL Managed Instance
[!INCLUDE[appliesto-sqlmi](../includes/appliesto-sqlmi.md)]
-This quickstart teaches you to create a managed instance of [Azure SQL Managed Instance](sql-managed-instance-paas-overview.md) in the Azure portal.
+This quickstart teaches you to create an [Azure SQL Managed Instance](sql-managed-instance-paas-overview.md) in the Azure portal.
> [!IMPORTANT] > For limitations, see [Supported regions](resource-limits.md#supported-regions) and [Supported subscription types](resource-limits.md#supported-subscription-types).
-## Create a managed instance
+## Create an Azure SQL Managed Instance
-To create a managed instance, follow these steps:
+To create a SQL Managed Instance, follow these steps:
### Sign in to the Azure portal
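Review bot: article usage is inconsistent within the hunk: the H2 now reads "Create an Azure SQL Managed Instance" while the very next line says "To create a SQL Managed Instance", and the Basics tab hunk later in this change uses "provision a SQL Managed Instance" next to unchanged text that says "a managed instance". Pick one form (the title's "an Azure SQL Managed Instance" or the shorter "a managed instance") and apply it across the file in this same commit rather than leaving a mix.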
@@ -33,15 +33,15 @@ If you don't have an Azure subscription, [create a free account](https://azure.m
1. Select **+Add** to open the **Select SQL deployment option** page. You can view additional information about Azure SQL Managed Instance by selecting **Show details** on the **SQL managed instances** tile. 1. Select **Create**.
- ![Create a managed instance](./media/instance-create-quickstart/create-managed-instance.png)
+ ![Create a managed instance](./media/instance-create-quickstart/create-azure-sql-managed-instance.png)
4. Use the tabs on the **Create Azure SQL Managed Instance** provisioning form to add required and optional information. The following sections describe these tabs. ### Basics tab -- Fill out mandatory information required on the **Basics** tab. This is a minimum set of information required to provision a managed instance.
+- Fill out mandatory information required on the **Basics** tab. This is a minimum set of information required to provision a SQL Managed Instance.
- !["Basics" tab for creating a managed instance](./media/instance-create-quickstart/mi-create-tab-basics.png)
+ !["Basics" tab for creating a SQL Managed Instance](./media/instance-create-quickstart/azure-sql-managed-instance-create-tab-basics.png)
Use the table below as a reference for information required at this tab.
@@ -56,7 +56,17 @@ If you don't have an Azure subscription, [create a free account](https://azure.m
- Select **Configure Managed Instance** to size compute and storage resources and to review the pricing tiers. Use the sliders or text boxes to specify the amount of storage and the number of virtual cores. When you're finished, select **Apply** to save your selection.
- ![Managed instance form](./media/instance-create-quickstart/mi-create-tab-configure-performance.png)
+ ![Managed instance form](./media/instance-create-quickstart/azure-sql-managed-instance-create-tab-configure-performance.png)
+
+| Setting| Suggested value | DescriptionΓÇ»|
+| | | -- |
+| **Service Tier** | Select one of the options. | Based on your scenario, select one of the following options: </br> <ul><li>**General Purpose**: for most production workloads, and the default option.</li><li>**Business Critical**: designed for low-latency workloads with high resiliency to failures and fast failovers.</li></ul><BR>For more information, see [Azure SQL Database and Azure SQL Managed Instance service tiers](../../azure-sql/database/service-tiers-general-purpose-business-critical.md) and review [Overview of Azure SQL Managed Instance resource limits](../../azure-sql/managed-instance/resource-limits.md).|
+| **Hardware Generation** | Select one of the options. | The hardware generation generally defines the compute and memory limits and other characteristics that impact the performance of the workload. **Gen5** is the default.|
+| **vCore compute model** | Select an option. | vCores represent exact amount of compute resources that are always provisioned for your workload. **Eight vCores** is the default.|
+| **Storage in GB** | Select an option. | Storage size in GB, select based on expected data size. If migrating existing data from on-premises or on various cloud platforms, see [Migration overview: SQL Server to SQL Managed Instance](../../azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-overview.md).|
+| **Azure Hybrid Benefit** | Check option if applicable. | For leveraging an existing license for Azure. For more information, see [Azure Hybrid Benefit - Azure SQL Database & SQL Managed Instance](../../azure-sql/azure-hybrid-benefit.md). |
+| **Backup storage redundancy** | Select **Geo-redundant backup storage**. | Storage redundancy inside Azure for backup storage. Note that this value cannot be changed later. Geo-redundant backup storage is default and recommended, though Zone and Local redundancy allow for more cost flexibility and single region data residency. For more information, see [Backup Storage redundancy](../database/automated-backups-overview.md?tabs=managed-instance#backup-storage-redundancy).|
+ - To review your choices before you create a SQL Managed Instance, you can select **Review + create**. Or, configure networking options by selecting **Next: Networking**.
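Review bot: the new table header `DescriptionΓÇ»` carries a mis-encoded non-breaking space (the UTF-8 bytes of U+00A0 rendered through a legacy code page); replace it with a plain ASCII space or the column heading will show a stray character. Two wording points in the added rows: "vCores represent exact amount" needs "the", and the **Backup storage redundancy** row should lead with the fact that the value cannot be changed after creation, since it is the only setting in this table the reader cannot revisit; the data-residency consequence of choosing Zone or Local redundancy belongs right next to that statement so the trade-off is visible before the irreversible choice is made.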
@@ -64,7 +74,7 @@ If you don't have an Azure subscription, [create a free account](https://azure.m
- Fill out optional information on the **Networking** tab. If you omit this information, the portal will apply default settings.
- !["Networking" tab for creating a managed instance](./media/instance-create-quickstart/mi-create-tab-networking.png)
+ !["Networking" tab for creating a managed instance](./media/instance-create-quickstart/azure-sql-managed-instance-create-tab-networking.png)
Use the table below as a reference for information required at this tab.
@@ -72,16 +82,17 @@ If you don't have an Azure subscription, [create a free account](https://azure.m
| | | -- | | **Virtual network** | Select either **Create new virtual network** or a valid virtual network and subnet.| If a network or subnet is unavailable, it must be [modified to satisfy the network requirements](vnet-existing-add-subnet.md) before you select it as a target for the new managed instance. For information about the requirements for configuring the network environment for SQL Managed Instance, see [Configure a virtual network for SQL Managed Instance](connectivity-architecture-overview.md). | | **Connection type** | Choose between a proxy and a redirect connection type.|For more information about connection types, see [Azure SQL Managed Instance connection type](../database/connectivity-architecture.md#connection-policy).|
- | **Public endpoint** | Select **Enable**. | For a managed instance to be accessible through the public data endpoint, you need to enable this option. |
- | **Allow access from** (if **Public endpoint** is enabled) | Select one of the options. |The portal experience enables configuring a security group with a public endpoint. </br> </br> Based on your scenario, select one of the following options: </br> <ul> <li>**Azure services**: We recommend this option when you're connecting from Power BI or another multitenant service. </li> <li> **Internet**: Use for test purposes when you want to quickly spin up a managed instance. We don't recommend it for production environments. </li> <li> **No access**: This option creates a **Deny** security rule. Modify this rule to make a managed instance accessible through a public endpoint. </li> </ul> </br> For more information on public endpoint security, see [Using Azure SQL Managed Instance securely with a public endpoint](public-endpoint-overview.md).|
+ | **Public endpoint** | Select **Disable**. | For a managed instance to be accessible through the public data endpoint, you need to enable this option. |
+ | **Allow access from** (if **Public endpoint** is enabled) | Select **No Access** |The portal experience enables configuring a security group with a public endpoint. </br> </br> Based on your scenario, select one of the following options: </br> <ul> <li>**Azure services**: We recommend this option when you're connecting from Power BI or another multitenant service. </li> <li> **Internet**: Use for test purposes when you want to quickly spin up a managed instance. We don't recommend it for production environments. </li> <li> **No access**: This option creates a **Deny** security rule. Modify this rule to make a managed instance accessible through a public endpoint. </li> </ul> </br> For more information on public endpoint security, see [Using Azure SQL Managed Instance securely with a public endpoint](public-endpoint-overview.md).|
- Select **Review + create** to review your choices before you create a managed instance. Or, configure more custom settings by selecting **Next: Additional settings**. + ### Additional settings - Fill out optional information on the **Additional settings** tab. If you omit this information, the portal will apply default settings.
- !["Additional settings" tab for creating a managed instance](./media/instance-create-quickstart/mi-create-tab-additional-settings.png)
+ !["Additional settings" tab for creating a managed instance](./media/instance-create-quickstart/azure-sql-managed-instance-create-tab-additional-settings.png)
Use the table below as a reference for information required at this tab.
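Review bot: changing the suggested values to **Disable** and **No Access** is the right default for a quickstart, but the Description cells were not updated to match. The **Public endpoint** description still reads as though enabling is the expected path, and nothing tells the reader why the suggested value is off: with the endpoint disabled the instance is not reachable through the public data endpoint at all and is accessed only through its virtual network, which is what a reader following a quickstart should get unless they deliberately opt in. Suggest adding one sentence to that effect and pointing forward to the IMPORTANT note in the network-settings hunk, which already explains that enabling the endpoint also requires opening NSG ports. Minor: "Select **No Access**" lacks the trailing period the other cells have, and the option list in the same row spells it "**No access**".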
@@ -92,33 +103,40 @@ If you don't have an Azure subscription, [create a free account](https://azure.m
| **Use as failover secondary** | Select **Yes**. | Enable this option to use the managed instance as a failover group secondary.| | **Primary SQL Managed Instance** (if **Use as failover secondary** is set to **Yes**) | Choose an existing primary managed instance that will be joined in the same DNS zone with the managed instance you're creating. | This step will enable post-creation configuration of the failover group. For more information, see [Tutorial: Add a managed instance to a failover group](failover-group-add-instance-tutorial.md).|
+- Select **Review + create** to review your choices before you create a managed instance. Or, configure Azure Tags by selecting **Next: Tags** (recommended).
+
+### Tags
+
+- Add tags to resources in your Azure Resource Manager template (ARM template). [Tags](/azure/azure-resource-manager/management/tag-resources) help you logically organize your resources. The tag values show up in cost reports and allow for other management activities by tag.
+
+- Consider at least tagging your new SQL Managed Instance with the Owner tag to identify who created, and the Environment tag to identify whether this system is Production, Development, etc. For more information, see [Develop your naming and tagging strategy for Azure resources](/azure/cloud-adoption-framework/ready/azure-best-practices/naming-and-tagging).
+
+- Select **Review + create** to proceed.
+ ## Review + create 1. Select **Review + create** tab to review your choices before you create a managed instance.
- ![Tab for reviewing and creating a managed instance](./media/instance-create-quickstart/mi-create-tab-review-create.png)
+ ![Tab for reviewing and creating a managed instance](./media/instance-create-quickstart/azure-sql-managed-instance-create-tab-review-create.png)
1. Select **Create** to start provisioning the managed instance. > [!IMPORTANT]
-> Deploying a managed instance is a long-running operation. Deployment of the first instance in the subnet typically takes much longer than deploying into a subnet with existing managed instances. For average provisioning times, see [SQL Managed Instance management operations](sql-managed-instance-paas-overview.md#management-operations).
+> Deploying a managed instance is a long-running operation. Deployment of the first instance in the subnet typically takes much longer than deploying into a subnet with existing managed instances. For average provisioning times, see [Overview of Azure SQL Managed Instance management operations](management-operations-overview.md#duration).
## Monitor deployment progress 1. Select the **Notifications** icon to view the status of the deployment.
- ![Deployment progress of a SQL Managed Instance deployment](./media/instance-create-quickstart/mi-create-deployment-in-progress.png)
+ ![Deployment progress of a SQL Managed Instance deployment](./media/instance-create-quickstart/azure-sql-managed-instance-create-deployment-in-progress.png)
1. Select **Deployment in progress** in the notification to open the SQL Managed Instance window and further monitor the deployment progress. > [!TIP]
-> If you closed your web browser or moved away from the deployment progress screen, follow these steps to locate the deployment progress screen:
-> 1. In the Azure portal, open the resource group (on the **Basics** tab) to which you're deploying SQL Managed Instance.
-> 2. Select **Deployments**.
-> 3. Select the SQL Managed Instance deployment operation in progress.
+> - If you closed your web browser or moved away from the deployment progress screen, you can monitor the provisioning operation via the managed instance's **Overview** page, or via PowerShell or the Azure CLI. For more information, see [Monitor operations](management-operations-monitor.md#monitor-operations).
+> - You can cancel the provisioning process through Azure portal, or via PowerShell or the Azure CLI or other tooling using the REST API. See [Canceling Azure SQL Managed Instance management operations](management-operations-cancel.md).
> [!IMPORTANT]
-> - Creation of SQL Managed Instance is a long-running operation that might take a few hours at a time, depending on specific circumstances. See [Management operations duration](management-operations-overview.md#duration) for typical creation times.
> - Start of SQL Managed Instance creation could be delayed in cases when there exist other impacting operations, such are long-running restore or scaling operations on other Managed Instances in the same subnet. To learn more, see [Management operations cross-impact](management-operations-overview.md#management-operations-cross-impact). > - In order to be able to get the status of managed instance creation, you need to have **read permissions** over the resource group. If you don't have this permission or revoke it while the managed instance is in creation process, this can cause SQL Managed Instance not to be visible in the list of resource group deployments. >
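Review bot: the first Tags bullet says "Add tags to resources in your Azure Resource Manager template (ARM template)", but this quickstart creates the instance through the portal form, so the ARM-template reference is out of place; "Add tags to the resources being created" fits the flow. Grammar in the added lines: "to identify who created," is missing its object ("who created it"), and "through Azure portal" needs "the". Removing the IMPORTANT bullet about creation duration is fine, since the updated note under Review + create in this same hunk now carries the duration link.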
@@ -129,43 +147,41 @@ Upon successful deployment of a managed instance, to view resources created:
1. Open the resource group for your managed instance.
- ![SQL Managed Instance resources](./media/instance-create-quickstart/resources.png)
+ ![SQL Managed Instance resources](./media/instance-create-quickstart/azure-sql-managed-instance-resources.png)
## View and fine-tune network settings To optionally fine-tune networking settings, inspect the following:
-1. Select the route table to review the user-defined route (UDR) that was created for you.
-
- ![Route table](./media/instance-create-quickstart/route-table.png)
+1. In the list of resources, select the route table to review the user-defined Route table (UDR) object that was created.
-2. In the route table, review the entries to route traffic from and within the SQL Managed Instance virtual network. If you create or configure your route table manually, ensure to create these entries in the SQL Managed Instance route table.
+2. In the route table, review the entries to route traffic from and within the SQL Managed Instance virtual network. If you create or configure your route table manually, create these entries in the SQL Managed Instance route table.
- ![Entry for a SQL Managed Instance subnet to local](./media/instance-create-quickstart/udr.png)
+ ![Entry for a SQL Managed Instance subnet to local](./media/instance-create-quickstart/azure-sql-managed-instance-route-table-user-defined-route.png)
-3. Return to the resource group, and select the network security group.
+ To change or add routes, open the **Routes** in the Route table settings.
- ![Network security group](./media/instance-create-quickstart/network-security-group.png)
+3. Return to the resource group, and select the network security group (NSG) object that was created.
4. Review the inbound and outbound security rules.
- ![Security rules](./media/instance-create-quickstart/security-rules.png)
+ ![Security rules](./media/instance-create-quickstart/azure-sql-managed-instance-security-rules.png)
+
+ To change or add rules, open the **Inbound Security Rules** and **Outbound security rules** in the Network security group settings.
> [!IMPORTANT]
-> If you have configured a public endpoint for SQL Managed Instance, you need to open ports to allow network traffic allowing connections to SQL Managed Instance from the public internet. See [Configure a public endpoint for SQL Managed Instance](public-endpoint-configure.md#allow-public-endpoint-traffic-on-the-network-security-group) for more information.
+> If you have configured a public endpoint for SQL Managed Instance, you need to open ports to allow network traffic allowing connections to SQL Managed Instance from the public internet. For more information, see [Configure a public endpoint for SQL Managed Instance](public-endpoint-configure.md#allow-public-endpoint-traffic-on-the-network-security-group).
> ## Retrieve connection details to SQL Managed Instance To connect to SQL Managed Instance, follow these steps to retrieve the host name and fully qualified domain name (FQDN):
-1. Return to the resource group and select your managed instance.
-
- ![Managed instance in the resource group](./media/instance-create-quickstart/managed-instance.png)
+1. Return to the resource group and select the SQL managed instance object that was created.
-2. On the **Overview** tab, locate the **Host** property. Copy the host name for the managed instance for use in the next quickstart.
+2. On the **Overview** tab, locate the **Host** property. Copy the host name to your clipboard for the managed instance for use in the next quickstart by clicking the **Copy to clipboard** button.
- ![Host name](./media/instance-create-quickstart/host-name.png)
+ ![Host name](./media/instance-create-quickstart/azure-sql-managed-instance-host-name.png)
The value copied represents a fully qualified domain name (FQDN) that can be used to connect to SQL Managed Instance. It is similar to the following address example: *your_host_name.a1b2c3d4e5f6.database.windows.net*.
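Review bot: step 1 of the network settings misexpands the acronym: "the user-defined Route table (UDR) object" conflates the route table with its contents, since UDR stands for user-defined route, i.e. the entries step 2 asks the reader to review; "the route table that holds the user-defined routes (UDRs)" is accurate. "open the **Routes** in the Route table settings" should drop "the". In the connection-details part of the hunk, step 2 has become a run-on ("Copy the host name to your clipboard for the managed instance for use in the next quickstart by clicking the **Copy to clipboard** button"); suggest "Select **Copy to clipboard** next to the host name; you'll use it in the next quickstart." Dropping the route-table and NSG screenshots is fine, and keeping the inbound/outbound security-rules screenshot is the right call, since step 4 is the one point in the quickstart where the reader sees what the deployment exposes.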
@@ -180,4 +196,4 @@ To restore an existing SQL Server database from on-premises to SQL Managed Insta
- Use the [Azure Database Migration Service for migration](../../dms/tutorial-sql-server-to-managed-instance.md) to restore from a database backup file. - Use the [T-SQL RESTORE command](restore-sample-database-quickstart.md) to restore from a database backup file.
-For advanced monitoring of SQL Managed Instance database performance with built-in troubleshooting intelligence, see [Monitor Azure SQL Managed Instance by using Azure SQL Analytics](../../azure-monitor/insights/azure-sql.md).
\ No newline at end of file
+For advanced monitoring of SQL Managed Instance database performance with built-in troubleshooting intelligence, see [Monitor Azure SQL Managed Instance by using Azure SQL Analytics](../../azure-monitor/insights/azure-sql.md).
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/scripts/create-powershell-azure-resource-manager-template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/scripts/create-powershell-azure-resource-manager-template.md
@@ -1,138 +0,0 @@
- Title: "Create a managed instance (ARM template & PowerShell)"-
-description: Use this Azure PowerShell example script to create a managed instance.
-------- Previously updated : 03/12/2019--
-# Use PowerShell with an Azure Resource Manager template to create a managed instance
-
-[!INCLUDE[appliesto-sqldb](../../includes/appliesto-sqlmi.md)]
-
-You can create a managed instance by using the Azure PowerShell library and Azure Resource Manager templates.
-
-[!INCLUDE [quickstarts-free-trial-note](../../../../includes/quickstarts-free-trial-note.md)]
-[!INCLUDE [updated-for-az](../../../../includes/updated-for-az.md)]
-[!INCLUDE [cloud-shell-try-it.md](../../../../includes/cloud-shell-try-it.md)]
-
-If you choose to install and use PowerShell locally, this tutorial requires Azure PowerShell 1.4.0 or later. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-az-ps). If you are running PowerShell locally, run `Connect-AzAccount` to create a connection to Azure.
-
-Azure PowerShell commands can start deployment using a predefined Azure Resource Manager template. The following properties can be specified in the template:
--- Managed instance name-- SQL administrator username and password.-- Size of the instance (number of cores and max storage size).-- VNet and subnet where the instance will be placed.-- Server-level collation of the instance (preview).-
-Instance name, SQL administrator username, VNet/subnet, and collation cannot be changed later. Other instance properties can be changed.
-
-## Prerequisites
-
-This sample assumes that you have [created a valid network environment](../virtual-network-subnet-create-arm-template.md) or [modified an existing VNet](../vnet-existing-add-subnet.md) for your managed instance. You can prepare the network environment using a separate [Azure Resource Manager template](https://github.com/Azure/azure-quickstart-templates/tree/master/101-sql-managed-instance-azure-environment), if necessary.
--
-The sample uses the cmdlets [New-AzResourceGroupDeployment](/powershell/module/az.resources/new-azresourcegroupdeployment) and [Get-AzVirtualNetwork](/powershell/module/az.network/get-azvirtualnetwork), so make sure that you have installed the following PowerShell modules:
-
-```powershell
-Install-Module Az.Network
-Install-Module Az.Resources
-```
-
-## Azure Resource Manager template
--
-Save the following script into a .json file, and note the file location:
-
-```json
-{
- "$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
- "contentVersion": "1.0.0.1",
- "parameters": {
- "instance": {
- "type": "string"
- },
- "user": {
- "type": "string"
- },
- "pwd": {
- "type": "securestring"
- },
- "subnetId": {
- "type": "string"
- }
- },
- "resources": [
- {
- "name": "[parameters('instance')]",
- "location": "West Central US",
- "tags": {
- "Description":"GP Instance with custom instance collation - Serbian_Cyrillic_100_CS_AS"
- },
- "sku": {
- "name": "GP_Gen5",
- "tier": "GeneralPurpose"
- },
- "properties": {
- "administratorLogin": "[parameters('user')]",
- "administratorLoginPassword": "[parameters('pwd')]",
- "subnetId": "[parameters('subnetId')]",
- "storageSizeInGB": 256,
- "vCores": 8,
- "licenseType": "LicenseIncluded",
- "hardwareFamily": "Gen5",
- "collation": "Serbian_Cyrillic_100_CS_AS"
- },
- "type": "Microsoft.Sql/managedInstances",
- "identity": {
- "type": "SystemAssigned"
- },
- "apiVersion": "2015-05-01-preview"
- }
- ]
-}
-```
-
-Update the following PowerShell script with the correct file path for the .json file you saved previously, and change the names of the objects in the script:
-
-```powershell
-$subscriptionId = "ed827499-xxxx-xxxx-xxxx-xxxxxxxxxx"
-Select-AzSubscription -SubscriptionId $subscriptionId
-
-# Managed instance properties
-$resourceGroup = "rg_mi"
-$location = "West Central US"
-$name = "managed-instance-name"
-$user = "miSqlAdmin"
-$secpasswd = ConvertTo-SecureString "<Put some strong password here>" -AsPlainText -Force
-
-# Network configuration
-$vNetName = "my_vnet"
-$vNetResourceGroup = "rg_mi_vnet"
-$subnetName = "ManagedInstances"
-$vNet = Get-AzVirtualNetwork -Name $vNetName -ResourceGroupName $vNetResourceGroup
-$subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vNet
-$subnetId = $subnet.Id
-
-# Deploy instance using Azure Resource Manager template:
-New-AzResourceGroupDeployment -Name MyDeployment -ResourceGroupName $resourceGroup `
- -TemplateFile 'C:\...\create-managed-instance.json' `
- -instance $name -user $user -pwd $secpasswd -subnetId $subnetId
-```
-
-Once the script completes, the managed instance can be accessed from all Azure services and the configured IP address.
-
-## Next steps
-
-For more information on Azure PowerShell, see [Azure PowerShell documentation](/powershell/azure/).
-
-Additional PowerShell script samples for Azure SQL Managed Instance can be found in [Azure SQL Managed Instance PowerShell scripts](../../database/powershell-script-content-guide.md).
\ No newline at end of file
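Review bot: this hunk removes the remainder of the article, including the `## Next steps` section and the link to `../../database/powershell-script-content-guide.md`, so nothing of the body survives; confirm a redirect for the old URL is in place so inbound links do not break. Wherever the sample is relocated, keep the administrator password wired exactly as here, as a `securestring` template parameter (`"pwd": { "type": "securestring" }`) fed from `ConvertTo-SecureString`, rather than a plain `string` parameter, so the value does not end up in deployment history in clear text.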
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/virtual-cluster-delete https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/virtual-cluster-delete.md
@@ -1,6 +1,6 @@
Title: Delete a subnet after deleting a managed instance of SQL Managed Instance
-description: Learn how to delete an Azure virtual network after deleting a managed instance of Azure SQL Managed Instance.
+ Title: Delete a subnet after deleting a SQL Managed Instance
+description: Learn how to delete an Azure virtual network after deleting an Azure SQL Managed Instance.
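Review bot: the new metadata title `Delete a subnet after deleting a SQL Managed Instance` does not match the new H1 later in this patch, `Delete a subnet after deleting an Azure SQL Managed Instance`; pick one form (with or without `Azure`, `a` vs `an`) and use it in both places so search results and the page heading agree.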
@@ -13,18 +13,18 @@
Last updated 06/26/2019
-# Delete a subnet after deleting a managed instance of SQL Managed Instance
+# Delete a subnet after deleting an Azure SQL Managed Instance
[!INCLUDE[appliesto-sqlmi](../includes/appliesto-sqlmi.md)]
-This article provides guidelines on how to manually delete a subnet after deleting the last managed instance of Azure SQL Managed Instance residing in it.
+This article provides guidelines on how to manually delete a subnet after deleting the last Azure SQL Managed Instance residing in it.
-Managed instances are deployed into [virtual clusters](connectivity-architecture-overview.md#virtual-cluster-connectivity-architecture). Each virtual cluster is associated with a subnet. The virtual cluster persists by design for 12 hours after the last instance deletion to enable you to more quickly create managed instances in the same subnet. There's no charge for keeping an empty virtual cluster. During this period, the subnet associated with the virtual cluster can't be deleted.
+SQL Managed Instances are deployed into [virtual clusters](connectivity-architecture-overview.md#virtual-cluster-connectivity-architecture). Each virtual cluster is associated with a subnet. The virtual cluster persists by design for 12 hours after the last instance deletion to enable you to more quickly create SQL Managed Instances in the same subnet. There's no charge for keeping an empty virtual cluster. During this period, the subnet associated with the virtual cluster can't be deleted.
If you don't want to wait 12 hours and prefer to delete the virtual cluster and its subnet sooner, you can do so manually. Delete the virtual cluster manually by using the Azure portal or the Virtual Clusters API. > [!IMPORTANT]
-> - The virtual cluster should contain no managed instances for the deletion to be successful.
-> - Deletion of a virtual cluster is a long-running operation lasting for about 1.5 hours (see [Managed instance management operations](./sql-managed-instance-paas-overview.md#management-operations) for up-to-date virtual cluster delete time). The virtual cluster will still be visible in the portal until this process is completed.
+> - The virtual cluster should contain no SQL Managed Instances for the deletion to be successful.
+> - Deletion of a virtual cluster is a long-running operation lasting for about 1.5 hours (see [SQL Managed Instance management operations](./sql-managed-instance-paas-overview.md#management-operations) for up-to-date virtual cluster delete time). The virtual cluster will still be visible in the portal until this process is completed.
## Delete a virtual cluster from the Azure portal
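Review bot: the `Last updated 06/26/2019` context line is left untouched although the H1, the introduction and the IMPORTANT box are all rewritten in this hunk; bump the date. The rewrite also turns the service name into a countable noun (`SQL Managed Instances are deployed`, `contain no SQL Managed Instances`), whereas the removed text used `managed instances` for the countable and `Azure SQL Managed Instance` for the service; keeping that distinction (`managed instances` / `instances of Azure SQL Managed Instance`) avoids reading as if the product itself were plural.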
@@ -39,7 +39,7 @@ After you locate the virtual cluster you want to delete, select this resource, a
Azure portal notifications will show you a confirmation that the request to delete the virtual cluster has been successfully submitted. The deletion operation itself will last for about 1.5 hours, during which the virtual cluster will still be visible in portal. Once the process is completed, the virtual cluster will no longer be visible and the subnet associated with it will be released for reuse. > [!TIP]
-> If there are no managed instances shown in the virtual cluster, and you are unable to delete the virtual cluster, ensure that you do not have an ongoing instance deployment in progress. This includes started and canceled deployments that are still in progress. This is because these operations will still use the virtual cluster, locking it from deletion. Reviewing the **Deployments** tab of the resource group the instance was deployed to will indicate any deployments in progress. In this case, wait for the deployment to complete, delete the managed instance, and then delete the virtual cluster.
+> If there are no SQL Managed Instances shown in the virtual cluster, and you are unable to delete the virtual cluster, ensure that you do not have an ongoing instance deployment in progress. This includes started and canceled deployments that are still in progress. This is because these operations will still use the virtual cluster, locking it from deletion. Reviewing the **Deployments** tab of the resource group the instance was deployed to will indicate any deployments in progress. In this case, wait for the deployment to complete, delete the SQL Managed Instance, and then delete the virtual cluster.
## Delete a virtual cluster by using the API
@@ -50,5 +50,5 @@ To delete a virtual cluster through the API, use the URI parameters specified in
- For an overview, see [What is Azure SQL Managed Instance?](sql-managed-instance-paas-overview.md). - Learn about [connectivity architecture in SQL Managed Instance](connectivity-architecture-overview.md). - Learn how to [modify an existing virtual network for SQL Managed Instance](vnet-existing-add-subnet.md).-- For a tutorial that shows how to create a virtual network, create a managed instance, and restore a database from a database backup, see [Create a managed instance](instance-create-quickstart.md).
+- For a tutorial that shows how to create a virtual network, create an Azure SQL Managed Instance, and restore a database from a database backup, see [Create an Azure SQL Managed Instance (portal)](instance-create-quickstart.md).
- For DNS issues, see [Configure a custom DNS](custom-dns-configure.md).\ No newline at end of file
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/managed-instance/sql-server-to-managed-instance-overview.md
@@ -166,7 +166,7 @@ SQL logins from the source SQL Server can be moved to Azure SQL Managed Instance
By default, Azure Database Migration Service only supports migrating SQL logins. However, you can enable the ability to migrate Windows logins by:
-Ensuring that the target SQL Managed Instance has Azure AD read access, which can be configured via the Azure portal by a user with the **Company Administrator** or a **Global Administrator**" role.
+Ensuring that the target SQL Managed Instance has Azure AD read access, which can be configured via the Azure portal by a user with the **Global Administrator** role.
Configuring your Azure Database Migration Service instance to enable Windows user/group login migrations, which is set up via the Azure portal, on the Configuration page. After enabling this setting, restart the service for the changes to take effect. After restarting the service, Windows user/group logins appear in the list of logins available for migration. For any Windows user/group logins you migrate, you are prompted to provide the associated domain name. Service user accounts (account with domain name NT AUTHORITY) and virtual user accounts (account name with domain name NT SERVICE) are not supported.
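Review bot: removing `**Company Administrator** or` fixes the stray closing quote, but `Company Administrator` is still the display name under which the Global Administrator role is surfaced in Azure AD PowerShell and the directory role APIs, so a reader who checks their role there may conclude they lack the permission; consider `**Global Administrator** (shown as Company Administrator in Azure AD PowerShell)` to keep both names.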
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/azure-security-integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/azure-security-integration.md
@@ -40,7 +40,7 @@ You can configure the Log Analytics workspace with Azure Sentinel for alert dete
## Create a Log Analytics workspace
-You will need a Log Analytics workspace to collect data from various sources. See the steps in [Create a Log Analytics workspace from the Azure portal](../azure-monitor/learn/quick-create-workspace.md).
+You will need a Log Analytics workspace to collect data from various sources. For more information, see [Create a Log Analytics workspace from the Azure portal](../azure-monitor/learn/quick-create-workspace.md).
## Deploy Security Center and configure Azure VMware Solution VMs
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/concepts-hub-and-spoke https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/concepts-hub-and-spoke.md
@@ -71,7 +71,7 @@ Because an ExpressRoute gateway doesn't provide transitive routing between its c
:::image type="content" source="./media/hub-spoke/azure-vmware-solution-hub-vnet-traffic-flow.png" alt-text="Azure VMware Solution to Hub virtual network traffic flow" border="false" lightbox="./media/hub-spoke/azure-vmware-solution-hub-vnet-traffic-flow.png":::
-You can find more details about Azure VMware Solution networking and connectivity concepts in the [Azure VMware Solution product documentation](./concepts-networking.md).
+For more information on Azure VMware Solution networking and connectivity concepts, see the [Azure VMware Solution product documentation](./concepts-networking.md).
### Traffic segmentation
@@ -98,7 +98,7 @@ A second level of traffic segmentation using the network security groups within
Azure Application Gateway V1 and V2 have been tested with web apps that run on Azure VMware Solution VMs as a backend pool. Application Gateway is currently the only supported method to expose web apps running on Azure VMware Solution VMs to the internet. It can also expose the apps to internal users securely.
-Review Azure VMware Solution-specific article on [Application Gateway](./protect-azure-vmware-solution-with-application-gateway.md) for the details and requirements.
+For more information, see the Azure VMware Solution-specific article on [Application Gateway](./protect-azure-vmware-solution-with-application-gateway.md).
:::image type="content" source="media/hub-spoke/azure-vmware-solution-second-level-traffic-segmentation.png" alt-text="Second level of traffic segmentation using the Network Security Groups" border="false":::
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/concepts-networking https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/concepts-networking.md
@@ -50,9 +50,7 @@ The diagram below shows the on-premises to private cloud interconnectivity, whic
:::image type="content" source="media/concepts/adjacency-overview-drawing-double.png" alt-text="Virtual network and on-premises full private cloud connectivity" border="false":::
-For full interconnectivity to your private cloud, enable ExpressRoute Global Reach and then request an authorization key and private peering ID for Global Reach in the Azure portal. The authorization key and peering ID are used to establish Global Reach between an ExpressRoute circuit in your subscription and the ExpressRoute circuit for your new private cloud. Once linked, the two ExpressRoute circuits route network traffic between your on-premises environments to your private cloud. See the [tutorial for creating an ExpressRoute Global Reach peering to a private cloud](tutorial-expressroute-global-reach-private-cloud.md) for the procedures to request and use the authorization key and peering ID.
--
+For full interconnectivity to your private cloud, enable ExpressRoute Global Reach and then request an authorization key and private peering ID for Global Reach in the Azure portal. The authorization key and peering ID are used to establish Global Reach between an ExpressRoute circuit in your subscription and the ExpressRoute circuit for your new private cloud. Once linked, the two ExpressRoute circuits route network traffic between your on-premises environments to your private cloud. For more information on the procedures to request and use the authorization key and peering ID, see the [tutorial for creating an ExpressRoute Global Reach peering to a private cloud](tutorial-expressroute-global-reach-private-cloud.md).
## Next steps Learn about [private cloud storage concepts](concepts-storage.md).
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/concepts-storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/concepts-storage.md
@@ -27,7 +27,7 @@ vSAN datastores use data-at-rest encryption by default. The encryption solution
## Scaling
-Native cluster storage capacity is scaled by adding hosts to a cluster. For clusters that use HE hosts, the raw cluster-wide capacity is increased by 15.4 TB with each additional host. Clusters that are built with GP hosts have their raw capacity increased by 7.7 TB with each additional host. In both types of clusters, hosts take about 10 minutes to be added to a cluster. See the [scale private cloud tutorial][tutorial-scale-private-cloud] for instructions on scaling clusters.
+Native cluster storage capacity is scaled by adding hosts to a cluster. For clusters that use HE hosts, the raw cluster-wide capacity is increased by 15.4 TB with each additional host. Clusters that are built with GP hosts have their raw capacity increased by 7.7 TB with each additional host. In both types of clusters, hosts take about 10 minutes to be added to a cluster. For instructions on scaling clusters, see the [scale private cloud tutorial][tutorial-scale-private-cloud].
## Azure storage integration
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/faq.md
@@ -2,7 +2,7 @@
Title: Frequently asked questions description: Provides answers to some of the common questions about Azure VMware Solution. Previously updated : 1/14/2021 Last updated : 1/27/2021 # Frequently asked questions about Azure VMware Solution
@@ -75,6 +75,12 @@ No. Azure Load Balancer internal-only supports Azure IaaS VMs. Azure Load Balanc
### Can an existing ExpressRoute Gateway be used to connect to Azure VMware Solution? Yes. Use an existing ExpressRoute Gateway to connect to Azure VMware Solution as long as it doesn't exceed the limit of four ExpressRoute circuits per virtual network. To access Azure VMware Solution from on-premises through ExpressRoute, you must have ExpressRoute Global Reach since the ExpressRoute Gateway doesn't provide transitive routing between its connected circuits.
+### Why does Azure VMware Solution use a Public 4-byte Autonomous System Number (ASN)?
+Azure VMware Solution uses the officially registered Public 4-byte ASNs to ensure there is never a conflict with your on-premises use of Private ASNs in the customer's routing path to Azure VMware Solution.
+
+### How can I use ExpressRoute to connect to Azure VMware Solution if the on-premises ExpressRoute-carrier partners/ISPs don't support 4-byte ASN?
+The only way to connect to Azure VMware Solution through ExpressRoute is for your environment and the on-premises ExpressRoute-carrier partners/ISPs support 4-byte ASN or have backward compatibility from 4 byte to 2-byte ASN in the BGP prefix ASN path advertisement.
+ ## Compute, network, storage, and backup ### Is there more than one type of host available?
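Review bot: the second new answer is missing a verb: `is for your environment and the on-premises ExpressRoute-carrier partners/ISPs support 4-byte ASN` should read `... to support 4-byte ASNs, or to have backward compatibility from 4-byte to 2-byte ASNs in the BGP AS path advertisement` (also `4 byte` vs `4-byte` is hyphenated inconsistently within the sentence). In the first answer, `your on-premises use of Private ASNs in the customer's routing path` mixes second and third person, and `Public`/`Private` need not be capitalized mid-sentence.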
@@ -253,7 +259,7 @@ VMware HCX Enterprise is available with Azure VMware Solution as a *Preview* fun
### How do I request a host quota increase for Azure VMware Solution?
-For CSP-managed subscriptions, the customer must submit the request to the partner. The partner team then engages with Microsoft to get the quota increased for the subscription. See [How to enable Azure VMware Solution resource article](enable-azure-vmware-solution.md) for the details.
+For CSP-managed subscriptions, the customer must submit the request to the partner. The partner team then engages with Microsoft to get the quota increased for the subscription. For more information, see [How to enable Azure VMware Solution resource](enable-azure-vmware-solution.md).
For EA subscriptions, use the following procedure. First, you'll need:
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/lifecycle-management-of-azure-vmware-solution-vms https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/lifecycle-management-of-azure-vmware-solution-vms.md
@@ -76,13 +76,13 @@ Azure Security Center does not require deployment. For more information, see a l
Azure Arc extends Azure management to any infrastructure, including Azure VMware Solution, on-premises, or other cloud platforms. -- See [Connect hybrid machines to Azure at scale](../azure-arc/servers/onboard-service-principal.md) to enable Azure Arc enabled servers for multiple Windows or Linux VMs.
+- For information on enabling Azure Arc enabled servers for multiple Windows or Linux VMs, see [Connect hybrid machines to Azure at scale](../azure-arc/servers/onboard-service-principal.md).
### Onboard hybrid Kubernetes clusters with Arc enabled Kubernetes You can attach a Kubernetes cluster hosted in your Azure VMware Solution environment using Azure Arc enabled Kubernetes. -- See [Create an Azure Arc-enabled onboarding Service Principal](../azure-arc/kubernetes/create-onboarding-service-principal.md).
+- For more information, see [Create an Azure Arc-enabled onboarding Service Principal](../azure-arc/kubernetes/create-onboarding-service-principal.md).
### Deploy the Log Analytics agent
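Review bot: the two added bullets hyphenate the feature name differently, `Azure Arc enabled servers` and `Azure Arc-enabled onboarding`; use one form in both so the product name is consistent on the page.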
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/netapp-files-with-azure-vmware-solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/netapp-files-with-azure-vmware-solution.md
@@ -97,7 +97,7 @@ The following are just a few compelling Azure NetApp Files use cases.
- File shares on Azure VMware Solution ## Next steps-- Learn about [resource limits for Azure NetApp Files](../azure-netapp-files/azure-netapp-files-resource-limits.md#resource-limits).-- See [Guidelines for Azure NetApp Files network planning](../azure-netapp-files/azure-netapp-files-network-topologies.md).-- Learn about [Cross-region replication of Azure NetApp Files volumes](../azure-netapp-files/cross-region-replication-introduction.md). -- See [FAQs about Azure NetApp Files](../azure-netapp-files/azure-netapp-files-faqs.md).
+- [Resource limits for Azure NetApp Files](../azure-netapp-files/azure-netapp-files-resource-limits.md#resource-limits)
+- [Guidelines for Azure NetApp Files network planning](../azure-netapp-files/azure-netapp-files-network-topologies.md)
+- [Cross-region replication of Azure NetApp Files volumes](../azure-netapp-files/cross-region-replication-introduction.md)
+- [FAQs about Azure NetApp Files](../azure-netapp-files/azure-netapp-files-faqs.md)
backup https://docs.microsoft.com/en-us/azure/backup/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Backup description: Lists Azure Policy Regulatory Compliance controls available for Azure Backup. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
batch https://docs.microsoft.com/en-us/azure/batch/budget https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/budget.md
@@ -1,27 +1,39 @@
Title: Cost analysis and budgets
+ Title: Get cost analysis and set budgets for Azure Batch
description: Learn how to get a cost analysis, set a budget, and reduce costs for the underlying compute resources and software licenses used to run your Batch workloads. Previously updated : 01/21/2021 Last updated : 01/29/2021
-# Cost analysis and budgets for Azure Batch
+# Get cost analysis and set budgets for Azure Batch
-There are no costs for using Azure Batch itself, although there can be charges for the underlying compute resources and software licenses used to run Batch workloads. Costs may be incurred from virtual machines (VMs) in a pool, data transfer from the VM, or any input or output data stored in the cloud. This topic will help you understand where costs come from, how to set a budget for a Batch pool or account, and ways to reduce the costs for Batch workloads.
+This topic will help you understand costs that may be associated with Azure Batch, how to set a budget for a Batch pool or account, and ways to reduce the costs for Batch workloads.
-## Batch resources
+## Understand costs associated with Batch resources
+
+There are no costs for using Azure Batch itself, although there can be charges for the underlying compute resources and software licenses used to run Batch workloads. Costs may be incurred from virtual machines (VMs) in a pool, data transfer from the VM, or any input or output data stored in the cloud.
+
+### Virtual machines
Virtual machines are the most significant resource used for Batch processing. The cost of using VMs for Batch is calculated based on the type, quantity, and the duration of use. VM billing options include [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) or [reservation](../cost-management-billing/reservations/save-compute-costs-reservations.md) (pay in advance). Both payment options have different benefits depending on your compute workload and will affect your bill differently.
-When applications are deployed to Batch nodes (VMs) using [application packages](batch-application-packages.md), you are billed for the Azure Storage resources that your application packages consume. You are also billed for the storage of any input or output files, such as resource files and other log data. In general, the cost of storage data associated with Batch is much lower than the cost of compute resources. Each VM in a pool created with [Virtual Machine Configuration](nodes-and-pools.md#virtual-machine-configuration) has an associated OS disk that uses Azure-managed disks. Azure-managed disks have an additional cost, and other disk performance tiers have different costs as well.
+Each VM in a pool created with [Virtual Machine Configuration](nodes-and-pools.md#virtual-machine-configuration) has an associated OS disk that uses Azure-managed disks. Azure-managed disks have an additional cost, and other disk performance tiers have different costs as well.
-Batch pools use networking resources. In particular, for **VirtualMachineConfiguration** pools, standard load balancers are used, which require static IP addresses. The load balancers used by Batch are visible for **User Subscription** accounts, but are not visible for **Batch Service** accounts. Standard load balancers incur charges for all data passed to and from Batch pool VMs; select Batch APIs that retrieve data from pool nodes (such as Get Task/Node File), task application packages, resource/output files, and container images will incur charges.
+### Storage
-### Additional services
+When applications are deployed to Batch nodes (VMs) using [application packages](batch-application-packages.md), you are billed for the Azure Storage resources that your application packages consume. You're also billed for the storage of any input or output files, such as resource files and other log data.
+
+In general, the cost of storage data associated with Batch is much lower than the cost of compute resources.
+
+### Networking resources
+
+Batch pools use networking resources, some of which have associated costs. In particular, for Virtual Machine Configuration pools, standard load balancers are used, which require static IP addresses. The load balancers used by Batch are visible for [accounts](accounts.md#batch-accounts) configured in user subscription mode, but not those in Batch service mode.
-Services not including VMs and storage can factor in to the cost of your Batch account.
+Standard load balancers incur charges for all data passed to and from Batch pool VMs. Select Batch APIs that retrieve data from pool nodes (such as Get Task/Node File), task application packages, resource/output files, and container images will also incur charges.
-Other services commonly used with Batch can include:
+### Additional services
+
+Depending on which services you use with your Batch solution, you may incur additional fees. Refer to the [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/) to determine the cost of each additional service. Services commonly used with Batch that may have associated costs include:
- Application Insights - Data Factory
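Review bot: in the new `### Networking resources` paragraph, starting the sentence with `Select Batch APIs that retrieve data from pool nodes ...` reads as an instruction to select APIs; the removed text had `select` mid-sentence as an adjective. Suggest `Certain Batch APIs that retrieve data from pool nodes (such as Get Task/Node File) ... also incur charges.` The same hunk also alternates between `you are billed` (Virtual machines) and `You're also billed` (Storage); pick one.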
@@ -29,13 +41,14 @@ Other services commonly used with Batch can include:
- Virtual Network - VMs with graphics applications
-Depending on which services you use with your Batch solution, you may incur additional fees. Refer to the [Pricing Calculator](https://azure.microsoft.com/pricing/calculator/) to determine the cost of each additional service.
-
-## Cost analysis and budget for a pool
+## View cost analysis and create a budget for a pool
In the Azure portal, you can create budgets and spending alerts for your Batch pools or Batch accounts. Budgets and alerts are useful for notifying stakeholders of any risks of overspending, although it's possible for there to be a delay in spending alerts and to slightly exceed a budget.
-In this example, we'll view cost analysis of an individual Batch pool.
+> [!NOTE]
+> The pool in this example uses **Virtual Machine Configuration**, which is recommended for most pools and has charges based on the Virtual Machines pricing structure. Pools that use **Cloud Services Configuration** are charged based on the Cloud Services pricing structure.
+
+### View cost analysis for a Batch pool
1. In the Azure portal, type in or select **Cost Management + Billing** . 1. Select your subscription in the **Billing scopes** section.
@@ -46,34 +59,35 @@ In this example, we'll view cost analysis of an individual Batch pool.
The resulting cost analysis shows the cost of the pool as well as the resources that contribute to this cost. In this example, the VMs used in the pool are the most costly resource.
-To create a budget for the pool select **Budget: none**, then select **Create new budget >**. Now use the window to [configure a budget](../cost-management-billing/costs/tutorial-acm-create-budgets.md) specifically for your pool.
+### Create a budget for a Batch pool
-> [!NOTE]
-> Azure Batch is built on Azure Cloud Services and Azure Virtual Machines technology. When you choose **Cloud Services Configuration**, you are charged based on the Cloud Services pricing structure. When you choose **Virtual Machine Configuration**, you are charged based on the Virtual Machines pricing structure. The example on this page uses the **Virtual Machine Configuration**, which is recommended for most Batch pools.
+1. From the **Cost analysis** page, select **Budget: none**.
+1. Select **Create new budget >**.
+1. Use the resulting window to configure a budget specifically for your pool. For more information, see [Tutorial: Create and manage Azure budgets](../cost-management-billing/costs/tutorial-acm-create-budgets.md).
-## Minimize cost
+## Minimize costs associated with Azure Batch
-Using several VMs and Azure services for extended periods of time can be costly. Consider using these strategies to maximize the efficiency of your workloads and reduce your costs.
+Depending on your scenario, you may want to reduce costs as much as possible. Consider using one or more of these strategies to maximize the efficiency of your workloads and reduce potential costs.
-### Low-priority virtual machines
+### Use low-priority virtual machines
[Low-priority VMs](batch-low-pri-vms.md) reduce the cost of Batch workloads by taking advantage of surplus computing capacity in Azure. When you specify low-priority VMs in your pools, Batch uses this surplus to run your workload. There can be substantial cost savings when you use low-priority VMs instead of dedicated VMs.
-### Virtual machine OS disk type
+### Select a standard virtual machine OS disk type
Azure offers multiple [VM OS disk types](../virtual-machines/disks-types.md). Most VM-series have sizes that support both premium and standard storage. When an 's' VM size is selected for a pool, Batch configures premium SSD OS disks. When the 'non-s' VM size is selected, then the cheaper, standard HDD disk type is used. For example, premium SSD OS disks are used for `Standard_D2s_v3` and standard HDD OS disks are used for `Standard_D2_v3`. Premium SSD OS disks are more expensive, but have higher performance. VMs with premium disks can start slightly quicker than VMs with standard HDD OS disks. With Batch, the OS disk is often not used much, since the applications and task files are located on the VM's temporary SSD disk. Because of this, you can often select the 'non-s' VM size to avoid paying the increased cost for the premium SSD that is provisioned when an 's' VM size is specified.
-### Reserved virtual machine instances
+### Purchase reservations for virtual machine instances
If you intend to use Batch for a long period of time, you can reduce the cost of VMs by using [Azure Reservations](../cost-management-billing/reservations/save-compute-costs-reservations.md) for your workloads. A reservation rate is considerably lower than a pay-as-you-go rate. Virtual machine instances used without a reservation are charged at the pay-as-you-go rate. When you purchase a reservation, the reservation discount is applied.
-### Automatic scaling
+### Use automatic scaling
[Automatic scaling](batch-automatic-scaling.md) dynamically scales the number of VMs in your Batch pool based on demands of the current job. By scaling the pool based on the lifetime of a job, automatic scaling ensures that VMs are scaled up and used only when there is a job to perform. When the job is complete, or when there are no jobs, the VMs are automatically scaled down to save compute resources. Scaling allows you to lower the overall cost of your Batch solution by using only the resources you need. ## Next steps -- Learn more about the [Batch APIs and tools](batch-apis-tools.md) available for building and monitoring Batch solutions.
+- Learn more about [Azure Cost Management + Billing](../cost-management-billing/cost-management-billing-overview.md)
- Learn about [using low-priority VMs with Batch](batch-low-pri-vms.md).
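Review bot: the new bullet `Learn more about [Azure Cost Management + Billing](...)` has no terminal period while the neighbouring bullet keeps one; make the punctuation consistent. Also note that the existing `[Batch APIs and tools](batch-apis-tools.md)` next step is removed rather than kept alongside the new link; if that was not intentional, re-add it.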
batch https://docs.microsoft.com/en-us/azure/batch/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Batch description: Lists Azure Policy Regulatory Compliance controls available for Azure Batch. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
cloud-services https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-dotnet-install-dotnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services/cloud-services-dotnet-install-dotnet.md
@@ -27,7 +27,7 @@ To install .NET on your web and worker roles, include the .NET web installer as
## Add the .NET installer to your project To download the web installer for the .NET Framework, choose the version that you want to install:
-* [.NET Framework 4.8 web installer](https://dotnet.microsoft.com/download/thank-you/net48)
+* [.NET Framework 4.8 Web installer](https://go.microsoft.com/fwlink/?LinkId=2150985)
* [.NET Framework 4.7.2 web installer](https://go.microsoft.com/fwlink/?LinkId=863262) * [.NET Framework 4.6.2 web installer](https://www.microsoft.com/download/details.aspx?id=53345)
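Review bot: The replaced bullet capitalizes "Web installer" while the 4.7.2 and 4.6.2 bullets that follow keep "web installer"; keep the casing consistent across the list. The new target is a `go.microsoft.com/fwlink/?LinkId=2150985` redirector, so a reader can no longer see from the link text where the installer binary is actually served from; if a direct download page exists, link it, otherwise confirm the fwlink resolves to a Microsoft download host before merging, since this is the installer people drop into a Cloud Services role.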
cloud-services https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-guestos-msrc-releases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services/cloud-services-guestos-msrc-releases.md
@@ -1573,7 +1573,7 @@ The following tables show the Microsoft Security Response Center (MSRC) updates
| N/A | [4014511] |May .NET non-security rollup |2.63 |May 9, 2017 | | N/A | [4014514] |May .NET non-security rollup |2.63 |May 9, 2017 | | N/A | [4019216] |May non-security rollup |3.50 |May 9, 2017 |
-| N/A | [4014503] |May .NET non-security rollup |3.50 |May 9, 2017 |
+| N/A | 4014503 |May .NET non-security rollup |3.50 |May 9, 2017 |
| N/A | [4014506] |May .NET non-security rollup |3.50 |May 9, 2017 | | N/A | [4014509] |May .NET non-security rollup |3.50 |May 9, 2017 | | N/A | [4014513] |May .NET non-security rollup |3.50 |May 9, 2017 |
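Review bot: Turning `[4014503]` into plain text leaves it as the only KB in this table that readers cannot follow, while the same commit points other dead KB links at an archived copy (see the 3038314 change further down). If the support.microsoft.com article is gone, prefer a web.archive.org snapshot or the Microsoft Update Catalog entry so admins auditing a Guest OS release can still verify what the rollup contained.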
@@ -2322,7 +2322,6 @@ The following tables show the Microsoft Security Response Center (MSRC) updates
[4014511]: https://support.microsoft.com/kb/4014511 [4014514]: https://support.microsoft.com/kb/4014514 [4019216]: https://support.microsoft.com/kb/4019216
-[4014503]: https://support.microsoft.com/kb/4014503
[4014506]: https://support.microsoft.com/kb/4014506 [4014509]: https://support.microsoft.com/kb/4014509 [4014513]: https://support.microsoft.com/kb/4014513
@@ -2674,7 +2673,7 @@ The following tables show the Microsoft Security Response Center (MSRC) updates
[3035126]: https://support.microsoft.com/kb/3035126 [3049563]:https://support.microsoft.com/kb/3049563
-[3057110]:https://support.microsoft.com/kb/3057110
+[3057110]:https://mskb.pkisolutions.com/kb/3057110
[3046002]:https://support.microsoft.com/kb/3046002 [3057134]:https://support.microsoft.com/kb/3057134 [3055642]:https://support.microsoft.com/kb/3055642
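Review bot: The new target for `[3057110]` is `mskb.pkisolutions.com`, a third-party mirror rather than a Microsoft-controlled host, and this MSRC table is where operators go to confirm which security updates a Guest OS release carries. Prefer a web.archive.org snapshot of the original support.microsoft.com article, as this commit already does for 3038314, or the Microsoft Update Catalog; if the mirror must stay, label it as a third-party copy so nobody treats it as an authoritative source.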
@@ -2684,7 +2683,7 @@ The following tables show the Microsoft Security Response Center (MSRC) updates
[3051768]:https://support.microsoft.com/kb/3051768 [3061518]:https://support.microsoft.com/kb/3061518
-[3038314]:https://support.microsoft.com/kb/3038314
+[3038314]:https://web.archive.org/web/20180920122209/https:/support.microsoft.com/en-us/help/3038314/ms15-032-cumulative-security-update-for-internet-explorer-april-14-201
[3042553]:https://support.microsoft.com/kb/3042553 [3046306]:https://support.microsoft.com/kb/3046306 [3046269]:https://support.microsoft.com/kb/3046269
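Review bot: The embedded address in the archive URL has a single slash after the scheme (`https:/support.microsoft.com/en-us/help/3038314/...`). The Wayback Machine usually tolerates that, but link checkers and readers copying the original URL out of the snapshot path may not; use the canonical `https://support.microsoft.com/...` form inside the `web.archive.org/web/<timestamp>/` prefix. The mixed approach in this commit (archive.org here, a third-party mirror for 3057110, plain text for 4014503) should be settled on one replacement strategy for dead KB links.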
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/includes/spx-setup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/includes/spx-setup.md
@@ -14,9 +14,16 @@
Follow these steps to install the Speech CLI on Windows: 1. On Windows, you need the [Microsoft Visual C++ Redistributable for Visual Studio 2019](https://support.microsoft.com/help/2977003/the-latest-supported-visual-c-downloads) for your platform. Installing this for the first time may require a restart.
-2. Download the Speech CLI [zip archive](https://aka.ms/speech/spx-zips.zip), then extract it.
-3. Go to the directory where you extracted `spx-zips`. This folder contains program files for the Speech CLI on a variety of platforms.
-4. Extract the files for your platform (`spx-net471` for .NET Framework 4.7, or `spx-netcore-win-x64` for .NET Core 3.0 on an x64 CPU). Keep in mind that you'll run `spx` from this directory.
+1. Install [.NET Core 3.1](/dotnet/core/install/linux.md).
+2. Install the Speech CLI using NuGet by entering this command:
+
+ `dotnet tool install --global Microsoft.CognitiveServices.Speech.CLI --version 1.15.0`
+
+Type `spx` to see help for the Speech CLI.
+
+> [!NOTE]
+> As an alternative to NuGet, you can download and extract the Speech CLI [zip archive](https://aka.ms/speech/spx-zips.zip),
+> find and extract your platform from the `spx-zips` directory, and add the `spx` path to your system **PATH** variable.
### Run the Speech CLI
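Review bot: The list now numbers 1, 1, 2 because the existing Visual C++ step keeps its `1.` and the new steps restart at `1.`. The `.NET Core 3.1` link in this Windows tab points at `/dotnet/core/install/linux.md`; it should target the Windows install page. Pinning `--version 1.15.0` on the global tool install is the right call, but the NOTE still offers the zip archive as an alternative with no checksum or signature to verify; either mention how to verify that download or drop the alternative now that the NuGet path exists.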
@@ -38,16 +45,20 @@ If you output to a file, a text editor like Notepad or a web browser like Micros
Follow these steps to install the Speech CLI on Linux on an x64 CPU:
-1. Install [.NET Core 3.0](https://dotnet.microsoft.com/download/dotnet-core/3.0).
-2. Download the Speech CLI [zip archive](https://aka.ms/speech/spx-zips.zip), then extract it.
-3. Go to the root directory `spx-zips` that you extracted from the download, and extract `spx-netcore-30-linux-x64` to a new `~/spx` directory.
-4. In a terminal, type these commands:
- 1. `cd ~/spx`
- 2. `sudo chmod +r+x spx`
- 3. `PATH=~/spx:$PATH`
+1. Install [.NET Core 3.1](/dotnet/core/install/linux.md).
+2. Install the Speech CLI using NuGet by entering this command:
+
+ `dotnet tool install --global Microsoft.CognitiveServices.Speech.CLI --version 1.15.0`
Type `spx` to see help for the Speech CLI.
+> [!NOTE]
+> As an alternative to NuGet,
+> you can download the binaries at [zip archive](https://aka.ms/speech/spx-zips.zip),
+> extract `spx-netcore-30-linux-x64` to a new `~/spx` directory, type `sudo chmod +r+x spx` on the binary,
+> and add the `~/spx` path to your PATH system variable.
++ #### [Docker Install (Windows, Linux, macOS)](#tab/dockerinstall) Follow these steps to install the Speech CLI in a Docker container:
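Review bot: Step 1 now requires .NET Core 3.1, but the NOTE still tells readers to extract `spx-netcore-30-linux-x64`, a .NET Core 3.0 build; either the folder name changed with 1.15.0 or the runtime requirement is wrong, so reconcile the two. `sudo chmod +r+x spx` runs chmod as root on a file the user just extracted into their own `~/spx`; `chmod +rx ~/spx/spx` without `sudo` does the same job and avoids teaching an unnecessary privileged command. The `.NET Core 3.1` link uses the same relative `/dotnet/core/install/linux.md` target as the Windows tab, which is correct here but confirms the Windows tab copy was pasted without adjustment.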
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Speech-Service/releasenotes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/releasenotes.md
@@ -19,24 +19,35 @@
**Note**: The Speech SDK on Windows depends on the shared Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 and 2019. Download it [here](https://support.microsoft.com/help/2977003/the-latest-supported-visual-c-downloads).
+**Highlights summary**
+- Smaller memory and disk footprint making the SDK more efficient.
+- Improved Custom Voice quality and ease of use.
+- Intent Recognizer can now get return more than the top intent, giving you the ability to make a separate assessment about your customer's intent.
+- Your voice assistant or bot are now easier to set up, and you can make it stop listening immediately, and exercise greater control over how it responds to errors.
+- Improved on device performance through making compression optional.
+- Use the Speech SDK on Windows ARM/ARM64.
+- Improved low level debugging.
+- Pronunciation assessment feature is now more widely available.
+- Several Bug fixes to address issues YOU, our valued customers, have flagged on GitHub! THANK YOU! Keep the feedback coming!
+ **Improvements**-- We have started a multi release effort to reduce the Speech SDK's memory usage and disk footprint. As a first step we made significant file size reductions in shared libraries on most platforms. Compared to the 1.14 release:
- - 64-bit UWP-compatible Windows libraries are about 30% smaller;
+- The Speech SDK is now more efficient and lightweight. We have started a multi release effort to reduce the Speech SDK's memory usage and disk footprint. As a first step we made significant file size reductions in shared libraries on most platforms. Compared to the 1.14 release:
+ - 64-bit UWP-compatible Windows libraries are about 30% smaller.
- 32-bit Windows libraries are not yet seeing a size improvements.
- - Linux libraries are 20-25% smaller;
- - Android libraries are 3-5% smaller;
+ - Linux libraries are 20-25% smaller.
+ - Android libraries are 3-5% smaller.
**New features**-- **All**: Added 48kHz format for custom TTS voices, improving the audio quality of custom voices whose native output sample rates are higher than 24kHz.-- **All**: Added support for setting custom voice via `EndpointId` ([C++](https://docs.microsoft.com/cpp/cognitive-services/speech/speechconfig#setendpointid), [C#](https://docs.microsoft.com/dotnet/api/microsoft.cognitiveservices.speech.speechconfig.endpointid?view=azure-dotnet#Microsoft_CognitiveServices_Speech_SpeechConfig_EndpointId), [Java](https://docs.microsoft.com/java/api/com.microsoft.cognitiveservices.speech.speechconfig.setendpointid?view=azure-java-stable#com_microsoft_cognitiveservices_speech_SpeechConfig_setEndpointId_String_), [JavaScript](https://docs.microsoft.com/javascript/api/microsoft-cognitiveservices-speech-sdk/speechconfig?view=azure-node-latest#endpointId), [Objective-C](https://docs.microsoft.com/objectivec/cognitive-services/speech/spxspeechconfiguration#endpointid), [Python](https://docs.microsoft.com/python/api/azure-cognitiveservices-speech/azure.cognitiveservices.speech.speechconfig?view=azure-python#endpoint-id)). Before this change, custom voice users needed to set the endpoint URL via the `FromEndpoint` method. Now customers can use the `FromSubscription` method just like public voices, and then provide the deployment id by setting `EndpointId`. This simplifies setting up custom voices. -- **C++/C#/Java/Objective-C/Python**: `IntentRecognizer` now supports configuring the JSON result containing all intents and not only the top scoring intent via `LanguageUnderstandingModel FromEndpoint` method by using `verbose=true` uri parameter. This addresses [GitHub issue #880](https://github.com/Azure-Samples/cognitive-services-speech-sdk/issues/880). 
See updated documentation [here](https://docs.microsoft.com/azure/cognitive-services/speech-service/quickstarts/intent-recognition/#add-a-languageunderstandingmodel-and-intents).-- **C++/C#/Java**: `DialogServiceConnector` ([C++](https://docs.microsoft.com/cpp/cognitive-services/speech/dialog-dialogserviceconnector), [C#](https://docs.microsoft.com/dotnet/api/microsoft.cognitiveservices.speech.dialog.dialogserviceconnector?view=azure-dotnet), [Java](https://docs.microsoft.com/java/api/com.microsoft.cognitiveservices.speech.dialog.dialogserviceconnector?view=azure-java-stable)) now has a `StopListeningAsync()` method to accompany `ListenOnceAsync()`. This will immediately stop audio capture and gracefully wait for a result, making it perfect for use with "stop now" button-press scenarios.-- **C++/C#/Java/JavaScript**: `DialogServiceConnector` ([C++](https://docs.microsoft.com/cpp/cognitive-services/speech/dialog-dialogserviceconnector), [C#](https://docs.microsoft.com/dotnet/api/microsoft.cognitiveservices.speech.dialog.dialogserviceconnector?view=azure-dotnet), [Java](https://docs.microsoft.com/java/api/com.microsoft.cognitiveservices.speech.dialog.dialogserviceconnector?view=azure-java-stable), [JavaScript](https://docs.microsoft.com/javascript/api/microsoft-cognitiveservices-speech-sdk/dialogserviceconnector?view=azure-node-latest)) now has a new `TurnStatusReceived` event handler. These optional events correspond to every [`ITurnContext`](https://docs.microsoft.com/dotnet/api/microsoft.bot.builder.iturncontext?view=botbuilder-dotnet-stable) resolution on the Bot and will report turn execution failures when they happen, e.g. as a result of an unhandled exception, timeout, or network drop between Direct Line Speech and the bot. `TurnStatusReceived` makes it easier to respond to failure conditions. For example, if a bot takes too long on a backend database query (e.g. 
looking up a product), `TurnStatusReceived` allows the client to know to reprompt with "sorry, I didn't quite get that, could you please try again" or something similar.-- **C++/C#**: The [Speech SDK nuget package](https://www.nuget.org/packages/Microsoft.CognitiveServices.Speech) now supports Windows ARM/ARM64 desktop native binaries (UWP was already supported) to make the Speech SDK more useful on more machine types.
+- **All**: Custom voice quality keeps getting better. Added 48kHz format for custom TTS voices, improving the audio quality of custom voices whose native output sample rates are higher than 24kHz.
+- **All**: Custom voice is also easier to use. Added support for setting custom voice via `EndpointId` ([C++](https://docs.microsoft.com/cpp/cognitive-services/speech/speechconfig#setendpointid), [C#](https://docs.microsoft.com/dotnet/api/microsoft.cognitiveservices.speech.speechconfig.endpointid?view=azure-dotnet#Microsoft_CognitiveServices_Speech_SpeechConfig_EndpointId), [Java](https://docs.microsoft.com/java/api/com.microsoft.cognitiveservices.speech.speechconfig.setendpointid?view=azure-java-stable#com_microsoft_cognitiveservices_speech_SpeechConfig_setEndpointId_String_), [JavaScript](https://docs.microsoft.com/javascript/api/microsoft-cognitiveservices-speech-sdk/speechconfig?view=azure-node-latest#endpointId), [Objective-C](https://docs.microsoft.com/objectivec/cognitive-services/speech/spxspeechconfiguration#endpointid), [Python](https://docs.microsoft.com/python/api/azure-cognitiveservices-speech/azure.cognitiveservices.speech.speechconfig?view=azure-python#endpoint-id)). Before this change, custom voice users needed to set the endpoint URL via the `FromEndpoint` method. Now customers can use the `FromSubscription` method just like public voices, and then provide the deployment id by setting `EndpointId`. This simplifies setting up custom voices.
+- **C++/C#/Java/Objective-C/Python**: Get more than the top intent from`IntentRecognizer`. It now supports configuring the JSON result containing all intents and not only the top scoring intent via `LanguageUnderstandingModel FromEndpoint` method by using `verbose=true` uri parameter. This addresses [GitHub issue #880](https://github.com/Azure-Samples/cognitive-services-speech-sdk/issues/880). See updated documentation [here](https://docs.microsoft.com/azure/cognitive-services/speech-service/quickstarts/intent-recognition/#add-a-languageunderstandingmodel-and-intents).
+- **C++/C#/Java**: Make your voice assistant or bot stop listening immediatedly. `DialogServiceConnector` ([C++](https://docs.microsoft.com/cpp/cognitive-services/speech/dialog-dialogserviceconnector), [C#](https://docs.microsoft.com/dotnet/api/microsoft.cognitiveservices.speech.dialog.dialogserviceconnector?view=azure-dotnet), [Java](https://docs.microsoft.com/java/api/com.microsoft.cognitiveservices.speech.dialog.dialogserviceconnector?view=azure-java-stable)) now has a `StopListeningAsync()` method to accompany `ListenOnceAsync()`. This will immediately stop audio capture and gracefully wait for a result, making it perfect for use with "stop now" button-press scenarios.
+- **C++/C#/Java/JavaScript**: Make your voice assistant or bot react better to underlying system errors. `DialogServiceConnector` ([C++](https://docs.microsoft.com/cpp/cognitive-services/speech/dialog-dialogserviceconnector), [C#](https://docs.microsoft.com/dotnet/api/microsoft.cognitiveservices.speech.dialog.dialogserviceconnector?view=azure-dotnet), [Java](https://docs.microsoft.com/java/api/com.microsoft.cognitiveservices.speech.dialog.dialogserviceconnector?view=azure-java-stable), [JavaScript](https://docs.microsoft.com/javascript/api/microsoft-cognitiveservices-speech-sdk/dialogserviceconnector?view=azure-node-latest)) now has a new `TurnStatusReceived` event handler. These optional events correspond to every [`ITurnContext`](https://docs.microsoft.com/dotnet/api/microsoft.bot.builder.iturncontext?view=botbuilder-dotnet-stable) resolution on the Bot and will report turn execution failures when they happen, e.g. as a result of an unhandled exception, timeout, or network drop between Direct Line Speech and the bot. `TurnStatusReceived` makes it easier to respond to failure conditions. For example, if a bot takes too long on a backend database query (e.g. looking up a product), `TurnStatusReceived` allows the client to know to reprompt with "sorry, I didn't quite get that, could you please try again" or something similar.
+- **C++/C#**: Use the Speech SDK on more platforms. The [Speech SDK nuget package](https://www.nuget.org/packages/Microsoft.CognitiveServices.Speech) now supports Windows ARM/ARM64 desktop native binaries (UWP was already supported) to make the Speech SDK more useful on more machine types.
- **Java**: [`DialogServiceConnector`](https://docs.microsoft.com/java/api/com.microsoft.cognitiveservices.speech.dialog.dialogserviceconnector?view=azure-java-stable) now has a `setSpeechActivityTemplate()` method that was unintentionally excluded from the language previously. This is equivalent to setting the `Conversation_Speech_Activity_Template` property and will request that all future Bot Framework activities originated by the Direct Line Speech service merge the provided content into their JSON payloads.-- **Java**: The [`Connection`](https://docs.microsoft.com/java/api/com.microsoft.cognitiveservices.speech.connection?view=azure-java-stable) class now has a `MessageReceived` event, similar to other programing languages (C++, C#). This event provides low-level access to incoming data from the service and can be useful for diagnostics and debugging.-- **JavaScript**: [`BotFrameworkConfig`](https://docs.microsoft.com/javascript/api/microsoft-cognitiveservices-speech-sdk/botframeworkconfig) now has `fromHost()` and `fromEndpoint()` factory methods that simplify the use of custom service locations versus manually setting properties. We also standardized optional specification of `botId` to use a non-default bot across the configuration factories.-- **JavaScript**: Added string control property for websocket compression. For performance reasons we disabled websocket compression by default. This can be reenabled for low bandwidth scenarios. More details [here](https://docs.microsoft.com/javascript/api/microsoft-cognitiveservices-speech-sdk/propertyid). This addresses [GitHub issue #242](https://github.com/microsoft/cognitive-services-speech-sdk-js/issues/242).
+- **Java**: Improved low level debugging. The [`Connection`](https://docs.microsoft.com/java/api/com.microsoft.cognitiveservices.speech.connection?view=azure-java-stable) class now has a `MessageReceived` event, similar to other programing languages (C++, C#). This event provides low-level access to incoming data from the service and can be useful for diagnostics and debugging.
+- **JavaScript**: Easier setup for Voice Assistants and bots through [`BotFrameworkConfig`](https://docs.microsoft.com/javascript/api/microsoft-cognitiveservices-speech-sdk/botframeworkconfig), which now has `fromHost()` and `fromEndpoint()` factory methods that simplify the use of custom service locations versus manually setting properties. We also standardized optional specification of `botId` to use a non-default bot across the configuration factories.
+- **JavaScript**: Improved on device performance through added string control property for websocket compression. For performance reasons we disabled websocket compression by default. This can be reenabled for low bandwidth scenarios. More details [here](https://docs.microsoft.com/javascript/api/microsoft-cognitiveservices-speech-sdk/propertyid). This addresses [GitHub issue #242](https://github.com/microsoft/cognitive-services-speech-sdk-js/issues/242).
- **JavaScript**: Added support for pronunciation assessment to enable evaluation of speech pronunciation. See the quickstart [here](https://docs.microsoft.com/azure/cognitive-services/speech-service/how-to-pronunciation-assessment?pivots=programming-language-javascript). **Bug fixes**
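Review bot: Typos in the added lines: `immediatedly` in the `StopListeningAsync()` bullet, a missing space in `from`IntentRecognizer``, `can now get return more than the top intent` and `Your voice assistant or bot are now easier to set up` in the highlights, and `programing languages` in the Java `Connection` bullet. The closing highlight (`issues YOU, our valued customers, have flagged on GitHub! THANK YOU!`) reads as marketing copy rather than release-note prose; something like `Several bug fixes for issues reported on GitHub.` fits the rest of the section. The `verbose=true` URI parameter for `LanguageUnderstandingModel FromEndpoint` would benefit from a one-line example of the resulting endpoint URL, since it is the only way described to get all intents.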
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/text-analytics/concepts/model-versioning https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/concepts/model-versioning.md
@@ -24,9 +24,9 @@ Use the table below to find which model versions are supported by each hosted en
| Endpoint | Supported Versions | latest version | ||--|-| | `/sentiment` | `2019-10-01`, `2020-04-01` | `2020-04-01` |
-| `/languages` | `2019-10-01`, `2020-07-01`, `2020-09-01` | `2020-09-01` |
+| `/languages` | `2019-10-01`, `2020-07-01`, `2020-09-01`, `2021-01-15` | `2021-01-15` |
| `/entities/linking` | `2019-10-01`, `2020-02-01` | `2020-02-01` |
-| `/entities/recognition/general` | `2019-10-01`, `2020-02-01`, `2020-04-01`, | `2020-04-01` |
+| `/entities/recognition/general` | `2019-10-01`, `2020-02-01`, `2020-04-01`,`2021-01-05` | `2021-01-05` |
| `/entities/recognition/pii` | `2019-10-01`, `2020-02-01`, `2020-04-01`,`2020-07-01` | `2020-07-01` | | `/entities/health` | `2020-09-03` | `2020-09-03` | | `/keyphrases` | `2019-10-01`, `2020-07-01` | `2020-07-01` |
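Review bot: `/entities/recognition/general` gains `2021-01-05` while `/languages` gains `2021-01-15`; confirm the general NER date is not a transposition of `01-15`, because clients pin `model-version` to these strings and a wrong value in the table will fail at request time. The inserted version is also glued to the preceding comma (`'2020-04-01',`2021-01-05``) where every other row separates versions with `, `, and the original trailing comma after `2020-04-01` that this row had before the edit suggests the list was never cleaned up.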
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/text-analytics/how-tos/text-analytics-for-health https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/how-tos/text-analytics-for-health.md
@@ -8,7 +8,7 @@
Previously updated : 12/17/2020 Last updated : 01/21/2021
@@ -22,8 +22,8 @@ Text Analytics for health is not intended or made available for use as a medical
Text Analytics for health is a feature of the Text Analytics API service that extracts and labels relevant medical information from unstructured texts such as doctor's notes, discharge summaries, clinical documents, and electronic health records. There are two ways to utilize this service:
-* The web-based API (asynchronous)
-* A Docker container (synchronous)
+* [The web-based API (asynchronous)](#structure-the-api-request-for-the-hosted-asynchronous-web-api)
+* [A Docker container (synchronous)](#hosted-asynchronous-web-api-response)
> [!VIDEO https://channel9.msdn.com/Shows/AI-Show/Introducing-Text-Analytics-for-Health/player]
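Review bot: The `A Docker container (synchronous)` bullet links to `#hosted-asynchronous-web-api-response`, which is the response section for the hosted asynchronous web API, not the container section; readers choosing the synchronous container path are sent to the wrong half of the article. Point it at the heading that describes the Docker container instead, and check both anchors against the rendered heading ids since the first one is long enough to have been truncated by the slug generator.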
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/text-analytics/includes/analyze-operation-pricing-caution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/includes/analyze-operation-pricing-caution.md /dev/null
@@ -0,0 +1,15 @@
+
+ Title: Analyze operation pricing
+++++++ Last updated : 01/20/2021+++
+> [!CAUTION]
+> To use the Analyze operation, make sure your Azure resource is using the S standard pricing tier.
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/text-analytics/includes/entity-types/general-entities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/includes/entity-types/general-entities.md
@@ -7,48 +7,812 @@
Previously updated : 05/13/2020 Last updated : 01/15/2021
-The following entity categories are returned when sending requests to the `/entities/recognition/general` endpoint.
+The NER feature for Text Analytics returns the following general (non identifying) entity categories. for example when sending requests to the `/entities/recognition/general` endpoint.
-| Category | Subcategory | Description | Starting model version | Notes |
+
+| Category | Description |
||-|--|-|--|
-| Person | N/A | Names of people. | `2019-10-01` | Also returned by NER v2.1 |
-| PersonType | N/A | Job types or roles held by a person. | `2020-02-01` | |
-|Location | N/A | Natural and human-made landmarks, structures, geographical features, and geopolitical entities | `2019-10-01` | Also returned by NER v2.1 |
-|Location | Geopolitical Entity (GPE) | Cities, countries/regions, states. | `2020-02-01` | |
-|Location | Structural | Manmade structures. | `2020-04-01` | |
-|Location | Geographical | Geographic and natural features such as rivers, oceans, and deserts. | `2020-04-01` | |
-|Organization | N/A | Companies, political groups, musical bands, sport clubs, government bodies, and public organizations. | `2019-10-01` | Nationalities and religions are not included in this entity type. Also returned by NER v2.1 |
-|Organization | Medical | Medical companies and groups. | `2020-04-01` | |
-|Organization | Stock exchange | Stock exchange groups. | `2020-04-01` | |
-| Organization | Sports | Sports-related organizations. | `2020-04-01` | |
-| Event | N/A | Historical, social, and naturally occurring events. | `2020-02-01` | |
-| Event | Cultural | Cultural events and holidays. | `2020-04-01` | |
-| Event | Natural | Naturally occurring events. | `2020-04-01` | |
-| Event | Sports | Sporting events. | `2020-04-01` | |
-| Product | N/A | Physical objects of various categories. | `2020-02-01` | |
-| Product | Computing products | Computing products. | `2020-02-01 ` | |
-| Skill | N/A | A capability, skill, or expertise. | `2020-02-01` | |
-| Address | N/A | Full mailing addresses. | `2020-04-01` | |
-| PhoneNumber | N/A | Phone numbers (US and EU phone numbers only). | `2019-10-01` | Also returned by NER v2.1 |
-| Email | N/A | Email addresses. | `2019-10-01` | Also returned by NER v2.1 |
-| URL | N/A | URLs to websites. | `2019-10-01` | Also returned by NER v2.1 |
-| IP | N/A | Network IP addresses. | `2019-10-01` | Also returned by NER v2.1 |
-| DateTime | N/A | Dates and times of day. | `2019-10-01` | Also returned by NER v2.1 |
-| DateTime | Date | Calender dates. | `2019-10-01` | Also returned by NER v2.1 |
-| DateTime | Time | Times of day | `2019-10-01` | Also returned by NER v2.1 |
-| DateTime | DateRange | Date ranges. | `2019-10-01` | Also returned by NER v2.1 |
-| DateTime | TimeRange | Time ranges. | `2019-10-01` | Also returned by NER v2.1 |
-| DateTime | Duration | Durations. | `2019-10-01` | Also returned by NER v2.1 |
-| DateTime | Set | Set, repeated times. | `2019-10-01` | Also returned by NER v2.1 |
-| Quantity | N/A | Numbers and numeric quantities. | `2019-10-01` | Also returned by NER v2.1 |
-| Quantity | Number | Numbers. | `2019-10-01` | Also returned by NER v2.1 |
-| Quantity | Percentage | Percentages.| `2019-10-01` | Also returned by NER v2.1 |
-| Quantity | Ordinal | Ordinal numbers. | `2019-10-01` | Also returned by NER v2.1 |
-| Quantity | Age | Ages. | `2019-10-01` | Also returned by NER v2.1 |
-| Quantity | Currency | Currencies. | `2019-10-01` | Also returned by NER v2.1 |
-| Quantity | Dimension | Dimensions and measurements. | `2019-10-01` | Also returned by NER v2.1 |
-| Quantity | Temperature | Temperatures. | `2019-10-01` | Also returned by NER v2.1 |
+| [Person](#category-person) | Names of people. |
+| [PersonType](#category-persontype) | Job types or roles held by a person. |
+| [Location](#category-location) | Natural and human-made landmarks, structures, geographical features, and geopolitical entities |
+| [Organization](#category-organization) | Companies, political groups, musical bands, sport clubs, government bodies, and public organizations. |
+| [Event](#category-event) | Historical, social, and naturally occurring events. |
+| [Product](#category-product) | Physical objects of various categories. |
+| [Skill](#category-skill) | A capability, skill, or expertise. |
+| [Address](#category-address) | Full mailing addresses. |
+| [Phone number](#category-phonenumber) | Phone numbers. |
+| [Email](#category-email) | Email addresses. |
+| [URL](#category-url) | URLs to websites. |
+| [IP](#category-ip) | Network IP addresses. |
+| [DateTime](#category-datetime) | Dates and times of day. |
++
+### Category: Person
+
+This category contains the following entity:
+
+:::row:::
+ :::column span="":::
+ **Entity**
+
+ Person
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Names of people.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `ar`, `cs`, `da`, `nl`, `en`, `fi`, `fr`, `de`, `he`, <br> `hu`, `it`, `ja`, `ko`, `no`, `pl`, `pt-br`, `pt`-`pt`, `ru`, `es`, `sv`, `tr`
+
+ :::column-end:::
+:::row-end:::
+
+### Category: PersonType
+
+This category contains the following entity:
++
+:::row:::
+ :::column span="":::
+ **Entity**
+
+ PersonType
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Job types or roles held by a person
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `ja`, `ko`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+
+### Category: Location
+
+This category contains the following entity:
+
+:::row:::
+ :::column span="":::
+ **Entity**
+
+ Location
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Natural and human-made landmarks, structures, geographical features, and geopolitical entities.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `ar`, `cs`, `da`, `nl`, `en`, `fi`, `fr`, `de`, `he`, `hu`, `it`, `ja`, `ko`, `no`, `pl`, `pt-br`, `pt-pt`, `ru`, `es`, `sv`, `tr`
+
+ :::column-end:::
+:::row-end:::
+
+#### Subcategories
+
+The entity in this category can have the following subcategories.
+
+:::row:::
+ :::column span="":::
+ **Entity subcategory**
+
+ Geopolitical Entity (GPE)
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Cities, countries/regions, states.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `ja`, `ko`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+
+ Structural
+
+ :::column-end:::
+ :::column span="2":::
+
+ Manmade structures.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+
+ Geographical
+
+ :::column-end:::
+ :::column span="2":::
+
+ Geographic and natural features such as rivers, oceans, and deserts.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`
+
+ :::column-end:::
+:::row-end:::
+
+### Category: Organization
+
+This category contains the following entity:
+
+:::row:::
+ :::column span="":::
+ **Entity**
+
+ Organization
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Companies, political groups, musical bands, sport clubs, government bodies, and public organizations. Nationalities and religions are not included in this entity type.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `ar`, `cs`, `da`, `nl`, `en`, `fi`, `fr`, `de`, `he`, `hu`, `it`, `ja`, `ko`, `no`, `pl`, `pt-br`, `pt-pt`, `ru`, `es`, `sv`, `tr`
+
+ :::column-end:::
+:::row-end:::
+
+#### Subcategories
+
+The entity in this category can have the following subcategories.
+
+:::row:::
+ :::column span="":::
+ **Entity subcategory**
+
+ Medical
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Medical companies and groups.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+
+ Stock exchange
+
+ :::column-end:::
+ :::column span="2":::
+
+ Stock exchange groups.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+
+ Sports
+
+ :::column-end:::
+ :::column span="2":::
+
+ Sports-related organizations.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`
+
+ :::column-end:::
+:::row-end:::
+
+### Category: Event
+
+This category contains the following entity:
+
+:::row:::
+ :::column span="":::
+ **Entity**
+
+ Event
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Historical, social, and naturally occurring events.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `ja`, `ko`, `pt-pt` and `pt-br`
+
+ :::column-end:::
+:::row-end:::
+
+#### Subcategories
+
+The entity in this category can have the following subcategories.
+
+:::row:::
+ :::column span="":::
+ **Entity subcategory**
+
+ Cultural
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Cultural events and holidays.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+
+ Natural
+
+ :::column-end:::
+ :::column span="2":::
+
+ Naturally occurring events.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+
+ Sports
+
+ :::column-end:::
+ :::column span="2":::
+
+ Sporting events.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`
+
+ :::column-end:::
+:::row-end:::
+
+### Category: Product
+
+This category contains the following entity:
+
+:::row:::
+ :::column span="":::
+ **Entity**
+
+ Product
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Physical objects of various categories.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `ja`, `ko`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
++
+#### Subcategories
+
+The entity in this category can have the following subcategories.
+
+:::row:::
+ :::column span="":::
+ **Entity subcategory**
+
+ Computing products
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Computing products.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`
+
+ :::column-end:::
+:::row-end:::
+
+### Category: Skill
+
+This category contains the following entity:
+
+:::row:::
+ :::column span="":::
+ **Entity**
+
+ Skill
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ A capability, skill, or expertise.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`
+
+ :::column-end:::
+:::row-end:::
+
+### Category: Address
+
+This category contains the following entity:
+
+:::row:::
+ :::column span="":::
+ **Entity**
+
+ Address
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Full mailing address.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `ja`, `ko`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+
+### Category: PhoneNumber
+
+This category contains the following entity:
+
+:::row:::
+ :::column span="":::
+ **Entity**
+
+ PhoneNumber
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Phone numbers (US and EU phone numbers only).
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `ja`, `ko`, `pt-pt` `pt-br`
+
+ :::column-end:::
+:::row-end:::
+
+### Category: Email
+
+This category contains the following entity:
+
+:::row:::
+ :::column span="":::
+ **Entity**
+
+ Email
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Email addresses.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `ja`, `ko`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+
+### Category: URL
+
+This category contains the following entity:
+
+:::row:::
+ :::column span="":::
+ **Entity**
+
+ URL
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ URLs to websites.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `ja`, `ko`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+
+### Category: IP
+
+This category contains the following entity:
+
+:::row:::
+ :::column span="":::
+ **Entity**
+
+ IP
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ network IP addresses.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `ja`, `ko`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+
+### Category: DateTime
+
+This category contains the following entities:
+
+:::row:::
+ :::column span="":::
+ **Entity**
+
+ DateTime
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Dates and times of day.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `ja`, `ko`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+
+Entities in this category can have the following subcategories
+
+#### Subcategories
+
+The entity in this category can have the following subcategories.
+
+:::row:::
+ :::column span="":::
+ **Entity subcategory**
+
+ Date
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Calender dates.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+
+ Time
+
+ :::column-end:::
+ :::column span="2":::
+
+ Times of day.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+
+ DateRange
+
+ :::column-end:::
+ :::column span="2":::
+
+ Date ranges.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+
+ TimeRange
+
+ :::column-end:::
+ :::column span="2":::
+
+ Time ranges.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+
+ Duration
+
+ :::column-end:::
+ :::column span="2":::
+
+ Durations.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+
+ Set
+
+ :::column-end:::
+ :::column span="2":::
+
+ Set, repeated times.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+
+### Category: Quantity
+
+This category contains the following entities:
+
+:::row:::
+ :::column span="":::
+ **Entity**
+
+ Quantity
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Numbers and numeric quantities.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `ja`, `ko`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+
+#### Subcategories
+
+The entity in this category can have the following subcategories.
+
+:::row:::
+ :::column span="":::
+ **Entity subcategory**
+
+ Number
+
+ :::column-end:::
+ :::column span="2":::
+ **Details**
+
+ Numbers.
+
+ :::column-end:::
+ :::column span="2":::
+ **Supported document languages**
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+ Percentage
+
+ :::column-end:::
+ :::column span="2":::
+
+ Percentages
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+ Ordinal numbers
+
+ :::column-end:::
+ :::column span="2":::
+
+ Ordinal numbers.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+ Age
+
+ :::column-end:::
+ :::column span="2":::
+
+ Ages.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+ Currency
+
+ :::column-end:::
+ :::column span="2":::
+
+ Currencies
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+ Dimensions
+
+ :::column-end:::
+ :::column span="2":::
+
+ Dimensions and measurements.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="":::
+ Temperature
+
+ :::column-end:::
+ :::column span="2":::
+
+ Temperatures.
+
+ :::column-end:::
+ :::column span="2":::
+
+ `en`, `es`, `fr`, `de`, `it`, `zh-hans`, `pt-pt`, `pt-br`
+
+ :::column-end:::
+:::row-end:::
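Review bot: the line directly after the Product entity's `:::row-end:::` consists of a stray `+` in the added text, so a literal plus sign will render between that row and its `#### Subcategories` heading; drop it. Same hunk, smaller points: the DateTime section says "Entities in this category can have the following subcategories" and then, under `#### Subcategories`, "The entity in this category can have the following subcategories." so one of the two should go, and both DateTime and Quantity open with "contains the following entities:" although each lists a single entity; "Calender dates." should be "Calendar dates."; "network IP addresses." needs a capital; the PhoneNumber language list is missing the comma in `pt-pt` `pt-br`, and the Event row ends with "`pt-pt` and `pt-br`" while every other row is a plain comma-separated list. Worth confirming rather than fixing: DateTime and Quantity list `ja` and `ko`, but none of their subcategories do, so a reader building PII or data-classification rules on Date, Time, Currency and so on cannot tell whether those languages return the parent category only; a one-line statement either way would settle it. Finally, the Computing products, Percentage, Ordinal numbers, Age, Currency, Dimensions and Temperature rows omit the blank line between `:::column span="":::` and the cell text that all the other rows have; harmless, but inconsistent.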
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/text-analytics/includes/entity-types/health-entities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/includes/entity-types/health-entities.md
@@ -11,8 +11,6 @@ Last updated 10/02/2020
-## Text Analytics for health categories, entities and attributes
- [Text Analytics for health](../../how-tos/text-analytics-for-health.md) detects medical concepts in the following categories. (Please note that only English text is supported in this container preview and only a single model-version is provided in each container image.)
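Review bot: deleting the `## Text Analytics for health categories, entities and attributes` heading removes an anchor target; any link elsewhere in the docs of the form `...#text-analytics-for-health-categories-entities-and-attributes` will now land at the top of the page, so grep for it before merging. The removed paragraph also carried the only statement in this include that the container preview supports English text only and ships a single model-version per image; unless the file that now includes this one restates that caveat, it is lost to readers deciding what to send to the container.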
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/text-analytics/includes/quickstarts/csharp-sdk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/includes/quickstarts/csharp-sdk.md
@@ -6,7 +6,7 @@
Previously updated : 12/11/2020 Last updated : 01/20/2021
@@ -15,11 +15,11 @@
# [Version 3.1 preview](#tab/version-3-1)
-[v3.1 Reference documentation](/dotnet/api/azure.ai.textanalytics?preserve-view=true&view=azure-dotnet-previews) | [v3.1 Library source code](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/textanalytics/Azure.AI.TextAnalytics) | [v3.1 Package (NuGet)](https://www.nuget.org/packages/Azure.AI.TextAnalytics/5.1.0-beta.3) | [v3.1 Samples](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/textanalytics/Azure.AI.TextAnalytics/samples)
+[v3.1 Reference documentation](/dotnet/api/azure.ai.textanalytics?preserve-view=true&view=azure-dotnet-preview) | [v3.1 Library source code](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/textanalytics/Azure.AI.TextAnalytics) | [v3.1 Package (NuGet)](https://www.nuget.org/packages/Azure.AI.TextAnalytics/5.1.0-beta.3) | [v3.1 Samples](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/textanalytics/Azure.AI.TextAnalytics/samples)
# [Version 3.0](#tab/version-3)
-[v3 Reference documentation](/dotnet/api/azure.ai.textanalytics) | [v3 Library source code](https://github.com/Azure/azure-sdk-for-net/tree/Azure.AI.TextAnalytics_5.0.0/sdk/textanalytics/Azure.AI.TextAnalytics) | [v3 Package (NuGet)](https://www.nuget.org/packages/Azure.AI.TextAnalytics) | [v3 Samples](https://github.com/Azure/azure-sdk-for-net/tree/Azure.AI.TextAnalytics_5.0.0/sdk/textanalytics/Azure.AI.TextAnalytics/samples)
+[v3 Reference documentation](/dotnet/api/azure.ai.textanalytics?preserve-view=true&view=azure-dotnet) | [v3 Library source code](https://github.com/Azure/azure-sdk-for-net/tree/Azure.AI.TextAnalytics_5.0.0/sdk/textanalytics/Azure.AI.TextAnalytics) | [v3 Package (NuGet)](https://www.nuget.org/packages/Azure.AI.TextAnalytics) | [v3 Samples](https://github.com/Azure/azure-sdk-for-net/tree/Azure.AI.TextAnalytics_5.0.0/sdk/textanalytics/Azure.AI.TextAnalytics/samples)
# [Version 2.1](#tab/version-2)
@@ -807,8 +807,7 @@ Key phrases:
# [Version 3.1 preview](#tab/version-3-1)
-> [!CAUTION]
-> To use the Analyze operation, make sure your Azure resource is using a standard pricing tier.
+[!INCLUDE [Analyze operation pricing](../analyze-operation-pricing-caution.md)]
Create a new function called `AnalyzeOperationExample()` that takes the client that you created earlier, and call its `StartAnalyzeOperationBatch()` function. The returned `AnalyzeOperation` object will contain the `Operation` interface object for `AnalyzeOperationResult`. As it is a Long Running Operation, `await` on the `operation.WaitForCompletionAsync()` for the value to be updated. Once the `WaitForCompletionAsync()` is finishes, the collection should be updated in the `operation.Value`. If there was an error, it will throw a `RequestFailedException`.
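Review bot: the correction from `view=azure-dotnet-previews` to `view=azure-dotnet-preview` and the explicit `preserve-view=true&view=azure-dotnet` on the v3 link are fine. While this file is open, the unchanged context line after the include has grammar worth fixing: "Once the `WaitForCompletionAsync()` is finishes" should read "Once `WaitForCompletionAsync()` finishes", and "the collection should be updated in the `operation.Value`" reads better as "`operation.Value` holds the updated collection". The v3.1 NuGet link pins `5.1.0-beta.3`, the same beta the Java include pins, so both need bumping together when the next beta ships.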
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/text-analytics/includes/quickstarts/java-sdk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/includes/quickstarts/java-sdk.md
@@ -6,7 +6,7 @@
Previously updated : 12/11/2020 Last updated : 01/20/2021
@@ -16,7 +16,7 @@
# [Version 3.1 preview](#tab/version-3-1)
-[Reference documentation](/java/api/overview/azure/ai-textanalytics-readme) | [Library source code](https://github.com/Azure/azure-sdk-for-java/blob/azure-ai-textanalytics_5.1.0-beta.3/sdk/textanalytics/azure-ai-textanalytics) | [Package](https://mvnrepository.com/artifact/com.azure/azure-ai-textanalytics/5.1.0-beta.3) | [Samples](https://github.com/Azure/azure-sdk-for-java/tree/azure-ai-textanalytics_5.1.0-beta.3/sdk/textanalytics/azure-ai-textanalytics/src/samples/java/com/azure/ai/textanalytics)
+[Reference documentation](/java/api/overview/azure/ai-textanalytics-readme?preserve-view=true&view=azure-java-preview) | [Library source code](https://github.com/Azure/azure-sdk-for-java/blob/azure-ai-textanalytics_5.1.0-beta.3/sdk/textanalytics/azure-ai-textanalytics) | [Package](https://mvnrepository.com/artifact/com.azure/azure-ai-textanalytics/5.1.0-beta.3) | [Samples](https://github.com/Azure/azure-sdk-for-java/tree/azure-ai-textanalytics_5.1.0-beta.3/sdk/textanalytics/azure-ai-textanalytics/src/samples/java/com/azure/ai/textanalytics)
# [Version 3.0](#tab/version-3)
@@ -602,8 +602,7 @@ veterinarian
# [Version 3.1 preview](#tab/version-3-1)
-> [!CAUTION]
-> To use Analyze operations, you must use a Text Analytics resource with the standard (S) pricing tier.
+[!INCLUDE [Analyze operation pricing](../analyze-operation-pricing-caution.md)]
Create a new function called `analyzeOperationExample()`, which calls the `beginAnalyzeTasks()` function. The result will be a long running operation which will be polled for results.
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/text-analytics/includes/quickstarts/nodejs-sdk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/includes/quickstarts/nodejs-sdk.md
@@ -6,7 +6,7 @@
Previously updated : 12/11/2020 Last updated : 01/20/2021
@@ -16,12 +16,12 @@
# [Version 3.1 preview](#tab/version-3-1)
-[v3 Reference documentation](/javascript/api/overview/azure/ai-text-analytics-readme) | [v3 Library source code](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/textanalytics/ai-text-analytics) | [v3 Package (NPM)](https://www.npmjs.com/package/@azure/ai-text-analytics) | [v3 Samples](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/textanalytics/ai-text-analytics/samples)
+[v3 Reference documentation](/javascript/api/overview/azure/ai-text-analytics-readme?preserve-view=true&view=azure-node-preview) | [v3 Library source code](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/textanalytics/ai-text-analytics) | [v3 Package (NPM)](https://www.npmjs.com/package/@azure/ai-text-analytics) | [v3 Samples](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/textanalytics/ai-text-analytics/samples)
# [Version 3.0](#tab/version-3)
-[v3 Reference documentation](/javascript/api/overview/azure/ai-text-analytics-readme) | [v3 Library source code](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/textanalytics/ai-text-analytics) | [v3 Package (NPM)](https://www.npmjs.com/package/@azure/ai-text-analytics) | [v3 Samples](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/textanalytics/ai-text-analytics/samples)
+[v3 Reference documentation](/javascript/api/overview/azure/ai-text-analytics-readme?preserve-view=true&view=azure-node-latest) | [v3 Library source code](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/textanalytics/ai-text-analytics) | [v3 Package (NPM)](https://www.npmjs.com/package/@azure/ai-text-analytics) | [v3 Samples](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/textanalytics/ai-text-analytics/samples)
# [Version 2.1](#tab/version-2)
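Review bot: both tabs now label their links "v3 Reference documentation", "v3 Library source code", "v3 Package (NPM)" and "v3 Samples", so the only thing distinguishing the Version 3.1 preview tab from the Version 3.0 tab is the `view=azure-node-preview` query string; rename the preview tab's labels to "v3.1 ..." as the C# include in this same change does. The preview tab's source and samples links also point at `master`, which will drift as the SDK moves on; a tagged beta branch, as the Java include uses, keeps the sample code matching the package version the reader installs.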
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/text-analytics/includes/quickstarts/python-sdk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/includes/quickstarts/python-sdk.md
@@ -3,7 +3,7 @@
Previously updated : 12/11/2020 Last updated : 01/20/2021
@@ -938,8 +938,7 @@ Document ID: 4
# [Version 3.1 preview](#tab/version-3-1)
-> [!CAUTION]
-> To use Analyze operations, you must use a Text Analytics resource with the standard (S) pricing tier.
+[!INCLUDE [Analyze operation pricing](../analyze-operation-pricing-caution.md)]
Create a new function called `analyze_example()` that takes the client as an argument, then calls the `begin_analyze()` function. The result will be a long running operation which will be polled for results.
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/text-analytics/language-support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/language-support.md
@@ -49,34 +49,33 @@
#### [Named Entity Recognition (NER)](#tab/named-entity-recognition) > [!NOTE]
-> * NER v3 currently only supports English and Spanish languages. If you call NER v3 with a different language, the API will return v2.1 results, provided the language is supported in version 2.1.
-> * v2.1 only returns the full set of available entities for the English, Chinese-Simplified, French, German, and Spanish languages. The "Person", "Location" and "Organization" entities are returned for the other supported languages.
-
-| Language | Language code | v2.1 support | v3 support | Starting with v3 model version: | Notes |
-|:--|:-:|:-:|:-:|:-:|::|
-| Arabic | `ar` | Γ£ô | | | |
-| Chinese-Simplified | `zh-hans` | Γ£ô | | | `zh` also accepted |
-| Chinese-Traditional | `zh-hant` | Γ£ô | | | |
-| Czech | `cs` | Γ£ô | | | |
-| Danish | `da` | Γ£ô | | | |
-| Dutch | `nl` | Γ£ô | | | |
-| English | `en` | Γ£ô | Γ£ô | 2019-10-01 | |
-| Finnish | `fi` | Γ£ô | | | |
-| French | `fr` | Γ£ô | | | |
-| German | `de` | Γ£ô | | | |
-| Hebrew | `he` | Γ£ô | | | |
-| Hungarian | `hu` | Γ£ô | | | |
-| Italian | `it` | Γ£ô | | | |
-| Japanese | `ja` | Γ£ô | | | |
-| Korean | `ko` | Γ£ô | | | |
-| Norwegian (Bokmål) | `no` | ✓ | | | `nb` also accepted |
-| Polish | `pl` | Γ£ô | | | |
-| Portuguese (Brazil) | `pt-BR` | Γ£ô | | | |
-| Portuguese (Portugal) | `pt-PT` | Γ£ô | | | `pt` also accepted |
-| Russian | `ru` | Γ£ô | | | |
-| Spanish | `es` | Γ£ô | Γ£ô | 2020-04-01 | |
-| Swedish | `sv` | Γ£ô | | | |
-| Turkish | `tr` | Γ£ô | | | |
+> * Only "Person", "Location" and "Organization" entities are returned for languages marked with *.
+
+| Language | Language code | v3 support | Starting with v3 model version: | Notes |
+|:--|:-:|:-:|:-:|::|
+| Arabic | `ar` | Γ£ô* | 2019-10-01 | |
+| Chinese-Simplified | `zh-hans` | Γ£ô | 2021-01-15 | `zh` also accepted |
+| Chinese-Traditional | `zh-hant` | Γ£ô* | 2019-10-01 | |
+| Czech | `cs` | Γ£ô* | 2019-10-01 | |
+| Danish | `da` | Γ£ô* | 2019-10-01 | |
+| Dutch | `nl` | Γ£ô* | 2019-10-01 | |
+| English | `en` | Γ£ô | 2019-10-01 | |
+| Finnish | `fi` | Γ£ô* | 2019-10-01 | |
+| French | `fr` | Γ£ô | 2021-01-15 | |
+| German | `de` | Γ£ô | 2021-01-15 | |
+| Hebrew | `he` | Γ£ô* | 2019-10-01 | |
+| Hungarian | `hu` | Γ£ô* | 2019-10-01 | |
+| Italian | `it` | Γ£ô | 2021-01-15 | |
+| Japanese | `ja` | Γ£ô | 2021-01-15 | |
+| Korean | `ko` | Γ£ô | 2021-01-15 | |
+| Norwegian (Bokmål) | `no` | ✓* | 2019-10-01 | `nb` also accepted |
+| Polish | `pl` | Γ£ô* | 2019-10-01 | |
+| Portuguese (Brazil) | `pt-BR` | Γ£ô | 2021-01-15 | |
+| Portuguese (Portugal) | `pt-PT` | Γ£ô | 2021-01-15 | `pt` also accepted |
+| Russian | `ru` | Γ£ô* | 2019-10-01 | |
+| Spanish | `es` | Γ£ô | 2020-04-01 | |
+| Swedish | `sv` | Γ£ô* | 2019-10-01 | |
+| Turkish | `tr` | Γ£ô* | 2019-10-01 | |
#### [Key phrase extraction](#tab/key-phrase-extraction)
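Review bot: the new note only says which languages return the reduced entity set; the old note's second behaviour, that a request in a language without v3 support fell back to v2.1 results, is deleted here and in the migration guide without a replacement, so state explicitly what v3 now returns for a language outside this table (an error, or an empty entity list). Separately, the check-mark glyph is inconsistent in the added rows: most show `Γ£ô` while the Norwegian row shows `✓`; `Γ£ô` is exactly the UTF-8 encoding of U+2713 read through code page 437, so confirm the file is saved as UTF-8 before merge or the rendered table will show the mojibake. Minor: this table writes `zh-hans` while the language detection table further down writes `zh_chs`; pre-existing, but the two now sit on the same page.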
@@ -91,7 +90,7 @@
| Italian               |     `it`      |     ✓      |     ✓      |                2019-10-01                 |                    | | Japanese              |     `ja`      |     ✓      |     ✓      |                2019-10-01                 |                    | | Korean                |     `ko`      |     ✓      |     ✓      |                2019-10-01                 |                    |
-| Norwegian  (Bokmål)   |     `no`      |     ✓      |     ✓      |                2019-10-01                 | `nb` also accepted |
+| Norwegian  (Bokmål)   |     `no`      |     ✓      |     ✓      |                2020-07-01                 | `nb` also accepted |
| Polish                |     `pl`      |     ✓      |     ✓      |                2019-10-01                 |                    | | Portuguese (Brazil)   |    `pt-BR`    |     ✓      |     ✓      |                2019-10-01                 |                    | | Portuguese (Portugal) |    `pt-PT`    |     ✓      |     ✓      |                2019-10-01                 | `pt` also accepted |
@@ -114,98 +113,113 @@ If you have content expressed in a less frequently used language, you can try La
| Language | Language Code | v3 support | Available starting with v3 model version: | |:-|:-:|:-:|:-:|
-| Afrikaans | `af` | Γ£ô | |
-| Albanian | `sq` | Γ£ô | |
-| Arabic | `ar` | Γ£ô | |
-| Armenian | `hy` | Γ£ô | |
-| Basque | `eu` | Γ£ô | |
-| Belarusian | `be` | Γ£ô | |
-| Bengali | `bn` | Γ£ô | |
-| Bosnian | `bs` | Γ£ô | 2020-09-01 |
-| Bulgarian | `bg` | Γ£ô | |
-| Burmese | `my` | Γ£ô | |
-| Catalan, Valencian | `ca` | Γ£ô | |
-| Central Khmer | `km` | Γ£ô | |
-| Chinese | `zh` | Γ£ô | |
-| Chinese Simplified | `zh_chs` | Γ£ô | |
-| Chinese Traditional | `zh_cht` | Γ£ô | |
-| Croatian | `hr` | Γ£ô | |
-| Czech | `cs` | Γ£ô | |
-| Danish | `da` | Γ£ô | |
-| Dari | `prs` | Γ£ô | 2020-09-01 |
-| Divehi, Dhivehi, Maldivian | `dv` | Γ£ô | |
-| Dutch, Flemish | `nl` | ✓ | |
-| English | `en` | Γ£ô | |
-| Esperanto | `eo` | Γ£ô | |
-| Estonian | `et` | Γ£ô | |
-| Fijian | `fj` | Γ£ô | 2020-09-01 |
-| Finnish | `fi` | Γ£ô | |
-| French | `fr` | Γ£ô | |
-| Galician | `gl` | Γ£ô | |
-| Georgian | `ka` | Γ£ô | |
-| German | `de` | Γ£ô | |
-| Greek | `el` | Γ£ô | |
-| Gujarati | `gu` | Γ£ô | |
-| Haitian, Haitian Creole | `ht` | Γ£ô | |
-| Hebrew | `he` | Γ£ô | |
-| Hindi | `hi` | Γ£ô | |
-| Hmong Daw | `mww` | Γ£ô | 2020-09-01 |
-| Hungarian | `hu` | Γ£ô | |
-| Icelandic | `is` | Γ£ô | |
-| Indonesian | `id` | Γ£ô | |
-| Inuktitut | `iu` | Γ£ô | |
-| Irish | `ga` | Γ£ô | |
-| Italian | `it` | Γ£ô | |
-| Japanese | `ja` | Γ£ô | |
-| Kannada | `kn` | Γ£ô | |
-| Kazakh | `kk` | Γ£ô | 2020-09-01 |
-| Korean | `ko` | Γ£ô | |
-| Kurdish | `ku` | Γ£ô | |
-| Lao | `lo` | Γ£ô | |
-| Latin | `la` | Γ£ô | |
-| Latvian | `lv` | Γ£ô | |
-| Lithuanian | `lt` | Γ£ô | |
-| Macedonian | `mk` | Γ£ô | |
-| Malagasy | `mg` | Γ£ô | 2020-09-01 |
-| Malay | `ms` | Γ£ô | |
-| Malayalam | `ml` | Γ£ô | |
-| Maltese | `mt` | Γ£ô | |
-| Maori | `mi` | Γ£ô | 2020-09-01 |
-| Marathi | `mr` | Γ£ô | 2020-09-01 |
-| Norwegian | `no` | Γ£ô | |
-| Norwegian Nynorsk | `nn` | Γ£ô | |
-| Oriya | `or` | Γ£ô | |
-| Pashto, Pushto | `ps` | Γ£ô | |
-| Persian | `fa` | Γ£ô | |
-| Polish | `pl` | Γ£ô | |
-| Portuguese | `pt` | Γ£ô | |
-| Punjabi, Panjabi | `pa` | Γ£ô | |
-| Queretaro Otomi | `otq` | Γ£ô | 2020-09-01 |
-| Romanian, Moldavian, Moldovan | `ro` | Γ£ô | |
-| Russian | `ru` | Γ£ô | |
-| Samoan | `sm` | Γ£ô | 2020-09-01 |
-| Serbian | `sr` | Γ£ô | |
-| Sinhala, Sinhalese | `si` | Γ£ô | |
-| Slovak | `sk` | Γ£ô | |
-| Slovenian | `sl` | Γ£ô | |
-| Somali | `so` | Γ£ô | |
-| Spanish, Castilian | `es` | Γ£ô | |
-| Swahili | `sw` | Γ£ô | |
-| Swedish | `sv` | Γ£ô | |
-| Tagalog | `tl` | Γ£ô | |
-| Tahitian | `ty` | Γ£ô | 2020-09-01 |
-| Tamil | `ta` | Γ£ô | |
-| Telugu | `te` | Γ£ô | |
-| Thai | `th` | Γ£ô | |
-| Tongan | `to` | Γ£ô | 2020-09-01 |
-| Turkish | `tr` | Γ£ô | |
-| Ukrainian | `uk` | Γ£ô | |
-| Urdu | `ur` | Γ£ô | |
-| Uzbek | `uz` | Γ£ô | |
-| Vietnamese | `vi` | Γ£ô | |
-| Welsh | `cy` | Γ£ô | |
-| Yiddish | `yi` | Γ£ô | |
-| Yucatec Maya | `yua` | Γ£ô | |
+|Afrikaans|`af`|Γ£ô| |
+|Albanian|`sq`|Γ£ô| |
+|Amharic|`am`|Γ£ô|2021-01-05|
+|Arabic|`ar`|Γ£ô| |
+|Armenian|`hy`|Γ£ô| |
+|Assamese|`as`|Γ£ô|2021-01-05|
+|Azerbaijani|`az`|Γ£ô|2021-01-05|
+|Basque|`eu`|Γ£ô| |
+|Belarusian|`be`|Γ£ô| |
+|Bengali|`bn`|Γ£ô| |
+|Bosnian|`bs`|Γ£ô|2020-09-01|
+|Bulgarian|`bg`|Γ£ô| |
+|Burmese|`my`|Γ£ô| |
+|Catalan|`ca`|Γ£ô| |
+|Central Khmer|`km`|Γ£ô| |
+|Chinese|`zh`|Γ£ô| |
+|Chinese Simplified|`zh_chs`|Γ£ô| |
+|Chinese Traditional|`zh_cht`|Γ£ô| |
+|Corsican|`co`|Γ£ô|2021-01-05|
+|Croatian|`hr`|Γ£ô| |
+|Czech|`cs`|Γ£ô| |
+|Danish|`da`|Γ£ô| |
+|Dari|`prs`|Γ£ô|2020-09-01|
+|Divehi|`dv`|Γ£ô| |
+|Dutch|`nl`|Γ£ô| |
+|English|`en`|Γ£ô| |
+|Esperanto|`eo`|Γ£ô| |
+|Estonian|`et`|Γ£ô| |
+|Fijian|`fj`|Γ£ô|2020-09-01|
+|Finnish|`fi`|Γ£ô| |
+|French|`fr`|Γ£ô| |
+|Galician|`gl`|Γ£ô| |
+|Georgian|`ka`|Γ£ô| |
+|German|`de`|Γ£ô| |
+|Greek|`el`|Γ£ô| |
+|Gujarati|`gu`|Γ£ô| |
+|Haitian|`ht`|Γ£ô| |
+|Hausa|`ha`|Γ£ô|2021-01-05|
+|Hebrew|`he`|Γ£ô| |
+|Hindi|`hi`|Γ£ô| |
+|Hmong Daw|`mww`|Γ£ô|2020-09-01|
+|Hungarian|`hu`|Γ£ô| |
+|Icelandic|`is`|Γ£ô| |
+|Igbo|`ig`|Γ£ô|2021-01-05|
+|Indonesian|`id`|Γ£ô| |
+|Inuktitut|`iu`|Γ£ô| |
+|Irish|`ga`|Γ£ô| |
+|Italian|`it`|Γ£ô| |
+|Japanese|`ja`|Γ£ô| |
+|Javanese|`jv`|Γ£ô|2021-01-05|
+|Kannada|`kn`|Γ£ô| |
+|Kazakh|`kk`|Γ£ô|2020-09-01|
+|Kinyarwanda|`rw`|Γ£ô|2021-01-05|
+|Kirghiz|`ky`|Γ£ô|2021-01-05|
+|Korean|`ko`|Γ£ô| |
+|Kurdish|`ku`|Γ£ô| |
+|Lao|`lo`|Γ£ô| |
+|Latin|`la`|Γ£ô| |
+|Latvian|`lv`|Γ£ô| |
+|Lithuanian|`lt`|Γ£ô| |
+|Luxembourgish|`lb`|Γ£ô|2021-01-05|
+|Macedonian|`mk`|Γ£ô| |
+|Malagasy|`mg`|Γ£ô|2020-09-01|
+|Malay|`ms`|Γ£ô| |
+|Malayalam|`ml`|Γ£ô| |
+|Maltese|`mt`|Γ£ô| |
+|Maori|`mi`|Γ£ô|2020-09-01|
+|Marathi|`mr`|Γ£ô|2020-09-01|
+|Mongolian|`mn`|Γ£ô|2021-01-05|
+|Nepali|`ne`|Γ£ô|2021-01-05|
+|Norwegian|`no`|Γ£ô| |
+|Norwegian Nynorsk|`nn`|Γ£ô| |
+|Oriya|`or`|Γ£ô| |
+|Pasht|`ps`|Γ£ô| |
+|Persian|`fa`|Γ£ô| |
+|Polish|`pl`|Γ£ô| |
+|Portuguese|`pt`|Γ£ô| |
+|Punjabi|`pa`|Γ£ô| |
+|Queretaro Otomi|`otq`|Γ£ô|2020-09-01|
+|Romanian|`ro`|Γ£ô| |
+|Russian|`ru`|Γ£ô| |
+|Samoan|`sm`|Γ£ô|2020-09-01|
+|Serbian|`sr`|Γ£ô| |
+|Shona|`sn`|Γ£ô|2021-01-05|
+|Sindhi|`sd`|Γ£ô|2021-01-05|
+|Sinhala|`si`|Γ£ô| |
+|Slovak|`sk`|Γ£ô| |
+|Slovenian|`sl`|Γ£ô| |
+|Somali|`so`|Γ£ô| |
+|Spanish|`es`|Γ£ô| |
+|Sundanese|`su`|Γ£ô|2021-01-05|
+|Swahili|`sw`|Γ£ô| |
+|Swedish|`sv`|Γ£ô| |
+|Tagalog|`tl`|Γ£ô| |
+|Tahitian|`ty`|Γ£ô|2020-09-01|
+|Tajik|`tg`|Γ£ô|2021-01-05|
+|Tamil|`ta`|Γ£ô| |
+|Tatar|`tt`|Γ£ô|2021-01-05|
+|Telugu|`te`|Γ£ô| |
+|Thai|`th`|Γ£ô| |
+|Tibetan|`bo`|Γ£ô|2021-01-05|
+|Tigrinya|`ti`|Γ£ô|2021-01-05|
+|Tongan|`to`|Γ£ô|2020-09-01|
+|Turkmen|`tk`|Γ£ô|2021-01-05|
+|Xhosa|`xh`|Γ£ô|2021-01-05|
+|Yoruba|`yo`|Γ£ô|2021-01-05|
+|Zulu|`zu`|Γ£ô|2021-01-05|
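Review bot: "Pasht" in the Pashto row is a typo introduced by this rewrite (the removed row read "Pashto, Pushto"); restore "Pashto". The rewrite also drops the alternate names the old rows carried ("Catalan, Valencian", "Divehi, Dhivehi, Maldivian", "Dutch, Flemish", "Haitian, Haitian Creole", "Punjabi, Panjabi", "Romanian, Moldavian, Moldovan", "Sinhala, Sinhalese", "Spanish, Castilian"), and with them the ability to find those languages by searching the page; if the trim is deliberate it should be a conscious choice, not a side effect of reformatting. Yucatec Maya (`yua`) is present in the removed table and absent from the new one with no entry in the whats-new page saying it was withdrawn; if the service still detects it, it was dropped by mistake.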
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/text-analytics/migration-guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/migration-guide.md
@@ -8,7 +8,7 @@
Previously updated : 12/17/2020 Last updated : 01/22/2021
@@ -41,9 +41,6 @@ See the reference documentation for examples of the JSON response.
### Feature changes
-> [!NOTE]
-> Currently, [v3 entity categories](named-entity-types.md) are only returned on English and Spanish text. The API returns version 2.1 results for requests in other languages, provided they are supported in version 2.1.
- In version 2.1, the Text Analytics API uses one endpoint for Named Entity Recognition (NER) and entity linking. Version 3 provides expanded named entity detection, and uses separate endpoints for NER and entity linking requests. Starting in v3.1-preview.1, NER can additionally detect personal `pii` and health `phi` information. ### Steps to migrate
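Review bot: removing this note matches the language-support change, but the paragraph that remains tells migrating callers nothing about what v3 returns for a language the v3 model does not support, which is exactly the case the deleted note covered; add a sentence stating the v3 behaviour for those languages so that a v2.1 caller knows whether to expect an error or an empty result.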
@@ -69,6 +66,35 @@ See the reference documentation for examples of the JSON response.
[!INCLUDE [Client library migration information](includes/client-library-migration-section.md)]
+#### Version 2.1 entity categories
+
+The following table lists the entity categories returned for NER v2.1.
+
+| Category | Description |
+||--|
+| Person | Names of people. |
+|Location | Natural and human-made landmarks, structures, geographical features, and geopolitical entities |
+|Organization | Companies, political groups, musical bands, sport clubs, government bodies, and public organizations. Nationalities and religions are not included in this entity type. |
+| PhoneNumber | Phone numbers (US and EU phone numbers only). |
+| Email | Email addresses. |
+| URL | URLs to websites. |
+| IP | Network IP addresses. |
+| DateTime | Dates and times of day.|
+| Date | Calender dates. |
+| Time | Times of day |
+| DateRange | Date ranges. |
+| TimeRange | Time ranges. |
+| Duration | Durations. |
+| Set | Set, repeated times. |
+| Quantity | Numbers and numeric quantities. |
+| Number | Numbers. |
+| Percentage | Percentages.|
+| Ordinal | Ordinal numbers. |
+| Age | Ages. |
+| Currency | Currencies. |
+| Dimension | Dimensions and measurements. |
+| Temperature | Temperatures. |
+ ## [Language detection](#tab/language-detection) ### Feature changes
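Review bot: the header separator row of the new entity categories table is `||--|`, which is not a valid separator for a two-column table; it needs a dash cell per column (`|--|--|`) or the table will not render. Also "Calender dates." should be "Calendar dates." and "Times of day" lacks its period. The sub-entries (Date through Set, Number through Temperature) are listed as siblings of DateTime and Quantity, so a reader cannot tell which rows are parents; a third column, or the same "subcategory" wording the named-entity-types article uses, would make the hierarchy visible.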
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/text-analytics/named-entity-types https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/named-entity-types.md
@@ -9,13 +9,17 @@
Previously updated : 07/28/2020 Last updated : 01/22/2021 # Supported entity categories in the Text Analytics API v3
-Use this article to find the entity categories that can be returned by [Named Entity Recognition](how-tos/text-analytics-how-to-entity-linking.md) (NER). A preview of NER v3.1 is also available, which includes the ability to detect personal (`PII`) and health (`PHI`) information. Additionally, click on the **Health** tab to see a list of supported categories in Text Analytics for health.
+Use this article to find the entity categories that can be returned by [Named Entity Recognition](how-tos/text-analytics-how-to-entity-linking.md) (NER). NER runs a predictive model to identify and categorize named entities from an input document.
+
+A preview of NER v3.1 is also available, which includes the ability to detect personal (`PII`) and health (`PHI`) information. Additionally, click on the **Health** tab to see a list of supported categories in Text Analytics for health.
+
+You can find a list of types returned by version 2.1 in the [migration guide](migration-guide.md?tabs=named-entity-recognition)
## Entity categories
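Review bot: the new last sentence, "You can find a list of types returned by version 2.1 in the [migration guide](migration-guide.md?tabs=named-entity-recognition)", is missing its terminal period, and it says "types" while the migration guide table and this article's own headings say "categories"; use one term. The NER link still points at `how-tos/text-analytics-how-to-entity-linking.md`, the entity-linking how-to; that is pre-existing (the removed line had the same link) but worth a look while the intro is being rewritten.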
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/text-analytics/quickstarts/client-libraries-rest-api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/quickstarts/client-libraries-rest-api.md
@@ -8,7 +8,7 @@
Previously updated : 12/02/2020 Last updated : 01/20/2021 keywords: text mining, sentiment analysis, text analytics
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/text-analytics/whats-new https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/text-analytics/whats-new.md
@@ -8,7 +8,7 @@
Previously updated : 12/02/2020 Last updated : 01/27/2021
@@ -17,6 +17,14 @@
The Text Analytics API is updated on an ongoing basis. To stay up-to-date with recent developments, this article provides you with information about new releases and features.
+## January 2021
+
+* The `2021-01-15` model version for [Named Entity Recognition](how-tos/text-analytics-how-to-entity-linking.md) v3.x, which provides
+ * Expanded language support for [several general entity categories](named-entity-types.md).
+ * Improved AI quality of general entity categories for all supported v3 languages.
+
+* The `2021-01-05` model-version for [language detection](how-tos/text-analytics-how-to-language-detection.md), which provides additional [language support](language-support.md?tabs=language-detection).
+ ## December 2020 * [Updated pricing](https://azure.microsoft.com/pricing/details/cognitive-services/text-analytics/) details for the Text Analytics API
@@ -61,7 +69,7 @@ The Text Analytics API is updated on an ongoing basis. To stay up-to-date with r
### Text Analytics for health container updates The following updates are specific to the September release of the Text Analytics for health container only.
-* A new container image with tag `1.1.013530001-amd64-preview` with the new model-version `2020-09-03` has been released to the containerpreview repository.
+* A new container image with tag `1.1.013530001-amd64-preview` with the new model-version `2020-09-03` has been released to the container preview repository.
* This model version provides improvements in entity recognition, abbreviation detection, and latency enhancements. > [!div class="nextstepaction"]
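Review bot: splitting "containerpreview repository" into "container preview repository" changes an identifier if `containerpreview` is the name of the registry the preview image is pulled from; if that is the case, keep it as one word in code font ("the `containerpreview` repository"), otherwise the prose form is fine. The same bullet also stacks two "with" clauses ("with tag `1.1.013530001-amd64-preview` with the new model-version `2020-09-03`"); "with tag `...` and model version `2020-09-03`" reads better.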
connectors https://docs.microsoft.com/en-us/azure/connectors/connectors-native-http https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/connectors/connectors-native-http.md
@@ -244,7 +244,7 @@ If an HTTP trigger or action includes these headers, Logic Apps removes these he
* `Accept-*` headers except for `Accept-version` * `Allow`
-* `Content-*` with these exceptions: `Content-Disposition`, `Content-Encoding`, and `Content-Type`
+* `Content-*` headers except for `Content-Disposition`, `Content-Encoding`, and `Content-Type` when you use POST and PUT operations, but are not included for GET operations
* `Cookie` * `Expires` * `Host`
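Review bot: the rewritten `Content-*` bullet is ambiguous: "`Content-*` headers except for `Content-Disposition`, `Content-Encoding`, and `Content-Type` when you use POST and PUT operations, but are not included for GET operations" does not say what "are not included" refers to (the three exceptions, or all `Content-*` headers). If the intent is that the three headers are preserved only for POST and PUT and stripped like the rest for GET, say so explicitly, for example "`Content-*` headers, except for `Content-Disposition`, `Content-Encoding`, and `Content-Type`, which are kept for POST and PUT operations but removed for GET operations".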
connectors https://docs.microsoft.com/en-us/azure/connectors/connectors-native-reqres https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/connectors/connectors-native-reqres.md
@@ -212,7 +212,7 @@ When you use the Request trigger to handle inbound requests, you can model the r
> If a Response action includes these headers, Logic Apps removes these headers from the generated response message without showing any warning or error: > > * `Allow`
-> * `Content-*` with these exceptions: `Content-Disposition`, `Content-Encoding`, and `Content-Type`
+> * `Content-*` headers except for `Content-Disposition`, `Content-Encoding`, and `Content-Type` when you use POST and PUT operations, but are not included for GET operations
> * `Cookie` > * `Expires` > * `Last-Modified`
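Review bot: same ambiguity as the HTTP connector article: "`Content-*` headers except for ... when you use POST and PUT operations, but are not included for GET operations" leaves the subject of "are not included" unclear. Rephrase it to state plainly which headers are kept for POST and PUT and removed for GET, and keep the wording identical to the connectors-native-http bullet so the two articles do not drift.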
container-registry https://docs.microsoft.com/en-us/azure/container-registry/container-registry-customer-managed-keys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/container-registry-customer-managed-keys.md
@@ -561,15 +561,20 @@ After completing the preceding steps, rotate the key to a new key in the key vau
## Troubleshoot
-### Removing user-assigned identity
+### Removing managed identity
-If you try to remove a user-assigned identity from a registry that is used for encryption, you might see an error message similar to:
+
+If you try to remove a user-assigned or system-assigned managed identity from a registry that is used to configure encryption, you might see an error message similar to:
``` Azure resource '/subscriptions/xxxx/resourcegroups/myGroup/providers/Microsoft.ContainerRegistry/registries/myRegistry' does not have access to identity 'xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx' Try forcibly adding the identity to the registry <registry name>. For more information on bring your own key, please visit 'https://aka.ms/acr/cmk'. ```
-You will also be unable to change (rotate) the encryption key. If this issue occurs, first reassign the identity using the GUID displayed in the error message. For example:
+You will also be unable to change (rotate) the encryption key. The resolution steps depend on the type of identity used for encryption.
+
+**User-assigned identity**
+
+If this issue occurs with a user-assigned identity, first reassign the identity using the GUID displayed in the error message. For example:
```azurecli az acr identity assign -n myRegistry --identities xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx
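Review bot: the new user-assigned steps say "first reassign the identity using the GUID displayed in the error message" and the example passes that GUID to `--identities`, while the error text itself only says "Try forcibly adding the identity to the registry"; state which value `--identities` expects here (the identity GUID shown in the message versus the identity's full resource ID) so the reader does not have to guess. Also, "**User-assigned identity**" is a bold pseudo-heading under a section that uses `###` headings ("### Removing managed identity"); a `####` heading would be consistent and would show up in the page outline.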
@@ -577,6 +582,11 @@ az acr identity assign -n myRegistry --identities xxxxxxxxx-xxxx-xxxx-xxxx-xxxxx
Then, after changing the key and assigning a different identity, you can remove the original user-assigned identity.
+**System-assigned identity**
+
+If this issue occurs with a system-assigned identity, please [create an Azure support ticket](https://azure.microsoft.com/support/create-ticket/) for assistance to restore the identity.
++ ## Next steps * Learn more about [encryption at rest in Azure](../security/fundamentals/encryption-atrest.md).
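Review bot: the system-assigned branch gives only "please [create an Azure support ticket](...) for assistance to restore the identity"; drop "please" per the style guide, and tell the reader what they cannot do in the meantime (the preceding text already says key rotation is blocked, so a short "Until the identity is restored, you can't rotate the key" pointer would close the loop). The "**System-assigned identity**" bold pseudo-heading has the same heading-level issue as the user-assigned one above.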
container-registry https://docs.microsoft.com/en-us/azure/container-registry/container-registry-health-error-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/container-registry-health-error-reference.md
@@ -2,12 +2,14 @@
Title: Error reference for registry health checks description: Error codes and possible solutions to problems found by running the az acr check-health diagnostic command in Azure Container Registry Previously updated : 07/02/2019 Last updated : 01/25/2021 # Health check error reference Following are details about error codes returned by the [az acr check-health][az-acr-check-health] command. For each error, possible solutions are listed.
+For information about running `az acr check-healh`, see [Check the health of an Azure container registry](container-registry-check-health.md).
+ ## DOCKER_COMMAND_ERROR This error means that Docker client for CLI could not be found. As a result, the following additional checks are not run: finding Docker version, evaluating Docker daemon status, and running a Docker pull command.
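Review bot: typo in the added sentence: `az acr check-healh` should be `az acr check-health`; the command is spelled correctly in the preceding paragraph ("[az acr check-health][az-acr-check-health]"), and as written the code span points readers to a command that does not exist.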
@@ -44,6 +46,12 @@ This error means that the CLI was unable to determine the Helm version installed
*Potential solutions*: Update to the latest Azure CLI version or to the recommended Helm version; run the command manually and investigate the error message.
+## CMK_ERROR
+
+This error means that the registry can't access the user-assigned or sysem-assigned managed identity used to configure registry encryption with a customer-managed key. The managed identity might have been deleted.
+
+*Potential solution*: To resolve the issue and rotate the key using a different managed identity, see steps to troubleshoot [the user-assigned identity](container-registry-customer-managed-keys.md#troubleshoot).
+ ## CONNECTIVITY_DNS_ERROR This error means that the DNS for the given registry login server was pinged but did not respond, which means it is unavailable. This can indicate some connectivity issues. Alternatively, the registry might not exist, the user might not have the permissions on the registry (to retrieve its login server properly), or the target registry is in a different cloud than the one used in the Azure CLI.
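Review bot: typo in the new CMK_ERROR section: "sysem-assigned" should be "system-assigned". The link text in the potential solution, "see steps to troubleshoot [the user-assigned identity]", also undersells the target: the description says the error applies to both user-assigned and system-assigned identities, and the linked section is renamed "Removing managed identity" in the companion change and covers both, so use neutral text such as "see the managed identity troubleshooting steps".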
container-registry https://docs.microsoft.com/en-us/azure/container-registry/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Container Registry description: Lists Azure Policy Regulatory Compliance controls available for Azure Container Registry. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
cosmos-db https://docs.microsoft.com/en-us/azure/cosmos-db/partners-migration-cosmosdb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/partners-migration-cosmosdb.md
@@ -26,7 +26,7 @@ From NoSQL migration to application development, you can choose from a variety o
| [Capgemini](https://www.capgemini.com/) | Retail (inventory), IoT, Operational Analytics (Spark), App development | USA, France, UK, Netherlands, Finland | | [Cognizant](https://www.cognizant.com/) | IoT, Personalization, Retail (inventory), Operational Analytics (Spark), App development |USA, Canada, UK, Denmark, Netherlands, Switzerland, Australia, Japan | |[Infosys](https://www.infosys.com/) | App development | USA |
-| [Lagash Systems](https://www.lagash.com/) | IoT, Serverless architecture, App development | Argentina, Chile, Colombia, Mexico|
+| [Lagash Systems](https://www.devex.com/organizations/lagash-systems-131346) | IoT, Serverless architecture, App development | Argentina, Chile, Colombia, Mexico|
| [Lambda3 Informatics](https://www.lambda3.com.br/) | Real-time personalization, Retail inventory, App development | Brazil| |[Neal Analytics](https://www.nealanalytics.com/) | Personalization, Retail (inventory), Operational Analytics (Spark), App development | USA | |[Pragmatic Works Software Inc](https://www.pragmaticworks.com/) | NoSQL migration | USA |
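Review bot: the Lagash Systems link now points to a third-party directory listing (devex.com) rather than the partner's own site; every other row in the table links to the partner's home page, so if lagash.com is no longer live, say so in the change description and consider whether a directory entry is an appropriate link for a partner table, or whether the row should be retired.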
cosmos-db https://docs.microsoft.com/en-us/azure/cosmos-db/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Cosmos DB description: Lists Azure Policy Regulatory Compliance controls available for Azure Cosmos DB. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
cost-management-billing https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/analyze-cost-data-azure-cost-management-power-bi-template-app https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/costs/analyze-cost-data-azure-cost-management-power-bi-template-app.md
@@ -3,7 +3,7 @@ Title: Analyze Azure costs with the Power BI App
description: This article explains how to install and use the Azure Cost Management Power BI App. Previously updated : 11/09/2020 Last updated : 1/29/2021
@@ -14,9 +14,9 @@
This article explains how to install and use the Azure Cost Management Power BI app. The app helps you analyze and manage your Azure costs in Power BI. You can use the app to monitor costs, usage trends, and identify cost optimization options to reduce your expenditures.
-You can use the app as-is, or you can modify it to extend the default filters, views, and visualizations to customize for your needs. Then, use it to join additional data to create customized reports to get holistic views of your overall business cost.
+The Azure Cost Management Power BI app currently supports only customers with an [Enterprise Agreement](https://azure.microsoft.com/pricing/enterprise-agreement/).
-The Azure Cost Management Power BI App currently supports only customers with an [Enterprise Agreement](https://azure.microsoft.com/pricing/enterprise-agreement/).
+The app limits customizability. If you want to modify and extend the default filters, views, and visualizations to customize for your needs, use [Azure Cost Management connector in Power BI Desktop](/power-bi/connect-data/desktop-connect-azure-cost-management) instead. With the Azure Cost Management connector you can join additional data from other sources to create customized reports to get holistic views of your overall business cost. The connector also supports Microsoft Customer Agreements.
> [!NOTE] > Power BI template apps don't support downloading the PBIX file.
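Review bot: "The app limits customizability" reads awkwardly; "The app has limited customizability" is clearer. In the same paragraph, "use [Azure Cost Management connector in Power BI Desktop]" and "With the Azure Cost Management connector you can" need a consistent article ("the Azure Cost Management connector") and a comma after "With the Azure Cost Management connector", and "Microsoft Customer Agreements" should be singular to match "Enterprise Agreement" in the preceding paragraph.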
data-factory https://docs.microsoft.com/en-us/azure/data-factory/connect-data-factory-to-azure-purview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connect-data-factory-to-azure-purview.md
@@ -17,11 +17,32 @@ Last updated 12/3/2020
# Connect Data Factory to Azure Purview (Preview) [!INCLUDE[appliesto-adf-xxx-md](includes/appliesto-adf-xxx-md.md)]
-This article will explain how to connect data factory to Azure Purview and how to report data lineage of ADF activities Copy data, Data flow and Execute SSIS package.
+This article will explain how to connect Data Factory to Azure Purview and how to report data lineage of Azure Data Factory activities Copy data, Data flow and Execute SSIS package.
-## Connect data factory to Azure Purview
-Azure Purview is a new cloud service for use by data users centrally manage data governance across their data estate spanning cloud and on-prem environments. You can connect your data factory to Azure Purview and the connection allows you to leverage Azure Purview for capturing lineage data of Copy, Data flow and Execute SSIS package.
-For how to register data factory in Azure Purview, see [How to connect Azure Data Factory and Azure Purview](../purview/how-to-link-azure-data-factory.md).
+
+## Connect Data Factory to Azure Purview
+Azure Purview is a new cloud service for use by data users centrally manage data governance across their data estate spanning cloud and on-prem environments. You can connect your Data Factory to Azure Purview and the connection allows you to use Azure Purview for capturing lineage data of Copy, Data flow and Execute SSIS package.
+You have two ways to connect data factory to Azure Purview:
+### Register Azure Purview account to Data Factory
+1. In the ADF portal, go to **Manage** -> **Azure Purview**. Select **Connect to a Purview account**.
+
+:::image type="content" source="./media/data-factory-purview/register-purview-account.png" alt-text="Screenshot for registering a Purview account.":::
+2. You can choose **From Azure subscription** or **Enter manually**. **From Azure subscription**, you can select the account that you have access to.
+3. Once connected, you should be able to see the name of the Purview account in the tab **Purview account**.
+4. You can use the Search bar at the top center of Azure Data Factory portal to search for data.
+
+If you see warning in Azure Data Factor portal after you register Azure Purview account to Data Factory, follow below steps to fix the issue:
+
+:::image type="content" source="./media/data-factory-purview/register-purview-account-warning.png" alt-text="Screenshot for warning of registering a Purview account.":::
+
+1. Go to Azure portal and find your data factory. Choose section "Tags" and see if there is a tag named **catalogUri**. If not, please disconnect and reconnect the Azure Purview account in the ADF portal.
+
+:::image type="content" source="./media/data-factory-purview/register-purview-account-tag.png" alt-text="Screenshot for tags of registering a Purview account.":::
+
+2. Check if the permission is granted for registering an Azure Purview account to Data Factory. See [How to connect Azure Data Factory and Azure Purview](https://docs.microsoft.com/azure/purview/how-to-link-azure-data-factory#create-new-data-factory-connection)
+
+### Register Data Factory in Azure Purview
+For how to register Data Factory in Azure Purview, see [How to connect Azure Data Factory and Azure Purview](https://docs.microsoft.com/azure/purview/how-to-link-azure-data-factory).
## Report Lineage data to Azure Purview When customers run Copy, Data flow or Execute SSIS package activity in Azure Data Factory, customers could get the dependency relationship and have a high-level overview of whole workflow process among data sources and destination.
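Review bot: several fixes needed in the new registration steps. "If you see warning in Azure Data Factor portal" should read "If you see a warning in the Azure Data Factory portal"; "You have two ways to connect data factory to Azure Purview" should capitalize "Data Factory" as the rest of the rewrite now does; and the carried-over sentence "for use by data users centrally manage data governance" is still ungrammatical (something like "that lets data users centrally manage data governance"). The two links to how-to-link-azure-data-factory use absolute https://docs.microsoft.com URLs, whereas the removed line used the repo-relative form ../purview/how-to-link-azure-data-factory.md; keep the relative form so the links resolve in every locale and build. Finally, the screenshots placed between numbered steps 1 and 2 (in both lists) will restart the numbering unless they are indented under the step they belong to.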
data-factory https://docs.microsoft.com/en-us/azure/data-factory/data-factory-private-link https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-factory-private-link.md
@@ -44,7 +44,7 @@ With the support of Private Link for Azure Data Factory, you can:
* Create a private endpoint in your virtual network. * Enable the private connection to a specific data factory instance.
-The communications to Azure Data Factory service go through Private Link and help provide secure private connectivity. You donΓÇÖt need to configure the preceding domain and port in a virtual network or your corporate firewall to provide a more secure way to protect your resources.
+The communications to Azure Data Factory service go through Private Link and help provide secure private connectivity.
![Diagram of Private Link for Azure Data Factory architecture.](./media/data-factory-private-link/private-link-architecture.png)
@@ -59,6 +59,9 @@ Enabling the Private Link service for each of the preceding communication channe
> [!NOTE] > For functionality that's not currently supported, you still need to configure the previously mentioned domain and port in the virtual network or your corporate firewall.
+ > [!NOTE]
+ > Connecting to Azure Data Factory via private endpoint is only applicable to self-hosted integration runtime in data factory. It's not supported in Synapse.
+ > [!WARNING] > When you create a linked service, make sure that your credentials are stored in an Azure key vault. Otherwise, the credentials won't work when you enable Private Link in Azure Data Factory.
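Review bot: the new note "Connecting to Azure Data Factory via private endpoint is only applicable to self-hosted integration runtime in data factory. It's not supported in Synapse." can be read two ways: as restricting private endpoint use to self-hosted integration runtime traffic only, or as saying the feature exists in Data Factory but not in Azure Synapse Analytics. Spell out the intended scope in one sentence, and use the full product name "Azure Synapse Analytics".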
data-factory https://docs.microsoft.com/en-us/azure/data-factory/data-factory-ux-troubleshoot-guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-factory-ux-troubleshoot-guide.md
@@ -24,7 +24,7 @@ This article explores common troubleshooting methods for Azure Data Factory UX.
### Third-party cookies blocked ADF UX uses browser cookies to persist user session and enable interactive development and monitoring experiences.
-It is possible your browser blocks third-party cookies because you are using an incognito session or have an ad blocker enabled. Blocking third-party cookies can cause issues when loading the portal, such as being redirected to a blank page, https://adf.azure.com/accesstoken.html, or getting a warning message saying that third-party cookies are blocked. To solve this problem, enable third-party cookies options on your browser using the following steps:
+It is possible your browser blocks third-party cookies because you are using an incognito session or have an ad blocker enabled. Blocking third-party cookies can cause issues when loading the portal, such as being redirected to a blank page, 'https://adf.azure.com/accesstoken.html', or getting a warning message saying that third-party cookies are blocked. To solve this problem, enable third-party cookies options on your browser using the following steps:
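Review bot: wrapping the URL in single quotes ('https://adf.azure.com/accesstoken.html') puts stray quotation marks into the rendered sentence; if the goal is to stop the build from auto-linking or validating the URL, a code span (`https://adf.azure.com/accesstoken.html`) is the usual way to mark a literal address.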
### Google Chrome
data-factory https://docs.microsoft.com/en-us/azure/data-factory/data-flow-reserved-capacity-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-reserved-capacity-overview.md
@@ -1,54 +0,0 @@
- Title: Save compute costs with reserved capacity
-description: Learn how to buy Azure Data Factory data flow reserved capacity to save on your compute costs.
---- Previously updated : 01/25/2021-
-# Save costs for resources with reserved capacity - Azure Data Factory data flows
-
-Save money with Azure Data Factory data flow costs by committing to a reservation for compute resources compared to pay-as-you-go prices. With reserved capacity, you make a commitment for ADF data flow usage for a period of one or three years to get a significant discount on the compute costs. To purchase reserved capacity, you need to specify the Azure region, compute type, core count, and term.
-
-You do not need to assign the reservation to a specific factory or integration runtime. Existing factories or newly deployed factories automatically get the benefit. By purchasing a reservation, you commit to usage for the data flow compute costs for a period of one or three years. As soon as you buy a reservation, the compute charges that match the reservation attributes are no longer charged at the pay-as-you go rates.
-
-You can buy reserved capacity in the [Azure portal](https://portal.azure.com). Pay for the reservation [up front or with monthly payments](https://docs.microsoft.com/azure/cost-management-billing/reservations/prepare-buy-reservation.md). To buy reserved capacity:
--- You must be in the owner role for at least one Enterprise or individual subscription with pay-as-you-go rates.-- For Enterprise subscriptions, **Add Reserved Instances** must be enabled in the [EA portal](https://ea.azure.com). Or, if that setting is disabled, you must be an EA Admin on the subscription. Reserved capacity.-
-For more information about how enterprise customers and Pay-As-You-Go customers are charged for reservation purchases, see [Understand Azure reservation usage for your Enterprise enrollment](https://docs.microsoft.com/azure/cost-management-billing/reservations/understand-reserved-instance-usage-ea) and [Understand Azure reservation usage for your Pay-As-You-Go subscription](https://docs.microsoft.com/azure/cost-management-billing/reservations/understand-reserved-instance-usage.md).
-
-> [!NOTE]
-> Purchasing reserved capacity does not pre-allocate or reserve specific infrastructure resources (virtual machines or clusters) for your use.
-
-## Determine proper Azure IR sizes needed before purchase
-
-The size of reservation should be based on the total amount of compute used by the existing or soon-to-be-deployed data flows using the same compute tier.
-
-For example, let's suppose that you are executing a pipeline hourly using memory optimized with 32 cores. Further, let's supposed that you plan to deploy within the next month an additional pipeline that uses general purpose 64 cores. Also, let's suppose that you know that you will need these resources for at least 1 year. In this case, you should purchase a 32 cores 1-year reservation for memory optimized data flows and a general purpose 64 core 1-year reservation.
-
-## Buy reserved capacity
-
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **All services** > **Reservations**.
-3. Select **Add** and then in the **Purchase Reservations** pane, select **ADF Data Flows** to purchase a new reservation for ADF data flows.
-4. Fill in the required fields and attributes you select qualify to get the reserved capacity discount. The actual number of data flows that get the discount depends on the scope and quantity selected.
-5. Review the cost of the capacity reservation in the **Costs** section.
-6. Select **Purchase**.
-7. Select **View this Reservation** to see the status of your purchase.
-
-## Cancel, exchange, or refund reservations
-
-You can cancel, exchange, or refund reservations with certain limitations. For more information, see [Self-service exchanges and refunds for Azure Reservations](https://docs.microsoft.com/azure/cost-management-billing/reservations/exchange-and-refund-azure-reservations.md).
-
-## Need help? Contact us
-
-If you have questions or need help, [create a support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).
-
-## Next steps
-
-To learn more about Azure Reservations, see the following articles:
--- [Understand Azure Reservations discount](data-flow-understand-reservation-charges.md)
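Review bot: this removes the whole reserved capacity article; make sure the change also removes its TOC entry and adds a redirect for data-flow-reserved-capacity-overview.md. The deleted "Next steps" shows this page and data-flow-understand-reservation-charges.md link to each other, and the Cost Management reservation articles it references may link back, so check for inbound links before merging.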
data-factory https://docs.microsoft.com/en-us/azure/data-factory/data-flow-understand-reservation-charges https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-understand-reservation-charges.md
@@ -1,40 +0,0 @@
- Title: Understand reservations discount for Azure Data Factory data flows | Microsoft Docs
-description: Learn how a reservation discount is applied to running ADF data flows. The discount is applied to these data flows on an hourly basis.
--- Previously updated : 01/25/2021---
-# How a reservation discount is applied to Azure Data Factory data flows
-
-After you buy ADF data flow reserved capacity, the reservation discount is automatically applied to data flows using an Azure integration runtime that match the compute type and core count of the reservation.
-
-## How reservation discount is applied
-
-A reservation discount is "*use-it-or-lose-it*". So, if you don't have matching Azure integration resources used for any hour, then you lose a reservation quantity for that hour. You can't carry forward unused reserved hours.
-
-When you stop using the integration runtime for data flows, the reservation discount automatically applies to another matching resource in the specified scope. If no matching resources are found in the specified scope, then the reserved hours are *lost*.
-
-## Discount applied to ADF data flows
-
-The ADF data flow reserved capacity discount is applied to executing integration runtimes on an hourly basis. The reservation that you buy is matched to the compute usage emitted by the integration runtime being utilized. For data flows that don't run the full hour, the reservation is automatically applied to other data flows matching the reservation attributes. The discount can apply to data flows that are running concurrently. If you don't have data flows that run for the full hour that match the reservation attributes, you don't get the full benefit of the reservation discount for that hour.
-
-The following examples show how the ADF data flow reserved capacity discount applies depending on the number of cores you bought, and when they're running.
--- Scenario 1: You buy an ADF data flow reserved capacity for 80 cores of memory optimized compute. You run a data flow with an Azure integration runtime set to 144 cores of memory optimized for one hour. You're charged the pay-as-you-go price for 64 cores of data flow usage for one hour. You get the reservation discount for one hour of 80 cores of memory optimized usage.-- Scenario 2: You buy an ADF data flow reserved capacity for 32 cores of general purpose compute. You debug your data flows for 1 hour using 32 cores of general compute Azure integration runtime. You get the reservation discount for that entire hour of usage.-
-To understand and view the application of your Azure Reservations in billing usage reports, see [Understand Azure reservation usage](https://docs.microsoft.com/azure/cost-management-billing/reservations/understand-reserved-instance-usage-ea).
-
-## Need help? Contact us
-
-If you have questions or need help, [create a support request](https://go.microsoft.com/fwlink/?linkid=2083458).
-
-## Next steps
-
-To learn more about Azure Reservations, see the following article:
--- [What are Azure Reservations?](https://docs.microsoft.com/azure/cost-management-billing/reservations/save-compute-costs-reservations)
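Review bot: as with the overview article, the deleted data-flow-understand-reservation-charges.md needs a redirect entry and TOC cleanup; its removed "Next steps" link to save-compute-costs-reservations indicates it was wired into the Azure Reservations navigation, so check the cost-management-billing side for back-links to this file.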
data-factory https://docs.microsoft.com/en-us/azure/data-factory/how-to-discover-explore-purview-data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/how-to-discover-explore-purview-data.md /dev/null
@@ -0,0 +1,50 @@
+
+ Title: Discover and explore data in ADF using Purview
+description: Learn how to discover, explore data in Azure Data Factory using Purview
+
+documentationcenter: ''
+++++++ Last updated : 01/15/2021++
+# Discover and explore data in ADF using Purview
+
+[!INCLUDE[appliesto-adf-xxx-md](includes/appliesto-adf-xxx-md.md)]
+
+In this article, you will register an Azure Purview Account to a Data Factory. That connection allows you to discover Azure Purview assets and interact with them through ADF capabilities.
+
+You can perform the following tasks in ADF:
+- Use the search box at the top to find Purview assets based on keywords
+- Understand the data based on metadata, lineage, annotations
+- Connect those data to your data factory with linked services or datasets
+
+## Prerequisites
+- [Azure Purview account](../purview/create-catalog-portal.md)
+- [Data Factory](./quickstart-create-data-factory-portal.md)
+- [Connect an Azure Purview Account into Data Factory](./connect-data-factory-to-azure-purview.md)
+
+## Using Azure Purview in Data Factory
+
+The use Azure Purview in Data Factory requires you to have access to that Purview account. Data Factory passes-through your Purview permission. As an example, if you have a curator permission role, you will be able to edit metadata scanned by Azure Purview.
+
+### Data discovery: search datasets
+
+To discover data registered and scanned by Azure Purview, you can use the Search bar at the top center of Data Factory portal. Make sure that you select Azure Purview to search for all of your organization data.
+
+:::image type="content" source="./media/data-factory-purview/search-dataset.png" alt-text="Screenshot for performing over datasets.":::
+
+### Actions that you can perform over datasets with Data Factory resources
+You can directly create Linked Service, Dataset, or dataflow over the data you search by Azure Purview.
+
+:::image type="content" source="./media/data-factory-purview/actions-over-purview-data.png" alt-text="Screenshot for performing over datasets.":::
+
+##  Next steps
+
+- [Register and scan Azure Data Factory assets in Azure Purview](../purview/register-scan-azure-synapse-analytics.md)
+- [How to Search Data in Azure Purview Data Catalog](../purview/how-to-search-catalog.md)
\ No newline at end of file
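Review bot: a few fixes needed in the new article. "The use Azure Purview in Data Factory requires you" should be "Using Azure Purview in Data Factory requires you", "passes-through" should be "passes through", and "Connect those data" should be "Connect that data". The two screenshots share the alt text "Screenshot for performing over datasets." although they show different things (the search bar and the actions menu), so give each a descriptive alt text. The "Next steps" link labeled "Register and scan Azure Data Factory assets in Azure Purview" points to register-scan-azure-synapse-analytics.md, which looks like the wrong target. Also "##  Next steps" has a double space, and the file is missing a trailing newline (the `\ No newline at end of file` marker).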
data-lake-analytics https://docs.microsoft.com/en-us/azure/data-lake-analytics/data-lake-analytics-manage-use-powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-analytics/data-lake-analytics-manage-use-powershell.md
@@ -293,7 +293,7 @@ Wait-AdlJob -Account $adla -JobId $job.JobId
## Analyzing job history
-Using Azure PowerShell to analyze the history of jobs that have run in Data Lake analytics is a powerful technique. You can use it to gain insights into usage and cost. You can learn more by looking at the [Job History Analysis sample repo](https://github.com/Azure-Samples/data-lake-analytics-powershell-job-history-analysis)
+Using Azure PowerShell to analyze the history of jobs that have run in Data Lake analytics is a powerful technique. You can use it to gain insights into usage and cost. You can learn more by looking at the [Job History Analysis sample repo](https://github.com/jpalbright31/data-lake-analytics-powershell-job-history-analysis)
## List job pipelines and recurrences
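Review bot: the sample link moves from the Azure-Samples organization to a personal GitHub account (jpalbright31); a personal repository can be renamed or deleted without notice and carries no org-level review, so if the Azure-Samples repo has been retired, prefer an org-owned location or state in the change description why the personal copy is now canonical.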
data-lake-analytics https://docs.microsoft.com/en-us/azure/data-lake-analytics/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-analytics/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Data Lake Analytics description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Lake Analytics. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
data-lake-store https://docs.microsoft.com/en-us/azure/data-lake-store/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-store/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Data Lake Storage Gen1 description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Lake Storage Gen1. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
databox-gateway https://docs.microsoft.com/en-us/azure/databox-gateway/data-box-gateway-2101-release-notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-gateway/data-box-gateway-2101-release-notes.md /dev/null
@@ -0,0 +1,44 @@
+
+ Title: Azure Data Box Gateway 2101 release notes| Microsoft Docs
+description: Describes critical open issues and resolutions for the Azure Data Box Gateway running 2101 release.
++
+
+++ Last updated : 01/29/2021+++
+# Azure Data Box Gateway 2101 release notes
+
+The following release notes identify the critical open issues and the resolved issues for the 2101 release of Azure Data Box Gateway.
+
+The release notes are continuously updated. As critical issues that require a workaround are discovered, they are added. Before you deploy your Azure Data Box Gateway, carefully review the information in the release notes.
+
+This release corresponds to the software versions:
+
+- **Data Box Gateway 2101 (1.6.1475.2528)** - KB 4603462
+
+> [!NOTE]
+> Update 2101 can be applied only to all devices that are running general availability (GA) versions of the software or later.
+
+## What's new
+
+This release contains the following bug fix:
+
+- **Upload issue** - This release fixes an upload problem where upload restarts because of failures can slow the rate of upload completion. This problem can occur when uploading a dataset that primarily consists of files that are large in size relative to available bandwidth, particularly, but not limited to, when bandwidth throttling is active. This change ensures sufficient opportunity for upload completion before restarting upload for a given file.
+
+This release also contains the following updates:
+
+- All cumulative Windows updates and .NET framework updates released through October 2020.
+- The static IP address for Azure Data Box Gateway is retained across software updates.
+
+## Known issues in this release
+
+No new issues are release noted for this release. All the release noted issues have carried over from the previous releases. To see a list of known issues, go to [Known issues in the GA release](data-box-gateway-release-notes.md#known-issues-in-ga-release).
+
+## Next steps
+
+- [Prepare to deploy Azure Data Box Gateway](data-box-gateway-deploy-prep.md)
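Review bot: the NOTE line `> Update 2101 can be applied only to all devices that are running general availability (GA) versions of the software or later.` reads as contradictory ("only to all"); drop "all" so it matches the wording used in the Azure Stack Edge 2101 notes. The "Known issues" paragraph uses "release noted" as a verb twice; "No new issues are documented for this release; all known issues carry over from previous releases" is clearer. The upload bug-fix bullet describes the symptom but not the visible change in behaviour (longer wait before a restart, a bounded number of restarts, or something else); one sentence on what an operator watching upload progress should now see lets them tell a patched device from an unpatched one.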
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-2101-release-notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-2101-release-notes.md /dev/null
@@ -0,0 +1,45 @@
+
+ Title: Azure Stack Edge Pro with FPGA 2101 release notes | Microsoft Docs
+description: Describes critical open issues and resolutions for the Azure Stack Edge 2101 release.
+++++ Last updated : 01/29/2021+++
+# Azure Stack Edge Pro with FPGA 2101 release notes
+
+The following release notes identify the critical open issues and the resolved issues for the 2101 release of Azure Stack Edge Pro with with a built-in Field Programmable Gate Array (FPGA).
+
+The release notes are continuously updated. As critical issues that require a workaround are discovered, they are added. Before you deploy your Azure Stack Edge device, carefully review the information in the release notes.
+
+This release corresponds to software version:
+
+- **Azure Stack Edge 2101 (1.6.1475.2528)** - KB 4599267
+
+> [!NOTE]
+> Update 2101 can be applied only to devices that are running general availability (GA) versions of the software or later.
+
+## What's new
+
+This release contains the following bug fix:
+
+- **Upload issue** - This release fixes an upload problem, where upload restarts caused by a failure can slow the rate of upload completion. This problem can occur when uploading a dataset that primarily consists of files that are large relative to available bandwidth, particularly, but not limited to, when bandwidth throttling is active. This change ensures sufficient opportunity for upload completion before restarting upload for a given file.
+
+This release also contains the following updates:
+
+- All cumulative Windows updates and .NET framework updates released through October 2020.
+- The baseboard management controller (BMC) firmware version is upgraded from 3.32.32.32 to 3.36.36.36 during factory install to address incompatibility with newer Dell power supply units.
+- The static IP address for Azure Data Box Gateway is retained across software updates.
+- This release supports IoT Edge 1.0.9.3 on Azure Stack Edge devices.
+
+## Known issues in this release
+
+No new issues are release noted for this release. All the release noted issues have carried over from the previous releases. To see a list of known issues, go to [Known issues in the GA release](data-box-gateway-release-notes.md#known-issues-in-ga-release).
+
+## Next steps
+
+- [Prepare to deploy Azure Stack Edge](../databox-online/azure-stack-edge-deploy-prep.md)
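Review bot: two items were carried over from the Data Box Gateway notes without being adapted. The bullet `- The static IP address for Azure Data Box Gateway is retained across software updates.` sits in the Azure Stack Edge Pro notes and should name Azure Stack Edge, and the known-issues link targets `data-box-gateway-release-notes.md#known-issues-in-ga-release`, which is the Data Box Gateway page, so readers are sent to another product's issue list; point it at the Azure Stack Edge release notes. Also fix "with with a built-in Field Programmable Gate Array" in the intro, and simplify the Next steps link `../databox-online/azure-stack-edge-deploy-prep.md`, which leaves and re-enters the same folder. The BMC firmware bullet (3.32.32.32 to 3.36.36.36) says the upgrade happens "during factory install"; state whether devices already deployed receive it with this update, since the BMC version is what an admin will check when diagnosing the power supply incompatibility.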
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-deploy-sample-module-marketplace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-deploy-sample-module-marketplace.md
@@ -7,7 +7,7 @@
Previously updated : 09/09/2020 Last updated : 01/28/2021
@@ -59,13 +59,11 @@ Before you begin, make sure you have:
6. Enter the name of the IoT Hub service that you created when you configured your Azure Stack Edge Pro device. To find this IoT Hub service name, go to the Azure Stack Edge resource associated with your device in Azure portal.
- 1. In the left pane menu options, go to **Edge compute > Get started**.
-
- 1. In the **Configure Edge compute** tile, select **View config**.
+ 1. In the left pane menu options, go to **Edge services > IoT Edge**.
![View compute config](media/azure-stack-edge-gpu-deploy-sample-module-marketplace/view-config-1.png)
- 1. In the **Edge compute configuration** blade:
+ 1. Go to **Properties**.
1. Make a note of the IoT Hub service that was created when you configured compute on your Azure Stack Edge Pro device. 2. Note the name of the IoT Edge device that was created when you configured compute. You will use this name in the subsequent step.
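Review bot: the navigation text now reads **Edge services > IoT Edge** and then **Properties**, but the screenshot reference `![View compute config](media/azure-stack-edge-gpu-deploy-sample-module-marketplace/view-config-1.png)` and its alt text still describe the old **View config** tile; replace the image or at least its alt text so it matches the new path. The last two sub-steps are also run together on one line ("1. Make a note of the IoT Hub service ... 2. Note the name of the IoT Edge device ..."); split them so the numbering renders.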
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-kubernetes-storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-kubernetes-storage.md
@@ -7,7 +7,7 @@
Previously updated : 11/04/2020 Last updated : 01/28/2021 # Kubernetes storage management on your Azure Stack Edge Pro GPU device
@@ -74,11 +74,11 @@ The following steps occur:
On the Azure Stack Edge Pro device, statically provisioned `PersistentVolumes` are created using the device' storage capabilities. When you provision a share and **Use the share with Edge compute** option is enabled, this action creates a PV resource automatically in the Kubernetes cluster.
-![Local share creation in Azure portal for static provisioning](./media/azure-stack-edge-gpu-kubernetes-storage/static-provisioning-azure-portal-2.png)
+![Local share creation in Azure portal for static provisioning](./media/azure-stack-edge-gpu-kubernetes-storage/static-provisioning-azure-portal-1.png)
To use cloud tiering, you can create an Edge cloud share with the Use the share with Edge compute option enabled. A PV is again created automatically for this share. Any application data that you write to the Edge share is tiered to the cloud.
-![Cloud share creation in Azure portal for static provisioning](./media/azure-stack-edge-gpu-kubernetes-storage/static-provisioning-azure-portal-1.png)
+![Cloud share creation in Azure portal for static provisioning](./media/azure-stack-edge-gpu-kubernetes-storage/static-provisioning-azure-portal-2.png)
You can create both SMB and NFS shares to statically provision PVs on Azure Stack Edge Pro device. Once the PV is provisioned, you will submit a PVC to claim this storage. Here is an example of a PVC deployment `yaml` that claims the storage and uses the shares you provisioned.
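Review bot: this only swaps `static-provisioning-azure-portal-1.png` and `static-provisioning-azure-portal-2.png` between the local-share and cloud-share figures; confirm the image files themselves were not also renamed in the media folder, otherwise the swap reintroduces the mismatch it fixes. In the surrounding context, `device' storage capabilities` should be `device's`, and **Use the share with Edge compute** is bolded in the first paragraph but not in the second.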
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-manage-access-power-connectivity-mode https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-manage-access-power-connectivity-mode.md
@@ -7,7 +7,7 @@
Previously updated : 11/04/2020 Last updated : 01/28/2021
@@ -50,7 +50,7 @@ The reset workflow does not require the user to recall the old password and is u
1. In the Azure portal, go to **Overview > Reset admin password**.
- ![Screenshot shows the device with Reset device password selected.](media/azure-stack-edge-manage-access-power-connectivity-mode/reset-password-1.png)
+ ![Screenshot shows the device with Reset device password selected.](media/azure-stack-edge-gpu-manage-access-power-connectivity-mode/reset-password-1.png)
2. Enter the new password and then confirm it. The supplied password must be between 8 and 16 characters. The password must have 3 of the following characters: uppercase, lowercase, numeric, and special characters. Select **Reset**.
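Review bot: the media path fix is correct, but the password rule in the following context line is ambiguous: "The password must have 3 of the following characters: uppercase, lowercase, numeric, and special characters" means three of the four character classes, not three characters; reword to "at least three of the following four character types". The "between 8 and 16 characters" range is also worth calling out explicitly as an upper limit, since an admin pasting a longer generated passphrase will have it refused.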
databox https://docs.microsoft.com/en-us/azure/databox/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/security-controls-policy.md /dev/null
@@ -0,0 +1,27 @@
+
+ Title: Azure Policy Regulatory Compliance controls for Azure Data Box
+description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Box. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources.
Last updated : 01/29/2021++++++
+# Azure Policy Regulatory Compliance controls for Azure Data Box
+
+[Regulatory Compliance in Azure Policy](../governance/policy/concepts/regulatory-compliance.md)
+provides Microsoft created and managed initiative definitions, known as _built-ins_, for the
+**compliance domains** and **security controls** related to different compliance standards. This
+page lists the **compliance domains** and **security controls** for Azure Data Box. You can
+assign the built-ins for a **security control** individually to help make your Azure resources
+compliant with the specific standard.
+
+[!INCLUDE [azure-policy-compliancecontrols-introwarning](../../includes/policy/standards/intro-warning.md)]
+
+[!INCLUDE [azure-policy-compliancecontrols-databox](../../includes/policy/standards/byrp/microsoft.databox.md)]
+
+## Next steps
+
+- Learn more about [Azure Policy Regulatory Compliance](../governance/policy/concepts/regulatory-compliance.md).
+- See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
ddos-protection https://docs.microsoft.com/en-us/azure/ddos-protection/manage-ddos-protection-template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/ddos-protection/manage-ddos-protection-template.md
@@ -36,8 +36,8 @@ The template used in this quickstart is from [Azure Quickstart Templates](https:
The template defines two resources: -- [Microsoft.Network/ddosProtectionPlans](/templates/microsoft.network/ddosprotectionplans)-- [Microsoft.Network/virtualNetworks](/templates/microsoft.network/virtualnetworks)
+- [Microsoft.Network/ddosProtectionPlans](/azure/templates/microsoft.network/ddosprotectionplans)
+- [Microsoft.Network/virtualNetworks](/azure/templates/microsoft.network/virtualnetworks)
## Deploy the template
digital-twins https://docs.microsoft.com/en-us/azure/digital-twins/concepts-twins-graph https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/concepts-twins-graph.md
@@ -17,7 +17,7 @@
# Understand digital twins and their twin graph
-In an Azure Digital Twins solution, the entities in your environment are represented by Azure **digital twins**. A digital twin is an instance of one of your custom-defined [models](concepts-models.md). It can be connected to other digital twins via **relationships** to form a **twin graph**: this twin graph is the representation of your entire environment.
+In an Azure Digital Twins solution, the entities in your environment are represented by **digital twins**. A digital twin is an instance of one of your custom-defined [models](concepts-models.md). It can be connected to other digital twins via **relationships** to form a **twin graph**: this twin graph is the representation of your entire environment.
> [!TIP] > "Azure Digital Twins" refers to this Azure service as a whole. "Digital twin(s)" or just "twin(s)" refers to individual twin nodes inside your instance of the service.
digital-twins https://docs.microsoft.com/en-us/azure/digital-twins/how-to-integrate-time-series-insights https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-integrate-time-series-insights.md
@@ -121,7 +121,7 @@ To create the second event hub, you can either use the Azure CLI instructions be
3. Create an [authorization rule](/cli/azure/eventhubs/eventhub/authorization-rule?view=azure-cli-latest&preserve-view=true#az-eventhubs-eventhub-authorization-rule-create) with send and receive permissions. Specify a name for the rule. ```azurecli-interactive
- az eventhubs eventhub authorization-rule create --rights Listen Send --resource-group <resource group name> --namespace-name <Event Hubs namespace from earlier> --eventhub-name <TSI event hub name from above> --name <name for your TSI auth rule>
+ az eventhubs eventhub authorization-rule create --rights Listen Send --resource-group <resource group name> --namespace-name <Event Hubs namespace from earlier> --eventhub-name <TSI event hub name from above> --name <name for your TSI auth rule>
``` ## Configure your function
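Review bot: the removed and added `az eventhubs eventhub authorization-rule create` lines are identical as rendered; if this is a whitespace-only change, fine, but confirm the command text was not meant to change (the `--rights Listen Send` value in particular, since the following section uses this rule's key for the function).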
@@ -150,7 +150,7 @@ Next, you'll need to set environment variables in your function app from earlier
az eventhubs eventhub authorization-rule keys list --resource-group <resource group name> --namespace-name <Event Hubs namespace> --eventhub-name <TSI event hub name> --name <TSI auth rule> ```
-2. In your function app, create an app setting containing your connection string:
+2. Use the *primaryConnectionString* value from the result to create an app setting in your function app that contains your connection string:
```azurecli-interactive az functionapp config appsettings set --settings "EventHubAppSetting-TSI=<TSI event hub connection string>" -g <resource group> -n <your App Service (function app) name>
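Review bot: `primaryConnectionString` embeds the authorization rule's key, and that rule was created with `--rights Listen Send`, while the function only needs to send to the TSI event hub; suggest creating a Send-only rule for the function app (and a separate rule for the Time Series Insights event source) so the secret stored in the `EventHubAppSetting-TSI` app setting cannot also read the stream. It is also worth a sentence that the app setting holds the key in plain configuration and that a Key Vault reference is the alternative.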
@@ -164,7 +164,9 @@ Next, you will set up a Time Series Insights instance to receive the data from y
1. Select the **Gen2(L1)** pricing tier. 2. You will need to choose a **time series ID** for this environment. Your time series ID can be up to three values that you will use to search for your data in Time Series Insights. For this tutorial, you can use **$dtId**. Read more about selecting an ID value in [*Best practices for choosing a Time Series ID*](../time-series-insights/how-to-select-tsid.md).
- :::image type="content" source="media/how-to-integrate-time-series-insights/create-twin-id.png" alt-text="The creation portal UX for a Time Series Insights environment. The Gen2(L1) pricing tier is selected and the time series ID property name is $dtId" lightbox="media/how-to-integrate-time-series-insights/create-twin-id.png":::
+ :::image type="content" source="media/how-to-integrate-time-series-insights/create-time-series-insights-environment-1.png" alt-text="The creation portal UX for a Time Series Insights environment. Select your subscription, resource group, and location from the respective dropdowns and choose a name for your environment." lightbox="media/how-to-integrate-time-series-insights/create-time-series-insights-environment-1.png":::
+
+ :::image type="content" source="media/how-to-integrate-time-series-insights/create-time-series-insights-environment-2.png" alt-text="The creation portal UX for a Time Series Insights environment. The Gen2(L1) pricing tier is selected and the time series ID property name is $dtId" lightbox="media/how-to-integrate-time-series-insights/create-time-series-insights-environment-2.png":::
2. Select **Next: Event Source** and select your TSI event hub information from earlier. You will also need to create a new Event Hubs consumer group.
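Review bot: both screenshots are placed after the time series ID sub-step, but the first one's alt text describes selecting subscription, resource group, location and name, which happens before the pricing-tier step; either move that image up to the point where those fields are filled in or add a sentence in step 1 covering them so the alt text matches the flow.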
digital-twins https://docs.microsoft.com/en-us/azure/digital-twins/how-to-manage-routes-apis-cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-manage-routes-apis-cli.md
@@ -49,7 +49,7 @@ This section explains how to create these endpoints using the Azure CLI. You can
### Create the endpoint
-Once you have created the endpoint resources, you can use them for an Azure Digital Twins endpoint. The following examples show how to create endpoints using the `az dt endpoint create` command for the [Azure Digital Twins CLI](how-to-use-cli.md). Replace the placeholders in the commands with the details of your own resources.
+Once you have created the endpoint resources, you can use them for an Azure Digital Twins endpoint. The following examples show how to create endpoints using the [az dt endpoint create](/cli/azure/ext/azure-iot/dt/endpoint/create?view=azure-cli-latest&preserve-view=true) command for the [Azure Digital Twins CLI](how-to-use-cli.md). Replace the placeholders in the commands with the details of your own resources.
To create an Event Grid endpoint:
@@ -57,29 +57,47 @@ To create an Event Grid endpoint:
az dt endpoint create eventgrid --endpoint-name <Event-Grid-endpoint-name> --eventgrid-resource-group <Event-Grid-resource-group-name> --eventgrid-topic <your-Event-Grid-topic-name> -n <your-Azure-Digital-Twins-instance-name> ```
-To create an Event Hubs endpoint:
+To create an Event Hubs endpoint (key-based authentication):
```azurecli-interactive az dt endpoint create eventhub --endpoint-name <Event-Hub-endpoint-name> --eventhub-resource-group <Event-Hub-resource-group> --eventhub-namespace <Event-Hub-namespace> --eventhub <Event-Hub-name> --eventhub-policy <Event-Hub-policy> -n <your-Azure-Digital-Twins-instance-name> ```
-To create a Service Bus topic endpoint:
+To create a Service Bus topic endpoint (key-based authentication):
```azurecli-interactive az dt endpoint create servicebus --endpoint-name <Service-Bus-endpoint-name> --servicebus-resource-group <Service-Bus-resource-group-name> --servicebus-namespace <Service-Bus-namespace> --servicebus-topic <Service-Bus-topic-name> --servicebus-policy <Service-Bus-topic-policy> -n <your-Azure-Digital-Twins-instance-name> ``` After successfully running these commands, the event grid, event hub, or Service Bus topic will be available as an endpoint inside of Azure Digital Twins, under the name you supplied with the `--endpoint-name` argument. You'll typically use that name as the target of an **event route**, which you'll create [later in this article](#create-an-event-route).
+#### Create an endpoint with identity-based authentication
+
+You can also create an endpoint that has identity-based authentication, to use the endpoint with a [managed identity](concepts-security.md#managed-identity-for-accessing-other-resources-preview). This option is only available for Event Hub and Service Bus-type endpoints (it's not supported for Event Grid).
+
+The CLI command to create this type of endpoint is below. You'll need the following values to plug into the placeholders in the command:
+* the Azure resource ID of your Azure Digital Twins instance
+* an endpoint name
+* an endpoint type
+* the endpoint resource's namespace
+* the name of the event hub or Service Bus topic
+* the location of your Azure Digital Twins instance
+
+```azurecli-interactive
+az resource create --id <Azure-Digital-Twins-instance-Azure-resource-ID>/endpoints/<endpoint-name> --properties '{\"properties\": { \"endpointType\": \"<endpoint-type>\", \"authenticationType\": \"IdentityBased\", \"endpointUri\": \"sb://<endpoint-namespace>.servicebus.windows.net\", \"entityPath\": \"<name-of-event-hub-or-Service-Bus-topic>\"}, \"location\":\"<instance-location>\" }' --is-full-object
+```
+ ### Create an endpoint with dead-lettering When an endpoint can't deliver an event within a certain time period or after trying to deliver the event a certain number of times, it can send the undelivered event to a storage account. This process is known as **dead-lettering**.
+Endpoints with dead-lettering enabled can be set up with the Azure Digital Twins [CLI](how-to-use-cli.md) or [control plane APIs](how-to-use-apis-sdks.md#overview-control-plane-apis).
+ To learn more about dead-lettering, see [*Concepts: Event routes*](concepts-route-events.md#dead-letter-events). For instructions on how to set up an endpoint with dead-lettering, continue through the rest of this section. #### Set up storage resources Before setting the dead-letter location, you must have a [storage account](../storage/common/storage-account-create.md?tabs=azure-portal) with a [container](../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container) set up in your Azure account.
-You'll provide the URL for this container when creating the endpoint later. The dead-letter location will be provided to the endpoint as a container URL with a [SAS token](../storage/common/storage-sas-overview.md). That token needs `write` permission for the destination container within the storage account. The fully formed URL will be in the format of: `https://<storageAccountname>.blob.core.windows.net/<containerName>?<SASToken>`.
+You'll provide the URI for this container when creating the endpoint later. The dead-letter location will be provided to the endpoint as a container URI with a [SAS token](../storage/common/storage-sas-overview.md). That token needs `write` permission for the destination container within the storage account. The fully formed **dead letter SAS URI** will be in the format of: `https://<storage-account-name>.blob.core.windows.net/<container-name>?<SAS-token>`.
Follow the steps below to set up these storage resources in your Azure account, to prepare to set up the endpoint connection in the next section.
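Review bot: the identity-based `az resource create` command passes its payload as `'{\"properties\": { ... }}'` with backslash-escaped quotes inside single quotes; that form works in Windows cmd and PowerShell, but in bash (the default for the azurecli-interactive Cloud Shell) single quotes keep the backslashes literally and the JSON fails to parse. Give the bash form with plain double quotes inside single quotes, or pass a file with `--properties @endpoint.json`. The section links to managed identity but never says that the instance's identity must be granted send rights on the target (Azure Event Hubs Data Sender or Azure Service Bus Data Sender) before events can be delivered; without that sentence readers create an endpoint that never delivers. In the dead-letter paragraph, the SAS token becomes the endpoint's stored secret and is the only credential protecting dead-lettered event data; recommend scoping it to the single container with write permission only and a short expiry.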
@@ -100,25 +118,44 @@ Follow the steps below to set up these storage resources in your Azure account,
:::image type="content" source="./media/how-to-manage-routes-apis-cli/copy-sas-token.png" alt-text="Copy SAS token to use in the dead-letter secret." lightbox="./media/how-to-manage-routes-apis-cli/copy-sas-token.png":::
-#### Configure the endpoint
+#### Create the dead-letter endpoint
-To create an endpoint that has dead-lettering enabled, you can create the endpoint using the Azure Resource Manager APIs.
+To create an endpoint that has dead-lettering enabled, add the following dead letter parameter to the [az dt endpoint create](/cli/azure/ext/azure-iot/dt/endpoint/create?view=azure-cli-latest&preserve-view=true) command for the [Azure Digital Twins CLI](how-to-use-cli.md).
-1. First, use the [Azure Resource Manager APIs documentation](/rest/api/digital-twins/controlplane/endpoints/digitaltwinsendpoint_createorupdate) to set up a request to create an endpoint, and fill in the required request parameters.
+The value for the parameter is the **dead letter SAS URI** made up of the storage account name, container name, and SAS token that you gathered in the [previous section](#set-up-storage-resources). This parameter creates the endpoint with key-based authentication.
-2. Next, add a `deadLetterSecret` field to the properties object in the **body** of the request. Set this value according to the template below, which crafts a URL from the storage account name, container name, and SAS token value that you gathered in the [previous section](#set-up-storage-resources).
-
- :::code language="json" source="~/digital-twins-docs-samples/api-requests/deadLetterEndpoint.json":::
+```azurecli
+--deadletter-sas-uri https://<storage-account-name>.blob.core.windows.net/<container-name>?<SAS-token>
+```
-3. Send the request to create the endpoint.
+Add this parameter to the end of the endpoint creation commands from the [*Create the endpoint*](#create-the-endpoint) section earlier to create an endpoint of your desired type that has dead-lettering enabled.
-For more information on structuring this request, see the Azure Digital Twins REST API documentation: [Endpoints - DigitalTwinsEndpoint CreateOrUpdate](/rest/api/digital-twins/controlplane/endpoints/digitaltwinsendpoint_createorupdate).
+Alternatively, you can create dead letter endpoints using the [Azure Digital Twins control plane APIs](how-to-use-apis-sdks.md#overview-control-plane-apis) instead of the CLI. To do this, view the [DigitalTwinsEndpoint documentation](/rest/api/digital-twins/controlplane/endpoints/digitaltwinsendpoint_createorupdate) to see how to structure the request and add the dead letter parameters.
+
+#### Create a dead-letter endpoint with identity-based authentication
+
+You can also create a dead-lettering endpoint that has identity-based authentication, to use the endpoint with a [managed identity](concepts-security.md#managed-identity-for-accessing-other-resources-preview). This option is only available for Event Hub and Service Bus-type endpoints (it's not supported for Event Grid).
+
+To create this type of endpoint, use the same CLI command from earlier to [create an endpoint with identity-based authentication](#create-an-endpoint-with-identity-based-authentication), with an extra field in the JSON payload for a `deadLetterUri`.
+
+Here are the values you'll need to plug into the placeholders in the command:
+* the Azure resource ID of your Azure Digital Twins instance
+* an endpoint name
+* an endpoint type
+* the endpoint resource's namespace
+* the name of the event hub or Service Bus topic
+* **dead letter SAS URI** details: storage account name, container name
+* the location of your Azure Digital Twins instance
+
+```azurecli-interactive
+az resource create --id <Azure-Digital-Twins-instance-Azure-resource-ID>/endpoints/<endpoint-name> --properties '{\"properties\": { \"endpointType\": \"<endpoint-type>\", \"authenticationType\": \"IdentityBased\", \"endpointUri\": \"sb://<endpoint-namespace>.servicebus.windows.net\", \"entityPath\": \"<name-of-event-hub-or-Service-Bus-topic>\", \"deadLetterUri\": \"https://<storage-account-name>.blob.core.windows.net/<container-name>\"}, \"location\":\"<instance-location>\" }' --is-full-object
+```
-### Message storage schema
+#### Message storage schema
Once the endpoint with dead-lettering is set up, dead-lettered messages will be stored in the following format in your storage account:
-`{container}/{endpointName}/{year}/{month}/{day}/{hour}/{eventId}.json`
+`{container}/{endpoint-name}/{year}/{month}/{day}/{hour}/{event-ID}.json`
Dead-lettered messages will match the schema of the original event that was intended to be delivered to your original endpoint.
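Review bot: the placeholder list for the identity-based dead-letter command says `* **dead letter SAS URI** details: storage account name, container name`, but the `deadLetterUri` in the command is `https://<storage-account-name>.blob.core.windows.net/<container-name>` with no SAS token; call it a dead-letter URI here and, since no token is supplied, state that the instance's managed identity must have write access to that container (for example Storage Blob Data Contributor) or dead-lettering will fail. The payload `'{\"properties\": ...}'` again uses backslash-escaped quotes inside single quotes, which bash passes through literally; show the bash form or use `--properties @file`. Also, "This parameter creates the endpoint with key-based authentication" is misleading: it is the base `az dt endpoint create` command that is key-based, and `--deadletter-sas-uri` only adds the dead-letter destination.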
@@ -129,7 +166,7 @@ Here is an example of a dead-letter message for a [twin create notification](how
"specversion": "1.0", "id": "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxx", "type": "Microsoft.DigitalTwins.Twin.Create",
- "source": "<yourInstance>.api.<yourregion>.da.azuredigitaltwins-test.net",
+ "source": "<your-instance>.api.<your-region>.da.azuredigitaltwins-test.net",
"data": { "$dtId": "<yourInstance>xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxx", "$etag": "W/\"xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxx\"",
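Review bot: the `source` placeholder was renamed to `<your-instance>.api.<your-region>...`, but the next context line still uses `<yourInstance>` inside `$dtId`; make both kebab-case. The `azuredigitaltwins-test.net` suffix in the sample will confuse readers whose instances are on the production domain; if it is a leftover from a preview environment, replace it with the current hostname pattern or a neutral placeholder.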
digital-twins https://docs.microsoft.com/en-us/azure/digital-twins/how-to-manage-routes-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-manage-routes-portal.md
@@ -99,9 +99,9 @@ Now the event grid, event hub, or Service Bus topic is available as an endpoint
When an endpoint can't deliver an event within a certain time period or after trying to deliver the event a certain number of times, it can send the undelivered event to a storage account. This process is known as **dead-lettering**.
-In order to create an endpoint with dead-lettering enabled, you must use the [ARM APIs](/rest/api/digital-twins/controlplane/endpoints/digitaltwinsendpoint_createorupdate) or [CLI commands](how-to-use-cli.md) to create your endpoint, rather than the Azure portal.
+In order to create an endpoint with dead-lettering enabled, you must use the [CLI commands](how-to-use-cli.md) or [control plane APIs](/rest/api/digital-twins/controlplane/endpoints/digitaltwinsendpoint_createorupdate) to create your endpoint, rather than the Azure portal.
-For instructions on how to do this with the APIs, see the [*APIs and CLI*](how-to-manage-routes-apis-cli.md#create-an-endpoint-with-dead-lettering) version of this article.
+For instructions on how to do this with these tools, see the [*APIs and CLI*](how-to-manage-routes-apis-cli.md#create-an-endpoint-with-dead-lettering) version of this article.
## Create an event route
digital-twins https://docs.microsoft.com/en-us/azure/digital-twins/overview-differences https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/overview-differences.md
@@ -1,48 +0,0 @@
-
-# Mandatory fields.
Title: Differences from first release-
-description: Understand what has changed in the new version of Azure Digital Twins
-- Previously updated : 3/12/2020---
-# Optional fields. Don't forget to remove # if you need a field.
-#
-#
-#
--
-# What is the new Azure Digital Twins? How is it different from the previous version (2018)?
-
-The first public preview of Azure Digital Twins was released in October of 2018. While the core concepts from that first version have carried through to the new service, many of the interfaces and implementation details have changed to make the service more flexible and accessible. These changes were motivated by customer feedback.
-
-> [!IMPORTANT]
-> In light of the new service's expanded capabilities, the previous Azure Digital Twins service will be retired, with its APIs and associated data no longer available starting January 18th, 2021.
-
-If you used the first version of Azure Digital Twins during the first public preview, use the information and best practices in this article to learn how to work with the new service, and take advantage of its features.
-
-## Differences by topic
-
-The chart below provides a side-by-side view of concepts that have changed between the previous version of the service and the new (current) service.
-
-| Topic | In previous version | In new version |
-| | | | |
-| **Modeling**<br>*More flexible* | The previous release was designed around smart spaces, so it came with a built-in vocabulary for buildings. | The new Azure Digital Twins is domain-agnostic. You can define your own custom vocabulary and custom models for your solution, to represent more kinds of environments in more flexible ways.<br><br>Learn more in [*Concepts: Custom models*](concepts-models.md). |
-| **Topology**<br>*More flexible*| The previous release supported a tree data structure, tailored to smart spaces. Digital twins were connected with hierarchical relationships. | With the new release, your digital twins can be connected into arbitrary graph topologies, organized however you want. This gives you more flexibility to express the complex relationships of the real world.<br><br>Learn more in [*Concepts: Digital twins and the twin graph*](concepts-twins-graph.md). |
-| **Compute**<br>*Richer, more flexible* | In the previous release, logic for processing events and telemetry was defined in JavaScript user-defined functions (UDFs). Debugging with UDFs was limited. | The new release has an open compute model: you provide custom logic by attaching external compute resources like [Azure Functions](../azure-functions/functions-overview.md). This lets you use a programming language of your choice, access custom code libraries without restriction, and take advantage of development and debugging resources that the external service may have.<br><br>Learn more in [*How-to: Set up an Azure function for processing data*](how-to-create-azure-function.md). |
-| **Device management with IoT Hub**<br>*More accessible* | The previous release managed devices with an instance of [IoT Hub](../iot-hub/about-iot-hub.md) that was internal to the Azure Digital Twins service. This integrated hub was not fully accessible to developers. | In the new release, you "bring your own" IoT hub, by attaching an independently-created IoT Hub instance (along with any devices it already manages). This gives you full access to IoT Hub's capabilities and puts you in control of device management.<br><br>Learn more in [*How-to: Ingest telemetry from IoT Hub*](how-to-ingest-iot-hub-data.md). |
-| **Security**<br>*More standard* | The previous release had pre-defined roles that you could use to manage access to your instance. | The new release integrates with the same [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) back-end service that other Azure services use. This may make it simpler to authenticate between other Azure services in your solution, like IoT Hub, Azure Functions, Event Grid, and more.<br>With RBAC, you can still use pre-defined roles, or you can build and configure custom roles.<br><br>Learn more in [*Concepts: Security for Azure Digital Twins solutions*](concepts-security.md). |
-| **Scalability**<br>*Greater* | The previous release had scale limitations for devices, messages, graphs, and scale units. Only one instance of Azure Digital Twins was supported per subscription. | The new release relies on a new architecture with improved scalability, and has greater compute power. It also supports 10 instances per region, per subscription.<br><br>See [*Reference: Service limits*](reference-service-limits.md) for details of the limits in the current release. |
-
-## Service limits
-
-For a list of Azure Digital Twins limits, see [*Reference: Service limits*](reference-service-limits.md).
-
-## Next steps
-
-Next, dive into working with Azure Digital Twins with the first tutorial:
-
-[*Tutorial: Code a client app*](tutorial-code.md)
\ No newline at end of file
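Review bot: Deleting the entire article body here (the comparison table through the Next steps link to tutorial-code.md) needs a redirect entry for the old article path in the same change: the identical content reappears in this patch as the new resources-compare-original-release.md page and overview.md drops its link to overview-differences.md, so without a redirect every external link and bookmark to the old page will 404.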
digital-twins https://docs.microsoft.com/en-us/azure/digital-twins/overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/overview.md
@@ -95,10 +95,10 @@ The following diagram shows where Azure Digital Twins lies in the context of a l
## Service limits
-For a list of Azure Digital Twins limits, see [*Reference: Service limits*](reference-service-limits.md).
+For a list of Azure Digital Twins limits, see [*Azure Digital Twins service limits*](reference-service-limits.md).
## Next steps
-If you have worked with the first preview release of Azure Digital Twins (October 2018), learn what has changed: [*Overview: Differences from first release*](overview-differences.md).
+* Dive into working with Azure Digital Twins in the quickstart: [*Quickstart: Explore a sample scenario*](quickstart-adt-explorer.md).
-Or, go ahead and dive into working with Azure Digital Twins with the quickstart: [*Quickstart: Explore a sample scenario*](quickstart-adt-explorer.md).
\ No newline at end of file
+* Or, start reading about Azure Digital Twins concepts with [*Concepts: Custom models*](concepts-models.md).
\ No newline at end of file
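Review bot: The rewritten Next steps section still ends without a trailing newline (both `\ No newline at end of file` markers remain); the expressroute hunk later in this patch fixes exactly this for its own file, and overview.md should get the same fix. Also, `* Or, start reading about Azure Digital Twins concepts ...` carries the `Or,` over from the removed prose sentence; once the items are bullets, `* Start reading about ...` is enough.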
digital-twins https://docs.microsoft.com/en-us/azure/digital-twins/resources-compare-original-release https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/resources-compare-original-release.md /dev/null
@@ -0,0 +1,48 @@
+
+# Mandatory fields.
+ Title: Differences from original release
+
+description: Understand what has changed in the new version of Azure Digital Twins
++ Last updated : 1/28/2021+++
+# Optional fields. Don't forget to remove # if you need a field.
+#
+#
+#
++
+# What is the new Azure Digital Twins? How is it different from the original version (2018)?
+
+The first public preview of Azure Digital Twins was released in October of 2018. While the core concepts from that original version have carried through to the current service, many of the interfaces and implementation details have changed to make the service more flexible and accessible. These changes were motivated by customer feedback.
+
+> [!IMPORTANT]
+> In light of the new service's expanded capabilities, the original Azure Digital Twins service has been retired. As of January 2021, its APIs and associated data are no longer available.
+
+If you used the first version of Azure Digital Twins during the first public preview, use the information and best practices in this article to learn how to work with the current service, and take advantage of its features.
+
+## Differences by topic
+
+The chart below provides a side-by-side view of concepts that have changed between the original version of the service and the current service.
+
+| Topic | In original version | In current version |
+| | | | |
+| **Modeling**<br>*More flexible* | The original release was designed around smart spaces, so it came with a built-in vocabulary for buildings. | The current Azure Digital Twins is domain-agnostic. You can define your own custom vocabulary and custom models for your solution, to represent more kinds of environments in more flexible ways.<br><br>Learn more in [*Concepts: Custom models*](concepts-models.md). |
+| **Topology**<br>*More flexible*| The original release supported a tree data structure, tailored to smart spaces. Digital twins were connected with hierarchical relationships. | With the current release, your digital twins can be connected into arbitrary graph topologies, organized however you want. This gives you more flexibility to express the complex relationships of the real world.<br><br>Learn more in [*Concepts: Digital twins and the twin graph*](concepts-twins-graph.md). |
+| **Compute**<br>*Richer, more flexible* | In the original release, logic for processing events and telemetry was defined in JavaScript user-defined functions (UDFs). Debugging with UDFs was limited. | The current release has an open compute model: you provide custom logic by attaching external compute resources like [Azure Functions](../azure-functions/functions-overview.md). This lets you use a programming language of your choice, access custom code libraries without restriction, and take advantage of development and debugging resources that the external service may have.<br><br>Learn more in [*How-to: Set up an Azure function for processing data*](how-to-create-azure-function.md). |
+| **Device management with IoT Hub**<br>*More accessible* | The original release managed devices with an instance of [IoT Hub](../iot-hub/about-iot-hub.md) that was internal to the Azure Digital Twins service. This integrated hub was not fully accessible to developers. | In the current release, you "bring your own" IoT hub, by attaching an independently-created IoT Hub instance (along with any devices it already manages). This gives you full access to IoT Hub's capabilities and puts you in control of device management.<br><br>Learn more in [*How-to: Ingest telemetry from IoT Hub*](how-to-ingest-iot-hub-data.md). |
+| **Security**<br>*More standard* | The original release had pre-defined roles that you could use to manage access to your instance. | The current release integrates with the same [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) back-end service that other Azure services use. This may make it simpler to authenticate between other Azure services in your solution, like IoT Hub, Azure Functions, Event Grid, and more.<br>With RBAC, you can still use pre-defined roles, or you can build and configure custom roles.<br><br>Learn more in [*Concepts: Security for Azure Digital Twins solutions*](concepts-security.md). |
+| **Scalability**<br>*Greater* | The original release had scale limitations for devices, messages, graphs, and scale units. Only one instance of Azure Digital Twins was supported per subscription. | The current release relies on a new architecture with improved scalability, and has greater compute power. It also supports 10 instances per region, per subscription.<br><br>See [*Azure Digital Twins service limits*](reference-service-limits.md) for details of the limits in the current release. |
+
+## Service limits
+
+For a list of Azure Digital Twins limits, see [*Azure Digital Twins service limits*](reference-service-limits.md).
+
+## Next steps
+
+* Dive into working with the current release in the quickstart: [*Quickstart: Explore a sample scenario*](quickstart-adt-explorer.md).
+
+* Or, start reading about key concepts with [*Concepts: Custom models*](concepts-models.md).
\ No newline at end of file
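Review bot: The front matter of the new file still contains template leftovers that should be removed before merge: the `# Mandatory fields.` and `# Optional fields. Don't forget to remove # if you need a field.` comments and the three bare `#` lines. The `Last updated : 1/28/2021` value should also be zero-padded (`01/28/2021`) to match the other files in this patch. The comparison table's separator row (`| | | | |`) has four cells under a three-column header; unless that is only how this digest renders `|---|---|---|`, the table will not render. The file ends without a trailing newline as well.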
dms https://docs.microsoft.com/en-us/azure/dms/tutorial-sql-server-to-managed-instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/dms/tutorial-sql-server-to-managed-instance.md
@@ -61,7 +61,7 @@ To complete this tutorial, you need to:
>[!NOTE] >By default, Azure Database Migration Service only supports migrating SQL logins. However, you can enable the ability to migrate Windows logins by: >
- >- Ensuring that the target SQL Managed Instance has AAD read access, which can be configured via the Azure portal by a user with the **Company Administrator**or a **Global Administrator**" role.
+ >- Ensuring that the target SQL Managed Instance has AAD read access, which can be configured via the Azure portal by a user with the **Global Administrator** role.
>- Configuring your Azure Database Migration Service instance to enable Windows user/group login migrations, which is set up via the Azure portal, on the Configuration page. After enabling this setting, restart the service for the changes to take effect. > > After restarting the service, Windows user/group logins appear in the list of logins available for migration. For any Windows user/group logins you migrate, you are prompted to provide the associated domain name. Service user accounts (account with domain name NT AUTHORITY) and virtual user accounts (account name with domain name NT SERVICE) are not supported.
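Review bot: `AAD read access` in the rewritten bullet uses an abbreviation that the firewall-manager hunk in this same patch spells out as `Azure Active Directory (Azure AD)`; since this sentence is already being edited to drop Company Administrator, `Azure AD read access` would keep the terminology consistent across the two articles.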
event-grid https://docs.microsoft.com/en-us/azure/event-grid/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/security-controls-policy.md /dev/null
@@ -0,0 +1,24 @@
+
+ Title: Azure Policy Regulatory Compliance controls for Azure Event Grid
+description: Lists Azure Policy Regulatory Compliance controls available for Azure Event Grid. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources.
Last updated : 01/29/2021+++
+# Azure Policy Regulatory Compliance controls for Azure Event Grid
+
+[Regulatory Compliance in Azure Policy](../governance/policy/concepts/regulatory-compliance.md)
+provides Microsoft created and managed initiative definitions, known as _built-ins_, for the
+**compliance domains** and **security controls** related to different compliance standards. This
+page lists the **compliance domains** and **security controls** for Azure Event Grid. You can
+assign the built-ins for a **security control** individually to help make your Azure resources
+compliant with the specific standard.
+
+[!INCLUDE [azure-policy-compliancecontrols-introwarning](../../includes/policy/standards/intro-warning.md)]
+
+[!INCLUDE [azure-policy-compliancecontrols-eventgrid](../../includes/policy/standards/byrp/microsoft.eventgrid.md)]
+
+## Next steps
+
+- Learn more about [Azure Policy Regulatory Compliance](../governance/policy/concepts/regulatory-compliance.md).
+- See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
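Review bot: The page body consists of two includes, and nothing visible in this patch adds `../../includes/policy/standards/byrp/microsoft.eventgrid.md`; confirm that include file exists, otherwise the page renders as the intro paragraph alone. The front-matter key appears as ` Title:` (leading space, capital T) while `description:` is lowercase; metadata keys should be consistently lowercase so the build picks them up.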
event-hubs https://docs.microsoft.com/en-us/azure/event-hubs/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Event Hubs description: Lists Azure Policy Regulatory Compliance controls available for Azure Event Hubs. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
expressroute https://docs.microsoft.com/en-us/azure/expressroute/expressroute-monitoring-metrics-alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/expressroute/expressroute-monitoring-metrics-alerts.md
@@ -6,7 +6,7 @@
Previously updated : 08/25/2020 Last updated : 01/11/2020
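Review bot: The new `Last updated : 01/11/2020` is earlier than the `Previously updated : 08/25/2020` value it replaces, so the year is almost certainly a typo for `01/11/2021`; a date that moves backwards will make the freshly revised article look stale.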
@@ -31,10 +31,14 @@ Once a metric is selected, the default aggregation will be applied. Optionally,
| | | | | |ARP Availability|Availability|<ui><li>Peer (Primary/Secondary ExpressRoute router)</ui></li><ui><li> Peering Type (Private/Public/Microsoft)</ui></li>|ExpressRoute| |Bgp Availability|Availability|<ui><li> Peer (Primary/Secondary ExpressRoute router)</ui></li><ui><li> Peering Type</ui></li>|ExpressRoute|
-|BitsInPerSecond|Traffic|<ui><li> Peering Type (ExpressRoute)</ui></li><ui><li>Link (ExpressRoute Direct)</ui></li>|<li>ExpressRoute</li><li>ExpressRoute Direct|
-|BitsOutPerSecond|Traffic| <ui><li>Peering Type (ExpressRoute)</ui></li><ui><li> Link (ExpressRoute Direct) |<ui><li>ExpressRoute<ui><li>ExpressRoute Direct</ui></li> |
+|BitsInPerSecond|Traffic|<ui><li> Peering Type (ExpressRoute)</ui></li><ui><li>Link (ExpressRoute Direct)</ui></li>|<li>ExpressRoute</li><li>ExpressRoute Direct</li><ui><li>ExpressRoute Gateway Connection</ui></li>|
+|BitsOutPerSecond|Traffic| <ui><li>Peering Type (ExpressRoute)</ui></li><ui><li> Link (ExpressRoute Direct) |<ui><li>ExpressRoute<ui><li>ExpressRoute Direct</ui></li><ui><li>ExpressRoute Gateway Connection</ui></li>|
|CPU Utilization|Performance| <ui><li>Instance</ui></li>|ExpressRoute Virtual Network Gateway| |Packets per Second|Performance| <ui><li>Instance</ui></li>|ExpressRoute Virtual Network Gateway|
+|Count of Routes Advertised to Peer |Availability| <ui><li>Instance</ui></li>|ExpressRoute Virtual Network Gateway|
+|Count of Routes Learned from Peer |Availability| <ui><li>Instance</ui></li>|ExpressRoute Virtual Network Gateway|
+|Frequency of Routes change |Availability| <ui><li>Instance</ui></li>|ExpressRoute Virtual Network Gateway|
+|Number of VMs in the Virtual Network |Availability| N/A |ExpressRoute Virtual Network Gateway|
|GlobalReachBitsInPerSecond|Traffic|<ui><li>Peered Circuit Skey (Service Key)</ui></li>|Global Reach| |GlobalReachBitsOutPerSecond|Traffic|<ui><li>Peered Circuit Skey (Service Key)</ui></li>|Global Reach| |AdminState|Physical Connectivity|Link|ExpressRoute Direct|
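Review bot: The HTML list markup in the rewritten BitsInPerSecond and BitsOutPerSecond rows is malformed: `<ui>` is not an HTML element (it should be `<ul>`), the closing order `</ui></li>` is inverted (`</li></ul>`), the BitsOutPerSecond dimensions cell opens `<ui><li> Link (ExpressRoute Direct)` and never closes it, and its resource-type cell opens two `<ui>` tags but closes only one. Since the rows are being rewritten anyway, use one well-formed list per cell, e.g. `<ul><li>ExpressRoute</li><li>ExpressRoute Direct</li><li>ExpressRoute Gateway Connection</li></ul>`. The new `Frequency of Routes change` row also spells the metric with lowercase `change`, while the image alt text added later in this patch says `Frequency of Routes Changed`; pick one spelling for the metric name.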
@@ -123,6 +127,30 @@ You can view packets per second traversing the gateway.
:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/pps-split.jpg" alt-text="Packets per second - split":::
+### Count of Routes Advertised to Peer - Split by Instance
+
+You can view the number of routes advertised to the ExpressRoute circuit.
+
+:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/count-of-routes-advertised-to-peer.png" alt-text="Count of Routes Advertised to Peer":::
+
+### Count of Routes Learned from Peer - Split by Instance
+
+You can view the number of routes received from the ExpressRoute circuit.
+
+:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/count-of-routes-learned-from-peer.png" alt-text="Count of Routes Learned from Peer":::
+
+### Frequency of Routes change - Split by Instance
+
+You can view the frequency of which the route changes on the gateway.
+
+:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/frequency-of-routes-changed.png" alt-text="Frequency of Routes Changed":::
+
+### Number of VMs in the Virtual Network
+
+You can view the number of virtual machines in the virtual network.
+
+:::image type="content" source="./media/expressroute-monitoring-metrics-alerts/number-of-virtual-machines-virtual-network.png" alt-text="Number of virtual machines in the virtual network":::
+ ## ExpressRoute gateway connections in bits/seconds :::image type="content" source="./media/expressroute-monitoring-metrics-alerts/erconnections.jpg" alt-text="gateway connections":::
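Review bot: `You can view the frequency of which the route changes on the gateway.` is ungrammatical; `You can view how frequently routes change on the gateway.` says the same thing. The heading `Frequency of Routes change` and the alt text `Frequency of Routes Changed` should use the same spelling as the metric name in the table above. The two route-count sections would also help readers more if they said what a sudden drop or spike in advertised or learned routes indicates, since these are the availability metrics someone would alert on.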
@@ -161,7 +189,7 @@ You can also view ExpressRoute metrics by navigating to your ExpressRoute circui
|TimeGrain|string|PT1M (metric values are pushed every minute)| |Count|real|Usually equal to 2 (each MSEE pushes a single metric value every minute)| |Minimum|real|The minimum of the two metric values pushed by the two MSEEs|
-|Maximum|real|The maxiumum of the two metric values pushed by the two MSEEs|
+|Maximum|real|The maximum of the two metric values pushed by the two MSEEs|
|Average|real|Equal to (Minimum + Maximum)/2| |Total|real|Sum of the two metric values from both MSEEs (the main value to focus on for the metric queried)|
@@ -171,4 +199,4 @@ Configure your ExpressRoute connection.
* [Create and modify a circuit](expressroute-howto-circuit-arm.md) * [Create and modify peering configuration](expressroute-howto-routing-arm.md)
-* [Link a VNet to an ExpressRoute circuit](expressroute-howto-linkvnet-arm.md)
\ No newline at end of file
+* [Link a VNet to an ExpressRoute circuit](expressroute-howto-linkvnet-arm.md)
firewall-manager https://docs.microsoft.com/en-us/azure/firewall-manager/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/firewall-manager/security-baseline.md
@@ -127,7 +127,7 @@ Azure Advanced Threat Protection (ATP) is a security solution that can use Activ
### PA-1: Protect and limit highly privileged users **Guidance**: Azure Firewall Manager uses Azure Active Directory (Azure AD) for identity and access. The most critical built-in roles are Azure AD are Global Administrator and the Privileged Role Administrator as users assigned to these two roles can delegate administrator roles:-- Global Administrator / Company Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities.
+- Global Administrator: Users with this role have access to all administrative features in Azure AD, as well as services that use Azure AD identities.
- Privileged Role Administrator: Users with this role can manage role assignments in Azure AD, as well as within Azure AD Privileged Identity Management (PIM). In addition, this role allows management of all aspects of PIM and administrative units. You may have other critical roles that need to be governed if you use custom roles with certain privileged permissions assigned. And you may also want to apply similar controls to the administrator account of critical business assets.
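Review bot: The sentence immediately before the changed bullet, `The most critical built-in roles are Azure AD are Global Administrator and the Privileged Role Administrator as users assigned to these two roles can delegate administrator roles:`, has a grammar slip (`are Azure AD are`) that should be fixed in the same edit: `The most critical built-in roles in Azure AD are Global Administrator and Privileged Role Administrator, because users assigned to these two roles can delegate administrator roles:`.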
governance https://docs.microsoft.com/en-us/azure/governance/policy/how-to/guest-configuration-create-linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/how-to/guest-configuration-create-linux.md
@@ -238,9 +238,19 @@ The cmdlet also supports input from the PowerShell pipeline. Pipe the output of
New-GuestConfigurationPackage -Name AuditFilePathExists -Configuration ./Config/AuditFilePathExists.mof -ChefInspecProfilePath './' | Test-GuestConfigurationPackage ```
-The next step is to publish the file to Azure Blob Storage. The command `Publish-GuestConfigurationPackage` requires the `Az.Storage`
+The next step is to publish the file to Azure Blob Storage. The command `Publish-GuestConfigurationPackage` requires the `Az.Storage`
module.
+Parameters of the `Publish-GuestConfigurationPackage` cmdlet:
+
+- **Path**: Location of the package to be published
+- **ResourceGroupName**: Name of the resource group where the storage account is located
+- **StorageAccountName**: Name of the storage account where the package should be published
+- **StorageContainerName**: (default: *guestconfiguration*) Name of the storage container in the storage account
+- **Force**: Overwrite existing package in the storage account with the same name
+
+The example below publishes the package to a storage container name 'guestconfiguration'.
+ ```azurepowershell-interactive Publish-GuestConfigurationPackage -Path ./AuditBitlocker.zip -ResourceGroupName myResourceGroupName -StorageAccountName myStorageAccountName ```
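Review bot: The example that the new paragraph introduces publishes `./AuditBitlocker.zip`, but the package built earlier in this article is `AuditFilePathExists` (see the `New-GuestConfigurationPackage -Name AuditFilePathExists` line above); the Linux article should publish `./AuditFilePathExists.zip`, since AuditBitlocker is the Windows sample. Also `to a storage container name 'guestconfiguration'` should read `named`, and because the example omits `-StorageContainerName` it relies on the default, which is worth saying explicitly. Finally, the `Force` entry should state that it replaces an existing package of the same name without prompting, since that is a destructive operation against the published artifact that assigned machines evaluate.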
governance https://docs.microsoft.com/en-us/azure/governance/policy/how-to/guest-configuration-create https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/how-to/guest-configuration-create.md
@@ -331,6 +331,16 @@ New-GuestConfigurationPackage -Name AuditBitlocker -Configuration ./Config/Audit
The next step is to publish the file to Azure Blob Storage. The command `Publish-GuestConfigurationPackage` requires the `Az.Storage` module.
+Parameters of the `Publish-GuestConfigurationPackage` cmdlet:
+
+- **Path**: Location of the package to be published
+- **ResourceGroupName**: Name of the resource group where the storage account is located
+- **StorageAccountName**: Name of the storage account where the package should be published
+- **StorageContainerName**: (default: *guestconfiguration*) Name of the storage container in the storage account
+- **Force**: Overwrite existing package in the storage account with the same name
+
+The example below publishes the package to a storage container name 'guestconfiguration'.
+ ```azurepowershell-interactive Publish-GuestConfigurationPackage -Path ./AuditBitlocker.zip -ResourceGroupName myResourceGroupName -StorageAccountName myStorageAccountName ```
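Review bot: `publishes the package to a storage container name 'guestconfiguration'` should be `named`, and since the example shown omits `-StorageContainerName`, it publishes to the default container; `the default container, 'guestconfiguration'` makes that connection explicit. As in the Linux counterpart of this change, the `Force` entry should say the overwrite happens without confirmation.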
governance https://docs.microsoft.com/en-us/azure/governance/policy/samples/azure-security-benchmark https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/azure-security-benchmark.md
@@ -1,7 +1,7 @@
Title: Regulatory Compliance details for Azure Security Benchmark description: Details of the Azure Security Benchmark Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 01/25/2021 Last updated : 01/29/2021
@@ -79,7 +79,7 @@ initiative definition.
|[Azure Spring Cloud should use network injection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf35e2a4-ef96-44e7-a9ae-853dd97032c4) |Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. |Audit, Disabled, Deny |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Platform/Spring_VNETEnabled_Audit.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7698e800-9299-47a6-b3b6-5a0fee576eed) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) |
-|[Private endpoint should be configured for Key Vault](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0bc445-3935-4915-9981-011aa2b46147) |Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. |Audit, Disabled |[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json) |
+|[Private endpoint should be configured for Key Vault](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0bc445-3935-4915-9981-011aa2b46147) |Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json) |
|[Private endpoint should be enabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a1302fb-a631-4106-9753-f3d494733990) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json) | |[Private endpoint should be enabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7595c971-233d-4bcf-bd18-596129188c49) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json) | |[Private endpoint should be enabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0564d078-92f5-4f97-8398-b9f58a51f70b) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) |
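Review bot: The bump of the Key Vault private-endpoint row to `1.1.0-preview` with the added `Deny` effect is applied identically in both occurrences of the row in this file, which is consistent. The unchanged Container registries row in the context (`Azure backbone network.By mapping`) is missing a space after the period; since these tables are generated from the policy definition descriptions, the fix belongs in the policy description rather than in this table.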
@@ -100,7 +100,7 @@ initiative definition.
|[Azure SignalR Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F53503636-bcc9-4748-9663-5348217f160f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks .Learn more at: [https://aka.ms/asrs/privatelink](https://aka.ms/asrs/privatelink). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit.json) | |[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) | |[Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7698e800-9299-47a6-b3b6-5a0fee576eed) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) |
-|[Private endpoint should be configured for Key Vault](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0bc445-3935-4915-9981-011aa2b46147) |Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. |Audit, Disabled |[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json) |
+|[Private endpoint should be configured for Key Vault](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0bc445-3935-4915-9981-011aa2b46147) |Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. |Audit, Deny, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json) |
|[Private endpoint should be enabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a1302fb-a631-4106-9753-f3d494733990) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json) | |[Private endpoint should be enabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7595c971-233d-4bcf-bd18-596129188c49) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json) | |[Private endpoint should be enabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0564d078-92f5-4f97-8398-b9f58a51f70b) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. 
|AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) |
@@ -262,7 +262,6 @@ initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[API App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb7ddfbdc-1260-477d-91fd-98bd9be789a6) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) |
-|[Audit Windows web servers that are not using secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
|[Enforce HTTPS ingress in Kubernetes cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d) |This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, deny, disabled |[5.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json) | |[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) |Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) | |[Enforce SSL connection should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd158790f-bfb0-486c-8631-2dc6b4e8e6af) |Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) |
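Review bot: the removed row (the `-` line for definition `5752e6d6-1206-46d8-8ab1-ecc2f71a8112`, version 1.0.0) is half of a rename rather than a loss of coverage: the same definition ID reappears in the next hunk under the title "Windows web servers should be configured to use secure communication protocols" at version 2.0.0, with the effect column changing from `auditIfNotExists` to `AuditIfNotExists, Disabled`. The row moves because the table is sorted by display name, and the cmmc-l3 change further down makes the same move. Worth checking that no other initiative table in this batch still carries the 1.0.0 title, otherwise a reader searching for the old name finds it in one compliance page and not another.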
@@ -276,6 +275,7 @@ initiative definition.
|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) | |[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) | |[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. TLS 1.3 is faster and more secure than the earlier versions: TLS 1.0-1.2 and SSL 2-3, which are all considered legacy protocols. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
### Encrypt sensitive data at rest
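Review bot: the added row's description no longer says what is evaluated. The 1.0.0 text removed in the previous hunk stated the check concretely: a machine is non-compliant if the registry key `HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols` includes protocols less secure than the one selected in the policy parameter, and it pointed to the Guest Configuration prerequisites at https://aka.ms/gcpol. The 2.0.0 text is a rationale for TLS ("TLS 1.3 is faster and more secure than ... TLS 1.0-1.2 and SSL 2-3") but names neither the registry key nor the parameter, and drops the prerequisites pointer even though the definition still lives under Guest Configuration and keeps the AuditIfNotExists effect. Because these tables are generated from the policy JSON, the fix belongs upstream in GuestConfiguration_SecureWebProtocol_AINE.json rather than in this file; suggest raising it there so the prerequisite and the evaluated setting are restored. The phrase "TLS 1.0-1.2 and SSL 2-3, which are all considered legacy protocols" also reads as though TLS 1.2 must be disabled, which is stronger than a parameterised minimum-version check and is likely to be misread.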
@@ -404,7 +404,7 @@ initiative definition.
## Incident Response
-### Preparation setup incident notification
+### Preparation - setup incident notification
**ID**: Azure Security Benchmark IR-2 **Ownership**: Customer
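Review bot: style point on the renamed heading in this hunk: "setup" is the noun; as an instruction the control reads "set up incident notification". If the heading deliberately mirrors the Azure Security Benchmark IR-2 control title (the **ID** line under it suggests it does), keep the benchmark's spelling for searchability; otherwise use "set up". The hyphen separator itself is an improvement and matches the IR-3 and IR-5 headings changed in the following hunks.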
@@ -415,7 +415,7 @@ initiative definition.
|[Email notification to subscription owner for high severity alerts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b15565f-aa9e-48ba-8619-45960f2c314d) |To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json) | |[Subscriptions should have a contact email address for security issues](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7) |To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json) |
-### Detection and analysis create incidents based on high quality alerts
+### Detection and analysis - create incidents based on high quality alerts
**ID**: Azure Security Benchmark IR-3 **Ownership**: Customer
@@ -432,7 +432,7 @@ initiative definition.
|[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) | |[Azure Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) |
-### Detection and analysis prioritize incidents
+### Detection and analysis - prioritize incidents
**ID**: Azure Security Benchmark IR-5 **Ownership**: Customer
@@ -458,7 +458,7 @@ initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a15ec92-a229-4763-bb14-0ea34a568f8d) |Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. |Audit, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json) |
+|[Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a15ec92-a229-4763-bb14-0ea34a568f8d) |Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json) |
|[CORS should not allow every resource to access your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F358c20a6-3f9e-4f0e-97ff-c6ce485e2aac) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_ApiApp_Audit.json) | |[CORS should not allow every resource to access your Function Apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) | |[CORS should not allow every resource to access your Web Applications](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |
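Review bot: the version change on the AKS Policy Add-on row is more than a patch bump: `1.0.1-preview` becomes `1.0.2`, so the `-preview` suffix is dropped and the definition is presented as generally available. Description and effect are unchanged, which is consistent with a preview-to-GA promotion, but any preview caveat elsewhere on this initiative page should be updated in the same change so the table and the surrounding text agree.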
@@ -500,7 +500,7 @@ initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[Vulnerabilities in Azure Container Registry images should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) | |[Vulnerabilities on your SQL databases should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) | |[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
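Review bot: the vulnerability-assessment row goes from 2.0.0 to 3.0.0 with description, effects and link unchanged. Under the Azure Policy built-in versioning convention a major bump marks a breaking change to the definition, such as a parameter change, so an identical description is worth a check: confirm the 3.0.0 JSON's description really still matches this text, since the generator copies it verbatim. The same 2.0.0 to 3.0.0 bump is applied below to the Azure Security Benchmark v1, CIS 1.1.0 and CMMC L3 tables, so whatever the answer is here applies to all four.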
governance https://docs.microsoft.com/en-us/azure/governance/policy/samples/azure-security-benchmarkv1 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/azure-security-benchmarkv1.md
@@ -1,7 +1,7 @@
Title: Regulatory Compliance details for Azure Security Benchmark v1 description: Details of the Azure Security Benchmark v1 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 01/25/2021 Last updated : 01/29/2021
@@ -356,7 +356,7 @@ This built-in initiative is deployed as part of the
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) | |[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
governance https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/cis-azure-1-1-0.md
@@ -1,7 +1,7 @@
Title: Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark description: Details of the CIS Microsoft Azure Foundations Benchmark Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 01/25/2021 Last updated : 01/29/2021
@@ -159,7 +159,7 @@ This built-in initiative is deployed as part of the
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
### Ensure ASC Default policy setting "Monitor JIT Network Access" is not "Disabled"
governance https://docs.microsoft.com/en-us/azure/governance/policy/samples/cmmc-l3 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/cmmc-l3.md
@@ -1,7 +1,7 @@
Title: Regulatory Compliance details for CMMC Level 3 description: Details of the CMMC Level 3 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 01/25/2021 Last updated : 01/29/2021
@@ -88,7 +88,6 @@ initiative definition.
||||| |[API App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb7ddfbdc-1260-477d-91fd-98bd9be789a6) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) | |[Audit Linux machines that allow remote connections from accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea53dbee-c6c9-4f0e-9f9e-de0039b78023) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json) |
-|[Audit Windows web servers that are not using secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and here [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_Audit.json) | |[CORS should not allow every domain to access your API for FHIR](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0fea8f8a-4169-495d-8307-30ec335f387d) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. |audit, disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20for%20FHIR/HealthcareAPIs_RestrictCORSAccess_Audit.json) |
@@ -118,6 +117,7 @@ initiative definition.
|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) | |[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) | |[Windows machines should meet requirements for 'Security Options - Network Access'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd) |Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). 
|AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkAccess_AINE.json) |
+|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. TLS 1.3 is faster and more secure than the earlier versions: TLS 1.0-1.2 and SSL 2-3, which are all considered legacy protocols. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
### Verify and control/limit connections to and use of external information systems.
@@ -358,7 +358,7 @@ initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[Adaptive application controls for defining safe applications should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a6b606-51aa-4496-8bb7-64b11cf66adc) |Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json) | |[Allowlist rules in your adaptive application control policy should be updated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F123a3936-f020-408a-ba0c-47873faf1534) |Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json) | |[An activity log alert should exist for specific Security operations](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3b980d31-7904-4bb7-8575-5665739a8052) |This policy audits specific Security operations with no activity log alerts configured. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json) |
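Review bot: the only change in this hunk is the Version link for "A vulnerability assessment solution should be enabled on your virtual machines" (2.0.0 to 3.0.0); the Description and Effect(s) cells are identical before and after. A major version increment on a built-in definition normally means the rule or its parameters changed, so verify that the description (in particular the statements that scanning is included in the standard pricing tier and that Security Center can deploy the tool automatically) still matches the 3.0.0 JSON the Version column links to; if the 3.0.0 definition carries a new description string, the table should use it.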
@@ -376,7 +376,7 @@ initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[Adaptive application controls for defining safe applications should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a6b606-51aa-4496-8bb7-64b11cf66adc) |Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json) | |[Allowlist rules in your adaptive application control policy should be updated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F123a3936-f020-408a-ba0c-47873faf1534) |Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies. 
|AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControlsUpdate_Audit.json) | |[An activity log alert should exist for specific Security operations](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3b980d31-7904-4bb7-8575-5665739a8052) |This policy audits specific Security operations with no activity log alerts configured. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json) |
@@ -398,7 +398,7 @@ initiative definition.
||||| |[Adaptive application controls for defining safe applications should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a6b606-51aa-4496-8bb7-64b11cf66adc) |Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json) | |[An activity log alert should exist for specific Policy operations](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc5447c04-a4d7-4ba8-a263-c9ee321a6858) |This policy audits specific Policy operations with no activity log alerts configured. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_PolicyOperations_Audit.json) |
-|[Linux machines should meet requirements for the Azure security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc9b3da7-8347-4380-8e70-0a0361d8dedd) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines should meet the requirements for the Azure security baseline |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AzureLinuxBaseline_AINE.json) |
+|[Linux machines should meet requirements for the Azure security baseline](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc9b3da7-8347-4380-8e70-0a0361d8dedd) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines should meet the requirements for the Azure security baseline |AuditIfNotExists, Disabled |[1.1.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AzureLinuxBaseline_AINE.json) |
### Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
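Review bot: the bumped row for "Linux machines should meet requirements for the Azure security baseline" keeps the description "Machines are non-compliant if Linux machines should meet the requirements for the Azure security baseline", which is circular and tells the reader nothing about what is evaluated. Since the line is being touched anyway for the 1.0.0-preview to 1.1.0-preview bump, reword it along the lines of "Machines are non-compliant if they do not meet the requirements of the Azure security baseline for Linux", and keep the `-preview` suffix visible in the Version cell as it is now, since the definition has not reached a GA version.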
@@ -577,7 +577,6 @@ initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[API App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb7ddfbdc-1260-477d-91fd-98bd9be789a6) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) |
-|[Audit Windows web servers that are not using secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
|[Function App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) | |[Latest TLS version should be used in your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e) |Upgrade to the latest TLS version |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_ApiApp_Audit.json) | |[Latest TLS version should be used in your Function App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Upgrade to the latest TLS version |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
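Review bot: the header `@@ -577,7 +577,6 @@` shows this hunk is a pure deletion: the row "Audit Windows web servers that are not using secure communication protocols" (definition ID 5752e6d6-1206-46d8-8ab1-ecc2f71a8112) leaves this table and nothing replaces it here. The same definition ID is re-added under its new display name in the following hunk (`@@ -586,6 +585,7 @@`), so coverage of this control is preserved, but because the table is ordered alphabetically by display name the row moves from near the top of the table to the bottom; reviewers comparing before and after should match rows by definition ID rather than by position to confirm no entry was lost.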
@@ -586,6 +585,7 @@ initiative definition.
|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) | |[MFA should be enabled on accounts with read permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3576e28-8b17-4677-84c3-db2990658d64) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json) | |[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. TLS 1.3 is faster and more secure than the earlier versions: TLS 1.0-1.2 and SSL 2-3, which are all considered legacy protocols. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
## Incident Response
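Review bot: the new description in the added row states that "TLS 1.0-1.2 and SSL 2-3 ... are all considered legacy protocols", which lumps TLS 1.2 in with protocols that are actually deprecated; TLS 1.2 is still the baseline most guidance accepts, and the removed row for this same definition (in the `@@ -577,7 +577,6 @@` hunk above) makes clear the check is parameterized ("protocols less secure than what is selected in the policy parameter"), so assignments will commonly select TLS 1.2 as the minimum. Suggest rewording to something like "SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated; require TLS 1.2 or later, preferring TLS 1.3 where the server supports it", so the doc does not tell operators that a TLS 1.2-only server is non-compliant by default. The Effect(s) cell also changes from `auditIfNotExists` to `AuditIfNotExists, Disabled`, which is worth calling out explicitly since it changes what an assignment can select.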
@@ -670,7 +670,7 @@ initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[Advanced data security should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Advanced data security should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) |Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) |
@@ -693,7 +693,7 @@ initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[Advanced data security should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Advanced data security should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) |Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) |
@@ -716,7 +716,7 @@ initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[Advanced data security should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Advanced data security should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) |Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) |
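Review bot: this is the fifth table on the page where the vulnerability-assessment row is bumped from 2.0.0 to 3.0.0 (hunks at 358, 376, 670, 693 and 716), each time with an unchanged description. Because the same built-in definition is repeated once per control it maps to, a partial update would leave the page showing two different versions for one definition ID (501541f7-f7e7-4cd6-868c-4190fdad3ac9); before merging, search the file for `ASC_ServerVulnerabilityAssessment_Audit.json` and confirm every occurrence now reads 3.0.0.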
@@ -771,7 +771,6 @@ initiative definition.
|[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) | |[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) | |[API App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb7ddfbdc-1260-477d-91fd-98bd9be789a6) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) |
-|[Audit Windows web servers that are not using secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) | |[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and here [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_Audit.json) | |[Flow log should be configured for every network security group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc251913d-7d24-4958-af87-478ed3b9ba41) |Audit for network security groups to verify if flow log resource is configured. Flow log allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_FlowLog_Audit.json) |
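Review bot: the row deleted here carried the only concrete statement on the page of what the secure-web-protocol check evaluates: the registry key `HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols` compared against the policy parameter. That detail is what an operator needs to verify a machine by hand or to understand a non-compliant result, and the replacement description added in the next hunk (`@@ -802,6 +801,7 @@`) is a general explanation of TLS that never mentions it. Suggest keeping a sentence such as "Machines are non-compliant if the SCHANNEL\Protocols registry key enables protocols less secure than the version selected in the policy parameter" in the new row's description, together with the Guest Configuration prerequisite note (`https://aka.ms/gcpol`), which was also dropped.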
@@ -802,6 +801,7 @@ initiative definition.
|[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) | |[Windows machines should meet requirements for 'Security Options - Network Access'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd) |Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkAccess_AINE.json) | |[Windows machines should meet requirements for 'Security Options - Network Security'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1221c620-d201-468c-81e7-2817e6107e84) |Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. 
For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkSecurity_AINE.json) |
+|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. TLS 1.3 is faster and more secure than the earlier versions: TLS 1.0-1.2 and SSL 2-3, which are all considered legacy protocols. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
### Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
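Review bot: The added 'Windows web servers should be configured to use secure communication protocols' row drops the Guest Configuration prerequisite statement that the neighbouring 'Windows machines should meet requirements for ...' rows carry ("This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol"), even though its version link points at the same Guest Configuration definition file (GuestConfiguration_SecureWebProtocol_AINE.json) and its effect is still AuditIfNotExists. Because these tables are generated from the policy definitions, the wording should be fixed in the 2.0.0 definition upstream rather than hand-edited here; without it, readers lose the hint that a machine with no Guest Configuration extension or managed identity simply never reports for this policy.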
@@ -934,7 +934,6 @@ initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[API App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb7ddfbdc-1260-477d-91fd-98bd9be789a6) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) |
-|[Audit Windows web servers that are not using secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
|[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) |Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) | |[Enforce SSL connection should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd158790f-bfb0-486c-8631-2dc6b4e8e6af) |Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) | |[Function App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
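Review bot: Removing the 'Audit Windows web servers that are not using secure communication protocols' row here drops the only text in this article that said how the check is evaluated (the HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols registry key compared against the protocol selected in the policy parameter); the replacement row added further down the same file describes TLS only in general terms. The rename plus the effect change from 'auditIfNotExists' to 'AuditIfNotExists, Disabled' is what justifies the 1.0.0 to 2.0.0 bump, so the article should make clear that the display name changed while the definition ID (5752e6d6-1206-46d8-8ab1-ecc2f71a8112) did not, for anyone who located or reported on the assignment by name.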
@@ -945,6 +944,7 @@ initiative definition.
|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) | |[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) | |[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. TLS 1.3 is faster and more secure than the earlier versions: TLS 1.0-1.2 and SSL 2-3, which are all considered legacy protocols. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
### Establish and manage cryptographic keys for cryptography employed in organizational systems.
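Review bot: Placement and casing are right: the new row follows 'Web Application should only be accessible over HTTPS', which keeps the table alphabetical, and its effect column now uses the same 'AuditIfNotExists, Disabled' form as the other Guest Configuration rows. One wording issue for the upstream definition: "TLS 1.0-1.2 and SSL 2-3, which are all considered legacy protocols" puts TLS 1.2 in the same bucket as SSL 2 and 3, which will confuse readers whose policy parameter selects 1.2 as the minimum allowed protocol; the description should state what the parameter selects instead of labelling 1.2 legacy outright.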
@@ -970,7 +970,6 @@ initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[API App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb7ddfbdc-1260-477d-91fd-98bd9be789a6) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) |
-|[Audit Windows web servers that are not using secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
|[Certificates using RSA cryptography should have the specified minimum key size](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcee51871-e572-4576-855c-047c820360f0) |Manage your organizational compliance requirements by specifying a minimum key size for RSA certificates stored in your key vault. |audit, deny, disabled |[2.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_RSA_MinimumKeySize.json) | |[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) |Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) | |[Enforce SSL connection should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd158790f-bfb0-486c-8631-2dc6b4e8e6af) |Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) |
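Review bot: This second removal of the 'Audit Windows web servers that are not using secure communication protocols' row sits inside the 'Establish and manage cryptographic keys for cryptography employed in organizational systems' control, so it should be checked against the addition in the hunk at line 982 below: the control must still list the renamed 2.0.0 definition after this change, otherwise it loses its only Windows TLS check. The hunk header (-970,7 +970,6) shows a net loss of one line here, and the later header (-982,6 +981,7) shows the matching gain, which is consistent with a rename rather than a deletion.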
@@ -982,6 +981,7 @@ initiative definition.
|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) | |[MFA should be enabled on accounts with read permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3576e28-8b17-4677-84c3-db2990658d64) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json) | |[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. TLS 1.3 is faster and more secure than the earlier versions: TLS 1.0-1.2 and SSL 2-3, which are all considered legacy protocols. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
### Protect the confidentiality of CUI at rest.
governance https://docs.microsoft.com/en-us/azure/governance/policy/samples/hipaa-hitrust-9-2 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/hipaa-hitrust-9-2.md
@@ -1,7 +1,7 @@
Title: Regulatory Compliance details for HIPAA HITRUST 9.2 description: Details of the HIPAA HITRUST 9.2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 01/25/2021 Last updated : 01/29/2021
@@ -1605,7 +1605,7 @@ This built-in initiative is deployed as part of the
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) | |[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) | |[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) |
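Review bot: The 2.0.0 to 3.0.0 bump for 'A vulnerability assessment solution should be enabled on your virtual machines' changes nothing else in the row: the description, the effects ('AuditIfNotExists, Disabled') and the GitHub path (ASC_ServerVulnerabilityAssessment_Audit.json) are identical between the '-' and '+' lines. Under Azure Policy's versioning convention a major version increment is reserved for breaking changes, so the article should say what changed (scope, parameters, or evaluation logic) or link to the definition's commit; as written, a reader cannot tell whether existing assignments or exemptions need attention.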
@@ -1630,7 +1630,7 @@ This built-in initiative is deployed as part of the
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
### Patches are tested and evaluated before they are installed.
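Review bot: Same 2.0.0 to 3.0.0 bump for definition 501541f7-f7e7-4cd6-868c-4190fdad3ac9 in a second control, again with no visible change to description, effects or link, so the same request applies: record what the breaking change was. It is also worth confirming that every other table in this article that lists this definition was regenerated in the same commit, since a mix of 2.0.0 and 3.0.0 rows for one definition would suggest the generator ran against a stale policy repository.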
governance https://docs.microsoft.com/en-us/azure/governance/policy/samples/index https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/index.md
@@ -1,7 +1,7 @@
Title: Index of policy samples description: Index of built-ins for Azure Policy. Categories Tags, Regulatory Compliance, Key Vault, Kubernetes, Guest Configuration, and more. Previously updated : 01/25/2021 Last updated : 01/29/2021 # Azure Policy Samples
@@ -36,6 +36,7 @@ The following are the [Regulatory Compliance](../concepts/regulatory-compliance.
- [CIS Microsoft Azure Foundations Benchmark v1.1.0](./cis-azure-1-1-0.md) - [CMMC Level 3](./cmmc-l3.md) - [HIPAA HITRUST 9.2](./hipaa-hitrust-9-2.md)
+- [ISO 27001:2013](./iso-27001.md)
- [NIST SP 800-53 R4](./nist-sp-800-53-r4.md) - [NIST SP 800-171 R2](./nist-sp-800-171-r2.md)
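Review bot: The new '[ISO 27001:2013](./iso-27001.md)' entry is inserted between HIPAA HITRUST 9.2 and NIST SP 800-53 R4, which preserves the alphabetical order of the Regulatory Compliance list. The relative target ./iso-27001.md is created by the new-file change to governance/policy/samples/iso-27001 in this same update, so the two must land together; merged on its own, this index entry is a broken link.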
governance https://docs.microsoft.com/en-us/azure/governance/policy/samples/iso-27001 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/iso-27001.md /dev/null
@@ -0,0 +1,295 @@
+
+ Title: Regulatory Compliance details for ISO 27001:2013
+description: Details of the ISO 27001:2013 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
Last updated : 01/29/2021+++
+# Details of the ISO 27001:2013 Regulatory Compliance built-in initiative
+
+The following article details how the Azure Policy Regulatory Compliance built-in initiative
+definition maps to **compliance domains** and **controls** in ISO 27001:2013.
+For more information about this compliance standard, see
+[ISO 27001:2013](https://www.iso.org/isoiec-27001-information-security.html). To understand
+_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and
+[Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md).
+
+The following mappings are to the **ISO 27001:2013** controls. Use the
+navigation on the right to jump directly to a specific **compliance domain**. Many of the controls
+are implemented with an [Azure Policy](../overview.md) initiative definition. To review the complete
+initiative definition, open **Policy** in the Azure portal and select the **Definitions** page.
+Then, find and select the **ISO 27001:2013** Regulatory Compliance built-in
+initiative definition.
+
+This built-in initiative is deployed as part of the
+[ISO 27001:2013 blueprint sample](../../blueprints/samples/iso27001/index.md).
+
+> [!IMPORTANT]
+> Each control below is associated with one or more [Azure Policy](../overview.md) definitions.
+> These policies may help you [assess compliance](../how-to/get-compliance-data.md) with the
+> control; however, there often is not a one-to-one or complete match between a control and one or
+> more policies. As such, **Compliant** in Azure Policy refers only to the policy definitions
+> themselves; this doesn't ensure you're fully compliant with all requirements of a control. In
+> addition, the compliance standard includes controls that aren't addressed by any Azure Policy
+> definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your
+> overall compliance status. The associations between compliance domains, controls, and Azure Policy
+> definitions for this compliance standard may change over time. To view the change history, see the
+> [GitHub Commit History](https://github.com/Azure/azure-policy/commits/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/ISO27001_2013_audit.json).
+
+## Organization of information security
+
+### Segregation of Duties
+
+**ID**: ISO 27001:2013 A.6.1.2
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) |It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) |
+|[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) |It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) |
+
+## Asset management
+
+### Classification of information
+
+**ID**: ISO 27001:2013 A.8.2.1
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Vulnerabilities on your SQL databases should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) |
+
+## Access control
+
+### Access to networks and network services
+
+**ID**: ISO 27001:2013 A.9.1.2
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Audit Linux machines that allow remote connections from accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea53dbee-c6c9-4f0e-9f9e-de0039b78023) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword110_AINE.json) |
+|[Audit Linux machines that have accounts without passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6ec09a3-78bf-4f8f-99dc-6c77182d0f99) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that have accounts without passwords |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword232_AINE.json) |
+|[Audit VMs that do not use managed disks](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F06a78e20-9358-41c9-923c-fb736d382a4d) |This policy audits VMs that do not use managed disks |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VMRequireManagedDisk_Audit.json) |
+|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |
+|[Storage accounts should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F37e0d2fe-28a5-43d6-a273-67d37d1f5606) |Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json) |
+|[Virtual machines should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1d84d5fb-01f6-4d12-ba4f-4a26081d403d) |Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json) |
+
+### Management of privileged access rights
+
+**ID**: ISO 27001:2013 A.9.2.3
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
+|[Audit usage of custom RBAC rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |
+|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) |
+|[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c607a2e-c700-4744-8254-d77e7c9eb5e4) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) |
+|[MFA should be enabled accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9297c21d-2ed6-4474-b48f-163f75654ce3) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) |
+|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) |
+|[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) |
+
+### Management of secret authentication information of users
+
+**ID**: ISO 27001:2013 A.9.2.4
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Audit Linux machines that do not have the passwd file permissions set to 0644](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe6955644-301c-44b5-a4c4-528577de6861) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644 |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxPassword121_AINE.json) |
+|[Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F331e8ea8-378a-410f-a2e5-ae22f38bb0da) |This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionLinux_Prerequisite.json) |
+|[MFA should be enabled accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9297c21d-2ed6-4474-b48f-163f75654ce3) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) |
+|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) |
+|[MFA should be enabled on accounts with read permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3576e28-8b17-4677-84c3-db2990658d64) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json) |
+
+### Review of user access rights
+
+**ID**: ISO 27001:2013 A.9.2.5
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Deprecated accounts should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6b1cbf55-e8b6-442f-ba4c-7246b6381474) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json) |
+|[Deprecated accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Febb62a0c-3560-49e1-89ed-27e074e9f8ad) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json) |
+|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) |
+|[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c607a2e-c700-4744-8254-d77e7c9eb5e4) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) |
+
+### Removal or adjustment of access rights
+
+**ID**: ISO 27001:2013 A.9.2.6
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Deprecated accounts should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6b1cbf55-e8b6-442f-ba4c-7246b6381474) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json) |
+|[Deprecated accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Febb62a0c-3560-49e1-89ed-27e074e9f8ad) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json) |
+
+### Secure log-on procedures
+
+**ID**: ISO 27001:2013 A.9.4.2
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[MFA should be enabled accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9297c21d-2ed6-4474-b48f-163f75654ce3) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) |
+|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) |
+|[MFA should be enabled on accounts with read permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3576e28-8b17-4677-84c3-db2990658d64) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json) |
+
+### Password management system
+
+**ID**: ISO 27001:2013 A.9.4.3
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[Audit Windows machines that allow re-use of the previous 24 passwords](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b054a0d-39e2-4d53-bea3-9734cad2c69b) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEnforce_AINE.json) |
+|[Audit Windows machines that do not have a maximum password age of 70 days](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4ceb8dc2-559c-478b-a15b-733fbf1e3738) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMaximumPassword_AINE.json) |
+|[Audit Windows machines that do not have a minimum password age of 1 day](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F237b38db-ca4d-4259-9e47-7882441ca2c0) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsMinimumPassword_AINE.json) |
+|[Audit Windows machines that do not have the password complexity setting enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbf16e0bb-31e1-4646-8202-60a235cc7e74) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not have the password complexity setting enabled |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordComplexity_AINE.json) |
+|[Audit Windows machines that do not restrict the minimum password length to 14 characters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa2d0e922-65d0-40c4-8f87-ea6da2d307a2) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordLength_AINE.json) |
+|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
+
+## Cryptography
+
+### Policy on the use of cryptographic controls
+
+**ID**: ISO 27001:2013 A.10.1.1
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
+|[API App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb7ddfbdc-1260-477d-91fd-98bd9be789a6) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) |
+|[Audit Windows machines that do not store passwords using reversible encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fda0f98fe-a24b-4ad5-af69-bd0400233661) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if Windows machines that do not store passwords using reversible encryption |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsPasswordEncryption_AINE.json) |
+|[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) |
+|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
+|[Disk encryption should be applied on virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |
+|[Function App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) |
+|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) |
+|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) |
+|[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) |Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) |
+|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) |Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) |
+|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) |Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) |
+|[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+
+## Operations security
+
+### Event Logging
+
+**ID**: ISO 27001:2013 A.12.4.1
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[\[Preview\]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32133ab0-ee4b-4b44-98d6-042180979d50) |Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. |auditIfNotExists |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json) |
+|[Audit Dependency agent deployment - VM Image (OS) unlisted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F11ac78e3-31bc-4f0c-8434-37ab963cea07) |Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. |auditIfNotExists |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_Audit.json) |
+|[Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2dd799a-a932-4e9d-ac17-d473bc3c6c10) |Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. |auditIfNotExists |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_VMSS_Audit.json) |
+|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
+|[Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) |Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. |auditIfNotExists |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) |
+|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
+|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
+
+### Administrator and operator logs
+
+**ID**: ISO 27001:2013 A.12.4.3
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[\[Preview\]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32133ab0-ee4b-4b44-98d6-042180979d50) |Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. |auditIfNotExists |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json) |
+|[Audit Dependency agent deployment - VM Image (OS) unlisted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F11ac78e3-31bc-4f0c-8434-37ab963cea07) |Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. |auditIfNotExists |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_Audit.json) |
+|[Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2dd799a-a932-4e9d-ac17-d473bc3c6c10) |Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. |auditIfNotExists |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_VMSS_Audit.json) |
+|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
+|[Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) |Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. |auditIfNotExists |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) |
+|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
+|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
+
+### Clock Synchronization
+
+**ID**: ISO 27001:2013 A.12.4.4
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[\[Preview\]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F32133ab0-ee4b-4b44-98d6-042180979d50) |Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. |auditIfNotExists |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json) |
+|[Audit Dependency agent deployment - VM Image (OS) unlisted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F11ac78e3-31bc-4f0c-8434-37ab963cea07) |Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. |auditIfNotExists |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_Audit.json) |
+|[Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2dd799a-a932-4e9d-ac17-d473bc3c6c10) |Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. |auditIfNotExists |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_VMSS_Audit.json) |
+|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
+|[Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138) |Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. |auditIfNotExists |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json) |
+|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
+|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
+
+### Installation of software on operational systems
+
+**ID**: ISO 27001:2013 A.12.5.1
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Adaptive application controls for defining safe applications should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a6b606-51aa-4496-8bb7-64b11cf66adc) |Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json) |
+
+### Management of technical vulnerabilities
+
+**ID**: ISO 27001:2013 A.12.6.1
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) |
+|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) |Missing security system updates on your servers will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) |
+|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
+|[Vulnerabilities on your SQL databases should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) |
+
+### Restrictions on software installation
+
+**ID**: ISO 27001:2013 A.12.6.2
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Adaptive application controls for defining safe applications should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a6b606-51aa-4496-8bb7-64b11cf66adc) |Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json) |
+
+## Communications security
+
+### Network controls
+
+**ID**: ISO 27001:2013 A.13.1.1
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) |
+|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) |
+
+### Information transfer policies and procedures
+
+**ID**: ISO 27001:2013 A.13.2.1
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) |
+|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) |
+
+> [!NOTE]
+> Availability of specific Azure Policy definitions may vary in Azure Government and other national
+> clouds.
+
+## Next steps
+
+Additional articles about Azure Policy:
+
+- [Regulatory Compliance](../concepts/regulatory-compliance.md) overview.
+- See the [initiative definition structure](../concepts/initiative-definition-structure.md).
+- Review other examples at [Azure Policy samples](./index.md).
+- Review [Understanding policy effects](../concepts/effects.md).
+- Learn how to [remediate non-compliant resources](../how-to/remediate-resources.md).
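Review bot: several rows in this hunk are exact duplicates and should be emitted once: "Transparent Data Encryption on SQL databases should be enabled" appears twice in a row in the table above the Operations security heading, and "Auditing on SQL server should be enabled" appears twice in each of A.12.4.1, A.12.4.3 and A.12.4.4. The generator is presumably producing one row per policy reference in the initiative, so two references to definition a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 (for example with different parameters) become two identical rows; deduplicating on definition ID and version before rendering would fix all four cases. The same six agent-deployment, diagnostic-setting and SQL-auditing rows are also repeated verbatim across Event Logging, Administrator and operator logs and Clock Synchronization; that is fine if the initiative really maps them that way, but A.12.4.4 (clock synchronization) having exactly the A.12.4.1 rows is worth confirming against the initiative definition rather than a copy-paste.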
governance https://docs.microsoft.com/en-us/azure/governance/policy/samples/nist-sp-800-171-r2 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/nist-sp-800-171-r2.md
@@ -1,7 +1,7 @@
Title: Regulatory Compliance details for NIST SP 800-171 R2 description: Details of the NIST SP 800-171 R2 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 01/25/2021 Last updated : 01/29/2021
@@ -259,7 +259,7 @@ initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[Advanced data security should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Advanced data security should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
@@ -279,7 +279,6 @@ initiative definition.
|[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) | |[All network ports should be restricted on network security groups associated to your virtual machine](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9daedab3-fb2d-461e-b861-71790eead4f6) |Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnprotectedEndpoints_Audit.json) | |[API App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb7ddfbdc-1260-477d-91fd-98bd9be789a6) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) |
-|[Audit Windows web servers that are not using secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
|[Function App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) | |[Latest TLS version should be used in your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e) |Upgrade to the latest TLS version |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_ApiApp_Audit.json) | |[Latest TLS version should be used in your Function App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9d614c5-c173-4d56-95a7-b4437057d193) |Upgrade to the latest TLS version |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RequireLatestTls_FunctionApp_Audit.json) |
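Review bot: the removed row was the only place in this section that told the reader the policy depends on Guest Configuration prerequisites being deployed to the assignment scope (the aka.ms/gcpol link) and what is actually evaluated (the HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols registry key compared against the protocol selected in the policy parameter). If this is a rename and re-sort of the same definition 5752e6d6-1206-46d8-8ab1-ecc2f71a8112 rather than a removal, consider carrying one sentence about the prerequisite into the replacement description, since the prerequisite still has to be deployed for the audit to produce results.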
@@ -288,6 +287,7 @@ initiative definition.
|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) | |[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) | |[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. 
|Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. TLS 1.3 is faster and more secure than the earlier versions: TLS 1.0-1.2 and SSL 2-3, which are all considered legacy protocols. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
### Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
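Review bot: The description on the added `+|[Windows web servers should be configured to use secure communication protocols]` row lumps TLS 1.2 together with TLS 1.0, TLS 1.1 and SSL 2/3 as "legacy protocols"; TLS 1.2 remains an accepted, widely mandated baseline (TLS 1.3 is the preferred target), so the wording overstates the case. Suggest "TLS 1.3 is faster and more secure than earlier versions; TLS 1.0, TLS 1.1 and SSL 2/3 are considered legacy protocols." Since this table is generated from the definition's own description, the fix belongs in the JSON at the linked GuestConfiguration_SecureWebProtocol_AINE.json path rather than in this Markdown.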
@@ -309,11 +309,11 @@ initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[API App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb7ddfbdc-1260-477d-91fd-98bd9be789a6) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) |
-|[Audit Windows web servers that are not using secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
|[Function App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) | |[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) | |[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). 
Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) | |[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. TLS 1.3 is faster and more secure than the earlier versions: TLS 1.0-1.2 and SSL 2-3, which are all considered legacy protocols. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
### Protect the confidentiality of CUI at rest.
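Review bot: Replacing the `-|[Audit Windows web servers that are not using secure communication protocols]` row with the `+|[Windows web servers should be configured to use secure communication protocols]` row keeps the same definition ID (5752e6d6-...) and the same GitHub file (GuestConfiguration_SecureWebProtocol_AINE.json) but drops two details operators rely on: the Guest Configuration prerequisite that must be deployed to the assignment scope (https://aka.ms/gcpol) and the statement of what is evaluated (the SCHANNEL\Protocols registry key against the policy parameter). Without them, readers cannot tell why machines show as non-compliant or are never evaluated; suggest the new description in the definition JSON keep at least the prerequisite sentence. The effect change from `auditIfNotExists` to `AuditIfNotExists, Disabled` and the 1.0.0 to 2.0.0 bump are consistent with a re-published definition.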
@@ -336,7 +336,7 @@ initiative definition.
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[Ensure that 'HTTP Version' is the latest, if used to run the API app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F991310cd-e9f3-47bc-b7b6-f57b557d07db) |Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_HTTP_Latest.json) | |[Ensure that 'HTTP Version' is the latest, if used to run the Function app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe2c1c086-2d84-4019-bff3-c44ccd95113c) |Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_HTTP_Latest.json) | |[Ensure that 'HTTP Version' is the latest, if used to run the Web app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8c122334-9d20-4eb8-89ea-ac9a705b74ae) |Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. 
Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_HTTP_Latest.json) |
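Review bot: The only change on the `A vulnerability assessment solution should be enabled on your virtual machines` row is the version column, 2.0.0 to 3.0.0, with the description otherwise identical. In Azure Policy a major version bump signals a breaking change to the definition (rule logic, parameters or default effect), so either the description at the linked ASC_ServerVulnerabilityAssessment_Audit.json should say what changed, or the bump should be checked against the definition before merging. The same bump recurs below at @@ -3159 and @@ -3909 and can be verified once for all three.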
governance https://docs.microsoft.com/en-us/azure/governance/policy/samples/nist-sp-800-53-r4 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/nist-sp-800-53-r4.md
@@ -1,7 +1,7 @@
Title: Regulatory Compliance details for NIST SP 800-53 R4 description: Details of the NIST SP 800-53 R4 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment. Previously updated : 01/25/2021 Last updated : 01/29/2021
@@ -3159,7 +3159,7 @@ This built-in initiative is deployed as part of the
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[Advanced data security should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) | |[Advanced data security should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) | |[Microsoft Managed Control 1546 - Vulnerability Scanning](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2ce1ea7e-4038-4e53-82f4-63e8859333c1) |Microsoft implements this Risk Assessment control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/MicrosoftManagedControl1546.json) |
@@ -3703,12 +3703,12 @@ This built-in initiative is deployed as part of the
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[API App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb7ddfbdc-1260-477d-91fd-98bd9be789a6) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) |
-|[Audit Windows web servers that are not using secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
|[Function App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceFunctionApp_AuditHTTP_Audit.json) | |[Microsoft Managed Control 1641 - Transmission Confidentiality And Integrity \| Cryptographic Or Alternate Physical Protection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd39d4f68-7346-4133-8841-15318a714a24) |Microsoft implements this System and Communications Protection control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/MicrosoftManagedControl1641.json) | |[Only secure connections to your Azure Cache for Redis should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22bee202-a82f-4305-9a2a-6d7f44d4dedb) |Audit enabling of only connections via SSL to Azure Cache for Redis. 
Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_AuditSSLPort_Audit.json) | |[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) | |[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
+|[Windows web servers should be configured to use secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines. TLS 1.3 is faster and more secure than the earlier versions: TLS 1.0-1.2 and SSL 2-3, which are all considered legacy protocols. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
### Network Disconnect
@@ -3909,7 +3909,7 @@ This built-in initiative is deployed as part of the
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
|[Microsoft Managed Control 1668 - Flaw Remediation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8fb0966e-be1d-42c3-baca-60df5c0bcc61) |Microsoft implements this System and Information Integrity control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/MicrosoftManagedControl1668.json) | |[Microsoft Managed Control 1669 - Flaw Remediation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F48f2f62b-5743-4415-a143-288adc0e078d) |Microsoft implements this System and Information Integrity control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/MicrosoftManagedControl1669.json) | |[Microsoft Managed Control 1670 - Flaw Remediation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc6108469-57ee-4666-af7e-79ba61c7ae0c) |Microsoft implements this System and Information Integrity control |audit |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Regulatory%20Compliance/MicrosoftManagedControl1670.json) |
hdinsight https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/domain-joined-authentication-issues https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/domain-joined/domain-joined-authentication-issues.md
@@ -30,7 +30,7 @@ Azure AD error code 50126 means the `AllowCloudPasswordValidation` policy has no
### Resolution
-The Company Administrator of the Azure AD tenant should enable Azure AD to use password hashes for ADFS backed users. Apply the `AllowCloudPasswordValidationPolicy` as shown in the article [Use Enterprise Security Package in HDInsight](../domain-joined/apache-domain-joined-architecture.md).
+The Global Administrator of the Azure AD tenant should enable Azure AD to use password hashes for ADFS backed users. Apply the `AllowCloudPasswordValidationPolicy` as shown in the article [Use Enterprise Security Package in HDInsight](../domain-joined/apache-domain-joined-architecture.md).
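Review bot: The role rename on the `+The Global Administrator of the Azure AD tenant ...` line matches the portal name (Company Administrator is the directory role name exposed by the Graph and PowerShell APIs), but the same line still calls the policy `AllowCloudPasswordValidationPolicy` while the hunk header context reads `AllowCloudPasswordValidation`; pick one spelling and use it in both places. "ADFS backed users" should be hyphenated as "ADFS-backed users".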
hdinsight https://docs.microsoft.com/en-us/azure/hdinsight/hdinsight-release-notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/hdinsight-release-notes.md
@@ -44,6 +44,9 @@ HDInsight added network security groups (NSGs) and user-defined routes (UDRs) ch
## Upcoming changes The following changes will happen in upcoming releases.
+### Breaking change for .NET for Apache Spark 1.0.0
+HDInsight will introduce the first major official release of .NET for Apache Spark in the next release. It provides DataFrame API completeness for Spark 2.4.x and Spark 3.0.x along with other features. There will be breaking changes for this major version, refer to [this migration guid](https://github.com/dotnet/spark/blob/master/docs/migration-guide.md#upgrading-from-microsoftspark-0x-to-10) to understand steps needed to update your code and pipelines. Learn more [here](https://docs.microsoft.com/azure/hdinsight/spark/spark-dotnet-version-update#using-net-for-apache-spark-v10-in-hdinsight).
+ ### Default cluster VM size will be changed to Ev3 family Starting from next release (around end of January), default cluster VM sizes will be changed from D family to Ev3 family. This change applies to head nodes and worker nodes. To avoid this change, specify the VM sizes that you want to use in the ARM template.
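Review bot: Typo on the `+HDInsight will introduce the first major official release ...` line: "refer to [this migration guid]" should read "migration guide". The same sentence is a comma splice ("There will be breaking changes for this major version, refer to ..."); splitting it ("... for this major version. Refer to ...") reads better, and "Learn more [here]" would be clearer with descriptive link text such as "Learn more about .NET for Apache Spark v1.0 in HDInsight".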
@@ -51,7 +54,7 @@ Starting from next release (around end of January), default cluster VM sizes wil
Starting February 2021, the default version of HDInsight cluster will be changed from 3.6 to 4.0. For more information about available versions, see [available versions](./hdinsight-component-versioning.md#available-versions). Learn more about what is new in [HDInsight 4.0](./hdinsight-version-release.md) ### OS version upgrade
-HDInsight is upgrading OS version from 16.04 to 18.04. The upgrade will complete before April, 2021.
+HDInsight is upgrading OS version from 16.04 to 18.04. The upgrade will complete before April 2021.
### HDInsight 3.6 end of support on June 30 2021 HDInsight 3.6 will be end of support. Starting form June 30 2021, customers can't create new HDInsight 3.6 clusters. Existing clusters will run as is without the support from Microsoft. Consider moving to HDInsight 4.0 to avoid potential system/support interruption.
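Review bot: The `+HDInsight is upgrading OS version from 16.04 to 18.04.` line fixes the comma but still lacks an article ("upgrading the OS version"); while here, the context line below reads "Starting form June 30 2021" ("from") and "HDInsight 3.6 will be end of support" ("will reach end of support").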
@@ -65,7 +68,7 @@ No component version change for this release. You can find the current component
## Known issues ### Prevent HDInsight cluster VMs from rebooting periodically
-Starting from mid November 2020, you may have noticed HDInsight cluster VMs getting rebooted on a regular basis. This could be caused by:
+Starting from mid November 2020, you may have noticed HDInsight cluster VMs getting rebooted regularly. This could be caused by:
1. Clamav is enabled on your cluster. The new azsec-clamav package consumes large amount of memory that triggers node rebooting. 2. A CRON job is scheduled daily that monitors for changes to the list of certificate authorities (CAs) used by Azure services. When a new CA certificate is available, the script adds the certificate to the JDK trust store and schedules a reboot.
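Review bot: "mid November 2020" on the `+Starting from mid November 2020 ...` line is conventionally hyphenated ("mid-November 2020"), and the context line below still reads "consumes large amount of memory" ("a large amount of memory").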
hdinsight https://docs.microsoft.com/en-us/azure/hdinsight/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/policy-reference.md /dev/null
@@ -0,0 +1,29 @@
+
+ Title: Built-in policy definitions for Azure HDInsight
+description: Lists Azure Policy built-in policy definitions for Azure HDInsight. These built-in policy definitions provide common approaches to managing your Azure resources.
Last updated : 01/25/2021++++++
+# Azure Policy built-in definitions for Azure HDInsight
+
+This page is an index of [Azure Policy](../governance/policy/overview.md) built-in policy
+definitions for Azure HDInsight. For additional Azure Policy built-ins for other services, see
+[Azure Policy built-in definitions](../governance/policy/samples/built-in-policies.md).
+
+The name of each built-in policy definition links to the policy definition in the Azure portal. Use
+the link in the **Version** column to view the source on the
+[Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
+
+## Azure HDInsight
+
+[!INCLUDE [azure-policy-reference-rp-hdinsight](../../includes/policy/reference/byrp/microsoft.hdinsight.md)]
+
+## Next steps
+
+- See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
+- Review the [Azure Policy definition structure](../governance/policy/concepts/definition-structure.md).
+- Review [Understanding policy effects](../governance/policy/concepts/effects.md).
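Review bot: The body of this new page is the single include `[!INCLUDE [azure-policy-reference-rp-hdinsight](../../includes/policy/reference/byrp/microsoft.hdinsight.md)]`, and that include file is not among the changes shown here; confirm it exists or is added in the same change, otherwise the "Azure HDInsight" section renders empty.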
hdinsight https://docs.microsoft.com/en-us/azure/hdinsight/spark/apache-spark-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/hdinsight/spark/apache-spark-overview.md
@@ -47,7 +47,7 @@ Apache Spark clusters in HDInsight include the following components that are ava
* [Jupyter Notebook](https://jupyter.org) * [Apache Zeppelin notebook](http://zeppelin-project.org/)
-HDInsight Spark clusters an [ODBC driver](https://go.microsoft.com/fwlink/?LinkId=616229) for connectivity from BI tools such as Microsoft Power BI.
+HDInsight Spark clusters an [ODBC driver](/sql/connect/odbc/download-odbc-driver-for-sql-server?view=sql-server-ver15) for connectivity from BI tools such as Microsoft Power BI.
## Spark cluster architecture
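Review bot: Both the removed and added lines read "HDInsight Spark clusters an [ODBC driver] for connectivity from BI tools", which is missing its verb ("clusters include an ODBC driver"); since the line is being touched anyway, fix it here. Also confirm the new target: the link now points at the SQL Server ODBC driver download page (`download-odbc-driver-for-sql-server`), whereas the sentence is about connecting BI tools such as Power BI to Spark; check that this is the intended driver rather than the Spark-specific ODBC driver.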
healthcare-apis https://docs.microsoft.com/en-us/azure/healthcare-apis/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/healthcare-apis/security-controls-policy.md /dev/null
@@ -0,0 +1,28 @@
+
+ Title: Azure Policy Regulatory Compliance controls for Azure API for FHIR
+description: Lists Azure Policy Regulatory Compliance controls available for Azure API for FHIR. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources.
Last updated : 01/29/2021+++++++
+# Azure Policy Regulatory Compliance controls for Azure API for FHIR
+
+[Regulatory Compliance in Azure Policy](../governance/policy/concepts/regulatory-compliance.md)
+provides Microsoft created and managed initiative definitions, known as _built-ins_, for the
+**compliance domains** and **security controls** related to different compliance standards. This
+page lists the **compliance domains** and **security controls** for Azure API for FHIR. You can
+assign the built-ins for a **security control** individually to help make your Azure resources
+compliant with the specific standard.
+
+[!INCLUDE [azure-policy-compliancecontrols-introwarning](../../includes/policy/standards/intro-warning.md)]
+
+[!INCLUDE [azure-policy-compliancecontrols-healthcare](../../includes/policy/standards/byrp/microsoft.healthcareapis.md)]
+
+## Next steps
+
+- Learn more about [Azure Policy Regulatory Compliance](../governance/policy/concepts/regulatory-compliance.md).
+- See the built-ins on the [Azure Policy GitHub repo](https://github.com/Azure/azure-policy).
iot-central https://docs.microsoft.com/en-us/azure/iot-central/core/concepts-get-connected https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-central/core/concepts-get-connected.md
@@ -1,8 +1,8 @@
Title: Device connectivity in Azure IoT Central | Microsoft Docs description: This article introduces key concepts relating to device connectivity in Azure IoT Central--++ Last updated 1/15/2020
@@ -227,12 +227,9 @@ The Azure Device SDKs offer the easiest way for you implement your device code.
All device communication with IoT Hub uses the following IoT Hub connectivity options: - [Device-to-cloud messaging](../../iot-hub/iot-hub-devguide-messages-d2c.md)-- [Cloud-to-Device messaging](../../iot-hub/iot-hub-csharp-csharp-c2d.md)
+- [Cloud-to-device messaging](../../iot-hub/iot-hub-devguide-messages-c2d.md)
- [Device twins](../../iot-hub/iot-hub-devguide-device-twins.md)
-> [!NOTE]
-> Azure now supports
- The following table summarizes how Azure IoT Central device features map on to IoT Hub features: | Azure IoT Central | Azure IoT Hub |
iot-hub https://docs.microsoft.com/en-us/azure/iot-hub/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure IoT Hub description: Lists Azure Policy built-in policy definitions for Azure IoT Hub. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
iot-hub https://docs.microsoft.com/en-us/azure/iot-hub/quickstart-control-device-android https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/quickstart-control-device-android.md
@@ -84,7 +84,7 @@ You also need a _service connection string_ to enable the back-end service appli
**YourIoTHubName**: Replace this placeholder below with the name you chose for your IoT hub. ```azurecli-interactive
-az iot hub show-connection-string --policy-name service --name {YourIoTHubName} --output table
+az iot hub connection-string show --policy-name service --name {YourIoTHubName} --output table
``` Make a note of the service connection string, which looks like:
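Review bot: `az iot hub connection-string show` on the `+` line is provided by the azure-iot CLI extension, whereas the `show-connection-string` it replaces was the deprecated core-CLI command, so readers who have not installed or updated the extension will hit an unrecognized-command error at this step; add a prerequisite line such as `az extension add --name azure-iot` (or `az extension update --name azure-iot`) ahead of the command block. Note also that this command prints the `service` policy's shared access key in the clear via `--output table`, so the "Make a note of" sentence should remind readers to treat the string as a secret rather than pasting it into source control.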
iot-hub https://docs.microsoft.com/en-us/azure/iot-hub/quickstart-control-device-dotnet https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/quickstart-control-device-dotnet.md
@@ -91,7 +91,7 @@ A device must be registered with your IoT hub before it can connect. In this qui
You also need your IoT hub _service connection string_ to enable the service application to connect to the hub and retrieve the messages. The following command retrieves the service connection string for your IoT hub: ```azurecli-interactive
-az iot hub show-connection-string --policy-name service --name {YourIoTHubName} --output table
+az iot hub connection-string show --policy-name service --name {YourIoTHubName} --output table
``` Make a note of the service connection string, which looks like:
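Review bot: this is the same one-line rename (`show-connection-string` to `connection-string show`) applied separately to the Android, .NET, Java, Node and Python quickstarts in this change set; consider moving the "retrieve the service connection string" command block into a shared include so the next CLI rename is a single edit instead of five, and so the azure-iot extension prerequisite only has to be stated once.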
iot-hub https://docs.microsoft.com/en-us/azure/iot-hub/quickstart-control-device-java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/quickstart-control-device-java.md
@@ -94,7 +94,7 @@ You also need a _service connection string_ to enable the back-end application t
**YourIoTHubName**: Replace this placeholder below with the name you chose for your IoT hub. ```azurecli-interactive
-az iot hub show-connection-string --policy-name service --name {YourIoTHubName} --output table
+az iot hub connection-string show --policy-name service --name {YourIoTHubName} --output table
``` Make a note of the service connection string, which looks like:
iot-hub https://docs.microsoft.com/en-us/azure/iot-hub/quickstart-control-device-node https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/quickstart-control-device-node.md
@@ -84,7 +84,7 @@ A device must be registered with your IoT hub before it can connect. In this qui
**YourIoTHubName**: Replace this placeholder below with the name you chose for your IoT hub. ```azurecli-interactive
- az iot hub show-connection-string \
+ az iot hub connection-string show \
--policy-name service --name {YourIoTHubName} --output table ```
iot-hub https://docs.microsoft.com/en-us/azure/iot-hub/quickstart-control-device-python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/quickstart-control-device-python.md
@@ -74,7 +74,7 @@ A device must be registered with your IoT hub before it can connect. In this qui
**YourIoTHubName**: Replace this placeholder below with the name you choose for your IoT hub. ```azurecli-interactive
- az iot hub show-connection-string \
+ az iot hub connection-string show \
--policy-name service \ --name {YourIoTHubName} \ --output table
iot-hub https://docs.microsoft.com/en-us/azure/iot-hub/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure IoT Hub description: Lists Azure Policy Regulatory Compliance controls available for Azure IoT Hub. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/25/2021 Last updated : 01/29/2021
iot-hub https://docs.microsoft.com/en-us/azure/iot-hub/tutorial-connectivity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/iot-hub/tutorial-connectivity.md
@@ -166,7 +166,7 @@ After a device connects, it typically tries to send telemetry to your IoT hub. T
First, retrieve the current connection string for your simulated device using the following command: ```azurecli-interactive
-az iot hub device-identity show-connection-string --device-id MyTestDevice --output table --hub-name {YourIoTHubName}
+az iot hub device-identity connection-string show --device-id MyTestDevice --output table --hub-name {YourIoTHubName}
``` To run a simulated device that sends messages, navigate to the **iot-hub\Tutorials\ConnectivityTests** folder in the code you downloaded.
key-vault https://docs.microsoft.com/en-us/azure/key-vault/certificates/quick-create-cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/key-vault/certificates/quick-create-cli.md
@@ -1,17 +1,17 @@
Title: 'Quickstart: Set & view Azure Key Vault certificates ΓÇô Azure CLI'
+ Title: Quickstart - Set & view Azure Key Vault certificates with Azure CLI
description: Quickstart showing how to set and retrieve a certificate from Azure Key Vault using Azure CLI - tags: azure-resource-manager Previously updated : 09/03/2019 Last updated : 01/27/2021 + #Customer intent:As a security admin who is new to Azure, I want to use Key Vault to securely store keys and passwords in Azure # Quickstart: Set and retrieve a certificate from Azure Key Vault using Azure CLI
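Review bot: the newly added `#Customer intent` line says "I want to use Key Vault to securely store keys and passwords", but this article is the certificates quickstart (title and description both say "Set & view Azure Key Vault certificates"); reword the intent to match, otherwise it looks copied from the keys or secrets quickstart. The title change itself is good: the old title carried a mis-encoded en dash ("ΓÇô") that the new "Quickstart - Set & view ..." form avoids.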
@@ -26,30 +26,11 @@ In this quickstart, you create a key vault in Azure Key Vault with Azure CLI. Az
## Create a resource group
-A resource group is a logical container into which Azure resources are deployed and managed. The following example creates a resource group named *ContosoResourceGroup* in the *eastus* location.
-
-```azurecli
-az group create --name "ContosoResourceGroup" --location eastus
-```
-
-## Create a Key Vault
-
-Next you will create a Key Vault in the resource group created in the previous step. You will need to provide some information:
--- For this quickstart we use **Contoso-vault2**. You must provide a unique name in your testing.-- Resource group name **ContosoResourceGroup**.-- The location **East US**.
+[!INCLUDE [Create a resource group](../../../includes/key-vault-cli-rg-creation.md)]
-```azurecli
-az keyvault create --name "Contoso-Vault2" --resource-group "ContosoResourceGroup" --location eastus
-```
-
-The output of this cmdlet shows properties of the newly created Key Vault. Take note of the two properties listed below:
--- **Vault Name**: In the example, this is **Contoso-Vault2**. You will use this name for other Key Vault commands.-- **Vault URI**: In the example, this is https://contoso-vault2.vault.azure.net/. Applications that use your vault through its REST API must use this URI.
+## Create a key vault
-At this point, your Azure account is the only one authorized to perform any operations on this new vault.
+[!INCLUDE [Create a key vault](../../../includes/key-vault-cli-kv-creation.md)]
## Add a certificate to Key Vault
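Review bot: the `-` lines removed here contain two facts a security reader relies on that the include replacing them must still state: "At this point, your Azure account is the only one authorized to perform any operations on this new vault." and the note that applications must use the Vault URI (`https://contoso-vault2.vault.azure.net/`) to reach the vault through its REST API. Please confirm `key-vault-cli-kv-creation.md` carries both, and that it introduces the `<your-unique-keyvault-name>` placeholder the later `az keyvault certificate` commands in this file now use, since the fixed `Contoso-Vault2` name that tied the steps together is gone.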
@@ -58,33 +39,28 @@ To add a certificate to the vault, you just need to take a couple of additional
Type the commands below to create a self-signed certificate with default policy called **ExampleCertificate** : ```azurecli
-az keyvault certificate create --vault-name "Contoso-Vault2" -n ExampleCertificate -p "$(az keyvault certificate get-default-policy)"
+az keyvault certificate create --vault-name "<your-unique-keyvault-name>" -n ExampleCertificate -p "$(az keyvault certificate get-default-policy)"
```
-You can now reference this certificate that you added to Azure Key Vault by using its URI. Use **'https://Contoso-Vault2.vault.azure.net/certificates/ExampleCertificate'** to get the current version.
+You can now reference this certificate that you added to Azure Key Vault by using its URI. Use **'https://<your-unique-keyvault-name>.vault.azure.net/certificates/ExampleCertificate'** to get the current version.
To view previously stored certificate: ```azurecli
-az keyvault certificate show --name "ExampleCertificate" --vault-name "Contoso-Vault2"
+az keyvault certificate show --name "ExampleCertificate" --vault-name "<your-unique-keyvault-name>"
``` Now, you have created a Key Vault, stored a certificate, and retrieved it. ## Clean up resources
-Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you may wish to leave these resources in place.
-When no longer needed, you can use the [az group delete](/cli/azure/group) command to remove the resource group, and all related resources. You can delete the resources as follows:
-
-```azurecli
-az group delete --name ContosoResourceGroup
-```
+[!INCLUDE [Create a key vault](../../../includes/key-vault-cli-delete-resources.md)]
## Next steps In this quickstart you created a Key Vault and stored a certificate in it. To learn more about Key Vault and how to integrate it with your applications, continue on to the articles below. - Read an [Overview of Azure Key Vault](../general/overview.md)-- See the reference for the [Azure CLI az keyvault commands](/cli/azure/keyvault?view=azure-cli-latest)
+- See the reference for the [Azure CLI az keyvault commands](/cli/azure/keyvault)
- Review the [Key Vault security overview](../general/security-overview.md)
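Review bot: the include label on the cleanup line is a copy-paste slip: `[!INCLUDE [Create a key vault](../../../includes/key-vault-cli-delete-resources.md)]` pulls the delete-resources snippet but is labelled "Create a key vault"; rename the label to "Delete resources" or similar. Also, the certificate URI on the `+` line is written as `**'https://<your-unique-keyvault-name>.vault.azure.net/certificates/ExampleCertificate'**`; inside bold text a markdown renderer may treat `<your-unique-keyvault-name>` as an HTML tag and drop it, so put the URI in backticks instead. Finally, the removed cleanup paragraph told readers that later quickstarts build on this one and that they may want to keep the resources; check that the delete-resources include preserves that warning.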
key-vault https://docs.microsoft.com/en-us/azure/key-vault/certificates/quick-create-powershell https://github.