Updates from: 10/12/2023 01:39:35
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory Define Conditional Rules For Provisioning User Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md
Scoping filters are configured as part of the attribute mappings for each Micros
::: zone pivot="app-provisioning"
-5. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Synchronize Microsoft Entra Users to ServiceNow".
+5. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Synchronize Microsoft Entra users to ServiceNow".
::: zone-end ::: zone pivot="cross-tenant-synchronization"
-5. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Provision Microsoft Entra Users".
+5. In the **Mappings** section, select the mapping that you want to configure a scoping filter for: for example, "Provision Microsoft Entra users".
::: zone-end
active-directory Inbound Provisioning Api Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-issues.md
There's a user provisioning failure. The provisioning logs displays the error co
3. Copy and paste this expression into the expression box: ```Join("", Replace([userName], , "(?<Suffix>@(.)*)", "Suffix", "", , ), RandomString(3, 3, 0, 0, 0, ), "@", DefaultDomain())```
-This expression fixes the issue by appending a random number to the UPN value accepted by Azure AD.
+This expression fixes the issue by appending a random number to the UPN value accepted by Microsoft Entra ID.
### User creation failed - Invalid domain
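Review bot: "appending a random number" is less precise than what the expression on the line above does; it strips everything from the first "@" onward via the `(?<Suffix>@(.)*)` replace, appends a three-character all-digit string from `RandomString(3, 3, 0, 0, 0, )`, and then re-adds "@" followed by `DefaultDomain()`. Suggest spelling that out, for example: "This expression rebuilds the UPN from the prefix of `userName`, a three-digit random suffix, and the tenant's default domain."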
active-directory Inbound Provisioning Api Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/inbound-provisioning-api-powershell.md
PS > CSV2SCIM.ps1 -Path <path-to-csv-file>
> [!NOTE] > The `AttributeMapping` and `ValidateAttributeMapping` command-line parameters refer to the mapping of CSV column attributes to the standard SCIM schema elements.
-It doesn't refer to the attribute mappings that you perform in the Microsoft Entra admin center provisioning app between source SCIM schema elements and target Azure AD/on-premises AD attributes.
+It doesn't refer to the attribute mappings that you perform in the Microsoft Entra admin center provisioning app between source SCIM schema elements and target Microsoft Entra / on-premises Active Directory attributes.
| Parameter | Description | Processing remarks | |-|-|--|
active-directory Insufficient Access Rights Error Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/insufficient-access-rights-error-troubleshooting.md
Expression $dsaclsCMD | Out-Null
``` If the Cx needs more help on troubleshooting on-premises AD permissions, engage Windows Server Support team.
-This article on [AdminSDHolder issues with Azure AD Connect](https://c7solutions.com/2017/03/administrators-aadconnect-and-adminsdholder-issues) has more examples on DSACLS usage.
+This article on [AdminSDHolder issues with Microsoft Entra Connect](https://c7solutions.com/2017/03/administrators-aadconnect-and-adminsdholder-issues) has more examples on DSACLS usage.
**Option 3: Assign full control to provAgentgMSA account**
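Review bot: the renamed link text no longer matches the cited third-party article, whose URL slug still reads "administrators-aadconnect-and-adminsdholder-issues"; an external citation should keep the source's own title rather than be swept up in the product rename. Also "If the Cx needs more help" uses support shorthand that readers of public docs may not recognize; suggest "If the customer needs more help".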
active-directory On Premises Application Provisioning Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md
You can also check whether all the required ports are open.
- Microsoft Entra Connect Provisioning Agent Package ## Provisioning agent history
-This article lists the versions and features of Microsoft Entra Connect Provisioning Agent that have been released. The Microsoft Entra ID team regularly updates the Provisioning Agent with new features and functionality. Please ensure that you do not use the same agent for on-premises provisioning and Cloud Sync / HR-driven provisioning.
+This article lists the versions and features of Microsoft Entra Connect Provisioning Agent that have been released. The Microsoft Entra team regularly updates the Provisioning Agent with new features and functionality. Please ensure that you do not use the same agent for on-premises provisioning and Cloud Sync / HR-driven provisioning.
Microsoft provides direct support for the latest agent version and one version before.
active-directory Partner Driven Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/partner-driven-integrations.md
If your line-of-business application supports the [SCIM](https://aka.ms/scimover
Many new applications use Microsoft Graph to retrieve users, groups and other resources from Microsoft Entra ID. You can learn more about what scenarios to use [SCIM and Graph](scim-graph-scenarios.md) in. **Option 4 - Use partner-driven connectors:**
-In cases where an application doesn't support SCIM, partners have built [custom ECMA connectors](on-premises-custom-connector.md) and SCIM gateways to integrate Microsoft Entra ID with numerous applications. **This document serves as a place for partners to attest to integrations that are compatible with Azure Active Directory, and for customers to discover these partner-driven integrations.** Custom ECMA connectors and SCIM gateways are built, maintained, and owned by the third-party vendor.
+In cases where an application doesn't support SCIM, partners have built [custom ECMA connectors](on-premises-custom-connector.md) and SCIM gateways to integrate Microsoft Entra ID with numerous applications. **This document serves as a place for partners to attest to integrations that are compatible with Microsoft Entra ID, and for customers to discover these partner-driven integrations.** Custom ECMA connectors and SCIM gateways are built, maintained, and owned by the third-party vendor.
[![Diagram showing gateways between the Microsoft Entra SCIM client and target applications.](media/partner-driven-integrations/partner-driven-connectors-1.png)](media/partner-driven-integrations/partner-driven-connectors-1.png#lightbox)
active-directory Plan Auto User Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-auto-user-provisioning.md
Refer to the following links to troubleshoot any issues that may turn up during
* [Writing expressions for attribute mappings](../app-provisioning/functions-for-customizing-application-data.md)
-* [Azure AD synchronization API overview](/graph/api/resources/synchronization-overview)
+* [Microsoft Entra synchronization API overview](/graph/api/resources/synchronization-overview)
* [Skip deletion of user accounts that go out of scope](skip-out-of-scope-deletions.md)
active-directory Plan Cloud Hr Provision https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/plan-cloud-hr-provision.md
To troubleshoot any issues that might turn up during provisioning, see the follo
### Next steps - [Writing expressions for attribute mappings](functions-for-customizing-application-data.md)-- [Azure AD synchronization API overview](/graph/api/resources/synchronization-overview)
+- [Microsoft Entra synchronization API overview](/graph/api/resources/synchronization-overview)
- [Skip deletion of user accounts that go out of scope](skip-out-of-scope-deletions.md) - [Microsoft Entra Connect Provisioning Agent: Version release history](provisioning-agent-release-version-history.md)
active-directory Sap Successfactors Integration Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/sap-successfactors-integration-reference.md
Based on the attribute-mapping, during full sync Microsoft Entra provisioning se
> [!NOTE] > During the full initial sync, both active and terminated workers from SAP SuccessFactors are fetched.
-For each SuccessFactors user, the provisioning service looks for an account in the target (Azure AD/on-premises Active Directory) using the matching attribute defined in the mapping. For example: if *personIdExternal* maps to *employeeId* and is set as the matching attribute, then the provisioning service uses the *personIdExternal* value to search for the user with *employeeId* filter. If a user match is found, then it updates the target attributes. If no match is found, then it creates a new entry in the target.
+For each SuccessFactors user, the provisioning service looks for an account in the target (Microsoft Entra ID / on-premises Active Directory) using the matching attribute defined in the mapping. For example: if *personIdExternal* maps to *employeeId* and is set as the matching attribute, then the provisioning service uses the *personIdExternal* value to search for the user with *employeeId* filter. If a user match is found, then it updates the target attributes. If no match is found, then it creates a new entry in the target.
To validate the data returned by your OData API endpoint for a specific `personIdExternal`, update the `SuccessFactorsAPIEndpoint` in the API query with your API data center server URL and use a tool like [Postman](https://www.postman.com/downloads/) to invoke the query. If the "in" filter doesn't work, you can try the "eq" filter.
active-directory Use Scim To Provision Users And Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md
To automate provisioning to an application, it requires building and integrating
1. [Optional] [Publish your application to the Microsoft Entra application gallery](#publish-your-application-to-the-azure-ad-application-gallery) - Make it easy for customers to discover your application and easily configure provisioning.
-![Diagram that shows the required steps for integrating a SCIM endpoint with Azure AD.](media/use-scim-to-provision-users-and-groups/process.png)
+![Diagram that shows the required steps for integrating a SCIM endpoint with Microsoft Entra ID.](media/use-scim-to-provision-users-and-groups/process.png)
## Design your user and group schema
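Review bot: the diagram alt text is updated, but the list item two lines above still links to `#publish-your-application-to-the-azure-ad-application-gallery` while its link text reads "Microsoft Entra application gallery". If that heading was renamed as part of this pass, the old slug will no longer resolve; please verify the target heading id and update the anchor in the same change.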
active-directory Workday Integration Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/workday-integration-reference.md
Microsoft Entra provisioning service processes each page and iterates through th
For each worker entry imported from Workday: * The [XPATH expression](workday-attribute-reference.md) is applied to retrieve attribute values from Workday. * The attribute mapping and matching rules are applied and
-* The service determines what operation to perform in the target (Azure AD/AD).
+* The service determines what operation to perform in the target (Microsoft Entra ID / Active Directory).
Once the processing is complete, it saves the timestamp associated with the start of full sync as a watermark. This watermark serves as the starting point for the incremental sync cycle.
active-directory Application Proxy Connector Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-connector-groups.md
There are two different approaches you can take with a disaster recovery (DR) si
### Serve multiple companies from a single tenant
-There are many different ways to implement a model in which a single service provider deploys and maintains Microsoft Entra ID related services for multiple companies. Connector groups help the admin segregate the connectors and applications into different groups. One way, which is suitable for small companies, is to have a single Microsoft Entra tenant while the different companies have their own domain name and networks. This is also true for M&A scenarios and situations where a single IT division serves several companies for regulatory or business reasons.
+There are many different ways to implement a model in which a single service provider deploys and maintains Microsoft Entra related services for multiple companies. Connector groups help the admin segregate the connectors and applications into different groups. One way, which is suitable for small companies, is to have a single Microsoft Entra tenant while the different companies have their own domain name and networks. This is also true for M&A scenarios and situations where a single IT division serves several companies for regulatory or business reasons.
## Sample configurations
active-directory Application Proxy Page Links Broken Problem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-page-links-broken-problem.md
There are three ways to resolve this issue. The choices below are in listed in i
If you change the internal URL but donΓÇÖt want to change the landing page for users, change the Home page URL to the previously published internal URL. This can be done by navigating to **Microsoft Entra ID** > **App Registrations** and selecting the application **Branding**. In the branding section, you see the field **Home Page URL**, which you can adjust to be the desired landing page. If you are still using the legacy App registrations experience the properties tab would show the **Home Page URL** details. > [!IMPORTANT]
- > In order to make the above changes you require rights to modify application objects in Azure AD.The user needs to be assigned [Application Administrator](../roles/delegate-app-roles.md#assign-built-in-application-admin-roles) role which grants application modification rights in Microsoft Entra ID to the user.
+ > In order to make the above changes you require rights to modify application objects in Microsoft Entra ID. The user needs to be assigned [Application Administrator](../roles/delegate-app-roles.md#assign-built-in-application-admin-roles) role which grants application modification rights in Microsoft Entra ID to the user.
2. If your applications use fully qualified domain names (FQDNs), use [custom domains](application-proxy-configure-custom-domain.md) to publish your applications. This feature allows the same URL to be used both internally and externally.
active-directory Application Proxy Powershell Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-proxy/application-proxy-powershell-samples.md
# Microsoft Entra application proxy PowerShell examples
-The following table includes links to PowerShell script examples for Microsoft Entra application proxy. These samples require either the [Microsoft Entra V2 PowerShell for Graph module](/powershell/azure/active-directory/install-adv2) or the [Microsoft Entra V2 PowerShell for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true), unless otherwise noted.
+The following table includes links to PowerShell script examples for Microsoft Entra application proxy. These samples require either the [Azure Active Directory PowerShell 2.0 for Graph module](/powershell/azure/active-directory/install-adv2) or the [Azure Active Directory PowerShell 2.0 for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true), unless otherwise noted.
For more information about the cmdlets used in these samples, see [Application Proxy Application Management](/powershell/module/azuread/#application_proxy_application_management) and [Application Proxy Connector Management](/powershell/module/azuread/#application_proxy_connector_management).
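Review bot: restoring "Azure Active Directory PowerShell 2.0 for Graph module" is the right call; the module is the `AzureAD` module, as the `/powershell/module/azuread/` cmdlet reference on the following line and the `install-adv2` path confirm, so the earlier "Microsoft Entra V2 PowerShell for Graph module" name pointed readers at a module that does not exist under that name. Worth applying the same check to the other renamed-module mentions in this article so the two stay consistent.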
For more information about the cmdlets used in these samples, see [Application P
| [List basic information for all Application Proxy apps](scripts/powershell-get-all-app-proxy-apps-basic.md) | Lists basic information (AppId, DisplayName, ObjId) about all the Application Proxy apps in your directory. | | [List extended information for all Application Proxy apps](scripts/powershell-get-all-app-proxy-apps-extended.md) | Lists extended information (AppId, DisplayName, ExternalUrl, InternalUrl, ExternalAuthenticationType) about all the Application Proxy apps in your directory. | | [List all Application Proxy apps by connector group](scripts/powershell-get-all-app-proxy-apps-by-connector-group.md) | Lists information about all the Application Proxy apps in your directory and which connector groups the apps are assigned to. |
-| [Get all Application Proxy apps with a token lifetime policy](scripts/powershell-get-all-app-proxy-apps-with-policy.md) | Lists all Application Proxy apps in your directory with a token lifetime policy and its details. This sample requires the [Microsoft Entra V2 PowerShell for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true). |
+| [Get all Application Proxy apps with a token lifetime policy](scripts/powershell-get-all-app-proxy-apps-with-policy.md) | Lists all Application Proxy apps in your directory with a token lifetime policy and its details. This sample requires the [Azure Active Directory PowerShell 2.0 for Graph module preview version](/powershell/azure/active-directory/install-adv2?view=azureadps-2.0-preview&preserve-view=true). |
|**Connector groups**|| | [Get all connector groups and connectors in the directory](scripts/powershell-get-all-connectors.md) | Lists all the connector groups and connectors in your directory. | | [Move all apps assigned to a connector group to another connector group](scripts/powershell-move-all-apps-to-connector-group.md) | Moves all applications currently assigned to a connector group to a different connector group. |
active-directory 3 Secure Access Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/3-secure-access-plan.md
Generally, organizations customize policy, however consider the following parame
## Access control methods
-Some features, for example entitlement management, are available with a Microsoft Entra ID P1 or P2 2 (P2) license. Microsoft 365 E5 and Office 365 E5 licenses include Microsoft Entra ID P2 licenses. Learn more in the following entitlement management section.
+Some features, for example entitlement management, are available with a Microsoft Entra ID P1 or P2 license. Microsoft 365 E5 and Office 365 E5 licenses include Microsoft Entra ID P2 licenses. Learn more in the following entitlement management section.
> [!NOTE] > Licenses are for one user. Therefore users, administrators, and business owners can have delegated access control. This scenario can occur with Microsoft Entra ID P2 or Microsoft 365 E5, and you don't have to enable licenses for all users. The first 50,000 external users are free. If you don't enable P2 licenses for other internal users, they can't use entitlement management.
active-directory Architecture Icons https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/architecture-icons.md
Title: Microsoft Entra architecture icons
-description: Learn about the official collection of Microsoft Entra icons that you can use in architectural diagrams, training materials, or documentation.
+description: Learn about the official collection of Microsoft Entra ID icons that you can use in architectural diagrams, training materials, or documentation.
Last updated 08/15/2023
-# Customer intent: As a new or existing customer, I want to learn how I can use the official Microsoft Entra icons in architectural diagrams, training materials, or documentation.
+# Customer intent: As a new or existing customer, I want to learn how I can use the official Microsoft Entra ID icons in architectural diagrams, training materials, or documentation.
# Microsoft Entra architecture icons
-Helping our customers design and architect new solutions is core to the Microsoft Entra mission. Architecture diagrams can help communicate design decisions and the relationships between components of a given workload. This article provides information about the official collection of Microsoft Entra icons that you can use in architectural diagrams, training materials, or documentation.
+Helping our customers design and architect new solutions is core to the Microsoft Entra mission. Architecture diagrams can help communicate design decisions and the relationships between components of a given workload. This article provides information about the official collection of Microsoft Entra ID icons that you can use in architectural diagrams, training materials, or documentation.
## General guidelines
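Review bot: this change makes the page inconsistent with itself: the title and H1 still say "Microsoft Entra architecture icons" and the mission sentence says "Microsoft Entra mission", while the description, customer intent and body now say "Microsoft Entra ID icons". Pick one form (the title's "Microsoft Entra" reads as the family name, which fits an icon set that spans more than one service) and use it throughout.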
active-directory Auth Ldap https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/auth-ldap.md
There is a need to for an application or service to use LDAP authentication.
## Implement LDAP authentication with Microsoft Entra ID
-* [Create and configure a Microsoft Entra DS instance](../../active-directory-domain-services/tutorial-create-instance.md)
+* [Create and configure a Microsoft Entra Domain Services instance](../../active-directory-domain-services/tutorial-create-instance.md)
-* [Configure virtual networking for a Microsoft Entra DS instance](../../active-directory-domain-services/tutorial-configure-networking.md)
+* [Configure virtual networking for a Microsoft Entra Domain Services instance](../../active-directory-domain-services/tutorial-configure-networking.md)
-* [Configure Secure LDAP for a Microsoft Entra DS managed domain](../../active-directory-domain-services/tutorial-configure-ldaps.md)
+* [Configure Secure LDAP for a Microsoft Entra Domain Services managed domain](../../active-directory-domain-services/tutorial-configure-ldaps.md)
-* [Create an outbound forest trust to an on-premises domain in Microsoft Entra DS](../../active-directory-domain-services/tutorial-create-forest-trust.md)
+* [Create an outbound forest trust to an on-premises domain in Microsoft Entra Domain Services](../../active-directory-domain-services/tutorial-create-forest-trust.md)
active-directory Auth Prov Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/auth-prov-overview.md
Title: Azure Active Directory synchronization protocol overview
+ Title: Microsoft Entra synchronization protocol overview
description: Architectural guidance on integrating Microsoft Entra ID with legacy synchronization protocols
active-directory Backup Authentication System https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/backup-authentication-system.md
The backup authentication system is supported in all cloud environments except M
| Ceridian Dayforce HCM | No | SAML SP-initiated | | Cisco AnyConnect | No | SAML SP-initiated | | Cisco Webex | No | SAML SP-initiated |
-| Citrix ADC SAML Connector forAzure AD | No | SAML SP-initiated |
+| Citrix ADC SAML Connector for Azure AD | No | SAML SP-initiated |
| Clever | No | SAML SP-initiated | | Cloud Drive Mapper | Yes | Protected | | Cornerstone Single Sign-on | No | SAML SP-initiated |
active-directory Govern Service Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/govern-service-accounts.md
Regularly review service account permissions and accessed scopes to see if they
* See, [Get-AzureADServicePrincipalOAuth2PermissionGrant](/powershell/module/azuread/get-azureadserviceprincipaloauth2permissiongrant) * [Script to list all delegated permissions and application permissions in Microsoft Entra ID](https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09) scopes for service account
-* See, [Azure AD/AzureADAssessment](https://github.com/AzureAD/AzureADAssessment) and confirm validity
+* See, [`AzureADAssessment`](https://github.com/AzureAD/AzureADAssessment) and confirm validity
* Don't set service principal credentials to **Never expire** * Use certificates or credentials stored in Azure Key Vault, when possible * [What is Azure Key Vault?](../../key-vault/general/basic-concepts.md)
-The free PowerShell sample collects service principal OAuth2 grants and credential information, records them in a comma-separated values (CSV) file, and a Power BI sample dashboard. For more information, see [Azure AD/AzureADAssessment](https://github.com/AzureAD/AzureADAssessment).
+The free PowerShell sample collects service principal OAuth2 grants and credential information, records them in a comma-separated values (CSV) file, and a Power BI sample dashboard. For more information, see [`AzureADAssessment`](https://github.com/AzureAD/AzureADAssessment).
### Recertify service account use
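Review bot: the last sentence of the changed paragraph mixes verbs and nouns: "collects ... records them in a ... (CSV) file, and a Power BI sample dashboard" reads as if the dashboard were also being recorded into. Suggest "records them in a comma-separated values (CSV) file, and provides a Power BI sample dashboard". The link-text change itself is fine and matches the repository name.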
active-directory Monitor Sign In Health For Resilience https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/monitor-sign-in-health-for-resilience.md
During an impacting event, two things may happen:
- A Microsoft Entra tenant. - A user with global administrator or security administrator role for the Microsoft Entra tenant. - A Log Analytics workspace in your Azure subscription to send logs to Azure Monitor logs. Learn how to [create a Log Analytics workspace](../../azure-monitor/logs/quick-create-workspace.md).-- Microsoft Entra ID logs integrated with Azure Monitor logs. Learn how to [Integrate Microsoft Entra sign-in logs with Azure Monitor Stream.](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)
+- Microsoft Entra logs integrated with Azure Monitor logs. Learn how to [Integrate Microsoft Entra sign-in logs with Azure Monitor Stream.](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)
## Configure the App sign-in health workbook
active-directory Multilateral Federation Solution One https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/multilateral-federation-solution-one.md
Here are some of the advantages of implementing Microsoft Entra ID with Cirrus B
* This solution is the only architecture that enables you to configure granular Microsoft Entra Conditional Access for both multilateral federation apps and CAS apps.
-* **Use of other Microsoft Entra ID-related solutions for all apps**
+* **Use of other Microsoft Entra related solutions for all apps**
* You can use Intune and Microsoft Entra join for device management.
active-directory Ops Guide Auth https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/ops-guide-auth.md
Having access to sign-in activity, audits and risk events for Microsoft Entra ID
#### Logs recommended reading -- [Microsoft Entra ID audit API reference](/graph/api/resources/directoryaudit)
+- [Microsoft Entra audit API reference](/graph/api/resources/directoryaudit)
- [Microsoft Entra sign-in activity report API reference](/graph/api/resources/signin) - [Get data using the Microsoft Entra reporting API with certificates](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md) - [Microsoft Graph for Microsoft Entra ID Protection](../identity-protection/howto-identity-protection-graph-api.md)
active-directory Parallel Identity Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/parallel-identity-options.md
If the customer chooses to keep some or all Litware's identity infrastructure, t
- Scenario A - Don't use *any* of Litware's identity infrastructure. - Scenario B - Use Litware's Active Directory forests, but not Litware's Microsoft Entra ID (if they've one) - Scenario C - Use Litware's Microsoft Entra ID.-- Scenario D - Use Litware's non-Microsoft identity infrastructure (if Litware isn't using Active Directory/Azure AD)
+- Scenario D - Use Litware's non-Microsoft identity infrastructure (if Litware isn't using Active Directory / Microsoft Entra ID)
The following table summarizes each option with the technologies for how the customer could achieve those outcomes, the constraints, and benefits of each.
active-directory Protect M365 From On Premises Attacks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/protect-m365-from-on-premises-attacks.md
On-premises accounts synced from Active Directory are marked to never expire in
We recommend the following provisioning methods: -- **Provision from cloud HR apps to Azure AD.** This provisioning enables an on-premises compromise to be isolated. This isolation doesn't disrupt your joiner-mover-leaver cycle from your cloud HR apps to Microsoft Entra ID.
+- **Provision from cloud HR apps to Microsoft Entra ID.** This provisioning enables an on-premises compromise to be isolated. This isolation doesn't disrupt your joiner-mover-leaver cycle from your cloud HR apps to Microsoft Entra ID.
- **Cloud applications.** Where possible, deploy Microsoft Entra app provisioning as opposed to on-premises provisioning solutions. This method protects some of your software as a service (SaaS) apps from malicious hacker profiles in on-premises breaches. For more information, see [What is app provisioning in Microsoft Entra ID](../app-provisioning/user-provisioning.md). - **External identities.** Use Microsoft Entra B2B collaboration to reduce the dependency on on-premises accounts for external collaboration with partners, customers, and suppliers. Carefully evaluate any direct federation with other identity providers. For more information, see [B2B collaboration overview](../external-identities/what-is-b2b.md).
Monitor the following key scenarios, in addition to any scenarios specific to yo
- **Suspicious activity**
- Monitor all Microsoft Entra ID risk events for suspicious activity. See [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md). Microsoft Entra ID Protection is natively integrated with [Microsoft Defender for Identity](/defender-for-identity/what-is).
+ Monitor all Microsoft Entra risk events for suspicious activity. See [How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md). Microsoft Entra ID Protection is natively integrated with [Microsoft Defender for Identity](/defender-for-identity/what-is).
Define network named locations to avoid noisy detections on location-based signals. See [Using the location condition in a Conditional Access policy](../conditional-access/location-condition.md).
active-directory Road To The Cloud Migrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/road-to-the-cloud-migrate.md
After you move SaaS applications that were federated to Microsoft Entra ID, ther
* [Move application authentication to Microsoft Entra ID](../manage-apps/migrate-adfs-apps-stages.md)
-* [Migrate from Microsoft Entra multifactor authentication Server to Microsoft Entra multifactor authentication](../authentication/how-to-migrate-mfa-server-to-azure-mfa.md)
+* [Migrate from Azure Multi-Factor Authentication Server to Microsoft Entra multifactor authentication](../authentication/how-to-migrate-mfa-server-to-azure-mfa.md)
* [Migrate from federation to cloud authentication](../hybrid/connect/migrate-from-federation-to-cloud-authentication.md)
In terms of infrastructure management, on-premises environments often use a comb
Active Directory is for on-premises IT environments, and Microsoft Entra ID is for cloud-based IT environments. One-to-one parity of features isn't present here, so you can manage application servers in several ways.
-For example, Azure Arc helps bring many of the features that exist in Active Directory together into a single view when you use Microsoft Entra ID for identity and access management (IAM). You can also use Microsoft Entra Domain Services (Microsoft Entra DS) to domain-join servers in Microsoft Entra ID, especially when you want those servers to use GPOs for specific business or technical reasons.
+For example, Azure Arc helps bring many of the features that exist in Active Directory together into a single view when you use Microsoft Entra ID for identity and access management (IAM). You can also use Microsoft Entra Domain Services to domain-join servers in Microsoft Entra ID, especially when you want those servers to use GPOs for specific business or technical reasons.
Use the following table to determine what Azure-based tools you can use to replace the on-premises environment:
Here's more information that you can use for application server management:
* [Manage and secure your Azure VM environment](https://azure.microsoft.com/services/virtual-machines/secure-well-managed-iaas/).
-* If you must wait to migrate or perform a partial migration, you can use GPOs with [Microsoft Entra DS](https://azure.microsoft.com/services/active-directory-ds/).
+* If you must wait to migrate or perform a partial migration, you can use GPOs with [Microsoft Entra Domain Services](https://azure.microsoft.com/services/active-directory-ds/).
-If you require management of application servers with Microsoft Configuration Manager, you can't achieve this requirement by using Microsoft Entra DS. Microsoft Configuration Manager isn't supported to run in a Microsoft Entra DS environment. Instead, you need to extend your on-premises Active Directory instance to a domain controller running on an Azure VM. Or, you need to deploy a new Active Directory instance to an Azure IaaS virtual network.
+If you require management of application servers with Microsoft Configuration Manager, you can't achieve this requirement by using Microsoft Entra Domain Services. Microsoft Configuration Manager isn't supported to run in a Microsoft Entra Domain Services environment. Instead, you need to extend your on-premises Active Directory instance to a domain controller running on an Azure VM. Or, you need to deploy a new Active Directory instance to an Azure IaaS virtual network.
### Define the migration strategy for legacy applications
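Review bot: "domain-join servers in Microsoft Entra ID" in the rewritten Azure Arc sentence is imprecise and this rename pass is the right moment to fix it: the servers are joined to the managed domain that Microsoft Entra Domain Services provides, not to Microsoft Entra ID itself, and that managed domain is what makes GPOs available. Suggest "to domain-join servers to a Microsoft Entra Domain Services managed domain". In the Configuration Manager paragraph, the two fallbacks (extend on-premises Active Directory to a domain controller on an Azure VM, or deploy a new Active Directory instance in an Azure IaaS virtual network) are offered without their security consequence: extending the existing forest places a writable domain controller, and with it the forest's credential material, inside the IaaS network, so that network then has to be protected as Tier 0. A sentence saying so belongs next to the recommendation. Style: "Microsoft Entra Domain Services" now appears three times in two sentences; the second and third can become "it" and "that environment".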
To reduce or eliminate those dependencies, you have three main approaches.
In the most preferred approach, you undertake projects to migrate from legacy applications to SaaS alternatives that use modern authentication. Have the SaaS alternatives authenticate to Microsoft Entra ID directly:
-1. Deploy Microsoft Entra DS into an Azure virtual network and [extend the schema](/azure/active-directory-domain-services/concepts-custom-attributes) to incorporate additional attributes needed by the applications.
+1. Deploy Microsoft Entra Domain Services into an Azure virtual network and [extend the schema](/azure/active-directory-domain-services/concepts-custom-attributes) to incorporate additional attributes needed by the applications.
-2. Lift and shift legacy apps to VMs on the Azure virtual network that are domain-joined to Microsoft Entra DS.
+2. Lift and shift legacy apps to VMs on the Azure virtual network that are domain-joined to Microsoft Entra Domain Services.
3. Publish legacy apps to the cloud by using Microsoft Entra application proxy or a [secure hybrid access](../manage-apps/secure-hybrid-access.md) partner.
-4. As legacy apps retire through attrition, eventually decommission Microsoft Entra DS running in the Azure virtual network.
+4. As legacy apps retire through attrition, eventually decommission Microsoft Entra Domain Services running in the Azure virtual network.
>[!NOTE]
->* Use Microsoft Entra DS if the dependencies are aligned with [common deployment scenarios for Microsoft Entra DS](../../active-directory-domain-services/scenarios.md).
->* To validate if Microsoft Entra DS is a good fit, you might use tools like [Service Map in Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.ServiceMapOMS?tab=Overview) and [automatic dependency mapping with Service Map and Live Maps](https://techcommunity.microsoft.com/t5/system-center-blog/automatic-dependency-mapping-with-service-map-and-live-maps/ba-p/351867).
+>* Use Microsoft Entra Domain Services if the dependencies are aligned with [common deployment scenarios for Microsoft Entra Domain Services](../../active-directory-domain-services/scenarios.md).
+>* To validate if Microsoft Entra Domain Services is a good fit, you might use tools like [Service Map in Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.ServiceMapOMS?tab=Overview) and [automatic dependency mapping with Service Map and Live Maps](https://techcommunity.microsoft.com/t5/system-center-blog/automatic-dependency-mapping-with-service-map-and-live-maps/ba-p/351867).
>* Validate that your SQL Server instantiations can be [migrated to a different domain](https://social.technet.microsoft.com/wiki/contents/articles/24960.migrating-sql-server-to-new-domain.aspx). If your SQL service is running in virtual machines, [use this guidance](/azure/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-individual-databases-guide).
#### Approach 2
This approach enables you to decouple the app from the existing Active Directory
#### Comparison of strategies
-| Strategy | Microsoft Entra DS | Extend Active Directory to IaaS | Independent Active Directory instance in IaaS |
+| Strategy | Microsoft Entra Domain Services | Extend Active Directory to IaaS | Independent Active Directory instance in IaaS |
| - | - | - | - |
| Decoupling from on-premises Active Directory| Yes| No| Yes |
| Allowing schema extensions| No| Yes| Yes |
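Review bot: the comparison table says "Allowing schema extensions | No" for Microsoft Entra Domain Services, while step 1 of the numbered list above tells the reader to deploy Microsoft Entra Domain Services and "[extend the schema]" via the custom-attributes article. Both lines are touched by this rename and they contradict each other as written. Domain Services supports a limited set of custom attributes, not arbitrary schema extensions, so step 1 should say "add the custom attributes needed by the applications" and the table cell could read "Limited (custom attributes only)" instead of a flat "No".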
To simplify your environment, you can use [Microsoft Entra application proxy](..
It's important to mention that enabling remote access to an application by using the preceding technologies is an interim step. You need to do more work to completely decouple the application from Active Directory.
-Microsoft Entra DS allows you to migrate application servers to the cloud IaaS and decouple from Active Directory, while using Microsoft Entra application proxy to enable remote access. To learn more about this scenario, check [Deploy Microsoft Entra application proxy for Microsoft Entra Domain Services](../../active-directory-domain-services/deploy-azure-app-proxy.md).
+Microsoft Entra Domain Services allows you to migrate application servers to the cloud IaaS and decouple from Active Directory, while using Microsoft Entra application proxy to enable remote access. To learn more about this scenario, check [Deploy Microsoft Entra application proxy for Microsoft Entra Domain Services](../../active-directory-domain-services/deploy-azure-app-proxy.md).
## Next steps
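Review bot: "decouple from Active Directory" in the rewritten sentence overstates what Microsoft Entra Domain Services provides. It removes the application servers' dependency on on-premises domain controllers, but the accounts in the managed domain are synchronized from Microsoft Entra ID, and for hybrid users those accounts still originate in on-premises Active Directory through Microsoft Entra Connect, so the identity dependency remains until the source of authority moves. Suggest "decouple the application servers from on-premises domain controllers", which also fits the preceding paragraph's point that remote access through application proxy is an interim step.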
active-directory Road To The Cloud Posture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/road-to-the-cloud-posture.md
In this state:
* Self-service password reset (SSPR) and password protection for users are enabled.
-* Some legacy apps are authenticated in the cloud through Microsoft Entra DS and Application Proxy.
+* Some legacy apps are authenticated in the cloud through Microsoft Entra Domain Services and Application Proxy.
### State 3: Cloud first
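Review bot: "Application Proxy" at the end of the rewritten bullet should be "Microsoft Entra application proxy", the form used in the road-to-the-cloud-migrate changes earlier in this batch. The bullet also says the apps are "authenticated in the cloud through Microsoft Entra Domain Services and Application Proxy"; only Domain Services authenticates them, application proxy publishes them, so "authenticated against Microsoft Entra Domain Services and published through Microsoft Entra application proxy" is the accurate wording.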
active-directory Secure Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/secure-best-practices.md
All hybrid identity infrastructure OS logs should be archived and carefully moni
The following scenarios must be explicitly monitored and investigated:
-* **Suspicious activity** - All [Microsoft Entra ID risk events](../identity-protection/overview-identity-protection.md) should be monitored for suspicious activity. All tenants should define the network [named locations](../conditional-access/location-condition.md) to avoid noisy detections on location-based signals. [Microsoft Entra ID Protection](../identity-protection/overview-identity-protection.md) is natively integrated with Azure Security Center. It's recommended that any risk detection investigation includes all the environments the identity is provisioned (for example, if a human identity has an active risk detection in the corporate tenant, the team operating the customer facing tenant should also investigate the activity of the corresponding account in that environment).
+* **Suspicious activity** - All [Microsoft Entra risk events](../identity-protection/overview-identity-protection.md) should be monitored for suspicious activity. All tenants should define the network [named locations](../conditional-access/location-condition.md) to avoid noisy detections on location-based signals. [Microsoft Entra ID Protection](../identity-protection/overview-identity-protection.md) is natively integrated with Azure Security Center. It's recommended that any risk detection investigation includes all the environments the identity is provisioned (for example, if a human identity has an active risk detection in the corporate tenant, the team operating the customer facing tenant should also investigate the activity of the corresponding account in that environment).
* **User entity behavioral analytics (UEBA) alerts** - UEBA should be used to get insightful information based on anomaly detection. [Microsoft Microsoft 365 Defender for Cloud Apps](https://www.microsoft.com/security/business/siem-and-xdr/microsoft-defender-cloud-apps) provides [UEBA in the cloud](/defender-cloud-apps/tutorial-ueba). Customers can integrate [on-premises UEBA from Microsoft Microsoft 365 Defender for Identity](/defender-cloud-apps/mdi-integration). MCAS reads signals from Microsoft Entra ID Protection.
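Review bot: the rewritten bullet still states that Microsoft Entra ID Protection "is natively integrated with Azure Security Center", a product name that is retired (the service is Microsoft Defender for Cloud), and the change a few entries above in this same batch says the integration is with Microsoft Defender for Identity; the two articles should agree on which product it is. Two smaller points in the same line and the one after it, which this hunk leaves untouched: "all the environments the identity is provisioned" is missing "in", and the UEBA bullet reads "Microsoft Microsoft 365 Defender for Cloud Apps" and "Microsoft Microsoft 365 Defender for Identity" (doubled "Microsoft"; the products are Microsoft Defender for Cloud Apps and Microsoft Defender for Identity) and still uses the old acronym MCAS in its last sentence.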
active-directory Secure Fundamentals https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/secure-fundamentals.md
Microsoft Entra ID also provides a portal and the Microsoft Graph API to allow o
* Applications used to access
-Microsoft Entra ID also provides information on the actions that are being performed within Microsoft Entra ID, and reports on security risks. For more information, see [Microsoft Entra ID reports and monitoring](../reports-monitoring/index.yml).
+Microsoft Entra ID also provides information on the actions that are being performed within Microsoft Entra ID, and reports on security risks. For more information, see [Microsoft Entra reports and monitoring](../reports-monitoring/index.yml).
**Auditing**. Auditing provides traceability through logs for all changes done by specific features within Microsoft Entra ID. Examples of activities found in audit logs include changes made to any resources within Microsoft Entra ID like adding or removing users, apps, groups, roles, and policies. Reporting in Microsoft Entra ID enables you to audit sign-in activities, risky sign-ins, and users flagged for risk. For more information, see [Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md).
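Review bot: the link text becomes "Microsoft Entra reports and monitoring" but the auditing paragraph right after it still sends readers to "Audit activity reports in the Azure portal"; to be consistent with the rename, either name the Microsoft Entra admin center there or drop the portal name from the link text altogether.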
active-directory Secure Resource Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/secure-resource-management.md
Before any resource management request can be executed by Resource Manager, a se
The following diagram summarizes the resource model we just described.
-![Diagram that shows Azure resource management with ARM and Azure AD.](media/secure-resource-management/resource-model.png)
+![Diagram that shows Azure resource management with ARM and Microsoft Entra ID.](media/secure-resource-management/resource-model.png)
**Azure Lighthouse** - [Azure Lighthouse](../../lighthouse/overview.md) enables resource management across tenants. Organizations can delegate roles at the subscription or resource group level to identities in another tenant.
active-directory Security Operations Applications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-applications.md
The log files you use for investigation and monitoring are:
* [Azure Key Vault logs](../../key-vault/general/logging.md)
-From the Azure portal, you can view the Microsoft Entra audit logs and download as comma-separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Microsoft Entra ID logs with other tools, which allow more automation of monitoring and alerting:
+From the Azure portal, you can view the Microsoft Entra audit logs and download as comma-separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Microsoft Entra logs with other tools, which allow more automation of monitoring and alerting:
* **[Microsoft Sentinel](../../sentinel/overview.md)** – enables intelligent security analytics at the enterprise level with security information and event management (SIEM) capabilities.
From the Azure portal, you can view the Microsoft Entra audit logs and download
* **[Azure Monitor](../../azure-monitor/overview.md)** – automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.
-* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md) integrated with a SIEM**- [Microsoft Entra ID logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration.
+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md) integrated with a SIEM**- [Microsoft Entra logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration.
* **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)** – discover and manage apps, govern across apps and resources, and check your cloud apps’ compliance.
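Review bot: "Microsoft Entra logs can be integrated to other SIEMs" in the Event Hubs bullet should read "integrated with other SIEMs"; the rename edit on that line is a good moment to fix the preposition. The bullet should also say that what reaches Event Hubs is only the log categories selected in the Azure Monitor diagnostic setting (audit, interactive and non-interactive sign-in, service principal sign-in, and so on), because a SIEM feed configured for audit logs alone will never see the sign-in based detections in the tables that follow.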
Monitor application authentication using the following formation:
| What to monitor| Risk level| Where| Filter/sub-filter| Notes |
| - | - | - | - | - |
-| Applications that are using the ROPC authentication flow|Medium | Microsoft Entra Sign-ins log|Status=Success<br><br>Authentication Protocol-ROPC| High level of trust is being placed in this application as the credentials can be cached or stored. Move if possible to a more secure authentication flow. This should only be used in automated testing of applications, if at all. For more information, see [Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials](../develop/v2-oauth-ropc.md)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-|Applications using the Device code flow |Low to medium|Microsoft Entra Sign-ins log|Status=Success<br><br>Authentication Protocol-Device Code|Device code flows are used for input constrained devices, which may not be in all environments. If successful device code flows appear, without a need for them, investigate for validity. For more information, see [Microsoft identity platform and the OAuth 2.0 device authorization grant flow](../develop/v2-oauth2-device-code.md)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Applications that are using the ROPC authentication flow|Medium | Microsoft Entra sign-in log|Status=Success<br><br>Authentication Protocol-ROPC| High level of trust is being placed in this application as the credentials can be cached or stored. Move if possible to a more secure authentication flow. This should only be used in automated testing of applications, if at all. For more information, see [Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials](../develop/v2-oauth-ropc.md)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+|Applications using the Device code flow |Low to medium|Microsoft Entra sign-in log|Status=Success<br><br>Authentication Protocol-Device Code|Device code flows are used for input constrained devices, which may not be in all environments. If successful device code flows appear, without a need for them, investigate for validity. For more information, see [Microsoft identity platform and the OAuth 2.0 device authorization grant flow](../develop/v2-oauth2-device-code.md)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
## Application configuration changes
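Review bot: both rows of the application authentication table above filter on "Status=Success", which hides the most common abuse of ROPC, password spraying, where nearly every attempt fails; the ROPC row should also cover failures (a burst of ROPC failures across many accounts from one IP address or application ID). The device code row should add that an unexpected successful device code sign-in is also the signature of device code phishing, where the attacker requests the code and persuades the user to enter it, so "Low to medium" is optimistic for a tenant with no input-constrained devices at all. Both "Sigma rules" links point at the whole rules/cloud/azure directory rather than a specific rule, and the lead-in sentence "using the following formation" should be "information".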
Monitor changes to application configuration. Specifically, configuration change
| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
|-|-|-|-|-|
-| Dangling URI| High| Microsoft Entra ID Logs and Application Registration| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress| For example, look for dangling URIs that point to a domain name that no longer exists or one that you donΓÇÖt explicitly own.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/URLAddedtoApplicationfromUnknownDomain.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |
-| Redirect URI configuration changes| High| Microsoft Entra ID logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress| Look for URIs not using HTTPS*, URIs with wildcards at the end or the domain of the URL, URIs that are NOT unique to the application, URIs that point to a domain you don't control.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ApplicationRedirectURLUpdate.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |
+| Dangling URI| High| Microsoft Entra logs and Application Registration| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress| For example, look for dangling URIs that point to a domain name that no longer exists or one that you donΓÇÖt explicitly own.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/URLAddedtoApplicationfromUnknownDomain.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |
+| Redirect URI configuration changes| High| Microsoft Entra logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress| Look for URIs not using HTTPS*, URIs with wildcards at the end or the domain of the URL, URIs that are NOT unique to the application, URIs that point to a domain you don't control.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ApplicationRedirectURLUpdate.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |
Alert when these changes are detected.
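Review bot: both rows detect a bad redirect URI only at the moment it is added or changed ("Activity: Update Application"); a URI whose domain lapses later never produces an audit event, so the dangling-URI row needs a periodic sweep of every application's registered redirect URIs (the web, spa and publicClient redirectUris collections on the application object in Microsoft Graph) with a DNS resolution check, not just the audit-log alert. Also, "URIs not using HTTPS*" carries an asterisk with no matching footnote in the table; either add the note (presumably the http://localhost exception) or remove the asterisk.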
Alert when these changes are detected.
| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
|-|-|-|-|-|
-| Changes to AppID URI| High| Microsoft Entra ID logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update<br>Application<br>Activity: Update Service principal| Look for any AppID URI modifications, such as adding, modifying, or removing the URI.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ApplicationIDURIChanged.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |
+| Changes to AppID URI| High| Microsoft Entra logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update<br>Application<br>Activity: Update Service principal| Look for any AppID URI modifications, such as adding, modifying, or removing the URI.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ApplicationIDURIChanged.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |
Alert when these changes are detected outside approved change management procedures.
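Review bot: in the Filter/sub-filter cell, "Activity: Update<br>Application" splits the activity name "Update Application" across a line break so it renders as two unrelated items; the other rows keep "Activity: Update Application" on one line. The Notes cell would also be stronger if it said why this is High: the AppID URI (identifierUris) is the identifier clients request tokens for, so an unexpected change alters the audience of tokens issued for the API and can break or misdirect every client of it.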
Alert when these changes are detected outside approved change management procedu
| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
|-|-|-|-|-|
-| Changes to application ownership| Medium| Microsoft Entra ID logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Add owner to application| Look for any instance of a user being added as an application owner outside of normal change management activities.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoApplicationOwnership.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |
+| Changes to application ownership| Medium| Microsoft Entra logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Add owner to application| Look for any instance of a user being added as an application owner outside of normal change management activities.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoApplicationOwnership.yaml)<br><br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |
### Log-out URL modified or removed
| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |
|-|-|-|-|-|
-| Changes to log-out URL| Low| Microsoft Entra ID logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>-and-<br>Activity: Update service principle| Look for any modifications to a sign-out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoApplicationLogoutURL.yaml) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Changes to log-out URL| Low| Microsoft Entra logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>-and-<br>Activity: Update service principle| Look for any modifications to a sign-out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoApplicationLogoutURL.yaml) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
## Resources
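Review bot: "Activity: Update service principle" in the log-out URL row should be "Update service principal" (the audit activity name, and the spelling used in the AppID URI row above); the typo survived the rename. The same row's Notes cell overstates the effect of a blank or wrong URL: it does not stop the user terminating the Microsoft Entra session, it stops the front-channel sign-out notification from reaching the application, so the application's own session outlives the sign-out. In the ownership row just above, the Notes cell should say why an added owner matters: an application owner can add client secrets and certificates to the registration, which makes "Add owner to application" a credential-injection path rather than a configuration nicety, and the matching "Add owner to service principal" audit activity is missing from the filter column even though enterprise applications have owners too.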
Alert when these changes are detected outside approved change management procedu
* OAuth attack detection guidance - [Unusual addition of credentials to an OAuth app](/cloud-app-security/investigate-anomaly-alerts)
-* Microsoft Entra ID monitoring configuration information for SIEMs - [Partner tools with Azure Monitor integration](../..//azure-monitor/essentials/stream-monitoring-data-event-hubs.md)
+* Microsoft Entra monitoring configuration information for SIEMs - [Partner tools with Azure Monitor integration](../..//azure-monitor/essentials/stream-monitoring-data-event-hubs.md)
## Next steps
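Review bot: the link path "../..//azure-monitor/essentials/stream-monitoring-data-event-hubs.md" has a doubled slash; since the line is being edited for the rename anyway, correct it to "../../azure-monitor/essentials/stream-monitoring-data-event-hubs.md".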
active-directory Security Operations Infrastructure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-infrastructure.md
Organizations might need to monitor for and alert on the creation of new Microso
Microsoft Entra ID and Microsoft Entra application proxy give remote users a single sign-on (SSO) experience. Users securely connect to on-premises apps without a virtual private network (VPN) or dual-homed servers and firewall rules. If your Microsoft Entra application proxy connector server is compromised, attackers could alter the SSO experience or change access to published applications.
-To configure monitoring for Application Proxy, see [Troubleshoot Application Proxy problems and error messages](../app-proxy/application-proxy-troubleshoot.md). The data file that logs information can be found in Applications and Services Logs\Microsoft\AadApplicationProxy\Connector\Admin. For a complete reference guide to audit activity, see [Microsoft Entra ID audit activity reference](../reports-monitoring/reference-audit-activities.md). Specific things to monitor:
+To configure monitoring for Application Proxy, see [Troubleshoot Application Proxy problems and error messages](../app-proxy/application-proxy-troubleshoot.md). The data file that logs information can be found in Applications and Services Logs\Microsoft\AadApplicationProxy\Connector\Admin. For a complete reference guide to audit activity, see [Microsoft Entra audit activity reference](../reports-monitoring/reference-audit-activities.md). Specific things to monitor:
| What to monitor| Risk level| Where| Filter/sub-filter| Notes |
| - | - | - | - | - |
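Review bot: "The data file that logs information can be found in Applications and Services Logs\Microsoft\AadApplicationProxy\Connector\Admin" is wrong in kind: that path is a Windows event log channel on each connector server, not a file, and it exists only on the connector host, so nothing reaches the SOC until it is forwarded (for example with the Azure Monitor Agent or existing Windows event forwarding). Suggest "The connector writes its operational events to the Windows event log under Applications and Services Logs\Microsoft\AadApplicationProxy\Connector\Admin; forward that channel to your SIEM", placed before the list of things to monitor.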
To configure monitoring for Application Proxy, see [Troubleshoot Application Pro
For multifactor authentication (MFA) to be effective, you also need to block legacy authentication. You then need to monitor your environment and alert on any use of legacy authentication. Legacy authentication protocols like POP, SMTP, IMAP, and MAPI can’t enforce MFA. This makes these protocols the preferred entry points for attackers. For more information on tools that you can use to block legacy authentication, see [New tools to block legacy authentication in your organization](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302).
-Legacy authentication is captured in the Microsoft Entra sign-in log as part of the detail of the event. You can use the Azure Monitor workbook to help with identifying legacy authentication usage. For more information, see [Sign-ins using legacy authentication](../reports-monitoring/howto-use-azure-monitor-workbooks.md), which is part of [How to use Azure Monitor Workbooks for Microsoft Entra ID reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md). You can also use the Insecure protocols workbook for Microsoft Sentinel. For more information, see [Microsoft Sentinel Insecure Protocols Workbook Implementation Guide](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-insecure-protocols-workbook-implementation-guide/ba-p/1197564). Specific activities to monitor include:
+Legacy authentication is captured in the Microsoft Entra sign-in log as part of the detail of the event. You can use the Azure Monitor workbook to help with identifying legacy authentication usage. For more information, see [Sign-ins using legacy authentication](../reports-monitoring/howto-use-azure-monitor-workbooks.md), which is part of [How to use Azure Monitor Workbooks for Microsoft Entra reports](../reports-monitoring/howto-use-azure-monitor-workbooks.md). You can also use the Insecure protocols workbook for Microsoft Sentinel. For more information, see [Microsoft Sentinel Insecure Protocols Workbook Implementation Guide](https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-insecure-protocols-workbook-implementation-guide/ba-p/1197564). Specific activities to monitor include:
| What to monitor| Risk level| Where| Filter/sub-filter| Notes |
| - | - | - | - | - |
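Review bot: the two links in the second sentence of the rewritten paragraph ("Sign-ins using legacy authentication" and "How to use Azure Monitor Workbooks for Microsoft Entra reports") both resolve to howto-use-azure-monitor-workbooks.md, so the sentence links the same page twice; keep one. "captured in the Microsoft Entra sign-in log as part of the detail of the event" is also vaguer than it needs to be: the sign-in log's Client app field (clientAppUsed) is what identifies legacy protocols, with values such as IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync and "Other clients", and naming the field lets readers write the query themselves instead of depending on the workbook.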
The DC agent Admin log is the primary source of information for how the software
* Microsoft Entra audit log, Category Application Proxy
-Complete reference for Microsoft Entra ID audit activities is available at [Microsoft Entra ID audit activity reference](../reports-monitoring/reference-audit-activities.md).
+Complete reference for Microsoft Entra audit activities is available at [Microsoft Entra audit activity reference](../reports-monitoring/reference-audit-activities.md).
## Conditional Access
active-directory Security Operations Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-introduction.md
As part of an Azure hybrid environment, the following items should be baselined
* **Password writeback Agent** - Password writeback is a feature enabled with [Microsoft Entra Connect](../hybrid/whatis-hybrid-identity.md) that allows password changes in the cloud to be written back to an existing on-premises directory in real time. For more information on this feature, see [How does self-service password reset writeback work in Microsoft Entra ID](../authentication/concept-sspr-writeback.md).
-* **Microsoft Entra application proxy Connector** - Lightweight agents that sit on-premises and facilitate the outbound connection to the Application Proxy service. For more information, see [Understand Azure ADF Application Proxy connectors](../app-proxy/application-proxy-connectors.md).
+* **Microsoft Entra application proxy Connector** - Lightweight agents that sit on-premises and facilitate the outbound connection to the Application Proxy service. For more information, see [Understand Microsoft Entra Application Proxy connectors](../app-proxy/application-proxy-connectors.md).
## Components of cloud-based authentication
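Review bot: the bullet title reads "Microsoft Entra application proxy Connector" while the corrected link text in the same line reads "Microsoft Entra Application Proxy connectors"; pick one casing for both (the other entries in this batch use "Microsoft Entra application proxy"). Substantively, the bullet should add that the connector server is the trust point the security-operations-infrastructure change in this batch warns about ("If your Microsoft Entra application proxy connector server is compromised, attackers could alter the SSO experience"), so it belongs in the baseline inventory with the same scrutiny as the Microsoft Entra Connect server described in the previous bullet.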
active-directory Security Operations Privileged Identity Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-privileged-identity-management.md
The following are recommended baseline settings:
<a name='azure-ad-roles-assignment'></a>
+## Privileged Identity Management Alerts
+
+Privileged Identity Management (PIM) generates alerts when there's suspicious or unsafe activity in your Microsoft Entra ID organization. When an alert is generated, it appears in the Privileged Identity Management dashboard. You can also configure an email notification or send to your SIEM via GraphAPI. Because these alerts focus specifically on administrative roles, you should monitor closely for any alerts.
+
+| What to monitor| Risk Level| Where | Filter/sub-filter UX | Notes |
+| - |- |- |- |- |
+| [Roles are being assigned outside of Privileged Identity Management](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) | High |Privileged Identity Management, Alerts |[Roles are being assigned outside of Privileged Identity Management](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) |[How to configure security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| [Potential stale accounts in a privileged role](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) | Medium |Privileged Identity Management, Alerts |[Potential stale accounts in a privileged role](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) |[How to configure security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| [Administrators aren't using their privileged roles](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) | Low |Privileged Identity Management, Alerts |[Administrators aren't using their privileged roles](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) |[How to configure security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| [Roles don't require multi-factor authentication for activation](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) | Low |Privileged Identity Management, Alerts |[Roles don't require multi-factor authentication for activation](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) |[How to configure security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| [The organization doesn't have Microsoft Entra ID P2 or Microsoft Entra ID Governance](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) | Low |Privileged Identity Management, Alerts |[The organization doesn't have Microsoft Entra ID P2 or Microsoft Entra ID Governance](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) |[How to configure security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| [There are too many global administrators](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) | Low |Privileged Identity Management, Alerts |[There are too many global administrators](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts)|[How to configure security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| [Roles are being activated too frequently](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) | Low |Privileged Identity Management, Alerts |[Roles are being activated too frequently](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts)|[How to configure security alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md#security-alerts) <br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+
+<a name='azure-ad-roles-assignment'></a>
+ ## Microsoft Entra roles assignment A privileged role administrator can customize PIM in their Microsoft Entra organization, which includes changing the user experience of activating an eligible role assignment:
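Review bot: Every row's **Sigma rules** link points at the same `rules/cloud/azure` directory, so a reader who follows it for "Roles are being assigned outside of Privileged Identity Management" or "There are too many global administrators" still has to search the folder for a matching rule. Either link the specific rule file where one exists, or drop the per-row repetition in favour of one "Sigma rules for Azure" link beneath the table; the column then stays useful as the PIM alert catalogue changes. The `<a name='azure-ad-roles-assignment'></a>` anchor in front of the renamed heading is the right way to keep existing deep links working after the Azure AD to Microsoft Entra rename; keep it.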
active-directory Security Operations User Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/security-operations-user-accounts.md
As you design and operationalize a log monitoring and alerting strategy, conside
| What to monitor | Risk Level | Where | Filter/sub-filter | Notes | | - | - | - | - | - |
-| Leaked credentials user risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Leaked credentials <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| Microsoft Entra Threat Intelligence user risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Microsoft Entra threat intelligence <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| Anonymous IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Anonymous IP address <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| Atypical travel sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Atypical travel <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| Anomalous Token| Varies| Microsoft Entra ID Risk Detection logs| UX: Anomalous Token <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| Malware linked IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Malware linked IP address <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| Suspicious browser sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Suspicious browser <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| Unfamiliar sign-in properties sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Unfamiliar sign-in properties <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| Malicious IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Malicious IP address<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| Suspicious inbox manipulation rules sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Suspicious inbox manipulation rules<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| Password Spray sign-in risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Password spray<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| Impossible travel sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Impossible travel<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| New country/region sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: New country/region<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| Activity from anonymous IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Activity from Anonymous IP address<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| Suspicious inbox forwarding sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Suspicious inbox forwarding<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
-| Microsoft Entra threat intelligence sign-in risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Microsoft Entra threat intelligence<br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Leaked credentials user risk detection| High| Microsoft Entra risk detection logs| UX: Leaked credentials <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Microsoft Entra Threat Intelligence user risk detection| High| Microsoft Entra risk detection logs| UX: Microsoft Entra threat intelligence <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Anonymous IP address sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Anonymous IP address <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Atypical travel sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Atypical travel <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Anomalous Token| Varies| Microsoft Entra risk detection logs| UX: Anomalous Token <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Malware linked IP address sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Malware linked IP address <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Suspicious browser sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Suspicious browser <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Unfamiliar sign-in properties sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Unfamiliar sign-in properties <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Malicious IP address sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Malicious IP address<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Suspicious inbox manipulation rules sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Suspicious inbox manipulation rules<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Password Spray sign-in risk detection| High| Microsoft Entra risk detection logs| UX: Password spray<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Impossible travel sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Impossible travel<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| New country/region sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: New country/region<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Activity from anonymous IP address sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Activity from Anonymous IP address<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Suspicious inbox forwarding sign-in risk detection| Varies| Microsoft Entra risk detection logs| UX: Suspicious inbox forwarding<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
+| Microsoft Entra threat intelligence sign-in risk detection| High| Microsoft Entra risk detection logs| UX: Microsoft Entra threat intelligence<br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
For more information, visit [What is Identity Protection](../identity-protection/overview-identity-protection.md).
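Review bot: The rename of the **Where** column to "Microsoft Entra risk detection logs" is applied consistently, but the rows it touches carry several pre-existing inconsistencies worth fixing in the same pass: the last row ("Microsoft Entra threat intelligence sign-in risk detection") uses a single `<br>` between the UX and API entries where every other row uses `<br><br>`; "Anomalous Token" is the only row without the "sign-in risk detection" suffix and uses title case; "Password Spray" is capitalised while the UX value in the same row is "Password spray". Also note that "Leaked credentials" and "Microsoft Entra Threat Intelligence" are user risk detections and the rest are sign-in risk detections, so the **Filter/sub-filter** column should say which `riskDetection` property (user risk versus sign-in risk) the API consumer filters on; as written, all sixteen rows point at the same Graph resource page with no hint of the distinguishing field.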
active-directory Sync Ldap https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/architecture/sync-ldap.md
Use LDAP synchronization when you need to synchronize identity data between your
## System components
-* **Microsoft Entra ID**: Azure AD synchronizes identity information (users, groups) from organization's on-premises LDAP directories via Microsoft Entra Connect.
+* **Microsoft Entra ID**: Microsoft Entra ID synchronizes identity information (users, groups) from organization's on-premises LDAP directories via Microsoft Entra Connect.
* **Microsoft Entra Connect**: is a tool for connecting on premises identity infrastructures to Microsoft Entra ID. The wizard and guided experiences help to deploy and configure prerequisites and components required for the connection. * **Custom Connector**: A Generic LDAP Connector enables you to integrate the Microsoft Entra Connect synchronization service with an LDAP v3 server. It sits on Microsoft Entra Connect. * **Active Directory**: Active Directory is a directory service included in most Windows Server operating systems. Servers that run Active Directory Services, referred to as domain controllers, authenticate and authorize all users and computers in a Windows domain.
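Review bot: The rewritten bullet still reads "from organization's on-premises LDAP directories", which needs an article ("from an organization's"), and it now says "**Microsoft Entra ID**: Microsoft Entra ID synchronizes ...", repeating the term. More importantly, the direction is imprecise: the next bullet says the Generic LDAP Connector runs inside the Microsoft Entra Connect synchronization service and talks to the LDAP v3 server, so it is Microsoft Entra Connect that reads the on-premises directory and writes to the cloud, not Microsoft Entra ID pulling from LDAP. Suggest "**Microsoft Entra ID**: the cloud directory that receives the identity information (users, groups) that Microsoft Entra Connect synchronizes from an organization's on-premises LDAP directories." That also makes the trust boundary clear to the reader: the LDAP server is never reachable from the cloud, only from the Connect server.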
active-directory Certificate Based Authentication Federation Android https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/certificate-based-authentication-federation-android.md
As a best practice, you should update your organization's AD FS error pages with
For more information, see [Customizing the AD FS Sign-in Pages](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn280950(v=ws.11)).
-Office apps with modern authentication enabled send '*prompt=login*' to Azure AD in their request. By default, Azure AD translates '*prompt=login*' in the request to AD FS as '*wauth=usernamepassworduri*' (asks AD FS to do U/P Auth) and '*wfresh=0*' (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Azure AD behavior. Set the '*PromptLoginBehavior*' in your federated domain settings to '*Disabled*'.
+Office apps with modern authentication enabled send '*prompt=login*' to Microsoft Entra ID in their request. By default, Microsoft Entra ID translates '*prompt=login*' in the request to AD FS as '*wauth=usernamepassworduri*' (asks AD FS to do U/P Auth) and '*wfresh=0*' (asks AD FS to ignore SSO state and do a fresh authentication). If you want to enable certificate-based authentication for these apps, you need to modify the default Microsoft Entra behavior. Set the '*PromptLoginBehavior*' in your federated domain settings to '*Disabled*'.
You can use Set-MgDomainFederationConfiguration to perform this task: ```powershell
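Review bot: The protocol parameters in the rewritten paragraph are formatted as `'*prompt=login*'`, `'*wauth=usernamepassworduri*'`, `'*wfresh=0*'`, `'*PromptLoginBehavior*'` and `'*Disabled*'`, mixing straight quotes with italics; these are literal query-string values and a property name, so they belong in code spans (`prompt=login`, `wauth=usernamepassworduri`, `wfresh=0`, `PromptLoginBehavior`, `Disabled`), which also stops the quotes being read as part of the value. "U/P Auth" should be spelled out as "username/password authentication" on first use. Finally, the paragraph explains what `Disabled` stops (the translation to `wauth`/`wfresh`) but not what AD FS then receives, so the reader cannot judge whether their AD FS policy will actually fall through to certificate authentication; one sentence on the resulting request would make the security consequence of the change explicit.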
active-directory Concept Certificate Based Authentication Certificateuserids https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-certificateuserids.md
The values stored in **certificateUserIds** should be in the format described in
## Roles to update certificateUserIds
-For cloud-only users, only users with roles **Global Administrators**, **Privileged Authentication Administrator** can write into certificateUserIds. Cloud-only users can use both UX and MSGraph to write into certificateUserIds. For synched users, AD users with role **Hybrid Identity Administrator** can write into the attribute. Only Azure ADConnect can be used to update CertificateUserIds by syncing the value from on-prem for synched users.
+For cloud-only users, only users with roles **Global Administrators**, **Privileged Authentication Administrator** can write into certificateUserIds. Cloud-only users can use both UX and MSGraph to write into certificateUserIds. For synched users, AD users with role **Hybrid Identity Administrator** can write into the attribute. Only Microsoft Entra Connect can be used to update CertificateUserIds by syncing the value from on-prem for synched users.
>[!NOTE] >Active Directory Administrators (including accounts with delegated administrative privilege over synched user accounts as well as administrative rights over the Azure >AD Connect Servers) can make changes that impact the certificateUserIds value in Microsoft Entra ID for any synched accounts.
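Review bot: The NOTE directly under the renamed sentence still says "Azure >AD Connect Servers", so the rename pass missed this occurrence, and the stray `>` sits in the middle of the product name where the quoted block was wrapped; it should read "Microsoft Entra Connect servers" to match the sentence above. In the same sentence, "Global Administrators" is plural while "Privileged Authentication Administrator" is singular, "synched" should be "synced", "MSGraph" should be "Microsoft Graph", and "CertificateUserIds" should match the attribute's casing `certificateUserIds` used everywhere else. The substance of the NOTE is the important part and deserves a stronger statement: because Microsoft Entra Connect is the only writer for synced users, anyone with write access to the source attribute on-premises (delegated OU admins included) can bind a certificate to a synced account; say plainly that this write right must be protected like a password-reset right.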
active-directory Concept Certificate Based Authentication Technical Deep Dive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md
Now we'll walk through each step:
However, with the issue hints feature enabled (coming soon), the new certauth endpoint will change to `https://t{tenantid}.certauth.login.microsoftonline.com`.
-The endpoint performs TLS mutual authentication, and requests the client certificate as part of the TLS handshake. You'll see an entry for this request in the Sign-ins log.
+The endpoint performs TLS mutual authentication, and requests the client certificate as part of the TLS handshake. You'll see an entry for this request in the sign-in log.
>[!NOTE] >The network administrator should allow access to the User sign-in page and certauth endpoint `*.certauth.login.microsoftonline.com` for the customer's cloud environment. Disable TLS inspection on the certauth endpoint to make sure the client certificate request succeeds as part of the TLS handshake.
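Review bot: The context sentence above refers to the "issue hints feature (coming soon)", while the paragraph after the NOTE calls it the "Issuer Hints feature"; the first is a typo for "issuer hints" and the two should agree, with "the" in front of "Issuer Hints feature" in both places. The allow-list guidance in the NOTE is sound: the wildcard `*.certauth.login.microsoftonline.com` already covers the tenant-prefixed host `t{tenantid}.certauth.login.microsoftonline.com`, so it would help to say that explicitly so administrators do not add a second, narrower rule. The advice to exclude the certauth endpoint from TLS inspection should also state the reason in one clause: a TLS-terminating proxy answers the server's client-certificate request itself, so the user's smart card or certificate is never presented and the sign-in fails.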
The endpoint performs TLS mutual authentication, and requests the client certifi
Without this change, certificate-based authentication will fail when you enable Issuer Hints feature.
- :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png" alt-text="Screenshot of the Sign-ins log in Microsoft Entra ID." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png":::
+ :::image type="content" border="true" source="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png" alt-text="Screenshot of the sign-in log in Microsoft Entra ID." lightbox="./media/concept-certificate-based-authentication-technical-deep-dive/sign-in-log.png":::
Click the log entry to bring up **Activity Details** and click **Authentication Details**. You'll see an entry for the X.509 certificate.
active-directory Concept Mfa Authprovider https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-mfa-authprovider.md
If your MFA provider isn't linked to a Microsoft Entra tenant, or you link the n
> [!CAUTION] > There is no confirmation when deleting an authentication provider. Selecting **Delete** is a permanent process.
-Authentication providers can be found in the [Microsoft Entra admin center](https://entra.microsoft.com). Sign in as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator). Browse to **Protection** > **multifactor authentication** > **Providers**. Click the listed providers to see details and configurations associated with that provider.
+Authentication providers can be found in the [Microsoft Entra admin center](https://entra.microsoft.com). Sign in as at least an [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator). Browse to **Protection** > **Multifactor authentication** > **Providers**. Click the listed providers to see details and configurations associated with that provider.
Before removing an authentication provider, take note of any customized settings configured in your provider. Decide what settings need to be migrated to general MFA settings from your provider and complete the migration of those settings.
active-directory Concept Mfa Data Residency https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-mfa-data-residency.md
For Microsoft Azure Government, Microsoft Azure operated by 21Vianet, Azure AD B
If you use MFA Server, the following personal data is stored. > [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
| Event type | Data store type | |--|--|
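Review bot: Both the removed and the added IMPORTANT lines contain "usersΓÇÖ", a UTF-8 curly apostrophe decoded as a legacy code page; the file should be re-saved as UTF-8 or the word written as `users'`. Within the same block the product is named three ways ("Azure Multi-Factor Authentication Server", "Azure MFA Server", "cloud-based Azure MFA service"); since this commit is a naming pass, settle on "Azure Multi-Factor Authentication Server" for the on-premises product (as the new line and the "Multi-Factor Authentication Server status" bullet below now do) and "Microsoft Entra multifactor authentication" for the cloud service, and apply the same form to the two link texts.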
For MFA Server, the following pages might contain organizational data:
* Server settings * One-time bypass * Caching rules
-* Multifactor authentication Server status
+* Multi-Factor Authentication Server status
## Multifactor authentication activity reports for public cloud
active-directory Concept Password Ban Bad Combined Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-password-ban-bad-combined-policy.md
The following Microsoft Entra password policy requirements apply for all passwor
## Password expiration policies
-Password expiration policies are unchanged but they're included in this topic for completeness. A *Global Administrator* or *User Administrator* can use the [Azure AD Module for PowerShell](/powershell/module/Azuread/) to set user passwords not to expire.
+Password expiration policies are unchanged but they're included in this topic for completeness. A *Global Administrator* or *User Administrator* can use the [Azure AD module for PowerShell](/powershell/module/Azuread/) to set user passwords not to expire.
> [!NOTE] > By default, only passwords for user accounts that aren't synchronized through Microsoft Entra Connect can be configured to not expire. For more information about directory synchronization, see [Connect AD with Microsoft Entra ID](../hybrid/connect/how-to-connect-password-hash-synchronization.md#password-expiration-policy).
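Review bot: The change only recases "module", but the sentence still sends administrators to the legacy Azure AD PowerShell module (`/powershell/module/Azuread/`), which Microsoft has announced for deprecation, while other articles in this same commit already use Microsoft Graph PowerShell (for example `Set-MgDomainFederationConfiguration` in the AD FS certificate-based authentication article). Update the sentence to the Graph equivalent, for example `Update-MgUser -UserId <user> -PasswordPolicies DisablePasswordExpiration`, and link the Microsoft Graph PowerShell reference instead. The NOTE below it is correct and worth keeping next to the cmdlet: for synced users the expiration policy comes from on-premises Active Directory, so setting the cloud flag has no effect.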
active-directory Concepts Azure Multi Factor Authentication Prompts Session Lifetime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md
When a user selects **Yes** on the *Stay signed in?* prompt option during sign-i
![Screenshot of example prompt to remain signed in](./media/concepts-azure-multi-factor-authentication-prompts-session-lifetime/stay-signed-in-prompt.png)
-If you have a Microsoft Entra ID P1 or P2 1 license, we recommend using Conditional Access policy for *Persistent browser session*. This policy overwrites the *Stay signed in?* setting and provides an improved user experience. If you don't have a Microsoft Entra ID P1 or P2 1 license, we recommend enabling the stay signed in setting for your users.
+If you have a Microsoft Entra ID P1 or P2 license, we recommend using Conditional Access policy for *Persistent browser session*. This policy overwrites the *Stay signed in?* setting and provides an improved user experience. If you don't have a Microsoft Entra ID P1 or P2 license, we recommend enabling the stay signed in setting for your users.
For more information on configuring the option to let users remain signed-in, see [How to manage the 'Stay signed in?' prompt](../fundamentals/how-to-manage-stay-signed-in-prompt.md).
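Review bot: The "P2 1 license" typo fix is right; while touching the sentence, "This policy overwrites the *Stay signed in?* setting" should be "overrides": the Conditional Access persistent browser session control takes precedence over the tenant-wide setting for the users in scope, it does not modify the setting itself, and "overwrites" suggests the tenant value is changed for everyone. Also "using Conditional Access policy" needs an article ("a Conditional Access policy").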
This setting lets you configure values between 1-365 days and sets a persistent
While this setting reduces the number of authentications on web apps, it increases the number of authentications for modern authentication clients, such as Office clients. These clients normally prompt only after password reset or inactivity of 90 days. However, setting this value to less than 90 days shortens the default MFA prompts for Office clients, and increases reauthentication frequency. When used in combined with **Remain signed-in** or Conditional Access policies, it may increase the number of authentication requests.
-If you use *Remember MFA* and have Microsoft Entra ID P1 or P2 1 licenses, consider migrating these settings to Conditional Access Sign-in Frequency. Otherwise, consider using *Keep me signed in?* instead.
+If you use *Remember MFA* and have Microsoft Entra ID P1 or P2 licenses, consider migrating these settings to Conditional Access Sign-in Frequency. Otherwise, consider using *Keep me signed in?* instead.
More information, see [Remember multifactor authentication](howto-mfa-mfasettings.md#remember-multi-factor-authentication).
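Review bot: The two changed lines refer to the prompt as "*Keep me signed in?*" while the earlier paragraph in the same article calls it "*Stay signed in?*" (and the linked article title uses "Stay signed in?"); it is one prompt and should have one name. In the surrounding context, "When used in combined with **Remain signed-in** or Conditional Access policies" should be "When used in combination with", and "Remain signed-in" is a third name for the same setting; "More information, see" should be "For more information, see". The security trade-off in the paragraph is stated correctly (a shorter *Remember MFA* window forces modern-auth clients to reauthenticate more often than their 90-day default), so the fix is wording only.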
active-directory How To Authentication Two Way Sms Unsupported https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-authentication-two-way-sms-unsupported.md
# Two-way SMS unsupported
-Two-way SMS for Microsoft Entra multifactor authentication Server was originally deprecated in 2018, and no longer supported after February 24, 2021, except for organizations that received a support extension until August 2, 2021. Administrators should enable another method for users who still use two-way SMS.
+Two-way SMS for Azure Multi-Factor Authentication Server was originally deprecated in 2018, and no longer supported after February 24, 2021, except for organizations that received a support extension until August 2, 2021. Administrators should enable another method for users who still use two-way SMS.
Email notifications and Service Health notifications (portal toasts) were sent to affected admins on December 8, 2020 and January 28, 2021. The alerts went to the Owner, Co-Owner, Admin, and Service Admin RBAC roles tied to the subscriptions. If you've already completed the following steps, no action is necessary.
active-directory How To Mfa Number Match https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-number-match.md
Combined registration with Authenticator requires number matching. When a user g
### AD FS adapter
-AD FS adapter requires number matching on supported versions of Windows Server. On earlier versions, users continue to see the **Approve**/**Deny** experience and donΓÇÖt see number matching until you upgrade. The AD FS adapter supports number matching only after you install one of the updates in the following table. For more information about how to set up AD FS adapter, see [Configure Microsoft Entra multifactor authentication Server to work with AD FS in Windows Server](howto-mfaserver-adfs-windows-server.md).
+AD FS adapter requires number matching on supported versions of Windows Server. On earlier versions, users continue to see the **Approve**/**Deny** experience and donΓÇÖt see number matching until you upgrade. The AD FS adapter supports number matching only after you install one of the updates in the following table. For more information about how to set up AD FS adapter, see [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](howto-mfaserver-adfs-windows-server.md).
>[!NOTE] >Unpatched versions of Windows Server don't support number matching. Users continue to see the **Approve**/**Deny** experience and don't see number matching unless these updates are applied.
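Review bot: the replacement line still carries the mis-encoded apostrophe in `donΓÇÖt`; since the sentence is being rewritten anyway, emit a plain `don't`. The `[!NOTE]` that follows repeats the paragraph's own sentence (unpatched servers keep the Approve/Deny experience until the updates are applied) almost verbatim, so one of the two copies can go.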
active-directory How To Mfa Registration Campaign https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-registration-campaign.md
To enable a registration campaign in the Microsoft Entra admin center, complete
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as [Authentication Policy Administrator](../roles/permissions-reference.md#authentication-policy-administrator) or [Global Administrator](../roles/permissions-reference.md#global-administrator). 1. Browse to **Protection** > **Authentication methods** > **Registration campaign** and click **Edit**.
-1. For **State**, click **Microsoft managed** or **Enabled**. In the following screenshot, the registration campaign is **Microsoft managed**. That setting allows Microsoft to set the default value to be either Enabled or Disabled. From Sept. 25 to Oct. 20, 2023, the Microsoft managed value for the registration campaign will change to **Enabled** for voice call and text message users across all tenants. For more information, see [Protecting authentication methods in Azure Active Directory](concept-authentication-default-enablement.md).
+1. For **State**, click **Microsoft managed** or **Enabled**. In the following screenshot, the registration campaign is **Microsoft managed**. That setting allows Microsoft to set the default value to be either Enabled or Disabled. From Sept. 25 to Oct. 20, 2023, the Microsoft managed value for the registration campaign will change to **Enabled** for voice call and text message users across all tenants. For more information, see [Protecting authentication methods in Microsoft Entra ID](concept-authentication-default-enablement.md).
:::image type="content" border="true" source="media/how-to-mfa-registration-campaign/admin-experience.png" alt-text="Screenshot of enabling a registration campaign.":::
active-directory How To Mfa Server Migration Utility https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-mfa-server-migration-utility.md
Take a look at our video for an overview of the MFA Server Migration Utility and
|Phase|Steps| |:|:--|
-|Preparations |[Identify Microsoft Entra multifactor authentication Server dependencies](#identify-azure-ad-mfa-server-dependencies) |
-||[Backup Microsoft Entra multifactor authentication Server datafile](#backup-azure-ad-mfa-server-datafile) |
+|Preparations |[Identify Azure Multi-Factor Authentication Server dependencies](#identify-azure-ad-mfa-server-dependencies) |
+||[Backup Azure Multi-Factor Authentication Server datafile](#backup-azure-ad-mfa-server-datafile) |
||[Install MFA Server update](#install-mfa-server-update) | ||[Configure MFA Server Migration Utility](#configure-the-mfa-server-migration-utility) | |Migrations |[Migrate user data](#migrate-user-data)|
The following sections explain the migration steps in more detail.
<a name='identify-azure-ad-mfa-server-dependencies'></a>
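Review bot: "Backup" is used as a verb in the second table row (and in the matching heading further down); it should read "Back up Azure Multi-Factor Authentication Server data file". The row links still target the legacy `#identify-azure-ad-mfa-server-dependencies` and `#backup-azure-ad-mfa-server-datafile` anchors, which resolve only through the `<a name>` tags kept above each heading, so those tags must survive any later cleanup of this rename.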
-### Identify Microsoft Entra multifactor authentication Server dependencies
+<a name='identify-microsoft-entra-multifactor-authentication-server-dependencies'></a>
+
+### Identify Azure Multi-Factor Authentication Server dependencies
We've worked hard to ensure that moving onto our cloud-based Microsoft Entra multifactor authentication solution will maintain and even improve your security posture. There are three broad categories that should be used to group dependencies:
If you enabled the [MFA Server Authentication provider in AD FS 2.0](./howto-mfa
<a name='backup-azure-ad-mfa-server-datafile'></a>
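Review bot: the added `<a name='identify-microsoft-entra-multifactor-authentication-server-dependencies'>` keeps links written against the slug of the heading this hunk removes, which is right, but the section now answers to three anchors (two `<a name>` tags plus the heading's own slug). State in the commit which one in-repo links should use from now on so the redundant ones can be retired. The opening sentence "We've worked hard to ensure that moving onto our cloud-based … solution will maintain and even improve your security posture" is marketing copy in a migration guide; the useful content is the three dependency categories that follow it.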
-### Backup Microsoft Entra multifactor authentication Server datafile
-Make a backup of the MFA Server data file located at %programfiles%\multifactor authentication Server\Data\PhoneFactor.pfdata (default location) on your primary MFA Server. Make sure you have a copy of the installer for your currently installed version in case you need to roll back. If you no longer have a copy, contact Customer Support Services.
+<a name='backup-microsoft-entra-multifactor-authentication-server-datafile'></a>
+
+### Backup Azure Multi-Factor Authentication Server datafile
+Make a backup of the MFA Server data file located at %programfiles%\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata (default location) on your primary MFA Server. Make sure you have a copy of the installer for your currently installed version in case you need to roll back. If you no longer have a copy, contact Customer Support Services.
Depending on user activity, the data file can become outdated quickly. Any changes made to MFA Server, or any end-user changes made through the portal after the backup won't be captured. If you roll back, any changes made after this point won't be restored. ### Install MFA Server update
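Review bot: the backup step names the file (`%programfiles%\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata`) but says nothing about where the copy should live. That file is the server's entire user data set, so the step should say the backup needs the same access restrictions as the live file and must not be left on a shared drive or in the migration working folder; the roll-back caveat in the next paragraph already treats it as the authoritative copy.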
-Run the new installer on the Primary MFA Server. Before you upgrade a server, remove it from load balancing or traffic sharing with other MFA Servers. You don't need to uninstall your current MFA Server before running the installer. The installer performs an in-place upgrade using the current installation path (for example, C:\Program Files\multifactor authentication Server). If you're prompted to install a Microsoft Visual C++ 2015 Redistributable update package, accept the prompt. Both the x86 and x64 versions of the package are installed. It isn't required to install updates for User portal, Web SDK, or AD FS Adapter.
+Run the new installer on the Primary MFA Server. Before you upgrade a server, remove it from load balancing or traffic sharing with other MFA Servers. You don't need to uninstall your current MFA Server before running the installer. The installer performs an in-place upgrade using the current installation path (for example, C:\Program Files\Multi-Factor Authentication Server). If you're prompted to install a Microsoft Visual C++ 2015 Redistributable update package, accept the prompt. Both the x86 and x64 versions of the package are installed. It isn't required to install updates for User portal, Web SDK, or AD FS Adapter.
>[!NOTE] >After you run the installer on your primary server, secondary servers may begin to log **Unhandled SB** entries. This is due to schema changes made on the primary server that will not be recognized by secondary servers. These errors are expected. In environments with 10,000 users or more, the amount of log entries can increase significantly. To mitigate this issue, you can increase the file size of your MFA Server logs, or upgrade your secondary servers. ### Configure the MFA Server Migration Utility
-After installing the MFA Server update, open an elevated PowerShell command prompt: hover over the PowerShell icon, right-click, and click **Run as Administrator**. Run the .\Configure-MultiFactorAuthMigrationUtility.ps1 script found in your MFA Server installation directory (C:\Program Files\multifactor authentication Server by default).
+After installing the MFA Server update, open an elevated PowerShell command prompt: hover over the PowerShell icon, right-click, and click **Run as Administrator**. Run the .\Configure-MultiFactorAuthMigrationUtility.ps1 script found in your MFA Server installation directory (C:\Program Files\Multi-Factor Authentication Server by default).
This script will require you to provide credentials for an Application Administrator in your Microsoft Entra tenant. The script will then create a new MFA Server Migration Utility application within Microsoft Entra ID, which will be used to write user authentication methods to each Microsoft Entra user object.
The script will instruct you to grant admin consent to the newly created applica
:::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/permissions.png" alt-text="Screenshot of permissions.":::
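Review bot: `.\Configure-MultiFactorAuthMigrationUtility.ps1` is a relative path, so the command only works once the elevated prompt is already in the installation directory; either prefix the step with a `cd` into `C:\Program Files\Multi-Factor Authentication Server` or give the full path. The step also asks for Application Administrator credentials and creates an application that writes authentication methods to every Microsoft Entra user object, so the permissions the consent prompt grants should be listed in text rather than shown only in the screenshot.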
-Once complete, navigate to the multifactor authentication Server folder, and open the **MultiFactorAuthMigrationUtilityUI** application. You should see the following screen:
+Once complete, navigate to the Multi-Factor Authentication Server folder, and open the **MultiFactorAuthMigrationUtilityUI** application. You should see the following screen:
:::image type="content" border="true" source="./media/how-to-mfa-server-migration-utility/utility.png" alt-text="Screenshot of MFA Server Migration Utility.":::
The Configure-MultiFactorAuthMigrationUtility.ps1 script should be run on the se
### Migrate user data
-Migrating user data doesn't remove or alter any data in the multifactor authentication Server database. Likewise, this process won't change where a user performs MFA. This process is a one-way copy of data from the on-premises server to the corresponding user object in Microsoft Entra ID.
+Migrating user data doesn't remove or alter any data in the Multi-Factor Authentication Server database. Likewise, this process won't change where a user performs MFA. This process is a one-way copy of data from the on-premises server to the corresponding user object in Microsoft Entra ID.
The MFA Server Migration utility targets a single Microsoft Entra group for all migration activities. You can add users directly to this group, or add other groups. You can also add them in stages during the migration.
active-directory How To Migrate Mfa Server To Azure Mfa https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa.md
# Migrate from MFA Server to Microsoft Entra multifactor authentication
-Multifactor authentication is important to securing your infrastructure and assets from bad actors. Microsoft Entra multifactor authentication Server (MFA Server) isn't available for new deployments and will be deprecated. Customers who are using MFA Server should move to using cloud-based Microsoft Entra multifactor authentication.
+Multifactor authentication is important to securing your infrastructure and assets from bad actors. Azure Multi-Factor Authentication Server (MFA Server) isn't available for new deployments and will be deprecated. Customers who are using MFA Server should move to using cloud-based Microsoft Entra multifactor authentication.
In this article, we assume that you have a hybrid environment where:
If you no longer have access to the secret keys, contact your hardware vendor fo
The MFA Server Web Service SDK can be used to export the serial number for any OATH tokens assigned to a given user. You can use this information along with the seed file to import the tokens into Microsoft Entra ID and assign the OATH token to the specified user based on the serial number. The user will also need to be contacted at the time of import to supply OTP information from the device to complete the registration.
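Review bot: "isn't available for new deployments and will be deprecated" is out of date relative to the IMPORTANT block used elsewhere in this same commit, which states that deprecation was announced in September 2022 and that MFA Server stops servicing requests on September 30, 2024; this intro should state the announced end date rather than a future deprecation.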
-Refer to the help file topic **GetUserInfo** > **userSettings** > **OathTokenSerialNumber** in multifactor authentication Server on your MFA Server.
+Refer to the help file topic **GetUserInfo** > **userSettings** > **OathTokenSerialNumber** in Multi-Factor Authentication Server on your MFA Server.
### More migrations
active-directory How To Migrate Mfa Server To Mfa User Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-mfa-user-authentication.md
# Migrate to Microsoft Entra multifactor authentication and Microsoft Entra user authentication
-Multifactor authentication helps secure your infrastructure and assets from bad actors. Microsoft multifactor authentication Server (MFA Server) is no longer offered for new deployments. Customers who are using MFA Server should move to Microsoft Entra multifactor authentication (Microsoft Entra multifactor authentication).
+Multifactor authentication helps secure your infrastructure and assets from bad actors. Microsoft Multi-Factor Authentication Server (MFA Server) is no longer offered for new deployments. Customers who are using MFA Server should move to Microsoft Entra multifactor authentication (Microsoft Entra multifactor authentication).
There are several options for migrating from MFA Server to Microsoft Entra ID:
This change ensures only Microsoft Entra multifactor authentication is used as a
1. Open the **AD FS management console**. 1. Under **Services**, right-click on **Authentication Methods**, and select **Edit multifactor authentication Methods**.
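Review bot: "Microsoft Multi-Factor Authentication Server" does not match the "Azure Multi-Factor Authentication Server" used in every other hunk of this commit. The same sentence also ends with "Microsoft Entra multifactor authentication (Microsoft Entra multifactor authentication)", a parenthetical abbreviation left over from the rename that now only repeats the name; drop the parenthetical.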
-1. Clear the **Azure multifactor authentication Server** checkbox.
+1. Clear the **Azure Multi-Factor Authentication Server** checkbox.
### Decommission the MFA Server
Follow your enterprise server decommissioning process to remove the MFA Servers
Possible considerations when decommissions the MFA Server include: * We recommend reviewing MFA Server logs to ensure no users or applications are using it before you remove the server.
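Review bot: the step just above this hunk tells the reader to select "Edit multifactor authentication Methods"; the mixed casing shows the rename sweep also rewrote an AD FS console label, which should be restored to whatever the dialog actually displays, exactly as the checkbox name is restored here. In the decommissioning paragraph, "when decommissions the MFA Server" should read "when decommissioning the MFA Server".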
-* Uninstall multifactor authentication Server from the Control Panel on the server.
+* Uninstall Multi-Factor Authentication Server from the Control Panel on the server.
* Optionally clean up logs and data directories that are left behind after backing them up first. * Uninstall the multifactor authentication Web Server SDK, if applicable including any files left over inetpub\wwwroot\MultiFactorAuthWebServiceSdk and/or MultiFactorAuth directories. * For pre-8.0.x versions of MFA Server, it may also be necessary to remove the multifactor authentication Phone App Web Service.
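Review bot: only the first bullet is reverted; "multifactor authentication Web Server SDK" and "multifactor authentication Phone App Web Service" in the following bullets are component names hit by the same find-and-replace and need the same treatment. While here, "if applicable including any files left over inetpub\wwwroot\…" needs a comma and a preposition: "if applicable, including any files left over in inetpub\wwwroot\…".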
active-directory How To Migrate Mfa Server To Mfa With Federation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/how-to-migrate-mfa-server-to-mfa-with-federation.md
For step-by-step directions on this process, see [Configure the AD FS servers](/
Once you've configured the servers, you can add Microsoft Entra multifactor authentication as an additional authentication method.
-![Screen shot showing the Edit authentication methods screen with Microsoft Entra multifactor authentication and Azure multifactor authentication Server selected](./media/how-to-migrate-mfa-server-to-mfa-user-authentication/edit-authentication-methods.png)
+![Screen shot showing the Edit authentication methods screen with Microsoft Entra multifactor authentication and Azure Multi-Factor Authentication Server selected](./media/how-to-migrate-mfa-server-to-mfa-user-authentication/edit-authentication-methods.png)
<a name='prepare-azure-ad-and-implement-migration'></a>
This change ensures only Microsoft Entra multifactor authentication is used as a
1. Under **Services**, right-click on **Authentication Methods**, and select **Edit multifactor authentication Methods**.
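Review bot: "Screen shot" in the alt text should be "Screenshot", as in the other alt texts touched by this commit. The image is served from the user-authentication article's media folder (`./media/how-to-migrate-mfa-server-to-mfa-user-authentication/`) even though this is the with-federation article; that works, but it should be deliberate, since replacing one article's screenshot silently changes the other.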
-1. Uncheck the box next to **Azure multifactor authentication Server**.
+1. Uncheck the box next to **Azure Multi-Factor Authentication Server**.
### Decommission the MFA Server
Possible considerations when decommissions the MFA Servers include:
* Review MFA Servers' logs to ensure no users or applications are using it before you remove the server.
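Review bot: this step says "Uncheck the box next to" where the identical step in the user-authentication article says "Clear the … checkbox"; the two articles should use the same wording for the same action. The grammar fix for "when decommissions the MFA Servers" raised on that article applies to the decommissioning line here as well.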
-* Uninstall multifactor authentication Server from the Control Panel on the server
+* Uninstall Multi-Factor Authentication Server from the Control Panel on the server
* Optionally clean up logs and data directories that are left behind after backing them up first.
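Review bot: the reverted bullet is the only one in this list without a terminating period; add it so the list stays consistent.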
active-directory Howto Authentication Passwordless Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-deployment.md
Microsoft provides communication templates for end users. Download the [authenti
## Plan user registration
-Users register their passwordless method as a part of the **combined security information workflow** at [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). Microsoft Entra ID logs registration of security keys and the Authenticator app, and any other changes to the authentication methods.
+Users register their passwordless method as a part of the **combined security information workflow** at [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). Microsoft Entra logs registration of security keys and the Authenticator app, and any other changes to the authentication methods.
For the first-time user who doesn't have a password, admins can provide a [Temporary Access Passcode](howto-authentication-temporary-access-pass.md) to register their security information in [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo) . This is a time-limited passcode and satisfies strong authentication requirements. **Temporary Access Pass is a per-user process**.
This method can also be used for easy recovery when the user has lost or forgott
**MFA server** - End users enabled for multifactor authentication through an organization's on-premises MFA server can create and use a single passwordless phone sign-in credential. If the user attempts to upgrade multiple installations (5 or more) of the Authenticator app with the credential, this change may result in an error. > [!IMPORTANT]
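Review bot: the replacement drops "ID": "Microsoft Entra logs registration…" names the product family rather than the directory service that writes the log. Elsewhere in this commit the service is written "Microsoft Entra ID" (the passwordless FAQ and NPS articles, for example); keep the original "Microsoft Entra ID logs registration…".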
-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their users' authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
**Device registration** - To use the Authenticator app for passwordless authentication, the device must be registered in the Microsoft Entra tenant and can't be a shared device. A device can only be registered in a single tenant. This limit means that only one work or school account is supported for phone sign-in using the Authenticator app.
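Review bot: only the product name at the start of the IMPORTANT block is reverted; the rest still says "cloud-based Azure MFA service", "Azure MFA Server update" and "Azure MFA Server Migration", whereas the same block in the AD FS 2.0 article at the end of this commit says "cloud-based Microsoft Entra multifactor authentication service". Make the two copies identical; this block carries the September 30, 2024 cut-off and is the text users will search for.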
active-directory Howto Authentication Passwordless Faqs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-passwordless-faqs.md
Like any other DC, the Microsoft Entra Kerberos server encryption *krbtgt* keys
### Why do we need Microsoft Entra Connect? Does it write any info back to AD DS from Microsoft Entra ID?
-Microsoft Entra Connect doesn't write info back from Microsoft Entra ID to AD DS. The utility includes the PowerShell module to create the Kerberos Server Object in AD DS and publish it in Microsoft Entra ID.
+Microsoft Entra Connect doesn't write info back from Microsoft Entra ID to Active Directory DS. The utility includes the PowerShell module to create the Kerberos Server Object in AD DS and publish it in Microsoft Entra ID.
### What does the HTTP request/response look like when requesting PRT+ partial TGT?
Microsoft Entra ID combines the encrypted client key and message buffer into the
| tgt_message_buffer | string | Base64 encoded KERB_MESSAGE_BUFFER. | ### Do users need to be a member of the Domain Users Active Directory group?
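Review bot: "Active Directory DS" is a form used nowhere else, and the same sentence goes on to write "AD DS". Either spell out "Active Directory Domain Services (AD DS)" on first use or keep "AD DS" in both places.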
-Yes. A user must be in the Domain Users group to be able to sign-in using Azure AD Kerberos.
+Yes. A user must be in the Domain Users group to be able to sign-in using Microsoft Entra Kerberos.
## Next steps
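Review bot: "to be able to sign-in using Microsoft Entra Kerberos" uses the noun form; as a verb it is "sign in".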
active-directory Howto Authentication Use Email Signin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-authentication-use-email-signin.md
Many organizations want to let users sign in to Microsoft Entra ID using the sam
Some organizations haven't moved to hybrid authentication for the following reasons:
-* By default, the Microsoft Entra User Principal Name (UPN) is set to the same value as the on-premises UPN.
+* By default, the Microsoft Entra user Principal Name (UPN) is set to the same value as the on-premises UPN.
* Changing the Microsoft Entra UPN creates a mismatch between on-premises and Microsoft Entra environments that could cause problems with certain applications and services. * Due to business or compliance reasons, the organization doesn't want to use the on-premises UPN to sign in to Microsoft Entra ID.
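Review bot: lowercasing only the first word gives "user Principal Name (UPN)", which is wrong under either convention. Use "user principal name (UPN)" or restore "User Principal Name (UPN)"; the next bullet relies on the "UPN" abbreviation, so the definition must stay.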
active-directory Howto Mfa Nps Extension Rdg https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-rdg.md
Typically, organizations use NPS (RADIUS) to simplify and centralize the managem
Organizations can also integrate NPS with Microsoft Entra multifactor authentication to enhance security and provide a high level of compliance. This helps ensure that users establish two-step verification to sign in to the Remote Desktop Gateway. For users to be granted access, they must provide their username/password combination along with information that the user has in their control. This information must be trusted and not easily duplicated, such as a cell phone number, landline number, application on a mobile device, and so on. RDG currently supports phone call and **Approve**/**Deny** push notifications from Microsoft authenticator app methods for 2FA. For more information about supported authentication methods see the section [Determine which authentication methods your users can use](howto-mfa-nps-extension.md#determine-which-authentication-methods-your-users-can-use).
-Prior to the availability of the NPS extension for Azure, customers who wished to implement two-step verification for integrated NPS and Microsoft Entra multifactor authentication environments had to configure and maintain a separate MFA Server in the on-premises environment as documented in [Remote Desktop Gateway and Azure multifactor authentication Server using RADIUS](howto-mfaserver-nps-rdg.md).
+Prior to the availability of the NPS extension for Azure, customers who wished to implement two-step verification for integrated NPS and Microsoft Entra multifactor authentication environments had to configure and maintain a separate MFA Server in the on-premises environment as documented in [Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS](howto-mfaserver-nps-rdg.md).
The availability of the NPS extension for Azure now gives organizations the choice to deploy either an on-premises based MFA solution or a cloud-based MFA solution to secure RADIUS client authentication.
This section details the prerequisites necessary before integrating Microsoft En
* Microsoft Entra multifactor authentication License * Windows Server software * Network Policy and Access Services (NPS) role
-* Azure Active Directory synched with on-premises Active Directory
+* Microsoft Entra synched with on-premises Active Directory
* Microsoft Entra GUID ID ### Remote Desktop Services (RDS) infrastructure
The NPS role service provides the RADIUS server and client functionality as well
For information on installing the NPS role service Windows Server 2012 or older, see [Install a NAP Health Policy Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd296890(v=ws.10)). For a description of best practices for NPS, including the recommendation to install NPS on a domain controller, see [Best Practices for NPS](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771746(v=ws.10)).
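Review bot: "Microsoft Entra synched with on-premises Active Directory" has lost the "ID" that the parallel bullet in the VPN article keeps ("Microsoft Entra ID synced…"), and it uses "synched" where that article and the rest of this page use "synced". Align both.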
-### Azure Active Directory synched with on-premises Active Directory
+<a name='azure-active-directory-synched-with-on-premises-active-directory'></a>
+
+### Microsoft Entra synched with on-premises Active Directory
To use the NPS extension, on-premises users must be synced with Microsoft Entra ID and enabled for MFA. This section assumes that on-premises users are synched with Microsoft Entra ID using AD Connect. For information on Microsoft Entra Connect, see [Integrate your on-premises directories with Microsoft Entra ID](../hybrid/whatis-hybrid-identity.md).
The image below from Microsoft Message Analyzer shows network traffic filtered o
[How to get Microsoft Entra multifactor authentication](concept-mfa-licensing.md)
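Review bot: the new heading should match the prerequisite bullet and the VPN article's heading ("Microsoft Entra ID synced with on-premises Active Directory"); the `<a name='azure-active-directory-synched-with-on-premises-active-directory'>` added above it correctly keeps the old slug reachable. The paragraph under the heading still says users are "synched with Microsoft Entra ID using AD Connect" and then "Microsoft Entra Connect" in the next sentence; use the current name in both.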
-[Remote Desktop Gateway and Azure multifactor authentication Server using RADIUS](howto-mfaserver-nps-rdg.md)
+[Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS](howto-mfaserver-nps-rdg.md)
[Integrate your on-premises directories with Microsoft Entra ID](../hybrid/whatis-hybrid-identity.md)
active-directory Howto Mfa Nps Extension Vpn https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-nps-extension-vpn.md
Network Policy and Access Services gives organizations the ability to:
To enhance security and provide a high level of compliance, organizations can integrate NPS with Microsoft Entra multifactor authentication to ensure that users use two-step verification to connect to the virtual port on the VPN server. For users to be granted access, they must provide their username and password combination and other information that they control. This information must be trusted and not easily duplicated. It can include a cell phone number, a landline number, or an application on a mobile device.
-Prior to the availability of the NPS extension for Azure, customers who wanted to implement two-step verification for integrated NPS and MFA environments had to configure and maintain a separate MFA server in an on-premises environment. This type of authentication is offered by Remote Desktop Gateway and Azure multifactor authentication Server using RADIUS.
+Prior to the availability of the NPS extension for Azure, customers who wanted to implement two-step verification for integrated NPS and MFA environments had to configure and maintain a separate MFA server in an on-premises environment. This type of authentication is offered by Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS.
With the NPS extension for Azure, organizations can secure RADIUS client authentication by deploying either an on-premises based MFA solution or a cloud-based MFA solution.
This section details the prerequisites that must be completed before you can int
* Microsoft Entra multifactor authentication license * Windows Server software * Libraries
-* Azure Active Directory (Azure AD) synced with on-premises Active Directory
+* Microsoft Entra ID synced with on-premises Active Directory
* Microsoft Entra GUID ID ### VPN infrastructure
The following libraries are installed automatically with the NPS extension:
If the Azure Active Directory PowerShell module is not already present, it is installed with a configuration script that you run as part of the setup process. There is no need to install the module ahead of time if it is not already installed.
-### Azure Active Directory synced with on-premises Active Directory
+<a name='azure-active-directory-synced-with-on-premises-active-directory'></a>
+
+### Microsoft Entra ID synced with on-premises Active Directory
To use the NPS extension, on-premises users must be synced with Microsoft Entra ID and enabled for MFA. This guide assumes that on-premises users are synced with Microsoft Entra ID via Microsoft Entra Connect. Instructions for enabling users for MFA are provided below.
For more information, see [Integrate your existing NPS infrastructure with Micro
[Get Microsoft Entra multifactor authentication](concept-mfa-licensing.md)
-[Remote Desktop Gateway and Azure multifactor authentication Server using RADIUS](howto-mfaserver-nps-rdg.md)
+[Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS](howto-mfaserver-nps-rdg.md)
[Integrate your on-premises directories with Microsoft Entra ID](../hybrid/whatis-hybrid-identity.md)
active-directory Howto Mfa Reporting Datacollection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-reporting-datacollection.md
# Microsoft Entra user data collection for multifactor authentication and self-service password reset
-This document explains how to find user information collected by Azure multifactor authentication Server (MFA Server), Microsoft Entra multifactor authentication (Cloud-based), and self-service password reset (SSPR) in the event you would like to remove it.
+This document explains how to find user information collected by Azure Multi-Factor Authentication Server (MFA Server), Microsoft Entra multifactor authentication (Cloud-based), and self-service password reset (SSPR) in the event you would like to remove it.
[!INCLUDE [gdpr-hybrid-note](../../../includes/gdpr-hybrid-note.md)]
active-directory Howto Mfa Userdevicesettings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfa-userdevicesettings.md
If you're assigned the *Authentication Administrator* role, you can require user
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Authentication Administrator](../roles/permissions-reference.md#authentication-administrator). 1. Browse to **Identity** > **Users** > **All users**. 1. Select **Multifactor authentication**. You may need to scroll to the right to see this menu option. Select the example screenshot below to see the full window and menu location:
- [![Select multifactor authentication from the Users window in Azure AD.](media/howto-mfa-userstates/selectmfa-cropped.png)](media/howto-mfa-userstates/selectmfa.png#lightbox)
+ [![Select multifactor authentication from the Users window in Microsoft Entra ID.](media/howto-mfa-userstates/selectmfa-cropped.png)](media/howto-mfa-userstates/selectmfa.png#lightbox)
1. Check the box next to the user or users that you wish to manage. A list of quick step options appears on the right. 1. Select **Manage user settings**, then check the box for **Delete all existing app passwords generated by the selected users**, as shown in the following example: ![Delete all existing app passwords](./media/howto-mfa-userdevicesettings/deleteapppasswords.png)
If you're assigned the *Authentication Administrator* role, you can require user
This article showed you how to configure individual user settings. To configure overall Microsoft Entra multifactor authentication service settings, see [Configure Microsoft Entra multifactor authentication settings](howto-mfa-mfasettings.md). If your users need help, see the [User guide for Microsoft Entra multifactor authentication](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc).--
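Review bot: the closing paragraph in this hunk's context ends in a stray `--` after the closing parenthesis of the user-guide link; remove it.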
active-directory Howto Mfaserver Adfs 2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-adfs-2.md
Title: Use Microsoft Entra multifactor authentication Server with AD FS 2.0
+ Title: Use Azure Multi-Factor Authentication Server with AD FS 2.0
description: Describes how to get started with Microsoft Entra multifactor authentication and AD FS 2.0.
-# Configure Azure multifactor authentication Server to work with AD FS 2.0
+# Configure Azure Multi-Factor Authentication Server to work with AD FS 2.0
-This article is for organizations that are federated with Microsoft Entra ID, and want to secure resources that are on-premises or in the cloud. Protect your resources by using the Azure multifactor authentication Server and configuring it to work with AD FS so that two-step verification is triggered for high-value end points.
+This article is for organizations that are federated with Microsoft Entra ID, and want to secure resources that are on-premises or in the cloud. Protect your resources by using the Azure Multi-Factor Authentication Server and configuring it to work with AD FS so that two-step verification is triggered for high-value end points.
-This documentation covers using the Azure multifactor authentication Server with AD FS 2.0. For information about AD FS, see [Securing cloud and on-premises resources using Azure multifactor authentication Server with Windows Server](howto-mfaserver-adfs-windows-server.md).
+This documentation covers using the Azure Multi-Factor Authentication Server with AD FS 2.0. For information about AD FS, see [Securing cloud and on-premises resources using Azure Multi-Factor Authentication Server with Windows Server](howto-mfaserver-adfs-windows-server.md).
> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra multifactor authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra multifactor authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Azure Multi-Factor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure Multi-Factor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
> > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure multifactor authentication](tutorial-enable-azure-mfa.md). >
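Review bot: the rewritten deprecation notice carries the mojibake `usersΓÇÖ authentication data` forward unchanged into the `+` line; since the line is being rewritten anyway, replace `ΓÇÖ` with a plain apostrophe (`users' authentication data`) so the rendered page stops showing the garbled bytes. The same sequence appears in every copy of this notice in the other MFA Server articles in this change. Also, the unchanged context line that closes the notice still links the tutorial as "Secure user sign-in events with Azure multifactor authentication", while the high-availability article in this same change names the identical tutorial "Secure user sign-in events with Microsoft Entra multifactor authentication"; the cloud service was not part of the Server rename, so pick one name for it and apply it to every copy of the notice.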
This documentation covers using the Azure multifactor authentication Server with
## Secure AD FS 2.0 with a proxy
-To secure AD FS 2.0 with a proxy, install the Azure multifactor authentication Server on the AD FS proxy server.
+To secure AD FS 2.0 with a proxy, install the Azure Multi-Factor Authentication Server on the AD FS proxy server.
### Configure IIS authentication
-1. In the Azure multifactor authentication Server, click the **IIS Authentication** icon in the left menu.
+1. In the Azure Multi-Factor Authentication Server, click the **IIS Authentication** icon in the left menu.
2. Click the **Form-Based** tab. 3. Click **Add**.
Make sure users are imported from Active Directory into the Server. To allow use
## AD FS 2.0 Direct without a proxy
-You can secure AD FS when the AD FS proxy isn't used. Install the Azure multifactor authentication Server on the AD FS server and configure the Server per the following steps:
+You can secure AD FS when the AD FS proxy isn't used. Install the Azure Multi-Factor Authentication Server on the AD FS server and configure the Server per the following steps:
-1. Within the Azure multifactor authentication Server, click the **IIS Authentication** icon in the left menu.
+1. Within the Azure Multi-Factor Authentication Server, click the **IIS Authentication** icon in the left menu.
2. Click the **HTTP** tab. 3. Click **Add**. 4. In the Add Base URL dialogue box, enter the URL for the AD FS website where HTTP authentication is performed (like `https://sso.domain.com/adfs/ls/auth/integrated`) into the Base URL field. Then, enter an Application name (optional). The Application name appears in Azure multifactor authentication reports and may be displayed within SMS or Mobile App authentication messages.
active-directory Howto Mfaserver Adfs Windows Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-adfs-windows-server.md
-# Configure Azure multifactor authentication Server to work with AD FS in Windows Server
+# Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server
-If you use Active Directory Federation Services (AD FS) and want to secure cloud or on-premises resources, you can configure Azure multifactor authentication Server to work with AD FS. This configuration triggers two-step verification for high-value endpoints.
+If you use Active Directory Federation Services (AD FS) and want to secure cloud or on-premises resources, you can configure Azure Multi-Factor Authentication Server to work with AD FS. This configuration triggers two-step verification for high-value endpoints.
-In this article, we discuss using Azure multifactor authentication Server with AD FS beginning with Windows Server 2016. For more information, read about how to [secure cloud and on-premises resources by using Azure multifactor authentication Server with AD FS 2.0](howto-mfaserver-adfs-2.md).
+In this article, we discuss using Azure Multi-Factor Authentication Server with AD FS beginning with Windows Server 2016. For more information, read about how to [secure cloud and on-premises resources by using Azure Multi-Factor Authentication Server with AD FS 2.0](howto-mfaserver-adfs-2.md).
> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
> > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure multifactor authentication](tutorial-enable-azure-mfa.md). >
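Review bot: the rewritten deprecation notice here diverges from the copy in the AD FS 2.0 article in this same change. This `+` line says "migrate ... to the cloud-based Azure MFA service" and links "Azure MFA Server update" and "Azure MFA Server Migration", whereas the AD FS 2.0 copy says "to the cloud-based Microsoft Entra multifactor authentication service" and links "Azure Multi-Factor Authentication Server update" and "Azure Multi-Factor Authentication Server Migration". This is a shared boilerplate block that readers will see repeated across the MFA Server articles; make the wording identical in every copy rather than renaming only the product name in each.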
In this article, we discuss using Azure multifactor authentication Server with A
<a name='secure-windows-server-ad-fs-with-azure-multi-factor-authentication-server'></a>
-## Secure Windows Server AD FS with Azure multifactor authentication Server
+<a name='secure-windows-server-ad-fs-with-azure-multifactor-authentication-server'></a>
-When you install Azure multifactor authentication Server, you have the following options:
+## Secure Windows Server AD FS with Azure Multi-Factor Authentication Server
-* Install Azure multifactor authentication Server locally on the same server as AD FS
-* Install the Azure multifactor authentication adapter locally on the AD FS server, and then install multifactor authentication Server on a different computer
+When you install Azure Multi-Factor Authentication Server, you have the following options:
+
+* Install Azure Multi-Factor Authentication Server locally on the same server as AD FS
+* Install the Azure multifactor authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer
Before you begin, be aware of the following information:
-* You don't have to install Azure multifactor authentication Server on your AD FS server. However, you must install the multifactor authentication adapter for AD FS on a Windows Server 2012 R2 or Windows Server 2016 that is running AD FS. You can install the server on a different computer if you install the AD FS adapter separately on your AD FS federation server. See the following procedures to learn how to install the adapter separately.
+* You don't have to install Azure Multi-Factor Authentication Server on your AD FS server. However, you must install the multifactor authentication adapter for AD FS on a Windows Server 2012 R2 or Windows Server 2016 that is running AD FS. You can install the server on a different computer if you install the AD FS adapter separately on your AD FS federation server. See the following procedures to learn how to install the adapter separately.
* If your organization is using text message or mobile app verification methods, the strings defined in Company Settings contain a placeholder, <$*application_name*$>. In MFA Server v7.1, you can provide an application name that replaces this placeholder. In v7.0 or older, this placeholder is not automatically replaced when you use the AD FS adapter. For those older versions, remove the placeholder from the appropriate strings when you secure AD FS. * The account that you use to sign in must have user rights to create security groups in your Active Directory service. * The multifactor Authentication AD FS adapter installation wizard creates a security group called PhoneFactor Admins in your instance of Active Directory. It then adds the AD FS service account of your federation service to this group. Verify that the PhoneFactor Admins group was created on your domain controller, and that the AD FS service account is a member of this group. If necessary, manually add the AD FS service account to the PhoneFactor Admins group on your domain controller.
-* For information about installing the Web Service SDK with the user portal, see [deploying the user portal for Azure multifactor authentication Server.](howto-mfaserver-deploy-userportal.md)
+* For information about installing the Web Service SDK with the user portal, see [deploying the user portal for Azure Multi-Factor Authentication Server.](howto-mfaserver-deploy-userportal.md)
<a name='install-azure-multi-factor-authentication-server-locally-on-the-ad-fs-server'></a>
-### Install Azure multifactor authentication Server locally on the AD FS server
+<a name='install-azure-multifactor-authentication-server-locally-on-the-ad-fs-server'></a>
+
+### Install Azure Multi-Factor Authentication Server locally on the AD FS server
-1. Download and install Azure multifactor authentication Server on your AD FS server. For installation information, read about [getting started with Azure multifactor authentication Server](howto-mfaserver-deploy.md).
-2. In the Azure multifactor authentication Server management console, click the **AD FS** icon. Select the options **Allow user enrollment** and **Allow users to select method**.
+1. Download and install Azure Multi-Factor Authentication Server on your AD FS server. For installation information, read about [getting started with Azure Multi-Factor Authentication Server](howto-mfaserver-deploy.md).
+2. In the Azure Multi-Factor Authentication Server management console, click the **AD FS** icon. Select the options **Allow user enrollment** and **Allow users to select method**.
3. Select any additional options you'd like to specify for your organization. 4. Click **Install AD FS Adapter**.
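Review bot: the heading rename makes the pre-existing explicit anchor redundant and produces duplicate ids. `## Secure Windows Server AD FS with Azure Multi-Factor Authentication Server` auto-generates the id `secure-windows-server-ad-fs-with-azure-multi-factor-authentication-server`, which is exactly the `<a name=...>` kept as unchanged context above it, so the rendered page ends up with two elements carrying the same id. The newly added `<a name='secure-windows-server-ad-fs-with-azure-multifactor-authentication-server'></a>` is the right one to keep, because it preserves the interim slug that external links may already point at; drop the old explicit anchor. The same pattern recurs at `### Install Azure Multi-Factor Authentication Server locally on the AD FS server` in this file and at `## Install the Multi-Factor Authentication Server` in the PhoneFactor upgrade article. Separately, the bullet `+* Install the Azure multifactor authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer` renames the Server but leaves the adapter as "Azure multifactor authentication adapter", while the unchanged text below calls it "the multifactor Authentication AD FS adapter"; settle on one name for the adapter in this pass.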
Before you begin, be aware of the following information:
5. If the Active Directory window is displayed, that means two things. Your computer is joined to a domain, and the Active Directory configuration for securing communication between the AD FS adapter and the multifactor authentication service is incomplete. Click **Next** to automatically complete this configuration, or select the **Skip automatic Active Directory configuration and configure settings manually** check box. Click **Next**. 6. If the Local Group window is displayed, that means two things. Your computer is not joined to a domain, and the local group configuration for securing communication between the AD FS adapter and the multifactor authentication service is incomplete. Click **Next** to automatically complete this configuration, or select the **Skip automatic Local Group configuration and configure settings manually** check box. Click **Next**.
-7. In the installation wizard, click **Next**. Azure multifactor authentication Server creates the PhoneFactor Admins group and adds the AD FS service account to the PhoneFactor Admins group.
+7. In the installation wizard, click **Next**. Azure Multi-Factor Authentication Server creates the PhoneFactor Admins group and adds the AD FS service account to the PhoneFactor Admins group.
8. On the **Launch Installer** page, click **Next**. 9. In the multifactor authentication AD FS adapter installer, click **Next**. 10. Click **Close** when the installation is finished.
Before you begin, be aware of the following information:
![Edit global authentication policy](./media/howto-mfaserver-adfs-2012/global.png)
-At this point, multifactor authentication Server is set up to be an additional authentication provider to use with AD FS.
+At this point, Multi-Factor Authentication Server is set up to be an additional authentication provider to use with AD FS.
## Install a standalone instance of the AD FS adapter by using the Web Service SDK
-1. Install the Web Service SDK on the server that is running multifactor authentication Server.
-2. Copy the following files from the \Program Files\multifactor authentication Server directory to the server on which you plan to install the AD FS adapter:
+1. Install the Web Service SDK on the server that is running Multi-Factor Authentication Server.
+2. Copy the following files from the \Program Files\Multi-Factor Authentication Server directory to the server on which you plan to install the AD FS adapter:
* MultiFactorAuthenticationAdfsAdapterSetup64.msi * Register-MultiFactorAuthenticationAdfsAdapter.ps1 * Unregister-MultiFactorAuthenticationAdfsAdapter.ps1
If you don't want to use a username and password, follow these steps to configur
24. Open the client certificate and copy the thumbprint from the **Details** tab. 25. In the MultiFactorAuthenticationAdfsAdapter.config file, set **WebServiceSdkCertificateThumbprint** to the string copied in the previous step.
-Finally, to register the adapter, run the \Program Files\multifactor authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1 script in PowerShell. The adapter is registered as WindowsAzureMultiFactorAuthentication. Restart the AD FS service for the registration to take effect.
+Finally, to register the adapter, run the \Program Files\Multi-Factor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1 script in PowerShell. The adapter is registered as WindowsAzureMultiFactorAuthentication. Restart the AD FS service for the registration to take effect.
<a name='secure-azure-ad-resources-using-ad-fs'></a>
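Review bot: the restored path in `2. Copy the following files from the \Program Files\Multi-Factor Authentication Server directory` and in `run the \Program Files\Multi-Factor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1 script` is a literal on-disk location, so this part of the change is a genuine correction rather than a branding edit: the previous "\Program Files\multifactor authentication Server" wording pointed readers at a directory that does not exist. Confirm the literal is restored in every occurrence (the PhoneFactor upgrade article's `C:\Program Files\Multi-Factor Authentication Server` default install path is the other one in this change) and exclude file-system paths, file names and the `WindowsAzureMultiFactorAuthentication` registration name from any future automated rename so they are not corrupted again.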
active-directory Howto Mfaserver Deploy Ha https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-deploy-ha.md
Title: High availability for Azure MFA Server
-description: Deploy multiple instances of Azure multifactor authentication Server in configurations that provide high availability.
+description: Deploy multiple instances of Azure Multi-Factor Authentication Server in configurations that provide high availability.
-# Configure Azure multifactor authentication Server for high availability
+# Configure Azure Multi-Factor Authentication Server for high availability
To achieve high-availability with your Azure Server MFA deployment, you need to deploy multiple MFA servers. This section provides information on a load-balanced design to achieve your high availability targets in your Azure MFS Server deployment. > [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
> > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md). >
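Review bot: the unchanged sentence immediately before the rewritten notice reads "To achieve high-availability with your Azure Server MFA deployment" and "in your Azure MFS Server deployment"; both are typos for the product being renamed on the surrounding lines (either "Azure Multi-Factor Authentication Server" or "Azure MFA Server", which is what the Title uses) and should be fixed while this paragraph is being touched. The notice itself again says "cloud-based Azure MFA service", which differs from the AD FS 2.0 article's copy of the same block in this change.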
active-directory Howto Mfaserver Deploy Mobileapp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-deploy-mobileapp.md
-# Enable mobile app authentication with Microsoft Entra multifactor authentication Server
+# Enable mobile app authentication with Azure Multi-Factor Authentication Server
The Microsoft Authenticator app offers an extra out-of-band verification option. Instead of placing an automated phone call or SMS to the user during login, Microsoft Entra multifactor authentication pushes a notification to the Authenticator app on the user's smartphone or tablet. The user simply taps **Verify** (or enters a PIN and taps "Authenticate") in the app to complete their sign-in. Using a mobile app for two-step verification is preferred when phone reception is unreliable. If you use the app as an OATH token generator, it doesn't require any network or internet connection. > [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Microsoft Entra multifactor authentication Server. Beginning September 30, 2024, Microsoft Entra multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md). > [!IMPORTANT]
-> If you have installed Microsoft Entra multifactor authentication Server v8.x or higher, most of the steps below are not required. Mobile app authentication can be set up by following the steps under [Configure the mobile app](#configure-the-mobile-app-settings-in-mfa-server).
+> If you have installed Azure Multi-Factor Authentication Server v8.x or higher, most of the steps below are not required. Mobile app authentication can be set up by following the steps under [Configure the mobile app](#configure-the-mobile-app-settings-in-mfa-server).
## Requirements
-To use the Authenticator app, you must be running Microsoft Entra multifactor authentication Server v8.x or higher
+To use the Authenticator app, you must be running Azure Multi-Factor Authentication Server v8.x or higher
## Configure the mobile app settings in MFA Server
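Review bot: the two rewritten lines contradict each other. The `> [!IMPORTANT]` block says `If you have installed Azure Multi-Factor Authentication Server v8.x or higher, most of the steps below are not required`, yet the `## Requirements` line right after it says `To use the Authenticator app, you must be running Azure Multi-Factor Authentication Server v8.x or higher`. If v8.x is a hard requirement, the condition in the note is always true and the "steps below" it refers to can never apply; either the note is stale and should be removed, or the requirement overstates the minimum version and should name the real one. Since the rename touches both lines, this is the moment to resolve it rather than carry the contradiction forward.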
To use the Authenticator app, you must be running Microsoft Entra multifactor au
## Next steps -- [Advanced scenarios with Microsoft Entra multifactor authentication Server and third-party VPNs](howto-mfaserver-nps-vpn.md).
+- [Advanced scenarios with Azure Multi-Factor Authentication Server and third-party VPNs](howto-mfaserver-nps-vpn.md).
active-directory Howto Mfaserver Deploy Upgrade Pf https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-deploy-upgrade-pf.md
Title: Upgrade PhoneFactor to Microsoft Entra multifactor authentication Server
-description: Get started with Microsoft Entra multifactor authentication Server when you upgrade from the older phonefactor agent.
+ Title: Upgrade PhoneFactor to Azure Multi-Factor Authentication Server
+description: Get started with Azure Multi-Factor Authentication Server when you upgrade from the older phonefactor agent.
-# Upgrade the PhoneFactor Agent to Microsoft Entra multifactor authentication Server
+# Upgrade the PhoneFactor Agent to Azure Multi-Factor Authentication Server
-To upgrade the PhoneFactor Agent v5.x or older to Microsoft Entra multifactor authentication Server, uninstall the PhoneFactor Agent and affiliated components first. Then the multifactor authentication Server and its affiliated components can be installed.
+To upgrade the PhoneFactor Agent v5.x or older to Azure Multi-Factor Authentication Server, uninstall the PhoneFactor Agent and affiliated components first. Then the Multi-Factor Authentication Server and its affiliated components can be installed.
> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Microsoft Entra multifactor authentication Server. Beginning September 30, 2024, Microsoft Entra multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md).
To upgrade the PhoneFactor Agent v5.x or older to Microsoft Entra multifactor au
<a name='install-the-multi-factor-authentication-server'></a>
-## Install the multifactor authentication Server
+<a name='install-the-multifactor-authentication-server'></a>
-The installation path is picked up from the registry from the previous PhoneFactor Agent installation, so it should install in the same location (for example, C:\Program Files\PhoneFactor). New installations have a different default install path (for example, C:\Program Files\multifactor authentication Server). The data file left by the previous PhoneFactor Agent should be upgraded during installation, so your users and settings should still be there after installing the new multifactor authentication Server.
+## Install the Multi-Factor Authentication Server
-1. If prompted, activate the multifactor authentication Server and ensure it is assigned to the correct replication group.
+The installation path is picked up from the registry from the previous PhoneFactor Agent installation, so it should install in the same location (for example, C:\Program Files\PhoneFactor). New installations have a different default install path (for example, C:\Program Files\Multi-Factor Authentication Server). The data file left by the previous PhoneFactor Agent should be upgraded during installation, so your users and settings should still be there after installing the new Multi-Factor Authentication Server.
-2. If the Web Service SDK was previously installed, install the new Web Service SDK through the multifactor authentication Server User Interface.
+1. If prompted, activate the Multi-Factor Authentication Server and ensure it is assigned to the correct replication group.
+
+2. If the Web Service SDK was previously installed, install the new Web Service SDK through the Multi-Factor Authentication Server User Interface.
The default virtual directory name is now **MultiFactorAuthWebServiceSdk** instead of **PhoneFactorWebServiceSdk**. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you have to change the URL in any applications that reference the Web Service SDK (like the User portal and Mobile App Web Service) to point at the correct location.
-3. If the User portal was previously installed on the PhoneFactor Agent Server, install the new multifactor authentication User portal through the multifactor authentication Server User Interface.
+3. If the User portal was previously installed on the PhoneFactor Agent Server, install the new multifactor authentication User portal through the Multi-Factor Authentication Server User Interface.
- The default virtual directory name is now **MultiFactorAuth** instead of **PhoneFactor**. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you should click the User portal icon in the multifactor authentication Server and update the User portal URL on the Settings tab.
+ The default virtual directory name is now **MultiFactorAuth** instead of **PhoneFactor**. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you should click the User portal icon in the Multi-Factor Authentication Server and update the User portal URL on the Settings tab.
4. If the User portal and/or Mobile App Web Service was previously installed on a different server from the PhoneFactor Agent:
The installation path is picked up from the registry from the previous PhoneFact
2. To install the User portal on the web server, open a command prompt as an administrator and run MultiFactorAuthenticationUserPortalSetupXX.msi.
- The default virtual directory name is now **MultiFactorAuth** instead of **PhoneFactor**. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you should click the User portal icon in the multifactor authentication Server and update the User portal URL on the Settings tab. Existing users need to be informed of the new URL.
+ The default virtual directory name is now **MultiFactorAuth** instead of **PhoneFactor**. If you want to use the previous name, you must change the name of the virtual directory during installation. Otherwise, if you allow the install to use the new default name, you should click the User portal icon in the Multi-Factor Authentication Server and update the User portal URL on the Settings tab. Existing users need to be informed of the new URL.
3. Go to the User portal install location (for example, C:\inetpub\wwwroot\MultiFactorAuth) and edit the web.config file. Copy the values in the appSettings and applicationSettings sections from your original web.config file that was backed up before the upgrade into the new web.config file. If the new default virtual directory name was kept when installing the Web Service SDK, change the URL in the applicationSettings section to point to the correct location. If any other defaults were changed in the previous web.config file, apply those same changes to the new web.config file.
The installation path is picked up from the registry from the previous PhoneFact
## Next steps -- [Install the users portal](howto-mfaserver-deploy-userportal.md) for the Microsoft Entra multifactor authentication Server.
+- [Install the users portal](howto-mfaserver-deploy-userportal.md) for the Azure Multi-Factor Authentication Server.
- [Configure Windows Authentication](howto-mfaserver-windows.md) for your applications.
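Review bot: the link text in the `+` line, "Install the users portal", should read "user portal" to match the target article's H1, which this same change set renames to "User portal for the Azure Multi-Factor Authentication Server"; suggest `- [Install the user portal](howto-mfaserver-deploy-userportal.md) for the Azure Multi-Factor Authentication Server.`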
active-directory Howto Mfaserver Deploy Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-deploy-upgrade.md
Title: Upgrading Azure MFA Server
-description: Steps and guidance to upgrade the Microsoft Entra multifactor authentication Server to a newer version.
+description: Steps and guidance to upgrade the Azure Multi-Factor Authentication Server to a newer version.
-# Upgrade to the latest Microsoft Entra multifactor authentication Server
+# Upgrade to the latest Azure Multi-Factor Authentication Server
-This article walks you through the process of upgrading Microsoft Entra multifactor authentication Server v6.0 or higher. If you need to upgrade an old version of the PhoneFactor Agent, refer to [Upgrade the PhoneFactor Agent to Microsoft Entra multifactor authentication Server](howto-mfaserver-deploy-upgrade-pf.md).
+This article walks you through the process of upgrading Azure Multi-Factor Authentication Server v6.0 or higher. If you need to upgrade an old version of the PhoneFactor Agent, refer to [Upgrade the PhoneFactor Agent to Azure Multi-Factor Authentication Server](howto-mfaserver-deploy-upgrade-pf.md).
If you're upgrading from v6.x or older to v7.x or newer, all components change from .NET 2.0 to .NET 4.5. All components also require Microsoft Visual C++ 2015 Redistributable Update 1 or higher. The MFA Server installer installs both the x86 and x64 versions of these components if they aren't already installed. If the User Portal and Mobile App Web Service run on separate servers, you need to install those packages before upgrading those components. You can search for the latest Microsoft Visual C++ 2015 Redistributable update on the [Microsoft Download Center](https://www.microsoft.com/download/). > [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Microsoft Entra multifactor authentication Server. Beginning September 30, 2024, Microsoft Entra multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md).
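Review bot: the replacement IMPORTANT line re-commits the mis-encoded apostrophe in "usersΓÇÖ authentication data" (a UTF-8 right single quote shown as three wrong-code-page characters); since the line is being rewritten anyway, use a plain ASCII apostrophe: `migrate their users' authentication data`. The same line keeps "cloud-based Azure MFA service", while the identical banner in howto-mfaserver-deploy.md later in this change set says "cloud-based Microsoft Entra multifactor authentication service" and the unchanged tutorial link on the next line uses the Microsoft Entra name; the cloud service should be named the same way in every copy of this banner.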
Upgrade steps at a glance:
## Upgrade Azure MFA Server
-1. Use the instructions in [Download the Microsoft Entra multifactor authentication Server](howto-mfaserver-deploy.md#download-the-mfa-server) to get the latest version of the Azure MFA Server installer.
-2. Make a backup of the MFA Server data file located at C:\Program Files\multifactor authentication Server\Data\PhoneFactor.pfdata (assuming the default install location) on your primary MFA Server.
+1. Use the instructions in [Download the Azure Multi-Factor Authentication Server](howto-mfaserver-deploy.md#download-the-mfa-server) to get the latest version of the Azure MFA Server installer.
+2. Make a backup of the MFA Server data file located at C:\Program Files\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata (assuming the default install location) on your primary MFA Server.
3. If you run multiple servers for high availability, change the client systems that authenticate to the MFA Server so that they stop sending traffic to the servers that are upgrading. If you use a load balancer, remove a subordinate MFA Server from the load balancer, do the upgrade, and then add the server back into the farm. 4. Run the new installer on each MFA Server. Upgrade subordinate servers first because they can read the old data file being replicated by the primary. > [!NOTE] > When upgrading a server it should be removed from any load balancing or traffic sharing with other MFA Servers. >
- > You do not need to uninstall your current MFA Server before running the installer. The installer performs an in-place upgrade. The installation path is picked up from the registry from the previous installation, so it installs in the same location (for example, C:\Program Files\multifactor authentication Server).
+ > You do not need to uninstall your current MFA Server before running the installer. The installer performs an in-place upgrade. The installation path is picked up from the registry from the previous installation, so it installs in the same location (for example, C:\Program Files\Multi-Factor Authentication Server).
5. If you're prompted to install a Microsoft Visual C++ 2015 Redistributable update package, accept the prompt. Both the x86 and x64 versions of the package are installed. 6. If you use the Web Service SDK, you are prompted to install the new Web Service SDK. When you install the new Web Service SDK, make sure that the virtual directory name matches the previously installed virtual directory (for example, MultiFactorAuthWebServiceSdk).
Complete the upgrade of your MFA Servers and User Portal before moving to this s
### If MFA runs on different servers than AD FS
-These instructions only apply if you run multifactor authentication Server separately from your AD FS servers. If both services run on the same servers, skip this section and go to the installation steps.
+These instructions only apply if you run Multi-Factor Authentication Server separately from your AD FS servers. If both services run on the same servers, skip this section and go to the installation steps.
1. Save a copy of the MultiFactorAuthenticationAdfsAdapter.config file that was registered in AD FS, or export the configuration using the following PowerShell command: `Export-AdfsAuthenticationProviderConfigurationData -Name [adapter name] -FilePath [path to config file]`. The adapter name is either "WindowsAzureMultiFactorAuthentication" or "AzureMfaServerAuthentication" depending on the version previously installed. 2. Copy the following files from the MFA Server installation location to the AD FS servers:
active-directory Howto Mfaserver Deploy Userportal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-deploy-userportal.md
-# User portal for the Microsoft Entra multifactor authentication Server
+# User portal for the Azure Multi-Factor Authentication Server
The user portal is an IIS web site that allows users to enroll in Microsoft Entra multifactor authentication and maintain their accounts. A user may change their phone number, change their PIN, or choose to bypass two-step verification during their next sign-on.
Users sign in to the user portal with their normal username and password, then e
User portal Administrators may be set up and granted permission to add new users and update existing users.
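Review bot: the unchanged line under the renamed heading still says the portal lets users "enroll in Microsoft Entra multifactor authentication", which is the cloud service's name, while the NOTE further down in this article states the user portal is only available with Multi-Factor Authentication Server. With the H1 now "User portal for the Azure Multi-Factor Authentication Server", the enrollment sentence should name the Server too, so readers don't read the on-premises portal as a cloud MFA enrollment path.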
-Depending on your environment, you may want to deploy the user portal on the same server as Microsoft Entra multifactor authentication Server or on another internet-facing server.
+Depending on your environment, you may want to deploy the user portal on the same server as Azure Multi-Factor Authentication Server or on another internet-facing server.
> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Microsoft Entra multifactor authentication Server. Beginning September 30, 2024, Microsoft Entra multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md).
Depending on your environment, you may want to deploy the user portal on the sam
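Review bot: the `+` banner line carries over the garbled "usersΓÇÖ" from the removed line; it should be `users'` (or a properly encoded U+2019) so the rendered page doesn't show three stray characters. It also says "cloud-based Azure MFA service" whereas the same banner in howto-mfaserver-deploy.md in this change set says "cloud-based Microsoft Entra multifactor authentication service"; pick one name for the cloud service across the deprecation notice.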
![MFA Server User portal log in page](./media/howto-mfaserver-deploy-userportal/portal.png) > [!NOTE]
-> The user portal is only available with multifactor authentication Server. If you use multifactor authentication in the cloud, refer your users to the [Set-up your account for two-step verification](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) or [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7).
+> The user portal is only available with Multi-Factor Authentication Server. If you use multifactor authentication in the cloud, refer your users to the [Set-up your account for two-step verification](https://support.microsoft.com/account-billing/how-to-use-the-microsoft-authenticator-app-9783c865-0308-42fb-a519-8cf666fe0acc) or [Manage your settings for two-step verification](https://support.microsoft.com/account-billing/change-your-two-step-verification-method-and-settings-c801d5ad-e0fc-4711-94d5-33ad5d4630f7).
## Install the web service SDK
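Review bot: the link text "Set-up your account for two-step verification" in the `+` line uses the noun form; as an instruction it should be "Set up your account for two-step verification" (no hyphen), matching the second link "Manage your settings for two-step verification". Only the product name changed in this hunk, so this is the moment to fix it.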
-In either scenario, if the Microsoft Entra multifactor authentication Web Service SDK is **not** already installed on the Microsoft Entra multifactor authentication Server, complete the steps that follow.
+In either scenario, if the Microsoft Entra multifactor authentication Web Service SDK is **not** already installed on the Azure Multi-Factor Authentication Server, complete the steps that follow.
-1. Open the multifactor authentication Server console.
+1. Open the Multi-Factor Authentication Server console.
2. Go to the **Web Service SDK** and select **Install Web Service SDK**. 3. Complete the install using the defaults unless you need to change them for some reason. 4. Bind a TLS/SSL Certificate to the site in IIS.
The Web Service SDK must be secured with a TLS/SSL certificate. A self-signed ce
<a name='deploy-the-user-portal-on-the-same-server-as-the-azure-ad-multi-factor-authentication-server'></a>
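Review bot: the `+` line renames the host to "Azure Multi-Factor Authentication Server" but leaves the component as "Microsoft Entra multifactor authentication Web Service SDK", so one sentence now mixes two brands for what step 2 opens from the Server's own console. Suggest "Azure Multi-Factor Authentication Web Service SDK" (or simply "Web Service SDK") here, and the same treatment for the bulleted requirements later in this article, which have the same mix.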
-## Deploy the user portal on the same server as the Microsoft Entra multifactor authentication Server
+<a name='deploy-the-user-portal-on-the-same-server-as-the-microsoft-entra-multifactor-authentication-server'></a>
-The following pre-requisites are required to install the user portal on the **same server** as the Microsoft Entra multifactor authentication Server:
+## Deploy the user portal on the same server as the Azure Multi-Factor Authentication Server
+
+The following pre-requisites are required to install the user portal on the **same server** as the Azure Multi-Factor Authentication Server:
* IIS, including ASP.NET, and IIS 6 meta base compatibility (for IIS 7 or higher) * An account with admin rights for the computer and Domain if applicable. The account needs permissions to create Active Directory security groups.
The following pre-requisites are required to install the user portal on the **sa
To deploy the user portal, follow these steps:
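Review bot: besides the rename, the added paragraph keeps "pre-requisites" (standard spelling "prerequisites"), and the unchanged bullet below it says "IIS 6 meta base compatibility" where the IIS feature is "IIS 6 Metabase Compatibility"; fix both while these lines are being touched. The anchor handling itself is right: the old `azure-ad` bookmark is kept and the `microsoft-entra` one added, so inbound links to either heading id keep resolving.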
-1. Open the Microsoft Entra multifactor authentication Server console, click the **User Portal** icon in the left menu, then click **Install User Portal**.
+1. Open the Azure Multi-Factor Authentication Server console, click the **User Portal** icon in the left menu, then click **Install User Portal**.
2. Complete the install using the defaults unless you need to change them for some reason. 3. Bind a TLS/SSL Certificate to the site in IIS
If you have questions about configuring a TLS/SSL Certificate on an IIS server,
## Deploy the user portal on a separate server
-If the server where Microsoft Entra multifactor authentication Server is running isn't internet-facing, you should install the user portal on a **separate, internet-facing server**.
+If the server where Azure Multi-Factor Authentication Server is running isn't internet-facing, you should install the user portal on a **separate, internet-facing server**.
If your organization uses the Microsoft Authenticator app as one of the verification methods, and want to deploy the user portal on its own server, complete the following requirements:
-* Use v6.0 or higher of the Microsoft Entra multifactor authentication Server.
+* Use v6.0 or higher of the Azure Multi-Factor Authentication Server.
* Install the user portal on an internet-facing web server running Microsoft internet Information Services (IIS) 6.x or higher. * When using IIS 6.x, ensure ASP.NET v2.0.50727 is installed, registered, and set to **Allowed**. * When using IIS 7.x or higher, IIS, including Basic Authentication, ASP.NET, and IIS 6 meta base compatibility. * Secure the user portal with a TLS/SSL certificate. * Secure the Microsoft Entra multifactor authentication Web Service SDK with a TLS/SSL certificate. * Ensure that the user portal can connect to the Microsoft Entra multifactor authentication Web Service SDK over TLS/SSL.
-* Ensure that the user portal can authenticate to the Microsoft Entra multifactor authentication Web Service SDK using the credentials of a service account in the "PhoneFactor Admins" security group. This service account and group should exist in Active Directory if the Microsoft Entra multifactor authentication Server is running on a domain-joined server. This service account and group exist locally on the Microsoft Entra multifactor authentication Server if it isn't joined to a domain.
+* Ensure that the user portal can authenticate to the Microsoft Entra multifactor authentication Web Service SDK using the credentials of a service account in the "PhoneFactor Admins" security group. This service account and group should exist in Active Directory if the Azure Multi-Factor Authentication Server is running on a domain-joined server. This service account and group exist locally on the Azure Multi-Factor Authentication Server if it isn't joined to a domain.
-Installing the user portal on a server other than the Microsoft Entra multifactor authentication Server requires the following steps:
+Installing the user portal on a server other than the Azure Multi-Factor Authentication Server requires the following steps:
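Review bot: the `+` line "Ensure that the user portal can authenticate to the Microsoft Entra multifactor authentication Web Service SDK ..." changes only the Server name and leaves the SDK under the Entra brand, and the two unchanged bullets just above ("Secure the Microsoft Entra multifactor authentication Web Service SDK ...", "... connect to the Microsoft Entra multifactor authentication Web Service SDK over TLS/SSL") do the same; rename the SDK consistently throughout this list so the requirements read as one product.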
-1. **On the MFA Server**, browse to the installation path (Example: C:\Program Files\multifactor authentication Server), and copy the file **MultiFactorAuthenticationUserPortalSetup64** to a location accessible to the internet-facing server where you'll install it.
+1. **On the MFA Server**, browse to the installation path (Example: C:\Program Files\Multi-Factor Authentication Server), and copy the file **MultiFactorAuthenticationUserPortalSetup64** to a location accessible to the internet-facing server where you'll install it.
2. **On the internet-facing web server**, run the MultiFactorAuthenticationUserPortalSetup64 install file as an administrator, change the Site if desired and change the Virtual directory to a short name if you would like. 3. Bind a TLS/SSL Certificate to the site in IIS.
If you have questions about configuring a TLS/SSL Certificate on an IIS server,
<a name='configure-user-portal-settings-in-the-azure-ad-multi-factor-authentication-server'></a>
-## Configure user portal settings in the Microsoft Entra multifactor authentication Server
+<a name='configure-user-portal-settings-in-the-microsoft-entra-multifactor-authentication-server'></a>
+
+## Configure user portal settings in the Azure Multi-Factor Authentication Server
-Now that the user portal is installed, you need to configure the Microsoft Entra multifactor authentication Server to work with the portal.
+Now that the user portal is installed, you need to configure the Azure Multi-Factor Authentication Server to work with the portal.
-1. In the Microsoft Entra multifactor authentication Server console, click the **User Portal** icon. On the Settings tab, enter the URL to the user portal in the **User Portal URL** textbox. If email functionality has been enabled, this URL is included in the emails that are sent to users when they're imported into the Microsoft Entra multifactor authentication Server.
+1. In the Azure Multi-Factor Authentication Server console, click the **User Portal** icon. On the Settings tab, enter the URL to the user portal in the **User Portal URL** textbox. If email functionality has been enabled, this URL is included in the emails that are sent to users when they're imported into the Azure Multi-Factor Authentication Server.
2. Choose the settings that you want to use in the User Portal. For example, if users are allowed to choose their authentication methods, ensure that **Allow users to select method** is checked, along with the methods they can choose from. 3. Define who should be Administrators on the **Administrators** tab. You can create granular administrative permissions using the checkboxes and dropdowns in the Add/Edit boxes.
Optional configuration:
![MFA Server User Portal configuration](./media/howto-mfaserver-deploy-userportal/config.png)
-Microsoft Entra multifactor authentication server provides several options for the user portal. The following table provides a list of these options and an explanation of what they're used for.
+Azure Multi-Factor Authentication Server provides several options for the user portal. The following table provides a list of these options and an explanation of what they're used for.
| User Portal Settings | Description | |: |: |
Microsoft Entra multifactor authentication server provides several options for t
| Use security questions for fallback | Allow security questions in case two-step verification fails. You can specify the number of security questions that must be successfully answered. | | Allow users to associate third-party OATH token | Allow users to specify a third-party OATH token. | | Use OATH token for fallback | Allow for the use of an OATH token in case two-step verification isn't successful. You can also specify the session timeout in minutes. |
-| Enable logging | Enable logging on the user portal. The log files are located at: C:\Program Files\multifactor authentication Server\Logs. |
+| Enable logging | Enable logging on the user portal. The log files are located at: C:\Program Files\Multi-Factor Authentication Server\Logs. |
> [!IMPORTANT] > Starting in March of 2019 the phone call options will not be available to MFA Server users in free/trial Microsoft Entra tenants. SMS messages are not impacted by this change. Phone call will continue to be available to users in paid Microsoft Entra tenants. This change only impacts free/trial Microsoft Entra tenants.
The page then displays an activation code and a URL along with a barcode picture
After the activation is complete, the user clicks the **Authenticate Me Now** button. Microsoft Entra multifactor authentication performs a verification to the user's mobile app. The user must enter their PIN (if applicable) and press the Authenticate button in their mobile app to move on to the next step of the self-enrollment process.
-If the administrators have configured the Microsoft Entra multifactor authentication Server to collect security questions and answers, the user is then taken to the Security Questions page. The user must select four security questions and provide answers to their selected questions.
+If the administrators have configured the Azure Multi-Factor Authentication Server to collect security questions and answers, the user is then taken to the Security Questions page. The user must select four security questions and provide answers to their selected questions.
![User portal security questions](./media/howto-mfaserver-deploy-userportal/secq.png)
The user self-enrollment is now complete and the user is signed in to the user p
## Next steps -- [Deploy the Microsoft Entra multifactor authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md)
+- [Deploy the Azure Multi-Factor Authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md)
active-directory Howto Mfaserver Deploy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-deploy.md
Title: Getting started Microsoft Entra multifactor authentication Server
-description: Step-by-step get started with Microsoft Entra multifactor authentication Server on-premises
+ Title: Getting started Azure Multi-Factor Authentication Server
+description: Step-by-step get started with Azure Multi-Factor Authentication Server on-premises
-# Getting started with the Microsoft Entra multifactor authentication Server
+# Getting started with the Azure Multi-Factor Authentication Server
<center> ![Getting started with MFA Server on-premises](./media/howto-mfaserver-deploy/server2.png)</center>
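Review bot: the `+` line ` Title: Getting started Azure Multi-Factor Authentication Server` is added with a leading space, while the existing `Title: Getting started Microsoft Entra multifactor authentication Server` line shows no `-` marker in this rendering. If the old line really remains, the front matter ends up with two Title entries, and the leading space on the new one changes its YAML indentation; confirm the old title is removed and the new line starts in column 1. Both old and new titles also read "Getting started <product>" without "with", unlike the H1 "Getting started with the Azure Multi-Factor Authentication Server".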
-This page covers a new installation of the server and setting it up with on-premises Active Directory. If you already have the MFA server installed and are looking to upgrade, see [Upgrade to the latest Azure multifactor authentication Server](howto-mfaserver-deploy-upgrade.md). If you're looking for information on installing just the web service, see [Deploying the Azure multifactor authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md).
+This page covers a new installation of the server and setting it up with on-premises Active Directory. If you already have the MFA server installed and are looking to upgrade, see [Upgrade to the latest Azure Multi-Factor Authentication Server](howto-mfaserver-deploy-upgrade.md). If you're looking for information on installing just the web service, see [Deploying the Azure Multi-Factor Authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md).
> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra multifactor authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra multifactor authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Azure Multi-Factor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure Multi-Factor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
> To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure multifactor authentication](tutorial-enable-azure-mfa.md). ## Plan your deployment
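Review bot: the replacement IMPORTANT line keeps the garbled apostrophe "usersΓÇÖ"; use `users'`. Its cloud service is named "Microsoft Entra multifactor authentication service", whereas the same banner in howto-mfaserver-deploy-upgrade.md and howto-mfaserver-deploy-userportal.md in this change set says "Azure MFA service", and the unchanged tutorial link on the next line, "Secure user sign-in events with Azure multifactor authentication", uses a third form where those two articles link it as "... with Microsoft Entra multifactor authentication". This change set reverts only the Server name and leaves the cloud service under the Microsoft Entra name in the tutorial links it does not touch, so the banner and tutorial link text should use that name uniformly.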
-Before you download the Azure multifactor authentication Server, think about what your load and high availability requirements are. Use this information to decide how and where to deploy.
+Before you download the Azure Multi-Factor Authentication Server, think about what your load and high availability requirements are. Use this information to decide how and where to deploy.
A good guideline for the amount of memory you need is the number of users you expect to authenticate regularly.
A good guideline for the amount of memory you need is the number of users you ex
| 100,000-200,001 | 16 GB | | 200,001+ | 32 GB |
-Do you need to set up multiple servers for high availability or load balancing? There are many ways to set up this configuration with Microsoft Entra multifactor authentication Server. When you install your first Microsoft Entra multifactor authentication Server, it becomes the master. Any other servers become subordinate, and automatically synchronize users and configuration with the master. Then, you can configure one primary server and have the rest act as backup, or you can set up load balancing among all the servers.
+Do you need to set up multiple servers for high availability or load balancing? There are many ways to set up this configuration with Azure Multi-Factor Authentication Server. When you install your first Azure Multi-Factor Authentication Server, it becomes the master. Any other servers become subordinate, and automatically synchronize users and configuration with the master. Then, you can configure one primary server and have the rest act as backup, or you can set up load balancing among all the servers.
-When a master Microsoft Entra multifactor authentication Server goes offline, the subordinate servers can still process two-step verification requests. However, you can't add new users and existing users can't update their settings until the master is back online or a subordinate gets promoted.
+When a master Azure Multi-Factor Authentication Server goes offline, the subordinate servers can still process two-step verification requests. However, you can't add new users and existing users can't update their settings until the master is back online or a subordinate gets promoted.
### Prepare your environment Make sure the server that you're using for Azure multifactor authentication meets the following requirements.
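Review bot: the unchanged sentence "Make sure the server that you're using for Azure multifactor authentication meets the following requirements" sits directly above the table header the hunk renames to "Azure Multi-Factor Authentication Server Requirements"; it should say "Azure Multi-Factor Authentication Server" as well, otherwise the section reads as requirements for the cloud service. In this rendering the "### Prepare your environment" heading and that sentence appear on one line; confirm they are separate lines in the source.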
-| Azure multifactor authentication Server Requirements | Description |
+| Azure Multi-Factor Authentication Server Requirements | Description |
|: |: | | Hardware |<li>200 MB of hard disk space</li><li>x32 or x64 capable processor</li><li>1 GB or greater RAM</li> | | Software |<li>Windows Server 2022<sup>1</sup><li>Windows Server 2019<sup>1</sup></li><li>Windows Server 2016</li><li>Windows Server 2012 R2</li><li>Windows Server 2012</li><li>Windows Server 2008/R2 (with [ESU](/lifecycle/faq/extended-security-updates) only)</li><li>Windows 10</li><li>Windows 8.1, all editions</li><li>Windows 8, all editions</li><li>Windows 7, all editions (with [ESU](/lifecycle/faq/extended-security-updates) only)</li><li>Microsoft .NET 4.0 Framework</li><li>IIS 7.0 or greater if installing the user portal or web service SDK</li> | | Permissions | Domain Administrator or Enterprise Administrator account to register with Active Directory |
-<sup>1</sup>If Microsoft Entra multifactor authentication Server fails to activate on an Azure VM that runs Windows Server 2019 or later, try using an earlier version of Windows Server.
+<sup>1</sup>If Azure Multi-Factor Authentication Server fails to activate on an Azure VM that runs Windows Server 2019 or later, try using an earlier version of Windows Server.
<a name='azure-active-directory-multi-factor-authentication-server-components'></a>
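Review bot: the footnote in the `+` line advises trying "an earlier version of Windows Server" when activation fails on Windows Server 2019 or later; the requirements table above lists specific versions, several of them only with ESU, so name the supported fallback (Windows Server 2016 is the newest listed without a footnote) rather than leaving readers to pick an out-of-support OS. Separately, in the table's Software cell the `<li>Windows Server 2022<sup>1</sup>` item has no closing `</li>` before the next `<li>`.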
-### Microsoft Entra multifactor authentication Server Components
+<a name='microsoft-entra-multifactor-authentication-server-components'></a>
-There are three web components that make up Microsoft Entra multifactor authentication Server:
+### Azure Multi-Factor Authentication Server Components
+
+There are three web components that make up Azure Multi-Factor Authentication Server:
* Web Service SDK - Enables communication with the other components and is installed on the Microsoft Entra multifactor authentication application server * User portal - An IIS web site that allows users to enroll in Azure multifactor authentication and maintain their accounts.
All three components can be installed on the same server if the server is intern
<a name='azure-multi-factor-authentication-server-firewall-requirements'></a>
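Review bot: the component list under the renamed heading still describes the Web Service SDK as "installed on the Microsoft Entra multifactor authentication application server" and the User portal as letting users "enroll in Azure multifactor authentication"; with the heading now "Azure Multi-Factor Authentication Server Components", both bullets should say "Azure Multi-Factor Authentication Server" (the SDK runs on the Server, and the user-portal article's NOTE in this change set says the portal exists only for the Server).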
-### Azure multifactor authentication Server firewall requirements
+<a name='azure-multifactor-authentication-server-firewall-requirements'></a>
+
+### Azure Multi-Factor Authentication Server firewall requirements
Each MFA server must be able to communicate on port 443 outbound to the following addresses:
If you aren't using the Event Confirmation feature, and your users aren't using
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-Follow these steps to download the Microsoft Entra multifactor authentication Server:
+Follow these steps to download the Azure Multi-Factor Authentication Server:
> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Microsoft Entra multifactor authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Microsoft Entra multifactor authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Microsoft Entra multifactor authentication service by using the latest Migration Utility included in the most recent [Azure Multi-Factor Authentication Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure Multi-Factor Authentication Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
> > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Azure multifactor authentication](tutorial-enable-azure-mfa.md). >
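Review bot: the + line still carries `usersΓÇÖ` in `[migrate their usersΓÇÖ authentication data]`; that is a UTF-8 right single quotation mark read back through a single-byte decode, and it is inherited unchanged from the - line. Since the line is being rewritten anyway, replace it with a plain ASCII apostrophe (`users' authentication data`) so the link text renders however the file is read. Separately, the unchanged line below links the tutorial as 'Azure multifactor authentication' while the + line calls the cloud service 'Microsoft Entra multifactor authentication'; the RADIUS article's copy of this same notice further down this page uses 'Microsoft Entra multifactor authentication' in the tutorial link, so align this one with it.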
Now that you have downloaded the server you can install and configure it. Be sur
* [Visual C++ Redistributable for Visual Studio 2017 (x64)](https://go.microsoft.com/fwlink/?LinkId=746572) * [Visual C++ Redistributable for Visual Studio 2017 (x86)](https://go.microsoft.com/fwlink/?LinkId=746571) 3. When the installation finishes, select **Finish**. The configuration wizard starts.
-5. Back on the page that you downloaded the server from, click the **Generate Activation Credentials** button. Copy this information into the Microsoft Entra multifactor authentication Server in the boxes provided and click **Activate**.
+5. Back on the page that you downloaded the server from, click the **Generate Activation Credentials** button. Copy this information into the Azure Multi-Factor Authentication Server in the boxes provided and click **Activate**.
> [!NOTE] > Only global administrators are able to generate activation credentials in the Microsoft Entra admin center.
Now that the server is installed you want to add users. You can choose to create
### Manual import from Active Directory
-1. In the Microsoft Entra multifactor authentication Server, on the left, select **Users**.
+1. In the Azure Multi-Factor Authentication Server, on the left, select **Users**.
2. At the bottom, select **Import from Active Directory**. 3. Now you can either search for individual users or search the AD directory for OUs with users in them. In this case, we specify the users OU. 4. Highlight all the users on the right and click **Import**. You should receive a pop-up telling you that you were successful. Close the import window.
Now that the server is installed you want to add users. You can choose to create
### Automated synchronization with Active Directory
-1. In the Microsoft Entra multifactor authentication Server, on the left, select **Directory Integration**.
+1. In the Azure Multi-Factor Authentication Server, on the left, select **Directory Integration**.
2. Navigate to the **Synchronization** tab. 3. At the bottom, choose **Add** 4. In the **Add Synchronization Item** box that appears choose the Domain, OU **or** security group, Settings, Method Defaults, and Language Defaults for this synchronization task and click **Add**.
Now that the server is installed you want to add users. You can choose to create
<a name='how-the-azure-ad-multi-factor-authentication-server-handles-user-data'></a>
-## How the Microsoft Entra multifactor authentication Server handles user data
+<a name='how-the-microsoft-entra-multifactor-authentication-server-handles-user-data'></a>
-When you use the multifactor authentication Server on-premises, a user's data is stored in the on-premises servers. No persistent user data is stored in the cloud. When the user performs a two-step verification, the MFA Server sends data to the Microsoft Entra multifactor authentication cloud service to perform the verification. When these authentication requests are sent to the cloud service, the following fields are sent in the request and logs so that they are available in the customer's authentication/usage reports. Some of the fields are optional so they can be enabled or disabled within the multifactor authentication Server. The communication from the MFA Server to the MFA cloud service uses SSL/TLS over port 443 outbound. These fields are:
+## How the Azure Multi-Factor Authentication Server handles user data
+
+When you use the Multi-Factor Authentication Server on-premises, a user's data is stored in the on-premises servers. No persistent user data is stored in the cloud. When the user performs a two-step verification, the MFA Server sends data to the Microsoft Entra multifactor authentication cloud service to perform the verification. When these authentication requests are sent to the cloud service, the following fields are sent in the request and logs so that they are available in the customer's authentication/usage reports. Some of the fields are optional so they can be enabled or disabled within the Multi-Factor Authentication Server. The communication from the MFA Server to the MFA cloud service uses SSL/TLS over port 443 outbound. These fields are:
* Unique ID - either username or internal MFA server ID * First and last name (optional)
In addition to the fields above, the verification result (success/denial) and re
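Review bot: the + line says the MFA Server talks to the cloud service using 'SSL/TLS over port 443 outbound'; the protocol in use is TLS, and naming SSL here only raises the question of whether deprecated SSL versions are accepted, so suggest 'uses TLS over port 443 outbound', which also matches the 'port 443 outbound' wording of the firewall requirements section above. The rest of the + line is a straight product-name revert and reads fine.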
<a name='back-up-and-restore-azure-active-directory-multi-factor-authentication-server'></a>
-## Back up and restore Microsoft Entra multifactor authentication Server
+<a name='back-up-and-restore-microsoft-entra-multifactor-authentication-server'></a>
+
+## Back up and restore Azure Multi-Factor Authentication Server
Making sure that you have a good backup is an important step to take with any system.
-To back up Microsoft Entra multifactor authentication Server, ensure that you have a copy of the **C:\Program Files\multifactor authentication Server\Data** folder including the **PhoneFactor.pfdata** file.
+To back up Azure Multi-Factor Authentication Server, ensure that you have a copy of the **C:\Program Files\Multi-Factor Authentication Server\Data** folder including the **PhoneFactor.pfdata** file.
In case a restore is needed complete the following steps:
-1. Reinstall Microsoft Entra multifactor authentication Server on a new server.
-2. Activate the new Microsoft Entra multifactor authentication Server.
+1. Reinstall Azure Multi-Factor Authentication Server on a new server.
+2. Activate the new Azure Multi-Factor Authentication Server.
3. Stop the **MultiFactorAuth** service. 4. Overwrite the **PhoneFactor.pfdata** with the backed-up copy. 5. Start the **MultiFactorAuth** service.
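Review bot: `PhoneFactor.pfdata` is, per the 'handles user data' section above, where this server keeps all of its user data on-premises, so the backup instruction on the + line ('ensure that you have a copy of the ... Data folder including the PhoneFactor.pfdata file') should say something about where that copy may be kept and who may read it; as written it reads as an ordinary file copy with no access-control or encryption guidance, which is out of step with the rest of this article. The restore steps stop the **MultiFactorAuth** service before overwriting the file; it would be consistent to say whether the backup itself should be taken with the service stopped, or whether a copy taken from a running server is safe to restore.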
Once you have upgraded to or installed MFA Server version 8.x or higher, it is r
## Next steps - Set up and configure the [User portal](howto-mfaserver-deploy-userportal.md) for user self-service.-- Set up and configure the Microsoft Entra multifactor authentication Server with [Active Directory Federation Service](multi-factor-authentication-get-started-adfs.md), [RADIUS Authentication](howto-mfaserver-dir-radius.md), or [LDAP Authentication](howto-mfaserver-dir-ldap.md).-- Set up and configure [Remote Desktop Gateway and Azure multifactor authentication Server using RADIUS](howto-mfaserver-nps-rdg.md).-- [Deploy the Azure multifactor authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md).
+- Set up and configure the Azure Multi-Factor Authentication Server with [Active Directory Federation Service](multi-factor-authentication-get-started-adfs.md), [RADIUS Authentication](howto-mfaserver-dir-radius.md), or [LDAP Authentication](howto-mfaserver-dir-ldap.md).
+- Set up and configure [Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS](howto-mfaserver-nps-rdg.md).
+- [Deploy the Azure Multi-Factor Authentication Server Mobile App Web Service](howto-mfaserver-deploy-mobileapp.md).
- [Advanced scenarios with Azure multifactor authentication and third-party VPNs](howto-mfaserver-nps-vpn.md).
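Review bot: the last bullet of this list, `- [Advanced scenarios with Azure multifactor authentication and third-party VPNs](howto-mfaserver-nps-vpn.md)`, is left untouched, yet it points at an MFA Server article whose own title on this page is 'Advanced scenarios with Azure MFA Server and third-party VPN solutions'; it should receive the same 'Azure Multi-Factor Authentication Server' treatment as the three bullets being rewritten in this hunk, otherwise the list mixes the two spellings.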
active-directory Howto Mfaserver Dir Radius https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-dir-radius.md
Title: RADIUS and Azure MFA Server
-description: Deploying RADIUS Authentication and Azure multifactor authentication Server.
+description: Deploying RADIUS Authentication and Azure Multi-Factor Authentication Server.
-# Integrate RADIUS authentication with Azure multifactor authentication Server
+# Integrate RADIUS authentication with Azure Multi-Factor Authentication Server
-RADIUS is a standard protocol to accept authentication requests and to process those requests. The Azure multifactor authentication Server can act as a RADIUS server. Insert it between your RADIUS client (VPN appliance) and your authentication target to add two-step verification. Your authentication target could be Active Directory, an LDAP directory, or another RADIUS server. For Azure multifactor authentication to function, you must configure the Azure MFA Server so that it can communicate with both the client servers and the authentication target. The Azure MFA Server accepts requests from a RADIUS client, validates credentials against the authentication target, adds Azure multifactor authentication, and sends a response back to the RADIUS client. The authentication request only succeeds if both the primary authentication and the Azure multifactor authentication succeed.
+RADIUS is a standard protocol to accept authentication requests and to process those requests. The Azure Multi-Factor Authentication Server can act as a RADIUS server. Insert it between your RADIUS client (VPN appliance) and your authentication target to add two-step verification. Your authentication target could be Active Directory, an LDAP directory, or another RADIUS server. For Azure multifactor authentication to function, you must configure the Azure MFA Server so that it can communicate with both the client servers and the authentication target. The Azure MFA Server accepts requests from a RADIUS client, validates credentials against the authentication target, adds Azure multifactor authentication, and sends a response back to the RADIUS client. The authentication request only succeeds if both the primary authentication and the Azure multifactor authentication succeed.
> [!IMPORTANT]
-> In September 2022, Microsoft announced deprecation of Azure multifactor authentication Server. Beginning September 30, 2024, Azure multifactor authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
+> In September 2022, Microsoft announced deprecation of Azure Multi-Factor Authentication Server. Beginning September 30, 2024, Azure Multi-Factor Authentication Server deployments will no longer service multifactor authentication requests, which could cause authentications to fail for your organization. To ensure uninterrupted authentication services and to remain in a supported state, organizations should [migrate their usersΓÇÖ authentication data](how-to-migrate-mfa-server-to-mfa-user-authentication.md) to the cloud-based Azure MFA service by using the latest Migration Utility included in the most recent [Azure MFA Server update](https://www.microsoft.com/download/details.aspx?id=55849). For more information, see [Azure MFA Server Migration](how-to-migrate-mfa-server-to-azure-mfa.md).
> > To get started with cloud-based MFA, see [Tutorial: Secure user sign-in events with Microsoft Entra multifactor authentication](tutorial-enable-azure-mfa.md). >
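Review bot: this copy of the deprecation notice now diverges from the copy in howto-mfaserver-deploy.md earlier on this page. That one says 'cloud-based Microsoft Entra multifactor authentication service', '[Azure Multi-Factor Authentication Server update]' and '[Azure Multi-Factor Authentication Server Migration]', while this + line keeps 'cloud-based Azure MFA service', '[Azure MFA Server update]' and '[Azure MFA Server Migration]'. Both are edited in the same commit, so pick one wording, or move the notice into a shared include, rather than leaving two slightly different versions of text that will be copied into further articles. The `usersΓÇÖ` mojibake noted on the other copy is present here too.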
RADIUS is a standard protocol to accept authentication requests and to process t
## Add a RADIUS client
-To configure RADIUS authentication, install the Azure multifactor authentication Server on a Windows server. If you have an Active Directory environment, the server should be joined to the domain inside the network. Use the following procedure to configure the Azure multifactor authentication Server:
+To configure RADIUS authentication, install the Azure Multi-Factor Authentication Server on a Windows server. If you have an Active Directory environment, the server should be joined to the domain inside the network. Use the following procedure to configure the Azure Multi-Factor Authentication Server:
-1. In the Azure multifactor authentication Server, click the RADIUS Authentication icon in the left menu.
+1. In the Azure Multi-Factor Authentication Server, click the RADIUS Authentication icon in the left menu.
2. Check the **Enable RADIUS authentication** checkbox. 3. On the Clients tab, change the Authentication and Accounting ports if the Azure MFA RADIUS service needs to listen for RADIUS requests on non-standard ports. 4. Click **Add**.
-5. Enter the IP address of the appliance/server that will authenticate to the Azure multifactor authentication Server, an application name (optional), and a shared secret.
+5. Enter the IP address of the appliance/server that will authenticate to the Azure Multi-Factor Authentication Server, an application name (optional), and a shared secret.
The application name appears in reports and may be displayed within SMS or mobile app authentication messages.
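Review bot: the + line asks for 'an application name (optional), and a shared secret' without saying anything about the secret itself. Together with the client IP address on the same line, that secret is all the MFA Server has to decide that a RADIUS request really came from the listed appliance, so the step should tell the reader to use a long, randomly generated secret that is unique to each client rather than one reused across appliances. The later step for adding an upstream RADIUS server repeats 'The shared secret needs to be the same on both' and would benefit from the same one-line guidance.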
- The shared secret needs to be the same on both the Azure multifactor authentication Server and appliance/server.
+ The shared secret needs to be the same on both the Azure Multi-Factor Authentication Server and appliance/server.
6. Check the **Require multifactor authentication user match** box if all users have been imported into the Server and subject to multifactor authentication. If a significant number of users have not yet been imported into the Server or are exempt from two-step verification, leave the box unchecked. 7. Check the **Enable fallback OATH token** box if you want to use OATH passcodes from mobile verification apps as a backup method.
Repeat steps 4 through 8 to add as many additional RADIUS clients as you need.
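Review bot: the unchanged step after the + line says to leave **Require multifactor authentication user match** unchecked when 'a significant number of users have not yet been imported into the Server or are exempt from two-step verification', but it never states the consequence that its own wording implies: with the box unchecked, a RADIUS request for a user the MFA Server does not know about succeeds on the primary authentication alone, so the VPN is single-factor for every such account until the import is complete. Suggest adding that sentence here and recommending the box be checked as soon as the import is finished.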
1. Click **Add** to configure the server to which the Azure MFA Server will proxy the RADIUS requests. 1. In the Add RADIUS Server dialog box, enter the IP address of the RADIUS server and a shared secret.
- The shared secret needs to be the same on both the Azure multifactor authentication Server and RADIUS server. Change the Authentication port and Accounting port if different ports are used by the RADIUS server.
+ The shared secret needs to be the same on both the Azure Multi-Factor Authentication Server and RADIUS server. Change the Authentication port and Accounting port if different ports are used by the RADIUS server.
1. Click **OK**.
-1. Add the Azure MFA Server as a RADIUS client in the other RADIUS server so that it can process access requests sent to it from the Azure MFA Server. Use the same shared secret configured in the Azure multifactor authentication Server.
+1. Add the Azure MFA Server as a RADIUS client in the other RADIUS server so that it can process access requests sent to it from the Azure MFA Server. Use the same shared secret configured in the Azure Multi-Factor Authentication Server.
Repeat these steps to add more RADIUS servers. Configure the order in which the Azure MFA Server should call them with the **Move Up** and **Move Down** buttons.
-You've successfully configured the Azure multifactor authentication Server. The Server is now listening on the configured ports for RADIUS access requests from the configured clients.
+You've successfully configured the Azure Multi-Factor Authentication Server. The Server is now listening on the configured ports for RADIUS access requests from the configured clients.
## RADIUS Client configuration To configure the RADIUS client, use the guidelines:
-* Configure your appliance/server to authenticate via RADIUS to the Azure multifactor authentication Server's IP address, which acts as the RADIUS server.
+* Configure your appliance/server to authenticate via RADIUS to the Azure Multi-Factor Authentication Server's IP address, which acts as the RADIUS server.
* Use the same shared secret that was configured earlier. * Configure the RADIUS timeout to 60 seconds so that there is time to validate the user's credentials, perform two-step verification, receive their response, and then respond to the RADIUS access request.
active-directory Howto Mfaserver Nps Vpn https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-nps-vpn.md
# Advanced scenarios with Azure MFA Server and third-party VPN solutions
-Azure multifactor authentication Server (Azure MFA Server) can be used to seamlessly connect with various third-party VPN solutions. This article focuses on Cisco&reg; ASA VPN appliance, Citrix NetScaler SSL VPN appliance, and the Juniper Networks Secure Access/Pulse Secure Connect Secure SSL VPN appliance. We created configuration guides to address these three common appliances. Azure MFA Server can also integrate with most other systems that use RADIUS, LDAP, IIS, or claims-based authentication to AD FS. You can find more details in [Azure MFA Server configurations](howto-mfaserver-deploy.md#next-steps).
+Azure Multi-Factor Authentication Server (Azure MFA Server) can be used to seamlessly connect with various third-party VPN solutions. This article focuses on Cisco&reg; ASA VPN appliance, Citrix NetScaler SSL VPN appliance, and the Juniper Networks Secure Access/Pulse Secure Connect Secure SSL VPN appliance. We created configuration guides to address these three common appliances. Azure MFA Server can also integrate with most other systems that use RADIUS, LDAP, IIS, or claims-based authentication to AD FS. You can find more details in [Azure MFA Server configurations](howto-mfaserver-deploy.md#next-steps).
> [!IMPORTANT] > As of July 1, 2019, Microsoft no longer offers MFA Server for new deployments. New customers that want to require multifactor authentication during sign-in events should use cloud-based Microsoft Entra multifactor authentication.
active-directory Howto Mfaserver Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-mfaserver-windows.md
Title: Windows authentication and Azure MFA Server
-description: Deploying Windows Authentication and Azure multifactor authentication Server.
+description: Deploying Windows Authentication and Azure Multi-Factor Authentication Server.
-# Windows Authentication and Azure multifactor authentication Server
+# Windows Authentication and Azure Multi-Factor Authentication Server
-Use the Windows Authentication section of the Azure multifactor authentication Server to enable and configure Windows authentication for applications. Before you set up Windows Authentication, keep the following list in mind:
+Use the Windows Authentication section of the Azure Multi-Factor Authentication Server to enable and configure Windows authentication for applications. Before you set up Windows Authentication, keep the following list in mind:
* After setup, reboot the Azure multifactor authentication for Terminal Services to take effect. * If 'Require Azure multifactor authentication user match' is checked and you are not in the user list, you will not be able to log into the machine after reboot.
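Review bot: the two bullets in the unchanged line below still read 'reboot the Azure multifactor authentication for Terminal Services to take effect' and `'Require Azure multifactor authentication user match'`. The second is a quoted UI label, so it should match the product name restored on the + line ('Require Azure Multi-Factor Authentication user match'), and the first is missing its object (reboot what?). That line is also the lockout warning ('you will not be able to log into the machine after reboot'), so it is the one readers most need to be able to parse.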
Use the Windows Authentication section of the Azure multifactor authentication S
## To secure an application with Windows Authentication, use the following procedure
-1. In the Azure multifactor authentication Server click the Windows Authentication icon.
+1. In the Azure Multi-Factor Authentication Server click the Windows Authentication icon.
![Windows Authentication in MFA Server](./media/howto-mfaserver-windows/windowsauth.png) 2. Check the **Enable Windows Authentication** checkbox. By default, this box is unchecked. 3. The Applications tab allows the administrator to configure one or more applications for Windows Authentication.
active-directory Howto Sspr Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-sspr-deployment.md
For a guided walkthrough of many of the recommendations in this article, see the
| |[How to enable and configure SSPR in Microsoft Entra ID](https://www.youtube.com/watch?v=rA8TvhNcCvQ)| | |[How to configure self-service password reset for users in Microsoft Entra ID?](https://azure.microsoft.com/resources/videos/self-service-password-reset-azure-ad/) | | |[How to [prepare users to] register [their] security information for Microsoft Entra ID](https://youtu.be/gXuh0XS18wA) |
-| Online courses|[Managing Identities in Microsoft Entra ID](https://www.pluralsight.com/courses/microsoft-azure-active-directory-managing-identities) Use SSPR to give your users a modern, protected experience. See especially the "[Managing Microsoft Entra Users and Groups](https://app.pluralsight.com/library/courses/microsoft-azure-active-directory-managing-identities/table-of-contents)" module. |
+| Online courses|[Managing Identities in Microsoft Entra ID](https://www.pluralsight.com/courses/microsoft-azure-active-directory-managing-identities) Use SSPR to give your users a modern, protected experience. See especially the "[`Managing Microsoft Entra Users and Groups`](https://app.pluralsight.com/library/courses/microsoft-azure-active-directory-managing-identities/table-of-contents)" module. |
|Pluralsight Paid courses |[The Issues of Identity and Access Management](https://www.pluralsight.com/courses/identity-access-management-issues) Learn about IAM and security issues to be aware of in your organization. See especially the "Other Authentication Methods" module.| | |[Getting Started with the Microsoft Enterprise Mobility Suite](https://www.pluralsight.com/courses/microsoft-enterprise-mobility-suite-getting-started) Learn the best practices for extending on-premises assets to the cloud in a manner that allows for authentication, authorization, encryption, and a secured mobile experience. See especially the "Configuring Advanced Features of Microsoft Entra ID P1 or P2" module. |Tutorials |[Complete a Microsoft Entra self-service password reset pilot roll out](./tutorial-enable-sspr.md) |
active-directory Multi Factor Authentication Get Started Adfs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/multi-factor-authentication-get-started-adfs.md
If your organization has federated your on-premises Active Directory with Microsoft Entra ID using AD FS, there are two options for using Microsoft Entra multifactor authentication. * Secure cloud resources using Microsoft Entra multifactor authentication or Active Directory Federation Services
-* Secure cloud and on-premises resources using Azure multifactor authentication Server
+* Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server
The following table summarizes the verification experience between securing resources with Microsoft Entra multifactor authentication and AD FS
Caveats with app passwords for federated users:
* You lose on-premises authentication-logging capability for app passwords. * Account disable/deletion may take up to three hours for directory sync, delaying disable/deletion of app passwords in the cloud identity.
-For information on setting up either Microsoft Entra multifactor authentication or the Azure multifactor authentication Server with AD FS, see the following articles:
+For information on setting up either Microsoft Entra multifactor authentication or the Azure Multi-Factor Authentication Server with AD FS, see the following articles:
* [Secure cloud resources using Microsoft Entra multifactor authentication and AD FS](howto-mfa-adfs.md)
-* [Secure cloud and on-premises resources using Azure multifactor authentication Server with Windows Server](howto-mfaserver-adfs-windows-server.md)
-* [Secure cloud and on-premises resources using Azure multifactor authentication Server with AD FS 2.0](howto-mfaserver-adfs-2.md)
+* [Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server with Windows Server](howto-mfaserver-adfs-windows-server.md)
+* [Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server with AD FS 2.0](howto-mfaserver-adfs-2.md)
active-directory Multi Factor Authentication Wizard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/multi-factor-authentication-wizard.md
This guide provides step-by-step instructions for IT administrators to implement
## What to expect and what you need
-The setup guides help you configure the core functionality of Microsoft Entra ID. If you need to set up a more advanced configuration, the setup guide points you to the appropriate location in the Microsoft Entra portal.
+The setup guides help you configure the core functionality of Microsoft Entra ID. If you need to set up a more advanced configuration, the setup guide points you to the appropriate location in the Microsoft Entra admin center.
### Required permissions
active-directory Troubleshoot Authentication Strengths https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/troubleshoot-authentication-strengths.md
Use the **Sign-ins** log to find more information about the sign-in:
- Under the **Authentication details** tab, the **Requirement** column shows the name of the authentication strength policy.
- :::image type="content" source="./media/troubleshoot-authentication-strengths/sign-in-logs-authentication-details.png" alt-text="Screenshot showing the authentication strength in the Sign-ins log.":::
+ :::image type="content" source="./media/troubleshoot-authentication-strengths/sign-in-logs-authentication-details.png" alt-text="Screenshot showing the authentication strength in the sign-in log.":::
- Under the **Conditional Access** tab, you can see which Conditional Access policy was applied. Click the name of the policy, and look for **Grant controls** to see the authentication strength that was enforced.
- :::image type="content" source="./media/troubleshoot-authentication-strengths/sign-in-logs-control.png" alt-text="Screenshot showing the authentication strength under Conditional Access Policy details in the Sign-ins log.":::
+ :::image type="content" source="./media/troubleshoot-authentication-strengths/sign-in-logs-control.png" alt-text="Screenshot showing the authentication strength under Conditional Access Policy details in the sign-in log.":::
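Review bot: the + lines change both alt texts from 'Sign-ins log' to 'sign-in log', but the unchanged prose two lines above still says 'Use the **Sign-ins** log to find more information'; pick one name for the log and apply it to the prose and the alt text together.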
## Users can't use their FIDO2 security key to sign in An Authentication Policy Administrator can restrict access to specific security keys. When a user tries to sign in by using a key they can't use, this **You can't get there from here** message appears. The user has to restart the session, and sign-in with a different FIDO2 security key.
active-directory Terms Of Use https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/conditional-access/terms-of-use.md
Previously updated : 03/30/2023 Last updated : 10/10/2023
The following procedure describes how to add a ToU language.
## Per-device terms of use
-The **Require users to consent on every device** setting enables you to require end users to accept your terms of use policy on every device they're accessing from. The end user is required to register their device in Microsoft Entra ID. When the device is registered, the device ID is used to enforce the terms of use policy on each device.
-
-Supported platforms and software.
-
-> [!div class="mx-tableFixed"]
-> | | iOS | Android | Windows 10 | Other |
-> | | | | | |
-> | **Native app** | Yes | Yes | Yes | |
-> | **Microsoft Edge** | Yes | Yes | Yes | |
-> | **Internet Explorer** | Yes | Yes | Yes | |
-> | **Chrome (with extension)** | Yes | Yes | Yes | |
+The **Require users to consent on every device** setting enables you to require end users to accept your terms of use policy on every device they're accessing from. The end user's device must be registered in Microsoft Entra ID. When the device is registered, the device ID is used to enforce the terms of use policy on each device. Their experience is dependent on permissions to join devices as well as the platform and software used, for more information see, [device identity in Microsoft Entra ID](../devices/overview.md).
Per-device terms of use have the following constraints: -- A device can only be joined to one tenant.-- A user must have permissions to join their device. - The Intune Enrollment app isn't supported. Ensure that it's excluded from any Conditional Access policy requiring Terms of Use policy. - Microsoft Entra B2B users aren't supported.
-If the user's device isn't joined, they receive a message that they need to join their device. Their experience is dependent on the platform and software.
-
-### Join a Windows 10 device
-
-If a user is using Windows 10 and Microsoft Edge, they receive a message similar to the following to [join their device](https://support.microsoft.com/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973#to-join-an-already-configured-windows-10-device).
-
-![Windows 10 and Microsoft Edge - Message indicating your device must be registered](./media/terms-of-use/per-device-win10-edge.png)
-
-If they're using Chrome, they're prompted to install the [Windows 10 Accounts extension](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji).
-
-### Register an iOS device
-
-If a user is using an iOS device, they're prompted to install the [Microsoft Authenticator app](https://apps.apple.com/us/app/microsoft-authenticator/id983156458).
-
-### Register an Android device
-
-If a user is using an Android device, they're prompted to install the [Microsoft Authenticator app](https://play.google.com/store/apps/details?id=com.azure.authenticator).
-
-### Browsers
-
-If a user is using browser that isn't supported, they're asked to use a different browser.
-
-![Message indicating your device must be registered, but browser is not supported](./media/terms-of-use/per-device-browser-unsupported.png)
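Review bot: the removal drops the supported-platform table and all per-platform join guidance (the Windows 10 Accounts extension for Chrome, Microsoft Authenticator on iOS and Android, the 'unsupported browser' message) in favour of one sentence pointing at `../devices/overview.md`, and two items removed from the constraints list ('A device can only be joined to one tenant', 'A user must have permissions to join their device') are only partly recovered by the new 'dependent on permissions to join devices' clause. Please confirm the linked overview actually names the Chrome-extension and Authenticator requirements; otherwise a reader troubleshooting a per-device terms-of-use prompt loses the only place that listed them. Also, the new sentence has a comma splice: '... platform and software used, for more information see, ...' should read '... platform and software used. For more information, see ...'.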
- ## Delete terms of use You can delete old terms of use policies using the following procedure.
active-directory Access Tokens https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/access-tokens.md
Microsoft Entra ID has a tenant-independent version of the document available at
- Keys that have an issuer value like `https://login.microsoftonline.com/{tenantid}/v2.0` may be used with any matching token issuer. - Keys that have an issuer value like `https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0` should only be used with exact match.
- Microsoft Entra's tenant-independent key endpoint ([https://login.microsoftonline.com/common/discovery/v2.0/keys](https://login.microsoftonline.com/common/discovery/v2.0/keys)) returns a document like:
+ Microsoft Entra tenant-independent key endpoint ([https://login.microsoftonline.com/common/discovery/v2.0/keys](https://login.microsoftonline.com/common/discovery/v2.0/keys)) returns a document like:
``` { "keys":[
active-directory Developer Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/developer-glossary.md
An identity used by a software workload like an application, service, script, or
## Workload identity federation
-Allows you to securely access Microsoft Entra ID protected resources from external apps and services without needing to manage secrets (for supported scenarios). For more information, see [workload identity federation](../workload-identities/workload-identity-federation.md).
+Allows you to securely access Microsoft Entra protected resources from external apps and services without needing to manage secrets (for supported scenarios). For more information, see [workload identity federation](../workload-identities/workload-identity-federation.md).
## Next steps
active-directory Federation Metadata https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/federation-metadata.md
Title: Azure AD federation metadata
-description: This article describes the federation metadata document that Microsoft Entra ID publishes for services that accept Microsoft Entra ID tokens.
+ Title: Microsoft Entra federation metadata
+description: This article describes the federation metadata document that Microsoft Entra ID publishes for services that accept Microsoft Entra tokens.
Microsoft Entra ID publishes federation metadata at `https://login.microsoftonli
For **tenant-specific endpoints**, the `TenantDomainName` can be one of the following types:
-* A registered domain name of an Azure AD tenant, such as: `contoso.onmicrosoft.com`.
+* A registered domain name of a Microsoft Entra tenant, such as: `contoso.onmicrosoft.com`.
* The immutable tenant ID of the domain, such as `72f988bf-86f1-41af-91ab-2d7cd011db45`.
-For **tenant-independent endpoints**, the `TenantDomainName` is `common`. This document lists only the Federation Metadata elements that are common to all Azure AD tenants that are hosted at login.microsoftonline.com.
+For **tenant-independent endpoints**, the `TenantDomainName` is `common`. This document lists only the Federation Metadata elements that are common to all Microsoft Entra tenants that are hosted at login.microsoftonline.com.
For example, a tenant-specific endpoint might be `https://login.microsoftonline.com/contoso.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml`. The tenant-independent endpoint is [https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml](https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml). You can view the federation metadata document by typing this URL in a browser. ## Contents of federation metadata
-The following section provides information needed by services that consume the tokens issued by Azure AD.
+The following section provides information needed by services that consume the tokens issued by Microsoft Entra ID.
### Entity ID
entityID="https://sts.windows.net/{tenant}/">
### Token signing certificates
-When a service receives a token that is issued by an Azure AD tenant, the signature of the token must be validated with a signing key that is published in the federation metadata document. The federation metadata includes the public portion of the certificates that the tenants use for token signing. The certificate raw bytes appear in the `KeyDescriptor` element. The token signing certificate is valid for signing only when the value of the `use` attribute is `signing`.
+When a service receives a token that is issued by a Microsoft Entra tenant, the signature of the token must be validated with a signing key that is published in the federation metadata document. The federation metadata includes the public portion of the certificates that the tenants use for token signing. The certificate raw bytes appear in the `KeyDescriptor` element. The token signing certificate is valid for signing only when the value of the `use` attribute is `signing`.
-A federation metadata document published by Azure AD can have multiple signing keys, such as when Azure AD is preparing to update the signing certificate. When a federation metadata document includes more than one certificate, a service that is validating the tokens should support all certificates in the document.
+A federation metadata document published by Microsoft Entra ID can have multiple signing keys, such as when Microsoft Entra ID is preparing to update the signing certificate. When a federation metadata document includes more than one certificate, a service that is validating the tokens should support all certificates in the document.
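Review bot: the rewritten multiple-signing-keys sentence still only tells a consuming service to "support all certificates in the document", yet the same sentence explains that the extra key appears while Microsoft Entra ID is preparing to update the signing certificate. A service that downloaded the metadata once and pinned the certificates it found will never see the new key and will start rejecting tokens after rollover. Suggest adding one sentence that consumers must re-fetch the federation metadata periodically (or when a token arrives signed with a key that is not in the cached set) rather than hard-coding a certificate.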
The following metadata shows a sample `KeyDescriptor` element with a signing key.
There are no differences in the format of tenant-specific and tenant-independent
### WS-Federation endpoint URL
-The federation metadata includes the URL that is Azure AD uses for single sign-in and single sign-out in WS-Federation protocol. This endpoint appears in the `PassiveRequestorEndpoint` element.
+The federation metadata includes the URL that is Microsoft Entra ID uses for single sign-in and single sign-out in WS-Federation protocol. This endpoint appears in the `PassiveRequestorEndpoint` element.
The following metadata shows a sample `PassiveRequestorEndpoint` element for a tenant-specific endpoint.
https://login.microsoftonline.com/common/wsfed
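Review bot: the rewritten WS-Federation sentence keeps the stray "is" from the original ("the URL that is Microsoft Entra ID uses for single sign-in"); since the line is being touched anyway, change it to "the URL that Microsoft Entra ID uses for single sign-in and single sign-out in the WS-Federation protocol".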
### SAML protocol endpoint URL
-The federation metadata includes the URL that Azure AD uses for single sign-in and single sign-out in SAML 2.0 protocol. These endpoints appear in the `IDPSSODescriptor` element.
+The federation metadata includes the URL that Microsoft Entra ID uses for single sign-in and single sign-out in SAML 2.0 protocol. These endpoints appear in the `IDPSSODescriptor` element.
The sign-in and sign-out URLs appear in the `SingleSignOnService` and `SingleLogoutService` elements.
active-directory How To Integrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/how-to-integrate.md
There are several ways for your application to integrate with the Microsoft iden
### Promote your application in the Azure and Microsoft 365 Marketplaces
-**Promote your application to the millions of organizations who are already using Azure AD.** Users who search and browse these marketplaces are already using one or more cloud services, making them qualified cloud service customers. Learn more about promoting your application in [the Azure Marketplace](https://azure.microsoft.com/marketplace/partner-program/).
+**Promote your application to the millions of organizations who are already using Microsoft Entra ID.** Users who search and browse these marketplaces are already using one or more cloud services, making them qualified cloud service customers. Learn more about promoting your application in [the Azure Marketplace](https://azure.microsoft.com/marketplace/partner-program/).
**When users sign up for your application, it will appear in their Microsoft Entra ID access panel and Microsoft 365 app launcher.** Users will be able to quickly and easily return to your application later, improving user engagement. Learn more about the [Microsoft Entra ID access panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
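Review bot: the unchanged paragraph that follows the edited line still says "Microsoft Entra ID access panel" twice, while the edited line above and the other files in this set switch to "Microsoft Entra" when the name is used as a modifier. The linked support page is for the My Apps portal, so "My Apps portal" would be both consistent with the rename and the name users actually see.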
active-directory Howto Add Branding In Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-add-branding-in-apps.md
Your app may present separate paths for sign-up and sign-in and the following se
## Visual guidance for app acquisition
-Your ΓÇ£get the appΓÇ¥ link must redirect the user to the Microsoft Entra grant access (authorize) page, to allow an organizationΓÇÖs administrator to authorize your app to have access to their organizationΓÇÖs data, which is hosted by Microsoft. Details on how to request access are discussed in the [Integrating Applications with Microsoft Entra ID](./quickstart-register-app.md) article.
+Your ΓÇ£get the appΓÇ¥ link must redirect the user to the Microsoft Entra ID grant access (authorize) page, to allow an organizationΓÇÖs administrator to authorize your app to have access to their organizationΓÇÖs data, which is hosted by Microsoft. Details on how to request access are discussed in the [Integrating Applications with Microsoft Entra ID](./quickstart-register-app.md) article.
After admins consent to your app, they can choose to add it to their usersΓÇÖ Microsoft 365 app launcher experience (accessible from the waffle and from [https://www.office.com/](https://www.office.com/)). If you want to advertise this capability, you can use terms like ΓÇ£Add this app to your organizationΓÇ¥ and show a button like the following example:
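Review bot: this change runs in the opposite direction from the rest of the batch: "Microsoft Entra grant access (authorize) page" becomes "Microsoft Entra ID grant access (authorize) page", whereas the glossary, access-tokens and how-to-integrate edits drop "ID" when the name modifies a noun. Pick one form for the set. Separately, the quotation marks and apostrophes in this paragraph appear as "ΓÇ£", "ΓÇ¥" and "ΓÇÖ", which points to a UTF-8 file being read as a Windows code page somewhere in the pipeline; worth checking the source encoding before merging.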
active-directory Migrate Objc Adal Msal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/migrate-objc-adal-msal.md
The Azure Active Directory Authentication Library ([ADAL Objective-C](https://github.com/AzureAD/azure-activedirectory-library-for-objc)) was created to work with Microsoft Entra accounts via the v1.0 endpoint.
-The Microsoft Authentication Library for iOS and macOS (MSAL) is built to work with all Microsoft identities such as Microsoft Entra accounts, personal Microsoft accounts, and Azure AD B2C accounts via the Microsoft identity platform (formally the Azure AD v2.0 endpoint).
+The Microsoft Authentication Library for iOS and macOS (MSAL) is built to work with all Microsoft identities such as Microsoft Entra accounts, personal Microsoft accounts, and Azure AD B2C accounts via the Microsoft identity platform (formerly the Azure AD v2.0 endpoint).
The Microsoft identity platform has a few key differences with Azure AD v1.0. This article highlights these differences and provides guidance to migrate an app from ADAL to MSAL.
active-directory Msal Compare Msal Js And Adal Js https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/msal-compare-msal-js-and-adal-js.md
In addition, as MSAL.js is implemented in TypeScript unlike ADAL.js, it exposes
## Use scopes instead of resources
-An important difference between the Microsoft Entra ID **v1.0** vs. **v2.0** endpoints is about how the resources are accessed. When using ADAL.js with the **v1.0** endpoint, you would first register a permission on app registration portal, and then request an access token for a resource (such as Microsoft Graph) as shown below:
+An important difference between the Azure Active Directory v1.0 versus 2.0 endpoints is about how the resources are accessed. When using ADAL.js with the **v1.0** endpoint, you would first register a permission on app registration portal, and then request an access token for a resource (such as Microsoft Graph) as shown below:
```javascript authContext.acquireTokenRedirect("https://graph.microsoft.com", function (error, token) {
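Review bot: "Azure Active Directory v1.0 versus 2.0 endpoints" drops the "v" and the bold from the second version name while the very same sentence goes on to say "the **v1.0** endpoint". Write "v1.0 versus v2.0" and bold both or neither, so the two endpoint names match the form used in the rest of the article.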
active-directory Quickstart Daemon App Java Acquire Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-daemon-app-java-acquire-token.md
To register your application and add the app's registration information to your
### Step 3: Configure the Java project
-1. Extract the zip file to a local folder close to the root of the disk, for example, *C:\Azure-Samples*.
-1. Navigate to the sub folder **msal-client-credential-secret**.
-1. Edit *src\main\resources\application.properties* and replace the values of the fields `AUTHORITY`, `CLIENT_ID`, and `SECRET` with the following snippet:
+1. Extract the zip file to a local folder close to the root of the disk, such as `C:\Azure-Samples`.
+1. Navigate to the `msal-client-credential-secret` subfolder.
+1. Edit `src\main\resources\application.properties` and replace the values of the fields `AUTHORITY`, `CLIENT_ID`, and `SECRET` with the following snippet:
``` AUTHORITY=https://login.microsoftonline.com/Enter_the_Tenant_Id_Here/
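Review bot: the step that has the reader paste a value into the `SECRET` field of `src\main\resources\application.properties` carries no caution about that secret, and the snippet that follows puts it in plain text inside the project tree. The Java web-app quickstart in this same change set has an IMPORTANT note recommending a certificate credential over a plaintext client secret before the app goes to production; add the same note here, since this is the same kind of confidential-client sample and the file sits where it is most likely to be committed by accident.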
active-directory Quickstart V2 Java Webapp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-v2-java-webapp.md
> > To run the web application from an IDE, select run, and then go to the home page of the project. For this sample, the standard home page URL is https://localhost:8443. >
-> 1. On the front page, select the **Login** button to redirect users to Azure Active Directory and prompt them for credentials.
+> 1. On the front page, select the **Login** button to redirect users to Microsoft Entra ID and prompt them for credentials.
> > 1. After users are authenticated, they're redirected to `https://localhost:8443/msal4jsample/secure/aad`. They're now signed in, and the page will show information about the user account. The sample UI has these buttons: > - **Sign Out**: Signs the current user out of the application and redirects that user to the home page.
active-directory Quickstart Web App Java Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/quickstart-web-app-java-sign-in.md
If you want to deploy the web sample to Tomcat, make a couple changes to the sou
clientAuth="false" sslProtocol="TLS"/> ```
-3. Open a Command Prompt window. Go to the root folder of this sample (where the pom.xml file is located), and run `mvn package` to build the project.
- - This command will generate a *msal-web-sample-0.1.0.war* file in your */targets* directory.
- - Rename this file to *msal4jsample.war*.
+3. Open a Command Prompt window. Go to the root folder of this sample (where the `pom.xml` file is located), and run `mvn package` to build the project.
+ - This command will generate a `msal-web-sample-0.1.0.war` file in your `/targets` directory.
+ - Rename this file to `msal4jsample.war`.
- Deploy the WAR file by using Tomcat or any other J2EE container solution.
- - To deploy the msal4jsample.war file, copy it to the */webapps/* directory in your Tomcat installation, and then start the Tomcat server.
+ - To deploy the `msal4jsample.war` file, copy it to the `/webapps/` directory in your Tomcat installation, and then start the Tomcat server.
-4. After the file is deployed, go to https://localhost:8443/msal4jsample by using a browser.
+4. After the file is deployed, go to `https://localhost:8443/msal4jsample` by using a browser.
> [!IMPORTANT] > This quickstart application uses a client secret to identify itself as a confidential client. Because the client secret is added as plain text to your project files, for security reasons we recommend that you use a certificate instead of a client secret before using the application in a production environment. For more information on how to use a certificate, see [Certificate credentials for application authentication](./certificate-credentials.md).
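Review bot: `/targets` on the "This command will generate" line is carried over unchanged when the path is moved into code font. `mvn package` writes to Maven's default build directory, which is `target` (no trailing s) relative to the folder containing `pom.xml`; now that the path is in code font readers will copy it literally, so fix the name and drop the leading slash.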
active-directory Sample V2 Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/sample-v2-code.md
The following samples illustrate web applications that sign in users. Some sampl
> | Blazor | Blazor Server Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/MyOrg) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/B2C) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-graph-user/Call-MSGraph) <br/> &#8226; [Call web API](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/MyOrg) <br/> &#8226; [Call web API (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/B2C) | [MSAL.NET](/entra/msal/dotnet) | Hybrid flow | > | ASP.NET Core|[Advanced Token Cache Scenarios](https://github.com/Azure-Samples/ms-identity-dotnet-advanced-token-cache) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | On-Behalf-Of (OBO) | > | ASP.NET Core|[Use the Conditional Access auth context to perform step\-up authentication](https://github.com/Azure-Samples/ms-identity-dotnetcore-ca-auth-context-app/blob/main/README.md) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | Authorization code |
-> | ASP.NET Core|[Active Directory FS to Microsoft Entra migration](https://github.com/Azure-Samples/ms-identity-dotnet-adfs-to-aad) | [MSAL.NET](/entra/msal/dotnet) | &#8226; SAML <br/> &#8226; OpenID connect |
+> | ASP.NET Core|[Active Directory Federation Services to Microsoft Entra migration](https://github.com/Azure-Samples/ms-identity-dotnet-adfs-to-aad) | [MSAL.NET](/entra/msal/dotnet) | &#8226; SAML <br/> &#8226; OpenID connect |
> | ASP.NET | &#8226; [Microsoft Graph Training Sample](https://github.com/microsoftgraph/msgraph-training-aspnetmvcapp) <br/> &#8226; [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect) <br/> &#8226; [Sign in users and call Microsoft Graph with admin restricted scope](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2) <br/> &#8226; [Quickstart: Sign in users](https://github.com/AzureAdQuickstarts/AppModelv2-WebApp-OpenIDConnect-DotNet) | [MSAL.NET](/entra/msal/dotnet) | &#8226; OpenID connect <br/> &#8226; Authorization code | > | Java </p> Spring |Microsoft Entra Spring Boot Starter Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/2-Authorization-I/call-graph) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/3-Authorization-II/roles) <br/> &#8226; [Use Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/3-Authorization-II/groups) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/4-Deployment/deploy-to-azure-app-service) <br/> &#8226; [Protect a web API](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/4-spring-web-app/3-Authorization-II/protect-web-api) | &#8226; [MSAL Java](/java/api/com.microsoft.aad.msal4j) <br/> &#8226; Microsoft Entra ID Boot Starter | Authorization code | > | Java </p> Servlets | Spring-less Servlet Series 
<br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3-java-servlet-web-app/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3-java-servlet-web-app/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3-java-servlet-web-app/2-Authorization-I/call-graph) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3-java-servlet-web-app/3-Authorization-II/roles) <br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3-java-servlet-web-app/3-Authorization-II/groups) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3-java-servlet-web-app/4-Deployment/deploy-to-azure-app-service) | [MSAL Java](/java/api/com.microsoft.aad.msal4j) | Authorization code |
The following samples show how to build applications using the C# language and f
> | Web application| &#8226; [Sign in users](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/README.md) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/1-5-B2C/README.md) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-1-Call-MSGraph/README.md) <br/> &#8226; [Customize token cache](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-2-TokenCache/README.md) <br/> &#8226; [Call Graph (multi-tenant)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-3-Multi-Tenant/README.md) <br/> &#8226; [Call Azure REST APIs](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/3-WebApp-multi-APIs/README.md) <br/> &#8226; [Protect web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-1-MyOrg/README.md) <br/> &#8226; [Protect web API (B2C)](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-2-B2C/README.md) <br/> &#8226; [Protect multi-tenant web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-3-AnyOrg/Readme.md) <br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-1-Roles/README.md) <br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/5-WebApp-AuthZ/5-2-Groups/README.md) <br/> &#8226; [Deploy to Azure Storage and App 
Service](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/6-Deploy-to-Azure/README.md) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | &#8226; OpenID connect <br/> &#8226; Authorization code <br/> &#8226; On-Behalf-Of| > | Web application |[Advanced Token Cache Scenarios](https://github.com/Azure-Samples/ms-identity-dotnet-advanced-token-cache) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | On-Behalf-Of (OBO) | > | Web application |[Use the Conditional Access auth context to perform step\-up authentication](https://github.com/Azure-Samples/ms-identity-dotnetcore-ca-auth-context-app/blob/main/README.md) | [Microsoft.Identity.Web](/dotnet/api/microsoft-authentication-library-dotnet/confidentialclient) | Authorization code |
-> | Web application |[Active Directory FS to Microsoft Entra migration](https://github.com/Azure-Samples/ms-identity-dotnet-adfs-to-aad) | [MSAL.NET](/entra/msal/dotnet) | &#8226; SAML <br/> &#8226; OpenID connect |
+> | Web application |[Active Directory Federation Services to Microsoft Entra migration](https://github.com/Azure-Samples/ms-identity-dotnet-adfs-to-aad) | [MSAL.NET](/entra/msal/dotnet) | &#8226; SAML <br/> &#8226; OpenID connect |
> | Web API | [Sign in users and call Microsoft Graph](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/2.%20Web%20API%20now%20calls%20Microsoft%20Graph) | [MSAL.NET](/entra/msal/dotnet) | On-Behalf-Of (OBO) | > | Multi-tenant SaaS | [ASP.NET Core MVC web application calls Microsoft Graph API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-3-Multi-Tenant) | [MSAL.NET](/entra/msal/dotnet) | OpenID connect | > | Multi-tenant SaaS | [ASP.NET Core MVC web application calls ASP.NET Core web API](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/4-WebApp-your-API/4-3-AnyOrg) | [MSAL.NET](/entra/msal/dotnet) | Authorization code |
active-directory Scenario Daemon Acquire Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-daemon-acquire-token.md
var scopes = new [] { ResourceId+"/.default"};
-<a name='azure-ad-v10-resources'></a>
-
-### Microsoft Entra ID (v1.0) resources
+### Azure AD (v1.0) resources
The scope used for client credentials should always be the resource ID followed by `/.default`.
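Review bot: removing the explicit `<a name='azure-ad-v10-resources'></a>` anchor is only safe because the heading is reverted to "Azure AD (v1.0) resources", whose generated id is that same `azure-ad-v10-resources`. Check for inbound links to the id that the renamed heading "Microsoft Entra ID (v1.0) resources" produced while it was live, since those will now break; if any exist, keep an anchor for that id instead of deleting the line.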
active-directory Scenario Web App Sign User App Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/scenario-web-app-sign-user-app-configuration.md
The *.env* file should never be checked into source control, since it contains s
## Initialization code
-The initialization code differences are platform dependant. For ASP.NET Core and ASP.NET, signing in users is delegated to the OpenID Connect middleware. The ASP.NET or ASP.NET Core template generates web applications for the Microsoft Entra v1.0 endpoint. Some configuration is required to adapt them to the Microsoft identity platform.
+The initialization code differences are platform dependant. For ASP.NET Core and ASP.NET, signing in users is delegated to the OpenID Connect middleware. The ASP.NET or ASP.NET Core template generates web applications for the Azure AD v1.0 endpoint. Some configuration is required to adapt them to the Microsoft identity platform.
# [ASP.NET Core](#tab/aspnetcore)
In ASP.NET Core web apps (and web APIs), the application is protected because yo
> .AddAzureAD(options => Configuration.Bind("AzureAd", options)); > ``` >
-> This code uses the legacy **Microsoft.AspNetCore.Authentication.AzureAD.UI** NuGet package which is used to create a Microsoft Entra v1.0 application. This article explains how to create a Microsoft identity platform (Microsoft Entra v2.0) application which replaces that code.
+> This code uses the legacy **Microsoft.AspNetCore.Authentication.AzureAD.UI** NuGet package which is used to create an Azure Active Directory v1.0 application. This article explains how to create a Microsoft identity platform v2.0 application which replaces that code.
1. Add the [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web) and [Microsoft.Identity.Web.UI](https://www.nuget.org/packages/Microsoft.Identity.Web.UI) NuGet packages to your project. Remove the `Microsoft.AspNetCore.Authentication.AzureAD.UI` NuGet package if it's present.
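Review bot: "platform dependant" survives the rewrite of the initialization-code paragraph; the adjective is "dependent". The switch to "Azure AD v1.0 endpoint" and "Azure Active Directory v1.0 application" is fine as the historical endpoint name and matches the msal-compare and scenario-daemon files, but the glossary and access-tokens files in the same set go the other way, so agree on one convention for references to the v1.0 endpoint across the batch.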
active-directory Tutorial Single Page App React Prepare Spa https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-single-page-app-react-prepare-spa.md
Identity related **npm** packages must be installed in the project to enable use
```
-To learn more about these packages refer to the documentation in [msal-browser](/javascript/api/@azure/msal-browser), [msal-common](/javascript/api/@azure/msal-common), [msal-react](/javascript/api/@azure/msal-react).
+To learn more about these packages refer to the documentation in [`msal-browser`](/javascript/api/@azure/msal-browser), [`msal-common`](/javascript/api/@azure/msal-common), [`msal-react`](/javascript/api/@azure/msal-react).
## Creating the authentication configuration file
active-directory Tutorial V2 Aspnet Daemon Web App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/tutorial-v2-aspnet-daemon-web-app.md
The "daemon" component in this sample is an API controller, `SyncController.cs`.
Because the app is a multi-tenant app for Microsoft business customers, it must provide a way for customers to "sign up" or "connect" the application to their company data. During the connection flow, a Global Administrator first grants *application permissions* directly to the app so that it can access company data in a non-interactive fashion, without the presence of a signed-in user. The majority of the logic in this sample shows how to achieve this connection flow by using the identity platform's [admin consent](./permissions-consent-overview.md#using-the-admin-consent-endpoint) endpoint.
-![Diagram shows UserSync App with three local items connecting to Azure, with Start dot Auth acquiring a token interactively to connect to Microsoft Entra I D, AccountController getting admin consent to connect to Microsoft Entra I D, and SyncController reading user to connect to Microsoft Graph.](./media/tutorial-v2-aspnet-daemon-webapp/topology.png)
+![Diagram shows UserSync App with three local items connecting to Azure, with Start dot Auth acquiring a token interactively to connect to Microsoft Entra ID, AccountController getting admin consent to connect to Microsoft Entra ID, and SyncController reading user to connect to Microsoft Graph.](./media/tutorial-v2-aspnet-daemon-webapp/topology.png)
For more information on the concepts used in this sample, read the [client credentials protocol documentation for the identity platform](v2-oauth2-client-creds-grant-flow.md).
active-directory V2 Conditional Access Dev Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/v2-conditional-access-dev-guide.md
To try out this scenario, see our [React SPA calling Node.js web API using on-be
## See also * To learn more about the capabilities, see [Conditional Access in Microsoft Entra ID](../conditional-access/overview.md).
-* For more Microsoft Entra ID code samples, see [samples](sample-v2-code.md).
+* For more Microsoft Entra code samples, see [samples](sample-v2-code.md).
* For more info on the MSAL SDK's and access the reference documentation, see the [Microsoft Authentication Library overview](msal-overview.md). * To learn more about multi-tenant scenarios, see [How to sign in users using the multi-tenant pattern](howto-convert-app-to-be-multi-tenant.md). * Learn more about [Conditional Access and securing access to IoT apps](/azure/architecture/example-scenario/iot-aad/iot-aad).
active-directory Web App Quickstart Portal Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/web-app-quickstart-portal-java.md
> > To run the web application from an IDE, select run, and then go to the home page of the project. For this sample, the standard home page URL is https://localhost:8443. >
-> 1. On the front page, select the **Login** button to redirect users to Azure Active Directory and prompt them for credentials.
+> 1. On the front page, select the **Login** button to redirect users to Microsoft Entra ID and prompt them for credentials.
> > 1. After users are authenticated, they're redirected to `https://localhost:8443/msal4jsample/secure/aad`. They're now signed in, and the page will show information about the user account. The sample UI has these buttons: > - **Sign Out**: Signs the current user out of the application and redirects that user to the home page.
active-directory Assign Local Admin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/assign-local-admin.md
To modify the Azure AD Joined Device Local Administrator role, configure **Addit
> [!NOTE] > This option requires Microsoft Entra ID P1 or P2 licenses.
-Azure AD Joined Device Local Administrators are assigned to all Microsoft Entra joined devices. You canΓÇÖt scope this role to a specific set of devices. Updating the Azure AD Joined Device Local Administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when *both* the below actions happen:
+Microsoft Entra joined Device Local Administrators are assigned to all Microsoft Entra joined devices. You canΓÇÖt scope this role to a specific set of devices. Updating the Azure AD Joined Device Local Administrator role doesn't necessarily have an immediate impact on the affected users. On devices where a user is already signed into, the privilege elevation takes place when *both* the below actions happen:
- Upto 4 hours have passed for Microsoft Entra ID to issue a new Primary Refresh Token with the appropriate privileges. - User signs out and signs back in, not lock/unlock, to refresh their profile.
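Review bot: the rewritten line now uses two names for the same role in one paragraph: it opens with "Microsoft Entra joined Device Local Administrators" and then says "Updating the Azure AD Joined Device Local Administrator role", and the unchanged sentence above it also uses the "Azure AD Joined Device Local Administrator" form. Since this is the role's product name, keep it as written throughout and only reword the generic "Microsoft Entra joined devices" phrase. While here, the trailing bullet has "Upto" for "Up to" and "signed into" for "signed in to".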
active-directory How To Hybrid Join Verify https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/how-to-hybrid-join-verify.md
Verify the device registration state in your Azure tenant by using **[Get-MsolDe
When you use the **Get-MSolDevice** cmdlet to check the service details: - An object with the **device ID** that matches the ID on the Windows client must exist.-- The value for **DeviceTrustType** is **Domain Joined**. This setting is equivalent to the **Microsoft Entra hybrid joined** state on the **Devices** page in the Microsoft Entra portal.
+- The value for **DeviceTrustType** is **Domain Joined**. This setting is equivalent to the **Microsoft Entra hybrid joined** state on the **Devices** page in the Microsoft Entra admin center.
- For devices that are used in Conditional Access, the value for **Enabled** is **True** and **DeviceTrustLevel** is **Managed**. 1. Open Windows PowerShell as an administrator.
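Review bot: The cmdlet is spelled two ways in the context around this change, `Get-MsolDevice` in the intro line and `Get-MSolDevice` in the bullet lead-in; use one casing throughout so readers copying the name get the same string. The portal-to-admin-center rename itself is consistent with the other device articles in this batch.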
active-directory Manage Device Identities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/manage-device-identities.md
You must be assigned one of the following roles to manage device settings:
- Global Administrator - Cloud Device Administrator
-![Screenshot that shows device settings related to Azure AD.](./media/manage-device-identities/device-settings-azure-portal.png)
+![Screenshot that shows device settings related to Microsoft Entra ID.](./media/manage-device-identities/device-settings-azure-portal.png)
- **Users may join devices to Microsoft Entra ID**: This setting enables you to select the users who can register their devices as Microsoft Entra joined devices. The default is **All**.
active-directory Troubleshoot Device Dsregcmd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-device-dsregcmd.md
This section lists the statuses of various attributes for users who are currentl
- **WamDefaultSet**: Set the state to *YES* if a Web Account Manager (WAM) default WebAccount is created for the logged-in user. This field could display an error if `dsregcmd /status` is run from an elevated command prompt. - **WamDefaultAuthority**: Set the state to *organizations* for Microsoft Entra ID. - **WamDefaultId**: Always use *https://login.microsoft.com* for Microsoft Entra ID.-- **WamDefaultGUID**: The WAM provider's (Azure AD/Microsoft account) GUID for the default WAM WebAccount.
+- **WamDefaultGUID**: The WAM provider's (Microsoft Entra ID / Microsoft account) GUID for the default WAM WebAccount.
### Sample user state output
active-directory Troubleshoot Mac Sso Extension Plugin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-mac-sso-extension-plugin.md
Now that the PRT (shared credential) has been verified, before doing any deeper
##### Native MSAL application
-Scenario: An application developed to use MSAL (Example: **Microsoft To Do** client) that is running on an Apple device needs to sign the user in with their Microsoft Entra account in order to access a Microsoft Entra ID protected service (Example: **Microsoft To Do Service**).
+Scenario: An application developed to use MSAL (Example: **Microsoft To Do** client) that is running on an Apple device needs to sign the user in with their Microsoft Entra account in order to access a Microsoft Entra protected service (Example: **Microsoft To Do Service**).
:::image type="content" source="media/troubleshoot-mac-sso-extension-plugin/macos-prt-msal-app.gif" alt-text="A GIF animation showing the authentication flow of an MSAL app with a PRT.":::
-1. MSAL-developed applications invoke the SSO extension directly, and send the PRT to the Microsoft Entra token endpoint along with the application's request for a token for a Microsoft Entra ID protected resource
+1. MSAL-developed applications invoke the SSO extension directly, and send the PRT to the Microsoft Entra token endpoint along with the application's request for a token for a Microsoft Entra protected resource
1. Microsoft Entra ID validates the PRT credential, and returns an application-specific token back to the SSO extension broker
-1. The SSO extension broker then passes the token to the MSAL client application, which then sends it to the Microsoft Entra ID protected resource
+1. The SSO extension broker then passes the token to the MSAL client application, which then sends it to the Microsoft Entra protected resource
1. The user is now signed into the app and the authentication process is complete ##### Non-MSAL/Browser SSO
-Scenario: A user on an Apple device opens up the Safari web browser (or any Non-MSAL native app that supports the Apple Networking Stack) to sign into a Microsoft Entra ID protected resource (Example: `https://office.com`).
+Scenario: A user on an Apple device opens up the Safari web browser (or any Non-MSAL native app that supports the Apple Networking Stack) to sign into a Microsoft Entra protected resource (Example: `https://office.com`).
:::image type="content" source="media/troubleshoot-mac-sso-extension-plugin/macos-prt-non-msal-app.gif" alt-text="An animation showing the high level authentication flow of a Non-MSAL app using the SSO Extension.":::
Scenario: A user on an Apple device opens up the Safari web browser (or any Non-
1. As long as the Non-MSAL application is allow-listed in the MDM payload configuration, the Apple network stack intercepts the authentication request and redirects the request to the SSO Extension broker 1. Once the SSO extension receives the intercepted request, the PRT is sent to the Microsoft Entra token endpoint 1. Microsoft Entra ID validates the PRT, and returns an application-specific token back to the SSO Extension
-1. The application-specific token is given to the Non-MSAL client application, and the client application sends the token to access the Microsoft Entra ID protected service
+1. The application-specific token is given to the Non-MSAL client application, and the client application sends the token to access the Microsoft Entra protected service
1. The user now has completed the sign-in and the authentication process is complete ### Obtaining the SSO extension logs
active-directory Troubleshoot Primary Refresh Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/devices/troubleshoot-primary-refresh-token.md
Microsoft Entra ID can't find the user account in the tenant.
##### Solution
-To acquire a fresh PRT that has the new credentials, wait for the Azure AD synchronization to finish.
+To acquire a fresh PRT that has the new credentials, wait for the Microsoft Entra synchronization to finish.
</details> #### Common network error codes ("ERROR_WINHTTP_" prefix)
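Review bot: "Microsoft Entra synchronization" is vaguer than the text it replaces. The scenario is that Microsoft Entra ID can't find the account yet, so the reader needs to know which sync to wait on (the on-premises directory sync cycle, if that is what is meant) and how to confirm it completed, rather than a generic product name.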
active-directory Linkedin Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/linkedin-integration.md
Previously updated : 09/08/2023 Last updated : 10/10/2023
You can allow users in your organization to access their LinkedIn connections wi
## Enable LinkedIn account connections in the Azure portal - You can enable LinkedIn account connections for only the users you want to have access, from your entire organization to only selected users in your organization. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Global Administrator](../roles/permissions-reference.md#global-administrator).
You can enable LinkedIn account connections for only the users you want to have
1. When you're done, select **Save** to save your settings. > [!Important]
-> LinkedIn integration is not fully enabled for your users until they consent to connect their accounts. No data is shared when you enable account connections for your users.
+> While LinkedIn integration is not fully enabled until your users consent to connect their accounts, access to public LinkedIn profile information is available without requiring individual consent. Full integration (two-way consent and additional fields) is not enabled without each user's consent. Your users can see the available LinkedIn profile of anyone that matches the name searched, regardless of whether that match is in the same enabled group or not.
### Assign selected users with a group
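Review bot: The new `+` note reverses the previous statement ("No data is shared when you enable account connections for your users") without saying what "public LinkedIn profile information" covers, so it reads as a change in behaviour rather than a clarification; spell out which fields are visible before consent. The sentence "Your users can see the available LinkedIn profile of anyone that matches the name searched, regardless of whether that match is in the same enabled group or not" also needs to state plainly that the group scoping described in "Assign selected users with a group" limits who gets the integration, not whose public profile can be looked up; admins who scope the feature for privacy reasons will otherwise assume the opposite. Separately, the section heading in the context above still says "in the Azure portal" while step 1 points to the Microsoft Entra admin center.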
active-directory B2b Direct Connect Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/b2b-direct-connect-overview.md
Reporting for monitoring and auditing B2B direct connect activity is available i
<a name='azure-ad-monitoring-and-audit-logs'></a>
-### Microsoft Entra ID monitoring and audit logs
+<a name='microsoft-entra-id-monitoring-and-audit-logs'></a>
+
+### Microsoft Entra monitoring and audit logs
Microsoft Entra ID includes information about cross-tenant access and B2B direct connect in the organization's Audit logs and Sign-in logs. These logs can be viewed in the Azure portal under **Monitoring**.
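Review bot: Keeping the old `<a name='azure-ad-monitoring-and-audit-logs'></a>` anchor alongside the new one is the right way to avoid breaking inbound links to the renamed heading. The body line directly under the heading, however, still says the logs "can be viewed in the Azure portal under **Monitoring**"; the other device and directory articles in this batch rename that UI to the Microsoft Entra admin center, so update it here as well.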
active-directory Cross Cloud Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/cross-cloud-settings.md
The following scenarios are supported when collaborating with an organization fr
## Next steps
-See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non-Azure AD identities, social identities, and non-IT managed external accounts.
+See [Configure external collaboration settings](external-collaboration-settings-configure.md) for B2B collaboration with non Microsoft Entra identities, social identities, and non-IT managed external accounts.
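Review bot: "non Microsoft Entra identities" needs a hyphen ("non-Microsoft Entra identities"); without it "non" reads as a stray word, and the same sentence keeps the hyphen in "non-IT managed external accounts".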
active-directory How To Facebook Federation Customers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-facebook-federation-customers.md
After you create the Facebook application, in this step you set the Facebook cli
1. Browse to **Identity** > **External Identities** > **All identity providers**. 2. Select **+ Facebook**.
- <!-- ![Screenshot that shows how to add Facebook identity provider in Azure AD.](./media/sign-in-with-facebook/configure-facebook-idp.png)-->
+ <!-- ![Screenshot that shows how to add Facebook identity provider in Microsoft Entra ID.](./media/sign-in-with-facebook/configure-facebook-idp.png)-->
1. Enter a **Name**. For example, *Facebook*. 1. For the **Client ID**, enter the App ID of the Facebook application that you created earlier.
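Review bot: The edited text sits inside an HTML comment (`<!-- ![Screenshot ...](...) -->`), so the renamed alt text is never rendered and the change has no reader-visible effect. Either restore the screenshot (replacing the image if it still shows Azure AD branding) or delete the commented-out line instead of maintaining dead markup.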
active-directory How To Google Federation Customers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/how-to-google-federation-customers.md
After you create the Google application, in this step you set the Google client
1. Browse to **Identity** > **External Identities** > **All identity providers**. 2. Select **+ Google**.
- <!-- ![Screenshot that shows how to add Google identity provider in Azure AD.](./media/sign-in-with-google/configure-google-idp.png)-->
+ <!-- ![Screenshot that shows how to add Google identity provider in Microsoft Entra ID.](./media/sign-in-with-google/configure-google-idp.png)-->
1. Enter a **Name**. For example, *Google*. 1. For the **Client ID**, enter the Client ID of the Google application that you created earlier.
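Review bot: The alt-text rename here is inside a commented-out image (`<!-- ... -->`) and does not reach the rendered page. Restore the screenshot with current branding or remove the comment; leaving it means the next rename pass will touch it again for nothing.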
active-directory Tutorial Desktop App Maui Sign In Prepare App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/tutorial-desktop-app-maui-sign-in-prepare-app.md
Download the following files into a folder in your computer:
You need to install the following packages: -- _Microsoft.Identity.Client_ - This package contains the binaries of the Microsoft Authentication Library for .NET (MSAL.NET).-- _Microsoft.Extensions.Configuration.Json_ - This package contains JSON configuration provider implementation for Microsoft.Extensions.Configuration.-- _Microsoft.Extensions.Configuration.Binder_ - This package contains functionality to bind an object to data in configuration providers for Microsoft.Extensions.Configuration.-- _Microsoft.Extensions.Configuration.Abstractions_ - This package contains abstractions of key-value pair based configuration.-- _Microsoft.Identity.Client.Extensions.Msal_ - This package contains extensions to Microsoft Authentication Library for .NET (MSAL.NET).
+- `Microsoft.Identity.Client` - This package contains the binaries of the Microsoft Authentication Library for .NET (MSAL.NET).
+- `Microsoft.Extensions.Configuration.Json` - This package contains JSON configuration provider implementation for Microsoft.Extensions.Configuration.
+- `Microsoft.Extensions.Configuration.Binder` - This package contains functionality to bind an object to data in configuration providers for Microsoft.Extensions.Configuration.
+- `Microsoft.Extensions.Configuration.Abstractions` - This package contains abstractions of key-value pair based configuration.
+- `Microsoft.Identity.Client.Extensions.Msal` - This package contains extensions to Microsoft Authentication Library for .NET (MSAL.NET).
### NuGet Package Manager
active-directory Whats New Docs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customers/whats-new-docs.md
Title: "What's new in Azure Active Directory for customers"
-description: "New and updated documentation for the Azure Active Directory for customers documentation."
+ Title: "What's new in Microsoft Entra ID for customers"
+description: "New and updated documentation for the Microsoft Entra ID for customers documentation."
Last updated 09/29/2023
-# Azure Active Directory for customers: What's new
+# Microsoft Entra ID for customers: What's new
-Welcome to what's new in Azure Active Directory for customers documentation. This article lists new docs that have been added and those that have had significant updates in the last three months.
+Welcome to what's new in Microsoft Entra ID for customers documentation. This article lists new docs that have been added and those that have had significant updates in the last three months.
## September 2023
-This month, we renamed Azure Active Directory (Azure AD) to Microsoft Entra ID. For more information about the rebranding, see the [New name for Azure Active Directory](/azure/active-directory/fundamentals/new-name) article.
+This month, we renamed Microsoft Entra ID to Microsoft Entra ID. For more information about the rebranding, see the [New name for Microsoft Entra ID](/azure/active-directory/fundamentals/new-name) article.
### Updated articles
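Review bot: The `+` line "This month, we renamed Microsoft Entra ID to Microsoft Entra ID" is a find-and-replace error: this sentence describes the rename, so the old name must stay ("we renamed Azure Active Directory (Azure AD) to Microsoft Entra ID"), and the link text should keep the target article's title "New name for Azure Active Directory" for the same reason. Also check the raw diff for the front-matter `+ Title:` line, which appears to gain a leading space; if that block is YAML, the indentation change will break parsing.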
This month, we renamed Azure Active Directory (Azure AD) to Microsoft Entra ID.
- [Quickstart: Create a tenant (preview)](quickstart-tenant-setup.md) - Get started guide update - [Add and manage admin accounts](how-to-manage-admin-accounts.md) - Editorial review - [Tutorial: Prepare a Vanilla JavaScript single-page app for authentication in a customer tenant](tutorial-single-page-app-vanillajs-prepare-app.md) - Editorial review-- [Azure AD for customers documentation](index.yml) - Editorial review
+- [Microsoft Entra ID for customers documentation](index.yml) - Editorial review
- [Tutorial: Sign in users in .NET MAUI app](tutorial-desktop-app-maui-sign-in-sign-out.md) - Add app roles to .NET MAUI app and receive them in the ID token - [Tutorial: Sign in users in .NET MAUI shell app](tutorial-mobile-app-maui-sign-in-sign-out.md) - Add app roles to .NET MAUI app and receive them in the ID token
This month, we renamed Azure Active Directory (Azure AD) to Microsoft Entra ID.
### New articles - [Tutorial: Prepare your customer tenant to authorize a .NET daemon application](tutorial-daemon-dotnet-call-api-prepare-tenant.md)-- [Tutorial: Secure an ASP.NET web API registered in the Azure AD for customer's tenant](tutorial-protect-web-api-dotnet-core-build-app.md)
+- [Tutorial: Secure an ASP.NET web API registered in the Microsoft Entra ID for customer's tenant](tutorial-protect-web-api-dotnet-core-build-app.md)
- [Tutorial: Prepare your customer tenant to authorize a Node.js daemon application](tutorial-daemon-node-call-api-prepare-tenant.md) - [Tutorial: Register and configure .NET browserless app authentication details in a customer tenant](tutorial-browserless-app-dotnet-sign-in-prepare-tenant.md) - [Sign in users in a sample WPF desktop application](sample-desktop-wpf-dotnet-sign-in.md)
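Review bot: "registered in the Microsoft Entra ID for customer's tenant" is ungrammatical; the other titles in this hunk use "in a customer tenant", so "Tutorial: Secure an ASP.NET web API registered in a customer tenant" would match them.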
This month, we renamed Azure Active Directory (Azure AD) to Microsoft Entra ID.
- [Tutorial: Add add sign-in and sign-out in your Node.js web application](tutorial-web-app-node-sign-in-sign-out.md) - Editorial review - [Tutorial: Call a web API from your Node.js daemon application](tutorial-daemon-node-call-api-build-app.md) - Editorial review - [Tutorial: Sign in users to your .NET browserless application](tutorial-browserless-app-dotnet-sign-in-build-app.md) - Editorial review-
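Review bot: The trailing context has a doubled word in a link title: "Tutorial: Add add sign-in and sign-out in your Node.js web application" should read "Tutorial: Add sign-in and sign-out ...". Worth fixing while this list is being edited.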
active-directory Customize Invitation Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/customize-invitation-api.md
Get-AzureADUser -Filter "UserState eq 'PendingAcceptance'" | Format-List -Proper
``` > [!NOTE]
-> Make sure you have the latest version of the Azure AD PowerShell module or AzureADPreview PowerShell module.
+> Make sure you have the latest version of the Azure AD PowerShell module or AzureADPreview PowerShell module.
## See also
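Review bot: The `-` and `+` lines render identically ("Make sure you have the latest version of the Azure AD PowerShell module or AzureADPreview PowerShell module."), so this hunk is whitespace-only or a no-op. If a rename was intended, note that "Azure AD PowerShell" and "AzureADPreview" are module names that the `Get-AzureADUser` call above depends on and should not be rebranded in prose.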
active-directory Google Federation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/google-federation.md
First, create a new project in the Google Developers Console to obtain a client
1. Select **Create credentials**, and then select **OAuth client ID**.
-1. In the Application type menu, select **Web application**. Give the application a suitable name, like `Azure AD B2B`. Under **Authorized redirect URIs**, add the following URIs:
+1. In the Application type menu, select **Web application**. Give the application a suitable name, like `Microsoft Entra B2B`. Under **Authorized redirect URIs**, add the following URIs:
- `https://login.microsoftonline.com` - `https://login.microsoftonline.com/te/<tenant ID>/oauth2/authresp` <br>(where `<tenant ID>` is your tenant ID)
active-directory Self Service Sign Up User Flow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/self-service-sign-up-user-flow.md
Next, you'll create the user flow for self-service sign-up and add it to an appl
1. Select the user flow type (for example, **Sign up and sign in**), and then select the version (**Recommended** or **Preview**). 1. On the **Create** page, enter a **Name** for the user flow. The name is automatically prefixed with **B2X_1_**.
-1. In the **Identity providers** list, select one or more identity providers that your external users can use to log into your application. **Azure Active Directory Sign up** is selected by default. (See [Before you begin](#before-you-begin) earlier in this article to learn how to add identity providers.)
+1. In the **Identity providers** list, select one or more identity providers that your external users can use to log into your application. **Microsoft Entra ID Sign up** is selected by default. (See [Before you begin](#before-you-begin) earlier in this article to learn how to add identity providers.)
1. Under **User attributes**, choose the attributes you want to collect from the user. For more attributes, select **Show more**. For example, select **Show more**, and then choose attributes and claims for **Country/Region**, **Display Name**, and **Postal Code**. Select **OK**. :::image type="content" source="media/self-service-sign-up-user-flow/create-user-flow.png" alt-text="Screenshot of the new user flow creation page. ":::
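Review bot: "**Microsoft Entra ID Sign up**" is presented in bold as a UI label, so it has to match the string the user-flow page actually displays; renaming a label in the docs ahead of the product is a common source of "I can't find this option" support cases. Verify the current label before merging and keep "**Azure Active Directory Sign up**" if the UI has not changed.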
active-directory Tenant Restrictions V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/external-identities/tenant-restrictions-v2.md
The following table compares the features in each version.
| |Tenant restrictions v1 |Tenant restrictions v2 | |-||| |**Policy enforcement** | The corporate proxy enforces the tenant restriction policy in the Microsoft Entra ID control plane. | Options: <br></br>- Universal tenant restrictions in Global Secure Access (preview), which uses policy signaling to tag all traffic, providing both authentication and data plane support on all platforms. <br></br>- Authentication plane-only protection, where the corporate proxy sets tenant restrictions v2 signals on all traffic. <br></br>- Windows device management, where devices are configured to point Microsoft traffic to the tenant restriction policy, and the policy is enforced in the cloud. |
-|**Policy enforcement limitation** | Manage corporate proxies by adding tenants to the Microsoft Entra ID traffic allowlist. The character limit of the header value in Restrict-Access-To-Tenants: `<allowed-tenant-list>` limits the number of tenants that can be added. | Managed by a cloud policy in the cross-tenant access policy. A partner policy is created for each external tenant. Currently, the configuration for all external tenants is contained in one policy with a 25KB size limit. |
+|**Policy enforcement limitation** | Manage corporate proxies by adding tenants to the Microsoft Entra traffic allowlist. The character limit of the header value in Restrict-Access-To-Tenants: `<allowed-tenant-list>` limits the number of tenants that can be added. | Managed by a cloud policy in the cross-tenant access policy. A partner policy is created for each external tenant. Currently, the configuration for all external tenants is contained in one policy with a 25KB size limit. |
|**Malicious tenant requests** | Microsoft Entra ID blocks malicious tenant authentication requests to provide authentication plane protection. | Microsoft Entra ID blocks malicious tenant authentication requests to provide authentication plane protection. | |**Granularity** | Limited. | Tenant, user, group, and application granularity. (User-level granularity isn't supported with Microsoft Accounts.) | |**Anonymous access** | Anonymous access to Teams meetings and file sharing is allowed. | Anonymous access to Teams meetings is blocked. Access to anonymously shared resources (ΓÇ£Anyone with the linkΓÇ¥) is blocked. |
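Review bot: The edited cell now says "Microsoft Entra traffic allowlist" while the first row of the same column keeps "Microsoft Entra ID control plane"; both describe proxy-based v1 enforcement, so use one form. The rest of the cell is the useful security detail of this row: the v1 limit is the character length of the `Restrict-Access-To-Tenants: <allowed-tenant-list>` header value, whereas v2 is bounded by the 25KB policy document; keep those two limits adjacent so readers comparing versions see why v2 scales.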
to this tenant restrictions v2 header:
`sec-Restrict-Tenant-Access-Policy: <DirectoryID>:<policyGUID>`
-where `<DirectoryID>` is your Azure AD tenant ID and `<policyGUID>` is the object ID for your cross-tenant access policy.
+where `<DirectoryID>` is your Microsoft Entra tenant ID and `<policyGUID>` is the object ID for your cross-tenant access policy.
#### Tenant restrictions v1 settings on the corporate proxy
You can configure the corporate proxy to enable client-side tagging of the tenan
`sec-Restrict-Tenant-Access-Policy: <DirectoryID>:<policyGUID>`
-where `<DirectoryID>` is your Azure AD tenant ID and `<policyGUID>` is the object ID for your cross-tenant access policy. For details, see [Set up tenant restrictions v2 on your corporate proxy](#option-2-set-up-tenant-restrictions-v2-on-your-corporate-proxy)
+where `<DirectoryID>` is your Microsoft Entra tenant ID and `<policyGUID>` is the object ID for your cross-tenant access policy. For details, see [Set up tenant restrictions v2 on your corporate proxy](#option-2-set-up-tenant-restrictions-v2-on-your-corporate-proxy)
You can configure server-side cloud tenant restrictions v2 policies by following the steps at [Step 2: Configure tenant restrictions v2 for specific partners](#step-2-configure-tenant-restrictions-v2-for-specific-partners). Be sure to follow these guidelines:
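Review bot: The `+` line ends without a period after the link "[Set up tenant restrictions v2 on your corporate proxy](#option-2-set-up-tenant-restrictions-v2-on-your-corporate-proxy)"; the otherwise identical sentence in the previous hunk is punctuated, so add one here.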
You can configure server-side cloud tenant restrictions v2 policies by following
>Blocking the MSA tenant will not block user-less traffic for devices, including: > >- Traffic for Autopilot, Windows Update, and organizational telemetry.
->- B2B authentication of consumer accounts, or "passthrough" authentication, where Azure apps and Office.com apps use Azure AD to sign in consumer users in a consumer context.
+>- B2B authentication of consumer accounts, or "passthrough" authentication, where Azure apps and Office.com apps use Microsoft Entra ID to sign in consumer users in a consumer context.
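Review bot: This note carries the security-relevant caveat of the section: blocking the MSA tenant does not block user-less device traffic (Autopilot, Windows Update, telemetry) or consumer "passthrough" sign-ins through Microsoft Entra ID. Consider promoting it into the guidelines list that precedes the note, since an admin skimming the guidelines may otherwise assume an MSA block is total.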
#### Tenant restrictions v2 with no support for break and inspect
active-directory Add Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-custom-domain.md
# Add your custom domain name to your tenant
-Microsoft Entra tenants come with an initial domain name like, `domainname.onmicrosoft.com`. You can't change or delete the initial domain name, but you can add your organization's names. Adding custom domain names helps you to create user names that are familiar to your users, such as `alain@contoso.com`.
+Microsoft Entra tenants come with an initial domain name like, `domainname.onmicrosoft.com`. You can't change or delete the initial domain name, but you can add your organization's name to the initial domain. By adding your custom domain name, you can then add user names that are familiar to your users, such as `alain@contoso.com`.
## Before you begin
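Review bot: The rewritten sentence "you can add your organization's name to the initial domain" contradicts the clause before it (the initial `.onmicrosoft.com` name can't be changed) and the article title; what is added is a custom domain name to the tenant, not a change to the initial domain. Suggest: "You can't change or delete the initial domain name, but you can add your organization's custom domain name to the tenant." Also drop the stray comma in "like, `domainname.onmicrosoft.com`".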
For more information about subscription roles, see [Azure roles](../../role-base
After you create your directory, you can add your custom domain name. > [!IMPORTANT]
-> When updating domain information, you may be unable to complete the process and encounter a HTTP 500 Internal Server Error message. Under some conditions, this error may be expected. This message may appear if you try to use a protected DNS suffix. Protected DNS suffixes may only be used by Microsoft. If you believe that this operation should have been completed successfully, please contact your Microsoft representative for assistance.
+> When updating domain information, you may be unable to complete the process and encounter a HTTP 500 Internal Server Error message. Under some conditions, this error may be expected. This message may appear if you try to use a protected DNS suffix. Protected DNS suffixes may only be used by Microsoft. If you believe that this operation should have been completed successfully, please contact your Microsoft representative for assistance.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Domain Name Administrator](../roles/permissions-reference.md#domain-name-administrator).
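Review bot: The `-` and `+` lines of this hunk render identically, so the change is whitespace-only. Both keep "a HTTP 500 Internal Server Error", which should be "an HTTP 500"; worth fixing while the line is being touched.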
active-directory Add Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/add-users.md
When a user is deleted, any licenses consumed by the user are made available for
After you've added your users, you can do the following basic processes: - [Add or change profile information](./how-to-manage-user-profile-info.md)- - [Assign roles to users](./how-subscriptions-associated-directory.md)- - [Create a basic group and add members](./how-to-manage-groups.md)- - [Work with dynamic groups and users](../enterprise-users/groups-create-rule.md)- - [Add guest users from another directory](../external-identities/what-is-b2b.md)
active-directory Concept Learn About Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-learn-about-groups.md
# Learn about groups and access rights in Microsoft Entra ID
-Microsoft Entra ID provides several ways to manage access to resources, applications, and tasks. With Microsoft Entra groups, you can grant access and permissions to a group of users instead of for each individual user. Limiting access to Microsoft Entra resources to only those users who need access is one of the core security principles of [Zero Trust](/security/zero-trust/zero-trust-overview). This article provides an overview of how groups and access rights can be used together to make managing your Microsoft Entra users easier while also applying security best practices.
+Microsoft Entra ID provides several ways to manage access to resources, applications, and tasks. With Microsoft Entra groups, you can grant access and permissions to a group of users instead of for each individual user. Limiting access to Microsoft Entra resources to only those users who need access is one of the core security principles of [Zero Trust](/security/zero-trust/zero-trust-overview).
+
+This article provides an overview of how groups and access rights can be used together to make managing your Microsoft Entra users easier while also applying security best practices.
Microsoft Entra ID lets you use groups to manage access to applications, data, and resources. Resources can be:
After a user requests to join a group, the request is forwarded to the group own
## Next steps - [Create and manage Microsoft Entra groups and group membership](how-to-manage-groups.md)- - [Learn about group-based licensing in Microsoft Entra ID](./licensing-whatis-azure-portal.md)- - [Manage access to SaaS apps using groups](../enterprise-users/groups-saasapps.md)- - [Manage dynamic rules for users in a group](../enterprise-users/groups-create-rule.md)- - [Learn about Privileged Identity Management for Microsoft Entra roles](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md)
active-directory Concept Secure Remote Workers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/concept-secure-remote-workers.md
# Secure your organization's identities with Microsoft Entra ID
-It can seem daunting trying to secure your workers in today's world, especially when you have to respond rapidly and provide access to many services quickly. This article is meant to provide a concise list of all the actions to take, helping you identify and prioritize which order to deploy the Microsoft Entra features based on the license type you own. Microsoft Entra ID offers many features and provides many layers of security for your Identities, navigating which feature is relevant can sometimes be overwhelming. This document is intended to help organizations deploy services quickly, with secure identities as the primary consideration.
+It can seem daunting trying to secure your workers in today's world, especially when you have to respond rapidly and provide access to many services quickly. This article is meant to provide a concise list of all the actions to take, helping you identify and prioritize which order to deploy the Microsoft Entra features based on the license type you own.
+
+Microsoft Entra ID offers many features and provides many layers of security for your Identities, navigating which feature is relevant can sometimes be overwhelming. This document is intended to help organizations deploy services quickly, with secure identities as the primary consideration.
Each table provides a consistent security recommendation, protecting identities from common security attacks while minimizing user friction. The guidance helps: -- Configure access to SaaS and on-premises applications in a secure and protected manner.-- Both cloud and hybrid identities.-- Users working remotely or in the office.
+- Configure access to SaaS and on-premises applications in a secure and protected manner
+- Both cloud and hybrid identities
+- Users working remotely or in the office
## Prerequisites
-This guide assumes that your cloud only or hybrid identities have been established in Microsoft Entra ID already. For help with choosing your identity type see the article, [Choose the right authentication method for your Microsoft Entra hybrid identity solution](../hybrid/connect/choose-ad-authn.md)
+This guide assumes that your cloud only or hybrid identities have been established in Microsoft Entra ID already. For help with choosing your identity type see the article, [Choose the right authentication method for your Microsoft Entra hybrid identity solution](../hybrid/connect/choose-ad-authn.md).
### Guided walkthrough
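Review bot: The second paragraph created by the split is a comma splice: "Microsoft Entra ID offers many features and provides many layers of security for your Identities, navigating which feature is relevant can sometimes be overwhelming." Split it ("...for your identities. Navigating which feature is relevant...") and lowercase "identities". The new bullet list after "The guidance helps:" is also not parallel: the first item is a verb phrase ("Configure access to SaaS and on-premises applications...") while the next two are noun phrases ("Both cloud and hybrid identities", "Users working remotely or in the office"); rephrase the lead-in (for example "The guidance covers:") or the items so they read as one list.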
For a guided walkthrough of many of the recommendations in this article, see the
<a name='guidance-for-azure-ad-free-office-365-or-microsoft-365-customers'></a>
-## Guidance for Microsoft Entra ID Free, Office 365, or Microsoft 365 customers.
+## Guidance for Microsoft Entra ID Free, Office 365, or Microsoft 365 customers
There are many recommendations that Microsoft Entra ID Free, Office 365, or Microsoft 365 app customers should take to protect their user identities. The following table is intended to highlight key actions for the following license subscriptions:
There are many recommendations that Microsoft Entra ID Free, Office 365, or Micr
| Recommended action | Detail | | | |
-| [Enable Security Defaults](security-defaults.md) | Protect all user identities and applications by enabling MFA and blocking legacy authentication |
-| [Enable Password Hash Sync](../hybrid/connect/how-to-connect-password-hash-synchronization.md) (if using hybrid identities) | Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials.) |
+| [Enable Security Defaults](security-defaults.md) | Protect all user identities and applications by enabling MFA and blocking legacy authentication. |
+| [Enable Password Hash Sync](../hybrid/connect/how-to-connect-password-hash-synchronization.md) (if using hybrid identities) | Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials). |
| [Enable ADFS smart lock out](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection) (If applicable) | Protects your users from experiencing extranet account lockout from malicious activity. | | [Enable Microsoft Entra smart lockout](../authentication/howto-password-smart-lockout.md) (if using managed identities) | Smart lockout helps to lock out bad actors who are trying to guess your users' passwords or use brute-force methods to get in. | | [Disable end-user consent to applications](../manage-apps/configure-user-consent.md) | The admin consent workflow gives admins a secure way to grant access to applications that require admin approval so end users don't expose corporate data. Microsoft recommends disabling future user consent operations to help reduce your surface area and mitigate this risk. |
-| [Integrate supported SaaS applications from the gallery to Microsoft Entra ID and enable Single sign on](../manage-apps/add-application-portal.md) | Microsoft Entra ID has a gallery that contains thousands of preintegrated applications. Some of the applications your organization uses are probably in the gallery accessible directly from the Azure portal. Provide access to corporate SaaS applications remotely and securely with improved user experience (SSO) |
+| [Integrate supported SaaS applications from the gallery to Microsoft Entra ID and enable Single sign on](../manage-apps/add-application-portal.md) | Microsoft Entra ID has a gallery that contains thousands of preintegrated applications. Some of the applications your organization uses are probably in the gallery accessible directly from the Azure portal. Provide access to corporate SaaS applications remotely and securely with improved user experience (SSO). |
| [Automate user provisioning and deprovisioning from SaaS Applications](../app-provisioning/user-provisioning.md) (if applicable) | Automatically create user identities and roles in the cloud (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change, increasing your organization's security. | | [Enable Secure hybrid access: Secure legacy apps with existing app delivery controllers and networks](../manage-apps/secure-hybrid-access.md) (if applicable) | Publish and protect your on-premises and cloud legacy authentication applications by connecting them to Microsoft Entra ID with your existing application delivery controller or network. | | [Enable self-service password reset](../authentication/tutorial-enable-sspr.md) (applicable to cloud only accounts) | This ability reduces help desk calls and loss of productivity when a user can't sign into their device or an application. |
There are many recommendations that Microsoft Entra ID Free, Office 365, or Micr
<a name='guidance-for-azure-ad-premium-plan-1-customers'></a>
-## Guidance for Microsoft Entra ID P1 customers.
+## Guidance for Microsoft Entra ID P1 customers
The following table is intended to highlight the key actions for the following license subscriptions:
The following table is intended to highlight the key actions for the following l
| | | | [Create more than one Global Administrator](../roles/security-emergency-access.md) | Assign at least two cloud-only permanent Global Administrator accounts for use in an emergency. These accounts aren't to be used daily and should have long and complex passwords. | | [Enable combined registration experience for Microsoft Entra multifactor authentication and SSPR to simplify user registration experience](../authentication/howto-registration-mfa-sspr-combined.md) | Allow your users to register from one common experience for both Microsoft Entra multifactor authentication and self-service password reset. |
-| [Configure MFA settings for your organization](../authentication/howto-mfa-getstarted.md) | Ensure accounts are protected from being compromised with multifactor authentication |
-| [Enable self-service password reset](../authentication/tutorial-enable-sspr.md) | This ability reduces help desk calls and loss of productivity when a user can't sign into their device or an application |
+| [Configure MFA settings for your organization](../authentication/howto-mfa-getstarted.md) | Ensure accounts are protected from being compromised with multifactor authentication. |
+| [Enable self-service password reset](../authentication/tutorial-enable-sspr.md) | This ability reduces help desk calls and loss of productivity when a user can't sign into their device or an application. |
| [Implement Password Writeback](../authentication/tutorial-enable-sspr-writeback.md) (if using hybrid identities) | Allow password changes in the cloud to be written back to an on-premises Windows Server Active Directory environment. | | Create and enable Conditional Access policies | [MFA for admins to protect accounts that are assigned administrative rights.](../conditional-access/howto-conditional-access-policy-admin-mfa.md) <br><br> [Block legacy authentication protocols due to the increased risk associated with legacy authentication protocols.](../conditional-access/howto-conditional-access-policy-block-legacy.md) <br><br> [MFA for all users and applications to create a balanced MFA policy for your environment, securing your users and applications.](../conditional-access/howto-conditional-access-policy-all-users-mfa.md) <br><br> [Require MFA for Azure Management to protect your privileged resources by requiring multifactor authentication for any user accessing Azure resources.](../conditional-access/howto-conditional-access-policy-azure-management.md) | | [Enable Password Hash Sync](../hybrid/connect/how-to-connect-password-hash-synchronization.md) (if using hybrid identities) | Provide redundancy for authentication and improve security (including Smart Lockout, IP Lockout, and the ability to discover leaked credentials.) |
The following table is intended to highlight the key actions for the following l
| [Use least privileged roles where possible](../roles/permissions-reference.md) | Give your administrators only the access they need to only the areas they need access to. Not all administrators need to be Global Administrators. | | [Enable Microsoft's password guidance](https://www.microsoft.com/research/publication/password-guidance/) | Stop requiring users to change their password on a set schedule, disable complexity requirements, and your users are more apt to remember their passwords and keep them something that is secure. | | [Create an organization specific custom banned password list](../authentication/tutorial-configure-custom-password-protection.md) | Prevent users from creating passwords that include common words or phrases from your organization or area. |
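Review bot: the `Enable Password Hash Sync` row in the unchanged context line after this hunk still ends with `leaked credentials.) |`, whereas the identical row in the Free/Office 365 table earlier in this patch was changed to `leaked credentials). |`. Apply the same punctuation fix to the P1 table so the two copies of the row stay in sync.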
-| [Deploy passwordless authentication methods for your users](../authentication/concept-authentication-passwordless.md) | Provide your users with convenient passwordless authentication methods |
+| [Deploy passwordless authentication methods for your users](../authentication/concept-authentication-passwordless.md) | Provide your users with convenient passwordless authentication methods. |
| [Create a plan for guest user access](../external-identities/what-is-b2b.md) | Collaborate with guest users by letting them sign into your apps and services with their own work, school, or social identities. | <a name='guidance-for-azure-ad-premium-plan-2-customers'></a>
-## Guidance for Microsoft Entra ID P2 customers.
+## Guidance for Microsoft Entra ID P2 customers
The following table is intended to highlight the key actions for the following license subscriptions:
The following table is intended to highlight the key actions for the following l
| | | | [Create more than one Global Administrator](../roles/security-emergency-access.md) | Assign at least two cloud-only permanent Global Administrator accounts for use in an emergency. These accounts aren't to be used daily and should have long and complex passwords. | | [Enable combined registration experience for Microsoft Entra multifactor authentication and SSPR to simplify user registration experience](../authentication/howto-registration-mfa-sspr-combined.md) | Allow your users to register from one common experience for both Microsoft Entra multifactor authentication and self-service password reset. |
-| [Configure MFA settings for your organization](../authentication/howto-mfa-getstarted.md) | Ensure accounts are protected from being compromised with multifactor authentication |
-| [Enable self-service password reset](../authentication/tutorial-enable-sspr.md) | This ability reduces help desk calls and loss of productivity when a user can't sign into their device or an application |
+| [Configure MFA settings for your organization](../authentication/howto-mfa-getstarted.md) | Ensure accounts are protected from being compromised with multifactor authentication. |
+| [Enable self-service password reset](../authentication/tutorial-enable-sspr.md) | This ability reduces help desk calls and loss of productivity when a user can't sign into their device or an application. |
| [Implement Password Writeback](../authentication/tutorial-enable-sspr-writeback.md) (if using hybrid identities) | Allow password changes in the cloud to be written back to an on-premises Windows Server Active Directory environment. | | [Enable Identity Protection policies to enforce MFA registration](../identity-protection/howto-identity-protection-configure-mfa-policy.md) | Manage the roll-out of Microsoft Entra multifactor authentication. | | [Enable Identity Protection user and sign-in risk policies](../identity-protection/howto-identity-protection-configure-risk-policies.md) | Enable Identity Protection User and Sign-in policies. The recommended sign-in policy is to target medium risk sign-ins and require MFA. For User policies, you should target high risk users requiring the password change action. |
The following table is intended to highlight the key actions for the following l
| [Create an organization specific custom banned password list](../authentication/tutorial-configure-custom-password-protection.md) | Prevent users from creating passwords that include common words or phrases from your organization or area. | | [Deploy passwordless authentication methods for your users](../authentication/concept-authentication-passwordless.md) | Provide your users with convenient passwordless authentication methods | | [Create a plan for guest user access](../external-identities/what-is-b2b.md) | Collaborate with guest users by letting them sign into your apps and services with their own work, school, or social identities. |
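Review bot: the `Deploy passwordless authentication methods for your users` row in the context line after this hunk still reads `convenient passwordless authentication methods |` with no trailing period, although the P1 table earlier in this patch added one to the same row. Add the period here as well so the P2 table matches.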
-| [Enable Privileged Identity Management](../privileged-identity-management/pim-configure.md) | Enables you to manage, control, and monitor access to important resources in your organization, ensuring admins have access only when needed and with approval |
+| [Enable Privileged Identity Management](../privileged-identity-management/pim-configure.md) | Enables you to manage, control, and monitor access to important resources in your organization, ensuring admins have access only when needed and with approval. |
| [Complete an access review for Microsoft Entra directory roles in PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md) | Work with your security and leadership teams to create an access review policy to review administrative access based on your organization's policies. | [!INCLUDE [active-directory-zero-trust](../../../includes/active-directory-zero-trust.md)]
active-directory Create New Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/create-new-tenant.md
You can do all of your administrative tasks using the Microsoft Entra admin center, including creating a new tenant for your organization.
-In this quickstart, you'll learn how to get to the Azure portal and Microsoft Entra ID, and you'll learn how to create a basic tenant for your organization.
+In this quickstart article, you'll learn how to get to the Azure portal and Microsoft Entra ID, and you'll learn how to create a basic tenant for your organization.
If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.
After you sign in to the [Azure portal](https://portal.azure.com), you can creat
1. From the Azure portal menu, select **Microsoft Entra ID**.
-1. On the overview page, select **Manage tenants**
+1. On the overview page, select **Manage tenants**.
1. Select **Create**.
After you sign in to the [Azure portal](https://portal.azure.com), you can creat
1. On the Basics tab, select the type of tenant you want to create, either **Microsoft Entra ID** or **Microsoft Entra ID (B2C)**.
-1. Select **Next: Configuration** to move on to the Configuration tab.
+1. Select **Next: Configuration** to move to the Configuration tab.
1. On the Configuration tab, enter the following information:
After you sign in to the [Azure portal](https://portal.azure.com), you can creat
- Type your desired Initial domain name (for example _Contosoorg_) into the **Initial domain name** box. - Select your desired Country/Region or leave the _United States_ option in the **Country or region** box.
-1. Select **Next: Review + Create**. Review the information you entered and if the information is correct, select **create**.
+1. Select **Next: Review + Create**. Review the information you entered and if the information is correct, select **Create** in the lower left corner.
Your new tenant is created with the domain contoso.onmicrosoft.com.
If you're not going to continue to use this application, you can delete the tena
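Review bot: the added `in the lower left corner` ties the step to a specific portal layout that can move between releases; the capitalization fix to `**Create**` is the useful part of this change and stands on its own. Separately, the surrounding context is inconsistent about the example domain: the Configuration step suggests `_Contosoorg_` as the initial domain name, while the result line says `Your new tenant is created with the domain contoso.onmicrosoft.com.` Pick one value (for example `contosoorg.onmicrosoft.com`) so the walkthrough is self-consistent.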
## Next steps -- Change or add other domain names, see [How to add a custom domain name to Microsoft Entra ID](add-custom-domain.md)
+- Change or add other domain names, see [How to add a custom domain name to Microsoft Entra ID](add-custom-domain.md).
- Add users, see [Add or delete a new user](./add-users.md) -- Add groups and members, see [Create a basic group and add members](./how-to-manage-groups.md)
+- Add groups and members, see [Create a basic group and add members](./how-to-manage-groups.md).
- Learn about [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) and [Conditional Access](../conditional-access/overview.md) to help manage your organization's application and resource access.
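Review bot: this hunk adds trailing periods to the first and third `Next steps` items but leaves the middle one, `- Add users, see [Add or delete a new user](./add-users.md)`, without one; add the period there too so the list is consistent.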
active-directory Custom Security Attributes Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/custom-security-attributes-overview.md
For more information about working with extensions, see [Add custom data to reso
Check that you are assigned the [Attribute Definition Administrator](../roles/permissions-reference.md#attribute-definition-administrator) or [Attribute Assignment Administrator](../roles/permissions-reference.md#attribute-assignment-administrator) roles. If not, check with your administrator to assign you the appropriate role at tenant scope or attribute set scope. By default, [Global Administrator](../roles/permissions-reference.md#global-administrator) and other administrator roles do not have permissions to read, define, or assign custom security attributes. If necessary, a Global Administrator can assign these roles to themselves.
- ![Diagram showing checking permissions to add custom security attributes in Azure AD.](./media/custom-security-attributes-overview/attributes-permissions.png)
+ ![Diagram showing checking permissions to add custom security attributes in Microsoft Entra ID.](./media/custom-security-attributes-overview/attributes-permissions.png)
1. **Add attribute sets**
Depending on whether you have a Microsoft Entra ID P1 or P2 license, here are th
## License requirements ## Next steps
active-directory Data Operational Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-operational-considerations.md
# Data operational considerations
-In this article, learn about data operational considerations for your configuration. There's information about how log files and other features work in relation to Microsoft Entra ID, such as usage data and operator security. YouΓÇÖll learn about physical security considerations in addition to guidance on how the Microsoft Entra ID team defines deployments and change.
+In this article, learn about data operational considerations for your configuration. There's information about how log files and other features work in relation to Microsoft Entra ID, such as usage data and operator security. YouΓÇÖll learn about physical security considerations in addition to guidance on how the Microsoft Entra team defines deployments and change.
## Log files
Learn more: [Azure facilities, premises, and physical security](../../security/f
## Change control process
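Review bot: both sides of this hunk contain `YouΓÇÖll`, which is a UTF-8 right single quotation mark rendered through a Windows-1252 decoding; since the line is being edited anyway, replace the curly apostrophe with a plain ASCII `'` (`You'll`) so the rendering does not depend on file encoding.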
-To roll out changes to the service across data centers, the Microsoft Entra ID team defines the layers of a deployment environment. Applying the change layers is constrained by strict exit criteria. The amount of time to roll a change across layers is defined by the operations team and is based on potential effects. Typically a rollout takes between 1 to 2 weeks. Critical changes, such as security fixes or hot fixes, can be deployed faster. If a change doesn't meet the exit criteria when applied to a deployment layer, it's rolled back to the prior, stable state.
+To roll out changes to the service across data centers, the Microsoft Entra team defines the layers of a deployment environment. Applying the change layers is constrained by strict exit criteria. The amount of time to roll a change across layers is defined by the operations team and is based on potential effects. Typically a rollout takes between 1 to 2 weeks. Critical changes, such as security fixes or hot fixes, can be deployed faster. If a change doesn't meet the exit criteria when applied to a deployment layer, it's rolled back to the prior, stable state.
## Resources
To roll out changes to the service across data centers, the Microsoft Entra ID t
## Next steps * [Microsoft Entra ID and data residency](data-residency.md)- * [Data operational considerations](data-operational-considerations.md) (You're here) * [Data protection considerations](data-protection-considerations.md)
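Review bot: the renamed line in this hunk still reads `Typically a rollout takes between 1 to 2 weeks`, which mixes two constructions; use either `between 1 and 2 weeks` or `1 to 2 weeks`. A comma after `Typically` would also help.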
active-directory Data Protection Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-protection-considerations.md
The security tokens are issued by the Microsoft Entra authentication Services. I
**Application Access**: Because applications can access the Application Programming Interfaces (APIs) without user context, the access check includes information about the userΓÇÖs application and the scope of access requested, for example read only, read/write, etc. Many applications use OpenID Connect or OAuth to obtain tokens to access the directory on behalf of the user. These applications must be explicitly granted access to the directory or they won't receive a token from Microsoft Entra authentication Service, and they access data from the granted scope.
-**Auditing**: Access is audited. For example, authorized actions such as create user and password reset create an audit trail that can be used by a tenant administrator to manage compliance efforts or investigations. Tenant administrators can generate audit reports by using the Microsoft Entra ID audit API.
+**Auditing**: Access is audited. For example, authorized actions such as create user and password reset create an audit trail that can be used by a tenant administrator to manage compliance efforts or investigations. Tenant administrators can generate audit reports by using the Microsoft Entra audit API.
Learn more: [Audit logs in Microsoft Entra ID](../reports-monitoring/concept-audit-logs.md)
For more information about Secret encryption at rest, see the following table.
## Next steps * [Microsoft Entra ID and data residency](data-residency.md) - * [Data operational considerations](data-operational-considerations.md) * [Data protection considerations](data-protection-considerations.md) (You're here)
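Review bot: the context line immediately before this hunk has the same mis-encoded apostrophe (`userΓÇÖs`) seen elsewhere in this patch, and the two context lines above disagree on the service name (`Microsoft Entra authentication Services` versus `Microsoft Entra authentication Service`); since this hunk already touches naming (`Microsoft Entra audit API`), it is the natural place to settle on one form and fix the apostrophe.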
active-directory Data Residency https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-residency.md
The Core Store is made up of tenants stored in scale units, each of which contai
Learn more: [Microsoft Entra Core Store Scale Units](https://www.youtube.com/watch?v=OcKO44GtHh8)
-Microsoft Entra ID is available in the following clouds
+Microsoft Entra ID is available in the following clouds:
* Public * China
For more information on data residency in Microsoft Cloud offerings, see the fol
## Next steps * [Microsoft Entra ID and data residency](data-residency.md) (You're here)- * [Data operational considerations](data-operational-considerations.md) * [Data protection considerations](data-protection-considerations.md)
active-directory Data Storage Australia https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-storage-australia.md
All other Microsoft Entra services store customer data in global datacenters. To
## Microsoft Entra multifactor authentication
-MFA stores Identity Customer Data in global datacenters. To learn more about the user information collected and stored by cloud-based Microsoft Entra multifactor authentication and Microsoft Entra multifactor authentication Server, see [Microsoft Entra multifactor authentication user data collection](../authentication/concept-mfa-data-residency.md).
+MFA stores Identity Customer Data in global datacenters. To learn more about the user information collected and stored by cloud-based Microsoft Entra multifactor authentication and Azure Multi-Factor Authentication Server, see [Microsoft Entra multifactor authentication user data collection](../authentication/concept-mfa-data-residency.md).
## Next steps
active-directory Data Storage Eu https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/data-storage-eu.md
# Customer data storage and processing for European customers in Microsoft Entra ID
-Microsoft Entra stores customer data in a geographic location based on how a tenant was created and provisioned. The following list provides information about how the location is defined:
+Microsoft Entra ID stores customer data in a geographic location based on how a tenant was created and provisioned. The following list provides information about how the location is defined:
* **Microsoft Entra admin center or Microsoft Entra API** - A customer selects a location from the pre-defined list. * **Dynamics 365 and Power Platform** - A customer provisions their tenant in a pre-defined location.
-* **EU Data Residency** - For customers who provided a location in Europe, Microsoft Entra stores most of the customer data in Europe, except where noted later in this article.
-* **EU Data Boundary** - For customers who provided a location that is within the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations) (members of the EU and EFTA), Microsoft Entra stores and processes most of the customer data in the EU Data Boundary, except where noted later in this article.
+* **EU Data Residency** - For customers who provided a location in Europe, Microsoft Entra ID stores most of the customer data in Europe, except where noted later in this article.
+* **EU Data Boundary** - For customers who provided a location that is within the [EU Data Boundary](/privacy/eudb/eu-data-boundary-learn#eu-data-boundary-countries-and-datacenter-locations) (members of the EU and EFTA), Microsoft Entra ID stores and processes most of the customer data in the EU Data Boundary, except where noted later in this article.
* **Microsoft 365** - The location is based on a customer provided billing address. The following sections provide information about customer data that doesn't meet the EU Data Residency or EU Data Boundary commitments.
See more information on optional service capabilities that transfer customer dat
### Other EU Data Boundary online services
-Services and applications that integrate with Microsoft Entra have access to customer data. Review how each service and application stores and processes customer data, and verify that they meet your company's data handling requirements.
+Services and applications that integrate with Microsoft Entra ID have access to customer data. Review how each service and application stores and processes customer data, and verify that they meet your company's data handling requirements.
## Next steps
active-directory Five Steps To Full Application Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/five-steps-to-full-application-integration.md
Last updated 03/01/2023
# Five steps to integrate your apps with Microsoft Entra ID
-Learn to integrate your applications with Microsoft Entra ID, which is a cloud-based identity and access management service. Organizations use Microsoft Entra ID for secure authentication and authorization so customers, partners, and employees can access applications. With Microsoft Entra ID, features such as Conditional Access, Microsoft Entra multifactor authentication, single sign-on, and application provisioning make identity and access management easier to manage and more secure.
+Learn to integrate your applications with Microsoft Entra ID, which is a cloud-based identity and access management service. Organizations use Microsoft Entra ID for secure authentication and authorization so customers, partners, and employees can access applications.
+
+With Microsoft Entra ID, features such as Conditional Access, Microsoft Entra multifactor authentication, single sign-on, and application provisioning make identity and access management easier to manage and more secure.
Learn more:
Learn more:
When your business acquires new applications, add them to the Microsoft Entra tenant. Establish a company policy of adding new apps to Microsoft Entra ID.
-See, [Quickstart: Add an enterprise application](../manage-apps/add-application-portal.md)
+See: [Quickstart: Add an enterprise application](../manage-apps/add-application-portal.md)
-Microsoft Entra ID has a gallery of integrated applications to make it easy to get started. Add a gallery app to your Microsoft Entra organization (see, previous link) and learn about integrating software as a service (SaaS) tutorials.
+Microsoft Entra ID has a gallery of integrated applications to make it easy to get started. Add a gallery app to your Microsoft Entra organization (see previous link) and learn about integrating software as a service (SaaS) tutorials.
-See, [Tutorials for integrating SaaS applications with Microsoft Entra ID](../saas-apps/tutorial-list.md)
+See: [Tutorials for integrating SaaS applications with Microsoft Entra ID](../saas-apps/tutorial-list.md)
### Integration tutorials Use the following tutorials to learn to integrate common tools with Microsoft Entra single sign-on (SSO).
-* [Tutorial: Microsoft Entra SSO integration with ServiceNow](../saas-apps/servicenow-tutorial.md)
-* [Tutorial: Microsoft Entra SSO integration with Workday](../saas-apps/workday-tutorial.md)
-* [Tutorial: Microsoft Entra SSO integration with Salesforce](../saas-apps/salesforce-tutorial.md)
-* [Tutorial: Microsoft Entra SSO integration with AWS Single-Account Access](../saas-apps/amazon-web-service-tutorial.md)
-* [Tutorial: Microsoft Entra SSO integration with Slack](../saas-apps/slack-tutorial.md)
+* Tutorial: [Microsoft Entra SSO integration with ServiceNow](../saas-apps/servicenow-tutorial.md)
+* Tutorial: [Microsoft Entra SSO integration with Workday](../saas-apps/workday-tutorial.md)
+* Tutorial: [Microsoft Entra SSO integration with Salesforce](../saas-apps/salesforce-tutorial.md)
+* Tutorial: [Microsoft Entra SSO integration with AWS Single-Account Access](../saas-apps/amazon-web-service-tutorial.md)
+* Tutorial: [Microsoft Entra SSO integration with Slack](../saas-apps/slack-tutorial.md)
### Apps not in the gallery
Learn more:
In addition, use the Active Directory Federation Services (AD FS) in the Azure portal to discover AD FS apps in your organization. Discover unique users that signed in to the apps, and see information about integration compatibility.
-See, [Review the application activity report](../manage-apps/migrate-adfs-application-activity.md)
+See: [Review the application activity report](../manage-apps/migrate-adfs-application-activity.md)
### Application migration
After you discover apps in your environment, prioritize the apps to migrate and
- Apps to be decommissioned, therefore not in migration - Apps that stay on-premises
-See, [Resources for migrating applications to Microsoft Entra ID](../manage-apps/migration-resources.md)
+See: [Resources for migrating applications to Microsoft Entra ID](../manage-apps/migration-resources.md)
## Integrate apps and identity providers
During discovery, there might be applications not tracked by the IT team, which
* Reduce on-premises user set-up, authentication, and IdP licensing fees * Lower administrative overhead with streamlined identity and access management process * Enable single sign-on (SSO) access to applications in the My Apps portal
- * See, [Create collections on the My Apps portal](../manage-apps/access-panel-collections.md)
+ * See: [Create collections on the My Apps portal](../manage-apps/access-panel-collections.md)
* Use Identity Protection and Conditional Access to increase data from app usage, and extend benefits to recently added apps * [What is Identity Protection?](../identity-protection/overview-identity-protection.md) * [What is Conditional Access?](../conditional-access/overview.md)
To help manage app integration with Microsoft Entra ID, use the following materi
You can download:
-* Zip file, [Editable Microsoft Entra App Integration One-Pager](https://aka.ms/AppOnePager)
-* Microsoft PowerPoint presentation, [Microsoft Entra application integration guidelines](https://aka.ms/AppGuideline)
+* Zip file: [Editable Microsoft Entra App Integration One-Pager](https://aka.ms/AppOnePager)
+* Microsoft PowerPoint presentation: [Microsoft Entra application integration guidelines](https://aka.ms/AppGuideline)
### Active Directory Federation Services
Learn more:
See the following diagram of app authentication simplified by Microsoft Entra ID.
- ![Diagram of app authentication with Azure AD.](./media/five-steps-to-full-application-integration/integration-2.png)
+ ![Diagram of app authentication with Microsoft Entra ID.](./media/five-steps-to-full-application-integration/integration-2.png)
After Microsoft Entra ID is the central IdP, you might be able to discontinue ADFS.
You can migrate apps that use a different cloud-based IdP. Your organization mig
Traditionally, application security enabled access during a connection to a corporate network. However, organization grant access to apps for customers, partners, and/or employees, regardless of location. Application Proxy Service in Microsoft Entra connects on-premises apps to Microsoft Entra ID and doesn't require edge servers or more infrastructure.
-See, [Using Microsoft Entra application proxy to publish on-premises apps for remote users](../app-proxy/what-is-application-proxy.md)
+See: [Using Microsoft Entra application proxy to publish on-premises apps for remote users](../app-proxy/what-is-application-proxy.md)
The following diagram illustrates Application Proxy Service processing a user request. ![Diagram of the Microsoft Entra application proxy Service processing a user request.](./media/five-steps-to-full-application-integration/app-proxy.png)
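Review bot: The paragraph just above this link still carries a subject-verb mismatch, "However, organization grant access to apps for customers, partners, and/or employees", which should read "However, organizations grant access to apps ..."; it is worth fixing in the same pass since the adjacent "See:" line is already being touched.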
-See, [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](../app-proxy/application-proxy-add-on-premises-application.md)
+See: [Tutorial: Add an on-premises application for remote access through Application Proxy in Microsoft Entra ID](../app-proxy/application-proxy-add-on-premises-application.md)
In addition, integrate application delivery controllers like F5 BIG-IP APM, or Zscaler Private Access, with Microsoft Entra ID. Benefits are modern authentication and identity management, traffic management, and security features. We call this solution secure hybrid access.
-See, [Secure hybrid access: Protect legacy apps with Microsoft Entra ID](../manage-apps/secure-hybrid-access.md)
+See: [Secure hybrid access: Protect legacy apps with Microsoft Entra ID](../manage-apps/secure-hybrid-access.md)
For the following services, there are Microsoft Entra integration tutorials.
active-directory Get Started Premium https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/get-started-premium.md
You can purchase and associate Microsoft Entra ID P1 or P2 editions with your Az
Before you sign up for Active Directory Premium 1 or Premium 2, you must first determine which of your existing subscription or plan to use: - Through your existing Azure or Microsoft 365 subscription- - Through your Enterprise Mobility + Security licensing plan- - Through a Microsoft Volume Licensing plan
+## Sign up options
+ Signing up using your Azure subscription with previously purchased and activated Microsoft Entra ID licenses, automatically activates the licenses in the same directory. If that's not the case, you must still activate your license plan and your Microsoft Entra ID access. For more information about activating your license plan, see [Activate your new license plan](#activate-your-new-license-plan). For more information about activating your Microsoft Entra ID access, see [Activate your Microsoft Entra ID access](#activate-your-azure-ad-access).
-## Sign up using your existing Azure or Microsoft 365 subscription
+### Sign up using your existing Azure or Microsoft 365 subscription
As an Azure or Microsoft 365 subscriber, you can purchase the Microsoft Entra ID P1 or P2 editions online. For detailed steps, see [Buy or remove licenses](/microsoft-365/commerce/licenses/buy-licenses?view=o365-worldwide&preserve-view=true).
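Review bot: The added paragraph under "+## Sign up options" has three issues. It begins with a stray leading space before "Signing up", which the renderer will carry into the output; the comma in "activated Microsoft Entra ID licenses, automatically activates the licenses" separates the subject from its verb and should be removed; and the second link's text reads "Activate your Microsoft Entra ID access" while its target is still `#activate-your-azure-ad-access`, so confirm which anchor the heading actually generates (a heading titled "Activate your Microsoft Entra ID access" would normally produce `#activate-your-microsoft-entra-id-access`) or the in-page link will not resolve.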
-## Sign up using your Enterprise Mobility + Security licensing plan
+### Sign up using your Enterprise Mobility + Security licensing plan
Enterprise Mobility + Security is a suite, comprised of Microsoft Entra ID P1 or P2, Azure Information Protection, and Microsoft Intune. If you already have an EMS license, you can get started with Microsoft Entra ID, using one of these licensing options:
For more information about EMS, see [Enterprise Mobility + Security web site](ht
- Purchase [Enterprise Mobility + Security E3 licenses](https://signup.microsoft.com/Signup?OfferId=4BBA281F-95E8-4136-8B0F-037D6062F54C&ali=1)
-## Sign up using your Microsoft Volume Licensing plan
+### Sign up using your Microsoft Volume Licensing plan
Through your Microsoft Volume Licensing plan, you can sign up for Microsoft Entra ID P1 or P2 using one of these two programs, based on the number of licenses you want to get: -- **For 250 or more licenses.** [Microsoft Enterprise Agreement](https://www.microsoft.com/en-us/licensing/licensing-programs/enterprise.aspx)
+- For 250 or more licenses, see [Microsoft Enterprise Agreement](https://www.microsoft.com/en-us/licensing/licensing-programs/enterprise.aspx).
-- **For 5 to 250 licenses.** [Open Volume License](https://www.microsoft.com/en-us/licensing/licensing-programs/open-license.aspx)
+- For 5 to 250 licenses, see [Open Volume License](https://www.microsoft.com/en-us/licensing/licensing-programs/open-license.aspx).
-For more information about volume licensing purchase options, see [How to purchase through Volume Licensing](https://www.microsoft.com/en-us/licensing/how-to-buy/how-to-buy.aspx).
+- For more information about volume licensing purchase options, see [How to purchase through Volume Licensing](https://www.microsoft.com/en-us/licensing/how-to-buy/how-to-buy.aspx).
## Activate your new license plan
If you signed up using a new Microsoft Entra ID license plan, you must activate
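Review bot: The third bullet added as "+- For more information about volume licensing purchase options, see [How to purchase through Volume Licensing]..." does not belong in this list: the lead sentence says "using one of these two programs", so the list should contain exactly the two programs (Enterprise Agreement and Open Volume License). Keep that pointer as a standalone paragraph after the list, as it was before the change.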
### To activate your license plan -- Open the confirmation email you received from Microsoft after you signed up, and then select either **Sign In** or **Sign Up**.
+1. Open the confirmation email you received from Microsoft after you signed up, and then select either **Sign In** or **Sign Up**.
- ![Confirmation email with sign in and sign up links](media/get-started-premium/MOLSEmail.png)
+ ![Confirmation email with sign in and sign up links](media/get-started-premium/MOLSEmail.png)
- - **Sign in.** Choose this link if you have an existing tenant, and then sign in using your existing administrator account. You must be a Global Administrator on the tenant where the licenses are being activated.
+1. Select **Sign in** or **Sign up**.
+ - **Sign in.** Choose this link if you have an existing tenant, and then sign in using your existing administrator account. You must be a Global Administrator on the tenant where the licenses are being activated.
- - **Sign up.** Choose this link if you want to open the **Create Account Profile** page and create a new Microsoft Entra tenant for your licensing plan.
+ - **Sign up.** Choose this link if you want to open the **Create Account Profile** page and create a new Microsoft Entra tenant for your licensing plan.
- ![Create account profile page, with sample information](media/get-started-premium/MOLSAccountProfile.png)
+ ![Create account profile page, with sample information](media/get-started-premium/MOLSAccountProfile.png)
When you're done, you'll see a confirmation box thanking you for activating the license plan for your tenant.
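Review bot: The new step "+1. Select **Sign in** or **Sign up**." repeats what step 1 already instructs ("select either **Sign In** or **Sign Up**"), and the two steps capitalize the link names differently. Either drop the new step and indent the two "Sign in." / "Sign up." sub-bullets under step 1, or shorten step 1 to "Open the confirmation email you received from Microsoft after you signed up." and let the new step carry the choice; in both cases use one casing for the link names so they match the email.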
active-directory How To Create Delete Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-create-delete-users.md
For more information abut the differences between internal and external guests a
Authentication methods vary based on the type of user you create. Internal guests and members have credentials in your Microsoft Entra tenant that can be managed by administrators. These users can also reset their own password. External members authenticate to their home Microsoft Entra tenant and your Microsoft Entra tenant authenticates the user through a federated sign-in with the external member's Microsoft Entra tenant. If external members forget their password, the administrator in their Microsoft Entra tenant can reset their password. External guests set up their own password using the link they receive in email when their account is created.
-Reviewing the default user permissions may also help you determine the type of user you need to create. For more information, see [Set default user permissions](users-default-permissions.md)
+Reviewing the default user permissions may also help you determine the type of user you need to create. For more information, see [Set default user permissions](users-default-permissions.md).
## Required roles
The required role of least privilege varies based on the type of user you're add
The **Basics** tab contains the core fields required to create a new user. -- **User principal name**: Enter a unique username and select a domain from the menu after the @ symbol. Select **Domain not listed** if you need to create a new domain. For more information, see [Add your custom domain name](add-custom-domain.md)
+- **User principal name**: Enter a unique username and select a domain from the menu after the @ symbol. Select **Domain not listed** if you need to create a new domain. For more information, see [Add your custom domain name](add-custom-domain.md).
- **Mail nickname**: If you need to enter an email nickname that is different from the user principal name you entered, uncheck the **Derive from user principal name** option, then enter the mail nickname. - **Display name**: Enter the user's name, such as Chris Green or Chris A. Green - **Password**: Provide a password for the user to use during their initial sign-in. Uncheck the **Auto-generate password** option to enter a different password.
If you have an environment with both Microsoft Entra ID (cloud) and Windows Serv
## Delete a user
-You can delete an existing user using Azure portal.
+You can delete an existing user using the [Microsoft Entra admin center](https://entra.microsoft.com/).
- You must have a Global Administrator, Privileged Authentication Administrator, or User Administrator role assignment to delete users in your organization. - Global Administrators and Privileged Authentication Administrators can delete any users including other administrators.
active-directory How To Customize Branding https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-customize-branding.md
When users authenticate into your corporate intranet or web-based applications, Microsoft Entra ID provides the identity and access management (IAM) service. You can add company branding that applies to all these experiences to create a consistent sign-in experience for your users.
-The default sign-in experience is the global look and feel that applies across all sign-ins to your tenant. Before you customize any settings, the default Microsoft branding appears in your sign-in pages. You can customize this default experience with a custom background image and/or color, favicon, layout, header, and footer. You can also upload a custom CSS.
+The default sign-in experience is the global look and feel that applies across all sign-ins to your tenant. Before you customize any settings, the default Microsoft branding appears in your sign-in pages. You can customize this default experience with a custom background image and/or color, favicon, layout, header, and footer. You can also upload a custom CSS file.
> [!NOTE] > Instructions for how to manage the **'Stay signed in prompt?'** can be found in the **[Manage the 'Stay signed in?' prompt](how-to-manage-stay-signed-in-prompt.md)** article.
The default sign-in experience is the global look and feel that applies across a
Adding custom branding requires one of the following licenses: -- Microsoft Entra ID P1 or P2 1-- Microsoft Entra ID P1 or P2 2
+- Microsoft Entra ID P1 or P2
+- Microsoft Entra ID P1 or P2
- Office 365 (for Office apps) For more information about licensing and editions, see the [Sign up for Microsoft Entra ID P1 or P2](./get-started-premium.md) article.
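Review bot: The two added bullets are identical ("+- Microsoft Entra ID P1 or P2" twice), so the license list now states the same plan twice. The trailing "1" and "2" on the removed lines show these were evidently two distinct entries (the P1 and P2 plans); restore that distinction with "- Microsoft Entra ID P1" and "- Microsoft Entra ID P2", or collapse to a single "- Microsoft Entra ID P1 or P2" bullet, but not both.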
-Microsoft Entra ID P1 or P2 editions are available for customers in China using the worldwide instance of Microsoft Entra ID. Microsoft Entra ID P1 or P2 editions aren't currently supported in the Azure service operated by 21Vianet in China
+Microsoft Entra ID P1 or P2 editions are available for customers in China using the worldwide instance of Microsoft Entra ID. Microsoft Entra ID P1 or P2 editions aren't currently supported in the Azure service operated by 21Vianet in China.
The **Global Administrator** role is required to customize company branding.
The sign-in experience process is grouped into sections. At the end of each sect
!['Review + create' and 'Next: Layout' buttons from the bottom of the configure custom branding page](media/how-to-customize-branding/customize-branding-buttons.png)
-## Basics
+### Basics
- **Favicon**: Select a PNG or JPG of your logo that appears in the web browser tab.
The sign-in experience process is grouped into sections. At the end of each sect
- **Page background color**: If the background image isn't able to load because of a slower connection, your selected background color appears instead.
-## Layout
+### Layout
-- **Visual Templates**: Customize the layout of your sign-in page using templates or custom CSS.
+- **Visual Templates**: Customize the layout of your sign-in page using templates or a custom CSS file.
- Choose one of two **Templates**: Full-screen or partial-screen background. The full-screen background could obscure your background image, so choose the partial-screen background if your background image is important. - The details of the **Header** and **Footer** options are set on the next two sections of the process. ![Screenshot of the Layout tab.](media/how-to-customize-branding/layout-visual-templates.png) -- **Custom CSS**: Upload custom CSS to replace the Microsoft default style of the page.
+- **Custom CSS**: Upload a custom CSS file to replace the Microsoft default style of the page.
- [Download the CSS template](https://download.microsoft.com/download/7/2/7/727f287a-125d-4368-a673-a785907ac5ab/custom-styles-template-013023.css). - View the [CSS template reference guide](reference-company-branding-css-template.md).
-## Header
+### Header
If you haven't enabled the header, go to the **Layout** section and select **Show header**. Once enabled, select a PNG or JPG to display in the header of the sign-in page. ![Screenshot of the message indicating that the header needs to be enabled.](media/how-to-customize-branding/disabled-header-message.png)
-## Footer
+### Footer
If you haven't enabled the footer, go to the **Layout** section and select **Show footer**. Once enabled, adjust the following settings.
If you haven't enabled the footer, go to the **Layout** section and select **Sho
![Customize branding on the Footer section](media/how-to-customize-branding/customize-branding-footer.png)
-## Sign-in form
+### Sign-in form
- **Banner logo**: Select a PNG or JPG image file of a banner-sized logo (short and wide) to appear on the sign-in pages.
If you haven't enabled the footer, go to the **Layout** section and select **Sho
- Username collection display text: Replace the default text with your own custom username collection text. - Password collection display text: Replace the default text with your own customer password collection text.
-## Review
+### Review
All of the available options appear in one list so you can review everything you've customized or left at the default setting. When you're done, select the **Create** button. Once your default sign-in experience is created, select the **Edit** button to make any changes. You can't delete a default sign-in experience after it's created, but you can remove all custom settings.
-## Customize the sign-in experience by browser language
+### Customize the sign-in experience by browser language
You can create a personalized sign-in experience for users who sign in using a specific browser language by customizing the branding elements for that browser language. This customization overrides any configurations made to the default branding. If you don't make any changes to the elements, the default elements are displayed.
Microsoft Entra ID supports right-to-left functionality for languages such as Ar
## Next steps -- [View the CSS template reference guide](reference-company-branding-css-template.md).
+- [View the CSS template reference guide](reference-company-branding-css-template.md)
- [Learn more about default user permissions in Microsoft Entra ID](../fundamentals/users-default-permissions.md) - [Manage the 'stay signed in' prompt](how-to-manage-stay-signed-in-prompt.md)
active-directory How To Get Support https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-get-support.md
Support for Microsoft Entra ID in the [Microsoft 365 admin center](https://admin
Things can change quickly. The following resources provide updates and information on the latest releases. - [Azure Updates](https://azure.microsoft.com/updates/?category=identity): Learn about important product updates, roadmap, and announcements.- - [What's new in Microsoft Entra ID](whats-new.md): Get to know what's new in Microsoft Entra ID including the latest release notes, known issues, bug fixes, deprecated functionality, and upcoming changes.- - [Microsoft Entra identity blog](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/bg-p/Identity): Get news and information about Microsoft Entra ID. ## Next steps * [Post a question to Microsoft Q&A](/answers/products/)-
-* [Join the Microsoft Technical Community](https://techcommunity.microsoft.com/)]
-
+* [Join the Microsoft Technical Community](https://techcommunity.microsoft.com/)
* [Learn about the diagnostic data Azure identity support can access](https://azure.microsoft.com/support/legal/support-diagnostic-information-collection/)
active-directory How To Manage Stay Signed In Prompt https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-manage-stay-signed-in-prompt.md
The KMSI setting is managed in **User settings**.
## Troubleshoot 'Stay signed in?' issues
-If a user doesn't act on the **Stay signed in?** prompt but abandons the sign-in attempt, a sign-in log entry appears in the Microsoft Entra sign-ins logs. The prompt the user sees is called an "interrupt."
+If a user doesn't act on the **Stay signed in?** prompt but abandons the sign-in attempt, a sign-in log entry appears in the Microsoft Entra sign-in logs. The prompt the user sees is called an "interrupt."
![Sample 'Stay signed in?' prompt](media/how-to-manage-stay-signed-in-prompt/kmsi-stay-signed-in-prompt.png)
active-directory How To Manage User Profile Info https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-manage-user-profile-info.md
When new users are created, only a few details are added to their user profile.
1. After making any changes, select the **Save** button.
-If you selected the **Edit properties option**:
+If you selected the **Edit properties** option:
- The full list of properties appears in edit mode on the **All** category. - To edit properties based on the category, select a category from the top of the page. - Select the **Save** button at the bottom of the page to save any changes. ![Screenshot a selected user's details, with the detail categories and save button highlighted.](media/how-to-manage-user-profile-info/user-profile-properties-tabbed-view.png)
-If you selected the **Properties tab option**:
+If you selected the **Properties** tab option:
- The full list of properties appears for you to review. - To edit a property, select the pencil icon next to the category heading. - Select the **Save** button at the bottom of the page to save any changes.
The following settings can be managed from **User settings**.
## Next steps - [Add or delete users](./add-users.md)- - [Assign roles to users](./how-subscriptions-associated-directory.md)- - [Create a basic group and add members](./how-to-manage-groups.md)--- [View Microsoft Entra enterprise user management documentation](../enterprise-users/index.yml).
+- [View Microsoft Entra enterprise user management documentation](../enterprise-users/index.yml)
active-directory How To Rename Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/how-to-rename-azure-ad.md
# How to: Rename Azure AD
-Azure Active Directory (Azure AD) is being renamed to Microsoft Entra ID to better communicate the multicloud, multiplatform functionality of the product and unify the naming of the Microsoft Entra product family.
+Azure Active Directory (Azure AD) has been renamed to Microsoft Entra ID to better communicate the multicloud, multiplatform functionality of the product and unify the naming of the Microsoft Entra product family.
This article provides best practices and support for customers and organizations who wish to update their documentation or content with the new product name and icon. ## Prerequisites
-Before changing instances of Azure AD in your documentation or content, familiarize yourself with the guidance in [New name for Azure AD](./new-name.md) to:
+Before changing instances of Azure AD to Microsoft Entra ID in your documentation or content, familiarize yourself with the guidance in [New name for Azure AD](new-name.md) to:
- Understand the product name and why we made the change - Download the new product icon
foreach ($file in $filteredFiles) {
```
-## Communicate the change to your customers
+### Communicate the change to your customers
To help your customers with the transition, it's helpful to add a note: "Azure Active Directory is now Microsoft Entra ID" or follow the new name with "formerly Azure Active Directory" for the first year.
active-directory Identity Fundamental Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/identity-fundamental-concepts.md
Authorization validates that the user, machine, or software component has been g
## Authentication vs. authorization The terms authentication and authorization are sometimes used interchangeably, because they often seem like a single experience to users. They're actually two separate processes: -- Authentication proves the identity of a user, machine, or software component -- Authorization grants or denies the user, machine, or software component access to certain resources
+- Authentication proves the identity of a user, machine, or software component.
+- Authorization grants or denies the user, machine, or software component access to certain resources.
:::image type="content" source="./media/identity-fundamentals/authentication-vs-authorization.svg" alt-text="Diagram that shows authentication and authorization side by side." :::
If you're staying at the hotel, you first go to reception to start the "authenti
:::image type="content" source="./media/identity-fundamentals/hotel-authentication.png" alt-text="Diagram that shows a person showing identification to get a hotel keycard." :::
-The doors to the hotel rooms and other areas have keycard sensors. Swiping the keycard in front of a sensor is the "authorization process". The keycard only lets you open the doors to rooms you're permitted to access, such as your hotel room and the hotel exercise room. If you swipe your keycard to enter any other hotel guest room, your access is denied. Individual [permissions](/azure/active-directory/fundamentals/users-default-permissions?context=/azure/active-directory/roles/context/ugr-context), such as accessing the exercise room and a specific guest room, are collected into [roles](/azure/active-directory/roles/concept-understand-roles) which can be granted to individual users. When you're staying at the hotel, you're granted the Hotel Patron role. Hotel room service staff would be granted the Hotel Room Service role. This role permits access to all hotel guest rooms (but only between 11am and 4pm), the laundry room, and the supply closets on each floor.
+The doors to the hotel rooms and other areas have keycard sensors. Swiping the keycard in front of a sensor is the "authorization process". The keycard only lets you open the doors to rooms you're permitted to access, such as your hotel room and the hotel exercise room. If you swipe your keycard to enter any other hotel guest room, your access is denied.
+
+Individual [permissions](/azure/active-directory/fundamentals/users-default-permissions?context=/azure/active-directory/roles/context/ugr-context), such as accessing the exercise room and a specific guest room, are collected into [roles](/azure/active-directory/roles/concept-understand-roles) which can be granted to individual users. When you're staying at the hotel, you're granted the Hotel Patron role. Hotel room service staff would be granted the Hotel Room Service role. This role permits access to all hotel guest rooms (but only between 11am and 4pm), the laundry room, and the supply closets on each floor.
:::image type="content" source="./media/identity-fundamentals/hotel-authorization.png" alt-text="Diagram that shows a user getting access to a room with a keycard." :::
With a central identity provider, organizations can establish authentication and
- Read [Introduction to identity and access management](introduction-identity-access-management.md) to learn more. - Learn about [Single sign-on (SSO)](/azure/active-directory/manage-apps/what-is-single-sign-on).-- Learn about [Multi-factor authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks).
+- Learn about [Multi-factor authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks).
active-directory License Users Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/license-users-groups.md
Title: Assign or remove licenses
-description: Instructions about how to assign or remove Microsoft Entra licenses from your users or groups.
+description: Instructions about how to assign or remove Microsoft Entra ID licenses from your users or groups.
Many Microsoft Entra services require you to license each of your users or group
## Available license plans
-There are several Microsoft Entra license plans:
+There are several Microsoft Entra ID license plans:
- Microsoft Entra ID Free- - Microsoft Entra ID P1- - Microsoft Entra ID P2 For specific information about each license plan and the associated licensing details, see [What license do I need?](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing). To sign up for Microsoft Entra ID P1 or P2 license plans see [here](./get-started-premium.md).
-Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in **Identity** > **Users** > **All users** > *select a user* > **Properties**. When assigning licenses to a group or bulk updates such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the tenant.
+Not all Microsoft services are available in all locations. Before a license can be assigned to a group, you must specify the **Usage location** for all members. You can set this value in Microsoft Entra by going to **Identity** > **Users** > **All users** > *select a user* > **Properties**.
+
+When assigning licenses to a group or bulk updates, such as disabling the synchronization status for the organization, any user whose usage location isn't specified inherits the location of the tenant.
## View license plans and plan details
You can view your available service plans, including the individual licenses, ch
> [!NOTE] > The numbers are defined as:
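Review bot: The split-out second paragraph "+When assigning licenses to a group or bulk updates, such as disabling the synchronization status for the organization, ..." is not parallel: "assigning licenses" and "bulk updates" both hang off the same "when". Suggest "When assigning licenses to a group or performing bulk updates, such as disabling the synchronization status for the organization, ...". In the first paragraph, "You can set this value in Microsoft Entra by going to **Identity** > ..." would be clearer as "in the Microsoft Entra admin center by going to ...", matching the wording used in the how-to-create-delete-users change above.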
- > - Total: Total number of licenses purchased
- > - Assigned: Number of licenses assigned to users
- > - Available: Number of licenses available for assignment including expiring soon
- > - Expiring soon: Number of licenses expiring soon
+ > - **Total**: Total number of licenses purchased
+ > - **Assigned**: Number of licenses assigned to users
+ > - **Available**: Number of licenses available for assignment including expiring soon
+ > - **Expiring soon**: Number of licenses expiring soon
1. Select a plan name to see its licensed users and groups.
You can remove a license from a user's Microsoft Entra user page, from the group
After you've assigned your licenses, you can perform the following processes: - [Identify and resolve license assignment problems](../enterprise-users/licensing-groups-resolve-problems.md)- - [Add licensed users to a group for licensing](../enterprise-users/licensing-groups-migrate-users.md)- - [Scenarios, limitations, and known issues using groups to manage licensing in Microsoft Entra ID](../enterprise-users/licensing-group-advanced.md)- - [Add or change profile information](./how-to-manage-user-profile-info.md)
active-directory Licensing Preview Terms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/licensing-preview-terms.md
Title: Microsoft Entra preview program terms
-description: In this article we go over the terms in effect when participating in Microsoft Entra preview programs.
+ Title: Microsoft Entra ID preview program terms
+description: In this article we go over the terms in effect when participating in Microsoft Entra ID preview programs.
Last updated 09/19/2023
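Review bot: The line "+ Title: Microsoft Entra ID preview program terms" adds a second title entry to the front matter without removing the existing "Title: Microsoft Entra preview program terms" above it, and it carries a leading space, which is not valid for a top-level YAML key. Pair it with a `-` line removing the old title (or edit that line in place) and drop the leading space, so the front matter ends up with exactly one title key.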
-# Customer intent: I am trying to find information on the terms and conditions for Microsoft Entra preview programs.
+# Customer intent: I am trying to find information on the terms and conditions for Microsoft Entra ID preview programs.
-# Microsoft Entra preview program terms
+# Microsoft Entra ID preview program terms
active-directory New Name https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/new-name.md
# New name for Azure Active Directory
-To communicate the multicloud, multiplatform functionality of the products, alleviate confusion with Windows Server Active Directory, and unify the [Microsoft Entra](/entra) product family, the new name for Azure Active Directory (Azure AD) is Microsoft Entra ID.
+Microsoft has reamed Azure Active Directory (Azure AD) to Microsoft Entra ID for the following reasons: (1) to communicate the multicloud, multiplatform functionality of the products, (2) to alleviate confusion with Windows Server Active Directory, and (3) to unify the [Microsoft Entra](/entra) product family.
## No interruptions to usage or service
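Review bot: Typo in the rewritten opening sentence: "Microsoft has reamed Azure Active Directory (Azure AD)" should be "Microsoft has renamed Azure Active Directory (Azure AD)". The inline "(1) ... (2) ... (3)" enumeration also reads more heavily than the single sentence it replaces; if an enumerated form is wanted, a bulleted list is the convention these articles already use.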
-If you're using Azure AD today or are currently deploying Azure AD in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you.
+If you're currently using Azure AD today or are have previously deployed Azure AD in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you.
You can continue to use familiar Azure AD capabilities that you can access through the Azure portal, Microsoft 365 admin center, and the [Microsoft Entra admin center](https://entra.microsoft.com).
All features and capabilities are still available in the product. Licensing, ter
To make the transition seamless, all existing login URLs, APIs, PowerShell cmdlets, and Microsoft Authentication Libraries (MSAL) stay the same, as do developer experiences and tooling.
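Review bot: The rewritten sentence "+If you're currently using Azure AD today or are have previously deployed Azure AD in your organizations" has a grammar error ("are have") and a redundancy ("currently ... today"). Suggest: "If you're using Azure AD today or have previously deployed Azure AD in your organization, you can continue to use the service without interruption."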
-Service plan display names will change on October 1, 2023. Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2 will be the new names of standalone offers, and all capabilities included in the current Azure AD plans remain the same. Microsoft Entra ID ΓÇô currently known as Azure AD ΓÇô continues to be included in Microsoft 365 licensing plans, including Microsoft 365 E3 and Microsoft 365 E5. Details on pricing and whatΓÇÖs included are available on the [pricing and free trials page](https://aka.ms/PricingEntra).
+Service plan display names will change on October 1, 2023. Microsoft Entra ID Free, Microsoft Entra ID P1, and Microsoft Entra ID P2 will be the new names of standalone offers, and all capabilities included in the current Azure AD plans remain the same. Microsoft Entra ID ΓÇô previously known as Azure AD ΓÇô continues to be included in Microsoft 365 licensing plans, including Microsoft 365 E3 and Microsoft 365 E5. Details on pricing and whatΓÇÖs included are available on the [pricing and free trials page](https://aka.ms/PricingEntra).
:::image type="content" source="./media/new-name/azure-ad-new-name.png" alt-text="Diagram showing the new name for Azure AD and Azure AD External Identities." border="false" lightbox="./media/new-name/azure-ad-new-name-high-res.png":::
The Microsoft Entra product family helps you protect all identities and secure n
| Identity and access management | New identity categories | Network access | ||||
-| [Microsoft Entra ID (currently known as Azure AD)](../index.yml) | [Microsoft Entra Verified ID](../verifiable-credentials/index.yml) | [Microsoft Entra Internet Access](https://aka.ms/GlobalSecureAccessDocs) |
+| [Microsoft Entra ID (previously known as Azure AD)](../index.yml) | [Microsoft Entra Verified ID](../verifiable-credentials/index.yml) | [Microsoft Entra Internet Access](https://aka.ms/GlobalSecureAccessDocs) |
| [Microsoft Entra ID Governance](../governance/index.yml) | [Microsoft Entra Permissions Management](../cloud-infrastructure-entitlement-management/index.yml) | [Microsoft Entra Private Access](https://aka.ms/GlobalSecureAccessDocs) | | [Microsoft Entra External ID](../external-identities/index.yml) | [Microsoft Entra Workload ID](../workload-identities/index.yml) | |
No. Prices, terms and service level agreements (SLAs) remain the same. Pricing d
### Will Microsoft Entra ID be available as a free service with an Azure subscription?
-Customers currently using Azure AD Free as part of their Azure, Microsoft 365, Dynamics 365, Teams, or Intune subscription continue to have access to the same capabilities. It will be called Microsoft Entra ID Free. Get the free version at <https://www.microsoft.com/security/business/microsoft-entra-pricing>.
+Customers using Azure AD Free as part of their Azure, Microsoft 365, Dynamics 365, Teams, or Intune subscription continue to have access to the same capabilities. It will be called Microsoft Entra ID Free. Get the free version at <https://www.microsoft.com/security/business/microsoft-entra-pricing>.
### What's changing for Microsoft 365 or Azure AD for Office 365?
-Microsoft Entra ID ΓÇô currently known as Azure AD ΓÇô continues to be available within Microsoft 365 enterprise and business premium offers. Office 365 was renamed Microsoft 365 in 2022. Unique capabilities in the Azure AD for Office 365 apps (such as company branding and self-service sign-in activity search) are now be available to all Microsoft customers in Microsoft Entra ID Free.
+Microsoft Entra ID ΓÇô previously known as Azure AD ΓÇô continues to be available within Microsoft 365 enterprise and business premium offers. Office 365 was renamed Microsoft 365 in 2022. Unique capabilities in the Azure AD for Office 365 apps (such as company branding and self-service sign-in activity search) are now be available to all Microsoft customers in Microsoft Entra ID Free.
### What's changing for Microsoft 365 E3?
-There are no changes to the identity features and functionality available in Microsoft 365 E3. Microsoft 365 E3 includes Microsoft Entra ID P1, currently known as Azure AD Premium P1.
+There are no changes to the identity features and functionality available in Microsoft 365 E3. Microsoft 365 E3 includes Microsoft Entra ID P1, previously known as Azure AD Premium P1.
### What's changing for Microsoft 365 E5?
-In addition to the capabilities they already have, Microsoft 365 E5 customers also get access to new identity protection capabilities like token protection, Conditional Access based on GPS-based location and step-up authentication for the most sensitive actions. Microsoft 365 E5 includes Microsoft Entra ID P2, currently known as Azure AD Premium P2.
+In addition to the capabilities they already have, Microsoft 365 E5 customers also get access to new identity protection capabilities like token protection, Conditional Access based on GPS-based location and step-up authentication for the most sensitive actions. Microsoft 365 E5 includes Microsoft Entra P2, previously known as Azure AD Premium P2.
-### What's changing for identity developer and devops experience?
+### What's changing for identity developer and devops experiences?
Identity developer and devops experiences aren't being renamed. To make the transition seamless, all existing login URLs, APIs, PowerShell cmdlets, and Microsoft Authentication Libraries (MSAL) stay the same, as do developer experiences and tooling.
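Review bot: two wording defects in the FAQ answers survive the rename. In the Office 365 answer, "are now be available" should be "are now available" (the error is carried over from the removed line rather than fixed). In the Microsoft 365 E5 answer, "Microsoft Entra P2" drops the "ID" and is inconsistent with "Microsoft Entra ID P2" in the E3 answer and in the service plan paragraph above; it should read "Microsoft Entra ID P2, previously known as Azure AD Premium P2".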
active-directory Properties Area https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/properties-area.md
We strongly recommend you add both your global privacy contact and your organiza
## Add your privacy info
-Your privacy and technical information is located in the **Properties** area.
+Your privacy and technical information is located in the **Properties** area of the Microsoft Entra admin center.
### To access the properties area and add your privacy information
active-directory Scenario Azure First Sap Identity Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/scenario-azure-first-sap-identity-integration.md
When your authoritative user directory is Microsoft Entra ID, we recommend setti
![SAP trust configuration](./media/scenario-azure-first-sap-identity-integration/sap-trust-configuration.png)
-On the trust configuration in BTP, we recommend that "Create Shadow Users During Logon" is enabled. This way, users who haven't yet been created in BTP, automatically get an account when they sign in through IAS/Azure AD for the first time. If this setting would be disabled, only pre-provisioned users would be allowed to sign in.
+On the trust configuration in BTP, we recommend that "Create Shadow Users During Logon" is enabled. This way, users who haven't yet been created in BTP, automatically get an account when they sign in through IAS / Microsoft Entra ID for the first time. If this setting would be disabled, only pre-provisioned users would be allowed to sign in.
#### Why this recommendation?
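Review bot: while this sentence is being touched, the pre-existing grammar should go with it: "users who haven't yet been created in BTP, automatically get an account" should have no comma, and "If this setting would be disabled" should be "If this setting is disabled". Also "IAS / Microsoft Entra ID" adds spaces around the slash where the removed line had "IAS/Azure AD"; pick one form for the article.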
active-directory Security Defaults https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/security-defaults.md
Microsoft is making these preconfigured security settings available to everyone,
These basic controls include: -- [Requiring all users to register for multifactor authentication](#require-all-users-to-register-for-azure-ad-multifactor-authentication).-- [Requiring administrators to do multifactor authentication](#require-administrators-to-do-multifactor-authentication).-- [Requiring users to do multifactor authentication when necessary](#require-users-to-do-multifactor-authentication-when-necessary).-- [Blocking legacy authentication protocols](#block-legacy-authentication-protocols).-- [Protecting privileged activities like access to the Azure portal](#protect-privileged-activities-like-access-to-the-azure-portal).
+- [Requiring all users to register for multifactor authentication](#require-all-users-to-register-for-azure-ad-multifactor-authentication)
+- [Requiring administrators to do multifactor authentication](#require-administrators-to-do-multifactor-authentication)
+- [Requiring users to do multifactor authentication when necessary](#require-users-to-do-multifactor-authentication-when-necessary)
+- [Blocking legacy authentication protocols](#block-legacy-authentication-protocols)
+- [Protecting privileged activities like access to the Azure portal](#protect-privileged-activities-like-access-to-the-azure-portal)
## Who's it for? - Organizations who want to increase their security posture, but don't know how or where to start.-- Organizations using the free tier of Microsoft Entra licensing.
+- Organizations using the free tier of Microsoft Entra ID licensing.
### Who should use Conditional Access? - If you're an organization with Microsoft Entra ID P1 or P2 licenses, security defaults are probably not right for you.-- If your organization has complex security requirements, you should consider [Conditional Access](../conditional-access/concept-conditional-access-policy-common.md#template-categories)
+- If your organization has complex security requirements, you should consider [Conditional Access](../conditional-access/concept-conditional-access-policy-common.md#template-categories).
## Enabling security defaults
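Review bot: the first list item's link still targets `#require-all-users-to-register-for-azure-ad-multifactor-authentication` while the link text no longer mentions Azure AD; the heading it points at is not in this hunk, so if that H2 was renamed as part of the Entra rename the in-page anchor breaks silently. Verify the heading slug matches before merging. The list reformatting itself (one item per line, no trailing periods) is fine and consistent with the other lists in this article.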
If your tenant was created on or after October 22, 2019, security defaults may b
To help protect organizations, we're always working to improve the security of Microsoft account services. As part of this protection, customers are periodically notified for the automatic enablement of the security defaults if they: -- Haven't enabled Conditional Access policies.-- Don't have premium licenses.-- ArenΓÇÖt actively using legacy authentication clients.
+- Haven't enabled Conditional Access policies
+- Don't have premium licenses
+- ArenΓÇÖt actively using legacy authentication clients
After this setting is enabled, all users in the organization will need to register for multifactor authentication. To avoid confusion, refer to the email you received and alternatively you can [disable security defaults](#disabling-security-defaults) after it's enabled.
To enable security defaults:
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). 1. Browse toΓÇ»**Identity**ΓÇ»> **Overview** > **Properties**.
- 1. Select **Manage security defaults**.
+1. Select **Manage security defaults**.
1. Set **Security defaults** to **Enabled**. 1. Select **Save**.
One common method to improve protection for all users is to require a stronger f
To give your users easy access to your cloud apps, we support various authentication protocols, including legacy authentication. *Legacy authentication* is a term that refers to an authentication request made by: -- Clients that don't use modern authentication (for example, an Office 2010 client).-- Any client that uses older mail protocols such as IMAP, SMTP, or POP3.
+- Clients that don't use modern authentication (for example, an Office 2010 client)
+- Any client that uses older mail protocols such as IMAP, SMTP, or POP3
Today, most compromising sign-in attempts come from legacy authentication. Legacy authentication doesn't support multifactor authentication. Even if you have a multifactor authentication policy enabled on your directory, an attacker can authenticate by using an older protocol and bypass multifactor authentication.
To disable security defaults in your directory:
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](../roles/permissions-reference.md#global-administrator). 1. Browse toΓÇ»**Identity**ΓÇ»>ΓÇ»**Overview** > **Properties**.
- 1. Select **Manage security defaults**.
+1. Select **Manage security defaults**.
1. Set **Security defaults** to **Disabled (not recommended)**. 1. Select **Save**.
active-directory Users Reset Password Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-reset-password-azure-portal.md
Administrators can reset a user's password if the password is forgotten, if the
After you've reset your user's password, you can perform the following basic processes: - [Add or delete users](./add-users.md)- - [Assign roles to users](./how-subscriptions-associated-directory.md)- - [Add or change profile information](./how-to-manage-user-profile-info.md)- - [Create a basic group and add members](./how-to-manage-groups.md) Or you can perform more complex user scenarios, such as assigning delegates, using policies, and sharing user accounts. For more information about other available actions, see [Microsoft Entra user management documentation](../enterprise-users/index.yml).
active-directory Users Restore https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/users-restore.md
# Restore or remove a recently deleted user
-After you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored, along with all its properties. After that 30-day window passes, the permanent deletion process is automatically started and can't be stopped. During this time, the management of soft-deleted users is blocked. This limitation also applies to restoring a soft-deleted user via a match during Tenant sync cycle for on-premises hybrid scenarios.
+After you delete a user, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored, along with all its properties.
+
+After that 30-day window passes, the permanent deletion process is automatically started and can't be stopped. During this time, the management of soft-deleted users is blocked. This limitation also applies to restoring a soft-deleted user via a match during Tenant sync cycle for on-premises hybrid scenarios.
You can view your restorable users, restore a deleted user, or permanently delete a user using the Microsoft Entra admin center.
You can permanently delete a user from your organization without waiting the 30
After you've restored or deleted your users, you can: - [Add or delete users](./add-users.md)- - [Assign roles to users](./how-subscriptions-associated-directory.md)- - [Add or change profile information](./how-to-manage-user-profile-info.md)- - [Add guest users from another organization](../external-identities/what-is-b2b.md) For more information about other available user management tasks, [Microsoft Entra user management documentation](../enterprise-users/index.yml).
active-directory What Is Deprecated https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/what-is-deprecated.md
# What's deprecated in Microsoft Entra ID?
-The lifecycle of functionality, features, and services are governed by policy, support timelines, data, also leadership and engineering team decisions. Lifecycle information allows customers to predictably plan long-term deployment aspects, transition from outdated to new technology, and help improve business outcomes. Use the definitions below to understand the following table with change information about Azure Active Directory (Azure AD) and Microsoft Entra features, services, and functionality.
+The lifecycle of functionality, features, and services are governed by policy, support timelines, data, also leadership and engineering team decisions. Lifecycle information allows customers to predictably plan long-term deployment aspects, transition from outdated to new technology, and help improve business outcomes.
+
+> ![NOTE]
+> If you're currently using Azure AD today or are have previously deployed Azure AD in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you.
Get notified about when to revisit this page for updates by copying and pasting this URL: `https://learn.microsoft.com/api/search/rss?search=%22What's+deprecated+in+Azure+Active+Directory%22&locale=en-us` into your ![RSS feed reader icon](./media/whats-new/feed-icon-16x16.png) feed reader.
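Review bot: the added callout uses image syntax: `> ![NOTE]` renders as a broken image, not an alert; Learn's alert syntax is `> [!NOTE]` (the form used in the governance article further down in this change set). The note body also copies the "are have previously deployed" error from the rename article. Two smaller points: the removed sentence was the only lead-in telling readers that the definitions later in the page explain the status terms used in the table, so consider keeping a short version of it; and the unchanged RSS URL still searches for "What's deprecated in Azure Active Directory" while the H1 above reads "What's deprecated in Microsoft Entra ID?", so confirm the search string still matches the page title.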
Use the following table to learn about changes including deprecations, retiremen
|[Azure AD Graph API](https://aka.ms/aadgraphupdate)|Start of phased retirement|Jul 2023| |[Terms of Use experience](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|Jul 2023| |[Azure AD PowerShell and MSOnline PowerShell](https://aka.ms/aadgraphupdate)|Deprecation|Mar 30, 2024|
-|[Azure AD MFA Server](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Retirement|Sep 30, 2024|
+|[Azure Multi-Factor Authentication Server](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Retirement|Sep 30, 2024|
|[Legacy MFA & SSPR policy](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Retirement|Sep 30, 2025| |['Require approved client app' Conditional Access Grant](https://aka.ms/RetireApprovedClientApp)|Retirement|Mar 31, 2026|
Use the following table to learn about changes including deprecations, retiremen
|[My Groups experience](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|May 2023| |[My Apps browser extension](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-march-2023-train/ba-p/2967448)|Feature change|May 2023| |Microsoft Authenticator app [Number matching](../authentication/how-to-mfa-number-match.md)|Feature change|May 8, 2023|
-|[Azure AD Domain Services virtual network deployments](../../active-directory-domain-services/overview.md)|Retirement|Mar 1, 2023|
+|[Microsoft Entra Domain Services virtual network deployments](../../active-directory-domain-services/overview.md)|Retirement|Mar 1, 2023|
|[License management API, PowerShell](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/migrate-your-apps-to-access-the-license-managements-apis-from/ba-p/2464366)|Retirement|*Mar 31, 2023| \* The legacy license management API and PowerShell cmdlets won't work for **new tenants** created after Nov 1, 2022.
Use the definitions in this section help clarify the state, availability, and su
[What's new in Microsoft Entra ID?](../../active-directory/fundamentals/whats-new.md) ## Resources
-* [Microsoft Entra Change Announcement blog](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-november-2022-train/ba-p/2967452)
+* [Microsoft Entra change announcement blog](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-change-announcements-november-2022-train/ba-p/2967452)
* Devices: [End-of-life management and recycling](https://www.microsoft.com/legal/compliance/recycling)
active-directory Whatis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whatis.md
# What is Microsoft Entra ID?
-Microsoft Entra ID is a cloud-based identity and access management service. Microsoft Entra ID enables your employees access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. Microsoft Entra ID also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization. To learn how to create a tenant, see [Quickstart: Create a new tenant in Microsoft Entra ID](./create-new-tenant.md).
+Microsoft Entra ID is a cloud-based identity and access management service that enables your employees access external resources. Example resources include Microsoft 365, the Azure portal, and thousands of other SaaS applications.
-To learn the differences between Active Directory and Microsoft Entra ID, see [Compare Active Directory to Microsoft Entra ID](compare.md). You can also refer [Microsoft Cloud for Enterprise Architects Series](/microsoft-365/solutions/cloud-architecture-models) posters to better understand the core identity services in Azure like Microsoft Entra ID and Microsoft-365.
+Microsoft Entra ID also helps them access internal resources like apps on your corporate intranet, and any cloud apps developed for your own organization. To learn how to create a tenant, see [Quickstart: Create a new tenant in Microsoft Entra ID](./create-new-tenant.md).
+
+To learn the differences between Active Directory and Microsoft Entra ID, see [Compare Active Directory to Microsoft Entra ID](compare.md). You can also refer to [Microsoft Cloud for Enterprise Architects Series](/microsoft-365/solutions/cloud-architecture-models) posters to better understand the core identity services in Azure like Microsoft Entra ID and Microsoft-365.
<a name='who-uses-azure-ad'></a>
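Review bot: the split keeps a missing preposition: "enables your employees access external resources" should be "enables your employees to access external resources". After the split, "Microsoft Entra ID also helps them access internal resources" opens a new paragraph whose "them" now has no antecedent in that paragraph; "helps your employees access" reads better. "Microsoft-365" in the last paragraph should be "Microsoft 365".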
active-directory Whats New Sovereign Clouds Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-sovereign-clouds-archive.md
Title: Archive for What's new in Sovereign Clouds?
+ Title: Archive for What's new in Azure Sovereign Clouds?
description: The What's new in sovereign cloud release notes in the Overview section of this content set contain six months of activity. After six months, the items are removed from the main article and put into this archive article for the next two years.
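Review bot: the added `Title:` line is indented by one space (`+ Title:`) while the sibling `description:` key is not; in YAML front matter that indentation changes the structure and can make the metadata fail to parse, so drop the leading space. As shown, the diff also has an unchanged `Title:` line immediately above the added one; make sure the old line is actually removed so the front matter ends up with exactly one title key.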
active-directory Whats New Sovereign Clouds https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new-sovereign-clouds.md
Title: What's new in Sovereign Clouds? Release notes
-description: Learn what is new with Azure Active Directory Sovereign Cloud.
+ Title: What's new in Azure Sovereign Clouds? Release notes
+description: Learn what is new with Azure Sovereign Clouds.
-# What's new in Azure Active Directory Sovereign Clouds?
-
+# What's new in Azure Sovereign Clouds?
Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:
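Review bot: same front-matter problem as the archive article: `+ Title:` carries a leading space that `+description:` does not; remove it. Also, the H1 is renamed to "What's new in Azure Sovereign Clouds?" but the unchanged first paragraph still opens "Azure AD receives improvements on an ongoing basis", and the new title no longer names the identity service these release notes cover; the main what's-new article in this change set uses "Microsoft Entra ID (previously known as Azure AD) receives improvements", which would be consistent here.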
active-directory Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/fundamentals/whats-new.md
Title: What's new? Release notes
-description: Learn what is new with Azure Active Directory; such as the latest release notes, known issues, bug fixes, deprecated functionality, and upcoming changes.
+description: Learn what is new with Microsoft Entra ID, such as the latest release notes, known issues, bug fixes, deprecated functionality, and upcoming changes.
featureFlags:
-# What's new in Azure Active Directory?
+# What's new in Microsoft Entra ID?
>Get notified about when to revisit this page for updates by copying and pasting this URL: `https://learn.microsoft.com/api/search/rss?search=%22Release+notes+-+Azure+Active+Directory%22&locale=en-us` into your ![RSS feed reader icon](./media/whats-new/feed-icon-16x16.png) feed reader.
-Azure AD receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:
+Microsoft Entra ID (previously known as Azure AD) receives improvements on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:
- The latest releases - Known issues
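Review bot: the H1 becomes "What's new in Microsoft Entra ID?" but the unchanged RSS link directly under it still searches for "Release notes - Azure Active Directory"; if that string is derived from the page title, the feed stops matching this page after the rename. Verify the search term and update it in the same change.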
Azure AD receives improvements on an ongoing basis. To stay up to date with the
- Deprecated functionality - Plans for changes
+> ![NOTE]
+> If you're currently using Azure AD today or are have previously deployed Azure AD in your organizations, you can continue to use the service without interruption. All existing deployments, configurations, and integrations continue to function as they do today without any action from you.
+ This page updates monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [Archive for What's new in Azure Active Directory](whats-new-archive.md).
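Review bot: three problems in the added lines. `> ![NOTE]` is image syntax and will not render as a callout; use `> [!NOTE]`. The note text carries the "are have previously deployed" error from the rename article. The re-added closing paragraph is indented by a space (`+ This page updates monthly`), unlike the surrounding paragraphs, and its link text "Archive for What's new in Azure Active Directory" is stale now that this article's H1 says Microsoft Entra ID; update the link text to match the archive article's new title.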
active-directory Access Reviews Application Preparation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/access-reviews-application-preparation.md
In order to permit a wide variety of applications and IT requirements to be addr
|Pattern|Application integration pattern|Steps to prepare for an access review| |:||--| |A| The application supports federated SSO, Microsoft Entra ID is the only identity provider, and the application doesn't rely upon group or role claims. | In this pattern, you'll configure that the application requires individual application role assignments, and that users are assigned to the application. Then to perform the review, you'll create a single access review for the application, of the users assigned to this application role. When the review completes, if a user was denied, then they will be removed from the application role. Microsoft Entra ID will then no longer issue that user with federation tokens and the user will be unable to sign into that application.|
-|B|If the application uses group claims in addition to application role assignments.| An application may use AD or Microsoft Entra group membership, distinct from application roles to express finer-grained access. Here, you can choose based on your business requirements either to have the users who have application role assignments reviewed, or to review the users who have group memberships. If the groups do not provide comprehensive access coverage, in particular if users may have access to the application even if they aren't a member of those groups, then we recommend reviewing the application role assignments, as in pattern A above.|
+|B|If the application uses group claims in addition to application role assignments.| An application may use Active Directory or Microsoft Entra group membership, distinct from application roles to express finer-grained access. Here, you can choose based on your business requirements either to have the users who have application role assignments reviewed, or to review the users who have group memberships. If the groups do not provide comprehensive access coverage, in particular if users may have access to the application even if they aren't a member of those groups, then we recommend reviewing the application role assignments, as in pattern A above.|
|C| If the application doesn't rely solely on Microsoft Entra ID for federated SSO, but does support provisioning via SCIM, via updates to a SQL table of users, has a non-AD LDAP directory, or supports a SOAP or REST provisioning protocol. | In this pattern, you'll configure Microsoft Entra ID to provision the users with application role assignments to the application's database or directory, update the application role assignments in Microsoft Entra ID with a list of the users who currently have access, and then create a single access review of the application role assignments. For more information, see [Governing an application's existing users](identity-governance-applications-existing-users.md) to update the application role assignments in Microsoft Entra ID.| ### Other options
Now that you have identified the integration pattern for the application, check
* If the application has local user accounts, managed through a MIM connector, configure an application with the [provisioning agent with a custom connector](../app-provisioning/on-premises-custom-connector.md). * If the application is SAP ECC with NetWeaver AS ABAP 7.0 or later, configure an application with the [provisioning agent with a SAP ECC configured web services connector](../app-provisioning/on-premises-sap-connector-configure.md).
-1. If provisioning is configured, then click on **Edit Attribute Mappings**, expand the Mapping section and click on **Provision Microsoft Entra Users**. Check that in the list of attribute mappings, there is a mapping for `isSoftDeleted` to the attribute in the application's data store that you would like to set to false when a user loses access. If this mapping isn't present, then Microsoft Entra ID will not notify the application when a user has gone out of scope, as described in [how provisioning works](../app-provisioning/how-provisioning-works.md).
+1. If provisioning is configured, then click on **Edit Attribute Mappings**, expand the Mapping section and click on **Provision Microsoft Entra users**. Check that in the list of attribute mappings, there is a mapping for `isSoftDeleted` to the attribute in the application's data store that you would like to set to false when a user loses access. If this mapping isn't present, then Microsoft Entra ID will not notify the application when a user has gone out of scope, as described in [how provisioning works](../app-provisioning/how-provisioning-works.md).
1. If the application supports federated SSO, then change to the **Conditional Access** tab. Inspect the enabled policies for this application. If there are policies that are enabled, block access, have users assigned to the policies, but no other conditions, then those users may be already blocked from being able to get federated SSO to the application. 1. Change to the **Users and groups** tab. This list contains all the users who are assigned to the application in Microsoft Entra ID. If the list is empty, then a review of the application will complete immediately, since there isn't any task for the reviewer to perform.
active-directory Entitlement Management Logs And Reporting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/entitlement-management-logs-and-reporting.md
Use the following procedure to view events:
![View app role assignments](./media/entitlement-management-access-package-incompatible/workbook-ara.png) ## Create custom Azure Monitor queries using the Microsoft Entra admin center
-You can create your own queries on Microsoft Entra ID audit events, including entitlement management events.
+You can create your own queries on Microsoft Entra audit events, including entitlement management events.
1. In Identity of the Microsoft Entra admin center, select **Logs** under the Monitoring section in the left navigation menu to create a new query page.
-1. Your workspace should be shown in the upper left of the query page. If you have multiple Azure Monitor workspaces, and the workspace you're using to store Microsoft Entra ID audit events isn't shown, select **Select Scope**. Then, select the correct subscription and workspace.
+1. Your workspace should be shown in the upper left of the query page. If you have multiple Azure Monitor workspaces, and the workspace you're using to store Microsoft Entra audit events isn't shown, select **Select Scope**. Then, select the correct subscription and workspace.
1. Next, in the query text area, delete the string "search *" and replace it with the following query:
active-directory How To Lifecycle Workflow Sync Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/how-to-lifecycle-workflow-sync-attributes.md
For more information on attributes, see [Attribute mapping in Microsoft Entra Co
## How to create a custom sync rule in Microsoft Entra Connect for EmployeeHireDate The following example walks you through setting up a custom synchronization rule that synchronizes the Active Directory attribute to the employeeHireDate attribute in Microsoft Entra ID. 1. Open a PowerShell window as administrator and run `Set-ADSyncScheduler -SyncCycleEnabled $false` to disable the scheduler.
- 1. Go to Start\Azure AD Connect\ and open the Synchronization Rules Editor
+ 1. Go to Start\Microsoft Entra Connect\ and open the Synchronization Rules Editor
1. Ensure the direction at the top is set to **Inbound**. 1. Select **Add Rule.** 1. On the **Create Inbound synchronization rule** screen, enter the following information and select **Next**.
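Review bot: this step is a literal Start menu path rather than prose, so renaming `Start\Azure AD Connect\` to `Start\Microsoft Entra Connect\` only helps if the installed product really creates a folder by that name. The rename article in this same change set states that existing tooling and PowerShell cmdlets stay the same (the preceding step still uses `Set-ADSyncScheduler`), so confirm the shortcut folder name on a current install before changing it, or refer to the Synchronization Rules Editor shortcut without spelling out the path.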
active-directory Identity Governance Applications Define https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-applications-define.md
Organizations with compliance requirements or risk management plans have sensiti
> [!Note] > If you're using an application from the Microsoft Entra application gallery that supports provisioning, then Microsoft Entra ID may import defined roles in the application and automatically update the application manifest with the application's roles automatically, once provisioning is configured.
-1. **Select which roles and groups have membership that are to be governed in Azure AD.** Based on compliance and risk management requirements, organizations often prioritize those application roles or groups that give privileged access or access to sensitive information.
+1. **Select which roles and groups have membership that are to be governed in Microsoft Entra ID.** Based on compliance and risk management requirements, organizations often prioritize those application roles or groups that give privileged access or access to sensitive information.
## Define the organization's policy with prerequisites and other constraints for access to the application
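Review bot: The note context line repeats "automatically" ("automatically update the application manifest with the application's roles automatically"); drop one occurrence while this hunk is open.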
If you already have an organization role definition, then see [how to migrate an
1. **Determine how long a user who has been approved for access, should have access, and when that access should go away.** For many applications, a user might retain access indefinitely, until they're no longer affiliated with the organization. In some situations, access may be tied to particular projects or milestones, so that when the project ends, access is removed automatically. Or, if only a few users are using an application through a policy, you may configure quarterly or yearly reviews of everyone's access through that policy, so that there's regular oversight.
-1. **If your organization is governing access already with an organizational role model, plan to bring that organizational role model into Azure AD.** You may have an [organizational role](identity-governance-organizational-roles.md) defined which assigns access based on a user's property, such as their position or department. These processes can ensure users lose access eventually when access is no longer needed, even if there isn't a pre-determined project end date.
+1. **If your organization is governing access already with an organizational role model, plan to bring that organizational role model into Microsoft Entra ID.** You may have an [organizational role](identity-governance-organizational-roles.md) defined which assigns access based on a user's property, such as their position or department. These processes can ensure users lose access eventually when access is no longer needed, even if there isn't a pre-determined project end date.
1. **Inquire if there are separation of duties constraints.** For example, you may have an application with two app roles, *Western Sales* and *Eastern Sales*, and you want to ensure that a user can only have one sales territory at a time. Include a list of any pairs of app roles that are incompatible for your application, so that if a user has one role, they aren't allowed to request the second role.
active-directory Identity Governance Automation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-automation.md
# Automate Microsoft Entra ID Governance tasks via Azure Automation and Microsoft Graph
-[Azure Automation](../../automation/overview.md) is an Azure cloud service that allows you to automate common or repetitive systems management and processes. Microsoft Graph is the Microsoft unified API endpoint for Microsoft Entra features that manage users, groups, access packages, access reviews, and other resources in the directory. You can manage Microsoft Entra ID at scale from the PowerShell command line, using the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). You can also include the Microsoft Graph PowerShell cmdlets from a [PowerShell-based runbook in Azure Automation](/azure/automation/automation-intro), so that you can automate Microsoft Entra ID tasks from a simple script.
+[Azure Automation](../../automation/overview.md) is an Azure cloud service that allows you to automate common or repetitive systems management and processes. Microsoft Graph is the Microsoft unified API endpoint for Microsoft Entra features that manage users, groups, access packages, access reviews, and other resources in the directory. You can manage Microsoft Entra ID at scale from the PowerShell command line, using the [Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). You can also include the Microsoft Graph PowerShell cmdlets from a [PowerShell-based runbook in Azure Automation](/azure/automation/automation-intro), so that you can automate Microsoft Entra tasks from a simple script.
Azure Automation and the PowerShell Graph SDK supports certificate-based authentication and application permissions, so you can have Azure Automation runbooks authenticate to Microsoft Entra ID without needing a user context.
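Review bot: Subject-verb agreement in the trailing context line: "Azure Automation and the PowerShell Graph SDK supports" should read "support". The same two lines also name the SDK inconsistently ("Microsoft Graph PowerShell SDK" in the `+` line, "PowerShell Graph SDK" in the next); pick one form.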
active-directory Identity Governance Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/identity-governance-overview.md
In addition to the features listed above, additional Microsoft Entra features fr
|Policy and role management|Admin can define Conditional Access policies for run-time access to applications. Resource owners can define policies for user's access via access packages.|[Conditional Access](../conditional-access/overview.md) and [Entitlement management](entitlement-management-overview.md) policies| |Access certification|Admins can enable recurring access recertification for: SaaS apps, on-premises apps, cloud group memberships, Microsoft Entra ID or Azure Resource role assignments. Automatically remove resource access, block guest access and delete guest accounts.|[Access reviews](access-reviews-overview.md), also surfaced in [PIM](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md)| |Fulfillment and provisioning|Automatic provisioning and deprovisioning into Microsoft Entra connected apps, including via SCIM, LDAP, SQL and into SharePoint Online sites. |[user provisioning](../app-provisioning/user-provisioning.md)|
-|Reporting and analytics|Admins can retrieve audit logs of recent user provisioning and sign on activity. Integration with Azure Monitor and 'who has access' via access packages.|[Microsoft Entra ID reports](../reports-monitoring/overview-reports.md) and [monitoring](../reports-monitoring/overview-monitoring.md)|
+|Reporting and analytics|Admins can retrieve audit logs of recent user provisioning and sign on activity. Integration with Azure Monitor and 'who has access' via access packages.|[Microsoft Entra reports](../reports-monitoring/overview-reports.md) and [monitoring](../reports-monitoring/overview-monitoring.md)|
|Privileged access|Just-in-time and scheduled access, alerting, approval workflows for Microsoft Entra roles (including custom roles) and Azure Resource roles.|[Microsoft Entra PIM](../privileged-identity-management/pim-configure.md)| |Auditing|Admins can be alerted of creation of admin accounts.|[Microsoft Entra PIM alerts](../privileged-identity-management/pim-how-to-configure-security-alerts.md)|
active-directory Lifecycle Workflow Audits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/lifecycle-workflow-audits.md
After filtering this information, you're also able to see other information in t
- [Lifecycle Workflow History](lifecycle-workflow-history.md) - [Check the status of a workflow](check-status-workflow.md)-- [Microsoft Entra ID audit activity reference](../reports-monitoring/reference-audit-activities.md)
+- [Microsoft Entra audit activity reference](../reports-monitoring/reference-audit-activities.md)
active-directory Services And Integration Partners https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/governance/services-and-integration-partners.md
The descriptions and linked pages are provided by the partners themselves. You c
|[Edgile, a Wipro company](https://aka.ms/EdgileEntraIDGov) |"Edgile, a Wipro company is excited to be a Microsoft Launch Partner for Microsoft Entra ID Governance. Our deep and broad experience in IGA and security will ensure your project is a success. Our project accelerators will reduce your risk and deliver results faster." | |[EY](https://aka.ms/EYEntraIDGov) |"The EY organization, a trusted global leader in professional services, creates a better working world with people at the center, leveraging technology at scale and driving innovation at speed. The EY-Microsoft Alliance collaborates on innovative identity management solutions with Microsoft Entra, transforming the way businesses protect and manage identities, creating a future where trust and safety are paramount." | |[InSpark](https://aka.ms/InSparkEntraIDGov) | "InSpark is a Dutch Microsoft partner helping customers to go from Zero-to-Hero with the full Microsoft cloud portfolio. The Microsoft Entra ID Governance stack is one of our strong focus points as we believe securing and protecting your digital identity and the access it has is crucial in today's world."|
-|[Invoke](https://aka.ms/InvokeEntraIDGov) |"Invoke's Identity Solution Journey begins with assessments, building trust by showcasing security & compliance risk mitigation, along with productivity gains. In cost-sensitive markets, they deliver economic assessments, reporting cost savings by transitioning to a Microsoft-centric solution. By partnering with the Microsoft Entra ID team, they jointly empower customers to achieve more." |
+|[Invoke](https://aka.ms/InvokeEntraIDGov) |"Invoke's Identity Solution Journey begins with assessments, building trust by showcasing security & compliance risk mitigation, along with productivity gains. In cost-sensitive markets, they deliver economic assessments, reporting cost savings by transitioning to a Microsoft-centric solution. By partnering with the Microsoft Entra team, they jointly empower customers to achieve more." |
|[KPMG](https://aka.ms/KPMGEntraIDGov) |"KPMG and Microsoft further strengthen their alliance by delivering a comprehensive identity governance proposition. By adeptly navigating the complexities of identity governance, the combination of Microsoft Entra advanced tools with KPMG Powered Enterprise helps drive functional transformation. This synergy can propel accelerated digital capabilities, enhance operational efficiency, fortify security and ensure compliance."| |[Oxford Computer Group](https://aka.ms/OCGEntraIDGov) |"Oxford Computer Group's customer base includes some of the largest and most recognizable companies in the US and beyond. Our solutions include Identity Lifecycle Management, Identity and Access Management, Entitlements, Conditional Access, Separation of Duties, Attestation, SOX, Risk Assessments for IAM, Audit Remediation, External Identities, and Verifiable Credentials - nearly every aspect of Identity Governance. "| |[PwC](https://aka.ms/PwCEntraIDGov) |"Organizations use identity and access management to build trust, and doing so sustainably often requires the right technology and a multi-disciplinary team. Our team can help you implement Microsoft Entra ID Governance from strategy through execution by collaborating with you and our network of professionals by focusing on three key aspects: people, process, and technology."|
active-directory How To Inbound Synch Ms Graph https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-inbound-synch-ms-graph.md
Look under the 'status' section of the return object for relevant details
- [What is Microsoft Entra Connect cloud sync?](what-is-cloud-sync.md) - [Transformations](how-to-transformation.md)-- [Azure AD Synchronization API](/graph/api/resources/synchronization-overview?view=graph-rest-beta&preserve-view=true)
+- [Microsoft Entra Synchronization API](/graph/api/resources/synchronization-overview?view=graph-rest-beta&preserve-view=true)
active-directory Reference Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-powershell.md
Disables accidentalDeletionPrevention tenant feature
Disable-AADCloudSyncToolsDirSyncAccidentalDeletionPrevention -tenantId <TenantId> ```
-This cmdlet requires `TenantId` of the Azure AD tenant. It will verify if Accidental Deletion Prevention feature, set on the tenant with Azure AD Connect (ADSync, not Cloud Sync), is enabled and disables it.
+This cmdlet requires `TenantId` of the Microsoft Entra tenant. It will verify if Accidental Deletion Prevention feature, set on the tenant with Microsoft Entra Connect (ADSync, not Cloud Sync), is enabled and disables it.
#### Example: ``` powershell
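Review bot: The `+` line is awkward beyond the rename: "requires `TenantId` of the Microsoft Entra tenant. It will verify if Accidental Deletion Prevention feature ... is enabled and disables it." Suggest "requires the `TenantId` of the Microsoft Entra tenant. It verifies whether the Accidental Deletion Prevention feature, set on the tenant with Microsoft Entra Connect (ADSync, not Cloud Sync), is enabled and, if so, disables it."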
active-directory Concept Azure Ad Connect Sync Declarative Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/concept-azure-ad-connect-sync-declarative-provisioning.md
Here is an example:
In *Out to AD - User Exchange hybrid* the following flow can be found: `IIF([cloudSOAExchMailbox] = True,[cloudMSExchSafeSendersHash],IgnoreThisFlow)`
-This expression should be read as: if the user mailbox is located in Microsoft Entra ID, then flow the attribute from Microsoft Entra ID to AD. If not, do not flow anything back to Active Directory. In this case, it would keep the existing value in AD.
+This expression should be read as: if the user mailbox is located in Microsoft Entra ID, then flow the attribute from Microsoft Entra ID to Active Directory. If not, do not flow anything back to Active Directory. In this case, it would keep the existing value in AD.
### ImportedValue
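Review bot: The `+` line expands "AD" to "Active Directory" in the first two sentences but leaves "the existing value in AD" in the third; finish the expansion within the same line so the paragraph is consistent.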
active-directory Four Steps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/four-steps.md
To learn more, go read [Monitor AD FS using Microsoft Entra Connect Health](./ho
### Use Azure Monitor to collect data logs for analytics
-[Azure Monitor](../../../azure-monitor/overview.md) is a unified monitoring portal for all Microsoft Entra ID logs, which provides deep insights, advanced analytics, and smart machine learning. With Azure Monitor, you can consume metrics and logs within the portal and via APIs to gain more visibility into the state and performance of your resources. It enables a single pane of glass experience within the portal while enabling a wide range of product integrations via APIs and data export options that support traditional third-party SIEM systems. Azure Monitor also gives you the ability to configure alert rules to get notified or to take automated actions on issues impacting your resources.
+[Azure Monitor](../../../azure-monitor/overview.md) is a unified monitoring portal for all Microsoft Entra logs, which provides deep insights, advanced analytics, and smart machine learning. With Azure Monitor, you can consume metrics and logs within the portal and via APIs to gain more visibility into the state and performance of your resources. It enables a single pane of glass experience within the portal while enabling a wide range of product integrations via APIs and data export options that support traditional third-party SIEM systems. Azure Monitor also gives you the ability to configure alert rules to get notified or to take automated actions on issues impacting your resources.
![Azure Monitor](./media/four-steps/image1.png)
active-directory How To Bypassdirsyncoverrides https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-bypassdirsyncoverrides.md
Get-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -FromAzureAD
### Set _MobilePhone_ and _AlternateMobilePhones_ properties in Microsoft Entra ID: ```powershell
-Set-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobileInAD '999888777' -OtherMobileInAD '0987654','1234567'
+Set-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobilePhoneInAAD '999888777' -AlternateMobilePhonesInAAD '0987654','1234567'
``` ### Set _Mobile_ and _otherMobile_ properties in on-premises Active Directory: ```powershell
-Set-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobilePhoneInAAD '999888777' -AlternateMobilePhonesInAAD '0987654','1234567'
+Set-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobileInAD '999888777' -OtherMobileInAD '0987654','1234567'
``` <a name='clear-mobilephone-and-alternatemobilephones-properties-in-azure-ad'></a>
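Review bot: This hunk is a correctness fix, not a rename, and the commit should say so: before the change, the section headed "in Microsoft Entra ID" showed `-MobileInAD`/`-OtherMobileInAD` (the on-premises parameters) and the section headed "in on-premises Active Directory" showed the `...InAAD` parameters, so a reader following the Entra ID heading would have written the on-premises attributes instead. The swapped lines now match their headings; the identical inversion in the Clear- section is corrected by the next hunk, so keep both in one commit.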
Set-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobilePhoneInAAD '99988
### Clear _MobilePhone_ and _AlternateMobilePhones_ properties in Microsoft Entra ID: ```powershell
-Clear-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobileInAD -OtherMobileInAD
+Clear-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobilePhoneInAAD -AlternateMobilePhonesInAAD
``` ### Clear _Mobile_ and _otherMobile_ properties in on-premises Active Directory: ```powershell
-Clear-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobilePhoneInAAD -AlternateMobilePhonesInAAD
+Clear-ADSyncToolsDirSyncOverridesUser 'User1@Contoso.com' -MobileInAD -OtherMobileInAD
``` ## Next Steps
active-directory How To Connect Fed O365 Certs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-o365-certs.md
# Renew federation certificates for Microsoft 365 and Microsoft Entra ID ## Overview
-For successful federation between Microsoft Entra ID and Active Directory Federation Services (AD FS), the certificates used by AD FS to sign security tokens to Microsoft Entra ID should match what is configured in Microsoft Entra ID. Any mismatch can lead to broken trust. Microsoft Entra ensures that this information is kept in sync when you deploy AD FS and Web Application Proxy (for extranet access).
+For successful federation between Microsoft Entra ID and Active Directory Federation Services (AD FS), the certificates used by AD FS to sign security tokens to Microsoft Entra ID should match what is configured in Microsoft Entra ID. Any mismatch can lead to broken trust. Microsoft Entra ID ensures that this information is kept in sync when you deploy AD FS and Web Application Proxy (for extranet access).
> [!NOTE] > This article provides information on manging your federation cerficates. For information on emergency rotation see [Emergency Rotation of the AD FS certificates](how-to-connect-emergency-ad-fs-certificate-rotation.md)
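Review bot: The trailing NOTE context line has two typos that should be fixed in the same pass: "manging" should be "managing" and "cerficates" should be "certificates"; it also lacks a period after the emergency-rotation link. The `+` line's change ("Microsoft Entra ID ensures") is fine.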
active-directory How To Connect Fed Saml Idp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-fed-saml-idp.md
This table shows requirements for specific attributes in the SAML 2.0 message.
|Attribute|Description| | -- | -- | |NameID|The value of this assertion must be the same as the Microsoft Entra userΓÇÖs ImmutableID. It can be up to 64 alpha numeric characters. Any non-html safe characters must be encoded, for example a ΓÇ£+ΓÇ¥ character is shown as ΓÇ£.2BΓÇ¥.|
-|IDPEmail|The User Principal Name (UPN) is listed in the SAML response as an element with the name IDPEmail The userΓÇÖs UserPrincipalName (UPN) in Azure AD/Microsoft 365. The UPN is in email address format. UPN value in Windows Microsoft 365 (Microsoft Entra ID).|
+|IDPEmail|The User Principal Name (UPN) is listed in the SAML response as an element with the name IDPEmail The userΓÇÖs UserPrincipalName (UPN) in Microsoft Entra ID / Microsoft 365. The UPN is in email address format. UPN value in Windows Microsoft 365 (Microsoft Entra ID).|
|Issuer|Required to be a URI of the identity provider. Do not reuse the Issuer from the sample messages. If you have multiple top-level domains in your Microsoft Entra tenants the Issuer must match the specified URI setting configured per domain.| >[!IMPORTANT]
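Review bot: The IDPEmail description in the `+` line runs two sentences together ("...with the name IDPEmail The user's UserPrincipalName...") and the closing fragment "UPN value in Windows Microsoft 365 (Microsoft Entra ID)." is not a sentence; while touching this row, add the missing period and rewrite the fragment. The surrounding rows also show mojibake (ΓÇÖ, ΓÇ£, ΓÇ¥ where curly quotes belong), so check that the source file's quotes are proper UTF-8 rather than fixing only the brand name.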
active-directory How To Connect Group Writeback V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-group-writeback-v2.md
To verify if Active Directory has been prepared for Exchange, see [Prepare Activ
## Meet prerequisites for public preview The following are prerequisites for group writeback: -- A Microsoft Entra ID P1 or P2 1 license
+- A Microsoft Entra ID P1 or P2 license
- Microsoft Entra Connect version 2.0.89.0 or later An optional prerequisite is Exchange Server 2016 CU15 or later. You need it only for configuring cloud groups with an Exchange hybrid. For more information, seeΓÇ»[Configure Microsoft 365 Groups with on-premises Exchange hybrid](/exchange/hybrid-deployment/set-up-microsoft-365-groups#prerequisites). If you haven't [prepared Active Directory for Exchange](/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019&preserve-view=true), mail-related attributes of groups won't be written back.
active-directory How To Connect Health Adfs Risky Ip Workbook https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-health-adfs-risky-ip-workbook.md
Additionally, it's possible for a single IP address to attempt multiple logins a
1. Connect Health for AD FS installed and updated to the latest agent. 2. A Log Analytics Workspace with the ΓÇ£ADFSSignInLogsΓÇ¥ stream enabled. 3. Permissions to use the Microsoft Entra ID Monitor Workbooks. To use Workbooks, you need:-- A Microsoft Entra tenant with a premium (P1 or P2) license.
+- A Microsoft Entra tenant with a Microsoft Entra ID P1 or P2 license.
- Access to a Log Analytics Workspace and the following roles in Microsoft Entra ID (if accessing Log Analytics through [Microsoft Entra admin center](https://entra.microsoft.com)): Security administrator, Security reader, Reports reader, Global administrator
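Review bot: The leading context line shows mojibake around the stream name (ΓÇ£ADFSSignInLogsΓÇ¥ for "ADFSSignInLogs"); since the `+` line is already rewriting the license bullet in the same list, fix the encoding of the quotes in this list as well.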
active-directory How To Connect Health Agent Install https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-health-agent-install.md
The following table lists requirements for using Microsoft Entra Connect Health:
| Requirement | Description | | | |
-| You have a Microsoft Entra ID P1 or P2 (P1 or P2) Subscription. |Microsoft Entra Connect Health is a feature of Microsoft Entra ID P1 or P2 (P1 or P2). For more information, see [Sign up for Microsoft Entra ID P1 or P2](../../fundamentals/get-started-premium.md). <br /><br />To start a free 30-day trial, see [Start a trial](https://azure.microsoft.com/trial/get-started-active-directory/). |
+| You have a Microsoft Entra ID P1 or P2 subscription. |Microsoft Entra Connect Health is a feature of Microsoft Entra ID P1 or P2. For more information, see [Sign up for Microsoft Entra ID P1 or P2](../../fundamentals/get-started-premium.md). <br /><br />To start a free 30-day trial, see [Start a trial](https://azure.microsoft.com/trial/get-started-active-directory/). |
| You're a global administrator in Microsoft Entra ID. |Currently, only Global Administrator accounts can install and configure health agents. For more information, see [Administering your Microsoft Entra directory](../../fundamentals/whatis.md). <br /><br /> By using Azure role-based access control (Azure RBAC), you can allow other users in your organization to access Microsoft Entra Connect Health. For more information, see [Azure RBAC for Microsoft Entra Connect Health](how-to-connect-health-operations.md#manage-access-with-azure-rbac). <br /><br />**Important**: Use a work or school account to install the agents. You can't use a Microsoft account to install the agents. For more information, see [Sign up for Azure as an organization](../../fundamentals/sign-up-organization.md). |
-| The Microsoft Entra Connect Health agent is installed on each targeted server. | Health agents must be installed and configured on targeted servers so that they can receive data and provide monitoring and analytics capabilities. <br /><br />For example, to get data from your Active Directory Federation Services (AD FS) infrastructure, you must install the agent on the AD FS server and on the Web Application Proxy server. Similarly, to get data from your on-premises Microsoft Entra Domain Services (Microsoft Entra DS) infrastructure, you must install the agent on the domain controllers. |
+| The Microsoft Entra Connect Health agent is installed on each targeted server. | Health agents must be installed and configured on targeted servers so that they can receive data and provide monitoring and analytics capabilities. <br /><br />For example, to get data from your Active Directory Federation Services (AD FS) infrastructure, you must install the agent on the AD FS server and on the Web Application Proxy server. Similarly, to get data from your on-premises Microsoft Entra Domain Services infrastructure, you must install the agent on the domain controllers. |
| The Azure service endpoints have outbound connectivity. | During installation and runtime, the agent requires connectivity to Microsoft Entra Connect Health service endpoints. If firewalls block outbound connectivity, add the [outbound connectivity endpoints](how-to-connect-health-agent-install.md#outbound-connectivity-to-azure-service-endpoints) to an allowlist. | |Outbound connectivity is based on IP addresses. | For information about firewall filtering based on IP addresses, see [Azure IP ranges](https://www.microsoft.com/download/details.aspx?id=56519).| | TLS inspection for outbound traffic is filtered or disabled. | The agent registration step or data upload operations might fail if there's TLS inspection or termination for outbound traffic at the network layer. For more information, see [Set up TLS inspection](/previous-versions/tn-archive/ee796230(v=technet.10)). |
To download and install the Microsoft Entra Connect Health agent:
- See the [installation instructions](#install-the-agent-for-ad-fs). - Get started using Microsoft Entra Connect Health for sync: - [Download and install the latest version of Microsoft Entra Connect](https://go.microsoft.com/fwlink/?linkid=615771). The health agent for sync is installed as part of the Microsoft Entra Connect installation (version 1.0.9125.0 or later).-- Get started using Microsoft Entra Connect Health for Microsoft Entra DS:
- - [Download the Microsoft Entra Connect Health agent for Microsoft Entra DS](https://go.microsoft.com/fwlink/?LinkID=820540).
+- Get started using Microsoft Entra Connect Health for Microsoft Entra Domain
+ - [Download the Microsoft Entra Connect Health agent for Microsoft Entra Domain Services](https://go.microsoft.com/fwlink/?LinkID=820540).
- See the [installation instructions](#install-the-agent-for-azure-ad-ds). ## Install the agent for AD FS
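Review bot: The first `+` line appears truncated: "- Get started using Microsoft Entra Connect Health for Microsoft Entra Domain" ends without "Services:", while the nested bullet beneath it is complete. Confirm the committed line reads "...for Microsoft Entra Domain Services:" so the list parent is not left as a fragment.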
To verify that the agent has been installed, look for the following services on
:::image type="content" source="media/how-to-connect-health-agent-install/services.png" alt-text="Screenshot that shows the running Microsoft Entra Connect Health for sync services on the server."::: > [!NOTE]
-> Remember that you must have Microsoft Entra ID P1 or P2 (P1 or P2) to use Microsoft Entra Connect Health. If you don't have Microsoft Entra ID P1 or P2, you can't complete the configuration in the [Microsoft Entra admin center](https://entra.microsoft.com). For more information, see the [requirements](how-to-connect-health-agent-install.md#requirements).
+> Remember that you must have Microsoft Entra ID P1 or P2 to use Microsoft Entra Connect Health. If you don't have Microsoft Entra ID P1 or P2, you can't complete the configuration in the [Microsoft Entra admin center](https://entra.microsoft.com). For more information, see the [requirements](how-to-connect-health-agent-install.md#requirements).
<a name='manually-register-azure-ad-connect-health-for-sync'></a>
When you're prompted for authentication, use the same Global Administrator accou
<a name='install-the-agent-for-azure-ad-ds'></a>
-## Install the agent for Microsoft Entra DS
+<a name='install-the-agent-for-microsoft-entra-ds'></a>
+
+## Install the agent for Microsoft Entra Domain Services
To start the agent installation, double-click the *.exe* file that you downloaded. In the first window, select **Install**.
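Review bot: The added anchor `install-the-agent-for-microsoft-entra-ds` does not correspond to the new heading text (a heading "Install the agent for Microsoft Entra Domain Services" would auto-generate `install-the-agent-for-microsoft-entra-domain-services`), so it only serves links made against the interim "Microsoft Entra DS" heading. That is acceptable for link stability, but note that the in-page link earlier in this file still targets `#install-the-agent-for-azure-ad-ds` and relies on the retained legacy anchor; neither anchor should be removed in a later cleanup without updating that link.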
To start the agent installation, double-click the *.exe* file that you downloade
When the installation finishes, select **Configure Now**. A Command Prompt window opens. PowerShell runs `Register-AzureADConnectHealthADDSAgent`. When you're prompted, sign in to Azure. After you sign in, PowerShell continues. When it finishes, you can close PowerShell. The configuration is complete. At this point, the services should be started automatically, allowing the agent to monitor and gather data. If you haven't met all the prerequisites outlined in the previous sections, warnings appear in the PowerShell window. Be sure to complete the [requirements](how-to-connect-health-agent-install.md#requirements) before you install the agent. The following screenshot shows an example of these warnings. To verify that the agent is installed, look for the following services on the domain controller:
Check out the following related articles:
- [Microsoft Entra Connect Health operations](how-to-connect-health-operations.md) - [Using Microsoft Entra Connect Health with AD FS](how-to-connect-health-adfs.md) - [Using Microsoft Entra Connect Health for sync](how-to-connect-health-sync.md)-- [Using Microsoft Entra Connect Health with Microsoft Entra DS](how-to-connect-health-adds.md)
+- [Using Microsoft Entra Connect Health with Microsoft Entra Domain Services](how-to-connect-health-adds.md)
- [Microsoft Entra Connect Health FAQ](reference-connect-health-faq.yml) - [Microsoft Entra Connect Health version history](reference-connect-health-version-history.md)
active-directory How To Connect Install Existing Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-install-existing-tenant.md
The match is only evaluated for new objects coming from Connect. If you change a
If Microsoft Entra ID finds an object where the attribute values are the same for an object coming from Connect and that it is already present in Microsoft Entra ID, then the object in Microsoft Entra ID is taken over by Connect. The previously cloud-managed object is flagged as on-premises managed. All attributes in Microsoft Entra ID with a value in on-premises AD are overwritten with the on-premises value. > [!WARNING]
-> Since all attributes in Microsoft Entra ID are going to be overwritten by the on-premises value, make sure you have good data on-premises. For example, if you only have managed email address in Microsoft 365 and not kept it updated in on-premises AD DS, then you lose any values in Azure AD/Microsoft 365 not present in AD DS.
+> Since all attributes in Microsoft Entra ID are going to be overwritten by the on-premises value, make sure you have good data on-premises. For example, if you only have managed email address in Microsoft 365 and not kept it updated in on-premises AD DS, then you lose any values in Microsoft Entra ID / Microsoft 365 not present in AD DS.
> [!IMPORTANT] > If you use password sync, which is always used by express settings, then the password in Microsoft Entra ID is overwritten with the password in on-premises AD. If your users are used to manage different passwords, then you need to inform them that they should use the on-premises password when you have installed Connect.
If you matched your objects with a soft-match, then the **sourceAnchor** is adde
### Hard-match vs Soft-match For a new installation of Connect, there is no practical difference between a soft- and a hard-match. The difference is in a disaster recovery situation. If you have lost your server with Microsoft Entra Connect, you can reinstall a new instance without losing any data. An object with a sourceAnchor is sent to Connect during initial install. The match can then be evaluated by the client (Microsoft Entra Connect), which is a lot faster than doing the same in Microsoft Entra ID. A hard match is evaluated both by Connect and by Microsoft Entra ID. A soft match is only evaluated by Microsoft Entra ID.
- We have added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We advise customers to disable soft matching unless they need it to take over cloud only accounts. This [article](/powershell/module/msonline/set-msoldirsyncfeature) shows how to disable Soft Matching.
+We have added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We advise customers to disable soft matching unless they need it to take over cloud only accounts.
+
+To disable Soft Matching, use the [Update-MgDirectoryOnPremiseSynchronization](/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdirectoryonpremisesynchronization) Microsoft Graph PowerShell cmdlet:
+
+```powershell
+Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
+
+Connect-MgGraph -Scopes "OnPremDirectorySynchronization.ReadWrite.All"
+$onPremisesDirectorySynchronizationId = "<TenantID>"
+$params = @{
+ features = @{
+ blockSoftMatchEnabled = $true
+ }
+}
+Update-MgDirectoryOnPremiseSynchronization -OnPremisesDirectorySynchronizationId $onPremisesDirectorySynchronizationId -BodyParameter $params
+```
+
+> [!NOTE]
+>
+> blockSoftMatchEnabled - Use to block soft match for all objects if enabled for the tenant. Customers are encouraged to enable this feature and keep it enabled until soft matching is required again for their tenancy. This flag should be enabled again after any soft matching has been completed and is no longer needed.
### Other objects than users For mail-enabled groups and contacts, you can soft-match based on proxyAddresses. Hard-match is not applicable since you can only update the sourceAnchor/immutableID (using PowerShell) on Users only. For groups that aren't mail-enabled, there is currently no support for soft-match or hard-match.
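Review bot: the new PowerShell sample imports Microsoft.Graph.Beta.Identity.DirectoryManagement but then calls Update-MgDirectoryOnPremiseSynchronization and links the v1.0 reference page; in Microsoft Graph PowerShell SDK 2.x the beta module exposes the cmdlet as Update-MgBetaDirectoryOnPremiseSynchronization, so either import Microsoft.Graph.Identity.DirectoryManagement or switch the cmdlet name and link to the beta variant consistently. The indentation inside the $params hashtable has also been lost in the + lines. The NOTE would be stronger if it stated the security reason already given in this section (soft matching lets an on-premises object take over a cloud-only account), so readers understand why blockSoftMatchEnabled should stay on except during a planned takeover.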
To prevent untrusted on-premises users from matching with a cloud user that has
3. Trigger a sync. 4. Optionally add the directory roles back to the user object in cloud once the matching has occurred. -- <a name='create-a-new-on-premises-active-directory-from-data-in-azure-ad'></a> ## Create a new on-premises Active Directory from data in Microsoft Entra ID
If the only reason why you plan to add on-premises AD is to support LOBs (Line-o
## Next steps Learn more about [Integrating your on-premises identities with Microsoft Entra ID](../whatis-hybrid-identity.md).+
active-directory How To Connect Staged Rollout https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-staged-rollout.md
Staged Rollout allows you to selectively test groups of users with cloud authentication capabilities like Microsoft Entra multifactor authentication, Conditional Access, Identity Protection for leaked credentials, Identity Governance, and others, before cutting over your domains. This article discusses how to make the switch. Before you begin the Staged Rollout, however, you should consider the implications if one or more of the following conditions is true: -- You're currently using an on-premises multifactor authentication server.
+- You're currently using an on-premises Multi-Factor Authentication Server.
- You're using smart cards for authentication. - Your current server offers certain federation-only features.
active-directory How To Connect Sync Change The Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-sync-change-the-configuration.md
The inbound synchronization rule permits the attribute value to flow from the so
| | | | | adminDescription | NOTSTARTWITH | User\_ |
- The scoping filter determines to which on-premises AD objects this inbound synchronization rule is applied. In this example, we use the same scoping filter used in the *In from AD ΓÇô User Common* out-of-box synchronization rule, which prevents the synchronization rule from being applied to User objects created through the Microsoft Entra User writeback feature. You might need to tweak the scoping filter according to your Microsoft Entra Connect deployment.
+ The scoping filter determines to which on-premises AD objects this inbound synchronization rule is applied. In this example, we use the same scoping filter used in the *In from AD ΓÇô User Common* out-of-box synchronization rule, which prevents the synchronization rule from being applied to User objects created through the Microsoft Entra user writeback feature. You might need to tweak the scoping filter according to your Microsoft Entra Connect deployment.
6. Go to the **Transformation** tab and implement the desired transformation rule. For example, if you have designated an unused on-premises AD attribute (such as extensionAttribute1) as the source attribute for the UserType, you can implement a direct attribute flow:
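Review bot: both the - and + lines show the out-of-box rule name as "In from AD ΓÇô User Common", a mis-encoded en dash; readers have to find that rule by its exact name in the Synchronization Rules Editor, so confirm the file is saved as UTF-8 and the dash renders correctly before merging.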
active-directory How To Connect Sync Endpoint Api V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-sync-endpoint-api-v2.md
Microsoft has deployed a new endpoint (API) for Microsoft Entra Connect that imp
> It will not be made available in the Azure German cloud ## PrerequisitesΓÇ»
-In order to use the new V2 endpoint, you'll need to use Microsoft Entra Connect v2.0. When you deploy AADConnect V2.0, the V2 endpoint will be automatically enabled.
+In order to use the new V2 endpoint, you'll need to use Azure AD v2.0. When you deploy AADConnect V2.0, the V2 endpoint will be automatically enabled.
There is a known issue where upgrading to the latest 1.6 build resets the group membership limit to 50k. When a server is upgraded to AADConnect 1.6, then the customer should reapply the rule changes that they applied when initially increasing the group membership limit to 250k before they enable sync for the server. ## Frequently asked questionsΓÇ»
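Review bot: the + line changes the prerequisite from "Microsoft Entra Connect v2.0" to "Azure AD v2.0", which is wrong. The V2 endpoint is a feature of the Microsoft Entra Connect (AADConnect) client, as the next sentence "When you deploy AADConnect V2.0, the V2 endpoint will be automatically enabled" and the intro "Microsoft has deployed a new endpoint (API) for Microsoft Entra Connect" both say. This looks like an over-eager find-and-replace during the rename; restore "Microsoft Entra Connect V2.0".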
active-directory How To Connect Sync Service Manager Ui Connectors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/how-to-connect-sync-service-manager-ui-connectors.md
Title: Connectors in the Azure AD Synchronization Service Manager UI'
+ Title: Connectors in the Microsoft Entra Synchronization Service Manager UI'
description: Understand the Connectors tab in the Synchronization Service Manager for Microsoft Entra Connect. documentationcenter: ''
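Review bot: the title value in the + line still ends with a stray single quote ("...Service Manager UI'") that has no opening quote; drop it or quote the whole string, since the rename is the right moment to fix it.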
active-directory Howto Troubleshoot Upn Changes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/howto-troubleshoot-upn-changes.md
For example, if you add labs.contoso.com and change the user UPNs and email to r
>[!IMPORTANT] > If you change the suffix in Active Directory, add and verify a matching custom domain name in Microsoft Entra ID.
- > [Add your custom domain name using the Microsoft Entra portal](../../fundamentals/add-custom-domain.md)
+ > [Add your custom domain name using the Microsoft Entra admin center](../../fundamentals/add-custom-domain.md)
![Screenshot of the Add customer domain option, under Custom domain names.](./media/howto-troubleshoot-upn-changes/custom-domains.png)
active-directory Plan Connect User Signin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/plan-connect-user-signin.md
The Microsoft Entra sign-in page lists the UPN suffixes that are defined for on-
| State | Description | Action needed | |: |: |: | | Verified |Microsoft Entra Connect found a matching verified domain in Microsoft Entra ID. All users for this domain can sign in by using their on-premises credentials. |No action is needed. |
-| Not verified |Microsoft Entra Connect found a matching custom domain in Microsoft Entra ID, but it isn't verified. The UPN suffix of the users of this domain will be changed to the default .onmicrosoft.com suffix after synchronization if the domain isn't verified. | [Verify the custom domain in Azure AD.](../../fundamentals/add-custom-domain.md#verify-your-custom-domain-name) |
+| Not verified |Microsoft Entra Connect found a matching custom domain in Microsoft Entra ID, but it isn't verified. The UPN suffix of the users of this domain will be changed to the default .onmicrosoft.com suffix after synchronization if the domain isn't verified. | [Verify the custom domain in Microsoft Entra ID.](../../fundamentals/add-custom-domain.md#verify-your-custom-domain-name) |
| Not added |Microsoft Entra Connect didn't find a custom domain that corresponded to the UPN suffix. The UPN suffix of the users of this domain will be changed to the default .onmicrosoft.com suffix if the domain isn't added and verified in Azure. | [Add and verify a custom domain that corresponds to the UPN suffix.](../../fundamentals/add-custom-domain.md) | The Microsoft Entra sign-in page lists the UPN suffixes that are defined for on-premises Active Directory and the corresponding custom domain in Microsoft Entra ID with the current verification status. In a custom installation, you can now select the attribute for the user principal name on the **Microsoft Entra sign-in** page.
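Review bot: the "Not verified" row now says "Verify the custom domain in Microsoft Entra ID", but the unchanged "Not added" row directly below still reads "if the domain isn't added and verified in Azure"; update that row in the same change so the table is consistent.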
You can change the user sign-in method from federation, password hash synchroniz
On the next page, you're asked to provide the credentials for Microsoft Entra ID.
-![Screenshot that shows where you should type the credentials for Azure AD.](./media/plan-connect-user-signin/changeusersignin2.png)
+![Screenshot that shows where you should type the credentials for Microsoft Entra ID.](./media/plan-connect-user-signin/changeusersignin2.png)
On the **User sign-in** page, select the desired user sign-in.
active-directory Reference Connect Adsynctools https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-adsynctools.md
Import ImmutableID from Microsoft Entra ID
Import-ADSyncToolsSourceAnchor [-Output] <String> [-IncludeSyncUsersFromRecycleBin] [<CommonParameters>] ``` ### DESCRIPTION
-Generates a file with all Azure AD Synchronized users containing the ImmutableID value in GUID format
+Generates a file with all Microsoft Entra ID synchronized users containing the ImmutableID value in GUID format
Requirements: MSOnline PowerShell Module ### EXAMPLES #### EXAMPLE 1
active-directory Reference Connect Health Version History https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-health-version-history.md
Title: Azure AD Connect Health Version History
-description: This document describes the releases for Azure AD Connect Health and what has been included in those releases.
+ Title: Microsoft Entra Connect Health Version History
+description: This document describes the releases for Microsoft Entra Connect Health and what has been included in those releases.
documentationcenter: ''
-# Azure AD Connect Health: Version Release History
-The Azure Active Directory team regularly updates Azure AD Connect Health with new features and functionality. This article lists the versions and features that have been released.
+# Microsoft Entra Connect Health: Version Release History
+The Microsoft Entra team regularly updates Microsoft Entra Connect Health with new features and functionality. This article lists the versions and features that have been released.
> [!NOTE]
-> Azure AD Connect Health agents are updated automatically when new version is released.
+> Microsoft Entra Connect Health agents are updated automatically when new version is released.
>
-Azure AD Connect Health for Sync is integrated with Azure AD Connect installation. Read more about [Azure AD Connect release history](./reference-connect-version-history.md)
+Microsoft Entra Connect Health for Sync is integrated with Microsoft Entra Connect installation. Read more about [Microsoft Entra Connect release history](./reference-connect-version-history.md)
For feature feedback, vote at [Connect Health User Voice channel](https://feedback.azure.com/d365community/forum/22920db1-ad25-ec11-b6e6-000d3a4f0789) ## May / June 2023 **Agent Updates**
-Microsoft Azure AD Connect Health ADFS Agents (versions 4.5.x)
+Microsoft Entra Connect Health ADFS Agents (versions 4.5.x)
-- New version of the Azure AD Connect Health ADFS agent that uses an updated architecture.
+- New version of the Microsoft Entra Connect Health ADFS agent that uses an updated architecture.
- Updated installer package - Migration to MSAL authentication library - New pre-requisite checks
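Review bot: the renamed NOTE line "agents are updated automatically when new version is released" is still missing an article ("when a new version is released"); fix it while the line is being touched. The May / June 2023 entry also uses "ADFS Agents" and "ADFS agent" where the other entries in this file write "agent for AD FS"; use one spelling of AD FS.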
Microsoft Azure AD Connect Health ADFS Agents (versions 4.5.x)
## 27 March 2023 **Agent Update**
-Azure AD Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Download Center Only)
+Microsoft Entra Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Download Center Only)
- We created a fix for so that the agents would be FIPS compliant - the change was to have the agents use ΓÇÿCloudStorageAccount.UseV1MD5 = falseΓÇÖ so the agent only uses only FIPS compliant cryptography, otherwise Azure blob client causes FIPs exceptions to be thrown.
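Review bot: the unchanged bullet in this hunk reads "We created a fix for so that the agents would be FIPS compliant" and "so the agent only uses only FIPS compliant cryptography"; since the heading above it is being renamed, tidy the grammar at the same time ("We created a fix so that the agents are FIPS compliant ... so the agent uses only FIPS-compliant cryptography"). The quotation marks around CloudStorageAccount.UseV1MD5 = false are also mis-encoded; put the setting in backticks instead.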
Azure AD Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Downl
## 19 January 2023 **Agent Update**-- Azure AD Connect Health agent for Azure AD Connect (version 3.2.2188.23)
- - We fixed a bug where, under certain circumstances, Azure AD Connect sync errors were not getting uploaded or shown in the portal.
+- Microsoft Entra Connect Health agent for Microsoft Entra Connect (version 3.2.2188.23)
+ - We fixed a bug where, under certain circumstances, Microsoft Entra Connect Sync errors were not getting uploaded or shown in the portal.
## September 2021 **Agent Update**-- Azure AD Connect Health agent for AD FS (version 3.1.113.0)
+- Microsoft Entra Connect Health agent for AD FS (version 3.1.113.0)
- Fix to extract device information such as device compliance and managed status, device OS, and device OS version from AD FS audits in certain device based authentication scenarios. - Fix to populate OAuth Application info in failure cases and categorizing OAuth failures with more specific error codes - Fix for alerts on broken WMI calls on the customer machine. Now such calls the result/status would be set to "notRun". ## May 2021 **Agent Update**-- Azure AD Connect Health agent for AD FS (version 3.1.99.0)
+- Microsoft Entra Connect Health agent for AD FS (version 3.1.99.0)
- Fix for low unique user count value in AD FS application activity report - Fix for sign-ins with empty or default GUID CorrelationId ## March 2021 **Agent Update** -- Azure AD Connect Health agent for AD FS (version 3.1.95.0)
+- Microsoft Entra Connect Health agent for AD FS (version 3.1.95.0)
- Fix to resolve NT4 formatted username to a UPN during sign-in events. - Fix to identify incorrect application identifier scenarios with a dedicated error code. - Changes to add a new property for OAuth client identifier.
- - Fix to display correct values in the **Protocol** and **Authentication Type** fields in Azure AD sign-in report for certain sign-in scenarios.
- - Fix to display IP addresses in Azure AD sign-in report's IP chain field in order of the request.
+ - Fix to display correct values in the **Protocol** and **Authentication Type** fields in Microsoft Entra sign-in report for certain sign-in scenarios.
+ - Fix to display IP addresses in Microsoft Entra sign-in report's IP chain field in order of the request.
- Changes to introduce a new field to differentiate if secondary authentication was requested during a sign-in.
- - Fix for AD FS application identifier property to display in Azure AD sign-in report.
+ - Fix for AD FS application identifier property to display in Microsoft Entra sign-in report.
## April 2020 **Agent Update** -- Azure AD Connect Health agent for AD FS (version 3.1.77.0)
+- Microsoft Entra Connect Health agent for AD FS (version 3.1.77.0)
- Bug fix for ΓÇ£Invalid Service Principal Name (SPN) for AD FS serviceΓÇ¥ alert, for which the alert was reporting incorrectly. ## July 2019 **Agent Update**
-* Azure AD Connect Health agent for AD FS (version 3.1.59.0)
+* Microsoft Entra Connect Health agent for AD FS (version 3.1.59.0)
1. Text change in TestWindowsTransport 2. Changes for AD FS RP upload
-* Azure AD Connect Health agent for AD FS (version 3.1.56.0)
+* Microsoft Entra Connect Health agent for AD FS (version 3.1.56.0)
1. Add TestWindowsTransport test and remove WsTrust endpoints checks in CheckOffice365Endpoints test 2. Log OS and .NET information 3. Increase RP configuration message upload size to 1MB. 4. Bug fixes
-* Azure AD Connect Health agent for AD DS (version 3.1.56.0)
+* Microsoft Entra Connect Health agent for AD DS (version 3.1.56.0)
1. Log OS and .NET information 2. Bug fixes ## May 2019 **Agent Update:**
-* Azure AD Connect Health agent for AD FS (version 3.1.51.0)
+* Microsoft Entra Connect Health agent for AD FS (version 3.1.51.0)
1. Bug fix to distinguish between multiple sign ins that share the same client-request-id. 2. Bug fix to parse bad username/password errors on language localized servers. ## April 2019 **Agent Update:**
-* Azure AD Connect Health agent for AD FS (version 3.1.46.0)
+* Microsoft Entra Connect Health agent for AD FS (version 3.1.46.0)
1. Fix Check Duplicate SPN alert process for ADFS ## March 2019 **Agent Update:**
-* Azure AD Connect Health agent for AD DS (version 3.1.41.0)
+* Microsoft Entra Connect Health agent for AD DS (version 3.1.41.0)
1. .NET version collection 2. Improvement of performance counter collection when missing certain categories 3. Bug fix on preventing spawning of multiple Monitoring Agent instances
-* Azure AD Connect Health agent for AD FS (version 3.1.41.0)
+* Microsoft Entra Connect Health agent for AD FS (version 3.1.41.0)
1. Integrate and upgrade of AD FS test scripts using ADFSToolBox 2. Implement .NET version collection 3. Improvement of performance counter collection when missing certain categories
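Review bot: the unchanged September 2021 bullet "Fix for alerts on broken WMI calls on the customer machine. Now such calls the result/status would be set to "notRun"" is garbled; suggest "For such calls, the result/status is now set to "notRun"". The "**Agent Update**-- " fragments in this hunk also show the heading and the first list item fused on one line, which is worth checking in the rendered page.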
Azure AD Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Downl
## November 2018 **New GA features:**
-* Azure AD Connect Health for Sync - Diagnose and remediate duplicated attribute sync errors from the portal
+* Microsoft Entra Connect Health for Sync - Diagnose and remediate duplicated attribute sync errors from the portal
**Agent Update:**
-* Azure AD Connect Health agent for AD DS (version 3.1.24.0)
+* Microsoft Entra Connect Health agent for AD DS (version 3.1.24.0)
1. Transport Layer Security (TLS) protocol version 1.2 compliance and enforcement 2. Reduce Global Catalog alert noise 3. Health agent registration bug fixes
-* Azure AD Connect Health agent for AD FS (version 3.1.24.0)
+* Microsoft Entra Connect Health agent for AD FS (version 3.1.24.0)
1. Transport Layer Security (TLS) protocol version 1.2 compliance and enforcement 2. Support of Test-ADFSRequestToken for localized operating system 3. Solved diagnostic agent EventHandler locking issue 4. Health agent registration bug fixes ## August 2018
-* Azure AD Connect Health agent for Sync (version 3.1.7.0) released with Azure AD Connect version 1.1.880.0
+* Microsoft Entra Connect Health agent for Sync (version 3.1.7.0) released with Microsoft Entra Connect version 1.1.880.0
1. Hotfix for [high CPU issue of monitoring agent with .NET Framework KB releases](https://support.microsoft.com/help/4346822/high-cpu-issue-in-azure-active-directory-connect-health-for-sync) ## June 2018 **New preview features:**
-* Azure AD Connect Health for Sync - Diagnose and remediate duplicated attribute sync errors from the portal
+* Microsoft Entra Connect Health for Sync - Diagnose and remediate duplicated attribute sync errors from the portal
**Agent Update:**
-* Azure AD Connect Health agent for AD DS (version 3.1.7.0)
+* Microsoft Entra Connect Health agent for AD DS (version 3.1.7.0)
1. Hotfix for [high CPU issue of monitoring agent with .NET Framework KB releases](https://support.microsoft.com/help/4346822/high-cpu-issue-in-azure-active-directory-connect-health-for-sync)
-* Azure AD Connect Health agent for AD FS (version 3.1.7.0)
+* Microsoft Entra Connect Health agent for AD FS (version 3.1.7.0)
1. Hotfix for [high CPU issue of monitoring agent with .NET Framework KB releases](https://support.microsoft.com/help/4346822/high-cpu-issue-in-azure-active-directory-connect-health-for-sync) 2. Test results fixes on ADFS Server 2016 secondary server
-* Azure AD Connect Health agent for AD FS (version 3.1.2.0)
+* Microsoft Entra Connect Health agent for AD FS (version 3.1.2.0)
1. Hotfix for agent memory management and related alerts specifically for version 3.0.244.0 ## May 2018 **Agent Update:**
-* Azure AD Connect Health agent for AD DS (version 3.0.244.0)
+* Microsoft Entra Connect Health agent for AD DS (version 3.0.244.0)
1. Agent privacy improvement 2. Bug fixes and general improvements
-* Azure AD Connect Health agent for AD FS (version 3.0.244.0)
+* Microsoft Entra Connect Health agent for AD FS (version 3.0.244.0)
1. Agent Diagnostics Service and related PowerShell module improvements 2. Agent privacy improvement 3. Bug fixes and general improvements
-* Azure AD Connect Health agent for Sync (version 3.0.164.0) released with Azure AD Connect version 1.1.819.0
+* Microsoft Entra Connect Health agent for Sync (version 3.0.164.0) released with Microsoft Entra Connect version 1.1.819.0
1. Agent privacy improvement 2. Bug fixes and general improvements ## March 2018 **New preview features:**
-* Azure AD Connect Health for AD FS - Risky IP report and alert.
+* Microsoft Entra Connect Health for AD FS - Risky IP report and alert.
**Agent Update:**
-* Azure AD Connect Health agent for AD DS (version 3.0.176.0)
+* Microsoft Entra Connect Health agent for AD DS (version 3.0.176.0)
1. Agent availability improvements 2. Bug fixes and general improvements
-* Azure AD Connect Health agent for AD FS (version 3.0.176.0)
+* Microsoft Entra Connect Health agent for AD FS (version 3.0.176.0)
1. Agent availability improvements 2. Bug fixes and general improvements
-* Azure AD Connect Health agent for Sync (version 3.0.129.0) released with Azure AD Connect version 1.1.750.0
+* Microsoft Entra Connect Health agent for Sync (version 3.0.129.0) released with Microsoft Entra Connect version 1.1.750.0
1. Agent availability improvements 2. Bug fixes and general improvements ## December 2017 **Agent Update:**
-* Azure AD Connect Health agent for AD DS (version 3.0.145.0)
+* Microsoft Entra Connect Health agent for AD DS (version 3.0.145.0)
1. Agent availability improvements 2. Added new agent troubleshooting commands 3. Bug fixes and general improvements
-* Azure AD Connect Health agent for AD FS (version 3.0.145.0)
+* Microsoft Entra Connect Health agent for AD FS (version 3.0.145.0)
1. Added new agent troubleshooting commands 2. Agent availability improvements 3. Bug fixes and general improvements
Azure AD Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Downl
## October 2017 **Agent Update:**
- * Azure AD Connect Health agent for Sync (version 3.0.129.0) released with Azure AD Connect version 1.1.649.0
-<br></br> Fixed a version compatibility issue between Azure AD Connect and Azure AD Connect Health Agent for Sync. This issue affects customers who are performing Azure AD Connect in-place upgrade to version 1.1.647.0, but currently has Health Agent version 3.0.127.0. After the upgrade, the Health Agent can no longer send health data about Azure AD Connect Synchronization Service to Azure AD Health Service. With this fix, Health Agent version 3.0.129.0 is installed during Azure AD Connect in-place upgrade. Health Agent version 3.0.129.0 does not have compatibility issue with Azure AD Connect version 1.1.649.0.
+ * Microsoft Entra Connect Health agent for Sync (version 3.0.129.0) released with Microsoft Entra Connect version 1.1.649.0
+<br></br> Fixed a version compatibility issue between Microsoft Entra Connect and Microsoft Entra Connect Health Agent for Sync. This issue affects customers who are performing Microsoft Entra Connect in-place upgrade to version 1.1.647.0, but currently has Health Agent version 3.0.127.0. After the upgrade, the Health Agent can no longer send health data about Microsoft Entra Connect Synchronization Service to Microsoft Entra Health Service. With this fix, Health Agent version 3.0.129.0 is installed during Microsoft Entra Connect in-place upgrade. Health Agent version 3.0.129.0 does not have compatibility issue with Microsoft Entra Connect version 1.1.649.0.
## July 2017 **Agent Update:**
-* Azure AD Connect Health agent for AD DS (version 3.0.68.0)
+* Microsoft Entra Connect Health agent for AD DS (version 3.0.68.0)
1. Bug fixes and general improvements 2. Sovereign cloud support
-* Azure AD Connect Health agent for AD FS (version 3.0.68.0)
+* Microsoft Entra Connect Health agent for AD FS (version 3.0.68.0)
1. Bug fixes and general improvements 2. Sovereign cloud support
-* Azure AD Connect Health agent for Sync (version 3.0.68.0) released with Azure AD Connect version 1.1.614.0
+* Microsoft Entra Connect Health agent for Sync (version 3.0.68.0) released with Microsoft Entra Connect version 1.1.614.0
1. Support for Microsoft Azure Government Cloud and Microsoft Cloud Germany ## April 2017 **Agent Update:**
-* Azure AD Connect Health agent for AD FS (version 3.0.12.0)
+* Microsoft Entra Connect Health agent for AD FS (version 3.0.12.0)
1. Bug fixes and general improvements
-* Azure AD Connect Health agent for AD DS (version 3.0.12.0)
+* Microsoft Entra Connect Health agent for AD DS (version 3.0.12.0)
1. Performance counters upload improvements 2. Bug fixes and general improvements ## October 2016 **Agent Update:**
-* Azure AD Connect Health agent for AD FS (version 2.6.408.0)
+* Microsoft Entra Connect Health agent for AD FS (version 2.6.408.0)
* Improvements in detecting client IP addresses in authentication requests * Bug Fixes related to Alerts
-* Azure AD Connect Health agent for AD DS (version 2.6.408.0)
+* Microsoft Entra Connect Health agent for AD DS (version 2.6.408.0)
* Bug fixes related to Alerts.
-* Azure AD Connect Health agent for Sync (version 2.6.353.0) released with Azure AD Connect version 1.1.281.0
+* Microsoft Entra Connect Health agent for Sync (version 2.6.353.0) released with Microsoft Entra Connect version 1.1.281.0
* Provide the required data for the Synchronization Error Reports * Bug fixes related to Alerts **New preview features:**
-* Synchronization Error Reports for Azure AD Connect
+* Synchronization Error Reports for Microsoft Entra Connect
**New features:**
-* Azure AD Connect Health for AD FS - IP address field is available in the report about top 50 users with bad username/password.
+* Microsoft Entra Connect Health for AD FS - IP address field is available in the report about top 50 users with bad username/password.
## July 2016 **New preview features:**
-* [Azure AD Connect Health for AD DS](how-to-connect-health-adds.md).
+* [Microsoft Entra Connect Health for AD DS](how-to-connect-health-adds.md).
## January 2016 **Agent Update:**
-* Azure AD Connect Health agent for AD FS (version 2.6.91.1512)
+* Microsoft Entra Connect Health agent for AD FS (version 2.6.91.1512)
**New features:**
-* [Test Connectivity Tool for Azure AD Connect Health Agents](how-to-connect-health-agent-install.md#test-connectivity-to-azure-ad-connect-health-service)
+* [Test Connectivity Tool for Microsoft Entra Connect Health Agents](how-to-connect-health-agent-install.md#test-connectivity-to-azure-ad-connect-health-service)
## November 2015 **New features:**
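Review bot: the + line for the October 2017 entry carries over `<br></br>`, which is not valid HTML (br is a void element); replace it with a nested list item or a blank line. The same sentence has "customers who are performing ... but currently has Health Agent" (should be "have"). The January 2016 link keeps the fragment #test-connectivity-to-azure-ad-connect-health-service; if that heading in how-to-connect-health-agent-install.md was renamed in this same pass, the anchor will no longer resolve, so verify it.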
Azure AD Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Downl
**New preview features:**
-* [Azure AD Connect Health for sync](how-to-connect-health-sync.md).
+* [Microsoft Entra Connect Health for sync](how-to-connect-health-sync.md).
**Fixed issues:**
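Review bot: the November 2015 entry is renamed to "Microsoft Entra Connect Health for sync" with a lowercase "sync", while the June and November 2018 entries in this same change use "for Sync"; use one spelling.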
Azure AD Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Downl
* Support to configure Unauthenticated HTTP Proxy * Support to configure agent on Server core * Improvements to Alerts for AD FS
-* Improvements in Azure AD Connect Health Agent for AD FS for connectivity and data upload.
+* Improvements in Microsoft Entra Connect Health Agent for AD FS for connectivity and data upload.
**Fixed issues:** * Bug fixes in Usage Insights for AD FS Error types. ## June 2015
-**Initial release of Azure AD Connect Health for AD FS and AD FS Proxy.**
+**Initial release of Microsoft Entra Connect Health for AD FS and AD FS Proxy.**
**New features:**
Azure AD Connect Health AD DS and ADFS Health Agents (version 3.2.2256.26, Downl
* Easy access to AD FS topology and patterns in AD FS Performance Counters. * Trend in successful token requests on AD FS servers grouped by Applications, Authentication Methods, Request Network Location etc. * Trends in failed request on AD FS servers grouped by Applications, Error Types etc.
-* Simpler Agent Deployment using Azure AD Global Administrator credentials.
+* Simpler Agent Deployment using Microsoft Entra Global Administrator credentials.
## Next steps Learn more about [Monitor your on-premises identity infrastructure and synchronization services in the cloud](./whatis-azure-ad-connect.md).
active-directory Reference Connect Version History Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-version-history-archive.md
Title: 'Azure AD Connect: Version release history archive'
-description: This article lists all archived releases of Azure AD Connect and Azure AD Sync
+ Title: 'Microsoft Entra Connect: Version release history archive'
+description: This article lists all archived releases of Microsoft Entra Connect and Azure AD Sync
-# Azure AD Connect: Version release history archive
+# Microsoft Entra Connect: Version release history archive
-The Azure Active Directory (Azure AD) team regularly updates Azure AD Connect with new features and functionality. Not all additions are applicable to all audiences.
+The Microsoft Entra team regularly updates Microsoft Entra Connect with new features and functionality. Not all additions are applicable to all audiences.
>[!NOTE]
-> This article contains version reference information about all archived versions of Azure AD - 1.5.42.0 and older. For current releases, see the [Azure AD Connect Version release history](reference-connect-version-history.md)
+> This article contains version reference information about all archived versions of Microsoft Entra ID - 1.5.42.0 and older. For current releases, see the [Microsoft Entra Connect Version release history](reference-connect-version-history.md)
## 1.5.42.0
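Review bot: the + NOTE line now reads "all archived versions of Microsoft Entra ID - 1.5.42.0 and older", but 1.5.42.0 is a Microsoft Entra Connect build number, not a version of the directory service; the original "Azure AD" was already shorthand for Azure AD Connect, so this should read "Microsoft Entra Connect". Keeping "Azure AD Sync" in the description line is correct, since that is the name of the retired predecessor product.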
The Azure Active Directory (Azure AD) team regularly updates Azure AD Connect wi
07/10/2020: Released for download ### Functional changes
-Includes a public preview of the functionality to export the configuration of an existing Azure AD Connect server into a .JSON file. This file can be used when installing a new Azure AD Connect server to create a copy of the original server.
+Includes a public preview of the functionality to export the configuration of an existing Microsoft Entra Connect server into a .JSON file. This file can be used when installing a new Microsoft Entra Connect server to create a copy of the original server.
A detailed description of this new feature can be found in [this article](./how-to-connect-import-export-config.md) ### Fixed issues - Fixed a bug where there would be a false warning about the local DB size on the localized builds during upgrade. - Fixed a bug where there would be a false error in the app events for the account name/domain name swap.-- Fixed an error where Azure AD Connect would fail to install on a DC, giving error "member not found".
+- Fixed an error where Microsoft Entra Connect would fail to install on a DC, giving error "member not found".
## 1.5.30.0
This hotfix build fixes an issue where unselected domains were getting incorrect
>[!NOTE]
->This version includes the new Azure AD Connect sync V2 endpoint API. This new V2 endpoint is currently in public preview. This version or later is required to use the new V2 endpoint API. However, simply installing this version does not enable the V2 endpoint. You will continue to use the V1 endpoint unless you enable the V2 endpoint. You need to follow the steps under [Azure AD Connect sync V2 endpoint API (public preview)](how-to-connect-sync-endpoint-api-v2.md) in order to enable it and opt-in to the public preview.
+>This version includes the new Microsoft Entra Connect Sync V2 endpoint API. This new V2 endpoint is currently in public preview. This version or later is required to use the new V2 endpoint API. However, simply installing this version does not enable the V2 endpoint. You will continue to use the V1 endpoint unless you enable the V2 endpoint. You need to follow the steps under [Microsoft Entra Connect Sync V2 endpoint API (public preview)](how-to-connect-sync-endpoint-api-v2.md) in order to enable it and opt-in to the public preview.
## 1.5.29.0
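Review bot: the rewritten note line in this hunk ("+>This version includes the new Microsoft Entra Connect Sync V2 endpoint API...") still ends with "in order to enable it and opt-in to the public preview"; as a verb this is "opt in" (two words, no hyphen). Since the line is already being replaced for the rename, fix the wording at the same time: "to enable it and opt in to the public preview".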
This hotfix build fixes an issue in build 1.5.20.0 if you've cloned the **In fro
### Functional changes ADSyncAutoUpgrade -- Added support for the mS-DS-ConsistencyGuid feature for group objects. Allows you to move groups between forests or reconnect groups in AD to Azure AD where the AD group objectID has changed. For more information, see [Moving groups between forests](how-to-connect-migrate-groups.md).
+- Added support for the mS-DS-ConsistencyGuid feature for group objects. Allows you to move groups between forests or reconnect groups in AD to Microsoft Entra ID where the AD group objectID has changed. For more information, see [Moving groups between forests](how-to-connect-migrate-groups.md).
- The mS-DS-ConsistencyGuid attribute is automatically set on all synced groups and you don't have to do anything to enable this feature. - Removed the Get-ADSyncRunProfile because it's no longer in use. - Changed the warning you see when attempting to use an Enterprise Admin or Domain Admin account for the AD DS connector account to provide more context.
This hotfix build fixes an issue in build 1.5.20.0 if you've cloned the **In fro
### Fixed issues -- Fixed a bug in the group writeback forest/OU selector on rerunning the Azure AD Connect wizard after disabling the feature.
+- Fixed a bug in the group writeback forest/OU selector on rerunning the Microsoft Entra Connect wizard after disabling the feature.
- Introduced a new error page that will be displayed if the required DCOM registry values are missing with a new help link. Information is also written to log files. -- Fixed an issue with the creation of the Azure Active Directory synchronization account where enabling Directory Extensions or PHS may fail because the account hasn't propagated across all service replicas before attempted use.
+- Fixed an issue with the creation of the Microsoft Entra synchronization account where enabling Directory Extensions or PHS may fail because the account hasn't propagated across all service replicas before attempted use.
- Fixed a bug in the sync errors compression utility that wasn't handling surrogate characters correctly. - Fixed a bug in the auto upgrade that left the server in the scheduler suspended state.
This hotfix build fixes an issue in build 1.5.20.0 if you've cloned the **In fro
### Release status 12/9/2019: Release for download. Not available through auto-upgrade. ### New features and improvements-- We updated Password Hash Sync for Azure AD Domain Services to properly account for padding in Kerberos hashes. Provides a performance improvement during password synchronization from Azure AD to Azure AD Domain Services.
+- We updated Password Hash Sync for Microsoft Entra Domain Services to properly account for padding in Kerberos hashes. Provides a performance improvement during password synchronization from Microsoft Entra ID to Microsoft Entra Domain Services.
- We added support for reliable sessions between the authentication agent and service bus. - We added a DNS cache for websocket connections between authentication agent and cloud services. - We added the ability to target specific agent from cloud to test for agent connectivity. ### Fixed issues-- Release 1.4.18.0 had a bug where the PowerShell cmdlet for DSSO was using the login Windows credentials instead of the admin credentials provided while running ps. As a result of which it wasn't possible to enable DSSO in multiple forest through the Azure AD Connect user interface. -- A fix was made to enable DSSO simultaneously in all forest through the Azure AD Connect user interface
+- Release 1.4.18.0 had a bug where the PowerShell cmdlet for DSSO was using the login Windows credentials instead of the admin credentials provided while running ps. As a result of which it wasn't possible to enable DSSO in multiple forest through the Microsoft Entra Connect user interface.
+- A fix was made to enable DSSO simultaneously in all forest through the Microsoft Entra Connect user interface
## 1.4.32.0 ### Release status 11/08/2019: Released for download. Not available through auto-upgrade. >[!IMPORTANT]
->Due to an internal schema change in this release of Azure AD Connect, if you manage AD FS trust relationship configuration settings using MSOnline PowerShell then you must update your MSOnline PowerShell module to version 1.1.183.57 or higher
+>Due to an internal schema change in this release of Microsoft Entra Connect, if you manage AD FS trust relationship configuration settings using MSOnline PowerShell then you must update your MSOnline PowerShell module to version 1.1.183.57 or higher
### Fixed issues
-This version fixes an issue with existing Hybrid Azure AD joined devices. This release contains a new device sync rule that corrects this issue.
-This rule change may cause deletion of obsolete devices from Azure AD. These device objects aren't used by Azure AD during Conditional Access authorization. For some customers, the number of devices that will be deleted through this rule change can exceed the deletion threshold. If you see the deletion of device objects in Azure AD exceeding the Export Deletion Threshold, it's advised to allow the deletions to go through. [How to allow deletes to flow when they exceed the deletion threshold](how-to-connect-sync-feature-prevent-accidental-deletes.md)
+This version fixes an issue with existing Microsoft Entra hybrid joined devices. This release contains a new device sync rule that corrects this issue.
+This rule change may cause deletion of obsolete devices from Microsoft Entra ID. These device objects aren't used by Microsoft Entra ID during Conditional Access authorization. For some customers, the number of devices that will be deleted through this rule change can exceed the deletion threshold. If you see the deletion of device objects in Microsoft Entra exceeding the Export Deletion Threshold, it's advised to allow the deletions to go through. [How to allow deletes to flow when they exceed the deletion threshold](how-to-connect-sync-feature-prevent-accidental-deletes.md)
## 1.4.25.0
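Review bot: the rewritten lines in this hunk carry over several wording defects that should be fixed while the lines are being touched. The line "+- Release 1.4.18.0 had a bug where the PowerShell cmdlet for DSSO..." still contains the sentence fragment "As a result of which it wasn't possible to enable DSSO in multiple forest"; rewrite it as "As a result, it wasn't possible to enable DSSO in multiple forests". The next line, "+- A fix was made to enable DSSO simultaneously in all forest through the Microsoft Entra Connect user interface", needs "forests" and a terminating period. Further down, "+This rule change may cause deletion of obsolete devices from Microsoft Entra ID..." uses "Microsoft Entra ID" twice and then the bare "Microsoft Entra exceeding the Export Deletion Threshold"; use "Microsoft Entra ID" consistently within the paragraph.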
We fixed a bug in the sync errors compression utility that wasn't handling surro
## 1.4.18.0 >[!WARNING]
->We are investigating an incident where some customers are experiencing an issue with existing Hybrid Azure AD joined devices after upgrading to this version of Azure AD Connect. We advise customers who have deployed Hybrid Azure AD join to postpone upgrading to this version until the root cause of these issues are fully understood and mitigated. More information will be provided as soon as possible.
+>We are investigating an incident where some customers are experiencing an issue with existing Microsoft Entra hybrid joined devices after upgrading to this version of Microsoft Entra Connect. We advise customers who have deployed Microsoft Entra hybrid join to postpone upgrading to this version until the root cause of these issues are fully understood and mitigated. More information will be provided as soon as possible.
>[!IMPORTANT]
->With this version of Azure AD Connect some customers may see some or all of their Windows devices disappear from Azure AD. These device identities aren't used by Azure AD during Conditional Access authorization. For more information, see [Understanding Azure AD Connect 1.4.xx.x device disappearance](/troubleshoot/azure/active-directory/reference-connect-device-disappearance)
+>With this version of Microsoft Entra Connect some customers may see some or all of their Windows devices disappear from Microsoft Entra ID. These device identities aren't used by Microsoft Entra ID during Conditional Access authorization. For more information, see [Understanding Microsoft Entra Connect 1.4.xx.x device disappearance](/troubleshoot/azure/active-directory/reference-connect-device-disappearance)
### Release status
We fixed a bug in the sync errors compression utility that wasn't handling surro
### New features and improvements - New troubleshooting tooling helps troubleshoot "user not syncing", "group not syncing" or "group member not syncing" scenarios.-- Add support for national clouds in Azure AD Connect troubleshooting script.
+- Add support for national clouds in Microsoft Entra Connect troubleshooting script.
- Customers should be informed that the deprecated WMI endpoints for MIIS_Service have now been removed. Any WMI operations should now be done via PS cmdlets. - Security improvement by resetting constrained delegation on AZUREADSSOACC object. - When adding/editing a sync rule, if there are any attributes used in the rule that are in the connector schema, but not added to the connector, the attributes will automatically be added to the connector. The same is true for the object type the rule affects. If anything is added to the connector, the connector will be marked for full import on the next sync cycle.-- Using an Enterprise or Domain admin as the connector account is no longer supported in new Azure AD Connect Deployments. Current Azure AD Connect deployments using an Enterprise or Domain admin as the connector account will not be affected by this release.
+- Using an Enterprise or Domain admin as the connector account is no longer supported in new Microsoft Entra Connect Deployments. Current Microsoft Entra Connect deployments using an Enterprise or Domain admin as the connector account will not be affected by this release.
- In the Synchronization Manager, a full sync is run on rule creation/edit/deletion. A pop-up will appear on any rule change notifying the user if full import or full sync is going to be run. - Added mitigation steps for password errors to 'connectors > properties > connectivity' page.-- Added a deprecation warning for the sync service manager on the connector properties page. This warning notifies the user that changes should be made through the Azure AD Connect wizard.
+- Added a deprecation warning for the sync service manager on the connector properties page. This warning notifies the user that changes should be made through the Microsoft Entra Connect wizard.
- Added new error for issues with a user's password policy. - Prevent misconfiguration of group filtering by domain and OU filters. Group filtering will show an error when the domain/OU of the entered group is already filtered out. Group filtering will keep the user from moving forward until the issue is resolved. - Users can no longer create a connector for Active Directory Domain Services or Windows Azure Active Directory in the Synchronization Service Manager UI. - Fixed accessibility of custom UI controls in the Synchronization Service Manager.-- Enabled six federation management tasks for all sign-in methods in Azure AD Connect. (Previously, only the "Update AD FS TLS/SSL certificate" task was available for all sign-ins.)-- Added a warning when changing the sign-in method from federation to PHS or PTA that all Azure AD domains and users will be converted to managed authentication.-- Removed token-signing certificates from the "Reset Azure AD and AD FS trust" task and added a separate sub-task to update these certificates.
+- Enabled six federation management tasks for all sign-in methods in Microsoft Entra Connect. (Previously, only the "Update AD FS TLS/SSL certificate" task was available for all sign-ins.)
+- Added a warning when changing the sign-in method from federation to PHS or PTA that all Microsoft Entra domains and users will be converted to managed authentication.
+- Removed token-signing certificates from the "Reset Microsoft Entra ID and AD FS trust" task and added a separate sub-task to update these certificates.
- Added a new federation management task called "Manage certificates" which has sub-tasks to update the TLS or token-signing certificates for the AD FS farm. - Added a new federation management sub-task called "Specify primary server" which allows administrators to specify a new primary server for the AD FS farm. - Added a new federation management task called "Manage servers" which has sub-tasks to deploy an AD FS server, deploy a Web Application Proxy server, and specify primary server.
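Review bot: the line "+- Using an Enterprise or Domain admin as the connector account is no longer supported in new Microsoft Entra Connect Deployments" capitalizes "Deployments" in its first sentence but uses lowercase "deployments" in the second ("Current Microsoft Entra Connect deployments..."). Use lowercase in both places while the line is being rewritten for the rename.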
We fixed a bug in the sync errors compression utility that wasn't handling surro
- For Auto upgrade, if any conflicting app is running from 6 hours, kill it and continue with upgrade. - Limit the number of attributes a customer can select to 100 per object when selecting directory extensions. This limit will prevent the error from occurring during export as Azure has a maximum of 100 extension attributes per object. - Fixed a bug to make the AD Connectivity script more robust.-- Fixed a bug to make Azure AD Connect install on a machine using an existing Named Pipes WCF service more robust.
+- Fixed a bug to make Microsoft Entra Connect install on a machine using an existing Named Pipes WCF service more robust.
- Improved diagnostics and troubleshooting around group policies that don't allow the ADSync service to start when initially installed. - Fixed a bug where display name for a Windows computer was written incorrectly. - Fix a bug where OS type for a Windows computer was written incorrectly.-- Fixed a bug where non-Windows 10 computers were syncing unexpectedly. Note that the effect of this change is that non-Windows-10 computers that were previously synced will now be deleted. This does not affect any features as the sync of Windows computers is only used for Hybrid Azure AD domain join, which only works for Windows-10 devices.
+- Fixed a bug where non-Windows 10 computers were syncing unexpectedly. Note that the effect of this change is that non-Windows-10 computers that were previously synced will now be deleted. This does not affect any features as the sync of Windows computers is only used for Hybrid Microsoft Entra domain join, which only works for Windows-10 devices.
- Added several new (internal) cmdlets to the ADSync PowerShell module. ## 1.3.21.0 >[!IMPORTANT]
->There is a known issue with upgrading Azure AD Connect from an earlier version to 1.3.21.0 where the Microsoft 365 portal does not reflect the updated version even though Azure AD Connect upgraded successfully.
+>There is a known issue with upgrading Microsoft Entra Connect from an earlier version to 1.3.21.0 where the Microsoft 365 portal does not reflect the updated version even though Microsoft Entra Connect upgraded successfully.
>
-> To resolve this issue, you need to import the **AdSync** module and then run the `Set-ADSyncDirSyncConfiguration` PowerShell cmdlet on the Azure AD Connect server. You can use the following steps:
+> To resolve this issue, you need to import the **AdSync** module and then run the `Set-ADSyncDirSyncConfiguration` PowerShell cmdlet on the Microsoft Entra Connect server. You can use the following steps:
> >1. Open PowerShell in administrator mode. >2. Run `Import-Module "ADSync"`.
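Review bot: the line "+- Fixed a bug where non-Windows 10 computers were syncing unexpectedly..." renames the feature to "Hybrid Microsoft Entra domain join", whereas the other rewritten lines in this change use "Microsoft Entra hybrid join" (for example "+This version fixes an issue with existing Microsoft Entra hybrid joined devices" in the 1.4.32.0 section and "+>We are investigating an incident where some customers are experiencing an issue with existing Microsoft Entra hybrid joined devices" in 1.4.18.0). Use "Microsoft Entra hybrid join" here as well so the terminology is consistent across the page.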
We fixed a bug in the sync errors compression utility that wasn't handling surro
### Fixed issues -- Fixed an elevation of privilege vulnerability that exists in Microsoft Azure Active Directory Connect build 1.3.20.0. This vulnerability, under certain conditions, may allow an attacker to execute two PowerShell cmdlets in the context of a privileged account, and perform privileged actions. This security update addresses the issue by disabling these cmdlets. For more information, see [security update](https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-1000).
+- Fixed an elevation of privilege vulnerability that exists in Microsoft Entra Connect build 1.3.20.0. This vulnerability, under certain conditions, may allow an attacker to execute two PowerShell cmdlets in the context of a privileged account, and perform privileged actions. This security update addresses the issue by disabling these cmdlets. For more information, see [security update](https://portal.msrc.microsoft.com/security-guidance/advisory/CVE-2019-1000).
## 1.3.20.0
We fixed a bug in the sync errors compression utility that wasn't handling surro
- Upgrade to ADAL 3.19.8 to pick up a WS-Trust fix for Ping and add support for new Azure instances - Modify Group Sync Rules to flow samAccountName, DomainNetbios and DomainFQDN to cloud - needed for claims - Modified Default Sync Rule Handling ΓÇô read more [here](how-to-connect-fix-default-rules.md).-- Added a new agent running as a Windows service. This agent, named ΓÇ£Admin AgentΓÇ¥, enables deeper remote diagnostics of the Azure AD Connect server to help Microsoft Engineers troubleshoot when you open a support case. This agent is not installed and enabled by default. For more information on how to install and enable the agent, see [What is the Azure AD Connect Admin Agent?](whatis-aadc-admin-agent.md).
+- Added a new agent running as a Windows service. This agent, named ΓÇ£Admin AgentΓÇ¥, enables deeper remote diagnostics of the Microsoft Entra Connect server to help Microsoft Engineers troubleshoot when you open a support case. This agent is not installed and enabled by default. For more information on how to install and enable the agent, see [What is the Microsoft Entra Connect Admin Agent?](whatis-aadc-admin-agent.md).
- Updated the End User License Agreement (EULA) -- Added auto upgrade support for deployments that use AD FS as their login type. This also removed the requirement of updating the AD FS Azure AD Relying Party Trust as part of the upgrade process. -- Added an Azure AD trust management task that provides two options: analyze/update trust and reset trust. -- Changed the AD FS Azure AD Relying Party trust behavior so that it always uses the -SupportMultipleDomain switch (includes trust and Azure AD domain updates).
+- Added auto upgrade support for deployments that use AD FS as their login type. This also removed the requirement of updating the AD FS Microsoft Entra ID Relying Party Trust as part of the upgrade process.
+- Added a Microsoft Entra ID trust management task that provides two options: analyze/update trust and reset trust.
+- Changed the AD FS Microsoft Entra ID Relying Party trust behavior so that it always uses the -SupportMultipleDomain switch (includes trust and Microsoft Entra domain updates).
- Changed the install new AD FS farm behavior so that it requires a .pfx certificate by removing the option of using a pre-installed certificate. - Updated the install new AD FS farm workflow so that it only allows deploying 1 AD FS and 1 WAP server. All additional servers will be done after initial installation.
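Review bot: the line "+- Added a new agent running as a Windows service. This agent, named ΓÇ£Admin AgentΓÇ¥, ..." keeps the mis-encoded quotation marks from the line it replaces; since the line is being rewritten anyway, replace them with plain ASCII quotes ("Admin Agent"). In the same hunk, the phrase "AD FS Microsoft Entra ID Relying Party Trust", which appears on both the "+- Added auto upgrade support..." and "+- Changed the AD FS ... Relying Party trust behavior..." lines, reads awkwardly with the product name inserted in the middle of the noun phrase; "Microsoft Entra ID Relying Party Trust in AD FS" would be clearer, and the capitalization of "Trust"/"trust" should match between the two lines.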
We fixed a bug in the sync errors compression utility that wasn't handling surro
- Fix PS Permissions script to refine GWB permissions - Fix VSS Errors with LocalDB - Fix misleading error message when object type is not in scope -- Corrected an issue where installation of Azure AD PowerShell on a server could potentially cause an assembly conflict with Azure AD Connect.
+- Corrected an issue where installation of Azure AD PowerShell on a server could potentially cause an assembly conflict with Microsoft Entra Connect.
- Fixed PHS bug on Staging Server when Connector Credentials are updated in the Synchronization Service Manager UI. - Fixed some memory leaks - Miscellaneous Autoupgrade fixes
We fixed a bug in the sync errors compression utility that wasn't handling surro
### Fixed issues
-This build updates the non-standard connectors (for example, Generic LDAP Connector and Generic SQL Connector) shipped with Azure AD Connect. For more information on applicable connectors, see version 1.1.911.0 in [Connector Version Release History](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history).
+This build updates the non-standard connectors (for example, Generic LDAP Connector and Generic SQL Connector) shipped with Microsoft Entra Connect. For more information on applicable connectors, see version 1.1.911.0 in [Connector Version Release History](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history).
## 1.2.69.0
This hotfix build fixes a regression in the previous build where Password Writeb
### New features and improvements -- Changed the functionality of attribute write-back to ensure hosted voice-mail is working as expected. Under certain scenarios, Azure AD was overwriting the msExchUcVoicemailSettings attribute during write-back with a null value. Azure AD will now no longer clear the on-premises value of this attribute if the cloud value is not set.-- Added diagnostics in the Azure AD Connect wizard to investigate and identify Connectivity issues to Azure AD. These same diagnostics can also be run directly through PowerShell using the Test- AdSyncAzureServiceConnectivity Cmdlet. -- Added diagnostics in the Azure AD Connect wizard to investigate and identify Connectivity issues to AD. These same diagnostics can also be run directly through PowerShell using the Start-ConnectivityValidation function in the ADConnectivityTools PowerShell module. For more information, see [What is the ADConnectivityTool PowerShell Module?](how-to-connect-adconnectivitytools.md)-- Added an AD schema version pre-check for Hybrid Azure Active Directory Join and device write-back
+- Changed the functionality of attribute write-back to ensure hosted voice-mail is working as expected. Under certain scenarios, Microsoft Entra ID was overwriting the msExchUcVoicemailSettings attribute during write-back with a null value. Microsoft Entra ID will now no longer clear the on-premises value of this attribute if the cloud value is not set.
+- Added diagnostics in the Microsoft Entra Connect wizard to investigate and identify Connectivity issues to Microsoft Entra ID. These same diagnostics can also be run directly through PowerShell using the Test- AdSyncAzureServiceConnectivity Cmdlet.
+- Added diagnostics in the Microsoft Entra Connect wizard to investigate and identify Connectivity issues to AD. These same diagnostics can also be run directly through PowerShell using the Start-ConnectivityValidation function in the ADConnectivityTools PowerShell module. For more information, see [What is the ADConnectivityTool PowerShell Module?](how-to-connect-adconnectivitytools.md)
+- Added an AD schema version pre-check for Microsoft Entra hybrid join and device write-back
- Changed the Directory Extension page attribute search to be non-case sensitive.-- Added full support for TLS 1.2. This release supports all other protocols being disabled and only TLS 1.2 being enabled on the machine where Azure AD Connect is installed. For more information, see [TLS 1.2 enforcement for Azure AD Connect](reference-connect-tls-enforcement.md)
+- Added full support for TLS 1.2. This release supports all other protocols being disabled and only TLS 1.2 being enabled on the machine where Microsoft Entra Connect is installed. For more information, see [TLS 1.2 enforcement for Microsoft Entra Connect](reference-connect-tls-enforcement.md)
### Fixed issues -- Fixed a bug where Azure AD Connect Upgrade would fail if SQL Always On was being used.
+- Fixed a bug where Microsoft Entra Connect Upgrade would fail if SQL Always On was being used.
- Fixed a bug to correctly parse OU names that contain a forward slash. - Fixed an issue where Pass-Through Authentication would be disabled for a clean install in staging mode. - Fixed a bug that prevented the PowerShell module to be loaded when running the Troubleshooting tools - Fixed a bug that would block customers from using numeric values in the first character of a host name. -- Fixed a bug where Azure AD Connect would allow invalid partitions and container selection
+- Fixed a bug where Microsoft Entra Connect would allow invalid partitions and container selection
- Fixed the ΓÇ£Invalid PasswordΓÇ¥ error message when Desktop SSO is enabled. - Various Bug fixes for AD FS Trust Management - When configuring Device Writeback - fixed the schema check to look for the msDs-DeviceContainer object class (introduced on WS2012 R2)
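Review bot: the line "+- Added diagnostics in the Microsoft Entra Connect wizard to investigate and identify Connectivity issues to Microsoft Entra ID..." keeps the broken cmdlet name "Test- AdSyncAzureServiceConnectivity" with a space after the hyphen; a reader who copies it into PowerShell will get a parse error rather than the cmdlet. Remove the space and format the name in backticks, as the page already does for `Set-ADSyncDirSyncConfiguration` and `Import-Module "ADSync"` in the 1.3.21.0 section. "Connectivity" and "Cmdlet" on that line and the following one also need no capitalization.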
This hotfix build fixes a regression in the previous build where Password Writeb
### Fixed issues
-Azure AD Connect Upgrade fails if SQL Always On Availability is configured for the ADSync DB. This hotfix addresses this issue and allows Upgrade to succeed.
+Microsoft Entra Connect Upgrade fails if SQL Always On Availability is configured for the ADSync DB. This hotfix addresses this issue and allows Upgrade to succeed.
## 1.1.880.0
Azure AD Connect Upgrade fails if SQL Always On Availability is configured for t
### New features and improvements -- The Ping Federate integration in Azure AD Connect is now available for General Availability. [Learn more about how to federated Azure AD with Ping Federate](./plan-connect-user-signin.md#federation-with-pingfederate)-- Azure AD Connect now creates the backup of Azure AD trust in AD FS every time an update is made and stores it in a separate file for easy restore if required. [Learn more about the new functionality and Azure AD trust management in Azure AD Connect](./how-to-connect-azure-ad-trust.md).
+- The Ping Federate integration in Microsoft Entra Connect is now available for General Availability. [Learn more about how to federated Microsoft Entra ID with Ping Federate](./plan-connect-user-signin.md#federation-with-pingfederate)
+- Microsoft Entra Connect now creates the backup of Microsoft Entra ID trust in AD FS every time an update is made and stores it in a separate file for easy restore if required. [Learn more about the new functionality and Microsoft Entra ID trust management in Microsoft Entra Connect](./how-to-connect-azure-ad-trust.md).
- New troubleshooting tooling helps troubleshoot changing primary email address and hiding account from global address list-- Azure AD Connect was updated to include the latest SQL Server 2012 Native Client
+- Microsoft Entra Connect was updated to include the latest SQL Server 2012 Native Client
- When you switch user sign-in to Password Hash Synchronization or Pass-through Authentication in the "Change user sign-in" task, the Seamless Single Sign-On checkbox is enabled by default. - Added support for Windows Server Essentials 2019-- The Azure AD Connect Health agent was updated to the latest version 3.1.7.0
+- The Microsoft Entra Connect Health agent was updated to the latest version 3.1.7.0
- During an upgrade, if the installer detects changes to the default sync rules, the admin is prompted with a warning before overwriting the modified rules. This will allow the user to take corrective actions and resume later. Old Behavior: If there was any modified out-of-box rule then manual upgrade was overwriting those rules without giving any warning to the user and sync scheduler was disabled without informing user. New Behavior: User will be prompted with warning before overwriting the modified out-of-box sync rules. User will have choice to stop the upgrade process and resume later after taking corrective action. - Provide a better handling of a FIPS compliance issue, providing an error message for MD5 hash generation in a FIPS compliant environment and a link to documentation that provides a work around for this issue. - UI update to improve federation tasks in the wizard, which are now under a separate sub group for federation.
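Review bot: the rewritten line "+- The Ping Federate integration in Microsoft Entra Connect is now available for General Availability..." keeps the grammatical error in the link text "Learn more about how to federated Microsoft Entra ID with Ping Federate"; it should read "how to federate". "Available for General Availability" on the same line is also redundant; "is now generally available" says the same thing.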
Azure AD Connect Upgrade fails if SQL Always On Availability is configured for t
### Fixed issues -- Fixed a bug where the Azure AD Connect server would show high CPU usage after upgrading to .NET 4.7.2
+- Fixed a bug where the Microsoft Entra Connect server would show high CPU usage after upgrading to .NET 4.7.2
- Fixed a bug that would intermittently produce an error message for an auto-resolved SQL deadlock issue - Fixed several accessibility issues for the Sync Rules Editor and the Sync Service Manager -- Fixed a bug where Azure AD Connect can not get registry setting information
+- Fixed a bug where Microsoft Entra Connect can not get registry setting information
- Fixed a bug that created issues when the user goes forward/back in the wizard - Fixed a bug to prevent an error happening due to incorrect multi-thread handing in the wizard-- When Group Sync Filtering page encounters an LDAP error when resolving security groups, Azure AD Connect now returns the exception with full fidelity. The root cause for the referral exception is still unknown and will be addressed by a different bug.
+- When Group Sync Filtering page encounters an LDAP error when resolving security groups, Microsoft Entra Connect now returns the exception with full fidelity. The root cause for the referral exception is still unknown and will be addressed by a different bug.
- Fixed a bug where permissions for STK and NGC keys (ms-DS-KeyCredentialLink attribute on User/Device objects for WHfB) were not correctly set. - Fixed a bug where 'Set-ADSyncRestrictedPermissionsΓÇÖ wasn't called correctly - Adding support for permission granting on Group Writeback in Azure ADConnect's installation wizard
Azure AD Connect Upgrade fails if SQL Always On Availability is configured for t
New features and improvements -- This release includes the public preview of the integration of PingFederate in Azure AD Connect. With this release, customers can easily, and reliably configure their Azure Active Directory environment to leverage PingFederate as their federation provider. To learn more about how to use this new feature, please visit our [online documentation](plan-connect-user-signin.md#federation-with-pingfederate). -- Updated the Azure AD Connect Wizard Troubleshooting Utility, where it now analyzes more error scenarioΓÇÖs, such as Linked Mailboxes and AD Dynamic Groups. Read more about the troubleshooting utility [here](tshoot-connect-objectsync.md).-- Device Writeback configuration is now managed solely within the Azure AD Connect Wizard.
+- This release includes the public preview of the integration of PingFederate in Microsoft Entra Connect. With this release, customers can easily, and reliably configure their Microsoft Entra environment to leverage PingFederate as their federation provider. To learn more about how to use this new feature, please visit our [online documentation](plan-connect-user-signin.md#federation-with-pingfederate).
+- Updated the Microsoft Entra Connect Wizard Troubleshooting Utility, where it now analyzes more error scenarioΓÇÖs, such as Linked Mailboxes and AD Dynamic Groups. Read more about the troubleshooting utility [here](tshoot-connect-objectsync.md).
+- Device Writeback configuration is now managed solely within the Microsoft Entra Connect Wizard.
- A new PowerShell Module called ADSyncTools.psm1 is added that can be used to troubleshoot SQL Connectivity issues and various other troubleshooting utilities. Read more about the ADSyncTools module [here](tshoot-connect-tshoot-sql-connectivity.md). - A new additional task ΓÇ£Configure device optionsΓÇ¥ has been added. You can use the task to configure the following two operations:
- - **Hybrid Azure AD join**: If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory.
+ - **Microsoft Entra hybrid join**: If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Microsoft Entra ID, you can implement Microsoft Entra hybrid joined devices. These are devices that are both, joined to your on-premises Active Directory and your Microsoft Entra ID.
- **Device writeback**: Device writeback is used to enable Conditional Access based on devices to AD FS (2012 R2 or higher) protected devices >[!NOTE]
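Review bot: the + line at L2536 carries the mis-encoded apostrophe and wrong plural `scenarioΓÇÖs` over from the - line; since the sentence is being rewritten anyway, make it `more error scenarios`. The + line at L2540 also keeps two grammar slips from the original: `you also want benefit from` should read `you also want to benefit from`, and `devices that are both, joined to your on-premises Active Directory and your Microsoft Entra ID` should lose the stray comma (`devices that are joined to both your on-premises Active Directory and Microsoft Entra ID`).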
New features and improvements
- This release updates the SQL Server Express installation to SQL Server 2012 SP4, which, among others, provides fixes for several security vulnerabilities. Please see [here](https://support.microsoft.com/help/4018073/sql-server-2012-service-pack-4-release-information) for more information about SQL Server 2012 SP4. - Sync Rule Processing: outbound Join sync rules with no Join Condition should be de-applied if the parent sync rule is no longer applicable - Several accessibility fixes have been applied to the Synchronization Service Manager UI and the Sync Rules Editor-- Azure AD Connect Wizard: Error creating AD Connector account when Azure AD Connect is in a workgroup-- Azure AD Connect Wizard: On the Azure AD Sign-in page display the verification checkbox whenever there is any mismatch in AD domains and Azure AD Verified domains
+- Microsoft Entra Connect Wizard: Error creating AD Connector account when Microsoft Entra Connect is in a workgroup
+- Microsoft Entra Connect Wizard: On the Microsoft Entra Sign-in page display the verification checkbox whenever there is any mismatch in AD domains and Microsoft Entra ID Verified domains
- Auto-upgrade PowerShell fix to set auto upgrade state correctly in certain cases after auto upgrade attempted.-- Azure AD Connect Wizard: Updated telemetry to capture previously missing information-- Azure AD Connect Wizard: The following changes have been made when you use the **Change user sign-in** task to switch from AD FS to Pass-through Authentication:
- - The Pass-through Authentication Agent is installed on the Azure AD Connect server and the Pass-through Authentication feature is enabled, before we convert domain(s) from federated to managed.
+- Microsoft Entra Connect Wizard: Updated telemetry to capture previously missing information
+- Microsoft Entra Connect Wizard: The following changes have been made when you use the **Change user sign-in** task to switch from AD FS to Pass-through Authentication:
+ - The Pass-through Authentication Agent is installed on the Microsoft Entra Connect server and the Pass-through Authentication feature is enabled, before we convert domain(s) from federated to managed.
- Users are no longer converted from federated to managed. Only domain(s) are converted.-- Azure AD Connect Wizard: AD FS Multi Domain Regex is not correct when user UPN has ' special character Regex update to support special characters-- Azure AD Connect Wizard: Remove spurious "Configure source anchor attribute" message when no change -- Azure AD Connect Wizard: AD FS support for the dual federation scenario-- Azure AD Connect Wizard: AD FS Claims aren't updated for added domain when converting a managed domain to federated-- Azure AD Connect Wizard: During detection of installed packages, we find stale Dirsync/Azure AD Sync/Azure AD Connect related products. We will now attempt to uninstall the stale products.-- Azure AD Connect Wizard: Correct Error Message Mapping when installation of passthrough authentication agent fails-- Azure AD Connect Wizard: Removed "Configuration" container from Domain OU Filtering page
+- Microsoft Entra Connect Wizard: AD FS Multi Domain Regex is not correct when user UPN has ' special character Regex update to support special characters
+- Microsoft Entra Connect Wizard: Remove spurious "Configure source anchor attribute" message when no change
+- Microsoft Entra Connect Wizard: AD FS support for the dual federation scenario
+- Microsoft Entra Connect Wizard: AD FS Claims aren't updated for added domain when converting a managed domain to federated
+- Microsoft Entra Connect Wizard: During detection of installed packages, we find stale Dirsync/Azure AD Sync/Azure AD Connect related products. We will now attempt to uninstall the stale products.
+- Microsoft Entra Connect Wizard: Correct Error Message Mapping when installation of passthrough authentication agent fails
+- Microsoft Entra Connect Wizard: Removed "Configuration" container from Domain OU Filtering page
- Sync Engine install: remove unnecessary legacy logic that occasionally failed from Sync Engine install msi-- Azure AD Connect Wizard: Fix pop-up help text on Optional Features page for Password Hash Sync
+- Microsoft Entra Connect Wizard: Fix pop-up help text on Optional Features page for Password Hash Sync
- Sync Engine runtime: Fix the scenario where a CS object has an imported delete and Sync Rules attempt to re-provision the object. - Sync Engine runtime: Add help link for Online connectivity troubleshooting guide to the event log for an Import Error - Sync Engine runtime: Reduced memory usage of Sync Scheduler when enumerating Connectors-- Azure AD Connect Wizard: Fix an issue resolving a custom Sync Service Account which has no AD Read privileges-- Azure AD Connect Wizard: Improve logging of Domain and OU filtering selections-- Azure AD Connect Wizard: AD FS Add default claims to federation trust created for MFA scenario-- Azure AD Connect Wizard: AD FS Deploy WAP: Adding server fails to use new certificate-- Azure AD Connect Wizard: DSSO exception when onPremCredentials aren't initialized for a domain
+- Microsoft Entra Connect Wizard: Fix an issue resolving a custom Sync Service Account which has no AD Read privileges
+- Microsoft Entra Connect Wizard: Improve logging of Domain and OU filtering selections
+- Microsoft Entra Connect Wizard: AD FS Add default claims to federation trust created for MFA scenario
+- Microsoft Entra Connect Wizard: AD FS Deploy WAP: Adding server fails to use new certificate
+- Microsoft Entra Connect Wizard: DSSO exception when onPremCredentials aren't initialized for a domain
- Preferentially flow the AD distinguishedName attribute from the Active User object. - Fixed a cosmetic bug were the Precedence of the first OOB Sync Rule was set to 99 instead of 100
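Review bot: the + line at L2552 is still a run-on with no punctuation between the problem statement and the fix; suggest `AD FS Multi Domain Regex is not correct when user UPN has the ' special character. Regex updated to support special characters`. Also check L2556: `stale Dirsync/Azure AD Sync/Azure AD Connect related products` is the one place in these hunks where `Azure AD Connect` is left unrenamed. If that is deliberate because the list names legacy products, fine, but only `DirSync` and `Azure AD Sync` are the superseded ones; `Microsoft Entra Connect` there would be consistent with the rest of the change.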
New features and improvements
Status 4/12/2018: Released for download only >[!NOTE]
->This release is a hotfix for Azure AD Connect
-### Azure AD Connect sync
+>This release is a hotfix for Microsoft Entra Connect
+<a name='azure-ad-connect-sync'></a>
+
+### Microsoft Entra Connect Sync
#### Fixed issues Corrected an issue were automatic Azure instance discovery for China tenants was occasionally failing.
There was a problem in the configuration retry logic that would result in an Arg
## 1.1.750.0 Status 3/22/2018: Released for auto-upgrade and download. >[!NOTE]
->When the upgrade to this new version completes, it will automatically trigger a full sync and full import for the Azure AD connector and a full sync for the AD connector. Since this may take some time, depending on the size of your Azure AD Connect environment, make sure that you've taken the necessary steps to support this or hold off on upgrading until you've found a convenient moment to do so.
+>When the upgrade to this new version completes, it will automatically trigger a full sync and full import for the Microsoft Entra connector and a full sync for the AD connector. Since this may take some time, depending on the size of your Microsoft Entra Connect environment, make sure that you've taken the necessary steps to support this or hold off on upgrading until you've found a convenient moment to do so.
>[!NOTE]
->ΓÇ£AutoUpgrade functionality was incorrectly disabled for some tenants who deployed builds later than 1.1.524.0. To ensure that your Azure AD Connect instance is still eligible for AutoUpgrade, run the following PowerShell cmdlet:
+>ΓÇ£AutoUpgrade functionality was incorrectly disabled for some tenants who deployed builds later than 1.1.524.0. To ensure that your Microsoft Entra Connect instance is still eligible for AutoUpgrade, run the following PowerShell cmdlet:
ΓÇ£Set-ADSyncAutoUpgrade -AutoupGradeState EnabledΓÇ¥
-### Azure AD Connect
+<a name='azure-ad-connect'></a>
+
+### Microsoft Entra Connect
#### Fixed issues * Set-ADSyncAutoUpgrade cmdlet would previously block Autoupgrade if auto-upgrade state is set to Suspended. This functionality has now changed so it does not block AutoUpgrade of future builds.
-* Changed the **User Sign-in** page option "Password Synchronization" to "Password Hash Synchronization". Azure AD Connect synchronizes password hashes, not passwords, so this aligns with what is actually occurring. For more information, see [Implement password hash synchronization with Azure AD Connect sync](how-to-connect-password-hash-synchronization.md)
+* Changed the **User Sign-in** page option "Password Synchronization" to "Password Hash Synchronization". Microsoft Entra Connect synchronizes password hashes, not passwords, so this aligns with what is actually occurring. For more information, see [Implement password hash synchronization with Microsoft Entra Connect Sync](how-to-connect-password-hash-synchronization.md)
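Review bot: the + line at L2583 keeps the stray mis-encoded opening quote (`>ΓÇ£AutoUpgrade functionality ...`) that has no matching close on that line; the closing `ΓÇ¥` sits on L2584 around the cmdlet, so the sentence should start with `>AutoUpgrade functionality` and the cmdlet on L2584 should be shown in a code span rather than in curly quotes. While L2584 is being touched, the parameter should read `-AutoUpgradeState Enabled`; PowerShell binds parameter names case-insensitively, so `-AutoupGradeState` works, but the page should show the canonical spelling.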
## 1.1.749.0 Status: Released to select customers >[!NOTE]
->When the upgrade to this new version completes, it will automatically trigger a full sync and full import for the Azure AD connector and a full sync for the AD connector. Since this may take some time, depending on the size of your Azure AD Connect environment, please make sure that you've taken the necessary steps to support this or hold off on upgrading until you've found a convenient moment to do so.
-### Azure AD Connect
+>When the upgrade to this new version completes, it will automatically trigger a full sync and full import for the Microsoft Entra connector and a full sync for the AD connector. Since this may take some time, depending on the size of your Microsoft Entra Connect environment, please make sure that you've taken the necessary steps to support this or hold off on upgrading until you've found a convenient moment to do so.
+<a name='azure-ad-connect'></a>
+
+### Microsoft Entra Connect
#### Fixed issues * Fix timing window on background tasks for Partition Filtering page when switching to next page.
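Review bot: the bookmark anchor added at L2596 (`<a name='azure-ad-connect'></a>`) uses the same name as the ones added at L2586, L2629, L2655 and L2666, and L2573 and L2699 likewise both add `azure-ad-connect-sync`. A browser resolves a duplicated `name` to its first occurrence only, so deep links meant for the later release sections all land on the first one. The repeated `### Azure AD Connect` headings being removed would not have shared one id (renderers presumably suffixed the later ones), and those suffixed ids are the bookmarks that need preserving; suggest giving each anchor the old suffixed id, or noting in the commit that only the first bookmark per name is kept.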
Status: Released to select customers
* Fixed a bug where certificates with SAN wildcards failed a prerequisite check.
-* Fixed a bug which causes miiserver.exe to crash during an Azure AD connector export.
+* Fixed a bug which causes miiserver.exe to crash during a Microsoft Entra connector export.
-* Fixed a bug which bad password attempt logged on DC when running the Azure AD Connect wizard to change configuration.
+* Fixed a bug which bad password attempt logged on DC when running the Microsoft Entra Connect wizard to change configuration.
#### New features and improvements
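Review bot: the + line at L2605 preserves a grammar error from the original: `Fixed a bug which bad password attempt logged on DC` has no verb for the bug; suggest `Fixed a bug that caused a bad password attempt to be logged on the DC when running the Microsoft Entra Connect wizard to change configuration`. This is more than cosmetic, because readers triage failed-logon events on domain controllers as possible credential attacks, and the sentence should state plainly that the wizard itself was the source.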
Status: Released to select customers
* application telemetry - admin can switch this class of data on/off at will
-* Azure AD Health data - admin must visit the health portal to control their health settings.
+* Microsoft Entra Health data - admin must visit the health portal to control their health settings.
Once the service policy has been changed, the agents will read and enforce it. * Added device write-back configuration actions and a progress bar for page initialization
Status: Released to select customers
The changes will take care of following: 1. Express Installations 2. Custom Installations with Auto-Create account
-3. Changed the installer so it doesn't require SA privilege on clean install of Azure AD Connect
+3. Changed the installer so it doesn't require SA privilege on clean install of Microsoft Entra Connect
-* Added a new utility to troubleshoot synchronization issues for a specific object. It is available under 'Troubleshoot Object Synchronization' option of Azure AD Connect Wizard Troubleshoot Additional Task. Currently, the utility checks for the following:
+* Added a new utility to troubleshoot synchronization issues for a specific object. It is available under 'Troubleshoot Object Synchronization' option of Microsoft Entra Connect Wizard Troubleshoot Additional Task. Currently, the utility checks for the following:
- * UserPrincipalName mismatch between synchronized user object and the user account in Azure AD Tenant.
+ * UserPrincipalName mismatch between synchronized user object and the user account in Microsoft Entra tenant.
* If the object is filtered from synchronization due to domain filtering * If the object is filtered from synchronization due to organizational unit (OU) filtering * Added a new utility to synchronize the current password hash stored in the on-premises Active Directory for a specific user account.
-The utility does not require a password change. It is available under 'Troubleshoot Password Hash Synchronization' option of Azure AD Connect Wizard Troubleshoot Additional Task.
+The utility does not require a password change. It is available under 'Troubleshoot Password Hash Synchronization' option of Microsoft Entra Connect Wizard Troubleshoot Additional Task.
The utility does not require a password change. It is available under 'Troublesh
Status: December 12th, 2017 >[!NOTE]
->This release is a security related hotfix for Azure AD Connect
-### Azure AD Connect
-An improvement has been added to Azure AD Connect version 1.1.654.0 (and after) to ensure that the recommended permission changes described under section [Lock down access to the AD DS account](#lock) are automatically applied when Azure AD Connect creates the AD DS account.
+>This release is a security related hotfix for Microsoft Entra Connect
+<a name='azure-ad-connect'></a>
+
+### Microsoft Entra Connect
+An improvement has been added to Microsoft Entra Connect version 1.1.654.0 (and after) to ensure that the recommended permission changes described under section [Lock down access to the AD DS account](#lock) are automatically applied when Microsoft Entra Connect creates the AD DS account.
-- When setting up Azure AD Connect, the installing administrator can either provide an existing AD DS account, or let Azure AD Connect automatically create the account. The permission changes are automatically applied to the AD DS account that is created by Azure AD Connect during setup. They aren't applied to existing AD DS account provided by the installing administrator.-- For customers who have upgraded from an older version of Azure AD Connect to 1.1.654.0 (or after), the permission changes will not be retroactively applied to existing AD DS accounts created prior to the upgrade. They will only be applied to new AD DS accounts created after the upgrade. This occurs when you are adding new AD forests to be synchronized to Azure AD.
+- When setting up Microsoft Entra Connect, the installing administrator can either provide an existing AD DS account, or let Microsoft Entra Connect automatically create the account. The permission changes are automatically applied to the AD DS account that is created by Microsoft Entra Connect during setup. They aren't applied to existing AD DS account provided by the installing administrator.
+- For customers who have upgraded from an older version of Microsoft Entra Connect to 1.1.654.0 (or after), the permission changes will not be retroactively applied to existing AD DS accounts created prior to the upgrade. They will only be applied to new AD DS accounts created after the upgrade. This occurs when you are adding new AD forests to be synchronized to Microsoft Entra ID.
>[!NOTE]
->This release only removes the vulnerability for new installations of Azure AD Connect where the service account is created by the installation process. For existing installations, or in cases where you provide the account yourself, you should ensure that this vulnerability does not exist.
+>This release only removes the vulnerability for new installations of Microsoft Entra Connect where the service account is created by the installation process. For existing installations, or in cases where you provide the account yourself, you should ensure that this vulnerability does not exist.
#### <a name="lock"></a> Lock down access to the AD DS account Lock down access to the AD DS account by implementing the following permission changes in the on-premises AD:
Allow | Authenticated Users | Read Permissions | This object |
#### PowerShell script to tighten a pre-existing service account
-To use the PowerShell script, to apply these settings, to a pre-existing AD DS account, (ether provided by your organization or created by a previous installation of Azure AD Connect, please download the script from the provided link above.
+To use the PowerShell script, to apply these settings, to a pre-existing AD DS account, (ether provided by your organization or created by a previous installation of Microsoft Entra Connect, please download the script from the provided link above.
##### Usage:
Set-ADSyncRestrictedPermissions -ObjectDN "CN=TestAccount1,CN=Users,DC=bvtadwbac
``` ### Was this vulnerability used to gain unauthorized access?
-To see if this vulnerability was used to compromise your Azure AD Connect configuration you should verify the last password reset date of the service account. If the timestamp in unexpected, further investigation, via the event log, for that password reset event, should be undertaken.
+To see if this vulnerability was used to compromise your Microsoft Entra Connect configuration you should verify the last password reset date of the service account. If the timestamp in unexpected, further investigation, via the event log, for that password reset event, should be undertaken.
For more information, see [Microsoft Security Advisory 4056318](/security-updates/securityadvisories/2017/4056318)
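Review bot: the + line at L2643 carries over two defects: `ether` should be `either`, and the parenthesis opened at `(ether provided by your organization` is never closed; suggest `(either provided by your organization or created by a previous installation of Microsoft Entra Connect)`. The + line at L2648 has `If the timestamp in unexpected`, which should be `If the timestamp is unexpected`. Since this section is the remediation and detection guidance for Security Advisory 4056318 (L2649), these sentences deserve a careful read; L2634 also reads `They aren't applied to existing AD DS account`, which needs `an existing AD DS account`.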
For more information, see [Microsoft Security Advisory 4056318](/security-update
Status: October 27 2017 >[!NOTE]
->This build is not available to customers through the Azure AD Connect Auto Upgrade feature.
-### Azure AD Connect
+>This build is not available to customers through the Microsoft Entra Connect Auto Upgrade feature.
+<a name='azure-ad-connect'></a>
+
+### Microsoft Entra Connect
#### Fixed issue
-* Fixed a version compatibility issue between Azure AD Connect and Azure AD Connect Health Agent (for sync). This issue affects customers who are performing Azure AD Connect in-place upgrade to version 1.1.647.0, but currently has Health Agent version 3.0.127.0. After the upgrade, the Health Agent can no longer send health data about Azure AD Connect Synchronization Service to Azure AD Health Service. With this fix, Health Agent version 3.0.129.0 is installed during Azure AD Connect in-place upgrade. Health Agent version 3.0.129.0 does not have compatibility issue with Azure AD Connect version 1.1.649.0.
+* Fixed a version compatibility issue between Microsoft Entra Connect and Microsoft Entra Connect Health Agent (for sync). This issue affects customers who are performing Microsoft Entra Connect in-place upgrade to version 1.1.647.0, but currently has Health Agent version 3.0.127.0. After the upgrade, the Health Agent can no longer send health data about Microsoft Entra Connect Synchronization Service to Microsoft Entra Health Service. With this fix, Health Agent version 3.0.129.0 is installed during Microsoft Entra Connect in-place upgrade. Health Agent version 3.0.129.0 does not have compatibility issue with Microsoft Entra Connect version 1.1.649.0.
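Review bot: the + line at L2660 keeps two agreement errors: `customers who ... currently has Health Agent version 3.0.127.0` should be `currently have`, and `does not have compatibility issue` should be `does not have a compatibility issue`.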
## 1.1.647.0 Status: October 19 2017 > [!IMPORTANT]
-> There is a known compatibility issue between Azure AD Connect version 1.1.647.0 and Azure AD Connect Health Agent (for sync) version 3.0.127.0. This issue prevents the Health Agent from sending health data about the Azure AD Connect Synchronization Service (including object synchronization errors and run history data) to Azure AD Health Service. Before manually upgrading your Azure AD Connect deployment to version 1.1.647.0, please verify the current version of Azure AD Connect Health Agent installed on your Azure AD Connect server. You can do so by going to *Control Panel → Add Remove Programs* and look for application *Microsoft Azure AD Connect Health Agent for Sync*. If its version is 3.0.127.0, it's recommended that you wait for the next Azure AD Connect version to be available before upgrade. If the Health Agent version isn't 3.0.127.0, it's fine to proceed with the manual, in-place upgrade. This issue does not affect swing upgrade or customers who are performing new installation of Azure AD Connect.
+> There is a known compatibility issue between Microsoft Entra Connect version 1.1.647.0 and Microsoft Entra Connect Health Agent (for sync) version 3.0.127.0. This issue prevents the Health Agent from sending health data about the Microsoft Entra Connect Synchronization Service (including object synchronization errors and run history data) to Microsoft Entra Health Service. Before manually upgrading your Microsoft Entra Connect deployment to version 1.1.647.0, please verify the current version of Microsoft Entra Connect Health Agent installed on your Microsoft Entra Connect server. You can do so by going to *Control Panel → Add Remove Programs* and look for application *Microsoft Entra Connect Health Agent for Sync*. If its version is 3.0.127.0, it's recommended that you wait for the next Microsoft Entra Connect version to be available before upgrade. If the Health Agent version isn't 3.0.127.0, it's fine to proceed with the manual, in-place upgrade. This issue does not affect swing upgrade or customers who are performing new installation of Microsoft Entra Connect.
> >
-### Azure AD Connect
+<a name='azure-ad-connect'></a>
+
+### Microsoft Entra Connect
#### Fixed issues
-* Fixed an issue with the *Change user sign-in* task in Azure AD Connect wizard:
+* Fixed an issue with the *Change user sign-in* task in Microsoft Entra Connect wizard:
- * The issue occurs when you've an existing Azure AD Connect deployment with Password Synchronization **enabled**, and you are trying to set the user sign-in method as *Pass-through Authentication*. Before the change is applied, the wizard incorrectly shows the "*Disable Password Synchronization*" prompt. However, Password Synchronization remains enabled after the change is applied. With this fix, the wizard no longer shows the prompt.
+ * The issue occurs when you've an existing Microsoft Entra Connect deployment with Password Synchronization **enabled**, and you are trying to set the user sign-in method as *Pass-through Authentication*. Before the change is applied, the wizard incorrectly shows the "*Disable Password Synchronization*" prompt. However, Password Synchronization remains enabled after the change is applied. With this fix, the wizard no longer shows the prompt.
* By design, the wizard does not disable Password Synchronization when you update the user sign-in method using the *Change user sign-in* task. This is to avoid disruption to customers who want to keep Password Synchronization, even though they are enabling Pass-through Authentication or federation as their primary user sign-in method. * If you wish to disable Password Synchronization after updating the user sign-in method, you must execute the *Customize Synchronization Configuration* task in the wizard. When you navigate to the *Optional features* page, uncheck the *Password Synchronization* option.
- * Note that the same issue also occurs if you try to enable/disable Seamless Single Sign-On. Specifically, you've an existing Azure AD Connect deployment with Password Synchronization enabled and the user sign-in method is already configured as *Pass-through Authentication*. Using the *Change user sign-in* task, you try to check/uncheck the *Enable Seamless Single Sign-On* option while the user sign-in method remains configured as "Pass-through Authentication". Before the change is applied, the wizard incorrectly shows the "*Disable Password Synchronization*" prompt. However, Password Synchronization remains enabled after the change is applied. With this fix, the wizard no longer shows the prompt.
+ * Note that the same issue also occurs if you try to enable/disable Seamless Single Sign-On. Specifically, you've an existing Microsoft Entra Connect deployment with Password Synchronization enabled and the user sign-in method is already configured as *Pass-through Authentication*. Using the *Change user sign-in* task, you try to check/uncheck the *Enable Seamless Single Sign-On* option while the user sign-in method remains configured as "Pass-through Authentication". Before the change is applied, the wizard incorrectly shows the "*Disable Password Synchronization*" prompt. However, Password Synchronization remains enabled after the change is applied. With this fix, the wizard no longer shows the prompt.
-* Fixed an issue with the *Change user sign-in* task in Azure AD Connect wizard:
+* Fixed an issue with the *Change user sign-in* task in Microsoft Entra Connect wizard:
- * The issue occurs when you've an existing Azure AD Connect deployment with Password Synchronization **disabled**, and you are trying to set the user sign-in method as *Pass-through Authentication*. When the change is applied, the wizard enables both Pass-through Authentication and Password Synchronization. With this fix, the wizard no longer enables Password Synchronization.
+ * The issue occurs when you've an existing Microsoft Entra Connect deployment with Password Synchronization **disabled**, and you are trying to set the user sign-in method as *Pass-through Authentication*. When the change is applied, the wizard enables both Pass-through Authentication and Password Synchronization. With this fix, the wizard no longer enables Password Synchronization.
- * Previously, Password Synchronization was a pre-requisite for enabling Pass-through Authentication. When you set the user sign-in method as *Pass-through Authentication*, the wizard would enable both Pass-through Authentication and Password Synchronization. Recently, Password Synchronization was removed as a pre-requisite. As part of Azure AD Connect version 1.1.557.0, a change was made to Azure AD Connect to not enable Password Synchronization when you set the user sign-in method as *Pass-through Authentication*. However, the change was only applied to Azure AD Connect installation. With this fix, the same change is also applied to the *Change user sign-in* task.
+ * Previously, Password Synchronization was a pre-requisite for enabling Pass-through Authentication. When you set the user sign-in method as *Pass-through Authentication*, the wizard would enable both Pass-through Authentication and Password Synchronization. Recently, Password Synchronization was removed as a pre-requisite. As part of Microsoft Entra Connect version 1.1.557.0, a change was made to Microsoft Entra Connect to not enable Password Synchronization when you set the user sign-in method as *Pass-through Authentication*. However, the change was only applied to Microsoft Entra Connect installation. With this fix, the same change is also applied to the *Change user sign-in* task.
- * Note that the same issue also occurs if you try to enable/disable Seamless Single Sign-On. Specifically, you've an existing Azure AD Connect deployment with Password Synchronization disabled and the user sign-in method is already configured as *Pass-through Authentication*. Using the *Change user sign-in* task, you try to check/uncheck the *Enable Seamless Single Sign-On* option while the user sign-in method remains configured as "Pass-through Authentication". When the change is applied, the wizard enables Password Synchronization. With this fix, the wizard no longer enables Password Synchronization.
+ * Note that the same issue also occurs if you try to enable/disable Seamless Single Sign-On. Specifically, you've an existing Microsoft Entra Connect deployment with Password Synchronization disabled and the user sign-in method is already configured as *Pass-through Authentication*. Using the *Change user sign-in* task, you try to check/uncheck the *Enable Seamless Single Sign-On* option while the user sign-in method remains configured as "Pass-through Authentication". When the change is applied, the wizard enables Password Synchronization. With this fix, the wizard no longer enables Password Synchronization.
-* Fixed an issue that caused Azure AD Connect upgrade to fail with error "*Unable to upgrade the Synchronization Service*". Further, the Synchronization Service can no longer start with event error "*The service was unable to start because the version of the database is newer than the version of the binaries installed*". The issue occurs when the administrator performing the upgrade does not have sysadmin privilege to the SQL server that is being used by Azure AD Connect. With this fix, Azure AD Connect only requires the administrator to have db_owner privilege to the ADSync database during upgrade.
+* Fixed an issue that caused Microsoft Entra Connect upgrade to fail with error "*Unable to upgrade the Synchronization Service*". Further, the Synchronization Service can no longer start with event error "*The service was unable to start because the version of the database is newer than the version of the binaries installed*". The issue occurs when the administrator performing the upgrade does not have sysadmin privilege to the SQL server that is being used by Microsoft Entra Connect. With this fix, Microsoft Entra Connect only requires the administrator to have db_owner privilege to the ADSync database during upgrade.
-* Fixed an Azure AD Connect Upgrade issue that affected customers who have enabled [Seamless Single Sign-On](./how-to-connect-sso.md). After Azure AD Connect is upgraded, Seamless Single Sign-On incorrectly appears as disabled in Azure AD Connect wizard, even though the feature remains enabled and fully functional. With this fix, the feature now appears correctly as enabled in the wizard.
+* Fixed a Microsoft Entra Connect Upgrade issue that affected customers who have enabled [Seamless Single Sign-On](./how-to-connect-sso.md). After Microsoft Entra Connect is upgraded, Seamless Single Sign-On incorrectly appears as disabled in Microsoft Entra Connect wizard, even though the feature remains enabled and fully functional. With this fix, the feature now appears correctly as enabled in the wizard.
-* Fixed an issue that caused Azure AD Connect wizard to always show the ΓÇ£*Configure Source Anchor*ΓÇ¥ prompt on the *Ready to Configure* page, even if no changes related to Source Anchor were made.
+* Fixed an issue that caused Microsoft Entra Connect wizard to always show the ΓÇ£*Configure Source Anchor*ΓÇ¥ prompt on the *Ready to Configure* page, even if no changes related to Source Anchor were made.
-* When performing manual in-place upgrade of Azure AD Connect, the customer is required to provide the Global Administrator credentials of the corresponding Azure AD tenant. Previously, upgrade could proceed even though the Global Administrator's credentials belonged to a different Azure AD tenant. While upgrade appears to complete successfully, certain configurations aren't correctly persisted with the upgrade. With this change, the wizard prevents the upgrade from proceeding if the credentials provided don't match the Azure AD tenant.
+* When performing manual in-place upgrade of Microsoft Entra Connect, the customer is required to provide the Global Administrator credentials of the corresponding Microsoft Entra tenant. Previously, upgrade could proceed even though the Global Administrator's credentials belonged to a different Microsoft Entra tenant. While upgrade appears to complete successfully, certain configurations aren't correctly persisted with the upgrade. With this change, the wizard prevents the upgrade from proceeding if the credentials provided don't match the Microsoft Entra tenant.
-* Removed redundant logic that unnecessarily restarted Azure AD Connect Health service at the beginning of a manual upgrade.
+* Removed redundant logic that unnecessarily restarted Microsoft Entra Connect Health service at the beginning of a manual upgrade.
#### New features and improvements
-* Added logic to simplify the steps required to set up Azure AD Connect with Microsoft Germany Cloud. Previously, you are required to update specific registry keys on the Azure AD Connect server for it to work correctly with Microsoft Germany Cloud, as described in this article. Now, Azure AD Connect can automatically detect if your tenant is in Microsoft Germany Cloud based on the Hybrid Identity Administrator credentials provided during setup.
+* Added logic to simplify the steps required to set up Microsoft Entra Connect with Microsoft Germany Cloud. Previously, you are required to update specific registry keys on the Microsoft Entra Connect server for it to work correctly with Microsoft Germany Cloud, as described in this article. Now, Microsoft Entra Connect can automatically detect if your tenant is in Microsoft Germany Cloud based on the Hybrid Identity Administrator credentials provided during setup.
+
+<a name='azure-ad-connect-sync'></a>
-### Azure AD Connect Sync
+### Microsoft Entra Connect Sync
> [!NOTE]
-> Note: The Synchronization Service has a WMI interface that lets you develop your own custom scheduler. This interface is now deprecated and will be removed from future versions of Azure AD Connect shipped after June 30, 2018. Customers who want to customize synchronization schedule should use the [built-in scheduler](./how-to-connect-sync-feature-scheduler.md).
+> Note: The Synchronization Service has a WMI interface that lets you develop your own custom scheduler. This interface is now deprecated and will be removed from future versions of Microsoft Entra Connect shipped after June 30, 2018. Customers who want to customize synchronization schedule should use the [built-in scheduler](./how-to-connect-sync-feature-scheduler.md).
#### Fixed issues
-* When Azure AD Connect wizard creates the AD Connector account required to synchronize changes from on-premises Active Directory, it does not correctly assign the account the permission required to read PublicFolder objects. This issue affects both Express installation and Custom installation. This change fixes the issue.
+* When Microsoft Entra Connect wizard creates the AD Connector account required to synchronize changes from on-premises Active Directory, it does not correctly assign the account the permission required to read PublicFolder objects. This issue affects both Express installation and Custom installation. This change fixes the issue.
-* Fixed an issue that caused the Azure AD Connect Wizard troubleshooting page to not render correctly for administrators running from Windows Server 2016.
+* Fixed an issue that caused the Microsoft Entra Connect Wizard troubleshooting page to not render correctly for administrators running from Windows Server 2016.
#### New features and improvements
-* When troubleshooting Password Synchronization using the Azure AD Connect wizard troubleshooting page, the troubleshooting page now returns domain-specific status.
+* When troubleshooting Password Synchronization using the Microsoft Entra Connect wizard troubleshooting page, the troubleshooting page now returns domain-specific status.
-* Previously, if you tried to enable Password Hash Synchronization, Azure AD Connect does not verify whether the AD Connector account has required permissions to synchronize password hashes from on-premises AD. Now, Azure AD Connect wizard will verify and warn you if the AD Connector account does not have sufficient permissions.
+* Previously, if you tried to enable Password Hash Synchronization, Microsoft Entra Connect does not verify whether the AD Connector account has required permissions to synchronize password hashes from on-premises AD. Now, Microsoft Entra Connect wizard will verify and warn you if the AD Connector account does not have sufficient permissions.
### AD FS Management #### Fixed issue
-* Fixed an issue related to the use of [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature. This issue affects customers who have configured *Federation with AD FS* as the user sign-in method. When you execute *Configure Source Anchor* task in the wizard, Azure AD Connect switches to using *ms-DS-ConsistencyGuid as source attribute for immutableId. As part of this change, Azure AD Connect attempts to update the claim rules for ImmutableId in AD FS. However, this step failed because Azure AD Connect didn't have the administrator credentials required to configure AD FS. With this fix, Azure AD Connect now prompts you to enter the administrator credentials for AD FS when you execute the *Configure Source Anchor* task.
+* Fixed an issue related to the use of [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature. This issue affects customers who have configured *Federation with AD FS* as the user sign-in method. When you execute *Configure Source Anchor* task in the wizard, Microsoft Entra Connect switches to using *ms-DS-ConsistencyGuid as source attribute for immutableId. As part of this change, Microsoft Entra Connect attempts to update the claim rules for ImmutableId in AD FS. However, this step failed because Microsoft Entra Connect didn't have the administrator credentials required to configure AD FS. With this fix, Microsoft Entra Connect now prompts you to enter the administrator credentials for AD FS when you execute the *Configure Source Anchor* task.
## 1.1.614.0 Status: September 05 2017
-### Azure AD Connect
+<a name='azure-ad-connect'></a>
+
+### Microsoft Entra Connect
#### Known issues
-* There is a known issue that is causing Azure AD Connect upgrade to fail with error "*Unable to upgrade the Synchronization Service*". Further, the Synchronization Service can no longer start with event error "*The service was unable to start because the version of the database is newer than the version of the binaries installed*". The issue occurs when the administrator performing the upgrade does not have sysadmin privilege to the SQL server that is being used by Azure AD Connect. Dbo permissions aren't sufficient.
+* There is a known issue that is causing Microsoft Entra Connect upgrade to fail with error "*Unable to upgrade the Synchronization Service*". Further, the Synchronization Service can no longer start with event error "*The service was unable to start because the version of the database is newer than the version of the binaries installed*". The issue occurs when the administrator performing the upgrade does not have sysadmin privilege to the SQL server that is being used by Microsoft Entra Connect. Dbo permissions aren't sufficient.
-* There is a known issue with Azure AD Connect Upgrade that is affecting customers who have enabled [Seamless Single Sign-On](how-to-connect-sso.md). After Azure AD Connect is upgraded, the feature appears as disabled in the wizard, even though the feature remains enabled. A fix for this issue will be provided in future release. Customers who are concerned about this display issue can manually fix it by enabling Seamless Single Sign-On in the wizard.
+* There is a known issue with Microsoft Entra Connect Upgrade that is affecting customers who have enabled [Seamless Single Sign-On](how-to-connect-sso.md). After Microsoft Entra Connect is upgraded, the feature appears as disabled in the wizard, even though the feature remains enabled. A fix for this issue will be provided in future release. Customers who are concerned about this display issue can manually fix it by enabling Seamless Single Sign-On in the wizard.
#### Fixed issues
-* Fixed an issue that prevented Azure AD Connect from updating the claims rules in on-premises AD FS while enabling the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature. The issue occurs if you try to enable the feature for an existing Azure AD Connect deployment that has AD FS configured as the sign-in method. The issue occurs because the wizard does not prompt for ADFS credentials before trying to update the claims rules in AD FS.
-* Fixed an issue that caused Azure AD Connect to fail installation if the on-premises AD forest has NTLM disabled. The issue is due to Azure AD Connect wizard not providing fully qualified credentials when creating the security contexts required for Kerberos authentication. This causes Kerberos authentication to fail and Azure AD Connect wizard to fall back to using NTLM.
+* Fixed an issue that prevented Microsoft Entra Connect from updating the claims rules in on-premises AD FS while enabling the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature. The issue occurs if you try to enable the feature for an existing Microsoft Entra Connect deployment that has AD FS configured as the sign-in method. The issue occurs because the wizard does not prompt for ADFS credentials before trying to update the claims rules in AD FS.
+* Fixed an issue that caused Microsoft Entra Connect to fail installation if the on-premises AD forest has NTLM disabled. The issue is due to Microsoft Entra Connect wizard not providing fully qualified credentials when creating the security contexts required for Kerberos authentication. This causes Kerberos authentication to fail and Microsoft Entra Connect wizard to fall back to using NTLM.
+
+<a name='azure-ad-connect-sync'></a>
-### Azure AD Connect Sync
+### Microsoft Entra Connect Sync
#### Fixed issues * Fixed an issue where new synchronization rule cannot be created if the Tag attribute isnΓÇÖt populated.
-* Fixed an issue that caused Azure AD Connect to connect to on-premises AD for Password Synchronization using NTLM, even though Kerberos is available. This issue occurs if the on-premises AD topology has one or more domain controllers that were restored from a backup.
+* Fixed an issue that caused Microsoft Entra Connect to connect to on-premises AD for Password Synchronization using NTLM, even though Kerberos is available. This issue occurs if the on-premises AD topology has one or more domain controllers that were restored from a backup.
* Fixed an issue that caused full synchronization steps to occur unnecessarily after upgrade. In general, running full synchronization steps is required after upgrade if there are changes to out-of-box synchronization rules. The issue was due to an error in the change detection logic that incorrectly detected a change when encountering synchronization rule expression with newline characters. Newline characters are inserted into sync rule expression to improve readability.
-* Fixed an issue that can cause the Azure AD Connect server to not work correctly after Automatic Upgrade. This issue affects Azure AD Connect servers with version 1.1.443.0 (or earlier). For details about the issue, refer to article [Azure AD Connect is not working correctly after an automatic upgrade](https://support.microsoft.com/help/4038479/azure-ad-connect-is-not-working-correctly-after-an-automatic-upgrade).
+* Fixed an issue that can cause the Microsoft Entra Connect server to not work correctly after Automatic Upgrade. This issue affects Microsoft Entra Connect servers with version 1.1.443.0 (or earlier). For details about the issue, refer to article [Microsoft Entra Connect is not working correctly after an automatic upgrade](https://support.microsoft.com/help/4038479/azure-ad-connect-is-not-working-correctly-after-an-automatic-upgrade).
* Fixed an issue that can cause Automatic Upgrade to be retried every 5 minutes when errors are encountered. With the fix, Automatic Upgrade retries with exponential back-off when errors are encountered. * Fixed an issue where password synchronization event 611 is incorrectly shown in Windows Application Event logs as **informational** instead of **error**. Event 611 is generated whenever password synchronization encounters an issue.
-* Fixed an issue in the Azure AD Connect wizard that allows Group writeback feature to be enabled without selecting an OU required for Group writeback.
+* Fixed an issue in the Microsoft Entra Connect wizard that allows Group writeback feature to be enabled without selecting an OU required for Group writeback.
#### New features and improvements
-* Added a Troubleshoot task to Azure AD Connect wizard under Additional Tasks. Customers can leverage this task to troubleshoot issues related to password synchronization and collect general diagnostics. In the future, the Troubleshoot task will be extended to include other directory synchronization-related issues.
-* Azure AD Connect now supports a new installation mode called **Use Existing Database**. This installation mode allows customers to install Azure AD Connect that specifies an existing ADSync database. For more information about this feature, refer to article [Use an existing database](how-to-connect-install-existing-database.md).
-* For improved security, Azure AD Connect now defaults to using TLS1.2 to connect to Azure AD for directory synchronization. Previously, the default was TLS1.0.
-* When Azure AD Connect Password Synchronization Agent starts up, it tries to connect to Azure AD well-known endpoint for password synchronization. Upon successful connection, it's redirected to a region-specific endpoint. Previously, the Password Synchronization Agent caches the region-specific endpoint until it's restarted. Now, the agent clears the cache and retries with the well-known endpoint if it encounters connection issue with the region-specific endpoint. This change ensures that password synchronization can failover to a different region-specific endpoint when the cached region-specific endpoint is no longer available.
-* To synchronize changes from an on-premises AD forest, an AD DS account is required. You can either (i) create the AD DS account yourself and provide its credential to Azure AD Connect, or (ii) provide an Enterprise Admin's credentials and let Azure AD Connect create the AD DS account for you. Previously, (i) is the default option in the Azure AD Connect wizard. Now, (ii) is the default option.
+* Added a Troubleshoot task to Microsoft Entra Connect wizard under Additional Tasks. Customers can leverage this task to troubleshoot issues related to password synchronization and collect general diagnostics. In the future, the Troubleshoot task will be extended to include other directory synchronization-related issues.
+* Microsoft Entra Connect now supports a new installation mode called **Use Existing Database**. This installation mode allows customers to install Microsoft Entra Connect that specifies an existing ADSync database. For more information about this feature, refer to article [Use an existing database](how-to-connect-install-existing-database.md).
+* For improved security, Microsoft Entra Connect now defaults to using TLS1.2 to connect to Microsoft Entra ID for directory synchronization. Previously, the default was TLS1.0.
+* When Microsoft Entra Connect Password Synchronization Agent starts up, it tries to connect to Microsoft Entra well-known endpoint for password synchronization. Upon successful connection, it's redirected to a region-specific endpoint. Previously, the Password Synchronization Agent caches the region-specific endpoint until it's restarted. Now, the agent clears the cache and retries with the well-known endpoint if it encounters connection issue with the region-specific endpoint. This change ensures that password synchronization can failover to a different region-specific endpoint when the cached region-specific endpoint is no longer available.
+* To synchronize changes from an on-premises AD forest, an AD DS account is required. You can either (i) create the AD DS account yourself and provide its credential to Microsoft Entra Connect, or (ii) provide an Enterprise Admin's credentials and let Microsoft Entra Connect create the AD DS account for you. Previously, (i) is the default option in the Microsoft Entra Connect wizard. Now, (ii) is the default option.
-### Azure AD Connect Health
+<a name='azure-ad-connect-health'></a>
+
+### Microsoft Entra Connect Health
#### New features and improvements * Added support for Microsoft Azure Government Cloud and Microsoft Cloud Germany.
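Review bot: the added `<a name='azure-ad-connect-sync'></a>` anchor appears twice in this hunk (once above the first `### Microsoft Entra Connect Sync` heading and again above the one under 1.1.614.0), and `<a name='azure-ad-connect'></a>` is added above `### Microsoft Entra Connect` in the same way; HTML `name`/`id` values must be unique per page, so only the first copy is reachable from an old `#azure-ad-connect-sync` link and the later copies are dead. Either qualify the anchors per release to match whatever fragment the old auto-generated headings produced, or add the anchor only before the first occurrence. Two smaller points in the same hunk: the `[!NOTE]` block still begins its text with `Note:`, which duplicates the alert label the renderer already adds, and the link text `[Microsoft Entra Connect is not working correctly after an automatic upgrade]` no longer matches the title of the KB article it points to (`.../help/4038479/azure-ad-connect-is-not-working-correctly-after-an-automatic-upgrade`), so a reader following it sees a different product name than the one they clicked.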
Status: September 05 2017
* The Initialize-ADSyncNGCKeysWriteBack cmdlet in the AD prep PowerShell module was incorrectly applying ACLs to the device registration container and would therefore only inherit existing permissions. This was updated so that the sync service account has the correct permissions. #### New features and improvements
-* The Azure AD Connect Verify ADFS Login task was updated so that it verifies logins against Microsoft Online and not just token retrieval from ADFS.
-* When setting up a new ADFS farm using Azure AD Connect, the page asking for ADFS credentials was moved so that it now occurs before the user is asked to provide ADFS and WAP servers. This allows Azure AD Connect to check that the account specified has the correct permissions.
-* During Azure AD Connect upgrade, we will no longer fail an upgrade if the ADFS Azure AD Trust fails to update. If that happens, the user will be shown an appropriate warning message and should proceed to reset the trust via the Azure AD Connect additional task.
+* The Microsoft Entra Connect Verify ADFS Login task was updated so that it verifies logins against Microsoft Online and not just token retrieval from ADFS.
+* When setting up a new ADFS farm using Microsoft Entra Connect, the page asking for ADFS credentials was moved so that it now occurs before the user is asked to provide ADFS and WAP servers. This allows Microsoft Entra Connect to check that the account specified has the correct permissions.
+* During Microsoft Entra Connect upgrade, we will no longer fail an upgrade if the ADFS Microsoft Entra ID Trust fails to update. If that happens, the user will be shown an appropriate warning message and should proceed to reset the trust via the Microsoft Entra Connect additional task.
### Seamless Single Sign-On #### Fixed issues
-* Fixed an issue that caused Azure AD Connect wizard to return an error if you try to enable [Seamless Single Sign-On](how-to-connect-sso.md). The error message is *ΓÇ£Configuration of Microsoft Azure AD Connect Authentication Agent failed.ΓÇ¥* This issue affects existing customers who had manually upgraded the preview version of the Authentication Agents for [Pass-through Authentication](how-to-connect-sso.md) based on the steps described in this [article](how-to-connect-pta-upgrade-preview-authentication-agents.md).
+* Fixed an issue that caused Microsoft Entra Connect wizard to return an error if you try to enable [Seamless Single Sign-On](how-to-connect-sso.md). The error message is *ΓÇ£Configuration of Microsoft Entra Connect Authentication Agent failed.ΓÇ¥* This issue affects existing customers who had manually upgraded the preview version of the Authentication Agents for [Pass-through Authentication](how-to-connect-sso.md) based on the steps described in this [article](how-to-connect-pta-upgrade-preview-authentication-agents.md).
## 1.1.561.0 Status: July 23 2017
-### Azure AD Connect
+<a name='azure-ad-connect'></a>
+
+### Microsoft Entra Connect
#### Fixed issue * Fixed an issue that caused the out-of-box synchronization rule ΓÇ£Out to AD - User ImmutableIdΓÇ¥ to be removed:
- * The issue occurs when Azure AD Connect is upgraded, or when the task option *Update Synchronization Configuration* in the Azure AD Connect wizard is used to update Azure AD Connect synchronization configuration.
+ * The issue occurs when Microsoft Entra Connect is upgraded, or when the task option *Update Synchronization Configuration* in the Microsoft Entra Connect wizard is used to update Microsoft Entra Connect synchronization configuration.
- * This synchronization rule is applicable to customers who have enabled the [ms-DS-ConsistencyGuid as Source Anchor feature](plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor). This feature was introduced in version 1.1.524.0 and after. When the synchronization rule is removed, Azure AD Connect can no longer populate on-premises AD ms-DS-ConsistencyGuid attribute with the ObjectGuid attribute value. It does not prevent new users from being provisioned into Azure AD.
+ * This synchronization rule is applicable to customers who have enabled the [ms-DS-ConsistencyGuid as Source Anchor feature](plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor). This feature was introduced in version 1.1.524.0 and after. When the synchronization rule is removed, Microsoft Entra Connect can no longer populate on-premises AD ms-DS-ConsistencyGuid attribute with the ObjectGuid attribute value. It does not prevent new users from being provisioned into Microsoft Entra ID.
- * The fix ensures that the synchronization rule will no longer be removed during upgrade, or during configuration change, as long as the feature is enabled. For existing customers who have been affected by this issue, the fix also ensures that the synchronization rule is added back after upgrading to this version of Azure AD Connect.
+ * The fix ensures that the synchronization rule will no longer be removed during upgrade, or during configuration change, as long as the feature is enabled. For existing customers who have been affected by this issue, the fix also ensures that the synchronization rule is added back after upgrading to this version of Microsoft Entra Connect.
* Fixed an issue that causes out-of-box synchronization rules to have precedence value that is less than 100:
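Review bot: the quoted error string on the Seamless Single Sign-On line is rewritten from *"Configuration of Microsoft Azure AD Connect Authentication Agent failed."* to *"Configuration of Microsoft Entra Connect Authentication Agent failed."*, but that is the literal message the 1.1.614.0 wizard emits; a reader searching for the text they actually see will no longer match this page. Keep verbatim error messages as the product emits them, or show the old wording alongside the new name. Also in this hunk, `ADFS Microsoft Entra ID Trust` reads awkwardly and mixes the service name into a trust name; `AD FS to Microsoft Entra ID trust` follows the adjective-style naming ("Microsoft Entra tenant", "Microsoft Entra Connect") used elsewhere on the page. The `<a name='azure-ad-connect'></a>` anchor added here repeats the one already added above the 1.1.614.0 section, with the same uniqueness problem.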
Status: July 23 2017
* The fix prevents the issue from occurring during upgrade. However, it does not restore the precedence values for existing customers who have been affected by the issue. A separate fix will be provided in the future to help with the restoration.
-* Fixed an issue where the [Domain and OU Filtering screen](how-to-connect-install-custom.md#domain-and-ou-filtering) in the Azure AD Connect wizard is showing *Sync all domains and OUs* option as selected, even though OU-based filtering is enabled.
+* Fixed an issue where the [Domain and OU Filtering screen](how-to-connect-install-custom.md#domain-and-ou-filtering) in the Microsoft Entra Connect wizard is showing *Sync all domains and OUs* option as selected, even though OU-based filtering is enabled.
-* Fixed an issue that caused the [Configure Directory Partitions screen](how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering) in the Synchronization Service Manager to return an error if the *Refresh* button is clicked. The error message is *ΓÇ£An error was encountered while refreshing domains: Unable to cast object of type ΓÇÿSystem.Collections.ArrayListΓÇÖ to type ΓÇÿMicrosoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject.ΓÇ¥* The error occurs when new AD domain has been added to an existing AD forest and you are trying to update Azure AD Connect using the Refresh button.
+* Fixed an issue that caused the [Configure Directory Partitions screen](how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering) in the Synchronization Service Manager to return an error if the *Refresh* button is clicked. The error message is *ΓÇ£An error was encountered while refreshing domains: Unable to cast object of type ΓÇÿSystem.Collections.ArrayListΓÇÖ to type ΓÇÿMicrosoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject.ΓÇ¥* The error occurs when new AD domain has been added to an existing AD forest and you are trying to update Microsoft Entra Connect using the Refresh button.
#### New features and improvements
Status: July 23 2017
* You've enabled the user writeback feature. >[!NOTE]
- >The scope expansion of the Automatic Upgrade feature affects customers with Azure AD Connect build 1.1.105.0 and after. If you don't want your Azure AD Connect server to be automatically upgraded, you must run following cmdlet on your Azure AD Connect server: `Set-ADSyncAutoUpgrade -AutoUpgradeState disabled`. For more information about enabling/disabling Automatic Upgrade, refer to article [Azure AD Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md).
+ >The scope expansion of the Automatic Upgrade feature affects customers with Microsoft Entra Connect build 1.1.105.0 and after. If you don't want your Microsoft Entra Connect server to be automatically upgraded, you must run following cmdlet on your Microsoft Entra Connect server: `Set-ADSyncAutoUpgrade -AutoUpgradeState disabled`. For more information about enabling/disabling Automatic Upgrade, refer to article [Microsoft Entra Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md).
## 1.1.558.0 Status: Will not be released. Changes in this build are included in version 1.1.561.0.
-### Azure AD Connect
+<a name='azure-ad-connect'></a>
+
+### Microsoft Entra Connect
#### Fixed issue * Fixed an issue that caused the out-of-box synchronization rule ΓÇ£Out to AD - User ImmutableIdΓÇ¥ to be removed when OU-based filtering configuration is updated. This synchronization rule is required for the [ms-DS-ConsistencyGuid as Source Anchor feature](plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor).
-* Fixed an issue where the [Domain and OU Filtering screen](how-to-connect-install-custom.md#domain-and-ou-filtering) in the Azure AD Connect wizard is showing *Sync all domains and OUs* option as selected, even though OU-based filtering is enabled.
+* Fixed an issue where the [Domain and OU Filtering screen](how-to-connect-install-custom.md#domain-and-ou-filtering) in the Microsoft Entra Connect wizard is showing *Sync all domains and OUs* option as selected, even though OU-based filtering is enabled.
-* Fixed an issue that caused the [Configure Directory Partitions screen](how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering) in the Synchronization Service Manager to return an error if the *Refresh* button is clicked. The error message is *ΓÇ£An error was encountered while refreshing domains: Unable to cast object of type ΓÇÿSystem.Collections.ArrayListΓÇÖ to type ΓÇÿMicrosoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject.ΓÇ¥* The error occurs when new AD domain has been added to an existing AD forest and you are trying to update Azure AD Connect using the Refresh button.
+* Fixed an issue that caused the [Configure Directory Partitions screen](how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering) in the Synchronization Service Manager to return an error if the *Refresh* button is clicked. The error message is *ΓÇ£An error was encountered while refreshing domains: Unable to cast object of type ΓÇÿSystem.Collections.ArrayListΓÇÖ to type ΓÇÿMicrosoft.DirectoryServices.MetadirectoryServices.UI.PropertySheetBase.MaPropertyPages.PartitionObject.ΓÇ¥* The error occurs when new AD domain has been added to an existing AD forest and you are trying to update Microsoft Entra Connect using the Refresh button.
#### New features and improvements
Status: Will not be released. Changes in this build are included in version 1.1.
* You've enabled the user writeback feature. >[!NOTE]
- >The scope expansion of the Automatic Upgrade feature affects customers with Azure AD Connect build 1.1.105.0 and after. If you don't want your Azure AD Connect server to be automatically upgraded, you must run following cmdlet on your Azure AD Connect server: `Set-ADSyncAutoUpgrade -AutoUpgradeState disabled`. For more information about enabling/disabling Automatic Upgrade, refer to article [Azure AD Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md).
+ >The scope expansion of the Automatic Upgrade feature affects customers with Microsoft Entra Connect build 1.1.105.0 and after. If you don't want your Microsoft Entra Connect server to be automatically upgraded, you must run following cmdlet on your Microsoft Entra Connect server: `Set-ADSyncAutoUpgrade -AutoUpgradeState disabled`. For more information about enabling/disabling Automatic Upgrade, refer to article [Microsoft Entra Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md).
## 1.1.557.0 Status: July 2017 >[!NOTE]
->This build is not available to customers through the Azure AD Connect Auto Upgrade feature.
-### Azure AD Connect
+>This build is not available to customers through the Microsoft Entra Connect Auto Upgrade feature.
+<a name='azure-ad-connect'></a>
+
+### Microsoft Entra Connect
#### Fixed issue
-* Fixed an issue with the Initialize-ADSyncDomainJoinedComputerSync cmdlet that caused the verified domain configured on the existing service connection point object to be changed even if it's still a valid domain. This issue occurs when your Azure AD tenant has more than one verified domains that can be used for configuring the service connection point.
+* Fixed an issue with the Initialize-ADSyncDomainJoinedComputerSync cmdlet that caused the verified domain configured on the existing service connection point object to be changed even if it's still a valid domain. This issue occurs when your Microsoft Entra tenant has more than one verified domains that can be used for configuring the service connection point.
#### New features and improvements
-* Password writeback is now available for preview with Microsoft Azure Government cloud and Microsoft Cloud Germany. For more information about Azure AD Connect support for the different service instances, refer to article [Azure AD Connect: Special considerations for instances](reference-connect-instances.md).
+* Password writeback is now available for preview with Microsoft Azure Government cloud and Microsoft Cloud Germany. For more information about Microsoft Entra Connect support for the different service instances, refer to article [Microsoft Entra Connect: Special considerations for instances](reference-connect-instances.md).
* The Initialize-ADSyncDomainJoinedComputerSync cmdlet now has a new optional parameter named AzureADDomain. This parameter lets you specify which verified domain to be used for configuring the service connection point. ### Pass-through Authentication #### New features and improvements
-* The name of the agent required for Pass-through Authentication has been changed from *Microsoft Azure AD Application Proxy Connector* to *Microsoft Azure AD Connect Authentication Agent*.
+* The name of the agent required for Pass-through Authentication has been changed from *Microsoft Entra application proxy Connector* to *Microsoft Entra Connect Authentication Agent*.
* Enabling Pass-through Authentication no longer enables Password Hash Synchronization by default.
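Review bot: the Pass-through Authentication bullet records a historical rename (`changed from *Microsoft Azure AD Application Proxy Connector* to *Microsoft Azure AD Connect Authentication Agent*`); substituting `Microsoft Entra application proxy Connector` for the old name changes what the agent was actually called in the July 2017 build and leaves mixed casing (`application proxy Connector`). For a release-note bullet that describes a rename, keep the original product names, or at least make the casing consistent (`Microsoft Entra application proxy connector`). Minor: `more than one verified domains` in the Initialize-ADSyncDomainJoinedComputerSync fix should read `more than one verified domain`, and the `azure-ad-connect` anchor is added here for a fourth time in this diff.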
Status: July 2017
Status: June 2017 > [!IMPORTANT]
-> There are schema and sync rule changes introduced in this build. Azure AD Connect Synchronization Service will trigger Full Import and Full Synchronization steps after upgrade. Details of the changes are described below. To temporarily defer Full Import and Full Synchronization steps after upgrade, refer to article [How to defer full synchronization after upgrade](how-to-upgrade-previous-version.md#how-to-defer-full-synchronization-after-upgrade).
+> There are schema and sync rule changes introduced in this build. Microsoft Entra Connect Synchronization Service will trigger Full Import and Full Synchronization steps after upgrade. Details of the changes are described below. To temporarily defer Full Import and Full Synchronization steps after upgrade, refer to article [How to defer full synchronization after upgrade](how-to-upgrade-previous-version.md#how-to-defer-full-synchronization-after-upgrade).
> >
-### Azure AD Connect Sync
+<a name='azure-ad-connect-sync'></a>
+
+### Microsoft Entra Connect Sync
#### Known issue
-* There is an issue that affects customers who are using [OU-based filtering](how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering) with Azure AD Connect sync. When you navigate to the [Domain and OU Filtering page](how-to-connect-install-custom.md#domain-and-ou-filtering) in the Azure AD Connect wizard, the following behavior is expected:
+* There is an issue that affects customers who are using [OU-based filtering](how-to-connect-sync-configure-filtering.md#organizational-unitbased-filtering) with Microsoft Entra Connect Sync. When you navigate to the [Domain and OU Filtering page](how-to-connect-install-custom.md#domain-and-ou-filtering) in the Microsoft Entra Connect wizard, the following behavior is expected:
* If OU-based filtering is enabled, the **Sync selected domains and OUs** option is selected. * Otherwise, the **Sync all domains and OUs** option is selected.
-The issue that arises is that the **Sync all domains and OUs option** is always selected when you run the Wizard. This occurs even if OU-based filtering was previously configured. Before saving any Azure AD Connect configuration changes, make sure the **Sync selected domains and OUs option is selected** and confirm that all OUs that need to synchronize are enabled again. Otherwise, OU-based filtering will be disabled.
+The issue that arises is that the **Sync all domains and OUs option** is always selected when you run the Wizard. This occurs even if OU-based filtering was previously configured. Before saving any Microsoft Entra Connect configuration changes, make sure the **Sync selected domains and OUs option is selected** and confirm that all OUs that need to synchronize are enabled again. Otherwise, OU-based filtering will be disabled.
#### Fixed issues
-* Fixed an issue with Password writeback that allows an Azure AD Administrator to reset the password of an on-premises AD privileged user account. The issue occurs when Azure AD Connect is granted the Reset Password permission over the privileged account. The issue is addressed in this version of Azure AD Connect by not allowing an Azure AD Administrator to reset the password of an arbitrary on-premises AD privileged user account unless the administrator is the owner of that account. For more information, refer to [Security Advisory 4033453](/security-updates/SecurityAdvisories/2017/4033453).
+* Fixed an issue with Password writeback that allows a Microsoft Entra Administrator to reset the password of an on-premises AD privileged user account. The issue occurs when Microsoft Entra Connect is granted the Reset Password permission over the privileged account. The issue is addressed in this version of Microsoft Entra Connect by not allowing a Microsoft Entra Administrator to reset the password of an arbitrary on-premises AD privileged user account unless the administrator is the owner of that account. For more information, refer to [Security Advisory 4033453](/security-updates/SecurityAdvisories/2017/4033453).
-* Fixed an issue related to the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature where Azure AD Connect does not writeback to on-premises AD ms-DS-ConsistencyGuid attribute. The issue occurs when there are multiple on-premises AD forests added to Azure AD Connect and the *User identities exist across multiple directories option* is selected. When such configuration is used, the resultant synchronization rules don't populate the sourceAnchorBinary attribute in the Metaverse. The sourceAnchorBinary attribute is used as the source attribute for ms-DS-ConsistencyGuid attribute. As a result, writeback to the ms-DSConsistencyGuid attribute does not occur. To fix the issue, following sync rules have been updated to ensure that the sourceAnchorBinary attribute in the Metaverse is always populated:
+* Fixed an issue related to the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature where Microsoft Entra Connect does not writeback to on-premises AD ms-DS-ConsistencyGuid attribute. The issue occurs when there are multiple on-premises AD forests added to Microsoft Entra Connect and the *User identities exist across multiple directories option* is selected. When such configuration is used, the resultant synchronization rules don't populate the sourceAnchorBinary attribute in the Metaverse. The sourceAnchorBinary attribute is used as the source attribute for ms-DS-ConsistencyGuid attribute. As a result, writeback to the ms-DSConsistencyGuid attribute does not occur. To fix the issue, following sync rules have been updated to ensure that the sourceAnchorBinary attribute in the Metaverse is always populated:
* In from AD - InetOrgPerson AccountEnabled.xml * In from AD - InetOrgPerson Common.xml * In from AD - User AccountEnabled.xml * In from AD - User Common.xml * In from AD - User Join SOAInAAD.xml
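Review bot: the rewritten ms-DS-ConsistencyGuid bullet keeps two defects from the original that should be fixed while the line is being touched: "ms-DSConsistencyGuid attribute" is missing a hyphen (every other mention reads "ms-DS-ConsistencyGuid"), and "does not writeback to" should be the verb form "does not write back to" ("writeback" is the noun used elsewhere for the feature). "following sync rules have been updated" also reads better as "the following sync rules have been updated".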
-* Previously, even if the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature isnΓÇÖt enabled, the ΓÇ£Out to AD ΓÇô User ImmutableIdΓÇ¥ synchronization rule is still added to Azure AD Connect. The effect is benign and does not cause writeback of ms-DS-ConsistencyGuid attribute to occur. To avoid confusion, logic has been added to ensure that the sync rule is only added when the feature is enabled.
+* Previously, even if the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature isnΓÇÖt enabled, the ΓÇ£Out to AD ΓÇô User ImmutableIdΓÇ¥ synchronization rule is still added to Microsoft Entra Connect. The effect is benign and does not cause writeback of ms-DS-ConsistencyGuid attribute to occur. To avoid confusion, logic has been added to ensure that the sync rule is only added when the feature is enabled.
* Fixed an issue that caused password hash synchronization to fail with error event 611. This issue occurs after one or more domain controllers have been removed from on-premises AD. At the end of each password synchronization cycle, the synchronization cookie issued by on-premises AD contains Invocation IDs of the removed domain controllers with USN (Update Sequence Number) value of 0. The Password Synchronization Manager is unable to persist synchronization cookie containing USN value of 0 and fails with error event 611. During the next synchronization cycle, the Password Synchronization Manager reuses the last persisted synchronization cookie that does not contain USN value of 0. This causes the same password changes to be resynchronized. With this fix, the Password Synchronization Manager persists the synchronization cookie correctly.
-* Previously, even if Automatic Upgrade has been disabled using the Set-ADSyncAutoUpgrade cmdlet, the Automatic Upgrade process continues to check for upgrade periodically, and relies on the downloaded installer to honor disablement. With this fix, the Automatic Upgrade process no longer checks for upgrade periodically. The fix is automatically applied when upgrade installer for this Azure AD Connect version is executed once.
+* Previously, even if Automatic Upgrade has been disabled using the Set-ADSyncAutoUpgrade cmdlet, the Automatic Upgrade process continues to check for upgrade periodically, and relies on the downloaded installer to honor disablement. With this fix, the Automatic Upgrade process no longer checks for upgrade periodically. The fix is automatically applied when upgrade installer for this Microsoft Entra Connect version is executed once.
#### New features and improvements * Previously, the [ms-DS-ConsistencyGuid as Source Anchor](./plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor) feature was available to new deployments only. Now, it's available to existing deployments. More specifically:
- * To access the feature, start the Azure AD Connect wizard and choose the *Update Source Anchor* option.
+ * To access the feature, start the Microsoft Entra Connect wizard and choose the *Update Source Anchor* option.
* This option is only visible to existing deployments that are using objectGuid as sourceAnchor attribute. * When configuring the option, the wizard validates the state of the ms-DS-ConsistencyGuid attribute in your on-premises Active Directory. If the attribute isn't configured on any user object in the directory, the wizard uses the ms-DS-ConsistencyGuid as the sourceAnchor attribute. If the attribute is configured on one or more user objects in the directory, the wizard concludes the attribute is being used by other applications and is not suitable as sourceAnchor attribute and does not permit the Source Anchor change to proceed. If you are certain that the attribute isn't used by existing applications, you need to contact Support for information on how to suppress the error.
-* Specific to **userCertificate** attribute on Device objects, Azure AD Connect now looks for certificates values required for [Connecting domain-joined devices to Azure AD for Windows 10 experience](../../devices/hybrid-join-plan.md) and filters out the rest before synchronizing to Azure AD. To enable this behavior, the out-of-box sync rule ΓÇ£Out to AAD - Device Join SOAInADΓÇ¥ has been updated.
+* Specific to **userCertificate** attribute on Device objects, Microsoft Entra Connect now looks for certificates values required for [Connecting domain-joined devices to Microsoft Entra ID for Windows 10 experience](../../devices/hybrid-join-plan.md) and filters out the rest before synchronizing to Microsoft Entra ID. To enable this behavior, the out-of-box sync rule ΓÇ£Out to Microsoft Entra ID - Device Join SOAInADΓÇ¥ has been updated.
-* Azure AD Connect now supports writeback of Exchange Online **cloudPublicDelegates** attribute to on-premises AD **publicDelegates** attribute. This enables the scenario where an Exchange Online mailbox can be granted SendOnBehalfTo rights to users with on-premises Exchange mailbox. To support this feature, a new out-of-box sync rule ΓÇ£Out to AD ΓÇô User Exchange Hybrid PublicDelegates writebackΓÇ¥ has been added. This sync rule is only added to Azure AD Connect when Exchange Hybrid feature is enabled.
+* Microsoft Entra Connect now supports writeback of Exchange Online **cloudPublicDelegates** attribute to on-premises AD **publicDelegates** attribute. This enables the scenario where an Exchange Online mailbox can be granted SendOnBehalfTo rights to users with on-premises Exchange mailbox. To support this feature, a new out-of-box sync rule ΓÇ£Out to AD ΓÇô User Exchange Hybrid PublicDelegates writebackΓÇ¥ has been added. This sync rule is only added to Microsoft Entra Connect when Exchange Hybrid feature is enabled.
-* Azure AD Connect now supports synchronizing the **altRecipient** attribute from Azure AD. To support this change, following out-of-box sync rules have been updated to include the required attribute flow:
+* Microsoft Entra Connect now supports synchronizing the **altRecipient** attribute from Microsoft Entra ID. To support this change, following out-of-box sync rules have been updated to include the required attribute flow:
* In from AD ΓÇô User Exchange
- * Out to AAD ΓÇô User ExchangeOnline
+ * Out to Microsoft Entra ID ΓÇô User ExchangeOnline
-* The **cloudSOAExchMailbox** attribute in the Metaverse indicates whether a given user has Exchange Online mailbox or not. Its definition has been updated to include additional Exchange Online RecipientDisplayTypes as such Equipment and Conference Room mailboxes. To enable this change, the definition of the cloudSOAExchMailbox attribute, which is found under out-of-box sync rule ΓÇ£In from AAD ΓÇô User Exchange HybridΓÇ¥, has been updated from:
+* The **cloudSOAExchMailbox** attribute in the Metaverse indicates whether a given user has Exchange Online mailbox or not. Its definition has been updated to include additional Exchange Online RecipientDisplayTypes as such Equipment and Conference Room mailboxes. To enable this change, the definition of the cloudSOAExchMailbox attribute, which is found under out-of-box sync rule ΓÇ£In from Microsoft Entra ID ΓÇô User Exchange HybridΓÇ¥, has been updated from:
``` CBool(IIF(IsNullOrEmpty([cloudMSExchRecipientDisplayType]),NULL,BitAnd([cloudMSExchRecipientDisplayType],&amp;HFF) = 0))
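Review bot: the quoted out-of-box sync rule names in this hunk ("Out to AAD - Device Join SOAInAD", "Out to AAD – User ExchangeOnline", "In from AAD – User Exchange Hybrid") are identifiers an administrator looks up in the Synchronization Rules Editor, not prose; rewriting "AAD" to "Microsoft Entra ID" inside the quotes makes the documented name differ from the rule name unless the product itself renamed the rules. The change is also inconsistent with itself: the rule-file name "In from AD - User Join SOAInAAD.xml" earlier in the same section is left as-is while these three are rebranded. Suggest restoring the literal rule names and rebranding only the surrounding prose.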
* Group: domainFQDN * Person: distinguishedName
- * Following attributes have been added to Azure AD Connector schema:
+ * Following attributes have been added to Microsoft Entra Connector schema:
* Group: OnPremisesSamAccountName * Group: NetBiosName * Group: DnsDomainName * User: OnPremisesDistinguishedName
-* The ADSyncDomainJoinedComputerSync cmdlet script now has a new optional parameter named AzureEnvironment. The parameter is used to specify which region the corresponding Azure Active Directory tenant is hosted in. Valid values include:
+* The ADSyncDomainJoinedComputerSync cmdlet script now has a new optional parameter named AzureEnvironment. The parameter is used to specify which region the corresponding Microsoft Entra tenant is hosted in. Valid values include:
* AzureCloud (default) * AzureChinaCloud * AzureGermanyCloud
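Review bot: the AzureEnvironment bullet refers to "the ADSyncDomainJoinedComputerSync cmdlet script" while the earlier bullet in this section calls the same thing "the Initialize-ADSyncDomainJoinedComputerSync cmdlet"; since the line is being rewritten anyway, use the full cmdlet name consistently so a reader searching for it finds one name. The parameter values AzureCloud, AzureChinaCloud and AzureGermanyCloud are correctly left untouched.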
#### Issues fixed
-* Following URLs are new WS-Federation endpoints introduced by Azure AD to improve resiliency against authentication outage and will be added to on-premises AD FS replying party trust configuration:
+* Following URLs are new WS-Federation endpoints introduced by Microsoft Entra ID to improve resiliency against authentication outage and will be added to on-premises AD FS replying party trust configuration:
* https:\//ests.login.microsoftonline.com/login.srf * https:\//stamp2.login.microsoftonline.com/login.srf * https://ccs.login.microsoftonline.com/login.srf * https://ccs-sdf.login.microsoftonline.com/login.srf
-* Fixed an issue that caused AD FS to generate incorrect claim value for IssuerID. The issue occurs if there are multiple verified domains in the Azure AD tenant and the domain suffix of the userPrincipalName attribute used to generate the IssuerID claim is at least 3-levels deep (for example, johndoe@us.contoso.com). The issue is resolved by updating the regex used by the claim rules.
+* Fixed an issue that caused AD FS to generate incorrect claim value for IssuerID. The issue occurs if there are multiple verified domains in the Microsoft Entra tenant and the domain suffix of the userPrincipalName attribute used to generate the IssuerID claim is at least 3-levels deep (for example, johndoe@us.contoso.com). The issue is resolved by updating the regex used by the claim rules.
#### New features and improvements
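Review bot: "replying party trust" in the WS-Federation endpoints bullet is a typo for "relying party trust" and should be fixed while the line is touched. In the endpoint list that follows, the first two URLs are written as "https:\//" while the last two are not; make all four entries consistent (the backslash looks like leftover markup for suppressing auto-linking).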
-* Previously, the ADFS Certificate Management feature provided by Azure AD Connect can only be used with ADFS farms managed through Azure AD Connect. Now, you can use the feature with ADFS farms that aren't managed using Azure AD Connect.
+* Previously, the ADFS Certificate Management feature provided by Microsoft Entra Connect can only be used with ADFS farms managed through Microsoft Entra Connect. Now, you can use the feature with ADFS farms that aren't managed using Microsoft Entra Connect.
## 1.1.524.0 Released: May 2017 > [!IMPORTANT]
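Review bot: the ADFS Certificate Management bullet spells the product "ADFS" three times while the IssuerID bullet just above uses "AD FS"; since the line is being rewritten, align on "AD FS". "can only be used" in a sentence that starts with "Previously" should also be past tense ("could only be used").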
-> There are schema and sync rule changes introduced in this build. Azure AD Connect Synchronization Service will trigger Full Import and Full Sync steps after upgrade. Details of the changes are described below.
+> There are schema and sync rule changes introduced in this build. Microsoft Entra Connect Synchronization Service will trigger Full Import and Full Sync steps after upgrade. Details of the changes are described below.
> > **Fixed issues:**
-Azure AD Connect sync
+Microsoft Entra Connect Sync
-* Fixed an issue that causes Automatic Upgrade to occur on the Azure AD Connect server even if customer has disabled the feature using the Set-ADSyncAutoUpgrade cmdlet. With this fix, the Automatic Upgrade process on the server still checks for upgrade periodically, but the downloaded installer honors the Automatic Upgrade configuration.
-* During DirSync in-place upgrade, Azure AD Connect creates an Azure AD service account to be used by the Azure AD connector for synchronizing with Azure AD. After the account is created, Azure AD Connect authenticates with Azure AD using the account. Sometimes, authentication fails because of transient issues, which in turn causes DirSync in-place upgrade to fail with error *ΓÇ£An error has occurred executing Configure AAD Sync task: AADSTS50034: To sign into this application, the account must be added to the xxx.onmicrosoft.com directory.ΓÇ¥* To improve the resiliency of DirSync upgrade, Azure AD Connect now retries the authentication step.
-* There was an issue with build 443 that causes DirSync in-place upgrade to succeed but run profiles required for directory synchronization aren't created. Healing logic is included in this build of Azure AD Connect. When customer upgrades to this build, Azure AD Connect detects missing run profiles and creates them.
+* Fixed an issue that causes Automatic Upgrade to occur on the Microsoft Entra Connect server even if customer has disabled the feature using the Set-ADSyncAutoUpgrade cmdlet. With this fix, the Automatic Upgrade process on the server still checks for upgrade periodically, but the downloaded installer honors the Automatic Upgrade configuration.
+* During DirSync in-place upgrade, Microsoft Entra Connect creates a Microsoft Entra service account to be used by the Microsoft Entra connector for synchronizing with Microsoft Entra ID. After the account is created, Microsoft Entra Connect authenticates with Microsoft Entra ID using the account. Sometimes, authentication fails because of transient issues, which in turn causes DirSync in-place upgrade to fail with error *ΓÇ£An error has occurred executing Configure Azure AD Sync task: AADSTS50034: To sign into this application, the account must be added to the xxx.onmicrosoft.com directory.ΓÇ¥* To improve the resiliency of DirSync upgrade, Microsoft Entra Connect now retries the authentication step.
+* There was an issue with build 443 that causes DirSync in-place upgrade to succeed but run profiles required for directory synchronization aren't created. Healing logic is included in this build of Microsoft Entra Connect. When customer upgrades to this build, Microsoft Entra Connect detects missing run profiles and creates them.
* Fixed an issue that causes Password Synchronization process to fail to start with Event ID 6900 and error *ΓÇ£An item with the same key has already been addedΓÇ¥*. This issue occurs if you update OU filtering configuration to include AD configuration partition. To fix this issue, Password Synchronization process now synchronizes password changes from AD domain partitions only. Non-domain partitions such as configuration partition are skipped.
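Review bot: the DirSync in-place upgrade bullet changes text inside a quoted error message ("Configure AAD Sync task" becomes "Configure Azure AD Sync task"); an error string should stay exactly as the product emits it, because administrators match it against their logs, and rewording it to something that was never emitted breaks that. The LargeObject bullet later in this same change correctly leaves the quoted "Windows Azure Active Directory service" message verbatim; treat the AADSTS50034 message the same way.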
-* During Express installation, Azure AD Connect creates an on-premises AD DS account to be used by the AD connector to communicate with on-premises AD. Previously, the account is created with the PASSWD_NOTREQD flag set on the user-Account-Control attribute and a random password is set on the account. Now, Azure AD Connect explicitly removes the PASSWD_NOTREQD flag after the password is set on the account.
+* During Express installation, Microsoft Entra Connect creates an on-premises AD DS account to be used by the AD connector to communicate with on-premises AD. Previously, the account is created with the PASSWD_NOTREQD flag set on the user-Account-Control attribute and a random password is set on the account. Now, Microsoft Entra Connect explicitly removes the PASSWD_NOTREQD flag after the password is set on the account.
* Fixed an issue that causes DirSync upgrade to fail with error *ΓÇ£a deadlock occurred in sql server which trying to acquire an application lockΓÇ¥* when the mailNickname attribute is found in the on-premises AD schema, but is not bounded to the AD User object class.
-* Fixed an issue that causes Device writeback feature to automatically be disabled when an administrator is updating Azure AD Connect sync configuration using Azure AD Connect wizard. This issue is caused by the wizard performing a pre-requisite check for the existing Device writeback configuration in on-premises AD and the check fails. The fix is to skip the check if Device writeback is already enabled previously.
-* To configure OU filtering, you can either use the Azure AD Connect wizard or the Synchronization Service Manager. Previously, if you use the Azure AD Connect wizard to configure OU filtering, new OUs created afterwards are included for directory synchronization. If you don't want new OUs to be included, you must configure OU filtering using the Synchronization Service Manager. Now, you can achieve the same behavior using Azure AD Connect wizard.
-* Fixed an issue that causes stored procedures required by Azure AD Connect to be created under the schema of the installing admin, instead of under the dbo schema.
-* Fixed an issue that causes the TrackingId attribute returned by Azure AD to be omitted in the Azure AD Connect Server Event Logs. The issue occurs if Azure AD Connect receives a redirection message from Azure AD and Azure AD Connect is unable to connect to the endpoint provided. The TrackingId is used by Support Engineers to correlate with service side logs during troubleshooting.
-* When Azure AD Connect receives LargeObject error from Azure AD, Azure AD Connect generates an event with EventID 6941 and message *ΓÇ£The provisioned object is too large. Trim the number of attribute values on this object.ΓÇ¥* At the same time, Azure AD Connect also generates a misleading event with EventID 6900 and message *ΓÇ£Microsoft.Online.Coexistence.ProvisionRetryException: Unable to communicate with the Windows Azure Active Directory service.ΓÇ¥* To minimize confusion, Azure AD Connect no longer generates the latter event when LargeObject error is received.
+* Fixed an issue that causes Device writeback feature to automatically be disabled when an administrator is updating Microsoft Entra Connect sync configuration using Microsoft Entra Connect wizard. This issue is caused by the wizard performing a pre-requisite check for the existing Device writeback configuration in on-premises AD and the check fails. The fix is to skip the check if Device writeback is already enabled previously.
+* To configure OU filtering, you can either use the Microsoft Entra Connect wizard or the Synchronization Service Manager. Previously, if you use the Microsoft Entra Connect wizard to configure OU filtering, new OUs created afterwards are included for directory synchronization. If you don't want new OUs to be included, you must configure OU filtering using the Synchronization Service Manager. Now, you can achieve the same behavior using Microsoft Entra Connect wizard.
+* Fixed an issue that causes stored procedures required by Microsoft Entra Connect to be created under the schema of the installing admin, instead of under the dbo schema.
+* Fixed an issue that causes the TrackingId attribute returned by Microsoft Entra ID to be omitted in the Microsoft Entra Connect Server Event Logs. The issue occurs if Microsoft Entra Connect receives a redirection message from Microsoft Entra ID and Microsoft Entra Connect is unable to connect to the endpoint provided. The TrackingId is used by Support Engineers to correlate with service side logs during troubleshooting.
+* When Microsoft Entra Connect receives LargeObject error from Microsoft Entra ID, Microsoft Entra Connect generates an event with EventID 6941 and message *ΓÇ£The provisioned object is too large. Trim the number of attribute values on this object.ΓÇ¥* At the same time, Microsoft Entra Connect also generates a misleading event with EventID 6900 and message *ΓÇ£Microsoft.Online.Coexistence.ProvisionRetryException: Unable to communicate with the Windows Azure Active Directory service.ΓÇ¥* To minimize confusion, Microsoft Entra Connect no longer generates the latter event when LargeObject error is received.
* Fixed an issue that causes the Synchronization Service Manager to become unresponsive when trying to update the configuration for Generic LDAP connector. **New features/improvements:**
-Azure AD Connect sync
+Microsoft Entra Connect Sync
* Sync Rule Changes ΓÇô The following sync rule changes have been implemented: * Updated default sync rule set to not export attributes **userCertificate** and **userSMIMECertificate** if the attributes have more than 15 values. * AD attributes **employeeID** and **msExchBypassModerationLink** are now included in the default sync rule set. * AD attribute **photo** has been removed from default sync rule set.
- * Added **preferredDataLocation** to the Metaverse schema and Azure AD Connector schema. Customers who want to update either attributes in Azure AD can implement custom sync rules to do so.
- * Added **userType** to the Metaverse schema and Azure AD Connector schema. Customers who want to update either attributes in Azure AD can implement custom sync rules to do so.
-
-* Azure AD Connect now automatically enables the use of ConsistencyGuid attribute as the Source Anchor attribute for on-premises AD objects. Further, Azure AD Connect populates the ConsistencyGuid attribute with the objectGuid attribute value if it's empty. This feature is applicable to new deployment only. To find out more about this feature, refer to article section [Azure AD Connect: Design concepts - Using ms-DS-ConsistencyGuid as sourceAnchor](plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor).
-* New troubleshooting cmdlet Invoke-ADSyncDiagnostics has been added to help diagnose Password Hash Synchronization related issues. For information about using the cmdlet, refer to article [Troubleshoot password hash synchronization with Azure AD Connect sync](tshoot-connect-password-hash-synchronization.md).
-* Azure AD Connect now supports synchronizing Mail-Enabled Public Folder objects from on-premises AD to Azure AD. You can enable the feature using Azure AD Connect wizard under Optional Features. To find out more about this feature, refer to article [Office 365 Directory Based Edge Blocking support for on-premises Mail Enabled Public Folders](https://techcommunity.microsoft.com/t5/exchange/office-365-directory-based-edge-blocking-support-for-on-premises/m-p/74218).
-* Azure AD Connect requires an AD DS account to synchronize from on-premises AD. Previously, if you installed Azure AD Connect using the Express mode, you could provide the credentials of an Enterprise Admin account and Azure AD Connect would create the AD DS account required. However, for a custom installation and adding forests to an existing deployment, you were required to provide the AD DS account instead. Now, you also have the option to provide the credentials of an Enterprise Admin account during a custom installation and let Azure AD Connect create the AD DS account required.
-* Azure AD Connect now supports SQL AOA. You must enable SQL AOA before installing Azure AD Connect. During installation, Azure AD Connect detects whether the SQL instance provided is enabled for SQL AOA or not. If SQL AOA is enabled, Azure AD Connect further figures out if SQL AOA is configured to use synchronous replication or asynchronous replication. When setting up the Availability Group Listener, it's recommended that you set the RegisterAllProvidersIP property to 0. This recommendation is because Azure AD Connect currently uses SQL Native Client to connect to SQL and SQL Native Client does not support the use of MultiSubNetFailover property.
-* If you are using LocalDB as the database for your Azure AD Connect server and has reached its 10-GB size limit, the Synchronization Service no longer starts. Previously, you need to perform ShrinkDatabase operation on the LocalDB to reclaim enough DB space for the Synchronization Service to start. After which, you can use the Synchronization Service Manager to delete run history to reclaim more DB space. Now, you can use Start-ADSyncPurgeRunHistory cmdlet to purge run history data from LocalDB to reclaim DB space. Further, this cmdlet supports an offline mode (by specifying the -offline parameter) which can be used when the Synchronization Service is not running. Note: The offline mode can only be used if the Synchronization Service is not running and the database used is LocalDB.
-* To reduce the amount of storage space required, Azure AD Connect now compresses sync error details before storing them in LocalDB/SQL databases. When upgrading from an older version of Azure AD Connect to this version, Azure AD Connect performs a one-time compression on existing sync error details.
-* Previously, after updating OU filtering configuration, you must manually run Full import to ensure existing objects are properly included/excluded from directory synchronization. Now, Azure AD Connect automatically triggers Full import during the next sync cycle. Further, Full import is only be applied to the AD connectors affected by the update. Note: this improvement is applicable to OU filtering updates made using the Azure AD Connect wizard only. It is not applicable to OU filtering update made using the Synchronization Service Manager.
+ * Added **preferredDataLocation** to the Metaverse schema and Microsoft Entra Connector schema. Customers who want to update either attributes in Microsoft Entra ID can implement custom sync rules to do so.
+ * Added **userType** to the Metaverse schema and Microsoft Entra Connector schema. Customers who want to update either attributes in Microsoft Entra ID can implement custom sync rules to do so.
+
+* Microsoft Entra Connect now automatically enables the use of ConsistencyGuid attribute as the Source Anchor attribute for on-premises AD objects. Further, Microsoft Entra Connect populates the ConsistencyGuid attribute with the objectGuid attribute value if it's empty. This feature is applicable to new deployment only. To find out more about this feature, refer to article section [Microsoft Entra Connect: Design concepts - Using ms-DS-ConsistencyGuid as sourceAnchor](plan-connect-design-concepts.md#using-ms-ds-consistencyguid-as-sourceanchor).
+* New troubleshooting cmdlet Invoke-ADSyncDiagnostics has been added to help diagnose Password Hash Synchronization related issues. For information about using the cmdlet, refer to article [Troubleshoot password hash synchronization with Microsoft Entra Connect Sync](tshoot-connect-password-hash-synchronization.md).
+* Microsoft Entra Connect now supports synchronizing Mail-Enabled Public Folder objects from on-premises AD to Microsoft Entra ID. You can enable the feature using Microsoft Entra Connect wizard under Optional Features. To find out more about this feature, refer to article [Office 365 Directory Based Edge Blocking support for on-premises Mail Enabled Public Folders](https://techcommunity.microsoft.com/t5/exchange/office-365-directory-based-edge-blocking-support-for-on-premises/m-p/74218).
+* Microsoft Entra Connect requires an AD DS account to synchronize from on-premises AD. Previously, if you installed Microsoft Entra Connect using the Express mode, you could provide the credentials of an Enterprise Admin account and Microsoft Entra Connect would create the AD DS account required. However, for a custom installation and adding forests to an existing deployment, you were required to provide the AD DS account instead. Now, you also have the option to provide the credentials of an Enterprise Admin account during a custom installation and let Microsoft Entra Connect create the AD DS account required.
+* Microsoft Entra Connect now supports SQL AOA. You must enable SQL AOA before installing Microsoft Entra Connect. During installation, Microsoft Entra Connect detects whether the SQL instance provided is enabled for SQL AOA or not. If SQL AOA is enabled, Microsoft Entra Connect further figures out if SQL AOA is configured to use synchronous replication or asynchronous replication. When setting up the Availability Group Listener, it's recommended that you set the RegisterAllProvidersIP property to 0. This recommendation is because Microsoft Entra Connect currently uses SQL Native Client to connect to SQL and SQL Native Client does not support the use of MultiSubNetFailover property.
+* If you are using LocalDB as the database for your Microsoft Entra Connect server and has reached its 10-GB size limit, the Synchronization Service no longer starts. Previously, you need to perform ShrinkDatabase operation on the LocalDB to reclaim enough DB space for the Synchronization Service to start. After which, you can use the Synchronization Service Manager to delete run history to reclaim more DB space. Now, you can use Start-ADSyncPurgeRunHistory cmdlet to purge run history data from LocalDB to reclaim DB space. Further, this cmdlet supports an offline mode (by specifying the -offline parameter) which can be used when the Synchronization Service is not running. Note: The offline mode can only be used if the Synchronization Service is not running and the database used is LocalDB.
+* To reduce the amount of storage space required, Microsoft Entra Connect now compresses sync error details before storing them in LocalDB/SQL databases. When upgrading from an older version of Microsoft Entra Connect to this version, Microsoft Entra Connect performs a one-time compression on existing sync error details.
+* Previously, after updating OU filtering configuration, you must manually run Full import to ensure existing objects are properly included/excluded from directory synchronization. Now, Microsoft Entra Connect automatically triggers Full import during the next sync cycle. Further, Full import is only be applied to the AD connectors affected by the update. Note: this improvement is applicable to OU filtering updates made using the Microsoft Entra Connect wizard only. It is not applicable to OU filtering update made using the Synchronization Service Manager.
* Previously, Group-based filtering supports Users, Groups, and Contact objects only. Now, Group-based filtering also supports Computer objects.
-* Previously, you can delete Connector Space data without disabling Azure AD Connect sync scheduler. Now, the Synchronization Service Manager blocks the deletion of Connector Space data if it detects that the scheduler is enabled. Further, a warning is returned to inform customers about potential data loss if the Connector space data is deleted.
-* Previously, you must disable PowerShell transcription for Azure AD Connect wizard to run correctly. This issue is partially resolved. You can enable PowerShell transcription if you are using Azure AD Connect wizard to manage sync configuration. You must disable PowerShell transcription if you are using Azure AD Connect wizard to manage ADFS configuration.
+* Previously, you can delete Connector Space data without disabling Microsoft Entra Connect Sync scheduler. Now, the Synchronization Service Manager blocks the deletion of Connector Space data if it detects that the scheduler is enabled. Further, a warning is returned to inform customers about potential data loss if the Connector space data is deleted.
+* Previously, you must disable PowerShell transcription for Microsoft Entra Connect wizard to run correctly. This issue is partially resolved. You can enable PowerShell transcription if you are using Microsoft Entra Connect wizard to manage sync configuration. You must disable PowerShell transcription if you are using Microsoft Entra Connect wizard to manage ADFS configuration.
Azure AD Connect sync
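Review bot: the unchanged line "Azure AD Connect sync" that closes this hunk still carries the old product name, while the same subheading is renamed to "Microsoft Entra Connect Sync" in the 1.1.484.0 hunk below; if this is a line of the file and not the viewer's context, rename it here as well. Two grammar slips are worth fixing while these "+" lines are being rewritten: "Further, Full import is only be applied to the AD connectors affected by the update" should read "is only applied", and "If you are using LocalDB as the database for your Microsoft Entra Connect server and has reached its 10-GB size limit" needs its subject, "and it has reached its 10-GB size limit". The last "+" line also spells the federation service "ADFS" ("manage ADFS configuration") where the rest of the file uses "AD FS".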
Released: April 2017 **Fixed issues:**
-* Fixed the issue where Azure AD Connect will not install successfully on localized version of Windows Server.
+* Fixed the issue where Microsoft Entra Connect will not install successfully on localized version of Windows Server.
## 1.1.484.0 Released: April 2017 **Known issues:**
-* This version of Azure AD Connect will not install successfully if the following conditions are all true:
- 1. You are performing either DirSync in-place upgrade or fresh installation of Azure AD Connect.
+* This version of Microsoft Entra Connect will not install successfully if the following conditions are all true:
+ 1. You are performing either DirSync in-place upgrade or fresh installation of Microsoft Entra Connect.
2. You are using a localized version of Windows Server where the name of built-in Administrator group on the server isn't "Administrators".
- 3. You are using the default SQL Server 2012 Express LocalDB installed with Azure AD Connect instead of providing your own full SQL.
+ 3. You are using the default SQL Server 2012 Express LocalDB installed with Microsoft Entra Connect instead of providing your own full SQL.
**Fixed issues:**
-Azure AD Connect sync
+Microsoft Entra Connect Sync
* Fixed an issue where the sync scheduler skips the entire sync step if one or more connectors are missing run profile for that sync step. For example, you manually added a connector using the Synchronization Service Manager without creating a Delta Import run profile for it. This fix ensures that the sync scheduler continues to run Delta Import for other connectors. * Fixed an issue where the Synchronization Service immediately stops processing a run profile when it's encounters an issue with one of the run steps. This fix ensures that the Synchronization Service skips that run step and continues to process the rest. For example, you've a Delta Import run profile for your AD connector with multiple run steps (one for each on-premises AD domain). The Synchronization Service will run Delta Import with the other AD domains even if one of them has network connectivity issues.
-* Fixed an issue that causes the Azure AD Connector update to be skipped during Automatic Upgrade.
-* Fixed an issue that causes Azure AD Connect to incorrectly determine whether the server is a domain controller during setup, which in turn causes DirSync upgrade to fail.
-* Fixed an issue that causes DirSync in-place upgrade to not create any run profile for the Azure AD Connector.
+* Fixed an issue that causes the Microsoft Entra Connector update to be skipped during Automatic Upgrade.
+* Fixed an issue that causes Microsoft Entra Connect to incorrectly determine whether the server is a domain controller during setup, which in turn causes DirSync upgrade to fail.
+* Fixed an issue that causes DirSync in-place upgrade to not create any run profile for the Microsoft Entra Connector.
* Fixed an issue where the Synchronization Service Manager user interface becomes unresponsive when trying to configure Generic LDAP Connector. AD FS management
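Review bot: "Azure AD Connector" is treated in these lines as the name of an object the product shows to the administrator (it has run profiles, connectors are added in the Synchronization Service Manager, and the 1.1.443.0 fix below refers to "the display name of the Microsoft Entra Connector" containing the tenant's onmicrosoft.com domain), so renaming it to "Microsoft Entra Connector" in the "+" lines should be checked against what the Synchronization Service Manager actually displays; if the in-product name has not changed, readers will look for a connector that does not exist under that name. Keeping the on-screen name and giving the new product name in parentheses on first use would avoid that.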
-* Fixed an issue where the Azure AD Connect wizard fails if the AD FS primary node has been moved to another server.
+* Fixed an issue where the Microsoft Entra Connect wizard fails if the AD FS primary node has been moved to another server.
Desktop SSO
-* Fixed an issue in the Azure AD Connect wizard where the Sign-In screen does not let you enable Desktop SSO feature if you chose Password Synchronization as your Sign-In option during new installation.
+* Fixed an issue in the Microsoft Entra Connect wizard where the Sign-In screen does not let you enable Desktop SSO feature if you chose Password Synchronization as your Sign-In option during new installation.
**New features/improvements:**
-Azure AD Connect sync
-* Azure AD Connect Sync now supports the use of Virtual Service Account, Managed Service Account and Group Managed Service Account as its service account. This applies to new installation of Azure AD Connect only. When installing Azure AD Connect:
- * By default, Azure AD Connect wizard will create a Virtual Service Account and uses it as its service account.
- * If you are installing on a domain controller, Azure AD Connect falls back to previous behavior where it will create a domain user account and uses it as its service account instead.
+Microsoft Entra Connect Sync
+* Microsoft Entra Connect Sync now supports the use of Virtual Service Account, Managed Service Account and Group Managed Service Account as its service account. This applies to new installation of Microsoft Entra Connect only. When installing Microsoft Entra Connect:
+ * By default, Microsoft Entra Connect wizard will create a Virtual Service Account and uses it as its service account.
+ * If you are installing on a domain controller, Microsoft Entra Connect falls back to previous behavior where it will create a domain user account and uses it as its service account instead.
* You can override the default behavior by providing one of the following: * A Group Managed Service Account * A Managed Service Account * A domain user account * A local user account
-* Previously, if you upgrade to a new build of Azure AD Connect containing connectors update or sync rule changes, Azure AD Connect will trigger a full sync cycle. Now, Azure AD Connect selectively triggers Full Import step only for connectors with update, and Full Synchronization step only for connectors with sync rule changes.
+* Previously, if you upgrade to a new build of Microsoft Entra Connect containing connectors update or sync rule changes, Microsoft Entra Connect will trigger a full sync cycle. Now, Microsoft Entra Connect selectively triggers Full Import step only for connectors with update, and Full Synchronization step only for connectors with sync rule changes.
* Previously, the Export Deletion Threshold only applies to exports which are triggered through the sync scheduler. Now, the feature is extended to include exports manually triggered by the customer using the Synchronization Service Manager.
-* On your Azure AD tenant, there is a service configuration which indicates whether Password Synchronization feature is enabled for your tenant or not. Previously, it's easy for the service configuration to be incorrectly configured by Azure AD Connect when you've an active and a staging server. Now, Azure AD Connect will attempt to keep the service configuration consistent with your active Azure AD Connect server only.
-* Azure AD Connect wizard now detects and returns a warning if on-premises AD does not have AD Recycle Bin enabled.
-* Previously, Export to Azure AD times out and fails if the combined size of the objects in the batch exceeds certain threshold. Now, the Synchronization Service will reattempt to resend the objects in separate, smaller batches if the issue is encountered.
-* The Synchronization Service Key Management application has been removed from Windows Start Menu. Management of encryption key will continue to be supported through command-line interface using miiskmu.exe. For information about managing encryption key, refer to article [Abandoning the Azure AD Connect Sync encryption key](./how-to-connect-sync-change-serviceacct-pass.md#abandoning-the-adsync-service-account-encryption-key).
-* Previously, if you change the Azure AD Connect sync service account password, the Synchronization Service will not be able start correctly until you've abandoned the encryption key and reinitialized the Azure AD Connect sync service account password. Now, this process is no longer required.
+* On your Microsoft Entra tenant, there is a service configuration which indicates whether Password Synchronization feature is enabled for your tenant or not. Previously, it's easy for the service configuration to be incorrectly configured by Microsoft Entra Connect when you've an active and a staging server. Now, Microsoft Entra Connect will attempt to keep the service configuration consistent with your active Microsoft Entra Connect server only.
+* Microsoft Entra Connect wizard now detects and returns a warning if on-premises AD does not have AD Recycle Bin enabled.
+* Previously, Export to Microsoft Entra ID times out and fails if the combined size of the objects in the batch exceeds certain threshold. Now, the Synchronization Service will reattempt to resend the objects in separate, smaller batches if the issue is encountered.
+* The Synchronization Service Key Management application has been removed from Windows Start Menu. Management of encryption key will continue to be supported through command-line interface using miiskmu.exe. For information about managing encryption key, refer to article [Abandoning the Microsoft Entra Connect Sync encryption key](./how-to-connect-sync-change-serviceacct-pass.md#abandoning-the-adsync-service-account-encryption-key).
+* Previously, if you change the Microsoft Entra Connect Sync service account password, the Synchronization Service will not be able start correctly until you've abandoned the encryption key and reinitialized the Microsoft Entra Connect Sync service account password. Now, this process is no longer required.
Desktop SSO
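Review bot: "the Synchronization Service will not be able start correctly" in the last "+" line of this run is missing "to" ("will not be able to start correctly"). Separately, the link in the encryption-key bullet changed only its text; its target, how-to-connect-sync-change-serviceacct-pass.md#abandoning-the-adsync-service-account-encryption-key, is a heading slug, so if the heading in that article is being renamed in the same sweep the anchor will silently break and should be re-checked.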
-* Azure AD Connect wizard no longer requires port 9090 to be opened on the network when configuring Pass-through Authentication and Desktop SSO. Only port 443 is required.
+* Microsoft Entra Connect wizard no longer requires port 9090 to be opened on the network when configuring Pass-through Authentication and Desktop SSO. Only port 443 is required.
## 1.1.443.0 Released: March 2017 **Fixed issues:**
-Azure AD Connect sync
-* Fixed an issue which causes Azure AD Connect wizard to fail if the display name of the Azure AD Connector does not contain the initial onmicrosoft.com domain assigned to the Azure AD tenant.
-* Fixed an issue which causes Azure AD Connect wizard to fail while making connection to SQL database when the password of the Sync Service Account contains special characters such as apostrophe, colon and space.
-* Fixed an issue which causes the error ΓÇ£The dimage has an anchor that is different than the imageΓÇ¥ to occur on an Azure AD Connect server in staging mode, after you've temporarily excluded an on-premises AD object from syncing and then included it again for syncing.
-* Fixed an issue which causes the error ΓÇ£The object located by DN is a phantomΓÇ¥ to occur on an Azure AD Connect server in staging mode, after you've temporarily excluded an on-premises AD object from syncing and then included it again for syncing.
+Microsoft Entra Connect Sync
+* Fixed an issue which causes Microsoft Entra Connect wizard to fail if the display name of the Microsoft Entra Connector does not contain the initial onmicrosoft.com domain assigned to the Microsoft Entra tenant.
+* Fixed an issue which causes Microsoft Entra Connect wizard to fail while making connection to SQL database when the password of the Sync Service Account contains special characters such as apostrophe, colon and space.
+* Fixed an issue which causes the error ΓÇ£The dimage has an anchor that is different than the imageΓÇ¥ to occur on a Microsoft Entra Connect server in staging mode, after you've temporarily excluded an on-premises AD object from syncing and then included it again for syncing.
+* Fixed an issue which causes the error ΓÇ£The object located by DN is a phantomΓÇ¥ to occur on a Microsoft Entra Connect server in staging mode, after you've temporarily excluded an on-premises AD object from syncing and then included it again for syncing.
AD FS management
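Review bot: the two "+" lines that quote error messages carry mis-encoded quotation marks (ΓÇ£The dimage has an anchor that is different than the imageΓÇ¥ and ΓÇ£The object located by DN is a phantomΓÇ¥); if those bytes are in the file rather than an artifact of the diff viewer, replace them with plain ASCII quotes, and do the same for ΓÇ£Unable to access the ADSync SQL databaseΓÇ¥ in the December 2015 hunk and "didnΓÇÖt" in the May 2016 hunk.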
-* Fixed an issue where Azure AD Connect wizard does not update AD FS configuration and set the right claims on the relying party trust after Alternate Login ID is configured.
-* Fixed an issue where Azure AD Connect wizard is unable to correctly handle AD FS servers whose service accounts are configured using userPrincipalName format instead of sAMAccountName format.
+* Fixed an issue where Microsoft Entra Connect wizard does not update AD FS configuration and set the right claims on the relying party trust after Alternate Login ID is configured.
+* Fixed an issue where Microsoft Entra Connect wizard is unable to correctly handle AD FS servers whose service accounts are configured using userPrincipalName format instead of sAMAccountName format.
Pass-through Authentication
-* Fixed an issue which causes Azure AD Connect wizard to fail if Pass Through Authentication is selected but registration of its connector fails.
-* Fixed an issue which causes Azure AD Connect wizard to bypass validation checks on sign-in method selected when Desktop SSO feature is enabled.
+* Fixed an issue which causes Microsoft Entra Connect wizard to fail if Pass Through Authentication is selected but registration of its connector fails.
+* Fixed an issue which causes Microsoft Entra Connect wizard to bypass validation checks on sign-in method selected when Desktop SSO feature is enabled.
Password Reset
-* Fixed an issue which may cause the Azure Azure AD Connect server to not attempt to re-connect if the connection was killed by a firewall or proxy.
+* Fixed an issue which may cause the Azure Microsoft Entra Connect server to not attempt to re-connect if the connection was killed by a firewall or proxy.
**New features/improvements:**
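Review bot: the Password Reset fix now reads "the Azure Microsoft Entra Connect server", a mechanical rename of the original's doubled "Azure Azure AD Connect server"; drop the stray leading "Azure" so the line reads "may cause the Microsoft Entra Connect server to not attempt to re-connect".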
-Azure AD Connect sync
+Microsoft Entra Connect Sync
* Get-ADSyncScheduler cmdlet now returns a new Boolean property named SyncCycleInProgress. If the returned value is true, it means that there is a scheduled synchronization cycle in progress.
-* Destination folder for storing Azure AD Connect installation and setup logs has been moved from %localappdata%\AADConnect to %programdata%\AADConnect to improve accessibility to the log files.
+* Destination folder for storing Microsoft Entra Connect installation and setup logs has been moved from %localappdata%\AADConnect to %programdata%\AADConnect to improve accessibility to the log files.
AD FS management * Added support for updating AD FS Farm TLS/SSL Certificate. * Added support for managing AD FS 2016. * You can now specify existing gMSA (Group Managed Service Account) during AD FS installation.
-* You can now configure SHA-256 as the signature hash algorithm for Azure AD relying party trust.
+* You can now configure SHA-256 as the signature hash algorithm for Microsoft Entra ID relying party trust.
Password Reset * Introduced improvements to allow the product to function in environments with more stringent firewall rules.
Released: December 2016
* Fixed the issue where the issuerid claim rule for Active Directory Federation Services (AD FS) is missing in this build. >[!NOTE]
->This build is not available to customers through the Azure AD Connect Auto Upgrade feature.
+>This build is not available to customers through the Microsoft Entra Connect Auto Upgrade feature.
## 1.1.371.0 Released: December 2016 **Known issue:**
-* The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Azure Active Directory (Azure AD). If you are using Azure AD Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after the installation/upgrade. For details on adding the issuerid claim rule, refer to this article on [Multiple domain support for federating with Azure AD](how-to-connect-install-multiple-domains.md).
+* The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Microsoft Entra ID. If you are using Microsoft Entra Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after the installation/upgrade. For details on adding the issuerid claim rule, refer to this article on [Multiple domain support for federating with Microsoft Entra ID](how-to-connect-install-multiple-domains.md).
**Fixed issue:**
-* If Port 9090 is not opened for the outbound connection, the Azure AD Connect installation or upgrade fails.
+* If Port 9090 is not opened for the outbound connection, the Microsoft Entra Connect installation or upgrade fails.
>[!NOTE]
->This build is not available to customers through the Azure AD Connect Auto Upgrade feature.
+>This build is not available to customers through the Microsoft Entra Connect Auto Upgrade feature.
## 1.1.370.0 Released: December 2016 **Known issues:**
-* The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Azure AD. If you are using Azure AD Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after installation/upgrade. For details on adding issuerid claim rule, refer to this article on [Multiple domain support for federating with Azure AD](how-to-connect-install-multiple-domains.md).
+* The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Microsoft Entra ID. If you are using Microsoft Entra Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after installation/upgrade. For details on adding issuerid claim rule, refer to this article on [Multiple domain support for federating with Microsoft Entra ID](how-to-connect-install-multiple-domains.md).
* Port 9090 must be open outbound to complete installation. **New features:**
Released: December 2016
* Pass-through Authentication (Preview). >[!NOTE]
->This build is not available to customers through the Azure AD Connect Auto Upgrade feature.
+>This build is not available to customers through the Microsoft Entra Connect Auto Upgrade feature.
## 1.1.343.0 Released: November 2016 **Known issue:**
-* The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Azure AD. If you are using Azure AD Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after installation/upgrade. For details on adding issuerid claim rule, refer to this article on [Multiple domain support for federating with Azure AD](how-to-connect-install-multiple-domains.md).
+* The issuerid claim rule for AD FS is missing in this build. The issuerid claim rule is required if you are federating multiple domains with Microsoft Entra ID. If you are using Microsoft Entra Connect to manage your on-premises AD FS deployment, upgrading to this build removes the existing issuerid claim rule from your AD FS configuration. You can work around the issue by adding the issuerid claim rule after installation/upgrade. For details on adding issuerid claim rule, refer to this article on [Multiple domain support for federating with Microsoft Entra ID](how-to-connect-install-multiple-domains.md).
**Fixed issues:**
-* Sometimes, installing Azure AD Connect fails because it's unable to create a local service account whose password meets the level of complexity specified by the organization's password policy.
+* Sometimes, installing Microsoft Entra Connect fails because it's unable to create a local service account whose password meets the level of complexity specified by the organization's password policy.
* Fixed an issue where join rules aren't reevaluated when an object in the connector space simultaneously becomes out-of-scope for one join rule and become in-scope for another. This can happen if you've two or more join rules whose join conditions are mutually exclusive.
-* Fixed an issue where inbound synchronization rules (from Azure AD), which don't contain join rules, aren't processed if they have lower precedence values than those containing join rules.
+* Fixed an issue where inbound synchronization rules (from Microsoft Entra ID), which don't contain join rules, aren't processed if they have lower precedence values than those containing join rules.
**Improvements:**
-* Added support for installing Azure AD Connect on Windows Server 2016 Standard or higher.
-* Added support for using SQL Server 2016 as the remote database for Azure AD Connect.
+* Added support for installing Microsoft Entra Connect on Windows Server 2016 Standard or higher.
+* Added support for using SQL Server 2016 as the remote database for Microsoft Entra Connect.
## 1.1.281.0 Released: August 2016
Released: August 2016
**Fixed issues:** * Changes to sync interval don't take place until after the next sync cycle is complete.
-* Azure AD Connect wizard does not accept an Azure AD account whose username starts with an underscore (\_).
-* Azure AD Connect wizard fails to authenticate the Azure AD account if the account password contains too many special characters. Error message "Unable to validate credentials. An unexpected error has occurred." is returned.
-* Uninstalling staging server disables password synchronization in Azure AD tenant and causes password synchronization to fail with active server.
+* Microsoft Entra Connect wizard does not accept a Microsoft Entra account whose username starts with an underscore (\_).
+* Microsoft Entra Connect wizard fails to authenticate the Microsoft Entra account if the account password contains too many special characters. Error message "Unable to validate credentials. An unexpected error has occurred." is returned.
+* Uninstalling staging server disables password synchronization in Microsoft Entra tenant and causes password synchronization to fail with active server.
* Password synchronization fails in uncommon cases when there is no password hash stored on the user.
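Review bot: "disables password synchronization in Microsoft Entra tenant and causes password synchronization to fail with active server" is missing its articles, as the original "in Azure AD tenant" was; "in the Microsoft Entra tenant" and "with the active server" read correctly.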
-* When Azure AD Connect server is enabled for staging mode, password writeback is not temporarily disabled.
-* Azure AD Connect wizard does not show the actual password synchronization and password writeback configuration when server is in staging mode. It always shows them as disabled.
-* Configuration changes to password synchronization and password writeback aren't persisted by Azure AD Connect wizard when server is in staging mode.
+* When Microsoft Entra Connect server is enabled for staging mode, password writeback is not temporarily disabled.
+* Microsoft Entra Connect wizard does not show the actual password synchronization and password writeback configuration when server is in staging mode. It always shows them as disabled.
+* Configuration changes to password synchronization and password writeback aren't persisted by Microsoft Entra Connect wizard when server is in staging mode.
**Improvements:** * Updated the Start-ADSyncSyncCycle cmdlet to indicate whether it's able to successfully start a new sync cycle or not. * Added the Stop-ADSyncSyncCycle cmdlet to terminate sync cycle and operation, which are currently in progress. * Updated the Stop-ADSyncScheduler cmdlet to terminate sync cycle and operation, which are currently in progress.
-* When configuring [Directory extensions](how-to-connect-sync-feature-directory-extensions.md) in Azure AD Connect wizard, the Azure AD attribute of type "Teletex string" can now be selected.
+* When configuring [Directory extensions](how-to-connect-sync-feature-directory-extensions.md) in Microsoft Entra Connect wizard, the Microsoft Entra attribute of type "Teletex string" can now be selected.
## 1.1.189.0 Released: June 2016 **Fixed issues and improvements:**
-* Azure AD Connect can now be installed on a FIPS-compliant server.
+* Microsoft Entra Connect can now be installed on a FIPS-compliant server.
* For password synchronization, see [Password hash sync and FIPS](how-to-connect-password-hash-synchronization.md#password-hash-synchronization-and-fips). * Fixed an issue where a NetBIOS name could not be resolved to the FQDN in the Active Directory Connector.
Released: May 2016
**New features:**
-* Warns and helps you verify domains if you didnΓÇÖt do it before running Azure AD Connect.
+* Warns and helps you verify domains if you didnΓÇÖt do it before running Microsoft Entra Connect.
* Added support for [Microsoft Cloud Germany](reference-connect-instances.md#microsoft-cloud-germany). * Added support for the latest [Microsoft Azure Government cloud](reference-connect-instances.md#microsoft-azure-government) infrastructure with new URL requirements.
Released: February 2016
* Upgrade from earlier releases does not work if the installation is not in the default C:\Program Files folder. * If you install and clear **Start the synchronization process** at the end of the installation wizard, running the installation wizard a second time will not enable the scheduler. * The scheduler doesn't work as expected on servers where the US-en date/time format is not used. It will also block `Get-ADSyncScheduler` to return correct times.
-* If you installed an earlier release of Azure AD Connect with AD FS as the sign-in option and upgrade, you cannot run the installation wizard again.
+* If you installed an earlier release of Microsoft Entra Connect with AD FS as the sign-in option and upgrade, you cannot run the installation wizard again.
## 1.1.105.0 Released: February 2016
Released: February 2016
**New features:** * [Automatic upgrade](how-to-connect-install-automatic-upgrade.md) feature for Express settings customers.
-* Support for the Hybrid Identity Administrator by using Azure AD Multi-Factor Authentication and Privileged Identity Management in the installation wizard.
- * You need to allow your proxy to also allow traffic to ```https://secure.aadcdn.microsoftonline-p.com``` if you use Multi-Factor Authentication.
- * You need to add ```https://secure.aadcdn.microsoftonline-p.com``` to your trusted sites list for Multi-Factor Authentication to properly work.
+* Support for the Hybrid Identity Administrator by using Microsoft Entra multifactor Authentication and Privileged Identity Management in the installation wizard.
+ * You need to allow your proxy to also allow traffic to ```https://secure.aadcdn.microsoftonline-p.com``` if you use multifactor authentication.
+ * You need to add ```https://secure.aadcdn.microsoftonline-p.com``` to your trusted sites list for multifactor authentication to properly work.
* Allow changing the user's sign-in method after initial installation. * Allow [Domain and OU filtering](how-to-connect-install-custom.md#domain-and-ou-filtering) in the installation wizard. This also allows connecting to forests where not all domains are available. * [Scheduler](how-to-connect-sync-feature-scheduler.md) is built in to the sync engine.
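Review bot: "Microsoft Entra multifactor Authentication" mixes cases in the first "+" line while the two sub-bullets use "multifactor authentication"; pick one form (lowercase "multifactor authentication" matches the sub-bullets) and use it in all three lines. The first sub-bullet also doubles "allow" ("You need to allow your proxy to also allow traffic to ..."); "You also need to allow proxy traffic to ..." says the same thing.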
Released: December 2015
**Fixed issues:** * Password sync might not work when you change passwords in Active Directory Domain Services (AD DS), but works when you do set a password.
-* When you've a proxy server, authentication to Azure AD might fail during installation, or if an upgrade is canceled on the configuration page.
-* Updating from a previous release of Azure AD Connect with a full SQL Server instance fails if you aren't a SQL Server system administrator (SA).
-* Updating from a previous release of Azure AD Connect with a remote SQL Server shows the ΓÇ£Unable to access the ADSync SQL databaseΓÇ¥ error.
+* When you've a proxy server, authentication to Microsoft Entra ID might fail during installation, or if an upgrade is canceled on the configuration page.
+* Updating from a previous release of Microsoft Entra Connect with a full SQL Server instance fails if you aren't a SQL Server system administrator (SA).
+* Updating from a previous release of Microsoft Entra Connect with a remote SQL Server shows the ΓÇ£Unable to access the ADSync SQL databaseΓÇ¥ error.
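Review bot: the added bullet "Support for the Hybrid Identity Administrator by using Microsoft Entra multifactor Authentication and Privileged Identity Management" capitalizes "Authentication", while the two sub-bullets directly under it write "multifactor authentication" in lowercase; use one casing for all three. The first sub-bullet also keeps the redundant "allow your proxy to also allow traffic"; "allow traffic through your proxy to `https://secure.aadcdn.microsoftonline-p.com`" says the same thing. Further down in the same hunk, "When you've a proxy server, authentication to Microsoft Entra ID might fail" carries over an awkward contraction; "When you use a proxy server" reads correctly.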
## 1.0.9125.0 Released: November 2015 **New features:**
-* Can reconfigure AD FS to Azure AD trust.
+* Can reconfigure AD FS to Microsoft Entra ID trust.
* Can refresh the Active Directory schema and regenerate sync rules. * Can disable a sync rule. * Can define "AuthoritativeNull" as a new literal in a sync rule. **New preview features:**
-* [Azure AD Connect Health for sync](how-to-connect-health-sync.md).
-* Support for [Azure AD Domain Services](https://support.microsoft.com/account-billing/reset-your-work-or-school-password-using-security-info-23dde81f-08bb-4776-ba72-e6b72b9dda9e) password synchronization.
+* [Microsoft Entra Connect Health for sync](how-to-connect-health-sync.md).
+* Support for [Microsoft Entra Domain Services](https://support.microsoft.com/account-billing/reset-your-work-or-school-password-using-security-info-23dde81f-08bb-4776-ba72-e6b72b9dda9e) password synchronization.
**New supported scenario:**
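Review bot: the link text "Microsoft Entra Domain Services" in the password synchronization preview bullet points at a support article about resetting a work or school password with security info, not at a Domain Services page; the rename only touched the visible text and left the mismatched target in place. Either fix the target or drop the link rather than carrying the mismatch forward under the new name.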
Released: November 2015
* The password retry queue is infinite and the previous limit of 5,000 objects to be retired has been removed. * Not able to connect to Active Directory with Windows Server 2016 forest-functional level. * Not able to change the group that is used for group filtering after the initial installation.
-* No longer creates a new user profile on the Azure AD Connect server for every user doing a password change with password writeback enabled.
+* No longer creates a new user profile on the Microsoft Entra Connect server for every user doing a password change with password writeback enabled.
* Not able to use Long Integer values in sync rules scopes. * The check box "device writeback" remains disabled if there are unreachable domain controllers.
Released: August 2015
**New features:**
-* The Azure AD Connect installation wizard is now localized to all Windows Server languages.
-* Added support for account unlock when using Azure AD password management.
+* The Microsoft Entra Connect installation wizard is now localized to all Windows Server languages.
+* Added support for account unlock when using Microsoft Entra password management.
**Fixed issues:**
-* Azure AD Connect installation wizard crashes if another user continues installation rather than the person who first started the installation.
-* If a previous uninstallation of Azure AD Connect fails to uninstall Azure AD Connect sync cleanly, it's not possible to reinstall.
-* Cannot install Azure AD Connect using Express installation if the user is not in the root domain of the forest or if a non-English version of Active Directory is used.
+* Microsoft Entra Connect installation wizard crashes if another user continues installation rather than the person who first started the installation.
+* If a previous uninstallation of Microsoft Entra Connect fails to uninstall Microsoft Entra Connect Sync cleanly, it's not possible to reinstall.
+* Cannot install Microsoft Entra Connect using Express installation if the user is not in the root domain of the forest or if a non-English version of Active Directory is used.
* If the FQDN of the Active Directory user account cannot be resolved, a misleading error message ΓÇ£Failed to commit the schemaΓÇ¥ is shown. * If the account used on the Active Directory Connector is changed outside the wizard, the wizard fails on subsequent runs.
-* Azure AD Connect sometimes fails to install on a domain controller.
+* Microsoft Entra Connect sometimes fails to install on a domain controller.
* Cannot enable and disable ΓÇ£Staging modeΓÇ¥ if extension attributes have been added. * Password writeback fails in some configurations because of a bad password on the Active Directory Connector. * DirSync cannot be upgraded if a distinguished name (DN) is used in attribute filtering.
Released: August 2015
## 1.0.8641.0 Released: June 2015
-**Initial release of Azure AD Connect.**
+**Initial release of Microsoft Entra Connect.**
-Changed name from Azure AD Sync to Azure AD Connect.
+Changed name from Azure AD Sync to Microsoft Entra Connect.
**New features:**
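Review bot: the June 2015 entry now reads "Initial release of Microsoft Entra Connect" and "Changed name from Azure AD Sync to Microsoft Entra Connect", which is historically wrong: that release renamed Azure AD Sync to Azure AD Connect, and the Microsoft Entra name arrived years later. A rename statement records what the product was called at the time, so these two lines should keep "Azure AD Connect", in the same way the page keeps "Initial release of Azure AD Sync" and "Azure AD Sync" in the article description.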
Released: May 2015
**Fixed issues:**
-* Password writeback from Azure AD is failing with an Azure Service Bus connectivity error.
+* Password writeback from Microsoft Entra ID is failing with an Azure Service Bus connectivity error.
## 1.0.491.0413 Released: April 2015
Released: April 2015
**Fixed issues and improvements:** * The Active Directory Connector does not process deletes correctly if the recycle bin is enabled and there are multiple domains in the forest.
-* The performance of import operations has been improved for the Azure Active Directory Connector.
-* When a group has exceeded the membership limit (by default, the limit's set to 50,000 objects), the group was deleted in Azure Active Directory. With the new behavior, the group is not deleted, an error is thrown, and new membership changes aren't exported.
+* The performance of import operations has been improved for the Microsoft Entra Connector.
+* When a group has exceeded the membership limit (by default, the limit's set to 50,000 objects), the group was deleted in Microsoft Entra ID. With the new behavior, the group is not deleted, an error is thrown, and new membership changes aren't exported.
* A new object cannot be provisioned if a staged delete with the same DN is already present in the connector space. * Some objects are marked for synchronization during a delta sync even though there's no change staged on the object. * Forcing a password sync also removes the preferred DC list.
Released: February 2015
* Password Sync honors the cloudFiltered attribute that is used by attribute filtering. Filtered objects are no longer in scope for password synchronization. * In rare situations where the topology had many domain controllers, password sync doesnΓÇÖt work.
-* ΓÇ£Stopped-serverΓÇ¥ when importing from the Azure AD Connector after device management has been enabled in Azure AD/Intune.
+* ΓÇ£Stopped-serverΓÇ¥ when importing from the Microsoft Entra Connector after device management has been enabled in Azure AD/Intune.
* Joining Foreign Security Principals (FSPs) from multiple domains in same forest causes an ambiguous-join error. ## 1.0.475.1202
Released: October 2014
**New features:**
-* Password synchronization from multiple on-premises Active Directory to Azure AD.
+* Password synchronization from multiple on-premises Active Directory to Microsoft Entra ID.
* Localized installation UI to all Windows Server languages. **Upgrading from AADSync 1.0 GA**
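Review bot: the "Stopped-server" bullet is renamed to "importing from the Microsoft Entra Connector" but the same line still ends with "device management has been enabled in Azure AD/Intune"; either rename that to "Microsoft Entra ID/Intune" too or leave the whole sentence as it was, since a half-renamed line is what readers notice. In the October 2014 entry, "Password synchronization from multiple on-premises Active Directory to Microsoft Entra ID" is missing its noun; "multiple on-premises Active Directory forests" is the likely intent and should be confirmed while the line is being touched.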
Released: September 2014
**Initial release of Azure AD Sync.** ## Next steps
-Learn more about [Integrating your on-premises identities with Azure Active Directory](../whatis-hybrid-identity.md).
+Learn more about [Integrating your on-premises identities with Microsoft Entra ID](../whatis-hybrid-identity.md).
active-directory Reference Connect Version History https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/reference-connect-version-history.md
Title: 'Azure AD Connect: Version release history'
-description: This article lists all releases of Azure AD Connect and Azure AD Sync.
+ Title: 'Microsoft Entra Connect: Version release history'
+description: This article lists all releases of Microsoft Entra Connect and Azure AD Sync.
ms.assetid: ef2797d7-d440-4a9a-a648-db32ad137494
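Review bot: the new front-matter line is shown as "+ Title: 'Microsoft Entra Connect: Version release history'" with a space before "Title", while the original "Title:" line starts at column 0; in YAML front matter a leading space on one top-level key and none on the next ("description:") is an indentation error that can make the metadata block fail to parse. Confirm the space is a rendering artifact or remove it before merging.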
-# Azure AD Connect: Version release history
+# Microsoft Entra Connect: Version release history
-The Azure Active Directory (Azure AD) team regularly updates Azure AD Connect with new features and functionality. Not all additions apply to all audiences.
+The Microsoft Entra team regularly updates Microsoft Entra Connect with new features and functionality. Not all additions apply to all audiences.
This article helps you keep track of the versions that have been released and understand what the changes are in the latest version. ## Looking for the latest versions?
-You can upgrade your Azure AD Connect server from all supported versions with the latest versions:
+You can upgrade your Microsoft Entra Connect server from all supported versions with the latest versions:
-You can download the latest version of Azure AD Connect 2.0 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=47594). See the [release notes for the latest V2.0 release](reference-connect-version-history.md#21200).\
+You can download the latest version of Microsoft Entra Connect 2.0 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=47594). See the [release notes for the latest V2.0 release](reference-connect-version-history.md#21200).\
Get notified about when to revisit this page for updates by copying and pasting this URL: `https://aka.ms/aadconnectrss` into your ![RSS feed reader icon](media/reference-connect-version-history/feed-icon-16x16.png) feed reader.
The following table lists related topics:
Topic | Details | |
-Steps to upgrade from Azure AD Connect | Different methods to [upgrade from a previous version to the latest](how-to-upgrade-previous-version.md) Azure AD Connect release.
-Required permissions | For permissions required to apply an update, see [Azure AD Connect: Accounts and permissions](reference-connect-accounts-permissions.md#upgrade).
+Steps to upgrade from Microsoft Entra Connect | Different methods to [upgrade from a previous version to the latest](how-to-upgrade-previous-version.md) Microsoft Entra Connect release.
+Required permissions | For permissions required to apply an update, see [Microsoft Entra Connect: Accounts and permissions](reference-connect-accounts-permissions.md#upgrade).
-## Retiring Azure AD Connect 1.x versions
+<a name='retiring-azure-ad-connect-1x-versions'></a>
+
+## Retiring Microsoft Entra Connect 1.x versions
> [!IMPORTANT]
-> Action required: Synchronization will stop working on October 1, 2023, for any customers still running Azure AD Connect Sync V1. Customers using cloud sync or Azure AD Connect V2 will remain fully operational with no action required. For more information and next step guidance, see [Decommission Azure AD Connect V1](https://aka.ms/DecommissionAADConnectV1) if an upgrade is required.
+> Action required: Synchronization will stop working on October 1, 2023, for any customers still running Microsoft Entra Connect Sync V1. Customers using cloud sync or Microsoft Entra Connect V2 will remain fully operational with no action required. For more information and next step guidance, see [Decommission Azure AD Connect V1](https://aka.ms/DecommissionAADConnectV1) if an upgrade is required.
+
+<a name='retiring-azure-ad-connect-2x-versions'></a>
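Review bot: inside the IMPORTANT box the sentence was renamed to "Microsoft Entra Connect Sync V1" but the link text remains "Decommission Azure AD Connect V1"; if the aka.ms target keeps its old title that is acceptable, but then the mismatch is deliberate and should not be flagged again in the next rename pass, so either align the text or leave a comment. The clause "if an upgrade is required" also dangles after the link; "For more information and next-step guidance if an upgrade is required, see ..." attaches it to the right verb.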
-## Retiring Azure AD Connect 2.x versions
+## Retiring Microsoft Entra Connect 2.x versions
> [!IMPORTANT]
-> We will begin retiring past versions of Azure AD Connect Sync 2.x 12 months from the date they are superseded by a newer version.
+> We will begin retiring past versions of Microsoft Entra Connect Sync 2.x 12 months from the date they are superseded by a newer version.
> This policy will go into effect on 15 March 2023, when we will retire all versions that are superseded by a newer version on 15 March 2022. > > Currently only builds 2.1.16.0 (release August 8th 2022) or later are supported. >
-> If you are not already using the latest release version of Azure AD Connect Sync, you should upgrade your Azure AD Connect Sync software before that date.
+> If you are not already using the latest release version of Microsoft Entra Connect Sync, you should upgrade your Microsoft Entra Connect Sync software before that date.
-If you run a retired version of Azure AD Connect, it might unexpectedly stop working. You also might not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools, and service enhancements. If you require support, we might not be able to provide you with the level of service your organization needs.
+If you run a retired version of Microsoft Entra Connect, it might unexpectedly stop working. You also might not have the latest security fixes, performance improvements, troubleshooting and diagnostic tools, and service enhancements. If you require support, we might not be able to provide you with the level of service your organization needs.
-To learn more about what has changed in V2.0 and how this change affects you, see [Azure AD Connect V2.0](whatis-azure-ad-connect-v2.md).
+To learn more about what has changed in V2.0 and how this change affects you, see [Microsoft Entra Connect V2.0](whatis-azure-ad-connect-v2.md).
-To learn more about how to upgrade Azure AD Connect to the latest version, see [Azure AD Connect: Upgrade from a previous version to the latest](./how-to-upgrade-previous-version.md).
+To learn more about how to upgrade Microsoft Entra Connect to the latest version, see [Microsoft Entra Connect: Upgrade from a previous version to the latest](./how-to-upgrade-previous-version.md).
-For version history information on retired versions, see [Azure AD Connect: Version release history archive](reference-connect-version-history-archive.md).
+For version history information on retired versions, see [Microsoft Entra Connect: Version release history archive](reference-connect-version-history-archive.md).
> [!NOTE]
-> Releasing a new version of Azure AD Connect requires several quality-control steps to ensure the operation functionality of the service. While we go through this process, the version number of a new release and the release status are updated to reflect the most recent state.
+> Releasing a new version of Microsoft Entra Connect requires several quality-control steps to ensure the operation functionality of the service. While we go through this process, the version number of a new release and the release status are updated to reflect the most recent state.
-Not all releases of Azure AD Connect are made available for autoupgrade. The release status indicates whether a release is made available for autoupgrade or for download only. If autoupgrade was enabled on your Azure AD Connect server, that server automatically upgrades to the latest version of Azure AD Connect that's released for autoupgrade. Not all Azure AD Connect configurations are eligible for autoupgrade.
+Not all releases of Microsoft Entra Connect are made available for autoupgrade. The release status indicates whether a release is made available for autoupgrade or for download only. If autoupgrade was enabled on your Microsoft Entra Connect server, that server automatically upgrades to the latest version of Microsoft Entra Connect that's released for autoupgrade. Not all Microsoft Entra Connect configurations are eligible for autoupgrade.
Auto-upgrade is meant to push all important updates and critical fixes to you. It isn't necessarily the latest version because not all versions will require or include a fix to a critical security issue. (This example is just one of many.) Critical issues are usually addressed with a new version provided via autoupgrade. If there are no such issues, there are no updates pushed out by using autoupgrade. In general, if you're using the latest autoupgrade version, you should be good. If you want all the latest features and updates, check this page and install what you need.
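Review bot: "to ensure the operation functionality of the service" in the NOTE carries an existing typo into the renamed line; "operational functionality", or simply "the operation of the service", is meant. The autoupgrade paragraph that follows also contains "(This example is just one of many.)" with no example before it; drop the parenthetical or name the example it refers to.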
-To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md).
+To read more about autoupgrade, see [Microsoft Entra Connect: Automatic upgrade](how-to-connect-install-automatic-upgrade.md).
## 2.2.1.0
To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to
### Functional Changes - We have enabled Auto Upgrade for tenants with custom synchronization rules. Note that deleted (not disabled) default rules will be re-created and enabled upon Auto Upgrade.
+ - We have added Microsoft Entra Connect Agent Updater service to the install. This new service will be used for future auto upgrades.
- We have removed the Synchronization Service WebService Connector Config program from the install. - Default sync rule ΓÇ£In from AD ΓÇô User CommonΓÇ¥ was updated to flow the employeeType attribute.
To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to
### Bug fixes
+ - We fixed a bug where the new employeeLeaveDateTime attribute wasn't syncing correctly in version 2.1.19.0. Note that if the incorrect attribute was already used in a rule, then the rule must be updated with the new attribute and any objects in the Microsoft Entra connector space that have the incorrect attribute must be removed with the "Remove-ADSyncCSObject" cmdlet, and then a full sync cycle must be run.
## 2.1.19.0
To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to
### Functional changes
+ - We added a new attribute 'employeeLeaveDateTime' for syncing to Microsoft Entra ID. To learn more about how to use this attribute to manage your users' life cycles, please refer to [this article](../../governance/how-to-lifecycle-workflow-sync-attributes.md)
### Bug fixes
+ - we fixed a bug where Microsoft Entra Connect Password writeback stopped with error code "SSPR_0029 ERROR_ACCESS_DENIED"
## 2.1.18.0
To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to
### Bug fixes - we fixed a bug where upgrade from version 1.6 to version 2.1 got stuck in a loop due to IsMemberOfLocalGroup enumeration.
+ - we fixed a bug where the Microsoft Entra Connect Configuration Wizard was sending incorrect credentials (username format) while validating if Enterprise Admin.
## 2.1.16.0
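Review bot: the two added bug-fix bullets start with a lowercase "we fixed a bug where Microsoft Entra Connect Password writeback stopped ..." and "we fixed a bug where the Microsoft Entra Connect Configuration Wizard was sending incorrect credentials ...", while the surrounding bullets start with "We"; since the lines are being touched anyway, capitalize them. "Password writeback" is also capitalized mid-sentence here but lowercase elsewhere on the page ("password writeback enabled"); the lowercase form is the one to keep.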
To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to
7/6/2022: Released for download, will be made available for autoupgrade soon. > [!IMPORTANT]
-> We have discovered a security vulnerability in the Azure AD Connect Admin Agent. If you have installed the Admin Agent previously it is important that you update your Azure AD Connect server(s) to this version to mitigate the vulnerability.
+> We have discovered a security vulnerability in the Microsoft Entra Connect Admin Agent. If you have installed the Admin Agent previously it is important that you update your Microsoft Entra Connect server(s) to this version to mitigate the vulnerability.
### Functional changes
+ - We have removed the public preview functionality for the Admin Agent from Microsoft Entra Connect. We won't provide this functionality going forward.
- We added support for two new attributes: employeeOrgDataCostCenter and employeeOrgDataDivision.
+ - We added CertificateUserIds attribute to Microsoft Entra Connector static schema.
+ - The Microsoft Entra Connect wizard will now abort if write event logs permission is missing.
- We updated the AADConnect health endpoints to support the US government clouds. - We added new cmdlets ΓÇ£Get-ADSyncToolsDuplicateUsersSourceAnchor and Set-ADSyncToolsDuplicateUsersSourceAnchorΓÇ£ to fix bulk "source anchor has changed" errors. When a new forest is added to AADConnect with duplicate user objects, the objects are running into bulk "source anchor has changed" errors. This is happening due to the mismatch between msDsConsistencyGuid & ImmutableId. More information about this module and the new cmdlets can be found in [this article](./reference-connect-adsynctools.md).
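Review bot: the IMPORTANT box says customers who installed the Admin Agent must update to this version "to mitigate the vulnerability", and the first functional change says the Admin Agent public preview "has been removed"; together they should state whether upgrading uninstalls an existing Admin Agent or whether the administrator has to remove it separately, because a reader who only upgrades needs to know if the vulnerable component is still on the server. Same hunk: the cmdlet names "Get-ADSyncToolsDuplicateUsersSourceAnchor and Set-ADSyncToolsDuplicateUsersSourceAnchor" are wrapped in two opening quotation marks; close the quote.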
To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to
- We fixed a bug to prevent database corruption when using localDB. - We added timeout and size limit errors to the connection log. - We fixed a bug where, if child domain has a user with same name as parent domain user that happens to be an enterprise admin, the group membership failed.
+ - We updated the expressions used in the "In from Microsoft Entra ID - Group SOAInAAD" rule to limit the description attribute to 448 characters.
- We made a change to set extended rights for "Unexpire Password" for Password Reset. - We modified the AD connector upgrade to refresh the schema ΓÇô we no longer show constructed and non-replicated attributes in the Wizard during upgrade. - We fixed a bug in ADSyncConfig functions ConvertFQDNtoDN and ConvertDNtoFQDN - If a user decides to set variables called '$dn' or '$fqdn', these variables will no longer be used inside the script scope.
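Review bot: the rule name in "In from Microsoft Entra ID - Group SOAInAAD" is the literal display name of a default synchronization rule, not prose; the rename changed only the prefix and left the rule's own "SOAInAAD" suffix as-is, so if the rule in the Synchronization Rules Editor of this build still carries its "AAD" prefix, readers will search for a rule that does not exist. Keep the name exactly as the tool shows it, as was done for the "In from AD – User Common" rule higher up in this hunk.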
To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to
### Functional changes -- We updated the Azure AD Connect Health component in this release from version 3.1.110.0 to version 3.2.1823.12. This new version provides compliance of the Azure AD Connect Health component with the [Federal Information Processing Standards (FIPS)](https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips) requirements.
+- We updated the Microsoft Entra Connect Health component in this release from version 3.1.110.0 to version 3.2.1823.12. This new version provides compliance of the Microsoft Entra Connect Health component with the [Federal Information Processing Standards (FIPS)](https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips) requirements.
## 2.0.89.0
To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to
### Bug fixes - We fixed a bug in version 2.0.88.0 where, under certain conditions, linked mailboxes of disabled users and mailboxes of certain resource objects, were getting deleted.-- We fixed an issue which causes upgrade to Azure AD Connect version 2.x to fail, when using SQL localdb along with a VSA service account for ADSync.
+- We fixed an issue which causes upgrade to Microsoft Entra Connect version 2.x to fail, when using SQL localdb along with a VSA service account for ADSync.
## 2.0.88.0 > [!NOTE]
-> This release requires Windows Server 2016 or newer. It fixes a vulnerability that's present in version 2.0 of Azure AD Connect and other bug fixes and minor feature updates.
+> This release requires Windows Server 2016 or newer. It fixes a vulnerability that's present in version 2.0 of Microsoft Entra Connect and other bug fixes and minor feature updates.
### Release status
To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to
- We upgraded the version of Microsoft.Data.OData from 5.8.1 to 5.8.4 to fix a vulnerability. - Accessibility fixes:
- - We made the Azure AD Connect wizard resizable to account for different zoom levels and screen resolutions.
+ - We made the Microsoft Entra Connect wizard resizable to account for different zoom levels and screen resolutions.
- We named elements to satisfy accessibility requirements. - We fixed a bug where miisserver failed because of a null reference.-- We fixed a bug to ensure the desktop SSO value persists after upgrading Azure AD Connect to a newer version.
+- We fixed a bug to ensure the desktop SSO value persists after upgrading Microsoft Entra Connect to a newer version.
- We modified the inetorgperson sync rules to fix an issue with account/resource forests. - We fixed a radio button test to display a **Link More** link.
To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to
- We made a change so that group writeback DN is now configurable with the display name of the synced group. - We removed the hard requirement for exchange schema when you enable group writeback.-- Azure AD Kerberos changes:
+- Microsoft Entra Kerberos changes:
- We extended the PowerShell command to support custom top-level names for trusted object creation.
- - We made a change to set an official brand name for the Azure AD Kerberos feature.
+ - We made a change to set an official brand name for the Microsoft Entra Kerberos feature.
## 1.6.16.0 > [!NOTE]
-> This release is an update release of Azure AD Connect. This version is intended to be used by customers who are running an older version of Windows Server and can't upgrade their server to Windows Server 2016 or newer at this time. You can't use this version to update an Azure AD Connect V2.0 server.
+> This release is an update release of Microsoft Entra Connect. This version is intended to be used by customers who are running an older version of Windows Server and can't upgrade their server to Windows Server 2016 or newer at this time. You can't use this version to update a Microsoft Entra Connect V2.0 server.
>
-> Don't install this release on Windows Server 2016 or newer. This release includes SQL Server 2012 components and will be retired on August 31, 2022. Upgrade your Server OS and Azure AD Connect version before that date.
+> Don't install this release on Windows Server 2016 or newer. This release includes SQL Server 2012 components and will be retired on August 31, 2022. Upgrade your Server OS and Microsoft Entra Connect version before that date.
> > When you upgrade to this V1.6 build or any newer builds, the group membership limit resets to 50,000. When a server is upgraded to this build, or any newer 1.6 builds, reapply the rule changes you applied when you initially increased the group membership limit to 250,000 before you enable sync for the server.
To read more about autoupgrade, see [Azure AD Connect: Automatic upgrade](how-to
### Bug fixes -- We fixed a bug where the autoupgrade process attempted to upgrade Azure AD Connect servers that are running older Windows OS version 2008 or 2008 R2 and failed. These versions of Windows Server are no longer supported. In this release, we only attempt autoupgrade on machines that run Windows Server 2012 or newer.
+- We fixed a bug where the autoupgrade process attempted to upgrade Microsoft Entra Connect servers that are running older Windows OS version 2008 or 2008 R2 and failed. These versions of Windows Server are no longer supported. In this release, we only attempt autoupgrade on machines that run Windows Server 2012 or newer.
- We fixed an issue where, under certain conditions, miisserver failed because of an access violation exception. ### Known issues
When you upgrade to this V1.6 build or any newer builds, the group membership li
## 2.0.28.0 > [!NOTE]
-> This release is a maintenance update release of Azure AD Connect. It requires Windows Server 2016 or newer.
+> This release is a maintenance update release of Microsoft Entra Connect. It requires Windows Server 2016 or newer.
### Release status
A change was made that allows a user to deselect objects and attributes from the
## 1.6.14.2 > [!NOTE]
-> This release is an update release of Azure AD Connect. This version is intended to be used by customers who are running an older version of Windows Server and can't upgrade their server to Windows Server 2016 or newer at this time. You can't use this version to update an Azure AD Connect V2.0 server.
+> This release is an update release of Microsoft Entra Connect. This version is intended to be used by customers who are running an older version of Windows Server and can't upgrade their server to Windows Server 2016 or newer at this time. You can't use this version to update a Microsoft Entra Connect V2.0 server.
We'll begin auto-upgrading eligible tenants when this version is available for download. Auto-upgrade will take a few weeks to complete.
When you upgrade to this V1.6 build or any newer builds, the group membership li
### Functional changes - We added the latest versions of Microsoft Identity Manager (MIM) Connectors (1.1.1610.0). For more information, see the [release history page of the MIM Connectors](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history#1116100-september-2021).-- We added a configuration option to disable the Soft Matching feature in Azure AD Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](/powershell/module/msonline/set-msoldirsyncfeature#example-2--block-soft-matching-for-the-tenant).
+- We added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](/powershell/module/msonline/set-msoldirsyncfeature#example-2--block-soft-matching-for-the-tenant).
### Bug fixes
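Review bot: the Soft Matching bullet recommends disabling the feature "unless you need it to take over cloud-only accounts" but never says why that matters; add the one-sentence reason, that with Soft Matching on, a newly synchronized on-premises object whose matching attributes line up with an existing cloud-only account takes that account over, which is exactly what someone with rights to create on-premises objects could abuse. The bullet also says the option is "in Microsoft Entra Connect" while the linked `Set-MsolDirSyncFeature` example is titled "block soft matching for the tenant"; say plainly that this is a tenant-wide setting applied with that cmdlet, not a wizard setting, so readers do not look for it in the installer.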
When you upgrade to this V1.6 build or any newer builds, the group membership li
## 2.0.25.1 > [!NOTE]
-> This release is a hotfix update release of Azure AD Connect. This release requires Windows Server 2016 or newer. It fixes a security issue that's present in version 2.0 of Azure AD Connect and includes other bug fixes.
+> This release is a hotfix update release of Microsoft Entra Connect. This release requires Windows Server 2016 or newer. It fixes a security issue that's present in version 2.0 of Microsoft Entra Connect and includes other bug fixes.
### Release status
When you upgrade to this V1.6 build or any newer builds, the group membership li
### Bug fixes -- We fixed a security issue where an unquoted path was used to point to the Azure AD Connect service. This path is now a quoted path.-- We fixed an import configuration issue with writeback enabled when you use the existing Azure AD Connector account.
+- We fixed a security issue where an unquoted path was used to point to the Microsoft Entra Connect service. This path is now a quoted path.
+- We fixed an import configuration issue with writeback enabled when you use the existing Microsoft Entra Connector account.
- We fixed an issue in Set-ADSyncExchangeHybridPermissions and other related cmdlets, which were broken from V1.6 because of an invalid inheritance type.-- We fixed an issue with the cmdlet we published in a previous release to set the TLS version. The cmdlet overwrote the keys, which destroyed any values that were in them. Now a new key is created only if one doesn't already exist. We added a warning to let users know the TLS registry changes aren't exclusive to Azure AD Connect and might affect other applications on the same server.
+- We fixed an issue with the cmdlet we published in a previous release to set the TLS version. The cmdlet overwrote the keys, which destroyed any values that were in them. Now a new key is created only if one doesn't already exist. We added a warning to let users know the TLS registry changes aren't exclusive to Microsoft Entra Connect and might affect other applications on the same server.
- We added a check to enforce autoupgrade for V2.0 to require Windows Server 2016 or newer. - We added the Replicating Directory Changes permission in the Set-ADSyncBasicReadPermissions cmdlet. - We made a change to prevent UseExistingDatabase and import configuration from being used together because they could contain conflicting configuration settings. - We made a change to allow a user with the Application Admin role to change the App Proxy service configuration. - We removed the (Preview) label from the labels of **Import/Export** settings. This functionality is generally available. - We changed some labels that still referred to Company Administrator. We now use the role name Global Administrator.-- We created new Azure AD Kerberos PowerShell cmdlets (\*-AADKerberosServer) to add a Claims Transform rule to the Azure AD Service Principal.
+- We created new Microsoft Entra Kerberos PowerShell cmdlets (\*-AADKerberosServer) to add a Claims Transform rule to the Microsoft Entra service principal.
### Functional changes - We added the latest versions of MIM Connectors (1.1.1610.0). For more information, see the [release history page of the MIM Connectors](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history#1116100-september-2021).-- We added a configuration option to disable the Soft Matching feature in Azure AD Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](/powershell/module/msonline/set-msoldirsyncfeature#example-2--block-soft-matching-for-the-tenant).
+- We added a configuration option to disable the Soft Matching feature in Microsoft Entra Connect. We recommend that you disable Soft Matching unless you need it to take over cloud-only accounts. To disable Soft Matching, see [this reference article](/powershell/module/msonline/set-msoldirsyncfeature#example-2--block-soft-matching-for-the-tenant).
## 2.0.10.0
When you upgrade to this V1.6 build or any newer builds, the group membership li
8/19/2021: Released for download only, not available for autoupgrade > [!NOTE]
-> This is a hotfix update release of Azure AD Connect. This release requires Windows Server 2016 or newer. This hotfix addresses an issue that's present in version 2.0 and in Azure AD Connect version 1.6. If you're running Azure AD Connect on an older Windows server, install the [1.6.13.0](#16130) build instead.
+> This is a hotfix update release of Microsoft Entra Connect. This release requires Windows Server 2016 or newer. This hotfix addresses an issue that's present in version 2.0 and in Microsoft Entra Connect version 1.6. If you're running Microsoft Entra Connect on an older Windows server, install the [1.6.13.0](#16130) build instead.
### Release status
### Known issues
-Under certain circumstances, the installer for this version displays an error that states TLS 1.2 isn't enabled and stops the installation. This issue occurs because of an error in the code that verifies the registry setting for TLS 1.2. We'll correct this issue in a future release. If you see this issue, follow the instructions to enable TLS 1.2 in [TLS 1.2 enforcement for Azure AD Connect](reference-connect-tls-enforcement.md).
+Under certain circumstances, the installer for this version displays an error that states TLS 1.2 isn't enabled and stops the installation. This issue occurs because of an error in the code that verifies the registry setting for TLS 1.2. We'll correct this issue in a future release. If you see this issue, follow the instructions to enable TLS 1.2 in [TLS 1.2 enforcement for Microsoft Entra Connect](reference-connect-tls-enforcement.md).
### Bug fixes
We fixed a bug that occurred when a domain was renamed and Password Hash Sync fa
## 1.6.13.0 > [!NOTE]
-> This release is a hotfix update release of Azure AD Connect. It's intended to be used by customers who are running Azure AD Connect on a server with Windows Server 2012 or 2012 R2.
+> This release is a hotfix update release of Microsoft Entra Connect. It's intended to be used by customers who are running Microsoft Entra Connect on a server with Windows Server 2012 or 2012 R2.
8/19/2021: Released for download only, not available for autoupgrade
There are no functional changes in this release.
### Bug fixes > [!NOTE]
-> This release is a hotfix update release of Azure AD Connect. This release requires Windows Server 2016 or newer. It addresses an issue that's present in version 2.0.8.0. This issue isn't present in Azure AD Connect version 1.6.
+> This release is a hotfix update release of Microsoft Entra Connect. This release requires Windows Server 2016 or newer. It addresses an issue that's present in version 2.0.8.0. This issue isn't present in Microsoft Entra Connect version 1.6.
We fixed a bug that occurred when you synced a large number of Password Hash Sync transactions and the Event log entry length exceeded the maximum-allowed length for a Password Hash Sync event entry. We now split the lengthy log entry into multiple entries. ## 2.0.8.0 > [!NOTE]
-> This release is a security update release of Azure AD Connect. This release requires Windows Server 2016 or newer. If you're using an older version of Windows Server, use [version 1.6.11.3](#16113).
+> This release is a security update release of Microsoft Entra Connect. This release requires Windows Server 2016 or newer. If you're using an older version of Windows Server, use [version 1.6.11.3](#16113).
This release addresses a vulnerability as documented in [this CVE](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36949). For more information about this vulnerability, see the CVE.
-To download the latest version of Azure AD Connect 2.0, see the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=47594).
+To download the latest version of Microsoft Entra Connect 2.0, see the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=47594).
### Release status
There are no functional changes in this release.
## 1.6.11.3 > [!NOTE]
-> This release is a security update release of Azure AD Connect. It's intended to be used by customers who are running an older version of Windows Server and can't upgrade their server to Windows Server 2016 or newer at this time. You can't use this version to update an Azure AD Connect V2.0 server.
+> This release is a security update release of Microsoft Entra Connect. It's intended to be used by customers who are running an older version of Windows Server and can't upgrade their server to Windows Server 2016 or newer at this time. You can't use this version to update a Microsoft Entra Connect V2.0 server.
This release addresses a vulnerability as documented in [this CVE](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36949). For more information about this vulnerability, see the CVE.
There are no functional changes in this release.
## 2.0.3.0 > [!NOTE]
-> This release is a major release of Azure AD Connect. For more information, see [Introduction to Azure AD Connect V2.0](whatis-azure-ad-connect-v2.md).
+> This release is a major release of Microsoft Entra Connect. For more information, see [Introduction to Microsoft Entra Connect V2.0](whatis-azure-ad-connect-v2.md).
### Release status
There are no functional changes in this release.
### Functional changes - We upgraded the LocalDB components of SQL Server to SQL 2019.-- This release requires Windows Server 2016 or newer because of the requirements of SQL Server 2019. An in-place upgrade of Windows Server on an Azure AD Connect server isn't supported. For this reason, you might need to use a [swing migration](how-to-upgrade-previous-version.md#swing-migration).-- We enforce the use of TLS 1.2 in this release. If you enabled your Windows Server for TLS 1.2, Azure AD Connect uses this protocol. If TLS 1.2 isn't enabled on the server, you'll see an error message when you attempt to install Azure AD Connect. The installation won't continue until you've enabled TLS 1.2. You can use the new Set-ADSyncToolsTls12 cmdlets to enable TLS 1.2 on your server.-- We made a change so that with this release, you can use the Hybrid Identity Administrator role to authenticate when you install Azure AD Connect. You no longer need to use the Global Administrator role.
+- This release requires Windows Server 2016 or newer because of the requirements of SQL Server 2019. An in-place upgrade of Windows Server on a Microsoft Entra Connect server isn't supported. For this reason, you might need to use a [swing migration](how-to-upgrade-previous-version.md#swing-migration).
+- We enforce the use of TLS 1.2 in this release. If you enabled your Windows Server for TLS 1.2, Microsoft Entra Connect uses this protocol. If TLS 1.2 isn't enabled on the server, you'll see an error message when you attempt to install Microsoft Entra Connect. The installation won't continue until you've enabled TLS 1.2. You can use the new Set-ADSyncToolsTls12 cmdlets to enable TLS 1.2 on your server.
+- We made a change so that with this release, you can use the Hybrid Identity Administrator role to authenticate when you install Microsoft Entra Connect. You no longer need to use the Global Administrator role.
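Review bot: In the TLS 1.2 bullet, "the new Set-ADSyncToolsTls12 cmdlets" is plural but names only the Set- cmdlet, while the ADSyncTools bullet further down lists both Get-ADSyncToolsTls12 and Set-ADSyncToolsTls12; either name both here ("the new Get-ADSyncToolsTls12 and Set-ADSyncToolsTls12 cmdlets") or make it singular, since readers will search for the exact cmdlet name.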
- We upgraded the Visual C++ runtime library to version 14 as a prerequisite for SQL Server 2019. - We updated this release to use the Microsoft Authentication Library for authentication. We removed the older Azure AD Authentication Library, which will be retired in 2022. - We no longer apply permissions on AdminSDHolders following Windows security guidance. We changed the parameter SkipAdminSdHolders to IncludeAdminSdHolders in the ADSyncConfig.psm1 module.-- We made a change so that passwords are now reevaluated when an expired password is "unexpired," no matter if the password itself is changed. If the password is set to "Must change password at next logon" for a user, and this flag is cleared (which "unexpires" the password), the unexpired status and the password hash are synced to Azure AD. In Azure AD, when the user attempts to sign in, they can use the unexpired password.
-To sync an expired password from Active Directory to Azure AD, use the feature in Azure AD Connect to [synchronize temporary passwords](how-to-connect-password-hash-synchronization.md#synchronizing-temporary-passwords-and-force-password-change-on-next-logon). Enable password writeback to use this feature so that the password the user updates is written back to Active Directory.
+- We made a change so that passwords are now reevaluated when an expired password is "unexpired," no matter if the password itself is changed. If the password is set to "Must change password at next logon" for a user, and this flag is cleared (which "unexpires" the password), the unexpired status and the password hash are synced to Microsoft Entra ID. In Microsoft Entra ID, when the user attempts to sign in, they can use the unexpired password.
+To sync an expired password from Active Directory to Microsoft Entra ID, use the feature in Microsoft Entra Connect to [synchronize temporary passwords](how-to-connect-password-hash-synchronization.md#synchronizing-temporary-passwords-and-force-password-change-on-next-logon). Enable password writeback to use this feature so that the password the user updates is written back to Active Directory.
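Review bot: The continuation paragraph "To sync an expired password from Active Directory to Microsoft Entra ID, use the feature ..." sits at column 0 directly after the "passwords are now reevaluated" bullet, so in Markdown it closes the list instead of rendering as part of that bullet; indent it under the bullet if it belongs there (the nested bullets in the 1.6.2.4 section below show the convention). The rename itself is fine: both "Azure AD" occurrences became "Microsoft Entra ID" and the link anchor is untouched.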
- We added two new cmdlets to the ADSyncTools module to enable or retrieve TLS 1.2 settings from the Windows Server: - Get-ADSyncToolsTls12 - Set-ADSyncToolsTls12
-You can use these cmdlets to retrieve the TLS 1.2 enablement status or set it as needed. TLS 1.2 must be enabled on the server for the installation or Azure AD Connect to succeed.
+You can use these cmdlets to retrieve the TLS 1.2 enablement status or set it as needed. TLS 1.2 must be enabled on the server for the installation or Microsoft Entra Connect to succeed.
- We revamped ADSyncTools with several new and improved cmdlets. The [ADSyncTools article](reference-connect-adsynctools.md) has more details about these cmdlets. The following cmdlets have been added or updated:
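Review bot: "TLS 1.2 must be enabled on the server for the installation or Microsoft Entra Connect to succeed" carries a typo over from the old line; "or" should be "of" ("for the installation of Microsoft Entra Connect to succeed"), which is what the TLS 1.2 bullet above describes when it says the installation won't continue until TLS 1.2 is enabled.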
- Set-ADSyncToolsMsDsConsistencyGuid - Trace-ADSyncToolsADImport - Trace-ADSyncToolsLdapQuery-- We now use the V2 endpoint for import and export. We fixed an issue in the Get-ADSyncAADConnectorExportApiVersion cmdlet. To learn more about the V2 endpoint, see [Azure AD Connect sync V2 endpoint](how-to-connect-sync-endpoint-api-v2.md).-- We added the following new user properties to sync from on-premises Active Directory to Azure AD:
+- We now use the V2 endpoint for import and export. We fixed an issue in the Get-ADSyncAADConnectorExportApiVersion cmdlet. To learn more about the V2 endpoint, see [Microsoft Entra Connect Sync V2 endpoint](how-to-connect-sync-endpoint-api-v2.md).
+- We added the following new user properties to sync from on-premises Active Directory to Microsoft Entra ID:
- employeeType - employeeHireDate >[!NOTE]
- We updated the Generic LDAP Connector and the Generic SQL Connector to the latest versions. To learn more about these connectors, see the reference documentation for: - [Generic LDAP Connector](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericldap) - [Generic SQL Connector](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericsql)-- In the Microsoft 365 admin center, we now report the Azure AD Connect client version whenever there's export activity to Azure AD. This reporting ensures that the Microsoft 365 admin center always has the most up-to-date Azure AD Connect client version, and that it can detect when you're using an outdated version.
+- In the Microsoft 365 admin center, we now report the Microsoft Entra Connect client version whenever there's export activity to Microsoft Entra ID. This reporting ensures that the Microsoft 365 admin center always has the most up-to-date Microsoft Entra Connect client version, and that it can detect when you're using an outdated version.
### Bug fixes - We fixed an accessibility bug where the screen reader announced an incorrect role of the **Learn More** link. - We fixed a bug where sync rules with large precedence values (for example, 387163089) caused an upgrade to fail. We updated the sproc mms_UpdateSyncRulePrecedence to cast the precedence number as an integer prior to incrementing the value. - We fixed a bug where group writeback permissions weren't set on the sync account if a group writeback configuration was imported. We now set the group writeback permissions if group writeback is enabled on the imported configuration.-- We updated the Azure AD Connect Health agent version to 3.1.110.0 to fix an installation failure.-- We're seeing an issue with nondefault attributes from exported configurations where directory extension attributes are configured. In the process of importing these configurations to a new server or installation, the attribute inclusion list is overridden by the directory extension configuration step. As a result, after import, only default and directory extension attributes are selected in the sync service manager. Nondefault attributes aren't included in the installation, so the user must manually reenable them from the sync service manager if they want their imported sync rules to work. We now refresh the Azure AD Connector before configuring the directory extension to keep existing attributes from the attribute inclusion list.
+- We updated the Microsoft Entra Connect Health agent version to 3.1.110.0 to fix an installation failure.
+- We're seeing an issue with nondefault attributes from exported configurations where directory extension attributes are configured. In the process of importing these configurations to a new server or installation, the attribute inclusion list is overridden by the directory extension configuration step. As a result, after import, only default and directory extension attributes are selected in the sync service manager. Nondefault attributes aren't included in the installation, so the user must manually reenable them from the sync service manager if they want their imported sync rules to work. We now refresh the Microsoft Entra Connector before configuring the directory extension to keep existing attributes from the attribute inclusion list.
- We fixed an accessibility issue where the page header's font weight was set as Light. Font weight is now set to Bold for the page title, which applies to the header of all pages. - We renamed the function Get-AdObject in ADSyncSingleObjectSync.ps1 to Get-AdDirectoryObject to prevent ambiguity with the Active Directory cmdlet. - We removed the condition that allowed duplicate rule precedence. The SQL function mms_CheckSynchronizationRuleHasUniquePrecedence had allowed duplicates precedence on outbound sync rules on different connectors. - We fixed a bug where the Single Object Sync cmdlet fails if the attribute flow data is null. An example is on exporting a delete operation. - We fixed a bug where the installation fails because the ADSync bootstrap service can't be started. We now add Sync Service Account to the Local Builtin User Group before starting the bootstrap service.-- We fixed an accessibility issue where the active tab on Azure AD Connect wizard wasn't showing the correct color on High Contrast theme. The selected color code was being overwritten because of a missing condition in the normal color code configuration.
+- We fixed an accessibility issue where the active tab on Microsoft Entra Connect wizard wasn't showing the correct color on High Contrast theme. The selected color code was being overwritten because of a missing condition in the normal color code configuration.
- We addressed an issue where you were allowed to deselect objects and attributes used in sync rules by using the UI and PowerShell. We now show friendly error messages if you try to deselect any attribute or object that's used in any sync rules.-- We made some updates to the "migrate settings code" to check and fix backward compatibility issues when the script runs on an older version of Azure AD Connect.
+- We made some updates to the "migrate settings code" to check and fix backward compatibility issues when the script runs on an older version of Microsoft Entra Connect.
- We fixed a bug that occurred when PHS tried to look up an incomplete object. It didn't use the same algorithm to resolve the DC as it used originally to fetch the passwords. In particular, it ignored affinitized DC information. The Incomplete object lookup should use the same logic to locate the DC in both instances.-- We fixed a bug where Azure AD Connect can't read Application Proxy items by using Microsoft Graph because of a permissions issue with calling Microsoft Graph directly based on the Azure AD Connect client identifier. To fix this issue, we removed the dependency on Microsoft Graph and instead use Azure AD PowerShell to work with the App Proxy Application objects.
+- We fixed a bug where Microsoft Entra Connect can't read Application Proxy items by using Microsoft Graph because of a permissions issue with calling Microsoft Graph directly based on the Microsoft Entra Connect client identifier. To fix this issue, we removed the dependency on Microsoft Graph and instead use Azure AD PowerShell to work with the App Proxy Application objects.
- We removed the writeback member limit from the Out to AD - Group SOAInAAD Exchange sync rule. - We fixed a bug that occurred when you changed connector account permissions. If an object came in scope that hadn't changed since the last delta import, a delta import wouldn't import it. We now display a warning to alert you of the issue. - We fixed an accessibility issue where the screen reader wasn't reading the radio button position. We added positional text to the radio button accessibility text field. - We updated the Pass-Thru Authentication Agent bundle. The older bundle didn't have the correct reply URL for the HIP's first-party application in US Government.-- We fixed a bug where a stopped-extension-dll-exception error on Azure AD Connector exported after clean installing the Azure AD Connect version 1.6.X.X, which defaulted to using DirSyncWebServices API V2, by using an existing database. Previously, the setting export version to V2 was only being done for upgrades. We changed it so that it's set on clean install.
+- We fixed a bug where a stopped-extension-dll-exception error on Microsoft Entra Connector exported after clean installing the Microsoft Entra Connect version 1.6.X.X, which defaulted to using DirSyncWebServices API V2, by using an existing database. Previously, the setting export version to V2 was only being done for upgrades. We changed it so that it's set on clean install.
- We removed the ADSyncPrep.psm1 module from the installation because it's no longer used. ### Known issues -- The Azure AD Connect wizard shows the **Import Synchronization Settings** option as **Preview**, although this feature is generally available.
+- The Microsoft Entra Connect wizard shows the **Import Synchronization Settings** option as **Preview**, although this feature is generally available.
- Some Active Directory connectors might be installed in a different order when you use the output of the migrate settings script to install the product.-- The **User Sign In** options page in the Azure AD Connect wizard mentions Company Administrator. This term is no longer used and needs to be replaced by Global Administrator.
+- The **User Sign In** options page in the Microsoft Entra Connect wizard mentions Company Administrator. This term is no longer used and needs to be replaced by Global Administrator.
- The **Export settings** option is broken when the **Sign In** option has been configured to use PingFederate.-- While Azure AD Connect can now be deployed by using the Hybrid Identity Administrator role, configuring Self-Service Password Reset, Passthru Authentication, or single sign-on still requires a user with the Global Administrator role.-- When you import the Azure AD Connect configuration while you deploy to connect with a different tenant than the original Azure AD Connect configuration, directory extension attributes aren't configured correctly.
+- While Microsoft Entra Connect can now be deployed by using the Hybrid Identity Administrator role, configuring Self-Service Password Reset, Passthru Authentication, or single sign-on still requires a user with the Global Administrator role.
+- When you import the Microsoft Entra Connect configuration while you deploy to connect with a different tenant than the original Microsoft Entra Connect configuration, directory extension attributes aren't configured correctly.
## 1.6.4.0 > [!NOTE]
-> The Azure AD Connect sync V2 endpoint API is now available in these Azure environments:
+> The Microsoft Entra Connect Sync V2 endpoint API is now available in these Azure environments:
> > - Azure Commercial > - Microsoft Azure operated by 21Vianet
### Bug fixes
-This release fixes a bug that occurred in version 1.6.2.4. After upgrade to that release, the Azure AD Connect Health feature wasn't registered correctly and didn't work. If you deployed build 1.6.2.4, update your Azure AD Connect server with this build to register the Health feature correctly.
+This release fixes a bug that occurred in version 1.6.2.4. After upgrade to that release, the Microsoft Entra Connect Health feature wasn't registered correctly and didn't work. If you deployed build 1.6.2.4, update your Microsoft Entra Connect server with this build to register the Health feature correctly.
## 1.6.2.4 > [!IMPORTANT] > Update per March 30, 2021: We've discovered an issue in this build. After installation of this build, the Health services aren't registered. We recommend that you not install this build. We'll release a hotfix shortly.
-> If you already installed this build, you can manually register the Health services by using the cmdlet, as shown in [Azure AD Connect Health agent installation](./how-to-connect-health-agent-install.md#manually-register-azure-ad-connect-health-for-sync).
+> If you already installed this build, you can manually register the Health services by using the cmdlet, as shown in [Microsoft Entra Connect Health agent installation](./how-to-connect-health-agent-install.md#manually-register-azure-ad-connect-health-for-sync).
- This release will be made available for download only. - The upgrade to this release will require a full synchronization because of sync rule changes.-- This release defaults the Azure AD Connect server to the new V2 endpoint.
+- This release defaults the Microsoft Entra Connect server to the new V2 endpoint.
### Release status
### Functional changes - We updated default sync rules to limit membership in writeback groups to 50,000 members.
- - We added new default sync rules for limiting the membership count in group writeback (Out to AD - Group Writeback Member Limit) and group sync to Azure AD (Out to AAD - Group Writeup Member Limit) groups.
+ - We added new default sync rules for limiting the membership count in group writeback (Out to AD - Group Writeback Member Limit) and group sync to Microsoft Entra ID (Out to Microsoft Entra ID - Group Writeup Member Limit) groups.
- We added a member attribute to the Out to AD - Group SOAInAAD - Exchange rule to limit members in writeback groups to 50,000. - We updated sync rules to support group writeback V2:
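Review bot: The rename inside the parentheses turns the sync rule name "Out to AAD - Group Writeup Member Limit" into "Out to Microsoft Entra ID - Group Writeup Member Limit", but that string is a literal rule name rather than product prose: the same list keeps "Out to AD - Group Writeback Member Limit" and the "SOAInAAD" rule names verbatim, and the next hunk does the same to "In from AAD - Group SOAInAAD". Unless the default rules were actually renamed in the product, keep the names exactly as they appear in the Synchronization Service Manager so admins can locate the rules; the prose outside the parentheses ("group sync to Microsoft Entra ID") is the right place for the new product name.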
- - If the In from AAD - Group SOAInAAD rule is cloned and Azure AD Connect is upgraded:
+ - If the In from Microsoft Entra ID - Group SOAInAAD rule is cloned and Microsoft Entra Connect is upgraded:
- The updated rule will be disabled by default, so targetWritebackType will be null.
- - Azure AD Connect will write back all Cloud Groups (including Azure AD Security Groups enabled for writeback) as Distribution Groups.
- - If the Out to AD - Group SOAInAAD rule is cloned and Azure AD Connect is upgraded:
+ - Microsoft Entra Connect will write back all Cloud Groups (including Microsoft Entra Security Groups enabled for writeback) as Distribution Groups.
+ - If the Out to AD - Group SOAInAAD rule is cloned and Microsoft Entra Connect is upgraded:
- The updated rule will be disabled by default. A new sync rule, Out to AD - Group SOAInAAD - Exchange, which is added will be enabled.
- - Depending on the Cloned Custom Sync Rule's precedence, Azure AD Connect will flow the Mail and Exchange attributes.
+ - Depending on the Cloned Custom Sync Rule's precedence, Microsoft Entra Connect will flow the Mail and Exchange attributes.
- If the Cloned Custom Sync Rule doesn't flow some Mail and Exchange attributes, the new Exchange Sync Rule will add those attributes. - We added support for [Selective Password Hash Synchronization](./how-to-connect-selective-password-hash-synchronization.md).-- We added the new [Single Object Sync cmdlet](./how-to-connect-single-object-sync.md). Use this cmdlet to troubleshoot your Azure AD Connect sync configuration.-- Azure AD Connect now supports the Hybrid Identity Administrator role for configuring the service.-- We updated the Azure AD ConnectHealth agent to 3.1.83.0.
+- We added the new [Single Object Sync cmdlet](./how-to-connect-single-object-sync.md). Use this cmdlet to troubleshoot your Microsoft Entra Connect Sync configuration.
+- Microsoft Entra Connect now supports the Hybrid Identity Administrator role for configuring the service.
+- We updated the Microsoft Entra Connect Health agent to 3.1.83.0.
- We introduced a new version of the [ADSyncTools PowerShell module](./reference-connect-adsynctools.md), which has several new or improved cmdlets: - Clear-ADSyncToolsMsDsConsistencyGuid - ConvertFrom-ADSyncToolsAadDistinguishedName
- We removed the **Explicit** column from the **CS Search** page in the old sync UI. - We added to the UI for the group writeback flow to prompt users for credentials or to configure their own permissions by using the ADSyncConfig module if credentials weren't already provided in an earlier step. - We added the ability to autocreate a managed service account for an ADSync service account on a DC.-- We added the ability to set and get the Azure AD DirSync feature group writeback V2 in the existing cmdlets:
+- We added the ability to set and get the Microsoft Entra DirSync feature group writeback V2 in the existing cmdlets:
- Set-ADSyncAADCompanyFeature - Get-ADSyncAADCompanyFeature
- We increased granularity for Set-ADSyncPasswordHashSyncPermissions cmdlet. - We updated the PHS permissions script (Set-ADSyncPasswordHashSyncPermissions) to include an optional ADobjectDN parameter. - We made an accessibility bug fix. The screen reader now describes the UX element that holds the list of forests as **Forests list** instead of **Forest List list**.-- We updated screen reader output for some items in the Azure AD Connect wizard. We updated the button hover color to satisfy contrast requirements. We updated Synchronization Service Manager title color to satisfy contrast requirements.-- We fixed an issue with installing Azure AD Connect from exported configuration having custom extension attributes.
+- We updated screen reader output for some items in the Microsoft Entra Connect wizard. We updated the button hover color to satisfy contrast requirements. We updated Synchronization Service Manager title color to satisfy contrast requirements.
+- We fixed an issue with installing Microsoft Entra Connect from exported configuration having custom extension attributes.
- We added a condition to skip checking for extension attributes in the target schema while applying the sync rule. - We added appropriate permissions on installation if the group writeback feature is enabled. - We fixed duplicate default sync rule precedence on import.
- We modified policy import and export to fail if custom rule has duplicate precedence. - We fixed a bug in the domain selection logic. - We fixed an issue with build 1.5.18.0 if you use mS-DS-ConsistencyGuid as the source anchor and have cloned the In from AD - Group Join rule.-- Fresh Azure AD Connect installations will use the Export Deletion Threshold stored in the cloud if there's one available and if there isn't a different one passed in.-- We fixed an issue where Azure AD Connect wouldn't read Active Directory displayName changes of hybrid-joined devices.
+- Fresh Microsoft Entra Connect installations will use the Export Deletion Threshold stored in the cloud if there's one available and if there isn't a different one passed in.
+- We fixed an issue where Microsoft Entra Connect wouldn't read Active Directory displayName changes of hybrid-joined devices.
## 1.5.45.0
This is a bug fix release. There are no functional changes in this release.
## Next steps
-Learn more about how to [integrate your on-premises identities with Azure AD](../whatis-hybrid-identity.md).
+Learn more about how to [integrate your on-premises identities with Microsoft Entra ID](../whatis-hybrid-identity.md).
active-directory Tshoot Connect Sync Errors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/tshoot-connect-sync-errors.md
-# Understanding errors during Azure AD synchronization
+# Understanding errors during Microsoft Entra synchronization
Errors can occur when identity data is synced from Windows Server Active Directory to Microsoft Entra ID. This article provides an overview of different types of sync errors, some of the possible scenarios that cause those errors, and potential ways to fix the errors. This article includes common error types and might not cover all possible errors.
active-directory Whatis Azure Ad Connect V2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/connect/whatis-azure-ad-connect-v2.md
-# Introduction to Microsoft Entra Connect V2.0
+# Introduction to Microsoft Entra Connect V2.0
Microsoft Entra Connect was released several years ago. Since this time, several of the components that Microsoft Entra Connect uses have been scheduled for deprecation and updated to newer versions. Attempting to update all of these components individually would take time and planning.
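Review bot: The removed and added heading lines are identical as rendered ("# Introduction to Microsoft Entra Connect V2.0"), so this hunk is presumably a whitespace or line-ending change only; confirm it is intentional, because whitespace-only churn on a heading adds noise to the file's history without changing what readers see.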
active-directory Howto Identity Protection Graph Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-graph-api.md
Microsoft Graph is the Microsoft unified API endpoint and the home of [Microsoft
To successfully complete this tutorial, make sure you have the required prerequisites: - Microsoft Graph PowerShell SDK is installed. For more information, see the article [Install the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/installation?view=graph-powershell-1.0&preserve-view=true).-- Identity Protection is available in the beta version of Microsoft Graph PowerShell. Run the following command to set your profile to beta.-
- ```powershell
- # Connect to Graph beta Endpoint
- Select-MgProfile -Name 'beta'
- ```
--- Microsoft Graph PowerShell using a global administrator role and the appropriate permissions. The IdentityRiskEvent.Read.All, IdentityRiskyUser.ReadWrite.All Or IdentityRiskyUser.ReadWrite.All delegated permissions are required. To set the permissions to IdentityRiskEvent.Read.All and IdentityRiskyUser.ReadWrite.All, run:
+- Microsoft Graph PowerShell using a [Security Administrator](../roles/permissions-reference.md#security-administrator) role. The IdentityRiskEvent.Read.All, IdentityRiskyUser.ReadWrite.All Or IdentityRiskyUser.ReadWrite.All delegated permissions are required. To set the permissions to IdentityRiskEvent.Read.All and IdentityRiskyUser.ReadWrite.All, run:
```powershell Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All","IdentityRiskyUser.ReadWrite.All"
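Review bot: the permission list on the `+` line names `IdentityRiskyUser.ReadWrite.All` twice (`IdentityRiskEvent.Read.All, IdentityRiskyUser.ReadWrite.All Or IdentityRiskyUser.ReadWrite.All`), a duplication carried over from the `-` line rather than fixed; the second entry is presumably a different scope, and the prose list should match the two scopes actually requested by `Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All","IdentityRiskyUser.ReadWrite.All"` on the next line, or the missing scope should be added to that command as well (and "Or" should be lower-case). The hunk also deletes the `Select-MgProfile -Name 'beta'` step together with the sentence explaining that Identity Protection is only in the beta endpoint, without saying how the beta cmdlets are now reached; if the profile step went away because the SDK no longer uses profiles, the prerequisites should name the module that now provides those cmdlets. Replacing Global Administrator with Security Administrator is the right least-privilege change and should stay.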
active-directory Howto Identity Protection Remediate Unblock https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-remediate-unblock.md
Previously updated : 11/11/2022 Last updated : 09/07/2023
After completing your [investigation](howto-identity-protection-investigate-risk
All active risk detections contribute to the calculation of the user's risk level. The user risk level is an indicator (low, medium, high) of the probability that the user's account has been compromised. As an administrator, after thorough investigation of the risky users and the corresponding risky sign-ins and detections, you want to remediate the risky users so that they're no longer at risk and won't be blocked.
-Identity Protection marks some risk detections and the corresponding risky sign-ins as dismissed with risk state "Dismissed" and risk detail "Microsoft Entra ID Protection assessed sign-in safe". It takes this action, because those events were no longer determined to be risky.
+Microsoft Entra ID Protection marks some risk detections and the corresponding risky sign-ins as dismissed with risk state **Dismissed** and risk detail **Azure AD Identity Protection assessed sign-in safe**. It takes this action, because those events were no longer determined to be risky.
Administrators have the following options to remediate:
Administrators have the following options to remediate:
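Review bot: the `+` line changes the risk detail from "Microsoft Entra ID Protection assessed sign-in safe" back to **Azure AD Identity Protection assessed sign-in safe**, the opposite direction from every other rename in this commit; if that is the literal risk-detail value the portal and the API return today, keep it but say that it is the current literal value, otherwise it should read Microsoft Entra ID Protection like the rest of the page. The context line "Administrators have the following options to remediate:" also appears twice in a row immediately after the hunk; one copy should go.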
### Self-remediation with risk-based policy
-You can allow users to self-remediate their sign-in risks and user risks by setting up [risk-based policies](howto-identity-protection-configure-risk-policies.md). If users pass the required access control, such as Microsoft Entra multifactor authentication or secure password change, then their risks are automatically remediated. The corresponding risk detections, risky sign-ins, and risky users are reported with the risk state "Remediated" instead of "At risk".
+You can allow users to self-remediate their sign-in risks and user risks by setting up [risk-based policies](howto-identity-protection-configure-risk-policies.md). If users pass the required access control, such as multifactor authentication or secure password change, then their risks are automatically remediated. The corresponding risk detections, risky sign-ins, and risky users are reported with the risk state **Remediated** instead of **At risk**.
-Here are the prerequisites on users before risk-based policies can be applied to them to allow self-remediation of risks:
+The prerequisites for users before risk-based policies can be applied to allow self-remediation of risks are:
- To perform MFA to self-remediate a sign-in risk: - The user must have registered for Microsoft Entra multifactor authentication. - To perform secure password change to self-remediate a user risk: - The user must have registered for Microsoft Entra multifactor authentication.
- - For hybrid users that are synced from on-premises to cloud, password writeback must have been enabled on them.
+ - For hybrid users that are synced from on-premises to cloud, password writeback must be enabled.
If a risk-based policy is applied to a user during sign-in before the above prerequisites are met, then the user is blocked. This block action is because they aren't able to perform the required access control, and admin intervention is required to unblock the user.
-Risk-based policies are configured based on risk levels and only apply if the risk level of the sign-in or user matches the configured level. Some detections may not raise risk to the level where the policy applies, and administrators need to handle those risky users manually. Administrators may determine that extra measures are necessary like [blocking access from locations](../conditional-access/howto-conditional-access-policy-location.md) or lowering the acceptable risk in their policies.
+Risk-based policies are configured based on risk levels and only apply if the risk level of the sign-in or user matches the configured level. Some detections might not raise risk to the level where the policy applies, and administrators need to handle those risky users manually. Administrators can determine that extra measures are necessary like [blocking access from locations](../conditional-access/howto-conditional-access-policy-location.md) or lowering the acceptable risk in their policies.
### Self-remediation with self-service password reset
-If a user has registered for self-service password reset (SSPR), then they can also remediate their own user risk by performing a self-service password reset.
+If a user has registered for self-service password reset (SSPR), then they can remediate their own user risk by performing a self-service password reset.
### Manual password reset
-If requiring a password reset using a user risk policy isn't an option, administrators can remediate a risky user by requiring a password reset.
+If requiring a password reset using a user risk policy isn't an option, or time is of the essence, administrators can remediate a risky user by requiring a password reset.
-Administrators are given two options when resetting a password for their users:
+Administrators have options they can choose from:
- **Generate a temporary password** - By generating a temporary password, you can immediately bring an identity back into a safe state. This method requires contacting the affected users because they need to know what the temporary password is. Because the password is temporary, the user is prompted to change the password to something new during the next sign-in.
+ - They can generate passwords for cloud and hybrid users in the Microsoft Entra admin center.
+ - They can generate passwords for hybrid users from an on-premises directory when password hash synchronization and the [Allow on-premises password change to reset user risk](#allow-on-premises-password-reset-to-remediate-user-risks-preview) setting is enabled.
-- **Require the user to reset password** - Requiring the users to reset passwords enables self-recovery without contacting help desk or an administrator. This method only applies to users that are registered for Microsoft Entra multifactor authentication and SSPR. For users that haven't been registered, this option isn't available.
+ > [!WARNING]
+ > Don't select the option **User must change password at next logon**. This is unsupported.
+
+- **Require the user to reset password** - Requiring the users to reset passwords enables self-recovery without contacting help desk or an administrator.
+ - Cloud and hybrid users can complete a secure password change. This method only applies to users that can perform MFA already. For users that haven't registered, this option isn't available.
+ - Hybrid users can complete a password change by pressing Ctrl+Alt+Del and changing their password from an on-premises or hybrid joined Windows device, when password hash synchronization and the [Allow on-premises password change to reset user risk](#allow-on-premises-password-reset-to-remediate-user-risks-preview) setting is enabled.
+
+#### Allow on-premises password reset to remediate user risks (Preview)
+
+Organizations who have enabled [password hash synchronization](../hybrid/connect/whatis-phs.md) can allow password changes on-premises to remediate user risk.
+
+This configuration provides organizations two new capabilities:
+
+- Risky hybrid users can self-remediate without administrators intervention. When a password is changed on-premises, user risk is now automatically remediated within Entra ID Protection, bringing the user to a safe state.
+- Organizations can proactively deploy [user risk policies that require password changes](howto-identity-protection-configure-risk-policies.md#user-risk-policy-in-conditional-access) to confidently protect their hybrid users. This option strengthens your organization's security posture and simplifies security management by ensuring that user risks are promptly addressed, even in complex hybrid environments.
++
+To configure this setting
+
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Operator](../roles/permissions-reference.md#security-operator).
+1. Browse to **Protection** > **Identity Protection** > **Settings**.
+1. Check the box to **Allow on-premises password change to reset user risk**.
+1. Select **Save**.
### Dismiss user risk
To Dismiss user risk in the [Microsoft Entra admin center](https://entra.microso
When you select **Dismiss user risk**, the user is no longer at risk, and all the risky sign-ins of this user and corresponding risk detections are dismissed as well.
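Review bot: in the new preview section, the first bullet (`+- Risky hybrid users can self-remediate without administrators intervention ... within Entra ID Protection`) should read "without administrator intervention" and "within Microsoft Entra ID Protection"; the bare "Entra ID Protection" is the only place in this commit that drops the "Microsoft" prefix. Two smaller points in the same region: the lead-in `+To configure this setting` needs a trailing colon, and the `++` line renders as a doubled plus, so confirm that only a blank line was intended there. On substance, the reworked "Require the user to reset password" bullet now says the secure password change "only applies to users that can perform MFA already", while the prerequisites earlier on the page say the user must be registered for Microsoft Entra multifactor authentication; use the same wording in both places so readers do not take "can perform MFA" for a different condition. The WARNING that **User must change password at next logon** is unsupported is a good addition, but say where that option appears so an admin generating a temporary password on-premises knows which checkbox to leave clear, and consider stating whether the on-premises password change must reach Microsoft Entra ID through password hash synchronization before the risk state updates, since the new sub-bullets make that dependency a precondition.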
-Because this method doesn't have an impact on the user's existing password, it doesn't bring their identity back into a safe state.
+Because this method doesn't affect the user's existing password, it doesn't bring their identity back into a safe state.
#### Risk state and detail based on dismissal of risk
It isn't possible for administrators to dismiss risk for users who have been del
## Unblocking users
-An administrator may choose to block a sign-in based on their risk policy or investigations. A block may occur based on either sign-in or user risk.
+An administrator can choose to block a sign-in based on their risk policy or investigations. A block can occur based on either sign-in or user risk.
### Unblocking based on user risk
To unblock an account based on sign-in risk, administrators have the following o
Using the Microsoft Graph PowerShell SDK Preview module, organizations can manage risk using PowerShell. The preview modules and sample code can be found in the [Microsoft Entra GitHub repo](https://github.com/AzureAD/IdentityProtectionTools).
-The `Invoke-AzureADIPDismissRiskyUser.ps1` script included in the repo allows organizations to dismiss all risky users in their directory.
+The `Invoke-AzureADIPDismissRiskyUser.ps1` script included in the repository allows organizations to dismiss all risky users in their directory.
## Next steps
-To get an overview of Microsoft Entra ID Protection, see the [Microsoft Entra ID Protection overview](overview-identity-protection.md).
+[Simulate a high user risk](howto-identity-protection-graph-api.md#confirm-users-compromised-using-powershell)
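Review bot: the Next steps change replaces the overview link with a single entry whose text says "Simulate a high user risk" but whose target anchor is `#confirm-users-compromised-using-powershell`; if confirming a user as compromised is the intended way to simulate high user risk, make the link text say so (for example "Simulate a high user risk by confirming a user compromised with PowerShell"), and keep the overview link alongside it rather than dropping it, since this is now the only next step. In the unchanged context just above, the heading "### Unblocking based on user risk" is followed by a paragraph that starts "To unblock an account based on sign-in risk"; one of the two is wrong and is worth fixing in the same commit. Leaving the script name `Invoke-AzureADIPDismissRiskyUser.ps1` untouched on the `+` line is correct, since it is a file name in the repository rather than product branding.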
active-directory Howto Identity Protection Risk Feedback https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/identity-protection/howto-identity-protection-risk-feedback.md
An Identity Protection detection is an indicator of suspicious activity from an
## Why should I give risk feedback to Microsoft Entra ID’s risk assessments?
-There are several reasons why you should give Microsoft Entra ID risk feedback:
+There are several reasons why you should give Microsoft Entra risk feedback:
- **You found Microsoft Entra ID’s user or sign-in risk assessment incorrect**. For example, a sign-in shown in ‘Risky sign-ins’ report was benign and all the detections on that sign-in were false positives. - **You validated that Microsoft Entra ID’s user or sign-in risk assessment was correct**. For example, a sign-in shown in ‘Risky sign-ins’ report was indeed malicious and you want Microsoft Entra ID to know that all the detections on that sign-in were true positives.
active-directory Application Sign In Unexpected User Consent Prompt https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/application-sign-in-unexpected-user-consent-prompt.md
Determining whether an individual user can consent to an application can be conf
## Next steps -- [Apps, permissions, and consent in Microsoft Entra ID (v1.0 endpoint)](../develop/quickstart-register-app.md)
+- [Apps, permissions, and consent in Azure Active Directory (v1.0 endpoint)](../develop/quickstart-register-app.md)
-- [Scopes, permissions, and consent in the Microsoft Entra ID (v2.0 endpoint)](../develop/permissions-consent-overview.md)
+- [Scopes, permissions, and consent in the Microsoft identity platform (v2.0 endpoint)](../develop/permissions-consent-overview.md)
- [Unexpected error when performing consent to an application](application-sign-in-unexpected-user-consent-error.md)
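Review bot: the `+` line for the first Next steps entry reverts the product name to "Azure Active Directory (v1.0 endpoint)" while the rest of this commit renames to Microsoft Entra ID, and both the `-` and `+` lines point the "Apps, permissions, and consent" text at `../develop/quickstart-register-app.md`, which by its file name is the app-registration quickstart rather than a consent article; either retarget the link to the consent document or change the text to describe the quickstart. Keeping "Azure Active Directory" can be defensible for the legacy v1.0 endpoint, but then say that it is the legacy name, or drop the v1.0 entry since the v2.0 "Scopes, permissions, and consent in the Microsoft identity platform" entry below it already covers consent.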
active-directory Cloudflare Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/cloudflare-integration.md
Integrate Cloudflare Zero Trust account with an instance of Microsoft Entra ID.
![Screenshot of the Login methods option on Authentication.](./media/cloudflare-integration/login-methods.png)
-5. Under **Select an identity provider**, select **Azure AD.**
+5. Under **Select an identity provider**, select **Microsoft Entra ID**.
![Screenshot of the Microsoft Entra option under Select an identity provider.](./media/cloudflare-integration/idp.png) 6. The **Add Azure ID** dialog appears. 7. Enter Microsoft Entra instance credentials and make needed selections.
- ![Screenshot of options and selections for Add Azure AD.](./media/cloudflare-integration/add-idp.png)
+ ![Screenshot of options and selections for Add Microsoft Entra ID.](./media/cloudflare-integration/add-idp.png)
8. Select **Save**.
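Review bot: the `+` alt text now says "Add Microsoft Entra ID" while the unchanged step 6 on the line above still says "The **Add Azure ID** dialog appears", which looks like a typo for "Add Azure AD"; these are Cloudflare's UI labels, so check what the Cloudflare Zero Trust dashboard actually shows and use that exact string in step 5, step 6 and the alt text. The same applies to step 5's `+` line, which changes the identity-provider entry to **Microsoft Entra ID**: if Cloudflare still lists it as "Azure AD", a reader following the renamed step will not find the option, so keep the vendor's literal label and add "(Microsoft Entra ID)" after it if clarification is needed.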
active-directory F5 Big Ip Header Advanced https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-header-advanced.md
A virtual server is a BIG-IP data plane object represented by a virtual IP addre
Use the BIG-IPs session management setting to define the conditions for user session termination or continuation. Create policy with **Access Policy** > **Access Profiles**. Select an application from the list.
-Regarding SLO functionality, a SLO URI in Microsoft Entra ensures an IdP-initiated sign-out from the MyApps portal terminates the session between the client and the BIG-IP APM. The imported application federation metadata.xml provides the APM with the Microsoft Entra SAML sign-out endpoint, for SP initiated sign-out. Therefore, enable the APM to know when a user signs out.
+Regarding SLO functionality, a SLO URI in Microsoft Entra ID ensures an IdP-initiated sign-out from the MyApps portal terminates the session between the client and the BIG-IP APM. The imported application federation metadata.xml provides the APM with the Microsoft Entra SAML sign-out endpoint, for SP initiated sign-out. Therefore, enable the APM to know when a user signs out.
If there's no BIG-IP web portal, the user can't instruct the APM to sign out. If the user signs out of the application, the BIG-IP is oblivious to the action. The application session can be reinstated through SSO. Therefore, SP-initiated sign out needs careful consideration.
active-directory F5 Big Ip Kerberos Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-kerberos-easy-button.md
Prior BIG-IP experience isn't necessary, but you need:
## BIG-IP configuration methods
-This tutorial covers the latest Guided Configuration 16.1 with an Easy Button template. With the Easy Button, Admins don't go back and forth between Microsoft Entra ID and a BIG-IP to enable services for SHA. The deployment and policy management is handled by the APM Guided Configuration wizard and Microsoft Graph. This integration between BIG-IP APM and Microsoft Entra ensures applications support identity federation, SSO, and Microsoft Entra Conditional Access, reducing administrative overhead.
+This tutorial covers the latest Guided Configuration 16.1 with an Easy Button template. With the Easy Button, Admins don't go back and forth between Microsoft Entra ID and a BIG-IP to enable services for SHA. The deployment and policy management is handled by the APM Guided Configuration wizard and Microsoft Graph. This integration between BIG-IP APM and Microsoft Entra ID ensures applications support identity federation, SSO, and Microsoft Entra Conditional Access, reducing administrative overhead.
>[!NOTE] > Replace example strings or values in this article with those for your environment.
Before a client or service can access Microsoft Graph, it must be trusted by the
Initiate the APM Guided Configuration to launch the Easy Button template.
-1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Azure AD Application**.
+1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Microsoft Entra Application**.
- ![Screenshot of the Azure A D Application option on Guided Configuration.](./media/f5-big-ip-easy-button-ldap/easy-button-template.png)
+ ![Screenshot of the Microsoft Entra Application option on Guided Configuration.](./media/f5-big-ip-easy-button-ldap/easy-button-template.png)
2. Review the configuration steps and select **Next**
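Review bot: the `+` line renames the BIG-IP menu entry to **Microsoft Entra Application**, but **Access > Guided Configuration > Microsoft Integration** is F5's own UI and the option is named by the APM Guided Configuration 16.1 template, not by this article; unless F5 has renamed it, keep the literal **Azure AD Application** label (optionally followed by "(Microsoft Entra ID)") so the step matches what is on screen, and change the screenshot alt text only when the screenshot itself changes. Step 2 on the next line is also missing its full stop.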
active-directory F5 Big Ip Ldap Header Easybutton https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-big-ip-ldap-header-easybutton.md
Prior BIG-IP experience isn't necessary, but you need:
## BIG-IP configuration
-This tutorial uses Guided Configuration 16.1 with an Easy Button template. With the Easy Button, admins don't go back and forth between Microsoft Entra ID and a BIG-IP to enable services for SHA. The deployment and policy management is handled between the APM Guided Configuration wizard and Microsoft Graph. This integration between BIG-IP APM and Microsoft Entra ensures applications support identity federation, SSO, and Microsoft Entra Conditional Access, reducing administrative overhead.
+This tutorial uses Guided Configuration 16.1 with an Easy Button template. With the Easy Button, admins don't go back and forth between Microsoft Entra ID and a BIG-IP to enable services for SHA. The deployment and policy management is handled between the APM Guided Configuration wizard and Microsoft Graph. This integration between BIG-IP APM and Microsoft Entra ID ensures applications support identity federation, SSO, and Microsoft Entra Conditional Access, reducing administrative overhead.
>[!NOTE] >Replace example strings or values in this guide with those for your environment.
This first step creates a tenant app registration to authorize the **Easy Button
Initiate the APM **Guided Configuration** to launch the **Easy Button** template.
-1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Azure AD Application**.
+1. Navigate to **Access > Guided Configuration > Microsoft Integration** and select **Microsoft Entra Application**.
- ![Screenshot of the Azure A D Application option on Guided Configuration.](./media/f5-big-ip-easy-button-ldap/easy-button-template.png)
+ ![Screenshot of the Microsoft Entra Application option on Guided Configuration.](./media/f5-big-ip-easy-button-ldap/easy-button-template.png)
2. Review the list of steps and select **Next**
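Review bot: as with the Kerberos variant of this tutorial, the `+` line renames the F5 menu option to **Microsoft Entra Application**, but that label belongs to the BIG-IP APM Guided Configuration 16.1 template and not to Microsoft's documentation; unless F5 has shipped a renamed template, the step should keep the literal **Azure AD Application** text (with "(Microsoft Entra ID)" appended if needed) so it matches the screen, and the alt text on the following `+` line should describe the screenshot as it actually is. Step 2 on the next line is missing its full stop.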
active-directory F5 Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/f5-integration.md
Advanced configuration tutorials:
The BIG-IP version 13.1 Guided Configuration wizard, minimizes time and effort to implement common BIG-IP publishing scenarios. Its workflow framework provides an intuitive deployment experience, for specific access topologies.
-Guided Configuration version 16.x has the Easy Button feature: admins no longer go back and forth between Microsoft Entra ID and a BIG-IP to enable services for SHA. The end-to-end deployment and policy management is handled by the APM Guided Configuration wizard and Microsoft Graph. This integration between BIG-IP APM and Microsoft Entra ensures applications support identity federation, SSO, and Microsoft Entra Conditional Access, without the management overhead of doing so for each app.
+Guided Configuration version 16.x has the Easy Button feature: admins no longer go back and forth between Microsoft Entra ID and a BIG-IP to enable services for SHA. The end-to-end deployment and policy management is handled by the APM Guided Configuration wizard and Microsoft Graph. This integration between BIG-IP APM and Microsoft Entra ID ensures applications support identity federation, SSO, and Microsoft Entra Conditional Access, without the management overhead of doing so for each app.
Tutorials for using Easy Button templates, *F5 BIG-IP Easy Button for SSO to*:
active-directory Hide Application From User Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/hide-application-from-user-portal.md
Title: Hide an Enterprise application
-description: How to hide an Enterprise application from user's experience in Microsoft Entra access portals or Microsoft 365 launchers.
+description: How to hide an Enterprise application from user's experience in Microsoft Entra ID access portals or Microsoft 365 launchers.
active-directory Manage Self Service Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/manage-self-service-access.md
To enable self-service application access, you need:
- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). - One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator.-- A Microsoft Entra ID P1 or P2 (P1 or P2) license is required for users to request to join a self-service app and for owners to approve or deny requests. Without a Microsoft Entra ID P1 or P2 license, users can't add self-service apps.
+- A Microsoft Entra ID P1 or P2 license is required for users to request to join a self-service app and for owners to approve or deny requests. Without a Microsoft Entra ID P1 or P2 license, users can't add self-service apps.
## Enable self-service application access to allow users to find their own applications
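Review bot: the `+` line only fixes the doubled "(P1 or P2)" in the license sentence, which is fine, but the unchanged role list on the same prerequisites line ("Global Administrator, Cloud Application Administrator, or Application Administrator") leads with the most privileged role; since the line shows Cloud Application Administrator and Application Administrator as sufficient alternatives, list the least-privileged role first and drop Global Administrator from the list, so readers do not assign it by default to enable self-service app access.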
active-directory Migrate Adfs Plan Management Insights https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-plan-management-insights.md
Microsoft Entra ID provides a centralized access location to manage your migrate
You can also use the [Microsoft Entra admin center](https://entra.microsoft.com) to audit all your apps from a centralized location, -- **Audit your app** using **Enterprise Applications, Audit**, or access the same information from the [Microsoft Entra ID Reporting API](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md) to integrate into your favorite tools.
+- **Audit your app** using **Enterprise Applications, Audit**, or access the same information from the [Microsoft Entra reporting API](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md) to integrate into your favorite tools.
- **View the permissions for an app** using **Enterprise Applications, Permissions** for apps using OAuth/OpenID Connect.-- **Get sign-in insights** using **Enterprise Applications, Sign-Ins**. Access the same information from the [Microsoft Entra ID Reporting API.](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md)
+- **Get sign-in insights** using **Enterprise Applications, Sign-Ins**. Access the same information from the [Microsoft Entra reporting API.](../reports-monitoring/howto-configure-prerequisites-for-reporting-api.md)
- **Visualize your app’s usage** from the [Microsoft Entra ID Power BI content pack](../reports-monitoring/howto-use-azure-monitor-workbooks.md) ## Exit criteria
active-directory Migrate Adfs Represent Security Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-adfs-represent-security-policies.md
This maps to Microsoft Entra ID in one of the following ways:
1. In the **Users and groups tab**, assign your application to the **All Users** automatic group. You must [enable Dynamic Groups](../enterprise-users/groups-create-rule.md) in your Microsoft Entra tenant for the default **All Users** group to be available.
- :::image type="content" source="media/migrate-adfs-represent-security-policies/permit-access-to-all-users-3.png" alt-text="Screenshot shows My SaaS Apps in Azure AD.":::
+ :::image type="content" source="media/migrate-adfs-represent-security-policies/permit-access-to-all-users-3.png" alt-text="Screenshot shows My SaaS Apps in Microsoft Entra ID.":::
### Example 2: Allow a group explicitly
active-directory Migrate Okta Federation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-okta-federation.md
For this tutorial, you configure password hash synchronization and seamless SSO.
1. On the Microsoft Entra Connect server, open the **Microsoft Entra Connect** app. 2. Select **Configure**.
- ![Screenshot of the Microsoft Entra icon and the Configure button in the Microsoft Entra Connect app.](media/migrate-okta-federation/configure.png)
+ ![Screenshot of the Microsoft Entra ID icon and the Configure button in the Microsoft Entra Connect app.](media/migrate-okta-federation/configure.png)
3. Select **Change user sign-in**. 4. Select **Next**.
active-directory Migrate Okta Sign On Policies Conditional Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/migrate-okta-sign-on-policies-conditional-access.md
See the following two sections for licensing and credentials prerequisites.
There are licensing requirements if you switch from Okta sign-on to Conditional Access. The process requires a Microsoft Entra ID P1 license to enable registration for Microsoft Entra multifactor authentication.
-Learn more: [Assign or remove licenses in the Microsoft Entra portal](/azure/active-directory/fundamentals/license-users-groups)
+Learn more: [Assign or remove licenses in the Microsoft Entra admin center](/azure/active-directory/fundamentals/license-users-groups)
### Enterprise Administrator credentials
active-directory Plan Sso Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/plan-sso-deployment.md
Implement your communication plan. Make sure you're letting your users know that
Ensure the application is covered by the following licensing requirements: -- **Microsoft Entra licensing** - SSO for pre-integrated enterprise applications is free. However, the number of objects in your directory and the features you wish to deploy may require more licenses. For a full list of license requirements, see [Microsoft Entra pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+- **Microsoft Entra ID licensing** - SSO for pre-integrated enterprise applications is free. However, the number of objects in your directory and the features you wish to deploy may require more licenses. For a full list of license requirements, see [Microsoft Entra pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
- **Application licensing** - You'll need the appropriate licenses for your applications to meet your business needs. Work with the application owner to determine whether the users assigned to the application have the appropriate licenses for their roles within the application. If Microsoft Entra ID manages the automatic provisioning based on roles, the roles assigned in Microsoft Entra ID must align with the number of licenses owned within the application. Improper number of licenses owned in the application may lead to errors during the provisioning or updating of a user account.
active-directory Secure Hybrid Access Integrations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/secure-hybrid-access-integrations.md
Title: Secure hybrid access with Microsoft Entra ID integration
+ Title: Secure hybrid access with Microsoft Entra integration
description: Help customers discover and migrate SaaS applications into Microsoft Entra ID and connect apps that use legacy authentication methods with Microsoft Entra ID.
-# Secure hybrid access with Microsoft Entra partner integrations
+# Secure hybrid access with Microsoft Entra integration
Microsoft Entra ID supports modern authentication protocols that help keep applications secure. However, many business applications work in a protected corporate network, and some use legacy authentication methods. As companies build Zero Trust strategies and support hybrid and cloud environments, there are solutions that connect apps to Microsoft Entra ID and provide authentication for legacy applications.
The following diagram illustrates the user authentication flow:
### Users sign in to the applications
-When users sign in to applications, they use OIDC or SAML. If the applications need to interact with Microsoft Graph or Microsoft Entra ID-protected API, we recommend you configure them to use OICD. This configuration ensures the JWT is applied to interact with Microsoft Graph. If there's no need for applications to interact with Microsoft Graph, or Microsoft Entra protected APIs, then use SAML.
+When users sign in to applications, they use OIDC or SAML. If the applications need to interact with Microsoft Graph or Microsoft Entra protected API, we recommend you configure them to use OICD. This configuration ensures the JWT is applied to interact with Microsoft Graph. If there's no need for applications to interact with Microsoft Graph, or Microsoft Entra protected APIs, then use SAML.
The following diagram shows user authentication flow:
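Review bot: the `+` line keeps the typo "OICD" from the `-` line; the protocol is OIDC (OpenID Connect), as spelled correctly at the start of the same sentence ("they use OIDC or SAML"). In the same sentence, "Microsoft Entra protected API" should be "a Microsoft Entra ID-protected API" (or "an API protected by Microsoft Entra ID") so it agrees with the plural "Microsoft Entra protected APIs" later on, and "ensures the JWT is applied to interact with Microsoft Graph" would be clearer as "ensures the application obtains an access token it can present to Microsoft Graph", which is the security-relevant reason for preferring OIDC here.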
active-directory Secure Hybrid Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/secure-hybrid-access.md
Microsoft partners with various companies that deliver pre-built solutions for o
<a name='secure-hybrid-access-through-azure-ad-partner-integrations'></a>
-### Secure hybrid access through Microsoft Entra partner integrations
+<a name='secure-hybrid-access-through-microsoft-entra-partner-integrations'></a>
+
+### Secure hybrid access through Microsoft Entra ID partner integrations
The following partners offer solutions to support [Conditional Access policies per application](secure-hybrid-access-integrations.md#apply-conditional-access-policies). Use the tables in the following sections to learn about the partners and Microsoft Entra integration documentation.
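Review bot: adding `<a name='secure-hybrid-access-through-microsoft-entra-partner-integrations'></a>` is the right way to keep the old fragment working now that the heading's generated slug changes, but the new heading text "Microsoft Entra ID partner integrations" does not match the same commit's rename of the companion article to "Secure hybrid access with Microsoft Entra integration", nor the sentence under the heading ("Microsoft Entra integration documentation"); pick one form, and since the anchor just added encodes `microsoft-entra-partner-integrations`, "Microsoft Entra partner integrations" keeps heading, anchor and link text aligned. The older `<a name='secure-hybrid-access-through-azure-ad-partner-integrations'></a>` is still present, so the section now carries two legacy anchors plus the generated one; that is fine, but a short source comment saying why both are kept would stop a later cleanup from removing them.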
active-directory Tenant Restrictions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/tenant-restrictions.md
The following configuration is required to enable tenant restrictions through yo
- Clients must trust the certificate chain presented by the proxy for TLS communications. For example, if certificates from an internal public key infrastructure (PKI) are used, the internal issuing root certificate authority certificate must be trusted. -- Microsoft Entra ID P1 or P2 1 licenses are required for use of tenant restrictions.
+- Microsoft Entra ID P1 or P2 licenses are required for use of tenant restrictions.
#### Configuration
active-directory V2 Howto App Gallery Listing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/manage-apps/v2-howto-app-gallery-listing.md
To publish your application in the gallery, you must first read and agree to spe
- For password SSO, make sure that your application supports form authentication so that password vaulting can be used. - For federated applications (SAML/WS-Fed), the application should preferably support [software-as-a-service (SaaS) model](https://azure.microsoft.com/overview/what-is-saas/) but it is not mandatory and it can be an on-premises application as well. Enterprise gallery applications must support multiple user configurations and not any specific user.
- - For OpenID Connect, the application should be multitenant and [Microsoft Entra ID consent framework](../develop/application-consent-experience.md) must be correctly implemented. Refer to [this](../develop/howto-convert-app-to-be-multi-tenant.md) link to convert the application into multitenant.
-- Provisioning is optional yet highly recommended. To learn more about Microsoft Entra SCIM, see [build a SCIM endpoint and configure user provisioning with Azure AD](../app-provisioning/use-scim-to-provision-users-and-groups.md).
+ - For OpenID Connect, the application should be multitenant and [Microsoft Entra consent framework](../develop/application-consent-experience.md) must be correctly implemented. Refer to [this](../develop/howto-convert-app-to-be-multi-tenant.md) link to convert the application into multitenant.
+- Provisioning is optional yet highly recommended. To learn more about Microsoft Entra SCIM, see [build a SCIM endpoint and configure user provisioning with Microsoft Entra ID](../app-provisioning/use-scim-to-provision-users-and-groups.md).
You can sign up for a free, test Development account. It's free for 90 days and you get all of the premium Microsoft Entra features with it. You can also extend the account if you use it for development work: [Join the Microsoft 365 Developer Program](/office/developer-program/microsoft-365-developer-program).
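Review bot: the OpenID Connect bullet keeps "Refer to [this](../develop/howto-convert-app-to-be-multi-tenant.md) link", which uses "this" as link text; since the line is being rewritten anyway, suggest descriptive link text such as "see [how to convert the application to multitenant](../develop/howto-convert-app-to-be-multi-tenant.md)".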
active-directory Groups Assign Member Owner https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/privileged-identity-management/groups-assign-member-owner.md
# Assign eligibility for a group in Privileged Identity Management
-In Microsoft Entra ID, formerly known as Microsoft Entra ID, you can use Privileged Identity Management (PIM) to manage just-in-time membership in the group or just-in-time ownership of the group.
+In Azure Active Directory, formerly known as Microsoft Entra ID, you can use Privileged Identity Management (PIM) to manage just-in-time membership in the group or just-in-time ownership of the group.
When a membership or ownership is assigned, the assignment:
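Review bot: the replacement line inverts the rename. "In Azure Active Directory, formerly known as Microsoft Entra ID" states the old name as current and the new name as former; the intended sentence is "In Microsoft Entra ID, formerly known as Azure Active Directory, you can use Privileged Identity Management (PIM) ...". The removed line was also wrong ("formerly known as Microsoft Entra ID"), so neither version should ship.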
active-directory Concept Diagnostic Settings Logs Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-diagnostic-settings-logs-options.md
The `NetworkAccessTrafficLogs` logs are associated with Microsoft Entra Internet
## Next steps -- [Learn about the sign-ins logs](concept-all-sign-ins.md)
+- [Learn about the sign-in logs](concept-all-sign-ins.md)
- [Explore how to access the activity logs](howto-access-activity-logs.md)
active-directory Concept Log Monitoring Integration Options Considerations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-log-monitoring-integration-options-considerations.md
There's a cost for sending data to a Log Analytics workspace, archiving data in
Because the size and cost for sending logs to an endpoint is difficult to predict, the most accurate way to determine your expected costs is to route your logs to an endpoint for day or two. With this snapshot, you can get an accurate prediction for your expected costs. You can also get an estimate of your costs by downloading a sample of your logs and multiplying accordingly to get an estimate for one day.
-Other considerations for sending Microsoft Entra ID logs to Azure Monitor logs are covered in the following Azure Monitor cost details articles:
+Other considerations for sending Microsoft Entra logs to Azure Monitor logs are covered in the following Azure Monitor cost details articles:
- [Azure Monitor logs cost calculations and options](../../azure-monitor/logs/cost-logs.md) - [Azure Monitor cost and usage](../../azure-monitor/usage-estimated-costs.md)
active-directory Concept Sign In Log Activity Details https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-sign-in-log-activity-details.md
# Learn about the sign-in log activity details
-Microsoft Entra ID logs all sign-ins into an Azure tenant for compliance purposes. As an IT administrator, you need to know what the values in the sign-in logs mean, so that you can interpret the log values correctly.
+Microsoft Entra logs all sign-ins into an Azure tenant for compliance purposes. As an IT administrator, you need to know what the values in the sign-in logs mean, so that you can interpret the log values correctly.
- [Learn about the sign-in logs](concept-sign-ins.md). - [Customize and filter the sign-in logs](howto-customize-filter-logs.md)
-This article explains the values on the Basic info tab of the sign-ins log.
+This article explains the values on the Basic info tab of the sign-in log.
## [Basic info](#tab/basic-info)
active-directory Concept Sign Ins https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-sign-ins.md
# What are Microsoft Entra sign-in logs?
-Microsoft Entra ID logs all sign-ins into an Azure tenant, which includes your internal apps and resources. As an IT administrator, you need to know what the values in the sign-in logs mean, so that you can interpret the log values correctly.
+Microsoft Entra logs all sign-ins into an Azure tenant, which includes your internal apps and resources. As an IT administrator, you need to know what the values in the sign-in logs mean, so that you can interpret the log values correctly.
Reviewing sign-in errors and patterns provides valuable insight into how your users access applications and services. The sign-in logs provided by Microsoft Entra ID are a powerful type of [activity log](overview-reports.md) that you can analyze. This article explains how to access and utilize the sign-in logs.
The classic sign-in logs only include interactive user sign-ins.
Interactive sign-ins are performed *by* a user. They provide an authentication factor to Microsoft Entra ID. That authentication factor could also interact with a helper app, such as the Microsoft Authenticator app. Users can provide passwords, responses to MFA challenges, biometric factors, or QR codes to Microsoft Entra ID or to a helper app. This log also includes federated sign-ins from identity providers that are federated to Microsoft Entra ID. **Report size:** small </br> **Examples:**
You may identify Microsoft Graph events that don't correlate to a service princi
Non-interactive sign-ins are done *on behalf of a* user. These delegated sign-ins were performed by a client app or OS components on behalf of a user and don't require the user to provide an authentication factor. Instead, Microsoft Entra ID recognizes when the user's token needs to be refreshed and does so behind the scenes, without interrupting the user's session. In general, the user perceives these sign-ins as happening in the background.
-![Screenshot of the non-interactive user sign-ins log.](media/concept-sign-ins/sign-in-logs-user-noninteractive.png)
+![Screenshot of the non-interactive user sign-in log.](media/concept-sign-ins/sign-in-logs-user-noninteractive.png)
**Report size:** Large </br> **Examples:**
To make it easier to digest the data, non-interactive sign-in events are grouped
:::image type="content" source="media/concept-sign-ins/aggregate-sign-in.png" alt-text="Screenshot of an aggregate sign-in expanded to show all rows." lightbox="media/concept-sign-ins/aggregate-sign-in-expanded.png":::
-When Microsoft Entra ID logs multiple sign-ins that are identical other than time and date, those sign-ins are from the same entity and are aggregated into a single row. A row with multiple identical sign-ins (except for date and time issued) has a value greater than one in the *# sign-ins* column. These aggregated sign-ins may also appear to have the same time stamps. The **Time aggregate** filter can set to 1 hour, 6 hours, or 24 hours. You can expand the row to see all the different sign-ins and their different time stamps.
+When Microsoft Entra logs multiple sign-ins that are identical other than time and date, those sign-ins are from the same entity and are aggregated into a single row. A row with multiple identical sign-ins (except for date and time issued) has a value greater than one in the *# sign-ins* column. These aggregated sign-ins may also appear to have the same time stamps. The **Time aggregate** filter can set to 1 hour, 6 hours, or 24 hours. You can expand the row to see all the different sign-ins and their different time stamps.
Sign-ins are aggregated in the non-interactive users when the following data matches:
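Review bot: "The **Time aggregate** filter can set to 1 hour, 6 hours, or 24 hours" is missing a verb in both the removed and the added line; suggest "can be set to 1 hour, 6 hours, or 24 hours" while this sentence is being touched.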
Sign-ins are aggregated in the non-interactive users when the following data mat
Unlike interactive and non-interactive user sign-ins, service principal sign-ins don't involve a user. Instead, they're sign-ins by any nonuser account, such as apps or service principals (except managed identity sign-in, which are in included only in the managed identity sign-in log). In these sign-ins, the app or service provides its own credential, such as a certificate or app secret to authenticate or access resources.
-![Screenshot of the service principal sign-ins log.](media/concept-sign-ins/sign-in-logs-service-principal.png)
+![Screenshot of the service principal sign-in log.](media/concept-sign-ins/sign-in-logs-service-principal.png)
**Report size:** Large </br> **Examples:**
To make it easier to digest the data in the service principal sign-in logs, serv
Managed identities for Azure resources sign-ins are sign-ins that were performed by resources that have their secrets managed by Azure to simplify credential management. A VM with managed credentials uses Microsoft Entra ID to get an Access Token.
-![Screenshot of the managed identity sign-ins log.](media/concept-sign-ins/sign-in-logs-managed-identity.png)
+![Screenshot of the managed identity sign-in log.](media/concept-sign-ins/sign-in-logs-managed-identity.png)
**Report size:** Small </br> **Examples:**
active-directory Concept Usage Insights Report https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/concept-usage-insights-report.md
With the Microsoft Entra **Usage and insights** reports, you can get an applicat
To access the data from Usage and insights you must have: * A Microsoft Entra tenant
-* A Microsoft Entra ID P1 or P2 (P1/P2) license to view the sign-in data
+* A Microsoft Entra ID P1 or P2 license to view the sign-in data
* A user in the Reports Reader, Security Reader, Security Administrator, or Global Administrator role. ## Access Usage and insights
active-directory Howto Access Activity Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-access-activity-logs.md
The required roles and licenses may vary based on the report. Global Administrat
|--|--|--| | Audit | Reports Reader<br>Security Reader<br>Security Administrator<br>Global Reader | All editions of Microsoft Entra ID | | Sign-ins | Reports Reader<br>Security Reader<br>Security Administrator<br>Global Reader | All editions of Microsoft Entra ID |
-| Provisioning | Same as audit and sign-ins, plus<br>Security Operator<br>Application Administrator<br>Cloud App Administrator<br>A custom role with `provisioningLogs` permission | Premium P1/P2 |
-| Usage and insights | Security Reader<br>Reports Reader<br> Security Administrator | Premium P1/P2 |
-| Identity Protection* | Security Administrator<br>Security Operator<br>Security Reader<br>Global Reader | Microsoft Entra ID Free/Microsoft 365 Apps<br>Microsoft Entra ID P1/P2 |
+| Provisioning | Same as audit and sign-ins, plus<br>Security Operator<br>Application Administrator<br>Cloud App Administrator<br>A custom role with `provisioningLogs` permission | Premium P1 or P2 |
+| Usage and insights | Security Reader<br>Reports Reader<br> Security Administrator | Premium P1 or P2 |
+| Identity Protection* | Security Administrator<br>Security Operator<br>Security Reader<br>Global Reader | Microsoft Entra ID Free/Microsoft 365 Apps<br>Microsoft Entra ID P1 or P2 |
*The level of access and capabilities for Identity Protection vary with the role and license. For more information, see the [license requirements for Identity Protection](../identity-protection/overview-identity-protection.md#license-requirements).
-Audit logs are available for features that you've licensed. To access the sign-ins logs using the Microsoft Graph API, your tenant must have a Microsoft Entra ID P1 or P2 license associated with it.
+Audit logs are available for features that you've licensed. To access the sign-in logs using the Microsoft Graph API, your tenant must have a Microsoft Entra ID P1 or P2 license associated with it.
## Stream logs to an event hub to integrate with SIEM tools
active-directory Howto Analyze Provisioning Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-analyze-provisioning-logs.md
The Microsoft Entra provisioning logs provide details about the provisioning events that occur in your tenant. You can use the information captured in the provisioning logs to help troubleshoot issues with a provisioned user.
-This article describes the options for downloading the provisioning logs from the Microsoft Entra portal as well as how to analyze the logs. Error codes and special considerations are also included.
+This article describes the options for downloading the provisioning logs from the Microsoft Entra admin center as well as how to analyze the logs. Error codes and special considerations are also included.
## Prerequisites
active-directory Howto Configure Prerequisites For Reporting Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-configure-prerequisites-for-reporting-api.md
Programmatic access APIs:
- GET `https://graph.microsoft.com/v1.0/auditLogs/directoryAudits` - GET `https://graph.microsoft.com/v1.0/auditLogs/signIns`
-**Error: Neither tenant is B2C or tenant doesn't have premium license**: Accessing sign-in reports requires a Microsoft Entra ID P1 or P2 1 (P1) license. If you see this error message while accessing sign-ins, make sure that your tenant is licensed with a Microsoft Entra ID P1 license.
+**Error: Neither tenant is B2C or tenant doesn't have premium license**: Accessing sign-in reports requires a Microsoft Entra ID P1 or P2 license. If you see this error message while accessing sign-ins, make sure that your tenant is licensed with a Microsoft Entra ID P1 license.
**Error: User isn't in the allowed roles**: If you see this error message while trying to access audit logs or sign-ins using the API, make sure that your account is part of the **Security Reader** or **Reports Reader** role in your Microsoft Entra tenant.
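Review bot: the added line is internally inconsistent. The first sentence now says the reports require "a Microsoft Entra ID P1 or P2 license", but the second still says "make sure that your tenant is licensed with a Microsoft Entra ID P1 license"; suggest "licensed with a Microsoft Entra ID P1 or P2 license" so the remedy matches the requirement.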
active-directory Howto Customize Filter Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-customize-filter-logs.md
The required roles and licenses may vary based on the report. Global Administrat
|--|--|--| | Audit | Report Reader<br>Security Reader<br>Security Administrator<br>Global Reader | All editions of Microsoft Entra ID | | Sign-ins | Report Reader<br>Security Reader<br>Security Administrator<br>Global Reader | All editions of Microsoft Entra ID |
-| Provisioning | Same as audit and sign-ins, plus<br>Security Operator<br>Application Administrator<br>Cloud App Administrator<br>A custom role with `provisioningLogs` permission | Premium P1/P2 |
-| Conditional Access data in the sign-in logs | Company Administrator<br>Global Reader<br>Security Administrator<br>Security Reader<br>Conditional Access Administrator | Premium P1/P2 |
+| Provisioning | Same as audit and sign-ins, plus<br>Security Operator<br>Application Administrator<br>Cloud App Administrator<br>A custom role with `provisioningLogs` permission | Premium P1 or P2 |
+| Conditional Access data in the sign-in logs | Company Administrator<br>Global Reader<br>Security Administrator<br>Security Reader<br>Conditional Access Administrator | Premium P1 or P2 |
## How to access the activity logs in the Microsoft Entra admin center
active-directory Howto Download Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-download-logs.md
The required roles and licenses may vary based on the report. Global Administrat
|--|--|--| | Audit | Report Reader<br>Security Reader<br>Security Administrator<br>Global Reader | All editions of Microsoft Entra ID | | Sign-ins | Report Reader<br>Security Reader<br>Security Administrator<br>Global Reader | All editions of Microsoft Entra ID |
-| Provisioning | Same as audit and sign-ins, plus<br>Security Operator<br>Application Administrator<br>Cloud App Administrator<br>A custom role with `provisioningLogs` permission | Premium P1/P2 |
+| Provisioning | Same as audit and sign-ins, plus<br>Security Operator<br>Application Administrator<br>Cloud App Administrator<br>A custom role with `provisioningLogs` permission | P1 or P2 |
## Log download details
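Review bot: the license column here becomes "P1 or P2" while the same row in howto-access-activity-logs.md and howto-customize-filter-logs.md becomes "Premium P1 or P2" in this changeset; pick one wording (the tables also use the full "Microsoft Entra ID P1 or P2" elsewhere) so the three role-and-license tables stay identical.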
active-directory Howto Stream Logs To Event Hub https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-stream-logs-to-event-hub.md
To use this feature, you need the [Splunk Add-on for Microsoft Cloud Services](h
<a name='integrate-azure-ad-logs-with-splunk'></a>
-### Integrate Microsoft Entra ID logs with Splunk
+<a name='integrate-microsoft-entra-id-logs-with-splunk'></a>
+
+### Integrate Microsoft Entra logs with Splunk
1. Open your Splunk instance and select **Data Summary**.
To use this feature, you need a SumoLogic single sign-on enabled subscription.
<a name='integrate-azure-ad-logs-with-sumologic-'></a>
-### Integrate Microsoft Entra ID logs with SumoLogic
+<a name='integrate-microsoft-entra-id-logs-with-sumologic'></a>
+
+### Integrate Microsoft Entra logs with SumoLogic
1. Configure your SumoLogic instance to [collect logs for Microsoft Entra ID](https://help.sumologic.com/docs/integrations/microsoft-azure/active-directory-azure#collecting-logs-for-azure-active-directory).
Download and open the [configuration guide for ArcSight SmartConnector for Azure
<a name='integrate-azure-ad-logs-with-arcsight'></a>
-## Integrate Microsoft Entra ID logs with ArcSight
+<a name='integrate-microsoft-entra-id-logs-with-arcsight'></a>
+
+## Integrate Microsoft Entra logs with ArcSight
1. Complete the steps in the **Prerequisites** section of the ArcSight configuration guide. This section includes the following steps: * Set user permissions in Azure to ensure there's a user with the **owner** role to deploy and configure the connector.
active-directory Howto Troubleshoot Sign In Errors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-troubleshoot-sign-in-errors.md
The Microsoft Entra sign-in logs enable you to find answers to questions around
- How many users have users signed in over a week? - WhatΓÇÖs the status of these sign-ins?
-In addition, the sign-ins logs can also help you troubleshoot sign-in failures for users in your organization. In this guide, you learn how to isolate a sign-in failure in the sign-ins report, and use it to understand the root cause of the failure. Some common sign-in errors are also described.
+In addition, the sign-in logs can also help you troubleshoot sign-in failures for users in your organization. In this guide, you learn how to isolate a sign-in failure in the sign-ins report, and use it to understand the root cause of the failure. Some common sign-in errors are also described.
## Prerequisites You need:
-* A Microsoft Entra tenant with a Premium P1/P2 license.
+* A Microsoft Entra tenant with a P1 or P2 license.
* A user with the **Reports Reader**, **Security Reader**, **Security Administrator**, or **Global Administrator** role for the tenant. * In addition, any user can access their own sign-ins from https://mysignins.microsoft.com.
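Review bot: the renamed sentence still says "isolate a sign-in failure in the sign-ins report" after changing "sign-ins logs" to "sign-in logs" in the same line; suggest "in the sign-in report" (or "in the sign-in log", matching the article's terminology) so the rename is complete.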
active-directory Howto Use Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-use-recommendations.md
The Microsoft Entra recommendations feature provides you with personalized insights with actionable guidance to: -- Help you identify opportunities to implement best practices for Microsoft Entra ID-related features.
+- Help you identify opportunities to implement best practices for Microsoft Entra related features.
- Improve the state of your Microsoft Entra tenant. - Optimize the configurations for your scenarios.
active-directory Howto Use Sign In Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/howto-use-sign-in-diagnostics.md
You can start the Sign-in diagnostic from a specific sign-in event in the Sign-i
- You can filter your list to make it easier to find specific sign-in events. 1. From the Activity Details window that opens, select the **Launch the Sign-in diagnostic** link.
- ![Screenshot showing how to launch sign-in diagnostics from Azure AD.](./media/overview-sign-in-diagnostics/sign-in-logs-link.png)
+ ![Screenshot showing how to launch sign-in diagnostics from Microsoft Entra ID.](./media/overview-sign-in-diagnostics/sign-in-logs-link.png)
1. Explore the results and take action as necessary. ### From a support request
active-directory Overview Flagged Sign Ins https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/overview-flagged-sign-ins.md
# What are flagged sign-ins in Microsoft Entra ID?
-As an IT admin, when a user failed to sign-in, you want to resolve the issue as soon as possible to unblock your user. Due to the amount of available data in the sign-ins log, locating the right information can be a challenge.
+As an IT admin, when a user failed to sign-in, you want to resolve the issue as soon as possible to unblock your user. Due to the amount of available data in the sign-in log, locating the right information can be a challenge.
This article gives you an overview of a feature that significantly improves the time it takes to resolve user sign-in problems by making the related problems easy to find.
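Review bot: "when a user failed to sign-in" uses the hyphenated noun where the verb is needed; since the line is being edited, suggest "when a user fails to sign in" (the hyphenated form stays for nouns such as "sign-in log" and "sign-in page", which the rest of the line uses correctly).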
Microsoft Entra sign-in events are critical to understanding what went right or
Flagged Sign-ins is a feature intended to increase the signal to noise ratio for user sign-ins requiring help. The functionality is intended to empower users to raise awareness about sign-in errors they want help with. Admins and help desk workers also benefit from finding the right events more efficiently. Flagged Sign-in events contain the same information as other sign-in events contain with one addition: they also indicate that a user flagged the event for review by admins.
-Flagged sign-ins give the user the ability to enable flagging when an error is seen on a sign-in page and then reproduce that error. The error event then appears as ΓÇ£Flagged for ReviewΓÇ¥ in the Microsoft Entra sign-ins log.
+Flagged sign-ins give the user the ability to enable flagging when an error is seen on a sign-in page and then reproduce that error. The error event then appears as ΓÇ£Flagged for ReviewΓÇ¥ in the Microsoft Entra sign-in log.
In summary, you can use flagged sign-ins to:
active-directory Overview Monitoring Health https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/overview-monitoring-health.md
Audit logs provide you with records of system activities for compliance. This da
### Sign-in logs
-The sign-ins logs enable you to find answers to questions such as:
+The sign-in logs enable you to find answers to questions such as:
- What is the sign-in pattern of a user? - How many users have users signed in over a week?
Monitoring Microsoft Entra activity logs requires routing the log data to a moni
For an overview of how to access, store, and analyze activity logs, see [How to access activity logs](howto-access-activity-logs.md).-
active-directory Overview Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/overview-recommendations.md
Microsoft Entra recommendations now include *identity secure score* recommendati
All these Microsoft Entra recommendations provide you with personalized insights with actionable guidance to: -- Help you identify opportunities to implement best practices for Microsoft Entra ID-related features.
+- Help you identify opportunities to implement best practices for Microsoft Entra related features.
- Improve the state of your Microsoft Entra tenant. - Optimize the configurations for your scenarios.
active-directory Quickstart Access Log With Graph Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/quickstart-access-log-with-graph-api.md
Title: Analyze Microsoft Entra sign-in logs with the Microsoft Graph API
-description: Learn how to access the sign-ins log and analyze a single sign-in attempt using the Microsoft Graph API.
+description: Learn how to access the sign-in log and analyze a single sign-in attempt using the Microsoft Graph API.
# Quickstart: Access Microsoft Entra logs with the Microsoft Graph API
-With the information in the Microsoft Entra sign-in logs, you can figure out what happened if a sign-in of a user failed. This quickstart shows you how to access the sign-ins log using the Microsoft Graph API.
+With the information in the Microsoft Entra sign-in logs, you can figure out what happened if a sign-in of a user failed. This quickstart shows you how to access the sign-in log using the Microsoft Graph API.
## Prerequisites
To complete the scenario in this quickstart, you need:
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
-The goal of this step is to create a record of a failed sign-in in the Microsoft Entra sign-ins log.
+The goal of this step is to create a record of a failed sign-in in the Microsoft Entra sign-in log.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as Isabella Simonsen using an incorrect password.
-2. Wait for 5 minutes to ensure that you can find a record of the sign-in in the sign-ins log.
+2. Wait for 5 minutes to ensure that you can find a record of the sign-in in the sign-in log.
## Find the failed sign-in
active-directory Quickstart Analyze Sign In https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/quickstart-analyze-sign-in.md
Title: Quickstart guide to analyze a failed Microsoft Entra sign-in
-description: In this quickstart, you learn how you can use the sign-ins log to determine the reason for a failed sign-in to Microsoft Entra ID.
+description: In this quickstart, you learn how you can use the sign-in log to determine the reason for a failed sign-in to Microsoft Entra ID.
-#Customer intent: As an IT admin, you need to know how to use the sign-ins log so that you can fix sign-in issues.
+#Customer intent: As an IT admin, you need to know how to use the sign-in log so that you can fix sign-in issues.
-# Quickstart: Analyze sign-ins with the Microsoft Entra sign-ins log
+# Quickstart: Analyze sign-ins with the Microsoft Entra sign-in log
-With the information in the Microsoft Entra sign-ins log, you can figure out what happened if a sign-in of a user failed. This quickstart shows how to you can locate failed sign-in using the sign-ins log.
+With the information in the Microsoft Entra sign-in log, you can figure out what happened if a sign-in of a user failed. This quickstart shows how to you can locate failed sign-in using the sign-in log.
## Prerequisites
To complete the scenario in this quickstart, you need:
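Review bot: "This quickstart shows how to you can locate failed sign-in using the sign-in log" carries a word-order error and a missing article through the rename; suggest "This quickstart shows how you can locate a failed sign-in using the sign-in log."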
## Perform a failed sign-in
-The goal of this step is to create a record of a failed sign-in in the Microsoft Entra sign-ins log.
+The goal of this step is to create a record of a failed sign-in in the Microsoft Entra sign-in log.
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as Isabella Simonsen using an incorrect password.
-2. Wait for 5 minutes to ensure that you can find the event in the sign-ins log.
+2. Wait for 5 minutes to ensure that you can find the event in the sign-in log.
## Find the failed sign-in
-This section provides you with the steps to analyze a failed sign-in. Filter the sign-ins log to remove all records that aren't relevant to your analysis. For example, set a filter to display only the records of a specific user. Then you can review the error details. The log details provide helpful information. You can also look up the error using the [sign-in error lookup tool](https://login.microsoftonline.com/error). This tool might provide you with information to troubleshoot a sign-in error.
+This section provides you with the steps to analyze a failed sign-in. Filter the sign-in log to remove all records that aren't relevant to your analysis. For example, set a filter to display only the records of a specific user. Then you can review the error details. The log details provide helpful information. You can also look up the error using the [sign-in error lookup tool](https://login.microsoftonline.com/error). This tool might provide you with information to troubleshoot a sign-in error.
[!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
active-directory Recommendation Remove Unused Credential From Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/recommendation-remove-unused-credential-from-apps.md
Applications that the recommendation identified appear in the list of **Impacted
1. Navigate to the **Certificates & Secrets** section of the app registration.
- ![Screenshot of the Certificates and secrets section of Azure AD.](media/recommendation-remove-unused-credential-from-apps/app-certificates-secrets.png)
+ ![Screenshot of the Certificates and secrets section of Microsoft Entra ID.](media/recommendation-remove-unused-credential-from-apps/app-certificates-secrets.png)
1. Locate the unused credential and remove it.
active-directory Recommendation Renew Expiring Application Credential https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/recommendation-renew-expiring-application-credential.md
Applications that the recommendation identified appear in the list of **Impacted
1. Navigate to the **Certificates & Secrets** section of the app registration. 1. Pick the credential type that you want to rotate and navigate to either **Certificates** or **Client Secret** tab and follow the prompts.
- ![Screenshot of the Certificates and secrets section of Azure AD.](media/recommendation-renew-expiring-application-credential/app-certificates-secrets.png)
+ ![Screenshot of the Certificates and secrets section of Microsoft Entra ID.](media/recommendation-renew-expiring-application-credential/app-certificates-secrets.png)
1. Once the certificate or secret is successfully added, update the service code to ensure it works with the new credential and doesn't negatively affect customers. 1. Use the Microsoft Entra sign-in logs to validate that the Key ID of the credential matches the one that was recently added.
active-directory Reference Audit Activities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-audit-activities.md
The Self-service password management logs provide insight into changes made to p
- [Microsoft Entra monitoring and health overview](overview-monitoring-health.md). - [Audit logs report](concept-audit-logs.md). -- [Programmatic access to Microsoft Entra ID reports](./howto-configure-prerequisites-for-reporting-api.md)
+- [Programmatic access to Microsoft Entra reports](./howto-configure-prerequisites-for-reporting-api.md)
active-directory Reference Azure Monitor Sign Ins Log Schema https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema.md
This article describes the Microsoft Entra sign-in log schema in Azure Monitor.
| ResultDescription | N/A or blank | Provides the error description for the sign-in operation. | | riskDetail | riskDetail | Provides the 'reason' behind a specific state of a risky user, sign-in or a risk detection. The possible values are: `none`, `adminGeneratedTemporaryPassword`, `userPerformedSecuredPasswordChange`, `userPerformedSecuredPasswordReset`, `adminConfirmedSigninSafe`, `aiConfirmedSigninSafe`, `userPassedMFADrivenByRiskBasedPolicy`, `adminDismissedAllRiskForUser`, `adminConfirmedSigninCompromised`, `unknownFutureValue`. The value `none` means that no action has been performed on the user or sign-in so far. <br>**Note:** Details for this property require a Microsoft Entra ID P2 license. Other licenses return the value `hidden`. | | riskEventTypes | riskEventTypes | Risk detection types associated with the sign-in. The possible values are: `unlikelyTravel`, `anonymizedIPAddress`, `maliciousIPAddress`, `unfamiliarFeatures`, `malwareInfectedIPAddress`, `suspiciousIPAddress`, `leakedCredentials`, `investigationsThreatIntelligence`, `generic`, and `unknownFutureValue`. |
-| authProcessingDetails | Azure Active Directory authentication library | Contains Family, Library, and Platform information in format: "Family: Microsoft Authentication Library: ADAL.JS 1.0.0 Platform: JS" |
+| authProcessingDetails | Azure Active Directory Authentication Library | Contains Family, Library, and Platform information in format: "Family: Microsoft Authentication Library: ADAL.JS 1.0.0 Platform: JS" |
| authProcessingDetails | IsCAEToken | Values are True or False | | riskLevelAggregated | riskLevel | Aggregated risk level. The possible values are: `none`, `low`, `medium`, `high`, `hidden`, and `unknownFutureValue`. The value `hidden` means the user or sign-in wasn't enabled for Microsoft Entra ID Protection. **Note:** Details for this property are only available for Microsoft Entra ID P2 customers. All other customers will be returned `hidden`. | | riskLevelDuringSignIn | riskLevel | Risk level during sign-in. The possible values are: `none`, `low`, `medium`, `high`, `hidden`, and `unknownFutureValue`. The value `hidden` means the user or sign-in wasn't enabled for Microsoft Entra ID Protection. **Note:** Details for this property are only available for Microsoft Entra ID P2 customers. All other customers will be returned `hidden`. |
active-directory Reference Powershell Reporting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-powershell-reporting.md
Install-module AzureADPreview
For more information on how to connect to Microsoft Entra ID using PowerShell, see the article [Azure AD PowerShell for Graph](/powershell/azure/active-directory/install-adv2).
-With Microsoft Entra ID reports, you can get details on activities around all the write operations in your direction (audit logs) and authentication data (sign-in logs). Although the information is available by using the MS Graph API, now you can retrieve the same data by using the Azure AD PowerShell cmdlets for reporting.
+With Microsoft Entra reports, you can get details on activities around all the write operations in your direction (audit logs) and authentication data (sign-in logs). Although the information is available by using the MS Graph API, now you can retrieve the same data by using the Azure AD PowerShell cmdlets for reporting.
This article gives you an overview of the PowerShell cmdlets to use for audit logs and sign-in logs.
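Review bot: the typo "in your direction" in the first sentence is carried over unchanged into the + line; it should read "in your directory", since the audit logs record write operations against the directory. While that sentence is being edited, "MS Graph API" should be spelled out as "Microsoft Graph API" to match the rest of the documentation.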
You get access to the audit logs using the `Get-AzureADAuditDirectoryLogs` cmdle
The following image shows an example for this command.
-![Screenshot shows the result of the `Get Azure A D Audit Directory Logs command.](./media/reference-powershell-reporting/get-azureadauditdirectorylogs.png)
+![Screenshot shows the result of the `Get Azure AD Audit Directory Logs` command.](./media/reference-powershell-reporting/get-azureadauditdirectorylogs.png)
The following image shows an example for this command.
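Review bot: the + line puts a spaced-out rendering, `Get Azure AD Audit Directory Logs`, inside a code span, which is not the name of the cmdlet the surrounding text uses (`Get-AzureADAuditDirectoryLogs`); alt text should either carry the real cmdlet name or drop the code span and describe the screenshot in plain words, for example "Screenshot shows the result of the Get-AzureADAuditDirectoryLogs command."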
The [sign-ins](concept-sign-ins.md) logs provide information about the usage of managed applications and user sign-in activities.
-You get access to the sign-in logs using the `Get-AzureADAuditSignInLogs cmdlet.
+You get access to the sign-in logs using the `Get-AzureADAuditSignInLogs` cmdlet.
| Scenario | PowerShell command |
You get access to the sign-in logs using the `Get-AzureADAuditSignInLogs cmdlet.
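Review bot: the unterminated code span this hunk closes appears a second time in the trailing context, after the table header, with the same missing backtick (`Get-AzureADAuditSignInLogs cmdlet.`); the second occurrence needs the same fix, or, if it is an accidental duplicate of the sentence above the table, it should be removed.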
The following image shows an example for this command.
-![Screenshot shows the result of the Get Azure A D Audit Sign In Logs command.](./media/reference-powershell-reporting/get-azureadauditsigninlogs.png)
+![Screenshot shows the result of the `Get Azure A D Audit Sign In Logs` command.](./media/reference-powershell-reporting/get-azureadauditsigninlogs.png)
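Review bot: the + line still reads "Get Azure A D Audit Sign In Logs" inside the code span; the sibling hunk for the audit-log screenshot corrected "A D" to "AD" but this one did not, and in any case the span should carry the actual cmdlet name, `Get-AzureADAuditSignInLogs`, or the code span should be dropped from the alt text altogether.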
## Next steps -- [Microsoft Entra ID reports overview](overview-reports.md).
+- [Microsoft Entra reports overview](overview-reports.md).
- [Audit logs report](concept-audit-logs.md). -- [Programmatic access to Microsoft Entra ID reports](./howto-configure-prerequisites-for-reporting-api.md)
+- [Programmatic access to Microsoft Entra reports](./howto-configure-prerequisites-for-reporting-api.md)
active-directory Reference Sla Performance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/reference-sla-performance.md
To access your tenant-level SLA performance:
* [Microsoft Entra monitoring and health overview](overview-monitoring-health.md) * [Programmatic access to Microsoft Entra reports](./howto-configure-prerequisites-for-reporting-api.md)
-* [Microsoft Entra ID risk detections](../identity-protection/overview-identity-protection.md)
-
+* [Microsoft Entra risk detections](../identity-protection/overview-identity-protection.md)
active-directory Tutorial Configure Log Analytics Workspace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/reports-monitoring/tutorial-configure-log-analytics-workspace.md
Title: Configure a log analytics workspace in Microsoft Entra ID
-description: Learn how to configure a Microsoft Entra Log Analytics workspace and run Kusto queries on your identity data.
+description: Learn how to configure a log analytics workspace in Microsoft Entra ID and run Kusto queries on your identity data.
active-directory Admin Units Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/admin-units-manage.md
You can create a new administrative unit by using either the Microsoft Entra adm
1. Browse to **Identity** > **Roles & admins** > **Admin units**.
- ![Screenshot of the Administrative units page in Azure AD.](./media/admin-units-manage/nav-to-admin-units.png)
+ ![Screenshot of the Administrative units page.](./media/admin-units-manage/nav-to-admin-units.png)
1. Select **Add**.
active-directory Permissions Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/permissions-reference.md
This article lists the Microsoft Entra built-in roles you can assign to allow ma
> | [Partner Tier1 Support](#partner-tier1-support) | Do not use - not intended for general use.<br/>[![Privileged label icon.](./medi) | 4ba39ca4-527c-499a-b93d-d9b492c50246 | > | [Partner Tier2 Support](#partner-tier2-support) | Do not use - not intended for general use.<br/>[![Privileged label icon.](./medi) | e00e864a-17c5-4a4b-9c06-f5b95a8d5bd8 | > | [Password Administrator](#password-administrator) | Can reset passwords for non-administrators and Password Administrators.<br/>[![Privileged label icon.](./medi) | 966707d0-3269-4727-9be2-8c3a10f19b9d |
-> | [Permissions Management Administrator](#permissions-management-administrator) | Manage all aspects of Entra Permissions Management. | af78dc32-cf4d-46f9-ba4e-4428526346b5 |
+> | [Permissions Management Administrator](#permissions-management-administrator) | Manage all aspects of Microsoft Entra Permissions Management. | af78dc32-cf4d-46f9-ba4e-4428526346b5 |
> | [Power Platform Administrator](#power-platform-administrator) | Can create and manage all aspects of Microsoft Dynamics 365, Power Apps and Power Automate. | 11648597-926c-4cf3-9c36-bcebb0ba8dcc | > | [Printer Administrator](#printer-administrator) | Can manage all aspects of printers and printer connectors. | 644ef478-e28f-4e28-b9dc-3fdde9aa0b1f | > | [Printer Technician](#printer-technician) | Can register and unregister printers and update printer status. | e8cef6f1-e4bd-4ea8-bc07-4b8d950f4477 |
This is a [privileged role](privileged-roles-permissions.md). Users with this ro
> | microsoft.commerce.billing/purchases/standard/read | Read purchase services in M365 Admin Center. | > | microsoft.dynamics365/allEntities/allTasks | Manage all aspects of Dynamics 365 | > | microsoft.edge/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Edge |
-> | microsoft.networkAccess/allEntities/allProperties/allTasks | Manage all aspects of Entra Network Access |
+> | microsoft.networkAccess/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Entra Network Access |
> | microsoft.flow/allEntities/allTasks | Manage all aspects of Microsoft Power Automate | > | microsoft.hardware.support/shippingAddress/allProperties/allTasks | Create, read, update, and delete shipping addresses for Microsoft hardware warranty claims, including shipping addresses created by others | > | microsoft.hardware.support/shippingStatus/allProperties/read | Read shipping status for open Microsoft hardware warranty claims |
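Review bot: the microsoft.networkAccess row is placed between microsoft.edge and microsoft.flow, which breaks the alphabetical ordering the rest of the table follows (commerce.billing, dynamics365, edge, flow, hardware.support); move the row into its alphabetical position after the microsoft.hardware.support rows so readers scanning a long permission list can find it.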
This is a [privileged role](privileged-roles-permissions.md). Users with this ro
> | microsoft.office365.userCommunication/allEntities/allTasks | Read and update what's new messages visibility | > | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center | > | microsoft.office365.yammer/allEntities/allProperties/allTasks | Manage all aspects of Yammer |
-> | microsoft.permissionsManagement/allEntities/allProperties/allTasks | Manage all aspects of Entra Permissions Management |
+> | microsoft.permissionsManagement/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Entra Permissions Management |
> | microsoft.powerApps/allEntities/allTasks | Manage all aspects of Power Apps | > | microsoft.powerApps.powerBI/allEntities/allTasks | Manage all aspects of Fabric and Power BI | > | microsoft.teams/allEntities/allProperties/allTasks | Manage all resources in Teams |
Users with this role **cannot** do the following:
> | microsoft.commerce.billing/allEntities/allProperties/read | Read all resources of Office 365 billing | > | microsoft.commerce.billing/purchases/standard/read | Read purchase services in M365 Admin Center. | > | microsoft.edge/allEntities/allProperties/read | Read all aspects of Microsoft Edge |
-> | microsoft.networkAccess/allEntities/allProperties/read | Read all aspects of Entra Network Access |
+> | microsoft.networkAccess/allEntities/allProperties/read | Read all aspects of Microsoft Entra Network Access |
> | microsoft.hardware.support/shippingAddress/allProperties/read | Read shipping addresses for Microsoft hardware warranty claims, including existing shipping addresses created by others | > | microsoft.hardware.support/shippingStatus/allProperties/read | Read shipping status for open Microsoft hardware warranty claims | > | microsoft.hardware.support/warrantyClaims/allProperties/read | Read Microsoft hardware warranty claims |
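Review bot: same ordering problem as in the previous table: the microsoft.networkAccess row sits between microsoft.edge and microsoft.hardware.support instead of in alphabetical position; since these tables are the reference readers use to audit what a role can read, keeping the sort order consistent matters more than in ordinary prose.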
Users with this role **cannot** do the following:
> | microsoft.office365.usageReports/allEntities/allProperties/read | Read Office 365 usage reports | > | microsoft.office365.webPortal/allEntities/standard/read | Read basic properties on all resources in the Microsoft 365 admin center | > | microsoft.office365.yammer/allEntities/allProperties/read | Read all aspects of Yammer |
-> | microsoft.permissionsManagement/allEntities/allProperties/read | Read all aspects of Entra Permissions Management |
+> | microsoft.permissionsManagement/allEntities/allProperties/read | Read all aspects of Microsoft Entra Permissions Management |
> | microsoft.teams/allEntities/allProperties/read | Read all properties of Microsoft Teams | > | microsoft.virtualVisits/allEntities/allProperties/read | Read all aspects of Virtual Visits | > | microsoft.viva.goals/allEntities/allProperties/read | Read all aspects of Microsoft Viva Goals |
Users with this role **cannot** do the following:
> | microsoft.directory/crossTenantAccessPolicy/standard/read | Read basic properties of cross-tenant access policy | > | microsoft.directory/namedLocations/standard/read | Read basic properties of custom rules that define network locations | > | microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties |
-> | microsoft.networkAccess/allEntities/allProperties/allTasks | Manage all aspects of Entra Network Access |
+> | microsoft.networkAccess/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Entra Network Access |
> | microsoft.office365.messageCenter/messages/read | Read messages in Message Center in the Microsoft 365 admin center, excluding security messages | > | microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center | > | microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests |
Users with this role **cannot** do the following:
Assign the Permissions Management Administrator role to users who need to do the following tasks: -- Manage all aspects of Entra Permissions Management, when the service is present
+- Manage all aspects of Microsoft Entra Permissions Management, when the service is present
Learn more about Permissions Management roles and polices at [View information about roles/policies](../cloud-infrastructure-entitlement-management/how-to-view-role-policy.md). > [!div class="mx-tableFixed"] > | Actions | Description | > | | |
-> | microsoft.permissionsManagement/allEntities/allProperties/allTasks | Manage all aspects of Entra Permissions Management |
+> | microsoft.permissionsManagement/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Entra Permissions Management |
## Power Platform Administrator
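Review bot: "roles and polices" in the sentence that introduces the Actions table (unchanged context just above the changed row) should read "roles and policies"; worth fixing in the same pass, since the sentence is adjacent to the row being edited.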
Azure Advanced Threat Protection | Monitor and respond to suspicious security ac
> | microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties | > | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health | > | microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets |
-> | microsoft.networkAccess/allEntities/allProperties/allTasks | Manage all aspects of Entra Network Access |
+> | microsoft.networkAccess/allEntities/allProperties/allTasks | Manage all aspects of Microsoft Entra Network Access |
> | microsoft.office365.protectionCenter/allEntities/standard/read | Read standard properties of all resources in the Security and Compliance centers | > | microsoft.office365.protectionCenter/allEntities/basic/update | Update basic properties of all resources in the Security and Compliance centers | > | microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/allTasks | Create and manage attack payloads in Attack Simulator |
In | Can do
> | microsoft.directory/provisioningLogs/allProperties/read | Read all properties of provisioning logs | > | microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties | > | microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health |
-> | microsoft.networkAccess/allEntities/allProperties/read | Read all aspects of Entra Network Access |
+> | microsoft.networkAccess/allEntities/allProperties/read | Read all aspects of Microsoft Entra Network Access |
> | microsoft.office365.protectionCenter/allEntities/standard/read | Read standard properties of all resources in the Security and Compliance centers | > | microsoft.office365.protectionCenter/attackSimulator/payload/allProperties/read | Read all properties of attack payloads in Attack Simulator | > | microsoft.office365.protectionCenter/attackSimulator/reports/allProperties/read | Read reports of attack simulation, responses, and associated training |
active-directory Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/prerequisites.md
Previously updated : 03/17/2022 Last updated : 10/10/2023
You must have the Microsoft Graph PowerShell SDK installed:
## Azure AD PowerShell module + To use PowerShell commands to do the following: - List role assignments
To use PowerShell commands to do the following:
You must have the following module installed: -- [Microsoft Entra ID](https://www.powershellgallery.com/packages/AzureAD) (current version)-
+- [Azure AD PowerShell module](https://www.powershellgallery.com/packages/AzureAD) (current version)
<a name='check-azuread-version'></a>
To use Azure AD PowerShell, follow these steps to make sure it is imported into
## AzureADPreview module + To use PowerShell commands to do the following: - Assign roles to users or groups
active-directory Privileged Roles Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/roles/privileged-roles-permissions.md
For example:
| | | | namespace | Product or service that exposes the task and is prepended with `microsoft`. For example, all tasks in Microsoft Entra ID use the `microsoft.directory` namespace. | | entity | Logical feature or component exposed by the service in Microsoft Graph. For example, Microsoft Entra ID exposes User and Groups, OneNote exposes Notes, and Exchange exposes Mailboxes and Calendars. There is a special `allEntities` keyword for specifying all entities in a namespace. This is often used in roles that grant access to an entire product. |
-| propertySet | Specific properties or aspects of the entity for which access is being granted. For example, `microsoft.directory/applications/authentication/read` grants the ability to read the reply URL, logout URL, and implicit flow property on the application object in Azure AD.<ul><li>`allProperties` designates all properties of the entity, including privileged properties.</li><li>`standard` designates common properties, but excludes privileged ones related to `read` action. For example, `microsoft.directory/user/standard/read` includes the ability to read standard properties like public phone number and email address, but not the private secondary phone number or email address used for multifactor authentication.</li><li>`basic` designates common properties, but excludes privileged ones related to the `update` action. The set of properties that you can read may be different from what you can update. ThatΓÇÖs why there are `standard` and `basic` keywords to reflect that.</li></ul> |
+| propertySet | Specific properties or aspects of the entity for which access is being granted. For example, `microsoft.directory/applications/authentication/read` grants the ability to read the reply URL, logout URL, and implicit flow property on the application object in Microsoft Entra ID.<ul><li>`allProperties` designates all properties of the entity, including privileged properties.</li><li>`standard` designates common properties, but excludes privileged ones related to `read` action. For example, `microsoft.directory/user/standard/read` includes the ability to read standard properties like public phone number and email address, but not the private secondary phone number or email address used for multifactor authentication.</li><li>`basic` designates common properties, but excludes privileged ones related to the `update` action. The set of properties that you can read may be different from what you can update. ThatΓÇÖs why there are `standard` and `basic` keywords to reflect that.</li></ul> |
| action | Operation being granted, most typically create, read, update, or delete (CRUD). There is a special `allTasks` keyword for specifying all of the above abilities (create, read, update, and delete). | ## Compare authentication roles
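Review bot: the mis-encoded apostrophe in "ThatΓÇÖs" (a UTF-8 right single quotation mark decoded as Windows-1252) is carried over unchanged into the + line; replace it with a plain "That's" while the cell is being edited. The closing "to reflect that" in the same sentence is redundant after "That's why there are `standard` and `basic` keywords" and can be dropped.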
active-directory Akamai Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/akamai-tutorial.md
Click Save and to go Deployment.
### Kerberos Authentication
-In the below example we will publish an Internal web server <code>http://frp-app1.superdemo.live</code> and enable SSO using KCD.
+In the below example we will publish an internal web server at `http://frp-app1.superdemo.live` and enable SSO using KCD.
#### General Tab
active-directory Alibaba Cloud Service Role Based Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/alibaba-cloud-service-role-based-sso-tutorial.md
the **Note** field, click **Upload** to upload the federation metadata file you
6. In the **RAM Role Name** field enter `AADrole`, select `AAD` from the **Select IdP** drop-down list and click OK.
- >[!NOTE]
- >You can grant permission to the role as needed. After creating the IdP and the corresponding role, we recommend that you save the ARNs of the IdP and the role for subsequent use. You can obtain the ARNs on the IdP information page and the role information page.
+ >[!NOTE]
+ >You can grant permission to the role as needed. After creating the IdP and the corresponding role, we recommend that you save the ARNs of the IdP and the role for subsequent use. You can obtain the ARNs on the IdP information page and the role information page.
7. Associate the Alibaba Cloud RAM role (AADrole) with the Microsoft Entra user (u2):
-To associate the RAM role with the Microsoft Entra user, you must create a role in Microsoft Entra ID by following these steps:
- a. Sign on to the [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
+ To associate the RAM role with the Microsoft Entra user, you must create a role in Microsoft Entra ID by following these steps:
- b. Click **modify permissions** to obtain required permissions for creating a role.
+ 1. Sign in to the [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
- ![Graph config1](./media/alibaba-cloud-service-role-based-sso-tutorial/graph01.png)
+ 1. Click **modify permissions** to obtain required permissions for creating a role.
- c. Select the following permissions from the list and click **Modify Permissions**, as shown in the following figure.
+ ![Graph config1](./media/alibaba-cloud-service-role-based-sso-tutorial/graph01.png)
- ![Graph config2](./media/alibaba-cloud-service-role-based-sso-tutorial/graph02.png)
+ 1. Select the following permissions from the list and click **Modify Permissions**, as shown in the following figure.
- >[!NOTE]
- >After permissions are granted, log on to the Graph Explorer again.
+ ![Graph config2](./media/alibaba-cloud-service-role-based-sso-tutorial/graph02.png)
- d. On the Graph Explorer page, select **GET** from the first drop-down list and **beta** from the second drop-down list. Then enter `https://graph.microsoft.com/beta/servicePrincipals` in the field next to the drop-down lists, and click **Run Query**.
+ > [!NOTE]
+ > After permissions are granted, sign in to the Graph Explorer again.
- ![Graph config3](./media/alibaba-cloud-service-role-based-sso-tutorial/graph03.png)
+ 1. On the Graph Explorer page, select **GET** from the first drop-down list and **beta** from the second drop-down list. Then enter `https://graph.microsoft.com/beta/servicePrincipals` in the field next to the drop-down lists, and click **Run Query**.
- >[!NOTE]
- >If you are using multiple directories, you can enter `https://graph.microsoft.com/beta/contoso.com/servicePrincipals` in the field of the query.
+ ![Graph config3](./media/alibaba-cloud-service-role-based-sso-tutorial/graph03.png)
- e. In the **Response Preview** section, extract the appRoles property from the 'Service Principal' for subsequent use.
+ > [!NOTE]
+ > If you are using multiple directories, you can enter `https://graph.microsoft.com/beta/contoso.com/servicePrincipals` in the field of the query.
- ![Graph config4](./media/alibaba-cloud-service-role-based-sso-tutorial/graph05.png)
+ 1. In the **Response Preview** section, extract the appRoles property from the 'Service Principal' for subsequent use.
- >[!NOTE]
- >You can locate the appRoles property by entering `https://graph.microsoft.com/beta/servicePrincipals/<objectID>` in the field of the query. Note that the `objectID` is the object ID you have copied from the Microsoft Entra ID **Properties** page.
-
- f. Go back to the Graph Explorer, change the method from **GET** to **PATCH**, paste the following content into the **Request Body** section, and click **Run Query**:
- ```
- {
- "appRoles": [
- {
- "allowedMemberTypes":[
- "User"
- ],
- "description": "msiam_access",
- "displayName": "msiam_access",
- "id": "41be2db8-48d9-4277-8e86-f6d22d35****",
- "isEnabled": true,
- "origin": "Application",
- "value": null
- },
- { "allowedMemberTypes": [
- "User"
- ],
- "description": "Admin,AzureADProd",
- "displayName": "Admin,AzureADProd",
- "id": "68adae10-8b6b-47e6-9142-6476078cdbce",
- "isEnabled": true,
- "origin": "ServicePrincipal",
- "value": "acs:ram::187125022722****:role/aadrole,acs:ram::187125022722****:saml-provider/AAD"
- }
- ]
- }
- ```
- > [!NOTE]
- > The `value` is the ARNs of the IdP and the role you created in the RAM console. Here, you can add multiple roles as needed. Microsoft Entra ID will send the value of these roles as the claim value in SAML response. However, you can only add new roles after the `msiam_access` part for the patch operation. To smooth the creation process, we recommend that you use an ID generator, such as GUID Generator, to generate IDs in real time.
-
- g. After the 'Service Principal' is patched with the required role, attach the role with the Microsoft Entra user (u2) by following the steps of **Assign the Microsoft Entra test user** section of the tutorial.
+ ![Graph config4](./media/alibaba-cloud-service-role-based-sso-tutorial/graph05.png)
+
+ > [!NOTE]
+ > You can locate the appRoles property by entering `https://graph.microsoft.com/beta/servicePrincipals/<objectID>` in the field of the query. Note that the `objectID` is the object ID you have copied from the Microsoft Entra ID **Properties** page.
+
+ 1. Go back to the Graph Explorer, change the method from **GET** to **PATCH**, paste the following content into the **Request Body** section, and click **Run Query**:
+
+ ```json
+ {
+ "appRoles": [
+ {
+ "allowedMemberTypes": [
+ "User"
+ ],
+ "description": "msiam_access",
+ "displayName": "msiam_access",
+ "id": "41be2db8-48d9-4277-8e86-f6d22d35****",
+ "isEnabled": true,
+ "origin": "Application",
+ "value": null
+ },
+ {
+ "allowedMemberTypes": [
+ "User"
+ ],
+ "description": "Admin,AzureADProd",
+ "displayName": "Admin,AzureADProd",
+ "id": "68adae10-8b6b-47e6-9142-6476078cdbce",
+ "isEnabled": true,
+ "origin": "ServicePrincipal",
+ "value": "acs:ram::187125022722****:role/aadrole,acs:ram::187125022722****:saml-provider/AAD"
+ }
+ ]
+ }
+ ```
+
+ > [!NOTE]
+ > The `value` is the ARNs of the IdP and the role you created in the RAM console. Here, you can add multiple roles as needed. Microsoft Entra ID will send the value of these roles as the claim value in SAML response. However, you can only add new roles after the `msiam_access` part for the patch operation. To smooth the creation process, we recommend that you use an ID generator, such as GUID Generator, to generate IDs in real time.
+
+ 1. After the 'Service Principal' is patched with the required role, attach the role with the Microsoft Entra user (u2) by following the steps of **Assign the Microsoft Entra test user** section of the tutorial.
### Configure Alibaba Cloud Service (Role-based SSO) SSO
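Review bot: the step "Go back to the Graph Explorer, change the method from **GET** to **PATCH**" never states the request URL; the preceding GET in the numbered list targets the collection `https://graph.microsoft.com/beta/servicePrincipals`, and the PATCH has to be sent to the individual object, `https://graph.microsoft.com/beta/servicePrincipals/<objectID>` (the URL the note above already introduces for locating appRoles). Spell that out in the step, and state that the masked `****` segments in the sample body are placeholders the reader must replace with their own GUID and ARNs, and that the existing `msiam_access` entry must stay in the body, as the following note implies, since the PATCH submits the whole appRoles list.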
active-directory Arcgisenterprise Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/arcgisenterprise-tutorial.md
In this section, you'll enable B.Simon to use single sign-on by granting access
## Configure ArcGIS Enterprise SSO --- 1. In a different web browser window, sign in to your ArcGIS Enterprise company site as an administrator -
-1. Select **Organization >EDIT SETTINGS**.
+1. Select **Organization** > **Edit Settings**.
![Screenshot shows the ArcGIS Enterprise Organization tab with Edit settings called out.](./media/arcgisenterprise-tutorial/configure-1.png)
active-directory Aws Multi Accounts Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/aws-multi-accounts-tutorial.md
In this section, you enable Microsoft Entra SSO in the Azure portal and configur
![Screenshot showing where the account ID is displayed on the "Identity and Access Management" pane.](./media/aws-multi-accounts-tutorial/aws-accountid.png)
-1. Sign in to the Azure portal, and then go to **Groups**.
+1. Sign in to the [Azure portal](https://portal.azure.com/), and then browse to **Groups**.
1. Create new groups with the same name as that of the IAM roles you created earlier, and then note the value in the **Object Id** box of each of these new groups.
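Review bot: this step now links to the Azure portal, while the Brivo tutorial updated in the same batch directs readers to the Microsoft Entra admin center and names the least-privileged role needed ("as at least a Cloud Application Administrator"); for consistency, and so that this step also states which role is required, use the same "Sign in to the Microsoft Entra admin center as at least a ..." wording here with the equivalent navigation to **Groups**.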
active-directory Brightidea Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/brightidea-tutorial.md
In this section, you'll enable B.Simon to use single sign-on by granting access
![Screenshot shows the Brightidea Identity Provider Setting where you enter information.](./media/brightidea-tutorial/metadata.png)
- * Enter the **SAML Profile Name** like e.g `Azure Ad SSO`
+ * Enter the **SAML Profile Name**, such as `Microsoft Entra SSO`.
* For **Upload Metadata**, click choose file and upload the downloaded metadata file.
active-directory Brivo Onair Identity Connector Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/brivo-onair-identity-connector-provisioning-tutorial.md
Before configuring Brivo Onair Identity Connector for automatic user provisionin
**To add Brivo Onair Identity Connector from the Microsoft Entra application gallery, perform the following steps:**
-1. In the **[Azure portal](https://portal.azure.com)**, in the left navigation panel, select **Microsoft Entra ID**.
-
- ![The Microsoft Entra button](common/select-azuread.png)
-
-2. Go to **Enterprise applications**, and then select **All applications**.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add a new application, select the **New application** button at the top of the pane.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, enter **Brivo Onair Identity Connector**, select **Brivo Onair Identity Connector** in the search box.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
+1. In the **Add from the gallery** section, type **Brivo Onair Identity Connector** in the search box.
1. Select **Brivo Onair Identity Connector** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
- ![Brivo Onair Identity Connector in the results list](common/search-new-app.png)
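Review bot: the unchanged last step "Select **Brivo Onair Identity Connector** from results panel and then add the app" is missing an article ("from the results panel"); the same sentence is the template text repeated in the Corptax, HighGear, Insperity ExpensAble, Jobscience, Logz.io and MerchLogix hunks below, so correct it once at the template rather than per article.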
## Configuring automatic user provisioning to Brivo Onair Identity Connector
active-directory Check Point Remote Access Vpn Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/check-point-remote-access-vpn-tutorial.md
For example:
![screenshot for to Add a new object.](./media/check-point-remote-access-vpn-tutorial/add-new-object.png) 1. Enter a name and a display name, and add/edit an authentication method:
- In case the Login Option will be use on GWs who participate in MEP, in order to allow smooth user experience the Name should start with ΓÇ£SAMLVPN_ΓÇ¥ prefix.
+ In case the Login Option will be use on GWs who participate in MEP, in order to allow smooth user experience the Name should start with `SAMLVPN_` prefix.
![screenshot about Login Option.](./media/check-point-remote-access-vpn-tutorial/login-option.png)
There are two options:
4. In the top right pane, select the **Security Gateway object**.
- 5. In the bottom pane, go to **realms_for_blades > vpn**.
+ 5. In the bottom pane, go to **realms_for_blades** > **vpn**.
6. If you do not want to use an on-premises Active Directory (LDAP), set **do_ldap_fetch** to **false** and **do_generic_fetch** to **true**. Then click **OK**. If you do want to use an on-premises Active Directory (LDAP), set **do_ldap_fetch** to **true** and **do_generic_fetch** to **false**. Then click **OK**.
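Review bot: the rewritten line "In case the Login Option will be use on GWs who participate in MEP, in order to allow smooth user experience the Name should start with `SAMLVPN_` prefix." only swaps the mis-encoded quotes for backticks and carries the grammar over; suggest "If the Login Option will be used on gateways that participate in MEP, the name should start with the `SAMLVPN_` prefix to allow a smooth user experience.", and expand MEP on first use if the article has not already done so.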
active-directory Cisco Anyconnect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/cisco-anyconnect.md
To configure the integration of Cisco AnyConnect into Microsoft Entra ID, you ne
1. In the **Add from the gallery** section, type **Cisco AnyConnect** in the search box. 1. Select **Cisco AnyConnect** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
- Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)
-
-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide&preserve-view=true).
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides)
<a name='configure-and-test-azure-ad-sso-for-cisco-anyconnect'></a>
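Review bot: the kept paragraph still reads "assign roles, as well as walk through the SSO configuration as well", so removing the duplicate copy left the doubled "as well" in place; suggest "..., assign roles, and walk through the SSO configuration." Also, the deleted copy linked the same setup guide with a `?view=o365-worldwide&preserve-view=true` query string; confirm the kept link without it resolves to the intended page.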
active-directory Corptax Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/corptax-tutorial.md
To configure the integration of Corptax into Microsoft Entra ID, you need to add
**To add Corptax from the gallery, perform the following steps:**
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Microsoft Entra ID** icon.
-
- ![The Microsoft Entra button](common/select_azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise_applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add_new_app.png)
-
-4. In the search box, type **Corptax**, select **Corptax** from result panel then click **Add** button to add the application.
-
- ![Corptax in the results list](common/search_new_app.png)
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
+1. In the **Add from the gallery** section, type **Corptax** in the search box.
+1. Select **Corptax** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
<a name='configure-and-test-azure-ad-single-sign-on'></a>
active-directory Directory Services Protector Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/directory-services-protector-tutorial.md
In this section, you'll enable B.Simon to use Microsoft Entra single sign-on by
1. In Step **3 - User Attributes & Claims**, we don't need this information now, so we can skip to Step 4.
-1. In Step **4 ΓÇô Data received from the SAML identity provider**, DSP supports both importing from a metadata URL and importing of a metadata XML provided by Entra ID.
+1. In Step **4 ΓÇô Data received from the SAML identity provider**, DSP supports both importing from a metadata URL and importing of a metadata XML provided by Microsoft Entra ID.
- 1. Select **App federation metadata URL** radio button, and paste the **Metadata URL** in the field from Entra ID, and then select **IMPORT**.
+ 1. Select **App federation metadata URL** radio button, and paste the **Metadata URL** in the field from Microsoft Entra ID, and then select **IMPORT**.
![Screenshot shows settings of the app metadata URL.](./media/directory-services-protector-tutorial/field.png "Application")
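Review bot: the changed line "In Step **4 ΓÇô Data received from the SAML identity provider**" still carries the mis-encoded dash (ΓÇô) from the old line as it appears in this diff, while the preceding step reads "Step **3 - User Attributes & Claims**"; since the line is being touched for the Microsoft Entra ID rename anyway, check the source file and use the plain hyphen of step 3 so the two step headings match.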
active-directory Druva Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/druva-provisioning-tutorial.md
Before configuring and enabling automatic user provisioning, you should decide w
Before configuring Druva for automatic user provisioning with Microsoft Entra ID, you will need to enable SCIM provisioning on Druva.
-1. Sign in to your [Druva Admin Console](https://console.druva.com). Navigate to **Druva > inSync**.
+1. Sign in to your [Druva Admin Console](https://console.druva.com). Navigate to **Druva** > **inSync**.
- ![Druva Admin Console](media/druva-provisioning-tutorial/menubar.png)
+ ![Druva Admin Console](media/druva-provisioning-tutorial/menubar.png)
2. Navigate to **Manage** > **Deployments** > **Users**.
- :::image type="content" source="media/druva-provisioning-tutorial/manage.png" alt-text="Screenshot of the Druva admin console. Manage is highlighted, and the Manage menu is visible. In that menu, under Deployments, Users is highlighted." border="false":::
+ :::image type="content" source="media/druva-provisioning-tutorial/manage.png" alt-text="Screenshot of the Druva admin console. Manage is highlighted, and the Manage menu is visible. In that menu, under Deployments, Users is highlighted." border="false":::
-3. Navigate to **Settings**. Click **Generate Token**.
+3. Navigate to **Settings**. Click **Generate Token**.
- :::image type="content" source="media/druva-provisioning-tutorial/settings.png" alt-text="Screenshot of a page in the Druva admin console. Settings is highlighted, and the Settings tab is open. The Generate token button is highlighted." border="false":::
+ :::image type="content" source="media/druva-provisioning-tutorial/settings.png" alt-text="Screenshot of a page in the Druva admin console. Settings is highlighted, and the Settings tab is open. The Generate token button is highlighted." border="false":::
-4. Copy the **Auth token** value. This value will be entered in the **Secret Token** field in the Provisioning tab of your Druva application.
-
- :::image type="content" source="media/druva-provisioning-tutorial/auth.png" alt-text="Screenshot of the Create token page in the Druva admin console. A link labeled Copy Token is available for copying the Auth token value." border="false":::
+4. Copy the **Auth token** value. This value will be entered in the **Secret Token** field in the Provisioning tab of your Druva application.
+
+ :::image type="content" source="media/druva-provisioning-tutorial/auth.png" alt-text="Screenshot of the Create token page in the Druva admin console. A link labeled Copy Token is available for copying the Auth token value." border="false":::
## Add Druva from the gallery
To configure Druva for automatic user provisioning with Microsoft Entra ID, you
1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. 1. In the **Add from the gallery** section, type **Druva**, select **Druva** in the search box. 1. Select **Druva** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
- ![Druva in the results list](common/search-new-app.png)
+ ![Druva in the results list](common/search-new-app.png)
## Configuring automatic user provisioning to Druva
This section guides you through the steps to configure the Microsoft Entra provi
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator). 1. Browse to **Identity** > **Applications** > **Enterprise applications**
- ![Enterprise applications blade](common/enterprise-applications.png)
+ ![Enterprise applications blade](common/enterprise-applications.png)
1. In the applications list, select **Druva**.
- ![The Druva link in the Applications list](common/all-applications.png)
+ ![The Druva link in the Applications list](common/all-applications.png)
3. Select the **Provisioning** tab.
- ![Screenshot of the Manage options with the Provisioning option called out.](common/provisioning.png)
+ ![Screenshot of the Manage options with the Provisioning option called out.](common/provisioning.png)
4. Set the **Provisioning Mode** to **Automatic**.
- ![Screenshot of the Provisioning Mode dropdown list with the Automatic option called out.](common/provisioning-automatic.png)
+ ![Screenshot of the Provisioning Mode dropdown list with the Automatic option called out.](common/provisioning-automatic.png)
-5. Under the Admin Credentials section, input `https://apis.druva.com/insync/scim` in **Tenant URL**. Input the **Auth token** value in **Secret Token**. Click **Test Connection** to ensure Microsoft Entra ID can connect to Druva. If the connection fails, ensure your Druva account has Admin permissions and try again.
+5. Under the Admin Credentials section, input `https://apis.druva.com/insync/scim` in **Tenant URL**. Input the **Auth token** value in **Secret Token**. Click **Test Connection** to ensure Microsoft Entra ID can connect to Druva. If the connection fails, ensure your Druva account has Admin permissions and try again.
- ![Tenant URL + Token](common/provisioning-testconnection-tenanturltoken.png)
+ ![Tenant URL + Token](common/provisioning-testconnection-tenanturltoken.png)
6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications, and select **Send an email notification when a failure occurs**.
- ![Notification Email](common/provisioning-notification-email.png)
+ ![Notification Email](common/provisioning-notification-email.png)
7. Click **Save**. 8. Under the **Mappings** section, select **Synchronize Microsoft Entra users to Druva**.
- ![Druva User Mappings](media/druva-provisioning-tutorial/usermapping.png)
+ ![Druva User Mappings](media/druva-provisioning-tutorial/usermapping.png)
9. Review the user attributes that are synchronized from Microsoft Entra ID to Druva in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Druva for update operations. Select the **Save** button to commit any changes.
- ![Druva User Attributes](media/druva-provisioning-tutorial/userattribute.png)
+ ![Druva User Attributes](media/druva-provisioning-tutorial/userattribute.png)
10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). 11. To enable the Microsoft Entra provisioning service for Druva, change the **Provisioning Status** to **On** in the **Settings** section.
- ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
12. Define the users and/or groups that you would like to provision to Druva by choosing the desired values in **Scope** in the **Settings** section.
- ![Provisioning Scope](common/provisioning-scope.png)
+ ![Provisioning Scope](common/provisioning-scope.png)
13. When you are ready to provision, click **Save**.
- ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+ This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Microsoft Entra provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Microsoft Entra provisioning service on Druva.
- This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Microsoft Entra provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Microsoft Entra provisioning service on Druva.
+ For more information on how to read the Microsoft Entra provisioning logs, see [Reporting on automatic user account provisioning](../app-provisioning/check-status-user-account-provisioning.md).
- For more information on how to read the Microsoft Entra provisioning logs, see [Reporting on automatic user account provisioning](../app-provisioning/check-status-user-account-provisioning.md).
-
## Connector limitations * Druva requires **email** as a mandatory attribute.
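Review bot: apart from moving the two closing notes (the initial-synchronization paragraph and the link to the provisioning-logs article) directly under the "Saving Provisioning Configuration" screenshot, every `-`/`+` pair in this hunk is identical in wording (for example the step with `https://apis.druva.com/insync/scim`), so the change is indentation-only; say so in the commit message so reviewers do not have to diff each pair by eye. While here, the "Configuring automatic user provisioning" list mixes auto-numbered `1.` items with explicit `3.`, `4.`, `5.` ones; pick one numbering scheme so the source matches what renders.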
active-directory F5 Big Ip Headers Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/f5-big-ip-headers-easy-button.md
Before a client or service can access Microsoft Graph, it must be trusted by the
This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Through these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Microsoft Entra ID as the SAML IdP. 1. Sign in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights.+ 2. From the left navigation pane, select the **Microsoft Entra ID** service.
-3. Under Manage, select **App registrations > New registration**.
-4. Enter a display name for your application. For example, `F5 BIG-IP Easy Button`.
+
+3. Under Manage, select **App registrations** > **New registration**.
+
+4. Enter a display name for your application, such as `F5 BIG-IP Easy Button`.
+ 5. Specify who can use the application > **Accounts in this organizational directory only**.+ 6. Select **Register** to complete the initial app registration.+ 7. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**: * Application.Read.All
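Review bot: the blank lines added before steps 3 and 4 will make the numbered list loose (every item wrapped in a paragraph) if steps 1, 2, 5, 6 and 7 are not also separated by blank lines, which the surrounding context suggests; either add the blank line between every step or drop the two added ones. The wording change itself (`**App registrations** > **New registration**` and the display name in code font) matches the three sibling Easy Button articles in this batch.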
active-directory F5 Big Ip Oracle Enterprise Business Suite Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/f5-big-ip-oracle-enterprise-business-suite-easy-button.md
Before a client or service can access Microsoft Graph, it must be trusted by the
This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Through these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Microsoft Entra ID as the SAML IdP.
-1. Sign in to the [Azure portal](https://portal.azure.com/) with Application Administrative rights
+1. Sign in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights.
-2. From the left navigation pane, select the **Microsoft Entra ID** service
+2. From the left navigation pane, select the **Microsoft Entra ID** service.
-3. Under Manage, select **App registrations > New registration**
+3. Under Manage, select **App registrations** > **New registration**.
-4. Enter a display name for your application. For example, F5 BIG-IP Easy Button
+4. Enter a display name for your application, such as `F5 BIG-IP Easy Button`.
-5. Specify who can use the application > **Accounts in this organizational directory only**
+5. Specify who can use the application > **Accounts in this organizational directory only**.
-6. Select **Register** to complete the initial app registration
+6. Select **Register** to complete the initial app registration.
7. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**:
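Review bot: the hunk splits "**App registrations > New registration**" into two bold labels but leaves "Specify who can use the application > **Accounts in this organizational directory only**" with a bare ">" between plain text and a bold option; reword it as a sentence ("Under the account-type selector, choose **Accounts in this organizational directory only**.") or bold the field label too. The same line appears unchanged in form in the Oracle JD Edwards and SAP ERP hunks below.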
active-directory F5 Big Ip Oracle Jd Edwards Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/f5-big-ip-oracle-jd-edwards-easy-button.md
Before a client or service can access Microsoft Graph, it must be trusted by the
This first step creates a tenant app registration that will be used to authorize the **Easy Button** access to Graph. Through these permissions, the BIG-IP will be allowed to push the configurations required to establish a trust between a SAML SP instance for published application, and Microsoft Entra ID as the SAML IdP.
-1. Sign in to the [Azure portal](https://portal.azure.com/) with Application Administrative rights
+1. Sign in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights.
-2. From the left navigation pane, select the **Microsoft Entra ID** service
+2. From the left navigation pane, select the **Microsoft Entra ID** service.
-3. Under Manage, select **App registrations > New registration**
+3. Under Manage, select **App registrations** > **New registration**.
-4. Enter a display name for your application. For example, F5 BIG-IP Easy Button
+4. Enter a display name for your application, such as `F5 BIG-IP Easy Button`.
-5. Specify who can use the application > **Accounts in this organizational directory only**
+5. Specify who can use the application > **Accounts in this organizational directory only**.
-6. Select **Register** to complete the initial app registration
+6. Select **Register** to complete the initial app registration.
7. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**:
active-directory F5 Big Ip Sap Erp Easy Button https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/f5-big-ip-sap-erp-easy-button.md
Before a client or service can access Microsoft Graph, it must be trusted by the
The Easy Button client must also be registered in Microsoft Entra ID, before it is allowed to establish a trust between each SAML SP instance of a BIG-IP published application, and Microsoft Entra ID as the SAML IdP.
-1. Sign in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights
+1. Sign in to the [Azure portal](https://portal.azure.com/) using an account with Application Administrative rights.
-2. From the left navigation pane, select the **Microsoft Entra ID** service
+2. From the left navigation pane, select the **Microsoft Entra ID** service.
-3. Under Manage, select **App registrations > New registration**
+3. Under Manage, select **App registrations** > **New registration**.
-4. Enter a display name for your application. For example, *F5 BIG-IP Easy Button*
+4. Enter a display name for your application, such as `F5 BIG-IP Easy Button`.
-5. Specify who can use the application > **Accounts in this organizational directory only**
+5. Specify who can use the application > **Accounts in this organizational directory only**.
-6. Select **Register** to complete the initial app registration
+6. Select **Register** to complete the initial app registration.
7. Navigate to **API permissions** and authorize the following Microsoft Graph **Application permissions**:
active-directory Fortigate Ssl Vpn Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/fortigate-ssl-vpn-tutorial.md
In this section, you'll enable B.Simon to use single sign-on by granting that us
In this section, you'll create a security group in Microsoft Entra ID for the test user. FortiGate will use this security group to grant the user network access via the VPN.
-1. In the left pane of the Azure portal, select **Microsoft Entra ID**. Then select **Groups**.
-1. Select **New group** at the top of the screen.
+1. In the Microsoft Entra admin center, navigate to **Identity** > **Groups** > **New group**.
1. In the **New Group** properties, complete these steps: 1. In the **Group type** list, select **Security**. 1. In the **Group name** box, enter **FortiGateAccess**.
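Review bot: the replacement step "In the Microsoft Entra admin center, navigate to **Identity** > **Groups** > **New group**." drops the sign-in step and names no required role, unlike the other admin-center rewrites in this batch, which open with "Sign in to the Microsoft Entra admin center as at least a ..." and link the role; add the sign-in step with the least-privileged role that can create a security group, since the sentence above the list says this group is what FortiGate uses to grant VPN network access.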
active-directory Highgear Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/highgear-tutorial.md
To configure the integration of HighGear into Microsoft Entra ID, you need to ad
**To add HighGear from the gallery, perform the following steps:**
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Microsoft Entra ID** icon.
-
- ![The Microsoft Entra button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add a new application, click the **New application** button on the top of the dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **HighGear**, select **HighGear** from result panel, and then click the **Add** button to add the application.
-
- ![HighGear in the results list](common/search-new-app.png)
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
+1. In the **Add from the gallery** section, type **HighGear** in the search box.
+1. Select **HighGear** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
<a name='configure-and-test-azure-ad-single-sign-on'></a>
active-directory Insperityexpensable Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/insperityexpensable-tutorial.md
To configure the integration of Insperity ExpensAble into Microsoft Entra ID, yo
**To add Insperity ExpensAble from the gallery, perform the following steps:**
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Microsoft Entra ID** icon.
-
- ![The Microsoft Entra button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add a new application, click the **New application** button on the top of the dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Insperity ExpensAble**, select **Insperity ExpensAble** from the result panel then click the **Add** button to add the application.
-
- ![Insperity ExpensAble in the results list](common/search-new-app.png)
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
+1. In the **Add from the gallery** section, type **InsperityExpensAble** in the search box.
+1. Select **Insperity ExpensAble** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
<a name='configure-and-test-azure-ad-single-sign-on'></a>
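Review bot: the new search step reads "type **InsperityExpensAble** in the search box" with no space, while the lead-in and the very next step name the app **Insperity ExpensAble**; if the gallery entry is "Insperity ExpensAble", the concatenated term may not match the search, so use the same spelling in both steps.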
active-directory Jamfprosamlconnector Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/jamfprosamlconnector-tutorial.md
In this section, you enable Microsoft Entra SSO.
In this section, you create a test user called B.Simon.
-1. In the left pane in the Azure portal, select **Microsoft Entra ID**, select **Users**, and then select **All users**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Users** > **All users**.
1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps: 1. In the **Name** field, enter `B.Simon`.
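Review bot: the added sign-in step requires "at least a Cloud Application Administrator", the role the other hunks in this batch use for adding gallery apps, but this procedure creates a user (**Identity** > **Users** > **All users** > **New user**); confirm that role is sufficient to create users in the tenant and, if it is not, link the least-privileged role that is, as the role link is the only authorization guidance the reader gets here.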
active-directory Jobscience Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/jobscience-tutorial.md
To configure the integration of Jobscience into Microsoft Entra ID, you need to
**To add Jobscience from the gallery, perform the following steps:**
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Microsoft Entra ID** icon.
-
- ![Active Directory][1]
-
-1. Navigate to **Enterprise applications**. Then go to **All applications**.
-
- ![Screenshot shows the Azure portal Enterprise Applications selected under Manage, with All applications selected.][2]
-
-1. To add new application, click **New application** button on the top of dialog.
-
- ![Screenshot shows New application selected.][3]
-
-1. In the search box, type **Jobscience**.
-
- ![Screenshot shows Add from the gallery with jobscience entered.](./media/jobscience-tutorial/tutorial_jobscience_search.png)
-
-1. In the results panel, select **Jobscience**, and then click **Add** button to add the application.
-
- ![Screenshot shows the results which included Jobscience.](./media/jobscience-tutorial/tutorial_jobscience_addfromgallery.png)
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
+1. In the **Add from the gallery** section, type **Jobscience** in the search box.
+1. Select **Jobscience** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
<a name='-configuring-and-testing-azure-ad-single-sign-on'></a>
The objective of this section is to create a test user called Britta Simon.
**To create a test user in Microsoft Entra ID, perform the following steps:**
-1. In the **Azure portal**, on the left navigation pane, click **Microsoft Entra ID** icon.
-
- ![Screenshot shows the Microsoft Entra icon.](./media/jobscience-tutorial/create_aaduser_01.png)
-
-1. To display the list of users, go to **Users and groups** and click **All users**.
+1. In the Microsoft Entra admin center, navigate to **Identity** > **Users** > **All users**.
![Screenshot shows Users and groups selected from the Manage menu, with All users selected.](./media/jobscience-tutorial/create_aaduser_02.png)
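Review bot: the step is rewritten to **Identity** > **Users** > **All users**, but the screenshot kept directly below it is captioned "Users and groups selected from the Manage menu, with All users selected", the old portal navigation that this hunk removes; update or drop the screenshot so it matches the new path, as the Jobscience gallery hunk above did with its old-portal screenshots.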
active-directory Logzio Cloud Observability For Engineers Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/logzio-cloud-observability-for-engineers-tutorial.md
To be able to access and use the SSO link that is created for a Logz.io-Azure in
To configure SSO for the Logz.io resource in the Azure portal, you need to add the Logz.io - Microsoft Entra Integration from the gallery to your list of managed SaaS apps.
-1. Sign in to the Azure portal using a Microsoft account.
-2. In the Azure portal, in **Logz.io | Overview**, in the **+ Add** menu, select **Enterprise application**.
-
- ![Enterprise application option](./media/logzio-cloud-observability-for-engineers-tutorial/liftr-ovrview-enterprise-apps.png)
-
-3. In the Microsoft Entra Gallery, browse to the **Logz.io - Microsoft Entra Integration** application and select it.
-4. Rename the integration with a relevant name and click **Create**. (In the steps that follow, we used the name **AD app for a logz.io resource**)
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
+1. In the **Add from the gallery** section, type **Logz.io - Microsoft Entra Integration** in the search box.
+1. Select **Logz.io - Microsoft Entra Integration** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. Rename the integration with a relevant name and click **Create**. (In the steps that follow, we used the name **AD app for a logz.io resource**)
![Rename the integration](./media/logzio-cloud-observability-for-engineers-tutorial/liftr-rename-logzio-ad-integration.png) ##### Copy the Application ID
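Review bot: the step order after the rewrite is off: step 4 says "add the app. Wait a few seconds while the app is added to your tenant" and step 5 then says "Rename the integration with a relevant name and click **Create**", but naming and **Create** belong to the gallery add dialog, before the app exists in the tenant; fold the rename into the add step (name the integration, then select **Create**) and drop the separate step, or, if a later rename is meant, say where it happens. The intro sentence above still says "in the Azure portal" while the steps now use the Microsoft Entra admin center.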
-In **AD app for a logz.io resource | Overview > Properties**, copy the **Application ID** property.
+In **AD app for a logz.io resource | Overview** > **Properties**, copy the **Application ID** property.
![Copy Application ID](./media/logzio-cloud-observability-for-engineers-tutorial/liftr-copy-application-id-2.png)
active-directory Mediusflow Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/mediusflow-provisioning-tutorial.md
The scenario outlined in this tutorial assumes that you already have the followi
Start by enabling the access of the Microsoft Entra login and the Microsoft Entra configuration feature within MediusFlow by performing the following steps: #### User login
-To enable the login flow to Microsoft 365/Azure AD refer to [this] (https://success.mediusflow.com/documentation/administration_guide/user_login_and_transfer/office365userintegration/#user-login-setup) article.
+To enable the login flow to Microsoft 365 / Microsoft Entra ID, refer to [this](https://success.mediusflow.com/documentation/administration_guide/user_login_and_transfer/office365userintegration/#user-login-setup) article.
#### User transfer configuration To enable the configuration portal of the users for provisioning from Microsoft Entra ID refer to [this](
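Review bot: the link repair is right (the space in "[this] (https://…)" broke the Markdown link), but the link text "this" is not descriptive; use the target article's title or a phrase that says what the reader will find there. The same "refer to [this](" pattern appears in the "User transfer configuration" section that follows.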
active-directory Merchlogix Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/merchlogix-provisioning-tutorial.md
Before configuring MerchLogix for automatic user provisioning with Microsoft Ent
**To add MerchLogix from the Microsoft Entra application gallery, perform the following steps:**
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click on the **Microsoft Entra ID** icon.
-
- ![The Microsoft Entra button][1]
-
-2. Navigate to **Enterprise applications** > **All applications**.
-
- ![The Enterprise applications Section][2]
-
-3. To add MerchLogix, click the **New application** button on the top of the dialog.
-
- ![The New application button][3]
-
-4. In the search box, type **MerchLogix**.
-
-5. In the results panel, select **MerchLogix**, and then click the **Add** button to add MerchLogix to your list of SaaS applications.
-
- ![Screenshot of the Add from the galley section with the Enter a name text box called out.][4]
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
+1. In the **Add from the gallery** section, type **MerchLogix** in the search box.
+1. Select **MerchLogix** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
## Assigning users to MerchLogix
For more information on how to read the Microsoft Entra provisioning logs, see [
## Next steps * [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)-
-<!--Image references-->
-[1]: common/select-azuread.png
-[2]: common/enterprise-applications.png
-[3]: common/add-new-app.png
-[4]: common/search-new-app.png
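Review bot: the replacement removes the four `![...][n]` image references together with the `[1]` to `[4]` reference-style definitions at the bottom of the file; confirm no other line in the file still uses those reference labels, since a dangling `[n]` renders as literal text rather than an image. Naming the minimum role, "at least a **Cloud Application Administrator**", is the right least-privilege improvement over the old unspecified "click on the **Microsoft Entra ID** icon"; keep it. Grammar in the last new step: "from results panel" should be "from the results panel" (the same wording recurs in the Miro, SAP Cloud Identity Services, SignalFx, TurboRater and Zscaler Two hunks below).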
active-directory Miro Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/miro-provisioning-tutorial.md
Before configuring Miro for automatic user provisioning with Microsoft Entra ID,
**To add Miro from the Microsoft Entra application gallery, perform the following steps:**
-1. In the **[Azure portal](https://portal.azure.com)**, in the left navigation panel, select **Microsoft Entra ID**.
-
- ![The Microsoft Entra button](common/select-azuread.png)
-
-1. Go to **Enterprise applications**, and then select **All applications**.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-1. To add a new application, select the **New application** button at the top of the pane.
-
- ![The New application button](common/add-new-app.png)
-
-1. In the search box, enter **Miro**, select **Miro** in the search box.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
+1. In the **Add from the gallery** section, type **Miro** in the search box.
1. Select **Miro** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
- ![Miro in the results list](common/search-new-app.png)
## Configuring automatic user provisioning to Miro
active-directory Safety Culture Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/safety-culture-tutorial.md
Follow these steps to enable Microsoft Entra SSO.
1. Click your organization name on the lower-left corner of the page and select **Organization settings**. 1. Select **Security** on the top of the page. 1. Click **Set up** in the **Single sign-on (SSO)** box.
- 1. Select **SAML**, **_not Azure AD_**, as the connection option.
+ 1. Select **SAML**, **_not Microsoft Entra ID_**, as the connection option.
1. Perform the following steps on the below page. ![Screenshot shows sample SSO details from the SafetyCulture web app.](./media/safety-culture-tutorial/connection-details.png "Sample SSO details")
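Review bot: the rebranded instruction "Select **SAML**, **_not Microsoft Entra ID_**" quotes an option label in SafetyCulture's own UI (the surrounding steps are performed in the SafetyCulture **Organization settings** > **Security** > **Single sign-on (SSO)** box, not in a Microsoft portal); if SafetyCulture still labels that connection option "Azure AD", the rename points the reader at an option that does not exist on the page. Verify against the vendor UI and, if the label is unchanged, keep "Azure AD" as the literal option name, optionally followed by "(Microsoft Entra ID)".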
active-directory Sap Cloud Platform Identity Authentication Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial.md
Before configuring SAP Cloud Identity Services for automatic user provisioning w
**To add SAP Cloud Identity Services from the Microsoft Entra application gallery, perform the following steps:**
-1. In the **[Azure portal](https://portal.azure.com)**, in the left navigation panel, select **Microsoft Entra ID**.
-
- ![Screenshot of the Microsoft Entra button.](common/select-azuread.png)
-
-1. Go to **Enterprise applications**, and then select **All applications**.
-
- ![Screenshot of the Enterprise applications blade.](common/enterprise-applications.png)
-
-1. To add a new application, select the **New application** button at the top of the pane.
-
- ![Screenshot of the New application button.](common/add-new-app.png)
-
-1. In the search box, enter **SAP Cloud Identity Services**, select **SAP Cloud Identity Services** in the search box.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
+1. In the **Add from the gallery** section, type **SAP Cloud Identity Services** in the search box.
1. Select **SAP Cloud Identity Services** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
- ![Screenshot of the SAP Cloud Identity Services in the results list.](common/search-new-app.png)
## Configuring automatic user provisioning to SAP Cloud Identity Services
This section guides you through the steps to configure the Microsoft Entra provi
![Screenshot of the Provisioning Mode dropdown list with the Automatic option called out.](common/provisioning-automatic.png)
-1. Under the **Admin Credentials** section, input `https://<tenantID>.accounts.ondemand.com/service/scim ` in **Tenant URL**. Input the **User ID** and **Password** values retrieved earlier in **Admin Username** and **Admin Password** respectively. Click **Test Connection** to ensure Microsoft Entra ID can connect to SAP Cloud Identity Services. If the connection fails, ensure your SAP Cloud Identity Services account has Admin permissions and try again.
+1. Under the **Admin Credentials** section, input `https://<tenantID>.accounts.ondemand.com/service/scim` in **Tenant URL**. Input the **User ID** and **Password** values retrieved earlier in **Admin Username** and **Admin Password** respectively. Click **Test Connection** to ensure Microsoft Entra ID can connect to SAP Cloud Identity Services. If the connection fails, ensure your SAP Cloud Identity Services account has Admin permissions and try again.
![Screenshot of the Tenant URL and Token.](media/sap-cloud-platform-identity-authentication-provisioning-tutorial/testconnection.png)
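Review bot: beyond the trailing-space fix inside the **Tenant URL** code span, this step has the reader store a static **Admin Username**/**Admin Password** pair in the provisioning configuration and, on failure, "ensure your SAP Cloud Identity Services account has Admin permissions", which nudges toward using a personal administrator account; consider recommending a dedicated technical user whose permissions are limited to the SCIM endpoint, since that password lives in the provisioning job for as long as it runs. The screenshot alt text on the next line, "Tenant URL and Token", also does not match the username/password inputs the step describes.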
active-directory Signalfx Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/signalfx-tutorial.md
In this tutorial, you will configure and test Microsoft Entra SSO in a test envi
Use these instructions to add the SignalFx application to your list of managed SaaS apps.
-1. Log into the Azure portal.
-1. On the left-side navigation window, select **Microsoft Entra ID**.
-1. Select **Enterprise applications**, and then select **All applications**.
-1. Select **New application**.
-1. In the **Add from the gallery** section, in the search box, enter and select **SignalFx**.
- * You may need to wait a few minutes for the application to be added to your tenant.
-1. Leave the Azure portal open, and then open a new web tab.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
+1. In the **Add from the gallery** section, type **SignalFx** in the search box.
+1. Select **SignalFx** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. Leave the Microsoft Entra admin center open, and then open a new browser tab.
## Step 2: Begin SignalFx SSO configuration
Use these instructions to begin the configuration process for the SignalFx SSO.
Use these instructions to enable Microsoft Entra SSO.
-1. Return to the Azure portal, and on the **SignalFx** application integration page, locate the **Manage** section, and then select **Single sign-on**.
+1. Return to the Microsoft Entra admin center, and on the **SignalFx** application integration page, locate the **Manage** section, and then select **Single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
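Review bot: "Return to the Microsoft Entra admin center, and on the **SignalFx** application integration page" assumes the admin center is still showing the SignalFx app from Step 1, but the add-from-gallery steps in the earlier hunk end with "Wait a few seconds while the app is added" and "open a new browser tab" without saying to stay on that page; state the path explicitly (**Identity** > **Applications** > **Enterprise applications** > **SignalFx** > **Single sign-on**), matching the navigation style the rest of this change uses. Also note the earlier hunk changed the stated wait from "a few minutes" to "a few seconds"; if the longer figure came from experience, keep it.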
active-directory Slack Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/slack-tutorial.md
In this section, you'll enable B.Simon to use single sign-on by granting access
2. click on your workspace name in the top left, then go to **Settings & administration** -> **Workspace settings**.
- ![Screenshot of Configure single sign-on On Microsoft Azure AD.](./media/slack-tutorial/tutorial-slack-team-settings.png)
+ ![Screenshot of Configure single sign-on for Microsoft Entra ID.](./media/slack-tutorial/tutorial-slack-team-settings.png)
3. In the **Settings & permissions** section, click the **Authentication** tab, and then click **Configure** button at SAML authentication method.
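Review bot: the new alt text "Screenshot of Configure single sign-on for Microsoft Entra ID" still describes the wrong thing: the image sits under the step that opens Slack's **Settings & administration** > **Workspace settings** menu, so the alt text should describe that Slack screen (for example "Screenshot of the Slack workspace menu with Workspace settings selected"). Alt text is read aloud by screen readers and should say what the image shows, not which identity provider the tutorial is about.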
active-directory Solarwinds Orion Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/solarwinds-orion-tutorial.md
application integration page, find the **Manage** section and select **single si
![Screenshot for User Attributes & Claims.](./media/solarwinds-orion-tutorial/group-claim.png) 1. Choose **Security groups**.
-1. If you have Azure AD synchronized with your on-premises AD, change **Source attribute** to **sAMAccountName**. Otherwise, leave it as Group ID.
+1. If you have Microsoft Entra ID synchronized with your on-premises AD, change **Source attribute** to **sAMAccountName**. Otherwise, leave it as Group ID.
1. In the **Advanced options**, tick mark **Customize the name of the group claim** and give OrionGroups as the name.
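Review bot: the rebranded step tells the reader to switch the group claim **Source attribute** to **sAMAccountName** when synchronized from on-premises AD, with no caveat: sAMAccountName is unique only within one domain and changes when a group is renamed, whereas the default **Group ID** (the group's object ID) is immutable and unique across the tenant, so a name-based claim is the weaker key for an authorization mapping on the Orion side. Add a sentence that Group ID is preferred wherever Orion can match on it, and that sAMAccountName is for environments whose Orion groups are already keyed on the AD name.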
active-directory Splan Visitor Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/splan-visitor-tutorial.md
Follow these steps to enable Microsoft Entra SSO in the Azure portal:
In this section, you'll create a test user named B.Simon.
-1. On the left pane in the Azure portal, select **Microsoft Entra ID**, select **Users**, and then select **All users**.
+1. In the Microsoft Entra admin center, navigate to **Identity** > **Users** > **All users**.
1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps: 1. In the **Name** field, enter **B.Simon**.
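Review bot: the step now navigates in the Microsoft Entra admin center (**Identity** > **Users** > **All users**), but the section intro kept as context above still reads "Follow these steps to enable Microsoft Entra SSO in the Azure portal:"; update that sentence in the same change so the section does not send the reader to one portal and then describe another.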
active-directory Turborater Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/turborater-tutorial.md
TurboRater supports IDP-initiated single sign-on (SSO).
To configure the integration of TurboRater into Microsoft Entra ID, you need to add TurboRater from the Azure Marketplace to your list of managed SaaS apps:
-1. Sign in to the [Azure portal](https://portal.azure.com?azure-portal=true).
-1. In the left pane, select **Microsoft Entra ID**.
-
- ![The Microsoft Entra option](common/select-azuread.png)
-
-1. Go to **Enterprise Applications**, and then select **All Applications**.
-
- ![The Enterprise applications option](common/enterprise-applications.png)
-
-1. To add a new application, select **+ New application** at the top of the pane.
-
- ![The New application option](common/add-new-app.png)
-
-1. In the search box, enter **TurboRater**. In the search results, select **TurboRater**, and then select **Add** to add the application.
-
- ![TurboRater in the results list](common/search-new-app.png)
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
+1. In the **Add from the gallery** section, type **TurboRater** in the search box.
+1. Select **TurboRater** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
<a name='configure-and-test-azure-ad-single-sign-on'></a>
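Review bot: the intro sentence kept as context says to add TurboRater "from the Azure Marketplace", while the new steps add it from the Microsoft Entra application gallery via **Identity** > **Applications** > **Enterprise applications** > **New application**; change "Azure Marketplace" to "Microsoft Entra application gallery" so the sentence matches the procedure it introduces. Keeping the `<a name='configure-and-test-azure-ad-single-sign-on'>` anchor is right, since existing links to the old heading id would otherwise break.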
active-directory Workday Mobile Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/workday-mobile-tutorial.md
To ensure that iOS devices are only able to sign in through Workday managed by m
## iOS configuration policies
-1. Sign in to the [Azure portal](https://portal.azure.com/), and sign in.
+1. Sign in to the [Azure portal](https://portal.azure.com/).
1. Search for **Intune** or select the widget from the list. 1. Go to **Client Apps** > **Apps** > **App Configuration Policies**. Then select **+ Add** > **Managed Devices**. 1. Enter a name.
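Review bot: the duplicated "and sign in" is gone, but the step still starts in the Azure portal and searches for **Intune** there, while every other hunk in this change moves navigation to the Microsoft Entra admin center; Intune app configuration policies are managed in the Microsoft Intune admin center, so consider pointing there and re-checking the **Client Apps** > **Apps** > **App Configuration Policies** path, which reflects the older blade naming, rather than leaving only this tutorial on the Azure portal.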
To ensure that iOS devices are only able to sign in through Workday managed by m
## Android configuration policies
-1. Sign in to the [Azure portal](https://portal.azure.com/), and sign in.
+1. Sign in to the [Azure portal](https://portal.azure.com/).
2. Search for **Intune** or select the widget from the list. 3. Go to **Client Apps** > **Apps** > **App Configuration Policies**. Then select **+ Add** > **Managed Devices**. 5. Enter a name.
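Review bot: the Android steps are numbered 1, 2, 3, 5 (there is no step 4), while the iOS section above uses "1." for every item and lets Markdown number them; renumber or switch to all-"1." so the list renders without a gap. The two sections are otherwise identical, so whatever portal path is settled on for the iOS hunk should be mirrored here.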
active-directory Zendesk Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zendesk-provisioning-tutorial.md
The scenario outlined in this tutorial assumes that you already have the followi
## Step 2: Configure Zendesk to support provisioning with Microsoft Entra ID
-1. Log in to [Admin Center](https://support.zendesk.com/hc/en-us/articles/4581766374554#topic_hfg_dyz_1hb), click **Apps and integrations** in the sidebar, then select **APIs > Zendesk APIs**.
+1. Sign in to [Zendesk Admin Center](https://support.zendesk.com/hc/en-us/articles/4581766374554#topic_hfg_dyz_1hb).
+1. Navigate to **Apps and integrations** > **APIs** > **Zendesk APIs**.
1. Click the **Settings** tab, and make sure Token Access is **enabled**. 1. Click the **Add API token** button to the right of **Active API Tokens**.The token is generated and displayed. 1. Enter an **API token description**.
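Review bot: splitting the sign-in and navigation steps is fine, but the steps that follow generate an API token ("The token is generated and displayed") without telling the reader to copy it into the Microsoft Entra provisioning configuration and keep it out of tickets and chat; add that the token is a bearer secret for the Zendesk API, that the **API token description** should name the Microsoft Entra provisioning integration so the token can be found and revoked later, and that enabling **Token Access** turns on token authentication for the whole Zendesk account, not only for this integration.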
active-directory Zoom Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zoom-tutorial.md
In this section, you'll enable B.Simon to use single sign-on by granting access
a. In the **Sign-in page URL** textbox, paste the value of **Login URL**..
- b. For **Sign-out page URL** value, you need to go to the Azure portal and click on **Microsoft Entra ID** on the left then navigate to **App registrations**.
+ b. For **Sign-out page URL** value, in the Microsoft Entra admin center, navigate to **Identity** > **App registrations**> **Endpoints**.
- c. Click on **Endpoints**
-
- ![Screenshot of The End point button.](./media/zoom-tutorial/endpoint.png)
+ ![Screenshot of The Endpoints button.](./media/zoom-tutorial/endpoint.png)
d. Copy the **SAML-P SIGN-OUT ENDPOINT** and paste it into **Sign-out page URL** textbox.
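Review bot: the merged step b. is missing a space in "**App registrations**> **Endpoints**", and removing the old step c. leaves the list lettered a., b., d.; reletter the copy step to c. The path is also incomplete for a reader in the Microsoft Entra admin center, where **App registrations** sits under **Identity** > **Applications**, so write it as **Identity** > **Applications** > **App registrations** > **Endpoints**.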
active-directory Zscaler Two Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/saas-apps/zscaler-two-provisioning-tutorial.md
To complete the steps outlined in this tutorial, you need the following:
Before you configure Zscaler Two for automatic user provisioning with Microsoft Entra ID, you need to add Zscaler Two from the Microsoft Entra application gallery to your list of managed SaaS applications.
-In the [Azure portal](https://portal.azure.com), in the left pane, select **Microsoft Entra ID**:
-
-![Select Microsoft Entra ID](common/select-azuread.png)
-
-Go to **Enterprise applications** and then select **All applications**:
-
-![Enterprise applications](common/enterprise-applications.png)
-
-To add an application, select **New application** at the top of the window:
-
-![Select New application](common/add-new-app.png)
-
-In the search box, enter **Zscaler Two**. Select **Zscaler Two** in the results and then select **Add**.
-
-![Results list](common/search-new-app.png)
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**.
+1. In the **Add from the gallery** section, type **Zscaler Two** in the search box.
+1. Select **Zscaler Two** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
## Assign users to Zscaler Two
active-directory Configure Cmmc Level 2 Additional Controls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/configure-cmmc-level-2-additional-controls.md
The following table provides a list of practice statement and objectives, and Mi
| AU.L2-3.3.1<br><br>**Practice statement:** Create and retain system audit logs and records to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.<br><br>**Objectives:**<br>Determine if:<br>[a.] audit logs (for example, event types to be logged) to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified;<br>[b.] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined;<br>[c.] audit records are created (generated);<br>[d.] audit records, once created, contain the defined content;<br>[e.] retention requirements for audit records are defined; and<br>[f.] audit records are retained as defined.<br><br>AU.L2-3.3.2<br><br>**Practice statement:** Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.<br><br>**Objectives:**<br>Determine if:<br>[a.] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined; and<br>[b.] audit records, once created, contain the defined content. | All operations are audited within the Microsoft Entra audit logs. Each audit log entry contains a userΓÇÖs immutable objectID that can be used to uniquely trace an individual system user to each action. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. 
Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification.<br>[Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md)<br>[Connect Microsoft Entra data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md)<br>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) | | AU.L2-3.3.4<br><br>**Practice statement:** Alert if an audit logging process fails.<br><br>**Objectives:**<br>Determine if:<br>[a.] personnel or roles to be alerted if an audit logging process failure is identified;<br>[b.] types of audit logging process failures for which alert will be generated are defined; and<br>[c] identified personnel or roles are alerted in the event of an audit logging process failure. | Azure Service Health notifies you about Azure service incidents so you can take action to mitigate downtime. Configure customizable cloud alerts for Microsoft Entra ID. <br>[What is Azure Service Health?](../../service-health/overview.md)<br>[Three ways to get notified about Azure service issues](https://azure.microsoft.com/blog/three-ways-to-get-notified-about-azure-service-issues/)<br>[Azure Service Health](https://azure.microsoft.com/get-started/azure-portal/service-health/) | | AU.L2-3.3.6<br><br>**Practice statement:** Provide audit record reduction and report generation to support on-demand analysis and reporting.<br><br>**Objectives:**<br>Determine if:<br>[a.] an audit record reduction capability that supports on-demand analysis is provided; and<br>[b.] a report generation capability that supports on-demand reporting is provided. | Ensure Microsoft Entra events are included in event logging strategy. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. 
Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Microsoft Entra entitlement management with access reviews to ensure compliance status of accounts. <br>[Audit activity reports in the Azure portal](../reports-monitoring/concept-audit-logs.md)<br>[Connect Microsoft Entra data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md)<br>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
-| AU.L2-3.3.8<br><br>**Practice statement:** Protect audit information and audit logging tools from unauthorized access, modification, and deletion.<br><br>**Objectives:**<br>Determine if:<br>[a.] audit information is protected from unauthorized access;<br>[b.] audit information is protected from unauthorized modification;<br>[c.] audit information is protected from unauthorized deletion;<br>[d.] audit logging tools are protected from unauthorized access;<br>[e.] audit logging tools are protected from unauthorized modification; and<br>[f.] audit logging tools are protected from unauthorized deletion.<br><br>AU.L2-3.3.9<br><br>**Practice statement:** Limit management of audit logging functionality to a subset of privileged users.<br><br>**Objectives:**<br>Determine if:<br>[a.] a subset of privileged users granted access to manage audit logging functionality is defined; and<br>[b.] management of audit logging functionality is limited to the defined subset of privileged users. | Microsoft Entra ID logs are retained by default for 30 days. These logs are unable to modified or deleted and are only accessible to limited set of privileged roles.<br>[Sign-in logs in Microsoft Entra ID](../reports-monitoring/concept-sign-ins.md)<br>[Audit logs in Microsoft Entra ID](../reports-monitoring/concept-audit-logs.md)
+| AU.L2-3.3.8<br><br>**Practice statement:** Protect audit information and audit logging tools from unauthorized access, modification, and deletion.<br><br>**Objectives:**<br>Determine if:<br>[a.] audit information is protected from unauthorized access;<br>[b.] audit information is protected from unauthorized modification;<br>[c.] audit information is protected from unauthorized deletion;<br>[d.] audit logging tools are protected from unauthorized access;<br>[e.] audit logging tools are protected from unauthorized modification; and<br>[f.] audit logging tools are protected from unauthorized deletion.<br><br>AU.L2-3.3.9<br><br>**Practice statement:** Limit management of audit logging functionality to a subset of privileged users.<br><br>**Objectives:**<br>Determine if:<br>[a.] a subset of privileged users granted access to manage audit logging functionality is defined; and<br>[b.] management of audit logging functionality is limited to the defined subset of privileged users. | Microsoft Entra logs are retained by default for 30 days. These logs are unable to modified or deleted and are only accessible to limited set of privileged roles.<br>[Sign-in logs in Microsoft Entra ID](../reports-monitoring/concept-sign-ins.md)<br>[Audit logs in Microsoft Entra ID](../reports-monitoring/concept-audit-logs.md)
## Configuration Management (CM)
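Review bot: the only change is "Microsoft Entra ID logs" to "Microsoft Entra logs", but the sentence it touches, "Microsoft Entra logs are retained by default for 30 days. These logs are unable to modified or deleted", has two problems worth fixing in the same edit: "unable to modified" should be "cannot be modified", and 30 days is the retention for tenants licensed for Microsoft Entra ID P1 or P2, while free tenants keep sign-in and audit logs for 7 days. Because this row is the evidence for AU.L2-3.3.8 and AU.L2-3.3.9, and the AU.L2-3.3.1 row above requires records to be "retained as defined", state the license dependency and point to the event hub and Microsoft Sentinel export already linked in that row for retention beyond the default.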
The following table provides a list of practice statement and objectives, and Mi
| CMMC practice statement and objectives | Microsoft Entra guidance and recommendations | | - | - |
-| SI.L2-3.14.7<br><br>**Practice statement:**<br><br>**Objectives:** Identify unauthorized use of organizational systems.<br>Determine if:<br>[a.] authorized use of the system is defined; and<br>[b.] unauthorized use of the system is identified. | Consolidate telemetry: Microsoft Entra ID logs to stream to SIEM, such as Azure Sentinel Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to require Intrusion Detection/Protection (IDS/IPS) such as Microsoft Defender for Endpoint is installed and in use. Use telemetry provided by the IDS/IPS to identify unusual activities or conditions related to inbound and outbound communications traffic or unauthorized use.<br><br>Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require Microsoft Entra hybrid joined device](../conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br><br>**Defender for Endpoint**<br>[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide&preserve-view=true) |
+| SI.L2-3.14.7<br><br>**Practice statement:**<br><br>**Objectives:** Identify unauthorized use of organizational systems.<br>Determine if:<br>[a.] authorized use of the system is defined; and<br>[b.] unauthorized use of the system is identified. | Consolidate telemetry: Microsoft Entra logs to stream to SIEM, such as Azure Sentinel Configure device management policies via MDM (such as Microsoft Intune), Configuration Manager, or group policy objects (GPO) to require Intrusion Detection/Protection (IDS/IPS) such as Microsoft Defender for Endpoint is installed and in use. Use telemetry provided by the IDS/IPS to identify unusual activities or conditions related to inbound and outbound communications traffic or unauthorized use.<br><br>Configure Conditional Access policies to enforce device compliance.<br><br>**Conditional Access**<br>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br>[Require Microsoft Entra hybrid joined device](../conditional-access/concept-conditional-access-grant.md)<br><br>**InTune**<br>[Device compliance policies in Microsoft Intune](/mem/intune/protect/device-compliance-get-started)<br><br>**Defender for Endpoint**<br>[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide&preserve-view=true) |
### Next steps
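Review bot: the guidance cell for SI.L2-3.14.7 runs two sentences together, "...such as Azure Sentinel Configure device management policies...", so a period is missing after "Sentinel", and it uses "Azure Sentinel" where the rows above say "Microsoft Sentinel"; "InTune" should be "Intune", as in "Microsoft Intune" later in the same cell. The first column also places the practice text after the **Objectives:** label ("**Practice statement:**<br><br>**Objectives:** Identify unauthorized use of organizational systems.<br>Determine if:"), leaving the practice statement empty; move "Identify unauthorized use of organizational systems." up after **Practice statement:** to match the layout of the other rows.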
active-directory Fedramp Access Controls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/fedramp-access-controls.md
Each row in the following table provides prescriptive guidance to help you devel
| FedRAMP Control ID and description | Microsoft Entra guidance and recommendations | | - | - |
-| **AC-2 ACCOUNT MANAGEMENT**<p><p>**The Organization**<br>**(a.)** Identifies and selects the following types of information system accounts to support organizational missions/business functions: [*Assignment: organization-defined information system account types*];<p><p>**(b.)** Assigns account managers for information system accounts;<p><p>**(c.)** Establishes conditions for group and role membership;<p><p>**(d.)** Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;<p><p>**(e.)** Requires approvals by [*Assignment: organization-defined personnel or roles*] for requests to create information system accounts;<p><p>**(f.)** Creates, enables, modifies, disables, and removes information system accounts in accordance with [*Assignment: organization-defined procedures or conditions*];<p><p>**(g.)** Monitors the use of information system accounts;<p><p>**(h.)** Notifies account managers:<br>(1.) When accounts are no longer required;<br>(2.) When users are terminated or transferred; and<br>(3.) When individual information system usage or need-to-know changes;<p><p>**(i.)** Authorizes access to the information system based on:<br>(1.) A valid access authorization;<br>(2.) Intended system usage; and<br>(3.) Other attributes as required by the organization or associated missions/business functions;<p><p>**(j.)** Reviews accounts for compliance with account management requirements [*FedRAMP Assignment: monthly for privileged accessed, every six (6) months for non-privileged access*]; and<p><p>**(k.)** Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. | **Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. 
Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access.**<p>Use Microsoft Entra ID to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Microsoft Entra audit logs. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Microsoft Entra entitlement management with access reviews to ensure compliance status of accounts.<p>Provision accounts<br><li>[Plan cloud HR application to Microsoft Entra user provisioning](../app-provisioning/plan-cloud-hr-provision.md)<br><li>[Microsoft Entra Connect Sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md)<br><li>[Add or delete users using Microsoft Entra ID](../fundamentals/add-users.md)<p>Monitor accounts<br><li>[Audit activity reports in the Microsoft Entra portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Connect Microsoft Entra data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md) <br><li>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)<p>Review accounts<br><li>[What is Microsoft Entra entitlement management?](../governance/entitlement-management-overview.md)<br><li>[Create an access review of an access package in Microsoft Entra entitlement management](../governance/entitlement-management-access-reviews-create.md)<br><li>[Review access of an access package in Microsoft Entra entitlement management](../governance/entitlement-management-access-reviews-review-access.md)<p>Resources<br><li>[Administrator role permissions in Microsoft Entra 
ID](../roles/permissions-reference.md)<br><li>[Dynamic Groups in Microsoft Entra ID](../enterprise-users/groups-create-rule.md)<p>&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;<p> |
-| **AC-2(1)**<br>The organization employs automated mechanisms to support the management of information system accounts.| **Employ automated mechanisms to support management of customer-controlled accounts.**<p>Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Microsoft Entra ID to automatically create user identities and roles in cloud software as a solution (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Microsoft Entra ID Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Microsoft Sentinel or Event Hubs.<p>Provision<br><li>[Plan cloud HR application to Microsoft Entra user provisioning](../app-provisioning/plan-cloud-hr-provision.md)<br><li>[Microsoft Entra Connect Sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md)<br><li>[What is automated SaaS app user provisioning in Microsoft Entra ID?](../app-provisioning/user-provisioning.md)<br><li>[SaaS app integration tutorials for use with Microsoft Entra ID](../saas-apps/tutorial-list.md)<p>Monitor and audit<br><li>[Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><li>[Audit activity reports in the Microsoft Entra portal](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Microsoft Sentinel: Connect data from Microsoft Entra ID](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Microsoft Entra ID logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)|
+| **AC-2 ACCOUNT MANAGEMENT**<p><p>**The Organization**<br>**(a.)** Identifies and selects the following types of information system accounts to support organizational missions/business functions: [*Assignment: organization-defined information system account types*];<p><p>**(b.)** Assigns account managers for information system accounts;<p><p>**(c.)** Establishes conditions for group and role membership;<p><p>**(d.)** Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;<p><p>**(e.)** Requires approvals by [*Assignment: organization-defined personnel or roles*] for requests to create information system accounts;<p><p>**(f.)** Creates, enables, modifies, disables, and removes information system accounts in accordance with [*Assignment: organization-defined procedures or conditions*];<p><p>**(g.)** Monitors the use of information system accounts;<p><p>**(h.)** Notifies account managers:<br>(1.) When accounts are no longer required;<br>(2.) When users are terminated or transferred; and<br>(3.) When individual information system usage or need-to-know changes;<p><p>**(i.)** Authorizes access to the information system based on:<br>(1.) A valid access authorization;<br>(2.) Intended system usage; and<br>(3.) Other attributes as required by the organization or associated missions/business functions;<p><p>**(j.)** Reviews accounts for compliance with account management requirements [*FedRAMP Assignment: monthly for privileged accessed, every six (6) months for non-privileged access*]; and<p><p>**(k.)** Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group. | **Implement account lifecycle management for customer-controlled accounts. Monitor the use of accounts and notify account managers of account lifecycle events. 
Review accounts for compliance with account management requirements every month for privileged access and every six months for nonprivileged access.**<p>Use Microsoft Entra ID to provision accounts from external HR systems, on-premises Active Directory, or directly in the cloud. All account lifecycle operations are audited within the Microsoft Entra audit logs. You can collect and analyze logs by using a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel. Alternatively, you can use Azure Event Hubs to integrate logs with third-party SIEM solutions to enable monitoring and notification. Use Microsoft Entra entitlement management with access reviews to ensure compliance status of accounts.<p>Provision accounts<br><li>[Plan cloud HR application to Microsoft Entra user provisioning](../app-provisioning/plan-cloud-hr-provision.md)<br><li>[Microsoft Entra Connect Sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md)<br><li>[Add or delete users using Microsoft Entra ID](../fundamentals/add-users.md)<p>Monitor accounts<br><li>[Audit activity reports in the Microsoft Entra admin center](../reports-monitoring/concept-audit-logs.md)<br><li>[Connect Microsoft Entra data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md) <br><li>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)<p>Review accounts<br><li>[What is Microsoft Entra entitlement management?](../governance/entitlement-management-overview.md)<br><li>[Create an access review of an access package in Microsoft Entra entitlement management](../governance/entitlement-management-access-reviews-create.md)<br><li>[Review access of an access package in Microsoft Entra entitlement management](../governance/entitlement-management-access-reviews-review-access.md)<p>Resources<br><li>[Administrator role permissions in Microsoft Entra 
ID](../roles/permissions-reference.md)<br><li>[Dynamic Groups in Microsoft Entra ID](../enterprise-users/groups-create-rule.md)<p>&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;&emsp;<p> |
+| **AC-2(1)**<br>The organization employs automated mechanisms to support the management of information system accounts.| **Employ automated mechanisms to support management of customer-controlled accounts.**<p>Configure automated provisioning of customer-controlled accounts from external HR systems or on-premises Active Directory. For applications that support application provisioning, configure Microsoft Entra ID to automatically create user identities and roles in cloud software as a solution (SaaS) applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. To ease monitoring of account usage, you can stream Microsoft Entra ID Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs directly into Microsoft Sentinel or Event Hubs.<p>Provision<br><li>[Plan cloud HR application to Microsoft Entra user provisioning](../app-provisioning/plan-cloud-hr-provision.md)<br><li>[Microsoft Entra Connect Sync: Understand and customize synchronization](../hybrid/connect/how-to-connect-sync-whatis.md)<br><li>[What is automated SaaS app user provisioning in Microsoft Entra ID?](../app-provisioning/user-provisioning.md)<br><li>[SaaS app integration tutorials for use with Microsoft Entra ID](../saas-apps/tutorial-list.md)<p>Monitor and audit<br><li>[Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><li>[Audit activity reports in the Microsoft Entra admin center](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Microsoft Sentinel: Connect data from Microsoft Entra ID](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Microsoft Entra logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)|
| **AC-2(2)**<br>The information system automatically [*FedRAMP Selection: disables*] temporary and emergency accounts after [*FedRAMP Assignment: 24 hours from last use*].<p><p>**AC-02(3)**<br>The information system automatically disables inactive accounts after [*FedRAMP Assignment: thirty-five (35) days for user accounts*].<p><p>**AC-2 (3) Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB/AO. Where user management is a function of the service, reports of activity of consumer users shall be made available. | **Employ automated mechanisms to support automatically removing or disabling temporary and emergency accounts after 24 hours from last use and all customer-controlled accounts after 35 days of inactivity.**<p>Implement account management automation with Microsoft Graph and Microsoft Graph PowerShell. Use Microsoft Graph to monitor sign-in activity and Microsoft Graph PowerShell to take action on accounts in the required time frame. 
<p>Determine inactivity<br><li>[Manage inactive user accounts in Microsoft Entra ID](../reports-monitoring/howto-manage-inactive-user-accounts.md)<br><li>[Manage stale devices in Microsoft Entra ID](../devices/manage-stale-devices.md)<p>Remove or disable accounts<br><li>[Working with users in Microsoft Graph](/graph/api/resources/users)<br><li>[Get a user](/graph/api/user-get?tabs=http)<br><li>[Update user](/graph/api/user-update?tabs=http)<br><li>[Delete a user](/graph/api/user-delete?tabs=http)<p>Work with devices in Microsoft Graph<br><li>[Get device](/graph/api/device-get?tabs=http)<br><li>[Update device](/graph/api/device-update?tabs=http)<br><li>[Delete device](/graph/api/device-delete?tabs=http)<p> See, [Microsoft Graph PowerShell documentation](/powershell/microsoftgraph)<br><li>[Get-MgUser](/powershell/module/microsoft.graph.users/get-mguser)<br><li>[Update-MgUser](/powershell/module/microsoft.graph.users/update-mguser)<br><li>[Get-MgDevice](/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdevice)<br><li>[Update-MgDevice](/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdevice) |
-| **AC-2(4)**<br>The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [*FedRAMP Assignment: organization and/or service provider system owner*]. | **Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts.**<p>All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure audit logs. You can stream the logs directly into Microsoft Sentinel or Event Hubs to help with notification.<p>Audit<br><li>[Audit activity reports in the Microsoft Entra portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Microsoft Sentinel: Connect data from Microsoft Entra ID](../../sentinel/connect-azure-active-directory.md)<P>Notification<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Tutorial: Stream Microsoft Entra ID logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| **AC-2(4)**<br>The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies [*FedRAMP Assignment: organization and/or service provider system owner*]. | **Implement an automated audit and notification system for the lifecycle of managing customer-controlled accounts.**<p>All account lifecycle operations, such as account creation, modification, enabling, disabling, and removal actions, are audited within the Azure audit logs. You can stream the logs directly into Microsoft Sentinel or Event Hubs to help with notification.<p>Audit<br><li>[Audit activity reports in the Microsoft Entra admin center](../reports-monitoring/concept-audit-logs.md)<br><li>[Microsoft Sentinel: Connect data from Microsoft Entra ID](../../sentinel/connect-azure-active-directory.md)<P>Notification<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Tutorial: Stream Microsoft Entra logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
| **AC-2(5)**<br>The organization requires that users log out when [*FedRAMP Assignment: inactivity is anticipated to exceed fifteen (15) minutes*].<p><p>**AC-2 (5) Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** Should use a shorter timeframe than AC-12 | **Implement device log-out after a 15-minute period of inactivity.**<p>Implement device lock by using a Conditional Access policy that restricts access to compliant devices. Configure policy settings on the device to enforce device lock at the OS level with mobile device management (MDM) solutions such as Intune. Endpoint Manager or group policy objects can also be considered in hybrid deployments. For unmanaged devices, configure the Sign-In Frequency setting to force users to reauthenticate.<P>Conditional Access<br><li>[Require device to be marked as compliant](../conditional-access/concept-conditional-access-grant.md)<br><li>[User sign-in frequency](../conditional-access/howto-conditional-access-session-lifetime.md)<p>MDM policy<br><li>Configure devices for maximum minutes of inactivity until the screen locks and requires a password to unlock ([Android](/mem/intune/configuration/device-restrictions-android), [iOS](/mem/intune/configuration/device-restrictions-ios), [Windows 10](/mem/intune/configuration/device-restrictions-windows-10)). |
-| **AC-2(7)**<p><p>**The organization:**<br>**(a.)** Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;<br>**(b)** Monitors privileged role assignments; and<br>**(c)** Takes [*FedRAMP Assignment: disables/revokes access within an organization-specified timeframe*] when privileged role assignments are no longer appropriate. | **Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.**<p>Implement Microsoft Entra Privileged Identity Management with access reviews for privileged roles in Microsoft Entra ID to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Microsoft Sentinel or Event Hubs to help with monitoring.<p>Administer<br><li>[What is Microsoft Entra Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<br><li>[Activation maximum duration](../privileged-identity-management/pim-how-to-change-default-settings.md?tabs=new)<p>Monitor<br><li>[Create an access review of Microsoft Entra roles in Privileged Identity Management](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md)<br><li>[View audit history for Microsoft Entra roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-use-audit-log.md?tabs=new)<br><li>[Audit activity reports in the Microsoft Entra portal](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Connect data from Microsoft Entra ID](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Microsoft Entra ID logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| **AC-2(7)**<p><p>**The organization:**<br>**(a.)** Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;<br>**(b)** Monitors privileged role assignments; and<br>**(c)** Takes [*FedRAMP Assignment: disables/revokes access within an organization-specified timeframe*] when privileged role assignments are no longer appropriate. | **Administer and monitor privileged role assignments by following a role-based access scheme for customer-controlled accounts. Disable or revoke privilege access for accounts when no longer appropriate.**<p>Implement Microsoft Entra Privileged Identity Management with access reviews for privileged roles in Microsoft Entra ID to monitor role assignments and remove role assignments when no longer appropriate. You can stream audit logs directly into Microsoft Sentinel or Event Hubs to help with monitoring.<p>Administer<br><li>[What is Microsoft Entra Privileged Identity Management?](../privileged-identity-management/pim-configure.md)<br><li>[Activation maximum duration](../privileged-identity-management/pim-how-to-change-default-settings.md?tabs=new)<p>Monitor<br><li>[Create an access review of Microsoft Entra roles in Privileged Identity Management](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md)<br><li>[View audit history for Microsoft Entra roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-use-audit-log.md?tabs=new)<br><li>[Audit activity reports in the Microsoft Entra admin center](../reports-monitoring/concept-audit-logs.md)<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Connect data from Microsoft Entra ID](../../sentinel/connect-azure-active-directory.md)<br><li>[Tutorial: Stream Microsoft Entra logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
| **AC-2(11)**<br>The information system enforces [*Assignment: organization-defined circumstances and/or usage conditions*] for [*Assignment: organization-defined information system accounts*]. | **Enforce usage of customer-controlled accounts to meet customer-defined conditions or circumstances.**<p>Create Conditional Access policies to enforce access control decisions across users and devices.<p>Conditional Access<br><li>[Create a Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json)<br><li>[What is Conditional Access?](../conditional-access/overview.md) |
-| **AC-2(12)**<p><p>**The organization:**<br>**(a)** Monitors information system accounts for [*Assignment: organization-defined atypical use*]; and<br>**(b)** Reports atypical usage of information system accounts to [*FedRAMP Assignment: at a minimum, the ISSO and/or similar role within the organization*].<p><p>**AC-2 (12) (a) and AC-2 (12) (b) Additional FedRAMP Requirements and Guidance:**<br> Required for privileged accounts. | **Monitor and report customer-controlled accounts with privileged access for atypical usage.**<p>For help with monitoring of atypical usage, you can stream Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Microsoft Sentinel. You can also use Event Hubs to integrate logs with third-party SIEM solutions.<p>Identity protection<br><li>[What is Microsoft Entra ID Protection?](../identity-protection/overview-identity-protection.md)<br><li>[Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><li>[Microsoft Entra ID Protection notifications](../identity-protection/howto-identity-protection-configure-notifications.md)<p>Monitor accounts<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Audit activity reports in the Microsoft Entra portal](../reports-monitoring/concept-audit-logs.md)<br><li>[Connect Microsoft Entra data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md) <br><li>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| **AC-2(12)**<p><p>**The organization:**<br>**(a)** Monitors information system accounts for [*Assignment: organization-defined atypical use*]; and<br>**(b)** Reports atypical usage of information system accounts to [*FedRAMP Assignment: at a minimum, the ISSO and/or similar role within the organization*].<p><p>**AC-2 (12) (a) and AC-2 (12) (b) Additional FedRAMP Requirements and Guidance:**<br> Required for privileged accounts. | **Monitor and report customer-controlled accounts with privileged access for atypical usage.**<p>For help with monitoring of atypical usage, you can stream Identity Protection logs, which show risky users, risky sign-ins, and risk detections, and audit logs, which help with correlation with privilege assignment, directly into a SIEM solution such as Microsoft Sentinel. You can also use Event Hubs to integrate logs with third-party SIEM solutions.<p>Identity protection<br><li>[What is Microsoft Entra ID Protection?](../identity-protection/overview-identity-protection.md)<br><li>[Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<br><li>[Microsoft Entra ID Protection notifications](../identity-protection/howto-identity-protection-configure-notifications.md)<p>Monitor accounts<br><li>[What is Microsoft Sentinel?](../../sentinel/overview.md)<br><li>[Audit activity reports in the Microsoft Entra admin center](../reports-monitoring/concept-audit-logs.md)<br><li>[Connect Microsoft Entra data to Microsoft Sentinel](../../sentinel/connect-azure-active-directory.md) <br><li>[Tutorial: Stream logs to an Azure event hub](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
| **AC-2(13)**<br>The organization disables accounts of users posing a significant risk in [*FedRAMP Assignment: one (1) hour*] of discovery of the risk.|**Disable customer-controlled accounts of users that pose a significant risk in one hour.**<p>In Microsoft Entra ID Protection, configure and enable a user risk policy with the threshold set to High. Create Conditional Access policies to block access for risky users and risky sign-ins. Configure risk policies to allow users to self-remediate and unblock subsequent sign-in attempts.<p>Identity protection<br><li>[What is Microsoft Entra ID Protection?](../identity-protection/overview-identity-protection.md)<p>Conditional Access<br><li>[What is Conditional Access?](../conditional-access/overview.md)<br><li>[Create a Conditional Access policy](../authentication/tutorial-enable-azure-mfa.md?bc=/azure/active-directory/conditional-access/breadcrumb/toc.json&toc=/azure/active-directory/conditional-access/toc.json)<br><li>[Conditional Access: User risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk-user.md)<br><li>[Conditional Access: Sign-in risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk-user.md)<br><li>[Self-remediation with risk policy](../identity-protection/howto-identity-protection-remediate-unblock.md) | | **AC-6(7)**<p><p>**The organization:**<br>**(a.)** Reviews [*FedRAMP Assignment: at a minimum, annually*] the privileges assigned to [*FedRAMP Assignment: all users with privileges*] to validate the need for such privileges; and<br>**(b.)** Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs. | **Review and validate all users with privileged access every year. 
Ensure privileges are reassigned (or removed if necessary) to align with organizational mission and business requirements.**<p>Use Microsoft Entra entitlement management with access reviews for privileged users to verify if privileged access is required. <p>Access reviews<br><li>[What is Microsoft Entra entitlement management?](../governance/entitlement-management-overview.md)<br><li>[Create an access review of Microsoft Entra roles in Privileged Identity Management](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md)<br><li>[Review access of an access package in Microsoft Entra entitlement management](../governance/entitlement-management-access-reviews-review-access.md) | | **AC-7 Unsuccessful Login Attempts**<p><p>**The organization:**<br>**(a.)** Enforces a limit of [*FedRAMP Assignment: not more than three (3)*] consecutive invalid logon attempts by a user during a [*FedRAMP Assignment: fifteen (15) minutes*]; and<br>**(b.)** Automatically [Selection: locks the account/node for a [*FedRAMP Assignment: minimum of three (3) hours or until unlocked by an administrator]; delays next logon prompt according to [Assignment: organization-defined delay algorithm*]] when the maximum number of unsuccessful attempts is exceeded. | **Enforce a limit of no more than three consecutive failed login attempts on customer-deployed resources within a 15-minute period. Lock the account for a minimum of three hours or until unlocked by an administrator.**<p>Enable custom smart lockout settings. Configure lockout threshold and lockout duration in seconds to implement these requirements. <p>Smart lockout<br><li>[Protect user accounts from attacks with Microsoft Entra smart lockout](../authentication/howto-password-smart-lockout.md)<br><li>[Manage Microsoft Entra smart lockout values](../authentication/howto-password-smart-lockout.md) |
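Review bot: the replacement AC-2(4) row (the `+` line beginning `| **AC-2(4)**`) still says lifecycle operations "are audited within the Azure audit logs", while the rewritten AC-2 row in the same change says "audited within the Microsoft Entra audit logs"; since this is the Azure AD to Microsoft Entra rename pass, that phrase should become "Microsoft Entra audit logs" as well. In the same pass, the `+` AC-2(1) row expands SaaS as "cloud software as a solution (SaaS)"; the correct expansion is "software as a service (SaaS)". One thing in the surrounding AC-2(13) context is worth a look while here: the "Sign-in risk-based Conditional Access" bullet links to the same `howto-conditional-access-policy-risk-user.md` file as the user-risk bullet directly above it, which looks like a copy-paste of the user-risk link; confirm it points at the sign-in-risk article.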
active-directory Fedramp Identification And Authentication Controls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/fedramp-identification-and-authentication-controls.md
Each row in the following table provides prescriptive guidance to help you devel
| **IA-2(5)**<br>The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed. | **When multiple users have access to a shared or group account password, require each user to first authenticate by using an individual authenticator.**<p>Use an individual account per user. If a shared account is required, Microsoft Entra ID permits binding of multiple authenticators to an account so that each user has an individual authenticator. <p>Resources<br><li>[How it works: Microsoft Entra multifactor authentication](../authentication/concept-mfa-howitworks.md)<br> <li>[Manage authentication methods for Microsoft Entra multifactor authentication](../authentication/howto-mfa-userdevicesettings.md) | | **IA-2(8)**<br>The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. | **Implement replay-resistant authentication mechanisms for network access to privileged accounts.**<p>Configure Conditional Access policies to require multifactor authentication for all users. 
All Microsoft Entra authentication methods at authentication assurance level 2 and 3 use either nonce or challenges and are resistant to replay attacks.<p>References<br> <li>[Conditional Access: Require multifactor authentication for all users](../conditional-access/howto-conditional-access-policy-all-users-mfa.md)<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md) | | **IA-2(11)**<br>The information system implements multifactor authentication for remote access to privileged and nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [*FedRAMP Assignment: FIPS 140-2, NIAP* Certification, or NSA approval*].<br><br>*National Information Assurance Partnership (NIAP)<br>**Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** PIV = separate device. Refer to NIST SP 800-157 Guidelines for Derived Personal Identity Verification (PIV) Credentials. FIPS 140-2 means validated by the Cryptographic Module Validation Program (CMVP). | **Implement Microsoft Entra multifactor authentication to access customer-deployed resources remotely so that one of the factors is provided by a device separate from the system gaining access where the device meets FIPS-140-2, NIAP certification, or NSA approval.**<p>See guidance for IA-02(1-4). Microsoft Entra authentication methods to consider at AAL3 meeting the separate device requirements are:<p> FIDO2 security keys<br> <li>Windows Hello for Business with hardware TPM (TPM is recognized as a valid "something you have" factor by NIST 800-63B Section 5.1.7.1.)<br> <li>Smart card<p>References<br><li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md)<br> <li>[NIST 800-63B Section 5.1.7.1](https://pages.nist.gov/800-63-3/sp800-63b.html) |
-| **IA-2(12)*<br>The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.<br><br>**IA-2 (12) Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** Include Common Access Card (CAC), that is, the DoD technical implementation of PIV/FIPS 201/HSPD-12. | **Accept and verify personal identity verification (PIV) credentials. This control isn't applicable if the customer doesn't deploy PIV credentials.**<p>Configure federated authentication by using Active Directory Federation Services (AD FS) to accept PIV (certificate authentication) as both primary and multifactor authentication methods and issue the multifactor authentication (MultipleAuthN) claim when PIV is used. Configure the federated domain in Microsoft Entra ID with setting **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` (recommended) or SupportsMfa to `$True` to direct multifactor authentication requests originating at Microsoft Entra ID to AD FS. Alternatively, you can use PIV for sign-in on Windows devices and later use integrated Windows authentication along with seamless single sign-on. Windows Server and client verify certificates by default when used for authentication. <p>Resources<br><li>[What is federation with Microsoft Entra ID?](../hybrid/connect/whatis-fed.md)<br> <li>[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br> <li>[Configure authentication policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)<br> <li>[Secure resources with Microsoft Entra multifactor authentication and AD FS](../authentication/howto-mfa-adfs.md)<br><li>[New-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration)<br> <li>[Microsoft Entra Connect: Seamless single sign-on](../hybrid/connect/how-to-connect-sso.md) |
+| **IA-2(12)*<br>The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials.<br><br>**IA-2 (12) Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** Include Common Access Card (CAC), that is, the DoD technical implementation of PIV/FIPS 201/HSPD-12. | **Accept and verify personal identity verification (PIV) credentials. This control isn't applicable if the customer doesn't deploy PIV credentials.**<p>Configure federated authentication by using Active Directory Federation Services (AD FS) to accept PIV (certificate authentication) as both primary and multifactor authentication methods and issue the multifactor authentication (MultipleAuthN) claim when PIV is used. Configure the federated domain in Microsoft Entra ID with setting **federatedIdpMfaBehavior** to `enforceMfaByFederatedIdp` (recommended) or SupportsMfa to `$True` to direct multifactor authentication requests originating at Microsoft Entra ID to Active Directory Federation Services. Alternatively, you can use PIV for sign-in on Windows devices and later use integrated Windows authentication along with seamless single sign-on. Windows Server and client verify certificates by default when used for authentication. <p>Resources<br><li>[What is federation with Microsoft Entra ID?](../hybrid/connect/whatis-fed.md)<br> <li>[Configure AD FS support for user certificate authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br> <li>[Configure authentication policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies)<br> <li>[Secure resources with Microsoft Entra multifactor authentication and AD FS](../authentication/howto-mfa-adfs.md)<br><li>[New-MgDomainFederationConfiguration](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration)<br> <li>[Microsoft Entra Connect: Seamless single sign-on](../hybrid/connect/how-to-connect-sso.md) |
| **IA-3 Device Identification and Authentication**<br>The information system uniquely identifies and authenticates [*Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network*] connection. | **Implement device identification and authentication prior to establishing a connection.**<p>Configure Microsoft Entra ID to identify and authenticate Microsoft Entra registered, Microsoft Entra joined, and Microsoft Entra hybrid joined devices.<p> Resources<br><li>[What is a device identity?](../devices/overview.md)<br> <li>[Plan a Microsoft Entra devices deployment](../devices/plan-device-deployment.md)<br><li>[Require managed devices for cloud app access with Conditional Access](../conditional-access/concept-conditional-access-grant.md) | | **IA-04 Identifier Management**<br>The organization manages information system identifiers for users and devices by:<br>**(a.)** Receiving authorization from [*FedRAMP Assignment at a minimum, the ISSO (or similar role within the organization)*] to assign an individual, group, role, or device identifier;<br>**(b.)** Selecting an identifier that identifies an individual, group, role, or device;<br>**(c.)** Assigning the identifier to the intended individual, group, role, or device;<br>**(d.)** Preventing reuse of identifiers for [*FedRAMP Assignment: at least two (2) years*]; and<br>**(e.)** Disabling the identifier after [*FedRAMP Assignment: thirty-five (35) days (see requirements and guidance)*]<br>**IA-4e Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** The service provider defines the time period of inactivity for device identifiers.<br>**Guidance:** For DoD clouds, see DoD cloud website for specific DoD requirements that go above and beyond FedRAMP.<br><br>**IA-4(4)**<br>The organization manages individual identifiers by uniquely identifying each individual as [*FedRAMP Assignment: contractors; foreign nationals*]. 
| **Disable account identifiers after 35 days of inactivity and prevent their reuse for two years. Manage individual identifiers by uniquely identifying each individual (for example, contractors and foreign nationals).**<p>Assign and manage individual account identifiers and status in Microsoft Entra ID in accordance with existing organizational policies defined in AC-02. Follow AC-02(3) to automatically disable user and device accounts after 35 days of inactivity. Ensure that organizational policy maintains all accounts that remain in the disabled state for at least two years. After this time, you can remove them. <p>Determine inactivity<br> <li>[Manage inactive user accounts in Microsoft Entra ID](../reports-monitoring/howto-manage-inactive-user-accounts.md)<br> <li>[Manage stale devices in Microsoft Entra ID](../devices/manage-stale-devices.md)<br> <li>[See AC-02 guidance](fedramp-access-controls.md) | | **IA-5 Authenticator Management**<br>The organization manages information system authenticators by:<br>**(a.)** Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;<br>**(b.)** Establishing initial authenticator content for authenticators defined by the organization;<br>**(c.)** Ensuring that authenticators have sufficient strength of mechanism for their intended use;<br>**(d.)** Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;<br>**(e.)** Changing default content of authenticators prior to information system installation;<br>**(f.)** Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;<br>**(g.)** Changing/refreshing authenticators [*Assignment: organization-defined time period by authenticator type*].<br>**(h.)** Protecting authenticator content from unauthorized disclosure and 
modification;<br>**(i.)** Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and<br>**(j.)** Changing authenticators for group/role accounts when membership to those accounts changes.<br><br>**IA-5 Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** Authenticators must be compliant with NIST SP 800-63-3 Digital Identity Guidelines IAL, AAL, FAL level 3. Link https://pages.nist.gov/800-63-3 | **Configure and manage information system authenticators.**<p>Microsoft Entra ID supports various authentication methods. You can use your existing organizational policies for management. See guidance for authenticator selection in IA-02(1-4). Enable users in combined registration for SSPR and Microsoft Entra multifactor authentication and require users to register a minimum of two acceptable multifactor authentication methods to facilitate self-remediation. You can revoke user-configured authenticators at any time with the authentication methods API. <p>Authenticator strength/protecting authenticator content<br> <li>[Achieving NIST authenticator assurance levels with the Microsoft identity platform](nist-overview.md)<p>Authentication methods and combined registration<br> <li>[What authentication and verification methods are available in Microsoft Entra ID?](../authentication/concept-authentication-methods.md)<br> <li>[Combined registration for SSPR and Microsoft Entra multifactor authentication](../authentication/concept-registration-mfa-sspr-combined.md)<p>Authenticator revokes<br> <li>[Microsoft Entra authentication methods API overview](/graph/api/resources/authenticationmethods-overview) |
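Review bot: the control ID in the added IA-2(12) row opens bold with `**IA-2(12)*` but closes with a single asterisk, so the markers render literally; make it `**IA-2(12)**` to match the neighbouring rows such as `**IA-3 Device Identification and Authentication**`. The same cell names two settings, `federatedIdpMfaBehavior` and `SupportsMfa`, but links only New-MgDomainFederationConfiguration; say where `SupportsMfa` is set (and that it is the older option, given `enforceMfaByFederatedIdp` is the one marked recommended) so a reader does not look for it on the linked cmdlet.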
active-directory Fedramp Other Controls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/fedramp-other-controls.md
The guidance in the following table pertains to:
| FedRAMP Control ID and description | Microsoft Entra guidance and recommendations | | - | - |
-| **AU-2 Audit Events**<br>**The organization:**<br>**(a.)** Determines that the information system is capable of auditing the following events: [*FedRAMP Assignment: [Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes*];<br>**(b.)** Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;<br>**(c.)** Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and<br>**(d.)** Determines that the following events are to be audited in the information system: [*FedRAMP Assignment: organization-defined subset of the auditable events defined in AU-2 a. 
to be audited continually for each identified event*].<br><br>**AU-2 Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.<br><br>**AU-3 Content and Audit Records**<br>The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.<br><br>**AU-3(1)**<br>The information system generates audit records containing the following additional information: [*FedRAMP Assignment: organization-defined additional, more detailed information*].<br><br>**AU-3 (1) Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** The service provider defines audit record types [*FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands*]. The audit record types are approved and accepted by the JAB/AO.<br>**Guidance:** For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.<br><br>**AU-3(2)**<br>The information system provides centralized management and configuration of the content to be captured in audit records generated by [*FedRAMP Assignment: all network, data storage, and computing devices*]. | Ensure the system is capable of auditing events defined in AU-2 Part a. Coordinate with other entities within the organization's subset of auditable events to support after-the-fact investigations. 
Implement centralized management of audit records.<p>All account lifecycle operations (account creation, modification, enabling, disabling, and removal actions) are audited within the Microsoft Entra audit logs. All authentication and authorization events are audited within Microsoft Entra sign-in logs, and any detected risks are audited in the Identity Protection logs. You can stream each of these logs directly into a security information and event management (SIEM) solution such as Microsoft Sentinel. Alternatively, use Azure Event Hubs to integrate logs with third-party SIEM solutions.<p>Audit events<li> [Audit activity reports in the Microsoft Entra portal](../reports-monitoring/concept-audit-logs.md)<li> [Sign-in activity reports in the Microsoft Entra portal](../reports-monitoring/concept-sign-ins.md)<li>[How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<p>SIEM integrations<li> [Microsoft Sentinel : Connect data from Microsoft Entra ID](../../sentinel/connect-azure-active-directory.md)<li>[Stream to Azure event hub and other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
+| **AU-2 Audit Events**<br>**The organization:**<br>**(a.)** Determines that the information system is capable of auditing the following events: [*FedRAMP Assignment: [Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes*];<br>**(b.)** Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;<br>**(c.)** Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and<br>**(d.)** Determines that the following events are to be audited in the information system: [*FedRAMP Assignment: organization-defined subset of the auditable events defined in AU-2 a. 
to be audited continually for each identified event*].<br><br>**AU-2 Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** Coordination between service provider and consumer shall be documented and accepted by the JAB/AO.<br><br>**AU-3 Content and Audit Records**<br>The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.<br><br>**AU-3(1)**<br>The information system generates audit records containing the following additional information: [*FedRAMP Assignment: organization-defined additional, more detailed information*].<br><br>**AU-3 (1) Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** The service provider defines audit record types [*FedRAMP Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands*]. The audit record types are approved and accepted by the JAB/AO.<br>**Guidance:** For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.<br><br>**AU-3(2)**<br>The information system provides centralized management and configuration of the content to be captured in audit records generated by [*FedRAMP Assignment: all network, data storage, and computing devices*]. | Ensure the system is capable of auditing events defined in AU-2 Part a. Coordinate with other entities within the organization's subset of auditable events to support after-the-fact investigations. 
Implement centralized management of audit records.<p>All account lifecycle operations (account creation, modification, enabling, disabling, and removal actions) are audited within the Microsoft Entra audit logs. All authentication and authorization events are audited within Microsoft Entra sign-in logs, and any detected risks are audited in the Identity Protection logs. You can stream each of these logs directly into a security information and event management (SIEM) solution such as Microsoft Sentinel. Alternatively, use Azure Event Hubs to integrate logs with third-party SIEM solutions.<p>Audit events<li> [Audit activity reports in the Microsoft Entra admin center](../reports-monitoring/concept-audit-logs.md)<li> [Sign-in activity reports in the Microsoft Entra admin center](../reports-monitoring/concept-sign-ins.md)<li>[How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<p>SIEM integrations<li> [Microsoft Sentinel : Connect data from Microsoft Entra ID](../../sentinel/connect-azure-active-directory.md)<li>[Stream to Azure event hub and other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) |
| **AU-6 Audit Review, Analysis, and Reporting**<br>**The organization:**<br>**(a.)** Reviews and analyzes information system audit records [*FedRAMP Assignment: at least weekly*] for indications of [*Assignment: organization-defined inappropriate or unusual activity*]; and<br>**(b.)** Reports findings to [*Assignment: organization-defined personnel or roles*].<br>**AU-6 Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** Coordination between service provider and consumer shall be documented and accepted by the Authorizing Official. In multi-tenant environments, capability and means for providing review, analysis, and reporting to consumer for data pertaining to consumer shall be documented.<br><br>**AU-6(1)**<br>The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.<br><br>**AU-6(3)**<br>The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.<br><br>**AU-6(4)**<br>The information system provides the capability to centrally review and analyze audit records from multiple components within the system.<br><br>**AU-6(5)**<br>The organization integrates analysis of audit records with analysis of [*FedRAMP Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data;* [*Assignment: organization-defined dat). | ## Incident response
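Review bot: the guidance sentence in the AU-2 row, `Coordinate with other entities within the organization's subset of auditable events to support after-the-fact investigations.`, does not parse; the control text (parts b and d) is about coordinating with other organizational entities to select the subset of auditable events, so something like `Coordinate with other entities within the organization to select the subset of auditable events that supports after-the-fact investigations.` is what was meant. Two smaller things the portal-to-admin-center rename carried over unchanged: the AU-2(a) assignment opens two brackets (`[*FedRAMP Assignment: [Successful ...`) but closes one, and `**AU-3 Content and Audit Records**` should read `Content of Audit Records`, the title of the control.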
The guidance in the following table pertains to:
| FedRAMP Control ID and description | Microsoft Entra guidance and recommendations | | - | - |
-| **IR-4 Incident Handling**<br>**The organization:**<br>**(a.)** Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;<br>**(b.)** Coordinates incident handling activities with contingency planning activities; and<br>**(c.)** Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.<br>**IR-4 Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.<br><br>**IR-04(1)**<br>The organization employs automated mechanisms to support the incident handling process.<br><br>**IR-04(2)**<br>The organization includes dynamic reconfiguration of [*FedRAMP Assignment: all network, data storage, and computing devices*] as part of the incident response capability.<br><br>**IR-04(3)**<br>The organization identifies [*Assignment: organization-defined classes of incidents*] and [*Assignment: organization-defined actions to take in response to classes of incident*] to ensure continuation of organizational missions and business functions.<br><br>**IR-04(4)**<br>The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.<br><br>**IR-04(6)**<br>The organization implements incident handling capability for insider threats.<br><br>**IR-04(8)**<br>The organization implements incident handling capability for insider threats.<br>The organization coordinates with [*FedRAMP Assignment: external organizations including consumer incident responders and network defenders and the appropriate consumer incident 
response team (CIRT)/ Computer Emergency Response Team (CERT) (such as US-CERT, DoD CERT, IC CERT)*] to correlate and share [*Assignment: organization-defined incident information*] to achieve a cross- organization perspective on incident awareness and more effective incident responses.<br><br>**IR-05 Incident Monitoring**<br>The organization tracks and documents information system security incidents.<br><br>**IR-05(1)**<br>The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. | Implement incident handling and monitoring capabilities. This includes Automated Incident Handling, Dynamic Reconfiguration, Continuity of Operations, Information Correlation, Insider Threats, Correlation with External Organizations, and Incident Monitoring and Automated Tracking. <p>The audit logs record all configuration changes. Authentication and authorization events are audited within the sign-in logs, and any detected risks are audited in the Identity Protection logs. You can stream each of these logs directly into a SIEM solution, such as Microsoft Sentinel. Alternatively, use Azure Event Hubs to integrate logs with third-party SIEM solutions. Automate dynamic reconfiguration based on events in the SIEM by using Microsoft Graph PowerShell.<p>Audit events<br><li>[Audit activity reports in the Microsoft Entra portal](../reports-monitoring/concept-audit-logs.md)<li>[Sign-in activity reports in the Microsoft Entra portal](../reports-monitoring/concept-sign-ins.md)<li>[How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<p>SIEM integrations<li>[Microsoft Sentinel : Connect data from Microsoft Entra ID](../../sentinel/connect-azure-active-directory.md)<li>[Stream to Azure event hub and other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)|
+| **IR-4 Incident Handling**<br>**The organization:**<br>**(a.)** Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;<br>**(b.)** Coordinates incident handling activities with contingency planning activities; and<br>**(c.)** Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.<br>**IR-4 Additional FedRAMP Requirements and Guidance:**<br>**Requirement:** The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.<br><br>**IR-04(1)**<br>The organization employs automated mechanisms to support the incident handling process.<br><br>**IR-04(2)**<br>The organization includes dynamic reconfiguration of [*FedRAMP Assignment: all network, data storage, and computing devices*] as part of the incident response capability.<br><br>**IR-04(3)**<br>The organization identifies [*Assignment: organization-defined classes of incidents*] and [*Assignment: organization-defined actions to take in response to classes of incident*] to ensure continuation of organizational missions and business functions.<br><br>**IR-04(4)**<br>The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.<br><br>**IR-04(6)**<br>The organization implements incident handling capability for insider threats.<br><br>**IR-04(8)**<br>The organization implements incident handling capability for insider threats.<br>The organization coordinates with [*FedRAMP Assignment: external organizations including consumer incident responders and network defenders and the appropriate consumer incident 
response team (CIRT)/ Computer Emergency Response Team (CERT) (such as US-CERT, DoD CERT, IC CERT)*] to correlate and share [*Assignment: organization-defined incident information*] to achieve a cross- organization perspective on incident awareness and more effective incident responses.<br><br>**IR-05 Incident Monitoring**<br>The organization tracks and documents information system security incidents.<br><br>**IR-05(1)**<br>The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. | Implement incident handling and monitoring capabilities. This includes Automated Incident Handling, Dynamic Reconfiguration, Continuity of Operations, Information Correlation, Insider Threats, Correlation with External Organizations, and Incident Monitoring and Automated Tracking. <p>The audit logs record all configuration changes. Authentication and authorization events are audited within the sign-in logs, and any detected risks are audited in the Identity Protection logs. You can stream each of these logs directly into a SIEM solution, such as Microsoft Sentinel. Alternatively, use Azure Event Hubs to integrate logs with third-party SIEM solutions. Automate dynamic reconfiguration based on events in the SIEM by using Microsoft Graph PowerShell.<p>Audit events<br><li>[Audit activity reports in the Microsoft Entra admin center](../reports-monitoring/concept-audit-logs.md)<li>[Sign-in activity reports in the Microsoft Entra admin center](../reports-monitoring/concept-sign-ins.md)<li>[How To: Investigate risk](../identity-protection/howto-identity-protection-investigate-risk.md)<p>SIEM integrations<li>[Microsoft Sentinel : Connect data from Microsoft Entra ID](../../sentinel/connect-azure-active-directory.md)<li>[Stream to Azure event hub and other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)|
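Review bot: IR-04(8) repeats the IR-04(6) sentence (`The organization implements incident handling capability for insider threats.`) immediately before its own text, `The organization coordinates with [*FedRAMP Assignment: external organizations ...`; the duplicate survived the portal-to-admin-center rename, so drop the repeated sentence from the IR-04(8) entry. In the guidance cell, `Automate dynamic reconfiguration based on events in the SIEM by using Microsoft Graph PowerShell` is the only recommendation in the row without a link, while every audit and SIEM item below it is linked; add the Graph PowerShell reference so the reconfiguration claim is actionable.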
## Personnel security
The guidance in the following table pertains to:
| FedRAMP Control ID and description | Microsoft Entra guidance and recommendations | | - | - |
-| **SI-4 Information System Monitoring**<br>**The organization:**<br>**(a.)** Monitors the information system to detect:<br>**(1.)** Attacks and indicators of potential attacks in accordance with [*Assignment: organization-defined monitoring objectives*]; and<br>**(2.)** Unauthorized local, network, and remote connections;<br>**(b.)** Identifies unauthorized use of the information system through [*Assignment: organization-defined techniques and methods*];<br>**(c.)** Deploys monitoring devices (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;<br>**(d.)** Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;<br>**(e.)** Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;<br>**(f.)** Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and<br>**(d.)** Provides [*Assignment: organization-defined information system monitoring information*] to [*Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]*].<br>**SI-4 Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** See US-CERT Incident Response Reporting Guidelines.<br><br>**SI-04(1)**<br> The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. | Implement information system-wide monitoring, and the intrusion detection system. 
<p>Include all Microsoft Entra ID logs (Audit, Sign-in, Identity Protection) within the information system monitoring solution. <p>Stream Microsoft Entra ID logs into a SIEM solution (see IA-04). &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|
+| **SI-4 Information System Monitoring**<br>**The organization:**<br>**(a.)** Monitors the information system to detect:<br>**(1.)** Attacks and indicators of potential attacks in accordance with [*Assignment: organization-defined monitoring objectives*]; and<br>**(2.)** Unauthorized local, network, and remote connections;<br>**(b.)** Identifies unauthorized use of the information system through [*Assignment: organization-defined techniques and methods*];<br>**(c.)** Deploys monitoring devices (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;<br>**(d.)** Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;<br>**(e.)** Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;<br>**(f.)** Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and<br>**(d.)** Provides [*Assignment: organization-defined information system monitoring information*] to [*Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]*].<br>**SI-4 Additional FedRAMP Requirements and Guidance:**<br>**Guidance:** See US-CERT Incident Response Reporting Guidelines.<br><br>**SI-04(1)**<br> The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system. | Implement information system-wide monitoring, and the intrusion detection system. 
<p>Include all Microsoft Entra logs (Audit, Sign-in, Identity Protection) within the information system monitoring solution. <p>Stream Microsoft Entra logs into a SIEM solution (see IA-04). &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|
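Review bot: the cross-reference `(see IA-04)` in the SI-4 guidance cell points at Identifier Management; the SIEM streaming guidance and the Microsoft Sentinel and Event Hubs links live in the AU-2/AU-3 and IR-4 rows above, so point there (or repeat those two links here). Two more things the rename pass carried over: the last SI-4 item is labelled `(d.)` a second time where `(g.)` is expected after `(f.)`, and the cell ends in a long run of `&nbsp;` entities that should be deleted.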
## Next steps
active-directory Hipaa Access Controls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/hipaa-access-controls.md
The following table has access control safeguards from the HIPAA guidance for un
| Recommendation | Action | | - | - |
-| Set up hybrid to utilize Azure AD | [Azure AD Connect](../hybrid/how-to-connect-install-express.md) integrates on-premises directories with Azure AD, supporting the use of single identities to access on-premises applications and cloud services such as Microsoft 365. It orchestrates synchronization between Active Directory (AD) and Azure AD. To get started with Azure AD Connect review the prerequisites, making note of the server requirements and how to prepare your Azure AD tenant for management.</br>[Azure AD Connect sync](../cloud-sync/tutorial-pilot-aadc-aadccp.md) is a provisioning agent that is managed on the cloud. The provisioning agent supports synchronizing to Azure AD from a multi-forest disconnected AD environment. Lightweight agents are installed and can be used with Azure AD connect.</br>We recommend you use **Password Hash Sync** to help reduce the number of passwords and protect against leaked credential detection.|
-| Provision user accounts |[Azure AD](../fundamentals/add-users-azure-active-directory.md) is a cloud-based identity and access management service that provides single sign-on, multi-factor authentication and Conditional Access to guard against security attacks. To create a user account, sign in into the Azure AD portal as a **User Admin** and create a new account by navigating to [All users](../fundamentals/add-users-azure-active-directory.md) in the menu.</br>Azure AD provides support for automated user provisioning for systems and applications. Capabilities include creating, updating, and deleting a user account. Automated provisioning creates new accounts in the right systems for new people when they join a team in an organization, and automated deprovisioning deactivates accounts when people leave the team. Configure provisioning by navigating to the Azure AD portal and selecting [enterprise applications](../app-provisioning/configure-automatic-user-provisioning-portal.md) to add and manage the app settings. |
-|HR-driven provisioning | [Integrating Azure AD account provisioning](../app-provisioning/plan-cloud-hr-provision.md) within a Human Resources (HR) system reduces the risk of excessive access and access no longer required. The HR system becomes the start-of-authority, for newly created accounts, extending the capabilities to account deprovisioning. Automation manages the identity lifecycle and reduces the risk of over-provisioning. This approach follows the security best practice of providing least privilege access. |
-| Create lifecycle workflows | [Lifecycle workflows](../governance/understanding-lifecycle-workflows.md) provide identity governance for automating the joiner/mover/leaver (JML) lifecycle. Lifecycle workflows centralize the workflow process by either using the [built-in templates](../governance/lifecycle-workflow-templates.md) or creating your own custom workflows. this practice helps reduce or potentially remove manual tasks for organizational JML strategy requirements. Within the Azure portal, navigate to **Identity Governance** in the Azure AD menu to review or configure tasks that fit within your organizational requirements. |
-| Manage privileged identities | [Azure AD Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) enables management, control, and the ability to monitor access. You provide access when it's needed, on a time-based and approval-based role activation. This approach limits the risk of excessive, unnecessary, or misused access permissions. |
-| Monitoring and alerting | [Identity Protection](../identity-protection/overview-identity-protection.md) provides a consolidated view into risk events and potential vulnerabilities that could affect an organizationΓÇÖs identities. Enabling the protection applies the existing Azure AD anomaly detection capabilities and introduces risk event types that detect anomalies in real-time. Through the Azure AD portal, you can sign-in, audit, and review provisioning logs.</br>The logs can be [downloaded, archived, and streamed](../reports-monitoring/howto-download-logs.md) to your security information and event management (SIEM) tool. Azure AD logs can be located in the monitoring section of the Azure AD menu. The logs can also be sent to [Azure Monitor](../reports-monitoring/concept-activity-logs-azure-monitor.md) using an Azure log analytics workspace where you can set up alerting on the connected data.</br>Azure AD uniquely identifies users via the [ID property](/graph/api/resources/user?view=graph-rest-1.0&preserve-view=true) on the respective directory object. This approach enables you to filter for specific identities in the log files. |
+| Set up hybrid to utilize Microsoft Entra ID | [Microsoft Entra Connect](../hybrid/how-to-connect-install-express.md) integrates on-premises directories with Microsoft Entra ID, supporting the use of single identities to access on-premises applications and cloud services such as Microsoft 365. It orchestrates synchronization between Active Directory (AD) and Microsoft Entra ID. To get started with Microsoft Entra Connect review the prerequisites, making note of the server requirements and how to prepare your Microsoft Entra tenant for management.</br>[Microsoft Entra Connect sync](../cloud-sync/tutorial-pilot-aadc-aadccp.md) is a provisioning agent that is managed on the cloud. The provisioning agent supports synchronizing to Microsoft Entra ID from a multi-forest disconnected AD environment. Lightweight agents are installed and can be used with Microsoft Entra Connect.</br>We recommend you use **Password Hash Sync** to help reduce the number of passwords and protect against leaked credential detection.|
+| Provision user accounts |[Microsoft Entra ID](../fundamentals/add-users-azure-active-directory.md) is a cloud-based identity and access management service that provides single sign-on, multi-factor authentication and Conditional Access to guard against security attacks. To create a user account, sign in into the Microsoft Entra admin center as a **User Admin** and create a new account by navigating to [All users](../fundamentals/add-users-azure-active-directory.md) in the menu. </br> Microsoft Entra ID provides support for automated user provisioning for systems and applications. Capabilities include creating, updating, and deleting a user account. Automated provisioning creates new accounts in the right systems for new people when they join a team in an organization, and automated deprovisioning deactivates accounts when people leave the team. Configure provisioning by navigating to the Microsoft Entra admin center and selecting [enterprise applications](../app-provisioning/configure-automatic-user-provisioning-portal.md) to add and manage the app settings. |
+|HR-driven provisioning | [Integrating Microsoft Entra account provisioning](../app-provisioning/plan-cloud-hr-provision.md) within a Human Resources (HR) system reduces the risk of excessive access and access no longer required. The HR system becomes the start-of-authority, for newly created accounts, extending the capabilities to account deprovisioning. Automation manages the identity lifecycle and reduces the risk of over-provisioning. This approach follows the security best practice of providing least privilege access. |
+| Create lifecycle workflows | [Lifecycle workflows](../governance/understanding-lifecycle-workflows.md) provide identity governance for automating the joiner/mover/leaver (JML) lifecycle. Lifecycle workflows centralize the workflow process by either using the [built-in templates](../governance/lifecycle-workflow-templates.md) or creating your own custom workflows. this practice helps reduce or potentially remove manual tasks for organizational JML strategy requirements. Within the Azure portal, navigate to **Identity Governance** in the Microsoft Entra menu to review or configure tasks that fit within your organizational requirements. |
+| Manage privileged identities | [Microsoft Entra Privileged Identity Management (PIM)](../privileged-identity-management/pim-configure.md) enables management, control, and the ability to monitor access. You provide access when it's needed, on a time-based and approval-based role activation. This approach limits the risk of excessive, unnecessary, or misused access permissions. |
+| Monitoring and alerting | [Identity Protection](../identity-protection/overview-identity-protection.md) provides a consolidated view into risk events and potential vulnerabilities that could affect an organizationΓÇÖs identities. Enabling the protection applies the existing Microsoft Entra anomaly detection capabilities and introduces risk event types that detect anomalies in real-time. Through the Microsoft Entra admin center, you can sign-in, audit, and review provisioning logs.</br>The logs can be [downloaded, archived, and streamed](../reports-monitoring/howto-download-logs.md) to your security information and event management (SIEM) tool. Microsoft Entra logs can be located in the monitoring section of the Microsoft Entra menu. The logs can also be sent to [Azure Monitor](../reports-monitoring/concept-activity-logs-azure-monitor.md) using an Azure log analytics workspace where you can set up alerting on the connected data. </br> Microsoft Entra ID uniquely identifies users via the [ID property](/graph/api/resources/user?view=graph-rest-1.0&preserve-view=true) on the respective directory object. This approach enables you to filter for specific identities in the log files. |
## Authorized access control
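Review bot: The Password Hash Sync sentence in the "Set up hybrid" row inverts the benefit: password hash sync is what enables leaked credential detection, it does not "protect against" it; suggest "and enable leaked credential detection". In the same row, "Microsoft Entra Connect sync" links to `../cloud-sync/` and describes a cloud-managed provisioning agent for disconnected forests, which is Microsoft Entra Cloud Sync, so the name should match the linked feature. Minor: "this practice helps" in the lifecycle workflows row still starts lowercase after the rename, and the monitoring row should read "review sign-in, audit, and provisioning logs" rather than "sign-in, audit, and review provisioning logs".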
The following table has HIPAA guidance access control safeguards for emergency a
| Recommendation | Action | | - | - | | Use Azure Recovery Services | [Azure Backups](../../backup/backup-architecture.md) provide the support required to back up vital and sensitive data. Coverage includes storage/databases and cloud infrastructure, along with on-premises windows devices to the cloud. Establish [backup policies](../../backup/backup-architecture.md#backup-policy-essentials) to address backup and recovery process risks. Ensure data is safely stored and can be retrieved with minimal downtime. </br>Azure Site Recovery provides near-constant data replication to ensure copies of are in sync. Initial steps prior to setting up the service are to determine the recovery point objective (RPO) and recovery time objective (RTO) to support your organizational requirements. |
-| Ensure resiliency | [Resiliency](/azure/architecture/framework/resiliency/overview) helps to maintain service levels when there's disruption to business operations and core IT services. The capability spans services, data, Azure AD and AD considerations. Determining a strategic [resiliency plan](/azure/architecture/checklist/resiliency-per-service) to include what systems and data rely on Azure AD and hybrid environments. [Microsoft 365 resiliency](/compliance/assurance/assurance-sharepoint-onedrive-data-resiliency) covering the core services, which include Exchange, SharePoint, and OneDrive to protect against data corruption and applying resiliency data points to protect ePHI content. |
+| Ensure resiliency | [Resiliency](/azure/architecture/framework/resiliency/overview) helps to maintain service levels when there's disruption to business operations and core IT services. The capability spans services, data, Microsoft Entra ID, and Active Directory considerations. Determining a strategic [resiliency plan](/azure/architecture/checklist/resiliency-per-service) to include what systems and data rely on Microsoft Entra and hybrid environments. [Microsoft 365 resiliency](/compliance/assurance/assurance-sharepoint-onedrive-data-resiliency) covering the core services, which include Exchange, SharePoint, and OneDrive to protect against data corruption and applying resiliency data points to protect ePHI content. |
| Create break glass accounts | Establishing an emergency or a [break glass account](../roles/security-emergency-access.md) ensures that system and services can still be accessed in unforeseen circumstances, such as network failures or other reasons for administrative access loss. We recommend you don't associate this account with an [individual user](../authentication/concept-authentication-passwordless.md) or account. | ## Workstation security - automatic logoff
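Review bot: The second and third sentences of the "Ensure resiliency" cell are fragments with no main verb ("Determining a strategic resiliency plan to include ...", "Microsoft 365 resiliency covering the core services ..."); suggest "Determine a strategic resiliency plan that includes which systems and data rely on Microsoft Entra ID and hybrid environments" and "Apply Microsoft 365 resiliency, which covers Exchange, SharePoint, and OneDrive, ...". The unchanged context above also drops a word in "ensure copies of are in sync".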
active-directory Hipaa Audit Controls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/hipaa-audit-controls.md
The following content is safeguard guidance from HIPAA. Find Microsoft recommend
| Enable Microsoft Purview | [Microsoft Purview](/purview/purview) helps to manage and monitor data by providing data governance. Using Purview helps to minimize compliance risks and meet regulatory requirements.</br>Microsoft Purview in the governance portal provides a [unified data governance](/microsoft-365/compliance/manage-data-governance) service that helps you manage your on-premises, multicloud and Software-as-service (SaaS) data.</br>Microsoft Purview is a framework, a suite of products that work together to provide visualization of sensitive data lifecycle protection for data, and data loss prevention. | | Enable Microsoft Sentinel | [Microsoft Sentinel](../../sentinel/overview.md) provides security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solutions. Microsoft Sentinel collects audit logs and uses built-in AI to help analyze large volumes of data. </br>SIEM enables an organization to detect incidents that could go undetected. | | Configure Azure Monitor | [Use Azure Monitor Logs](../../azure-monitor/logs/data-security.md) collects and organizes logs, expanding to cloud and hybrid environments. It provides recommendations on key areas on how to protect resources combined with Azure trust center. |
-| Enable logging and monitoring | </br>[Logging and monitoring](/security/benchmark/azure/security-control-logging-monitoring) are essential to securing an environment. The data supports investigations and helps detect potential threats by identifying unusual patterns. Enable logging and monitoring of services to reduce the risk of unauthorized access.</br>We recommend you monitor [Azure AD activity logs](../reports-monitoring/howto-access-activity-logs.md). |
+| Enable logging and monitoring | </br>[Logging and monitoring](/security/benchmark/azure/security-control-logging-monitoring) are essential to securing an environment. The data supports investigations and helps detect potential threats by identifying unusual patterns. Enable logging and monitoring of services to reduce the risk of unauthorized access.</br>We recommend you monitor [Microsoft Entra activity logs](../reports-monitoring/howto-access-activity-logs.md). |
| Scan environment for electronic protected health information (ePHI) data | [Microsoft Purview](../../purview/overview.md) can be enabled in audit mode to scan what ePHI is sitting in the data estate and the resources that being used to store that data. This capability helps in establishing data classification and labeling based on the sensitivity of the data. | | Create a data loss prevention (DLP) policy | DLP policies help establish processes to ensure that sensitive data isn't lost, misused, or accessed by unauthorized users. It prevents data breaches and exfiltration.</br>[Microsoft Purview DLP](/microsoft-365/compliance/dlp-policy-reference) examines email messages, navigate to the Microsoft Purview compliance portal to review the polices and customize them for your organization. | | Enable monitoring through Azure Policy | [Azure Policy](../../governance/policy/overview.md) helps to enforce organizational standards, and enables the ability to assess the state of compliance across an environment. This approach ensures consistency, regulatory compliance and monitoring providing security recommendations through [Microsoft Defender for Cloud](../../defender-for-cloud/defender-for-cloud-introduction.md) |
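Review bot: The "Enable logging and monitoring" cell still opens with a stray `</br>` before the first link, which leaves an empty first line in the rendered cell; drop it so the cell starts with the link like the other rows in this table.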
active-directory Hipaa Other Controls https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/hipaa-other-controls.md
The following content provides the guidance from HIPAA followed by a table with
## Person or entity authentication safeguard guidance
-Azure Active Directory meets identity-related practice requirements for implementing HIPAA safeguards. To be HIPAA compliant, implement the safeguards using this guidance along with any other configurations or processes needed.
+Microsoft Entra ID meets identity-related practice requirements for implementing HIPAA safeguards. To be HIPAA compliant, implement the safeguards using this guidance along with any other configurations or processes needed.
For the Audit and Person and Entity Safeguard:
active-directory Memo 22 09 Other Areas Zero Trust https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/memo-22-09-other-areas-zero-trust.md
In Microsoft Entra ID Free tenants, log entries are stored for seven days. Tenan
Ensure a security information and event management (SIEM) tool ingests logs. Use sign-in and audit events to correlate with application, infrastructure, data, device, and network logs.
-We recommend you integrate Microsoft Entra ID logs with Microsoft Sentinel. Configure a connector to ingest Microsoft Entra tenant logs.
+We recommend you integrate Microsoft Entra logs with Microsoft Sentinel. Configure a connector to ingest Microsoft Entra tenant logs.
Learn more:
For the Microsoft Entra tenant, you can configure the diagnostic settings to sen
Learn more:
-* [What is Microsoft Entra ID monitoring?](../reports-monitoring/overview-monitoring.md)
+* [What is Microsoft Entra monitoring?](../reports-monitoring/overview-monitoring.md)
* [Microsoft Entra reporting and monitoring deployment dependencies](../reports-monitoring/plan-monitoring-and-reporting.md) ## Analytics
You can use analytics in the following tools to aggregate information from Micro
* See, [Usage and insights in Microsoft Entra ID](../reports-monitoring/concept-usage-insights-report.md) * **Microsoft Sentinel** analyze information from Microsoft Entra ID: * Microsoft Sentinel User and Entity Behavior Analytics (UEBA) delivers intelligence on potential threats from user, host, IP address, and application entities.
- * Use analytics rule templates to hunt for threats and alerts in your Microsoft Entra ID logs. Your security or operation analyst can triage and remediate threats.
+ * Use analytics rule templates to hunt for threats and alerts in your Microsoft Entra logs. Your security or operation analyst can triage and remediate threats.
* Microsoft Sentinel workbooks help visualize Microsoft Entra data sources. See sign-ins by country/region or applications. * See, [Commonly used Microsoft Sentinel workbooks](../../sentinel/top-workbooks.md) * See, [Visualize collected data](../../sentinel/get-visibility.md)
active-directory Pci Dss Guidance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/pci-dss-guidance.md
To configure Microsoft Entra ID to secure the CDE:
* Enable privileged identity management and access reviews for Microsoft Entra roles, privileged access groups and Azure resources * Use Conditional Access policies to enforce PCI-requirement controls: credential strength, device state, and enforce them based on location, group membership, applications, and risk * Use modern authentication for DCE workloads
-* Archive Microsoft Entra ID logs in security information and event management (SIEM) systems
+* Archive Microsoft Entra logs in security information and event management (SIEM) systems
Where applications and resources use Microsoft Entra ID for identity and access management (IAM), the Microsoft Entra tenant(s) are in scope of PCI audit, and the guidance herein is applicable. Organizations must evaluate identity and resource isolation requirements, between non-PCI and PCI workloads, to determine their best architecture.
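Review bot: The rename is consistent, but the unchanged bullet just above still says "modern authentication for DCE workloads" where the surrounding text uses CDE (cardholder data environment); "DCE" reads as a transposition worth fixing in the same pass.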
active-directory Pci Requirement 10 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/pci-requirement-10.md
|PCI-DSS Defined approach requirements|Microsoft Entra guidance and recommendations| |-|-|
-|**10.4.1** The following audit logs are reviewed at least once daily: </br> All security events. </br> Logs of all system components that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Logs of all critical system components. </br> Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers).|Include Microsoft Entra ID logs in this process.|
-|**10.4.1.1** Automated mechanisms are used to perform audit log reviews.|Include Microsoft Entra ID logs in this process. Configure automated actions and alerting when Microsoft Entra ID logs are integrated with Azure Monitor. [Deploy Azure Monitor: Alerts and automated actions](/azure/azure-monitor/best-practices-alerts)|
+|**10.4.1** The following audit logs are reviewed at least once daily: </br> All security events. </br> Logs of all system components that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Logs of all critical system components. </br> Logs of all servers and system components that perform security functions (for example, network security controls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers).|Include Microsoft Entra logs in this process.|
+|**10.4.1.1** Automated mechanisms are used to perform audit log reviews.|Include Microsoft Entra logs in this process. Configure automated actions and alerting when Microsoft Entra logs are integrated with Azure Monitor. [Deploy Azure Monitor: Alerts and automated actions](/azure/azure-monitor/best-practices-alerts)|
|**10.4.2** Logs of all other system components (those not specified in Requirement 10.4.1) are reviewed periodically.|Not applicable to Microsoft Entra ID.| |**10.4.2.1** The frequency of periodic log reviews for all other system components (not defined in Requirement 10.4.1) is defined in the entityΓÇÖs targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1|Not applicable to Microsoft Entra ID.| |**10.4.3** Exceptions and anomalies identified during the review process are addressed.|Not applicable to Microsoft Entra ID.|
|PCI-DSS Defined approach requirements|Microsoft Entra guidance and recommendations| |-|-|
-|**10.5.1** Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.|Integrate with Azure Monitor and export the logs for long term archival. [Integrate Microsoft Entra ID logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) </br> Learn about Microsoft Entra ID logs data retention policy. [Microsoft Entra data retention](../reports-monitoring/reference-reports-data-retention.md)|
+|**10.5.1** Retain audit log history for at least 12 months, with at least the most recent three months immediately available for analysis.|Integrate with Azure Monitor and export the logs for long term archival. [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) </br> Learn about Microsoft Entra logs data retention policy. [Microsoft Entra data retention](../reports-monitoring/reference-reports-data-retention.md)|
## 10.6 Time-synchronization mechanisms support consistent time settings across all systems.
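Review bot: "Learn about Microsoft Entra logs data retention policy" in the 10.5.1 cell reads awkwardly after the rename; suggest "Learn about the Microsoft Entra log data retention policy". Also "long term archival" should be hyphenated as "long-term archival".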
active-directory Pci Requirement 11 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/standards/pci-requirement-11.md
|PCI-DSS Defined approach requirements|Microsoft Entra guidance and recommendations| |-|-|
-|**11.3.1** Internal vulnerability scans are performed as follows: </br> At least once every three months. </br> High-risk and critical vulnerabilities (per the entityΓÇÖs vulnerability risk rankings defined at Requirement 6.3.1) are resolved. </br> Rescans are performed that confirm all high-risk and critical vulnerabilities (as noted) have been resolved. </br> Scan tool is kept up to date with latest vulnerability information. </br> Scans are performed by qualified personnel and organizational independence of the tester exists.|Include servers that support Microsoft Entra hybrid capabilities. For example, Microsoft Entra Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. [What is federation with Microsoft Entra ID?](../hybrid/connect/whatis-fed.md) </br> Review and mitigate risk detections reported by Microsoft Entra ID Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Microsoft Entra assessment tool regularly and address findings. [`AzureADAssessment`](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../architecture/security-operations-infrastructure.md) </br> [Integrate Microsoft Entra ID logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)|
-|**11.3.1.1** All other applicable vulnerabilities (those not ranked as high-risk or critical per the entityΓÇÖs vulnerability risk rankings defined at Requirement 6.3.1) are managed as follows: </br> Addressed based on the risk defined in the entityΓÇÖs targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. </br> Rescans are conducted as needed.|Include servers that support Microsoft Entra hybrid capabilities. For example, Microsoft Entra Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. [What is federation with Microsoft Entra ID?](../hybrid/connect/whatis-fed.md) </br> Review and mitigate risk detections reported by Microsoft Entra ID Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Microsoft Entra assessment tool regularly and address findings. [`AzureAD/AzureADAssessment`](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../architecture/security-operations-infrastructure.md) </br> [Integrate Microsoft Entra ID logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)|
-|**11.3.1.2** Internal vulnerability scans are performed via authenticated scanning as follows: </br> Systems that are unable to accept credentials for authenticated scanning are documented. </br> Sufficient privileges are used for those systems that accept credentials for scanning. </br> If accounts used for authenticated scanning can be used for interactive login, they're managed in accordance with Requirement 8.2.2.|Include servers that support Microsoft Entra hybrid capabilities. For example, Microsoft Entra Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. [What is federation with Microsoft Entra ID?](../hybrid/connect/whatis-fed.md) </br> Review and mitigate risk detections reported by Microsoft Entra ID Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Microsoft Entra assessment tool regularly and address findings. [`AzureADAssessment`](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../architecture/security-operations-infrastructure.md) </br> [Integrate Microsoft Entra ID logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)|
-|**11.3.1.3** Internal vulnerability scans are performed after any significant change as follows: </br> High-risk and critical vulnerabilities (per the entityΓÇÖs vulnerability risk rankings defined at Requirement 6.3.1) are resolved. </br> Rescans are conducted as needed. </br> Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a Qualified Security Assessor (QSA) or Approved Scanning Vendor (ASV)).|Include servers that support Microsoft Entra hybrid capabilities. For example, Microsoft Entra Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. [What is federation with Microsoft Entra ID?](../hybrid/connect/whatis-fed.md) </br> Review and mitigate risk detections reported by Microsoft Entra ID Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Microsoft Entra assessment tool regularly and address findings. [`AzureADAssessment`](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../architecture/security-operations-infrastructure.md) </br> [Integrate Microsoft Entra ID logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)|
+|**11.3.1** Internal vulnerability scans are performed as follows: </br> At least once every three months. </br> High-risk and critical vulnerabilities (per the entityΓÇÖs vulnerability risk rankings defined at Requirement 6.3.1) are resolved. </br> Rescans are performed that confirm all high-risk and critical vulnerabilities (as noted) have been resolved. </br> Scan tool is kept up to date with latest vulnerability information. </br> Scans are performed by qualified personnel and organizational independence of the tester exists.|Include servers that support Microsoft Entra hybrid capabilities. For example, Microsoft Entra Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. [What is federation with Microsoft Entra ID?](../hybrid/connect/whatis-fed.md) </br> Review and mitigate risk detections reported by Microsoft Entra ID Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Microsoft Entra assessment tool regularly and address findings. [`AzureADAssessment`](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../architecture/security-operations-infrastructure.md) </br> [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)|
+|**11.3.1.1** All other applicable vulnerabilities (those not ranked as high-risk or critical per the entityΓÇÖs vulnerability risk rankings defined at Requirement 6.3.1) are managed as follows: </br> Addressed based on the risk defined in the entityΓÇÖs targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. </br> Rescans are conducted as needed.|Include servers that support Microsoft Entra hybrid capabilities. For example, Microsoft Entra Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. [What is federation with Microsoft Entra ID?](../hybrid/connect/whatis-fed.md) </br> Review and mitigate risk detections reported by Microsoft Entra ID Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Microsoft Entra assessment tool regularly and address findings. [`AzureAD/AzureADAssessment`](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../architecture/security-operations-infrastructure.md) </br> [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)|
+|**11.3.1.2** Internal vulnerability scans are performed via authenticated scanning as follows: </br> Systems that are unable to accept credentials for authenticated scanning are documented. </br> Sufficient privileges are used for those systems that accept credentials for scanning. </br> If accounts used for authenticated scanning can be used for interactive login, they're managed in accordance with Requirement 8.2.2.|Include servers that support Microsoft Entra hybrid capabilities. For example, Microsoft Entra Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. [What is federation with Microsoft Entra ID?](../hybrid/connect/whatis-fed.md) </br> Review and mitigate risk detections reported by Microsoft Entra ID Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Microsoft Entra assessment tool regularly and address findings. [`AzureADAssessment`](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../architecture/security-operations-infrastructure.md) </br> [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)|
+|**11.3.1.3** Internal vulnerability scans are performed after any significant change as follows: </br> High-risk and critical vulnerabilities (per the entityΓÇÖs vulnerability risk rankings defined at Requirement 6.3.1) are resolved. </br> Rescans are conducted as needed. </br> Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a Qualified Security Assessor (QSA) or Approved Scanning Vendor (ASV)).|Include servers that support Microsoft Entra hybrid capabilities. For example, Microsoft Entra Connect, Application proxy connectors, etc. as part of internal vulnerability scans. </br> Organizations using federated authentication: review and address federation system infrastructure vulnerabilities. [What is federation with Microsoft Entra ID?](../hybrid/connect/whatis-fed.md) </br> Review and mitigate risk detections reported by Microsoft Entra ID Protection. Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation. [Risk types and detection](../identity-protection/concept-identity-protection-risks.md) </br> Run the Microsoft Entra assessment tool regularly and address findings. [`AzureADAssessment`](https://github.com/AzureAD/AzureADAssessment) </br> [Security operations for infrastructure](../architecture/security-operations-infrastructure.md) </br> [Integrate Microsoft Entra logs with Azure Monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)|
|**11.3.2** External vulnerability scans are performed as follows: </br> At least once every three months. </br> By a PCI SSC ASV. </br> Vulnerabilities are resolved and ASV Program Guide requirements for a passing scan are met. </br> Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.|Not applicable to Microsoft Entra ID.| |**11.3.2.1** External vulnerability scans are performed after any significant change as follows: </br> Vulnerabilities that are scored 4.0 or higher by the CVSS are resolved. </br> Rescans are conducted as needed. </br> Scans are performed by qualified personnel and organizational independence of the tester exists (not required to be a QSA or ASV).|Not applicable to Microsoft Entra ID.|
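Review bot: The link text for the assessment tool is inconsistent across the four rewritten rows: 11.3.1.1 uses `AzureAD/AzureADAssessment` while 11.3.1, 11.3.1.2 and 11.3.1.3 use `AzureADAssessment`; pick one form. The sentence "Integrate the signals with a SIEM solution to integrate more with remediation workflows or automation" repeats "integrate" in all four cells; suggest "Integrate the signals with a SIEM solution to feed remediation workflows or automation". Since all four cells carry identical guidance, a single shared paragraph referenced from each row would be easier to keep in sync than four copies.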
active-directory Workload Identities Faqs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/workload-identities/workload-identities-faqs.md
pricing](https://www.microsoft.com/security/business/identity-access/microsoft-e
| Authenticate workload identities and tokens to access resources | Use Microsoft Entra ID to protect resource access | Yes| Yes | | Workload identities sign-in activity and audit trail | Monitor and track workload identity behavior | Yes | Yes | | **Managed identities**| Use Microsoft Entra identities in Azure without handling credentials | Yes| Yes |
-| Workload identity federation | Use workloads tested by external Identity Providers (IdPs) to access Microsoft Entra ID protected resources | Yes | Yes |
+| Workload identity federation | Use workloads tested by external Identity Providers (IdPs) to access Microsoft Entra protected resources | Yes | Yes |
| **Conditional Access** | | | | Conditional Access policies for workload identities |Define the condition in which a workload can access a resource, such as an IP range | | Yes | |**Lifecycle Management**| | | |
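Review bot: "Use workloads tested by external Identity Providers (IdPs)" in the Workload identity federation row reads as a typo. Federation means Microsoft Entra ID trusts tokens issued by the external IdP (the overview further down this page says the identity is configured "to trust tokens from an external identity provider (IdP), such as GitHub or Google"), so "Use workloads authenticated by external Identity Providers (IdPs)" would describe the feature accurately. Since this hunk already touches the row to change "Microsoft Entra ID protected" to "Microsoft Entra protected", the wording fix can ride along.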
active-directory Workload Identities Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/workload-identities/workload-identities-overview.md
Last updated 08/08/2023
-#Customer intent: As a developer, I want workload identities so I can authenticate with Microsoft Entra ID and access Microsoft Entra ID protected resources.
+#Customer intent: As a developer, I want workload identities so I can authenticate with Microsoft Entra ID and access Microsoft Entra protected resources.
# What are workload identities?
Intelligently detect compromised identities:
Simplify lifecycle management: -- Access Microsoft Entra ID protected resources without needing to manage secrets for workloads that run on Azure using [managed identities](../managed-identities-azure-resources/overview.md?toc=/azure/active-directory/workload-identities?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json).-- Access Microsoft Entra ID protected resources without needing to manage secrets using [workload identity federation](workload-identity-federation.md) for supported scenarios such as GitHub Actions, workloads running on Kubernetes, or workloads running in compute platforms outside of Azure.
+- Access Microsoft Entra protected resources without needing to manage secrets for workloads that run on Azure using [managed identities](../managed-identities-azure-resources/overview.md?toc=/azure/active-directory/workload-identities?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json).
+- Access Microsoft Entra protected resources without needing to manage secrets using [workload identity federation](workload-identity-federation.md) for supported scenarios such as GitHub Actions, workloads running on Kubernetes, or workloads running in compute platforms outside of Azure.
- Review service principals and applications that are assigned to privileged directory roles in Microsoft Entra ID using [access reviews for service principals](../privileged-identity-management/pim-create-roles-and-resource-roles-review.md?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json). ## Next steps
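Review bot: the managed identities link in the first rewritten bullet has a malformed query string. `?toc=/azure/active-directory/workload-identities?toc=/azure/active-directory/workload-identities/toc.json&bc=...` carries two `?toc=` parameters, and the first one points at a directory rather than a `toc.json`. Drop the first occurrence so the link takes the `?toc=/azure/active-directory/workload-identities/toc.json&bc=/azure/active-directory/workload-identities/breadcrumb/toc.json` form already used by the access reviews link in the same list.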
active-directory Workload Identity Federation Block Using Azure Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/workload-identities/workload-identity-federation-block-using-azure-policy.md
Title: Block workload identity federation using Azure Policy
-description: Learn how to use a built-in Azure Policy to block workload identity federation on user-assigned managed identities. Govern the use of federated identity credentials on managed identities so that no one can access Microsoft Entra ID protected resources from external workloads.
+description: Learn how to use a built-in Azure Policy to block workload identity federation on user-assigned managed identities. Govern the use of federated identity credentials on managed identities so that no one can access Microsoft Entra protected resources from external workloads.
# Block workload identity federation on managed identities using a policy
-This article describes how to block the creation of federated identity credentials on user-assigned managed identities by using Azure Policy. By blocking the creation of federated identity credentials, you can block everyone from using [workload identity federation](workload-identity-federation.md) to access Microsoft Entra ID protected resources. [Azure Policy](../../governance/policy/overview.md) helps enforce certain business rules on your Azure resources and assess compliance of those resources.
+This article describes how to block the creation of federated identity credentials on user-assigned managed identities by using Azure Policy. By blocking the creation of federated identity credentials, you can block everyone from using [workload identity federation](workload-identity-federation.md) to access Microsoft Entra protected resources. [Azure Policy](../../governance/policy/overview.md) helps enforce certain business rules on your Azure resources and assess compliance of those resources.
The Not allowed resource types built-in policy can be used to block the creation of federated identity credentials on user-assigned managed identities.
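Review bot: "you can block everyone from using workload identity federation to access Microsoft Entra protected resources" overstates what the policy achieves. The description line limits the scope to federated identity credentials on user-assigned managed identities, and the workload identity federation overview on this page says federated credentials can also be configured on app registrations through the Microsoft Entra admin center or Microsoft Graph, which Azure Policy does not govern. Suggest "you can block workloads from using workload identity federation through user-assigned managed identities". In the following sentence, set the policy name off as **Not allowed resource types** so it reads as a name rather than as a description of the policy.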
active-directory Workload Identity Federation Create Trust User Assigned Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/workload-identities/workload-identity-federation-create-trust-user-assigned-managed-identity.md
Title: Create a trust relationship between a user-assigned managed identity and an external identity provider
-description: Set up a trust relationship between a user-assigned managed identity in Microsoft Entra ID and an external identity provider. This allows a software workload outside of Azure to access Microsoft Entra ID protected resources without using secrets or certificates.
+description: Set up a trust relationship between a user-assigned managed identity in Microsoft Entra ID and an external identity provider. This allows a software workload outside of Azure to access Microsoft Entra protected resources without using secrets or certificates.
zone_pivot_groups: identity-wif-mi-methods
-#Customer intent: As an application developer, I want to configure a federated credential on a user-assigned managed identity so I can create a trust relationship with an external identity provider and use workload identity federation to access Microsoft Entra ID protected resources without managing secrets.
+#Customer intent: As an application developer, I want to configure a federated credential on a user-assigned managed identity so I can create a trust relationship with an external identity provider and use workload identity federation to access Microsoft Entra protected resources without managing secrets.
# Configure a user-assigned managed identity to trust an external identity provider This article describes how to manage a federated identity credential on a user-assigned managed identity in Microsoft Entra ID. The federated identity credential creates a trust relationship between a user-assigned managed identity and an external identity provider (IdP). Configuring a federated identity credential on a system-assigned managed identity isn't supported.
-After you configure your user-assigned managed identity to trust an external IdP, configure your external software workload to exchange a token from the external IdP for an access token from Microsoft identity platform. The external workload uses the access token to access Microsoft Entra ID protected resources without needing to manage secrets (in supported scenarios). To learn more about the token exchange workflow, read about [workload identity federation](workload-identity-federation.md).
+After you configure your user-assigned managed identity to trust an external IdP, configure your external software workload to exchange a token from the external IdP for an access token from Microsoft identity platform. The external workload uses the access token to access Microsoft Entra protected resources without needing to manage secrets (in supported scenarios). To learn more about the token exchange workflow, read about [workload identity federation](workload-identity-federation.md).
In this article, you learn how to create, list, and delete federated identity credentials on a user-assigned managed identity.
active-directory Workload Identity Federation Create Trust https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/workload-identities/workload-identity-federation-create-trust.md
Title: Create a trust relationship between an app and an external identity provider
-description: Set up a trust relationship between an app in Microsoft Entra ID and an external identity provider. This allows a software workload outside of Azure to access Microsoft Entra ID protected resources without using secrets or certificates.
+description: Set up a trust relationship between an app in Microsoft Entra ID and an external identity provider. This allows a software workload outside of Azure to access Microsoft Entra protected resources without using secrets or certificates.
zone_pivot_groups: identity-wif-apps-methods
-#Customer intent: As an application developer, I want to configure a federated credential on an app registration so I can create a trust relationship with an external identity provider and use workload identity federation to access Microsoft Entra ID protected resources without managing secrets.
+#Customer intent: As an application developer, I want to configure a federated credential on an app registration so I can create a trust relationship with an external identity provider and use workload identity federation to access Microsoft Entra protected resources without managing secrets.
# Configure an app to trust an external identity provider This article describes how to manage a federated identity credential on an application in Microsoft Entra ID. The federated identity credential creates a trust relationship between an application and an external identity provider (IdP).
-You can then configure an external software workload to exchange a token from the external IdP for an access token from Microsoft identity platform. The external workload can access Microsoft Entra ID protected resources without needing to manage secrets (in supported scenarios). To learn more about the token exchange workflow, read about [workload identity federation](workload-identity-federation.md).
+You can then configure an external software workload to exchange a token from the external IdP for an access token from Microsoft identity platform. The external workload can access Microsoft Entra protected resources without needing to manage secrets (in supported scenarios). To learn more about the token exchange workflow, read about [workload identity federation](workload-identity-federation.md).
In this article, you learn how to create, list, and delete federated identity credentials on an application in Microsoft Entra ID.
active-directory Workload Identity Federation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/workload-identities/workload-identity-federation.md
Title: Workload identity federation
-description: Use workload identity federation to grant workloads running outside of Azure access to Microsoft Entra ID protected resources without using secrets or certificates. This eliminates the need for developers to store and maintain long-lived secrets or certificates outside of Azure.
+description: Use workload identity federation to grant workloads running outside of Azure access to Microsoft Entra protected resources without using secrets or certificates. This eliminates the need for developers to store and maintain long-lived secrets or certificates outside of Azure.
Last updated 09/15/2023
-#Customer intent: As a developer, I want to learn about workload identity federation so that I can securely access Microsoft Entra ID protected resources from external apps and services without needing to manage secrets.
+#Customer intent: As a developer, I want to learn about workload identity federation so that I can securely access Microsoft Entra protected resources from external apps and services without needing to manage secrets.
# Workload identity federation
-This article provides an overview of workload identity federation for software workloads. Using workload identity federation allows you to access Microsoft Entra ID protected resources without needing to manage secrets (for supported scenarios).
+This article provides an overview of workload identity federation for software workloads. Using workload identity federation allows you to access Microsoft Entra protected resources without needing to manage secrets (for supported scenarios).
You can use workload identity federation in scenarios such as GitHub Actions, workloads running on Kubernetes, or workloads running in compute platforms outside of Azure.
You can use workload identity federation in scenarios such as GitHub Actions, wo
Watch this video to learn why you would use workload identity federation. > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWXamJ]
-Typically, a software workload (such as an application, service, script, or container-based application) needs an identity in order to authenticate and access resources or communicate with other services. When these workloads run on Azure, you can use [managed identities](../managed-identities-azure-resources/overview.md) and the Azure platform manages the credentials for you. You can only use managed identities, however, for software workloads running in Azure. For a software workload running outside of Azure, you need to use application credentials (a secret or certificate) to access Microsoft Entra ID protected resources (such as Azure, Microsoft Graph, Microsoft 365, or third-party resources). These credentials pose a security risk and have to be stored securely and rotated regularly. You also run the risk of service downtime if the credentials expire.
+Typically, a software workload (such as an application, service, script, or container-based application) needs an identity in order to authenticate and access resources or communicate with other services. When these workloads run on Azure, you can use [managed identities](../managed-identities-azure-resources/overview.md) and the Azure platform manages the credentials for you. You can only use managed identities, however, for software workloads running in Azure. For a software workload running outside of Azure, you need to use application credentials (a secret or certificate) to access Microsoft Entra protected resources (such as Azure, Microsoft Graph, Microsoft 365, or third-party resources). These credentials pose a security risk and have to be stored securely and rotated regularly. You also run the risk of service downtime if the credentials expire.
-You use workload identity federation to configure a [user-assigned managed identity](../managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) or [app registration](../develop/app-objects-and-service-principals.md) in Microsoft Entra ID to trust tokens from an external identity provider (IdP), such as GitHub or Google. The user-assigned managed identity or app registration in Microsoft Entra ID becomes an identity for software workloads running, for example, in on-premises Kubernetes or GitHub Actions workflows. Once that trust relationship is created, your external software workload exchanges trusted tokens from the external IdP for access tokens from Microsoft identity platform. Your software workload uses that access token to access the Microsoft Entra ID protected resources to which the workload has been granted access. You eliminate the maintenance burden of manually managing credentials and eliminates the risk of leaking secrets or having certificates expire.
+You use workload identity federation to configure a [user-assigned managed identity](../managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) or [app registration](../develop/app-objects-and-service-principals.md) in Microsoft Entra ID to trust tokens from an external identity provider (IdP), such as GitHub or Google. The user-assigned managed identity or app registration in Microsoft Entra ID becomes an identity for software workloads running, for example, in on-premises Kubernetes or GitHub Actions workflows. Once that trust relationship is created, your external software workload exchanges trusted tokens from the external IdP for access tokens from Microsoft identity platform. Your software workload uses that access token to access the Microsoft Entra protected resources to which the workload has been granted access. You eliminate the maintenance burden of manually managing credentials and eliminates the risk of leaking secrets or having certificates expire.
## Supported scenarios
-The following scenarios are supported for accessing Microsoft Entra ID protected resources using workload identity federation:
+The following scenarios are supported for accessing Microsoft Entra protected resources using workload identity federation:
- Workloads running on any Kubernetes cluster (Azure Kubernetes Service (AKS), Amazon Web Services EKS, Google Kubernetes Engine (GKE), or on-premises). Establish a trust relationship between your user-assigned managed identity or app in Microsoft Entra ID and a Kubernetes workload (described in the [workload identity overview](../../aks/workload-identity-overview.md)). - GitHub Actions. First, configure a trust relationship between your [user-assigned managed identity](workload-identity-federation-create-trust-user-assigned-managed-identity.md) or [application](workload-identity-federation-create-trust.md) in Microsoft Entra ID and a GitHub repo in the [Microsoft Entra admin center](https://entra.microsoft.com) or using Microsoft Graph. Then [configure a GitHub Actions workflow](/azure/developer/github/connect-from-azure) to get an access token from Microsoft identity provider and access Azure resources.-- Google Cloud. First, configure a trust relationship between your user-assigned managed identity or app in Microsoft Entra ID and an identity in Google Cloud. Then configure your software workload running in Google Cloud to get an access token from Microsoft identity provider and access Microsoft Entra ID protected resources. See [Access Microsoft Entra ID protected resources from an app in Google Cloud](https://blog.identitydigest.com/azuread-federate-gcp/).-- Workloads running in Amazon Web Services (AWS). First, configure a trust relationship between your user-assigned managed identity or app in Microsoft Entra ID and an identity in Amazon Cognito. Then configure your software workload running in AWS to get an access token from Microsoft identity provider and access Microsoft Entra ID protected resources. See [Workload identity federation with AWS](https://blog.identitydigest.com/azuread-federate-aws/).
+- Google Cloud. First, configure a trust relationship between your user-assigned managed identity or app in Microsoft Entra ID and an identity in Google Cloud. Then configure your software workload running in Google Cloud to get an access token from Microsoft identity provider and access Microsoft Entra protected resources. See [Access Microsoft Entra protected resources from an app in Google Cloud](https://blog.identitydigest.com/azuread-federate-gcp/).
+- Workloads running in Amazon Web Services (AWS). First, configure a trust relationship between your user-assigned managed identity or app in Microsoft Entra ID and an identity in Amazon Cognito. Then configure your software workload running in AWS to get an access token from Microsoft identity provider and access Microsoft Entra protected resources. See [Workload identity federation with AWS](https://blog.identitydigest.com/azuread-federate-aws/).
- Other workloads running in compute platforms outside of Azure. Configure a trust relationship between your [user-assigned managed identity](workload-identity-federation-create-trust-user-assigned-managed-identity.md) or [application](workload-identity-federation-create-trust.md) in Microsoft Entra ID and the external IdP for your compute platform. You can use tokens issued by that platform to authenticate with Microsoft identity platform and call APIs in the Microsoft ecosystem. Use the [client credentials flow](/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#third-case-access-token-request-with-a-federated-credential) to get an access token from Microsoft identity platform, passing in the identity provider's JWT instead of creating one yourself using a stored certificate.-- SPIFFE and SPIRE are a set of platform agnostic, open-source standards for providing identities to your software workloads deployed across platforms and cloud vendors. First, configure a trust relationship between your user-assigned managed identity or app in Microsoft Entra ID and a SPIFFE ID for an external workload. Then configure your external software workload to get an access token from Microsoft identity provider and access Microsoft Entra ID protected resources. See [Workload identity federation with SPIFFE and SPIRE](https://blog.identitydigest.com/azuread-federate-spiffe/).
+- SPIFFE and SPIRE are a set of platform agnostic, open-source standards for providing identities to your software workloads deployed across platforms and cloud vendors. First, configure a trust relationship between your user-assigned managed identity or app in Microsoft Entra ID and a SPIFFE ID for an external workload. Then configure your external software workload to get an access token from Microsoft identity provider and access Microsoft Entra protected resources. See [Workload identity federation with SPIFFE and SPIRE](https://blog.identitydigest.com/azuread-federate-spiffe/).
> [!NOTE] > Microsoft Entra ID issued tokens may not be used for federated identity flows. The federated identity credentials flow does not support tokens issued by Microsoft Entra ID.
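Review bot: the last sentence of the rewritten paragraph, "You eliminate the maintenance burden of manually managing credentials and eliminates the risk of leaking secrets or having certificates expire", has a subject-verb mismatch; it should read "and eliminate the risk". In the scenario bullets, "get an access token from Microsoft identity provider" (GitHub Actions, Google Cloud, AWS and SPIFFE items) should be "from the Microsoft identity platform", the name used in the paragraph above and in the client credentials flow link; "Microsoft identity provider" is not a product name. Minor: "platform agnostic" should be hyphenated when it modifies "standards", and "from Microsoft identity platform" throughout this hunk wants the definite article.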
The following scenarios are supported for accessing Microsoft Entra ID protected
Create a trust relationship between the external IdP and a [user-assigned managed identity](workload-identity-federation-create-trust-user-assigned-managed-identity.md) or [application](workload-identity-federation-create-trust.md) in Microsoft Entra ID. The federated identity credential is used to indicate which token from the external IdP should be trusted by your application or managed identity. You configure a federated identity either: -- On a user-assigned managed identity through the [Microsoft Entra admin center](https://entra.microsoft.com), Azure CLI, Azure PowerShell, Azure SDK, and Azure Resource Manager (ARM) templates. The external workload uses the access token to access Microsoft Entra ID protected resources without needing to manage secrets (in supported scenarios). The [steps for configuring the trust relationship](workload-identity-federation-create-trust-user-assigned-managed-identity.md) will differ, depending on the scenario and external IdP.
+- On a user-assigned managed identity through the [Microsoft Entra admin center](https://entra.microsoft.com), Azure CLI, Azure PowerShell, Azure SDK, and Azure Resource Manager (ARM) templates. The external workload uses the access token to access Microsoft Entra protected resources without needing to manage secrets (in supported scenarios). The [steps for configuring the trust relationship](workload-identity-federation-create-trust-user-assigned-managed-identity.md) will differ, depending on the scenario and external IdP.
- On an app registration in the [Microsoft Entra admin center](https://entra.microsoft.com) or through Microsoft Graph. This configuration allows you to get an access token for your application without needing to manage secrets outside Azure. For more information, learn how to [configure an app to trust an external identity provider](workload-identity-federation-create-trust.md).
-The workflow for exchanging an external token for an access token is the same, however, for all scenarios. The following diagram shows the general workflow of a workload exchanging an external token for an access token and then accessing Microsoft Entra ID protected resources.
+The workflow for exchanging an external token for an access token is the same, however, for all scenarios. The following diagram shows the general workflow of a workload exchanging an external token for an access token and then accessing Microsoft Entra protected resources.
:::image type="content" source="media/workload-identity-federation/workflow.svg" alt-text="Diagram showing an external token exchanged for an access token and accessing Azure" border="false":::
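Review bot: in the user-assigned managed identity bullet, "The external workload uses the access token to access Microsoft Entra protected resources without needing to manage secrets (in supported scenarios)" refers to an access token before any exchange has been described in this list and duplicates the point made in the app registration bullet ("get an access token for your application without needing to manage secrets outside Azure"). Suggest dropping it from the bullet and letting the paragraph that follows ("The workflow for exchanging an external token for an access token is the same, however, for all scenarios") carry that point for both configuration options.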
The workflow for exchanging an external token for an access token is the same, h
1. The external workload (the login action in a GitHub workflow, for example) [sends the token to Microsoft identity platform](/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#third-case-access-token-request-with-a-federated-credential) and requests an access token. 1. Microsoft identity platform checks the trust relationship on the [user-assigned managed identity](workload-identity-federation-create-trust-user-assigned-managed-identity.md) or [app registration](workload-identity-federation-create-trust.md) and validates the external token against the OpenID Connect (OIDC) issuer URL on the external IdP. 1. When the checks are satisfied, Microsoft identity platform issues an access token to the external workload.
-1. The external workload accesses Microsoft Entra ID protected resources using the access token from Microsoft identity platform. A GitHub Actions workflow, for example, uses the access token to publish a web app to Azure App Service.
+1. The external workload accesses Microsoft Entra protected resources using the access token from Microsoft identity platform. A GitHub Actions workflow, for example, uses the access token to publish a web app to Azure App Service.
The Microsoft identity platform stores only the first 100 signing keys when they're downloaded from the external IdP's OIDC endpoint. If the external IdP exposes more than 100 signing keys, you may experience errors when using workload identity federation.
Learn more about how workload identity federation works:
- How to create, delete, get, or update [federated identity credentials](workload-identity-federation-create-trust-user-assigned-managed-identity.md) on a user-assigned managed identity. - How to create, delete, get, or update [federated identity credentials](workload-identity-federation-create-trust.md) on an app registration.-- Read the [workload identity overview](../../aks/workload-identity-overview.md) to learn how to configure a Kubernetes workload to get an access token from Microsoft identity provider and access Microsoft Entra ID protected resources.-- Read the [GitHub Actions documentation](https://docs.github.com/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure) to learn more about configuring your GitHub Actions workflow to get an access token from Microsoft identity provider and access Microsoft Entra ID protected resources.
+- Read the [workload identity overview](../../aks/workload-identity-overview.md) to learn how to configure a Kubernetes workload to get an access token from Microsoft identity provider and access Microsoft Entra protected resources.
+- Read the [GitHub Actions documentation](https://docs.github.com/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure) to learn more about configuring your GitHub Actions workflow to get an access token from Microsoft identity provider and access Microsoft Entra protected resources.
- How Microsoft Entra ID uses the [OAuth 2.0 client credentials grant](/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#third-case-access-token-request-with-a-federated-credential) and a client assertion issued by another IdP to get a token. - For information about the required format of JWTs created by external identity providers, read about the [assertion format](/azure/active-directory/develop/active-directory-certificate-credentials#assertion-format).
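Review bot: step 2 says the platform "validates the external token against the OpenID Connect (OIDC) issuer URL on the external IdP" but does not say which token claims are compared with the federated identity credential that, per the preceding section, "is used to indicate which token from the external IdP should be trusted"; a reader debugging a rejected exchange needs that, so either spell out the matching criteria here or point to the assertion format reference cited in the last bullet. The 100-signing-key limit is an operational failure mode buried in plain text; rendering it as a `> [!NOTE]` callout like the one in the supported scenarios section would make it easier to find. The two "Microsoft identity provider" occurrences in the Learn more bullets should also read "Microsoft identity platform".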
ai-services Use Large Scale https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/how-to/use-large-scale.md
[!INCLUDE [Gate notice](../includes/identity-gate-notice.md)]
-This guide is an advanced article on how to scale up from existing PersonGroup and FaceList objects to LargePersonGroup and LargeFaceList objects, respectively. PersonGroups can hold up to 1000 persons in the free tier and 10,000 in the paid tier, while LargePersonGroups can hold up to one million persons in the paid tier.
+This guide shows you how to scale up from existing PersonGroup and FaceList objects to LargePersonGroup and LargeFaceList objects, respectively. PersonGroups can hold up to 1000 persons in the free tier and 10,000 in the paid tier, while LargePersonGroups can hold up to one million persons in the paid tier.
+
+> [!IMPORTANT]
+> The newer data structure **PersonDirectory** is recommended for new development. It can hold up to 75 million identities and does not require manual training. For more information, see the [PersonDirectory guide](./use-persondirectory.md).
This guide demonstrates the migration process. It assumes a basic familiarity with PersonGroup and FaceList objects, the [Train](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/599ae2d16ac60f11b48b5aa4) operation, and the face recognition functions. To learn more about these subjects, see the [face recognition](../concept-face-recognition.md) conceptual guide.
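Review bot: the new IMPORTANT callout recommends PersonDirectory for new development and says it "does not require manual training", but the sentence right after it still frames the guide around the Train operation and the one-million-person LargePersonGroup ceiling. Add a clause to the callout stating that the rest of this guide applies to existing PersonGroup and FaceList deployments that are being scaled up, so readers know which path they are on before reading further.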
ai-services Overview Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/overview-identity.md
You can use the Face service through a client library SDK or by calling the REST
Or, you can try out the capabilities of Face service quickly and easily in your browser using Vision Studio. > [!div class="nextstepaction"]
-> [Try Vision Studio](https://portal.vision.cognitive.azure.com/)
+> [Try Vision Studio for Face](https://portal.vision.cognitive.azure.com/gallery/face)
This documentation contains the following types of articles: * The [quickstarts](./quickstarts-sdk/identity-client-library.md) are step-by-step instructions that let you make calls to the service and get results in a short period of time.
Optionally, face detection can extract a set of face-related attributes, such as
For more information on face detection and analysis, see the [Face detection](concept-face-detection.md) concepts article. Also see the [Detect API](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395236) reference documentation.
+You can try out Face detection quickly and easily in your browser using Vision Studio.
+
+> [!div class="nextstepaction"]
+> [Try Vision Studio for Face](https://portal.vision.cognitive.azure.com/gallery/face)
+ ## Identity verification
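Review bot: the added sentence "You can try out Face detection quickly and easily in your browser using Vision Studio" and its `[!div class="nextstepaction"]` button repeat the intro's "try out the capabilities of Face service quickly and easily in your browser using Vision Studio" with the same gallery link a few paragraphs earlier; keep one of the two or vary the wording so the second does not read as a copy-paste. The hunks below remove the equivalent buttons from the Identification and Verification sections, so the face detection section becomes the only place after the intro where the gallery is linked; a sentence of rationale for that choice would help the next editor.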
The following image shows an example of a database named `"myfriends"`. Each gro
After you create and train a group, you can do identification against the group with a new detected face. If the face is identified as a person in the group, the person object is returned.
-Try out the capabilities of face identification quickly and easily using Vision Studio.
-> [!div class="nextstepaction"]
-> [Try Vision Studio](https://portal.vision.cognitive.azure.com/)
- ### Verification The verification operation answers the question, "Do these two faces belong to the same person?".
Verification is also a "one-to-one" matching of a face in an image to a single f
For more information about identity verification, see the [Facial recognition](concept-face-recognition.md) concepts guide or the [Identify](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f30395239) and [Verify](https://westus.dev.cognitive.microsoft.com/docs/services/563879b61984550e40cbbe8d/operations/563879b61984550f3039523a) API reference documentation.
-Try out the capabilities of face verification quickly and easily using Vision Studio.
-> [!div class="nextstepaction"]
-> [Try Vision Studio](https://portal.vision.cognitive.azure.com/)
## Find similar faces
ai-services Identity Client Library https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/computer-vision/quickstarts-sdk/identity-client-library.md
keywords: face search by image, facial recognition search, facial recognition, f
# Quickstart: Use the Face service+ [!INCLUDE [GDPR-related guidance](../includes/identity-data-notice.md)] [!INCLUDE [Gate notice](../includes/identity-gate-notice.md)]
keywords: face search by image, facial recognition search, facial recognition, f
::: zone-end --
ai-services Quotas Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/openai/quotas-limits.md
To minimize issues related to rate limits, it's a good idea to use the following
### How to request increases to the default quotas and limits
-Quota increase requests can be submitted from the [Quotas](./how-to/quota.md) page of Azure OpenAI Studio. Please note that due to overwhelming demand, we are not currently approving new quota increase requests. Your request will be queued until it can be filled at a later time.
+Quota increase requests can be submitted from the [Quotas](./how-to/quota.md) page of Azure OpenAI Studio. Please note that due to overwhelming demand, quota increase requests are being accepted and will be filled in the order they are received. Priority will be given to customers who generate traffic that consumes the existing quota allocation, and your request may be denied if this condition is not met.
For other rate limits, please [submit a service request](../cognitive-services-support-options.md?context=/azure/ai-services/openai/context/context).
ai-services Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/policy-reference.md
Title: Built-in policy definitions for Azure AI services description: Lists Azure Policy built-in policy definitions for Azure AI services. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
ai-services Batch Synthesis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/speech-service/batch-synthesis.md
curl -v -X POST -H "Ocp-Apim-Subscription-Key: YourSpeechKey" -H "Content-Type:
"inputs": [ { "text": "<speak version='\''1.0'\'' xml:lang='\''en-US'\''>
- <voice xml:lang='\''en-US'\'' xml:gender='\''Female'\'' name='\''en-US-JennyNeural'\''>
+ <voice name='\''en-US-JennyNeural'\''>
The rainbow has seven colors. </voice> </speak>",
The summary file contains the synthesis results for each text input. Here's an e
"results": [ { "texts": [
- "<speak version='1.0' xml:lang='en-US'>\n\t\t\t\t<voice xml:lang='en-US' xml:gender='Female' name='en-US-JennyNeural'>\n\t\t\t\t\tThe rainbow has seven colors.\n\t\t\t\t</voice>\n\t\t\t</speak>"
+ "<speak version='1.0' xml:lang='en-US'>\n\t\t\t\t<voice name='en-US-JennyNeural'>\n\t\t\t\t\tThe rainbow has seven colors.\n\t\t\t\t</voice>\n\t\t\t</speak>"
], "status": "Succeeded", "billingDetails": {
ai-services Translator Container Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ai-services/translator/containers/translator-container-configuration.md
Previously updated : 07/18/2023 Last updated : 10/10/2023 recommendations: false # Configure Translator Docker containers
-Azure AI services provides each container with a common configuration framework. You can easily configure your Translator containers to build Translator application architecture optimized for robust cloud capabilities and edge locality.
+Azure AI services provide each container with a common configuration framework. You can easily configure your Translator containers to build Translator application architecture optimized for robust cloud capabilities and edge locality.
The **Translator** container runtime environment is configured using the `docker run` command arguments. This container has both required and optional settings. The required container-specific settings are the billing settings.
The `Billing` setting specifies the endpoint URI of the _Translator_ resource on
This setting can be found in the following place:
-* Azure portal: **Translator** Overview page, labeled `Endpoint`
+* Azure portal: **Translator** Overview page labeled `Endpoint`
| Required | Name | Data type | Description | | -- | - | | -- |
This setting can be found in the following place:
## Logging settings
+Translator containers support the following logging providers:
+
+|Provider|Purpose|
+|--|--|
+|[Console](/aspnet/core/fundamentals/logging/#console-provider)|The ASP.NET Core `Console` logging provider. All of the ASP.NET Core configuration settings and default values for this logging provider are supported.|
+|[Debug](/aspnet/core/fundamentals/logging/#debug-provider)|The ASP.NET Core `Debug` logging provider. All of the ASP.NET Core configuration settings and default values for this logging provider are supported.|
+|[Disk](#disk-logging)|The JSON logging provider. This logging provider writes log data to the output mount.|
+
+* The `Logging` settings manage ASP.NET Core logging support for your container. You can use the same configuration settings and values for your container that you use for an ASP.NET Core application.
+
+* The `Logging.LogLevel` specifies the minimum level to log. The severity of the `LogLevel` ranges from 0 to 6. When a `LogLevel` is specified, logging is enabled for messages at the specified level and higher: Trace = 0, Debug = 1, Information = 2, Warning = 3, Error = 4, Critical = 5, None = 6.
+
+* Currently, Translator containers have the ability to restrict logs at the **Warning** LogLevel or higher.
+
+The general command syntax for logging is as follows:
+
+```bash
+ -Logging:LogLevel:{Provider}={FilterSpecs}
+```
+
+The following command starts the Docker container with the `LogLevel` set to **Warning** and logging provider set to **Console**. This command prints anomalous or unexpected events during the application flow to the console:
+
+```bash
+docker run --rm -it -p 5000:5000
+-v /mnt/d/TranslatorContainer:/usr/local/models \
+-e apikey={API_KEY} \
+-e eula=accept \
+-e billing={ENDPOINT_URI} \
+-e Languages=en,fr,es,ar,ru \
+-e Logging:LogLevel:Console="Warning"
+mcr.microsoft.com/azure-cognitive-services/translator/text-translation:latest
+
+```
+
+### Disk logging
+
+The `Disk` logging provider supports the following configuration settings:
+
+| Name | Data type | Description |
+||--|-|
+| `Format` | String | The output format for log files.<br/> **Note:** This value must be set to `json` to enable the logging provider. If this value is specified without also specifying an output mount while instantiating a container, an error occurs. |
+| `MaxFileSize` | Integer | The maximum size, in megabytes (MB), of a log file. When the size of the current log file meets or exceeds this value, the logging provider starts a new log file. If -1 is specified, the size of the log file is limited only by the maximum file size, if any, for the output mount. The default value is 1. |
+
+#### Disk provider example
+
+```bash
+docker run --rm -it -p 5000:5000 \
+--memory 2g --cpus 1 \
+--mount type=bind,src=/home/azureuser/output,target=/output \
+-e apikey={API_KEY} \
+-e eula=accept \
+-e billing={ENDPOINT_URI} \
+-e Languages=en,fr,es,ar,ru \
+Eula=accept \
+Billing=<endpoint> \
+ApiKey=<api-key> \
+Logging:Disk:Format=json \
+Mounts:Output=/output
+```
+
+For more information about configuring ASP.NET Core logging support, see [Settings file configuration](/aspnet/core/fundamentals/logging/).
## Mount settings
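Review bot: the Console example under "The following command starts the Docker container" does not run as written: `docker run --rm -it -p 5000:5000` and `-e Logging:LogLevel:Console="Warning"` both lack the trailing `\`, so the shell executes the first line alone (with no image) and then treats each following line as its own command. Add `\` to those two lines. The Disk provider example has the opposite defect: no image line appears at all, so docker would take `Eula=accept \` as the image name, and the positional `Eula`, `Billing` and `ApiKey` settings duplicate the `-e eula`, `-e billing` and `-e apikey` values already passed above them. Insert the text-translation image line (the same `mcr.microsoft.com/azure-cognitive-services/translator/text-translation:latest` line the Console example uses) after the `Languages` line, and keep only one form of each setting, leaving `Logging:Disk:Format=json` and `Mounts:Output=/output` as the positional settings after the image.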
aks Devops Pipeline https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/devops-pipeline.md
description: Build and push images to Azure Container Registry; Deploy to Azure
Previously updated : 07/05/2023 Last updated : 10/11/2023 zone_pivot_groups: pipelines-version
https://github.com/MicrosoftDocs/pipelines-javascript-docker
## Create the Azure resources
-Sign in to the [Azure portal](https://portal.azure.com/), and then select the [Cloud Shell](../cloud-shell/overview.md) button in the upper-right corner.
-
+Sign in to the [Azure portal](https://portal.azure.com/), and then select the [Cloud Shell](../cloud-shell/overview.md) button in the upper-right corner. Use Azure CLI or PowerShell to create an AKS cluster.
### Create a container registry
+#### [Azure CLI](#tab/cli)
+ ```azurecli-interactive # Create a resource group az group create --name myapp-rg --location eastus
az aks create \
--generate-ssh-keys ```
+#### [PowerShell](#tab/powershell)
+
+```powershell
+# Install Azure PowerShell
+Install-Module -Name Az -Repository PSGallery -Force
+
+# The Microsoft.OperationsManagement resource provider must be registered. This is a one-time activity per subscription.
+Register-AzResourceProvider -ProviderNamespace Microsoft.OperationsManagement
+
+# Create a resource group
+New-AzResourceGroup -Name myapp-rg -Location eastus
+
+# Create a container registry
+New-AzContainerRegistry -ResourceGroupName myapp-rg -Name myContainerRegistry -Sku Basic -Location eastus
+
+# Create a log analytics workspace (or use an existing one)
+New-AzOperationalInsightsWorkspace -ResourceGroupName myapp-rg -Name myWorkspace -Location eastus
+
+# Create an AKS cluster with monitoring add-on enabled
+$aksParameters = @{
+ ResourceGroupName = 'myapp-rg'
+ Name = 'myapp'
+ NodeCount = 1
+ AddOnNameToBeEnabled = 'Monitoring'
+ GenerateSshKey = $true
+ WorkspaceResourceId = '/subscriptions/<subscription-id>/resourceGroups/myapp-rg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace'
+}
+
+New-AzAksCluster @aksParameters
+```
+
+
++ ## Sign in to Azure Pipelines Sign in to [Azure Pipelines](https://azure.microsoft.com/services/devops/pipelines). After you sign in, your browser goes to `https://dev.azure.com/my-organization-name` and displays your Azure DevOps dashboard.
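Review bot: in the PowerShell tab, `WorkspaceResourceId` is hand-assembled with a `<subscription-id>` placeholder even though the `New-AzOperationalInsightsWorkspace` call two lines above returns the workspace object. Capture that result (for example `$ws = New-AzOperationalInsightsWorkspace ...`) and set `WorkspaceResourceId = $ws.ResourceId`; that removes the placeholder, ties the cluster to the workspace that was actually created, and avoids a mistyped subscription ID silently pointing monitoring at the wrong workspace.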
https://github.com/MicrosoftDocs/pipelines-javascript-docker
## Create the Azure resources
-Sign in to the [Azure portal](https://portal.azure.com/), and then select the [Cloud Shell](../cloud-shell/overview.md) button in the upper-right corner.
+Sign in to the [Azure portal](https://portal.azure.com/), and then select the [Cloud Shell](../cloud-shell/overview.md) button in the upper-right corner. Use Azure CLI or PowerShell to create an AKS cluster.
### Create a container registry
+#### [Azure CLI](#tab/cli)
+ ```azurecli-interactive # Create a resource group az group create --name myapp-rg --location eastus # Create a container registry
-az acr create --resource-group myapp-rg --name myContainerRegistry --sku Basic
+az acr create --resource-group myapp-rg --name mycontainerregistry --sku Basic
# Create a Kubernetes cluster az aks create \
az aks create \
--generate-ssh-keys ```
+#### [PowerShell](#tab/powershell)
+
+```powershell
+# Install Azure PowerShell
+Install-Module -Name Az -Repository PSGallery -Force
+
+# The Microsoft.OperationsManagement resource provider must be registered. This is a one-time activity per subscription.
+Register-AzResourceProvider -ProviderNamespace Microsoft.OperationsManagement
+
+# Create a resource group
+New-AzResourceGroup -Name myapp-rg -Location eastus
+
+# Create a container registry
+New-AzContainerRegistry -ResourceGroupName myapp-rg -Name myContainerRegistry -Sku Basic -Location eastus
+
+# Create a log analytics workspace (or use an existing one)
+New-AzOperationalInsightsWorkspace -ResourceGroupName myapp-rg -Name myWorkspace -Location eastus
+
+# Create an AKS cluster with monitoring add-on enabled
+$aksParameters = @{
+ ResourceGroupName = 'myapp-rg'
+ Name = 'myapp'
+ NodeCount = 1
+ AddOnNameToBeEnabled = 'Monitoring'
+ GenerateSshKey = $true
+ WorkspaceResourceId = '/subscriptions/<subscription-id>/resourceGroups/myapp-rg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace'
+}
+
+New-AzAksCluster @aksParameters
+```
+++ ## Configure authentication
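Review bot: the registry name is now inconsistent between the two tabs. The Azure CLI tab in this same change lowercases it (`az acr create --resource-group myapp-rg --name mycontainerregistry --sku Basic`), but the PowerShell tab still uses `New-AzContainerRegistry -ResourceGroupName myapp-rg -Name myContainerRegistry -Sku Basic -Location eastus`. Use the same lowercase name in both tabs so that whichever path a reader follows creates an identically named registry that the later pipeline steps can reference.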
aks Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/policy-reference.md
Title: Built-in policy definitions for Azure Kubernetes Service description: Lists Azure Policy built-in policy definitions for Azure Kubernetes Service. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
aks Supported Kubernetes Versions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/aks/supported-kubernetes-versions.md
Note the following important changes to make before you upgrade to any of the av
|--||-||-|| | 1.25 | Azure policy 1.0.1<br>Metrics-Server 0.6.3<br>KEDA 2.9.3<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>0.12.0</br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Ingress AppGateway 1.2.1<br>Eraser v1.1.1<br>Azure Workload identity v1.0.0<br>ASC Defender 1.0.56<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.7.0<br>KMS 0.5.0| Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 18.04 Cgroups V1 <br>ContainerD 1.7<br>| Ubuntu 22.04 by default with cgroupv2 and Overlay VPA 0.13.0 |CgroupsV2 - If you deploy Java applications with the JDK, prefer to use JDK 11.0.16 and later or JDK 15 and later, which fully support cgroup v2 | 1.26 | Azure policy 1.0.1<br>Metrics-Server 0.6.3<br>KEDA 2.9.3<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>0.12.0</br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Ingress AppGateway 1.2.1<br>Eraser v1.1.1<br>Azure Workload identity v1.0.0<br>ASC Defender 1.0.56<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.7.0<br>KMS 0.5.0| Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 22.04 Cgroups V2 <br>ContainerD 1.7<br>|No Breaking Changes |None
-| 1.27 | Azure policy 1.0.1<br>Metrics-Server 0.6.3<br>KEDA 2.10.0<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>0.12.0</br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Ingress AppGateway 1.2.1<br>Eraser v1.1.1<br>Azure Workload identity v1.0.0<br>ASC Defender 1.0.56<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.7.0<br>KMS 0.5.0|Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 22.04 Cgroups V2 <br>ContainerD 1.7 for Linux and 1.6 for Windows<br>|Keda 2.10.0 |Because of Ubuntu 22.04 FIPS certification status, we'll switch AKS FIPS nodes from 18.04 to 20.04 from 1.27 onwards.
+| 1.27 | Azure policy 1.1.0<br>Metrics-Server 0.6.3<br>KEDA 2.10.0<br>Open Service Mesh 1.2.3<br>Core DNS V1.9.4<br>0.12.0</br>Overlay VPA 0.11.0<br>Azure-Keyvault-SecretsProvider 1.4.1<br>Ingress AppGateway 1.2.1<br>Eraser v1.1.1<br>Azure Workload identity v1.0.0<br>ASC Defender 1.0.56<br>Azure Active Directory Pod Identity 1.8.13.6<br>GitOps 1.7.0<br>KMS 0.5.0|Cilium 1.12.8<br>CNI 1.4.44<br> Cluster Autoscaler 1.8.5.3<br> | OS Image Ubuntu 22.04 Cgroups V2 <br>ContainerD 1.7 for Linux and 1.6 for Windows<br>|Keda 2.10.0 |Because of Ubuntu 22.04 FIPS certification status, we'll switch AKS FIPS nodes from 18.04 to 20.04 from 1.27 onwards.
## Alias minor version
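Review bot: the updated 1.27 row still carries the stray `0.12.0</br>` token between `Core DNS V1.9.4` and `Overlay VPA 0.11.0`; it names no component and `</br>` is not a valid line-break tag, so it renders as an orphaned version number. Either attach the version to its component or drop it, and use `<br>` like the rest of the cell. Since only the Azure policy version changed in this row, the 1.25 and 1.26 rows in the unchanged context have the same problem and should be fixed in the same pass.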
api-management Api Version Retirement Sep 2023 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/breaking-changes/api-version-retirement-sep-2023.md
After 30 September 2023, if you prefer not to update your tools, scripts, and pr
* Terraform azurerm provider: 3.0.0 * **Azure SDKs** - Update the Azure API Management SDKs to the latest versions (or later): - * .NET: 8.0.0 * Go: 1.0.0 * Python: 3.0.0
- * JavaScript: 8.0.1
-
-## More information
+ - JavaScript: 8.0.1
+ - Java: 1.0.0-beta3
+ ## More information
* [Azure CLI](/cli/azure/update-azure-cli) * [Azure PowerShell](/powershell/azure/install-azure-powershell)
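Review bot: the two new SDK entries use indented `-` bullets (`- JavaScript: 8.0.1`, `- Java: 1.0.0-beta3`) while the sibling entries in the same list use `*` (`* .NET: 8.0.0 * Go: 1.0.0 * Python: 3.0.0`); mixed markers at one list level render inconsistently, so use `*` for the new entries too. Also, the blank line before `## More information` was removed and the heading re-added with a leading space; keep the blank line and start the heading at column 0 so it is still rendered as a heading rather than run into the list.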
After 30 September 2023, if you prefer not to update your tools, scripts, and pr
## Next steps See all [upcoming breaking changes and feature retirements](overview.md).+
api-management Integrate Vnet Outbound https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/integrate-vnet-outbound.md
When an API Management instance is integrated with a virtual network for outboun
- An Azure API Management instance in the [Standard v2](v2-service-tiers-overview.md) pricing tier - A virtual network with a subnet where your API Management backend APIs are hosted
- - The network must be deployed in the same region as your API Management instance
+ - The network must be deployed in the same region and subscription as your API Management instance
- (Optional) For testing, a sample backend API hosted within a different subnet in the virtual network. For example, see [Tutorial: Establish Azure Functions private site access](../azure-functions/functions-create-private-site-access.md). ## Delegate the subnet
If you have an API hosted in the virtual network, you can import it to your Mana
+
api-management Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/policy-reference.md
Title: Built-in policy definitions for Azure API Management description: Lists Azure Policy built-in policy definitions for Azure API Management. These built-in policy definitions provide approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
api-management Self Hosted Gateway Settings Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/api-management/self-hosted-gateway-settings-reference.md
Here is an overview of all configuration options:
| config.service.auth.azureAd.authority | Authority URL of Azure AD. | No | `https://login.microsoftonline.com` | v2.3+ | | config.service.auth.tokenAudience | Audience of token used for Azure AD authentication | No | `https://azure-api.net/configuration` | v2.3+ | | config.service.endpoint.disableCertificateValidation | Defines if the self-hosted gateway should validate the server-side certificate of the Configuration API. It is recommended to use certificate validation, only disable for testing purposes and with caution as it can introduce security risk. | No | `false` | v2.0+ |
+| config.service.integration.timeout | Defines the timeout for interacting with the Configuration API. | No | `00:01:40` | v2.3.5+ |
The self-hosted gateway provides support for a few authentication options to integrate with the Configuration API which can be defined by using `config.service.auth`.
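Review bot: the new `config.service.integration.timeout` row does not state the value format. The default `00:01:40` reads as an hh:mm:ss timespan (100 seconds), so the description should say that explicitly and name the units; otherwise a reader is likely to try a bare number such as `100` or a suffixed form such as `100s` and get a configuration that is rejected or silently misread.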
app-service Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/policy-reference.md
Title: Built-in policy definitions for Azure App Service description: Lists Azure Policy built-in policy definitions for Azure App Service. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
app-service Tutorial Connect Msi Azure Database https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-msi-azure-database.md
- [Azure Database for PostgreSQL](../postgresql/index.yml) > [!NOTE]
-> This tutorial doesn't include guidance for [Azure Cosmos DB](../cosmos-db/index.yml), which supports Azure Active Directory authentication differently. For more information, see the Azure Cosmos DB documentation, such as [Use system-assigned managed identities to access Azure Cosmos DB data](../cosmos-db/managed-identity-based-authentication.md).
+> This tutorial doesn't include guidance for [Azure Cosmos DB](../cosmos-db/index.yml), which supports Microsoft Entra authentication differently. For more information, see the Azure Cosmos DB documentation, such as [Use system-assigned managed identities to access Azure Cosmos DB data](../cosmos-db/managed-identity-based-authentication.md).
Managed identities in App Service make your app more secure by eliminating secrets from your app, such as credentials in the connection strings. This tutorial shows you how to connect to the above-mentioned databases from App Service using managed identities.
Managed identities in App Service make your app more secure by eliminating secre
What you will learn: > [!div class="checklist"]
-> * Configure an Azure AD user as an administrator for your Azure database.
-> * Connect to your database as the Azure AD user.
+> * Configure a Microsoft Entra user as an administrator for your Azure database.
+> * Connect to your database as the Microsoft Entra user.
> * Configure a system-assigned or user-assigned managed identity for an App Service app. > * Grant database access to the managed identity. > * Connect to the Azure database from your code (.NET Framework 4.8, .NET 6, Node.js, Python, Java) using a managed identity.
-> * Connect to the Azure database from your development environment using the Azure AD user.
+> * Connect to the Azure database from your development environment using the Microsoft Entra user.
[!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
Prepare your environment for the Azure CLI.
[!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]
-## 1. Grant database access to Azure AD user
+<a name='1-grant-database-access-to-azure-ad-user'></a>
-First, enable Azure Active Directory authentication to the Azure database by assigning an Azure AD user as the administrator of the server. For the scenario in the tutorial, you'll use this user to connect to your Azure database from the local development environment. Later, you set up the managed identity for your App Service app to connect from within Azure.
+## 1. Grant database access to Microsoft Entra user
+
+First, enable Microsoft Entra authentication to the Azure database by assigning a Microsoft Entra user as the administrator of the server. For the scenario in the tutorial, you'll use this user to connect to your Azure database from the local development environment. Later, you set up the managed identity for your App Service app to connect from within Azure.
> [!NOTE]
-> This user is different from the Microsoft account you used to sign up for your Azure subscription. It must be a user that you created, imported, synced, or invited into Azure AD. For more information on allowed Azure AD users, see [Azure AD features and limitations in SQL Database](/azure/azure-sql/database/authentication-aad-overview#azure-ad-features-and-limitations).
+> This user is different from the Microsoft account you used to sign up for your Azure subscription. It must be a user that you created, imported, synced, or invited into Microsoft Entra ID. For more information on allowed Microsoft Entra users, see [Microsoft Entra features and limitations in SQL Database](/azure/azure-sql/database/authentication-aad-overview#azure-ad-features-and-limitations).
-1. If your Azure AD tenant doesn't have a user yet, create one by following the steps at [Add or delete users using Azure Active Directory](../active-directory/fundamentals/add-users-azure-active-directory.md).
+1. If your Microsoft Entra tenant doesn't have a user yet, create one by following the steps at [Add or delete users using Microsoft Entra ID](../active-directory/fundamentals/add-users-azure-active-directory.md).
-1. Find the object ID of the Azure AD user using the [`az ad user list`](/cli/azure/ad/user#az-ad-user-list) and replace *\<user-principal-name>*. The result is saved to a variable.
+1. Find the object ID of the Microsoft Entra user using the [`az ad user list`](/cli/azure/ad/user#az-ad-user-list) and replace *\<user-principal-name>*. The result is saved to a variable.
```azurecli-interactive azureaduser=$(az ad user list --filter "userPrincipalName eq '<user-principal-name>'" --query [].id --output tsv)
First, enable Azure Active Directory authentication to the Azure database by ass
# [Azure SQL Database](#tab/sqldatabase)
-3. Add this Azure AD user as an Active Directory administrator using [`az sql server ad-admin create`](/cli/azure/sql/server/ad-admin#az-sql-server-ad-admin-create) command in the Cloud Shell. In the following command, replace *\<group-name>* and *\<server-name>* with your own parameters.
+3. Add this Microsoft Entra user as an Active Directory administrator using [`az sql server ad-admin create`](/cli/azure/sql/server/ad-admin#az-sql-server-ad-admin-create) command in the Cloud Shell. In the following command, replace *\<group-name>* and *\<server-name>* with your own parameters.
```azurecli-interactive az sql server ad-admin create --resource-group <group-name> --server-name <server-name> --display-name ADMIN --object-id $azureaduser ```
- For more information on adding an Active Directory administrator, see [Provision an Azure Active Directory administrator for your server](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance)
+ For more information on adding an Active Directory administrator, see [Provision a Microsoft Entra administrator for your server](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance)
# [Azure Database for MySQL](#tab/mysql)
-3. Add this Azure AD user as an Active Directory administrator using [`az mysql server ad-admin create`](/cli/azure/mysql/server/ad-admin#az-mysql-server-ad-admin-create) command in the Cloud Shell. In the following command, replace *\<group-name>* and *\<server-name>* with your own parameters.
+3. Add this Microsoft Entra user as an Active Directory administrator using [`az mysql server ad-admin create`](/cli/azure/mysql/server/ad-admin#az-mysql-server-ad-admin-create) command in the Cloud Shell. In the following command, replace *\<group-name>* and *\<server-name>* with your own parameters.
```azurecli-interactive az mysql server ad-admin create --resource-group <group-name> --server-name <server-name> --display-name <user-principal-name> --object-id $azureaduser
First, enable Azure Active Directory authentication to the Azure database by ass
# [Azure Database for PostgreSQL](#tab/postgresql)
-3. Add this Azure AD user as an Active Directory administrator using [`az postgres server ad-admin create`](/cli/azure/postgres/server/ad-admin#az-postgres-server-ad-admin-create) command in the Cloud Shell. In the following command, replace *\<group-name>* and *\<server-name>* with your own parameters.
+3. Add this Microsoft Entra user as an Active Directory administrator using [`az postgres server ad-admin create`](/cli/azure/postgres/server/ad-admin#az-postgres-server-ad-admin-create) command in the Cloud Shell. In the following command, replace *\<group-name>* and *\<server-name>* with your own parameters.
```azurecli-interactive az postgres server ad-admin create --resource-group <group-name> --server-name <server-name> --display-name <user-principal-name> --object-id $azureaduser
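Review bot: the rename is incomplete in the three tab steps. Each now reads `3. Add this Microsoft Entra user as an Active Directory administrator ...` (SQL Database, MySQL and PostgreSQL tabs), so the user is "Microsoft Entra" but the role is still "Active Directory administrator", and the follow-up sentence "For more information on adding an Active Directory administrator" has the same mix. Use one term consistently, for example "Microsoft Entra administrator", which is also the wording the linked page title in this change already uses.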
Next, you configure your App Service app to connect to SQL Database with a manag
> [!NOTE] > To enable managed identity for a [deployment slot](deploy-staging-slots.md), add `--slot <slot-name>` and use the name of the slot in *\<slot-name>*.
-1. The identity needs to be granted permissions to access the database. In the Cloud Shell, sign in to your database with the following command. Replace _\<server-name>_ with your server name, _\<database-name>_ with the database name your app uses, and _\<aad-user-name>_ and _\<aad-password>_ with your Azure AD user's credentials from [1. Grant database access to Azure AD user]().
+1. The identity needs to be granted permissions to access the database. In the Cloud Shell, sign in to your database with the following command. Replace _\<server-name>_ with your server name, _\<database-name>_ with the database name your app uses, and _\<aad-user-name>_ and _\<aad-password>_ with your Microsoft Entra user's credentials from [1. Grant database access to Microsoft Entra user]().
# [Azure SQL Database](#tab/sqldatabase)
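Review bot: the link `[1. Grant database access to Microsoft Entra user]()` on the updated line has an empty target, so it renders as a dead link. Point it at the section anchor; the `<a name='1-grant-database-access-to-azure-ad-user'></a>` added earlier in this change keeps the old `#1-grant-database-access-to-azure-ad-user` target valid, so linking to that anchor is the safest choice and matches the link used in step 4.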
For Azure Database for MySQL and Azure Database for PostgreSQL, the database use
connection.Open(); ```
- [Microsoft.Data.SqlClient](/sql/connect/ado-net/sql/azure-active-directory-authentication?view=azuresqldb-current&preserve-view=true) provides integrated support of Azure AD authentication. In this case, the [Active Directory Default](/sql/connect/ado-net/sql/azure-active-directory-authentication?view=azuresqldb-current&preserve-view=true#using-active-directory-default-authentication) uses `DefaultAzureCredential` to retrieve the required token for you and adds it to the database connection directly.
+ [Microsoft.Data.SqlClient](/sql/connect/ado-net/sql/azure-active-directory-authentication?view=azuresqldb-current&preserve-view=true) provides integrated support of Microsoft Entra authentication. In this case, the [Active Directory Default](/sql/connect/ado-net/sql/azure-active-directory-authentication?view=azuresqldb-current&preserve-view=true#using-active-directory-default-authentication) uses `DefaultAzureCredential` to retrieve the required token for you and adds it to the database connection directly.
For a more detailed tutorial, see [Tutorial: Connect to SQL Database from .NET App Service without secrets using a managed identity](tutorial-connect-msi-sql-database.md).
For Azure Database for MySQL and Azure Database for PostgreSQL, the database use
The `if` statement sets the MySQL username based on which identity the token applies to. The token is then passed in to the [standard MySQL connection](../mysql/connect-python.md) as the password of the Azure identity.
- The `LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN` environment variable enables the [Cleartext plugin](https://dev.mysql.com/doc/refman/8.0/en/cleartext-pluggable-authentication.html) in the MySQL Connector (see [Use Azure Active Directory for authentication with MySQL](../mysql/howto-configure-sign-in-azure-ad-authentication.md#compatibility-with-application-drivers)).
+ The `LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN` environment variable enables the [Cleartext plugin](https://dev.mysql.com/doc/refman/8.0/en/cleartext-pluggable-authentication.html) in the MySQL Connector (see [Use Microsoft Entra ID for authentication with MySQL](../mysql/howto-configure-sign-in-azure-ad-authentication.md#compatibility-with-application-drivers)).
# [Azure Database for PostgreSQL](#tab/postgresql)
For Azure Database for MySQL and Azure Database for PostgreSQL, the database use
The `if` statement sets the PostgreSQL username based on which identity the token applies to. The token is then passed in to the [standard PostgreSQL connection](../postgresql/connect-python.md) as the password of the Azure identity.
- Whatever database driver you use, make sure it can send the token as clear text (see [Use Azure Active Directory for authentication with MySQL](../mysql/howto-configure-sign-in-azure-ad-authentication.md#compatibility-with-application-drivers)).
+ Whatever database driver you use, make sure it can send the token as clear text (see [Use Microsoft Entra ID for authentication with MySQL](../mysql/howto-configure-sign-in-azure-ad-authentication.md#compatibility-with-application-drivers)).
--
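Review bot: The renamed link on the PostgreSQL tab still points at the MySQL article (`../mysql/howto-configure-sign-in-azure-ad-authentication.md#compatibility-with-application-drivers`) under the text "Use Microsoft Entra ID for authentication with MySQL"; on this tab it should reference the PostgreSQL equivalent, or at least drop "with MySQL" from the link text. The "send the token as clear text" requirement applies here as well, so the same TLS caveat belongs on this tab.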
For Azure Database for MySQL and Azure Database for PostgreSQL, the database use
## 4. Set up your dev environment
- This sample code uses `DefaultAzureCredential` to get a useable token for your Azure database from Azure Active Directory and then adds it to the database connection. While you can customize `DefaultAzureCredential`, it's already versatile by default. It gets a token from the signed-in Azure AD user or from a managed identity, depending on whether you run it locally in your development environment or in App Service.
+ This sample code uses `DefaultAzureCredential` to get a useable token for your Azure database from Microsoft Entra ID and then adds it to the database connection. While you can customize `DefaultAzureCredential`, it's already versatile by default. It gets a token from the signed-in Microsoft Entra user or from a managed identity, depending on whether you run it locally in your development environment or in App Service.
-Without any further changes, your code is ready to be run in Azure. To debug your code locally, however, your develop environment needs a signed-in Azure AD user. In this step, you configure your environment of choice by signing in [with your Azure AD user](#1-grant-database-access-to-azure-ad-user).
+Without any further changes, your code is ready to be run in Azure. To debug your code locally, however, your develop environment needs a signed-in Microsoft Entra user. In this step, you configure your environment of choice by signing in [with your Microsoft Entra user](#1-grant-database-access-to-azure-ad-user).
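Review bot: "your develop environment" in the `+` line is a typo carried over from the `-` line; it should read "your development environment". "useable" in the preceding paragraph is normally spelled "usable". The anchor `#1-grant-database-access-to-azure-ad-user` keeps the old heading id, which only resolves if that section retains an `<a name>` alias after its heading is renamed, as the SQL tutorial further down this page does.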
# [Visual Studio Windows](#tab/windowsclient)
-1. Visual Studio for Windows is integrated with Azure AD authentication. To enable development and debugging in Visual Studio, add your Azure AD user in Visual Studio by selecting **File** > **Account Settings** from the menu, and select **Sign in** or **Add**.
+1. Visual Studio for Windows is integrated with Microsoft Entra authentication. To enable development and debugging in Visual Studio, add your Microsoft Entra user in Visual Studio by selecting **File** > **Account Settings** from the menu, and select **Sign in** or **Add**.
-1. To set the Azure AD user for Azure service authentication, select **Tools** > **Options** from the menu, then select **Azure Service Authentication** > **Account Selection**. Select the Azure AD user you added and select **OK**.
+1. To set the Microsoft Entra user for Azure service authentication, select **Tools** > **Options** from the menu, then select **Azure Service Authentication** > **Account Selection**. Select the Microsoft Entra user you added and select **OK**.
# [Visual Studio for macOS](#tab/macosclient)
-1. Visual Studio for Mac is *not* integrated with Azure AD authentication. However, the Azure Identity client library that you'll use later can also retrieve tokens from Azure CLI. To enable development and debugging in Visual Studio, [install Azure CLI](/cli/azure/install-azure-cli) on your local machine.
+1. Visual Studio for Mac is *not* integrated with Microsoft Entra authentication. However, the Azure Identity client library that you'll use later can also retrieve tokens from Azure CLI. To enable development and debugging in Visual Studio, [install Azure CLI](/cli/azure/install-azure-cli) on your local machine.
-1. Sign in to Azure CLI with the following command using your Azure AD user:
+1. Sign in to Azure CLI with the following command using your Microsoft Entra user:
```azurecli az login --allow-no-subscriptions
Without any further changes, your code is ready to be run in Azure. To debug you
# [Visual Studio Code](#tab/vscode)
-1. Visual Studio Code is integrated with Azure AD authentication through the Azure extension. Install the <a href="https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack" target="_blank">Azure Tools</a> extension in Visual Studio Code.
+1. Visual Studio Code is integrated with Microsoft Entra authentication through the Azure extension. Install the <a href="https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack" target="_blank">Azure Tools</a> extension in Visual Studio Code.
1. In Visual Studio Code, in the [Activity Bar](https://code.visualstudio.com/docs/getstarted/userinterface), select the **Azure** logo.
Without any further changes, your code is ready to be run in Azure. To debug you
1. The Azure Identity client library that you'll use later can use tokens from Azure CLI. To enable command-line based development, [install Azure CLI](/cli/azure/install-azure-cli) on your local machine.
-1. Sign in to Azure with the following command using your Azure AD user:
+1. Sign in to Azure with the following command using your Microsoft Entra user:
```azurecli az login --allow-no-subscriptions
Without any further changes, your code is ready to be run in Azure. To debug you
1. The Azure Identity client library that you'll use later can use tokens from Azure PowerShell. To enable command-line based development, [install Azure PowerShell](/powershell/azure/install-azure-powershell) on your local machine.
-1. Sign in to Azure CLI with the following cmdlet using your Azure AD user:
+1. Sign in to Azure CLI with the following cmdlet using your Microsoft Entra user:
```powershell-interactive Connect-AzAccount
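Review bot: "Sign in to Azure CLI with the following cmdlet" is wrong on this tab: `Connect-AzAccount` is an Azure PowerShell cmdlet, and the preceding step installs Azure PowerShell, so the line should read "Sign in to Azure PowerShell with the following cmdlet". The rename alone does not fix this.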
Without any further changes, your code is ready to be run in Azure. To debug you
--
-For more information about setting up your dev environment for Azure Active Directory authentication, see [Azure Identity client library for .NET](/dotnet/api/overview/azure/Identity-readme).
+For more information about setting up your dev environment for Microsoft Entra authentication, see [Azure Identity client library for .NET](/dotnet/api/overview/azure/Identity-readme).
-You're now ready to develop and debug your app with the SQL Database as the back end, using Azure AD authentication.
+You're now ready to develop and debug your app with the SQL Database as the back end, using Microsoft Entra authentication.
## 5. Test and publish
-1. Run your code in your dev environment. Your code uses the [signed-in Azure AD user](#1-grant-database-access-to-azure-ad-user)) in your environment to connect to the back-end database. The user can access the database because it's configured as an Azure AD administrator for the database.
+1. Run your code in your dev environment. Your code uses the [signed-in Microsoft Entra user](#1-grant-database-access-to-azure-ad-user)) in your environment to connect to the back-end database. The user can access the database because it's configured as a Microsoft Entra administrator for the database.
1. Publish your code to Azure using the preferred publishing method. In App Service, your code uses the app's managed identity to connect to the back-end database.
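Review bot: The link `[signed-in Microsoft Entra user](#1-grant-database-access-to-azure-ad-user))` keeps a stray closing parenthesis from the `-` line, which renders as a literal `)` after the link; drop the second `)`.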
You're now ready to develop and debug your app with the SQL Database as the back
- [Does managed identity support SQL Server?](#does-managed-identity-support-sql-server) - [I get the error `Login failed for user '<token-identified principal>'.`](#i-get-the-error-login-failed-for-user-token-identified-principal) - [I made changes to App Service authentication or the associated app registration. Why do I still get the old token?](#i-made-changes-to-app-service-authentication-or-the-associated-app-registration-why-do-i-still-get-the-old-token)-- [How do I add the managed identity to an Azure AD group?](#how-do-i-add-the-managed-identity-to-an-azure-ad-group)
+- [How do I add the managed identity to a Microsoft Entra group?](#how-do-i-add-the-managed-identity-to-an-azure-ad-group)
- [I get the error `mysql: unknown option '--enable-cleartext-plugin'`.](#i-get-the-error-mysql-unknown-optionenable-cleartext-plugin) - [I get the error `SSL connection is required. Please specify SSL options and retry`.](#i-get-the-error-ssl-connection-is-required-please-specify-ssl-options-and-retry) #### Does managed identity support SQL Server?
-Azure Active Directory and managed identities aren't supported for on-premises SQL Server.
+Microsoft Entra ID and managed identities aren't supported for on-premises SQL Server.
#### I get the error `Login failed for user '<token-identified principal>'.`
The managed identity you're attempting to request a token for is not authorized
The back-end services of managed identities also [maintain a token cache](overview-managed-identity.md#configure-target-resource) that updates the token for a target resource only when it expires. If you modify the configuration *after* trying to get a token with your app, you don't actually get a new token with the updated permissions until the cached token expires. The best way to work around this is to test your changes with a new InPrivate (Edge)/private (Safari)/Incognito (Chrome) window. That way, you're sure to start from a new authenticated session.
-#### How do I add the managed identity to an Azure AD group?
+<a name='how-do-i-add-the-managed-identity-to-an-azure-ad-group'></a>
+
+#### How do I add the managed identity to a Microsoft Entra group?
-If you want, you can add the identity to an [Azure AD group](../active-directory/fundamentals/active-directory-manage-groups.md), then grant access to the Azure AD group instead of the identity. For example, the following commands add the managed identity from the previous step to a new group called _myAzureSQLDBAccessGroup_:
+If you want, you can add the identity to an [Microsoft Entra group](../active-directory/fundamentals/active-directory-manage-groups.md), then grant access to the Microsoft Entra group instead of the identity. For example, the following commands add the managed identity from the previous step to a new group called _myAzureSQLDBAccessGroup_:
```azurecli-interactive groupid=$(az ad group create --display-name myAzureSQLDBAccessGroup --mail-nickname myAzureSQLDBAccessGroup --query objectId --output tsv)
az ad group member add --group $groupid --member-id $msiobjectid
az ad group member list -g $groupid ```
-To grant database permissions for an Azure AD group, see documentation for the respective database type.
+To grant database permissions for a Microsoft Entra group, see documentation for the respective database type.
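Review bot: "an [Microsoft Entra group]" in the `+` line needs the article "a" now that the link text no longer starts with a vowel sound; the same slip appears in the SQL tutorial's note further down. Separately, the unchanged `az ad group create ... --query objectId` line yields an empty `$groupid` on Azure CLI 2.37 and later, where the `az ad` commands use Microsoft Graph and expose the property as `id` (the SQL tutorial's `az ad user list --query '[].id'` on this page already uses the new name); suggest `--query id` so the following `az ad group member add --group $groupid` receives a valid group id.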
#### I get the error `mysql: unknown option '--enable-cleartext-plugin'`.
Connecting to the Azure database requires additional settings and is beyond the
What you learned: > [!div class="checklist"]
-> * Configure an Azure AD user as an administrator for your Azure database.
-> * Connect to your database as the Azure AD user.
+> * Configure a Microsoft Entra user as an administrator for your Azure database.
+> * Connect to your database as the Microsoft Entra user.
> * Configure a system-assigned or user-assigned managed identity for an App Service app. > * Grant database access to the managed identity. > * Connect to the Azure database from your code (.NET Framework 4.8, .NET 6, Node.js, Python, Java) using a managed identity.
-> * Connect to the Azure database from your development environment using the Azure AD user.
+> * Connect to the Azure database from your development environment using the Microsoft Entra user.
> [!div class="nextstepaction"] > [How to use managed identities for App Service and Azure Functions](overview-managed-identity.md)
app-service Tutorial Connect Msi Sql Database https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-msi-sql-database.md
What you will learn:
> [!div class="checklist"] > * Enable managed identities > * Grant SQL Database access to the managed identity
-> * Configure Entity Framework to use Azure AD authentication with SQL Database
-> * Connect to SQL Database from Visual Studio using Azure AD authentication
+> * Configure Entity Framework to use Microsoft Entra authentication with SQL Database
+> * Connect to SQL Database from Visual Studio using Microsoft Entra authentication
> [!NOTE]
->Azure AD authentication is _different_ from [Integrated Windows authentication](/previous-versions/windows/it-pro/windows-server-2003/cc758557(v=ws.10)) in on-premises Active Directory (AD DS). AD DS and Azure AD use completely different authentication protocols. For more information, see [Azure AD Domain Services documentation](../active-directory-domain-services/index.yml).
+>Microsoft Entra authentication is _different_ from [Integrated Windows authentication](/previous-versions/windows/it-pro/windows-server-2003/cc758557(v=ws.10)) in on-premises Active Directory (AD DS). AD DS and Microsoft Entra ID use completely different authentication protocols. For more information, see [Microsoft Entra Domain Services documentation](../active-directory-domain-services/index.yml).
[!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
Prepare your environment for the Azure CLI.
[!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/articles/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]
-## 1. Grant database access to Azure AD user
+<a name='1-grant-database-access-to-azure-ad-user'></a>
-First, enable Azure Active Directory authentication to SQL Database by assigning an Azure AD user as the admin of the server. This user is different from the Microsoft account you used to sign up for your Azure subscription. It must be a user that you created, imported, synced, or invited into Azure AD. For more information on allowed Azure AD users, see [Azure AD features and limitations in SQL Database](/azure/azure-sql/database/authentication-aad-overview#azure-ad-features-and-limitations).
+## 1. Grant database access to Microsoft Entra user
-1. If your Azure AD tenant doesn't have a user yet, create one by following the steps at [Add or delete users using Azure Active Directory](../active-directory/fundamentals/add-users-azure-active-directory.md).
+First, enable Microsoft Entra authentication to SQL Database by assigning a Microsoft Entra user as the admin of the server. This user is different from the Microsoft account you used to sign up for your Azure subscription. It must be a user that you created, imported, synced, or invited into Microsoft Entra ID. For more information on allowed Microsoft Entra users, see [Microsoft Entra features and limitations in SQL Database](/azure/azure-sql/database/authentication-aad-overview#azure-ad-features-and-limitations).
-1. Find the object ID of the Azure AD user using the [`az ad user list`](/cli/azure/ad/user#az-ad-user-list) and replace *\<user-principal-name>*. The result is saved to a variable.
+1. If your Microsoft Entra tenant doesn't have a user yet, create one by following the steps at [Add or delete users using Microsoft Entra ID](../active-directory/fundamentals/add-users-azure-active-directory.md).
+
+1. Find the object ID of the Microsoft Entra user using the [`az ad user list`](/cli/azure/ad/user#az-ad-user-list) and replace *\<user-principal-name>*. The result is saved to a variable.
```azurecli-interactive $azureaduser=(az ad user list --filter "userPrincipalName eq '<user-principal-name>'" --query '[].id' --output tsv) ``` > [!TIP]
- > To see the list of all user principal names in Azure AD, run `az ad user list --query '[].userPrincipalName'`.
+ > To see the list of all user principal names in Microsoft Entra ID, run `az ad user list --query '[].userPrincipalName'`.
>
-1. Add this Azure AD user as an Active Directory admin using [`az sql server ad-admin create`](/cli/azure/sql/server/ad-admin#az-sql-server-ad-admin-create) command in the Cloud Shell. In the following command, replace *\<server-name>* with the server name (without the `.database.windows.net` suffix).
+1. Add this Microsoft Entra user as an Active Directory admin using [`az sql server ad-admin create`](/cli/azure/sql/server/ad-admin#az-sql-server-ad-admin-create) command in the Cloud Shell. In the following command, replace *\<server-name>* with the server name (without the `.database.windows.net` suffix).
```azurecli-interactive az sql server ad-admin create --resource-group myResourceGroup --server-name <server-name> --display-name ADMIN --object-id $azureaduser ```
-For more information on adding an Active Directory admin, see [Provision an Azure Active Directory administrator for your server](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance)
+For more information on adding an Active Directory admin, see [Provision a Microsoft Entra administrator for your server](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance)
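Review bot: `$azureaduser=(az ad user list ...)` in the `azurecli-interactive` block is PowerShell assignment syntax; in a bash Cloud Shell it fails with "command not found", and the later `sqlcmd` block in this tutorial is tagged `bash`. Either state that these steps assume the PowerShell Cloud Shell, or use `azureaduser=$(...)` for the assignment as the Azure database tutorial above does with `groupid=$(...)`. The `--query '[].id'` property name is correct for the Graph-based `az ad` commands. Minor: the closing sentence "Provision a Microsoft Entra administrator for your server" lacks a terminating period.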
## 2. Set up your dev environment # [Visual Studio Windows](#tab/windowsclient)
-1. Visual Studio for Windows is integrated with Azure AD authentication. To enable development and debugging in Visual Studio, add your Azure AD user in Visual Studio by selecting **File** > **Account Settings** from the menu, and select **Sign in** or **Add**.
+1. Visual Studio for Windows is integrated with Microsoft Entra authentication. To enable development and debugging in Visual Studio, add your Microsoft Entra user in Visual Studio by selecting **File** > **Account Settings** from the menu, and select **Sign in** or **Add**.
-1. To set the Azure AD user for Azure service authentication, select **Tools** > **Options** from the menu, then select **Azure Service Authentication** > **Account Selection**. Select the Azure AD user you added and select **OK**.
+1. To set the Microsoft Entra user for Azure service authentication, select **Tools** > **Options** from the menu, then select **Azure Service Authentication** > **Account Selection**. Select the Microsoft Entra user you added and select **OK**.
# [Visual Studio for macOS](#tab/macosclient)
-1. Visual Studio for Mac is *not* integrated with Azure AD authentication. However, the Azure Identity client library that you'll use later can use tokens from Azure CLI. To enable development and debugging in Visual Studio, [install Azure CLI](/cli/azure/install-azure-cli) on your local machine.
+1. Visual Studio for Mac is *not* integrated with Microsoft Entra authentication. However, the Azure Identity client library that you'll use later can use tokens from Azure CLI. To enable development and debugging in Visual Studio, [install Azure CLI](/cli/azure/install-azure-cli) on your local machine.
-1. Sign in to Azure CLI with the following command using your Azure AD user:
+1. Sign in to Azure CLI with the following command using your Microsoft Entra user:
```azurecli az login --allow-no-subscriptions
For more information on adding an Active Directory admin, see [Provision an Azur
# [Visual Studio Code](#tab/vscode)
-1. Visual Studio Code is integrated with Azure AD authentication through the Azure extension. Install the <a href="https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack" target="_blank">Azure Tools</a> extension in Visual Studio Code.
+1. Visual Studio Code is integrated with Microsoft Entra authentication through the Azure extension. Install the <a href="https://marketplace.visualstudio.com/items?itemName=ms-vscode.vscode-node-azure-pack" target="_blank">Azure Tools</a> extension in Visual Studio Code.
1. In Visual Studio Code, in the [Activity Bar](https://code.visualstudio.com/docs/getstarted/userinterface), select the **Azure** logo.
For more information on adding an Active Directory admin, see [Provision an Azur
1. The Azure Identity client library that you'll use later can use tokens from Azure CLI. To enable command-line based development, [install Azure CLI](/cli/azure/install-azure-cli) on your local machine.
-1. Sign in to Azure with the following command using your Azure AD user:
+1. Sign in to Azure with the following command using your Microsoft Entra user:
```azurecli az login --allow-no-subscriptions
For more information on adding an Active Directory admin, see [Provision an Azur
1. The Azure Identity client library that you'll use later can use tokens from Azure PowerShell. To enable command-line based development, [install Azure PowerShell](/powershell/azure/install-azure-powershell) on your local machine.
-1. Sign in to Azure CLI with the following cmdlet using your Azure AD user:
+1. Sign in to Azure CLI with the following cmdlet using your Microsoft Entra user:
```powershell-interactive Connect-AzAccount
For more information on adding an Active Directory admin, see [Provision an Azur
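Review bot: Same issue as the Azure database tutorial above: `Connect-AzAccount` is an Azure PowerShell cmdlet, so this line should say "Sign in to Azure PowerShell", not "Sign in to Azure CLI".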
--
-For more information about setting up your dev environment for Azure Active Directory authentication, see [Azure Identity client library for .NET](/dotnet/api/overview/azure/Identity-readme).
+For more information about setting up your dev environment for Microsoft Entra authentication, see [Azure Identity client library for .NET](/dotnet/api/overview/azure/Identity-readme).
-You're now ready to develop and debug your app with the SQL Database as the back end, using Azure AD authentication.
+You're now ready to develop and debug your app with the SQL Database as the back end, using Microsoft Entra authentication.
## 3. Modify your project
The steps you follow for your project depends on whether you're using [Entity Fr
``` > [!NOTE]
- > The [Active Directory Default](/sql/connect/ado-net/sql/azure-active-directory-authentication#using-active-directory-default-authentication) authentication type can be used both on your local machine and in Azure App Service. The driver attempts to acquire a token from Azure Active Directory using various means. If the app is deployed, it gets a token from the app's managed identity. If the app is running locally, it tries to get a token from Visual Studio, Visual Studio Code, and Azure CLI.
+ > The [Active Directory Default](/sql/connect/ado-net/sql/azure-active-directory-authentication#using-active-directory-default-authentication) authentication type can be used both on your local machine and in Azure App Service. The driver attempts to acquire a token from Microsoft Entra ID using various means. If the app is deployed, it gets a token from the app's managed identity. If the app is running locally, it tries to get a token from Visual Studio, Visual Studio Code, and Azure CLI.
>
- That's everything you need to connect to SQL Database. When you debug in Visual Studio, your code uses the Azure AD user you configured in [2. Set up your dev environment](#2-set-up-your-dev-environment). You'll set up SQL Database later to allow connection from the managed identity of your App Service app. The `DefaultAzureCredential` class caches the token in memory and retrieves it from Azure AD just before expiration. You don't need any custom code to refresh the token.
+ That's everything you need to connect to SQL Database. When you debug in Visual Studio, your code uses the Microsoft Entra user you configured in [2. Set up your dev environment](#2-set-up-your-dev-environment). You'll set up SQL Database later to allow connection from the managed identity of your App Service app. The `DefaultAzureCredential` class caches the token in memory and retrieves it from Microsoft Entra ID just before expiration. You don't need any custom code to refresh the token.
-1. Type `Ctrl+F5` to run the app again. The same CRUD app in your browser is now connecting to the Azure SQL Database directly, using Azure AD authentication. This setup lets you run database migrations from Visual Studio.
+1. Type `Ctrl+F5` to run the app again. The same CRUD app in your browser is now connecting to the Azure SQL Database directly, using Microsoft Entra authentication. This setup lets you run database migrations from Visual Studio.
# [Entity Framework](#tab/ef)
The steps you follow for your project depends on whether you're using [Entity Fr
conn.AccessToken = token.Token; ```
- This code uses [Azure.Identity.DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) to get a useable token for SQL Database from Azure Active Directory and then adds it to the database connection. While you can customize `DefaultAzureCredential`, by default it's already versatile. When it runs in App Service, it uses app's system-assigned managed identity. When it runs locally, it can get a token using the logged-in identity of Visual Studio, Visual Studio Code, Azure CLI, and Azure PowerShell.
+ This code uses [Azure.Identity.DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) to get a useable token for SQL Database from Microsoft Entra ID and then adds it to the database connection. While you can customize `DefaultAzureCredential`, by default it's already versatile. When it runs in App Service, it uses app's system-assigned managed identity. When it runs locally, it can get a token using the logged-in identity of Visual Studio, Visual Studio Code, Azure CLI, and Azure PowerShell.
1. In *Web.config*, find the connection string called `MyDbConnection` and replace its `connectionString` value with `"server=tcp:<server-name>.database.windows.net;database=<db-name>;"`. Replace _\<server-name>_ and _\<db-name>_ with your server name and database name. This connection string is used by the default constructor in *Models/MyDbContext.cs*.
- That's every thing you need to connect to SQL Database. When you debug in Visual Studio, your code uses the Azure AD user you configured in [2. Set up your dev environment](#2-set-up-your-dev-environment). You'll set up SQL Database later to allow connection from the managed identity of your App Service app.
+ That's every thing you need to connect to SQL Database. When you debug in Visual Studio, your code uses the Microsoft Entra user you configured in [2. Set up your dev environment](#2-set-up-your-dev-environment). You'll set up SQL Database later to allow connection from the managed identity of your App Service app.
-1. Type `Ctrl+F5` to run the app again. The same CRUD app in your browser is now connecting to the Azure SQL Database directly, using Azure AD authentication. This setup lets you run database migrations from Visual Studio.
+1. Type `Ctrl+F5` to run the app again. The same CRUD app in your browser is now connecting to the Azure SQL Database directly, using Microsoft Entra authentication. This setup lets you run database migrations from Visual Studio.
--
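Review bot: "That's every thing you need" keeps the typo from the `-` line; the Entity Framework Core tab above spells it "everything". "When it runs in App Service, it uses app's system-assigned managed identity" is also missing "the" before "app's".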
Here's an example of the output:
### Grant permissions to managed identity > [!NOTE]
-> If you want, you can add the identity to an [Azure AD group](../active-directory/fundamentals/active-directory-manage-groups.md), then grant SQL Database access to the Azure AD group instead of the identity. For example, the following commands add the managed identity from the previous step to a new group called _myAzureSQLDBAccessGroup_:
+> If you want, you can add the identity to an [Microsoft Entra group](../active-directory/fundamentals/active-directory-manage-groups.md), then grant SQL Database access to the Microsoft Entra group instead of the identity. For example, the following commands add the managed identity from the previous step to a new group called _myAzureSQLDBAccessGroup_:
> > ```azurecli-interactive > $groupid=(az ad group create --display-name myAzureSQLDBAccessGroup --mail-nickname myAzureSQLDBAccessGroup --query objectId --output tsv)
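Review bot: As in the Azure database tutorial above, `--query objectId` in the unchanged `az ad group create` line returns an empty `$groupid` on Azure CLI 2.37 and later, where the property is `id`; suggest `--query id`. The `+` line also needs "a Microsoft Entra group" rather than "an".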
Here's an example of the output:
> ``` >
-1. In the Cloud Shell, sign in to SQL Database by using the SQLCMD command. Replace _\<server-name>_ with your server name, _\<db-name>_ with the database name your app uses, and _\<aad-user-name>_ and _\<aad-password>_ with your Azure AD user's credentials.
+1. In the Cloud Shell, sign in to SQL Database by using the SQLCMD command. Replace _\<server-name>_ with your server name, _\<db-name>_ with the database name your app uses, and _\<aad-user-name>_ and _\<aad-password>_ with your Microsoft Entra user's credentials.
```bash sqlcmd -S <server-name>.database.windows.net -d <db-name> -U <aad-user-name> -P "<aad-password>" -G -l 30
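Review bot: The `sqlcmd ... -U <aad-user-name> -P "<aad-password>" -G` line puts the Microsoft Entra user's password on the command line, where it lands in shell history and process listings; suggest omitting `-P` so `sqlcmd` prompts for the password, and keep `-G` so the credential is exchanged with Microsoft Entra ID rather than SQL authentication. The placeholder rename to "Microsoft Entra user's credentials" is otherwise consistent.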
Here's an example of the output:
GO ```
- *\<identity-name>* is the name of the managed identity in Azure AD. If the identity is system-assigned, the name is always the same as the name of your App Service app. For a [deployment slot](deploy-staging-slots.md), the name of its system-assigned identity is *\<app-name>/slots/\<slot-name>*. To grant permissions for an Azure AD group, use the group's display name instead (for example, *myAzureSQLDBAccessGroup*).
+ *\<identity-name>* is the name of the managed identity in Microsoft Entra ID. If the identity is system-assigned, the name is always the same as the name of your App Service app. For a [deployment slot](deploy-staging-slots.md), the name of its system-assigned identity is *\<app-name>/slots/\<slot-name>*. To grant permissions for a Microsoft Entra group, use the group's display name instead (for example, *myAzureSQLDBAccessGroup*).
1. Type `EXIT` to return to the Cloud Shell prompt.
Here's an example of the output:
> The back-end services of managed identities also [maintains a token cache](overview-managed-identity.md#configure-target-resource) that updates the token for a target resource only when it expires. If you make a mistake configuring your SQL Database permissions and try to modify the permissions *after* trying to get a token with your app, you don't actually get a new token with the updated permissions until the cached token expires. > [!NOTE]
- > Azure Active Directory and managed identities are not supported for on-premises SQL Server.
+ > Microsoft Entra ID and managed identities are not supported for on-premises SQL Server.
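Review bot: "The back-end services of managed identities also maintains a token cache" has a subject-verb disagreement; the same sentence in the Azure database tutorial above reads "maintain". The rename in the following note is fine.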
### Modify connection string
What you learned:
> [!div class="checklist"] > * Enable managed identities > * Grant SQL Database access to the managed identity
-> * Configure Entity Framework to use Azure AD authentication with SQL Database
-> * Connect to SQL Database from Visual Studio using Azure AD authentication
+> * Configure Entity Framework to use Microsoft Entra authentication with SQL Database
+> * Connect to SQL Database from Visual Studio using Microsoft Entra authentication
> [!div class="nextstepaction"] > [Secure with custom domain and certificate](tutorial-secure-domain-certificate.md)
app-service Tutorial Connect Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-connect-overview.md
Your app service may need to connect to other Azure services such as a database,
|Connection method|When to use| |--|--|
-|[Direct connection from App Service managed identity](#connect-to-azure-services-with-managed-identity)|Dependent service [supports managed identity](../active-directory/managed-identities-azure-resources/managed-identities-status.md)<br><br>* Best for enterprise-level security.<br>* Connection to dependent service is secured with managed identity.<br>* Large team or automated connection string and secret management.<br>* Don't manage credentials manually.<br>* Credentials arenΓÇÖt accessible to you.<br>* An Azure Active Directory Identity is required to access. Services include Microsoft Graph or Azure management SDKs.|
+|[Direct connection from App Service managed identity](#connect-to-azure-services-with-managed-identity)|Dependent service [supports managed identity](../active-directory/managed-identities-azure-resources/managed-identities-status.md)<br><br>* Best for enterprise-level security.<br>* Connection to dependent service is secured with managed identity.<br>* Large team or automated connection string and secret management.<br>* Don't manage credentials manually.<br>* Credentials arenΓÇÖt accessible to you.<br>* a Microsoft Entra identity is required to access. Services include Microsoft Graph or Azure management SDKs.|
|[Connect using Key Vault secrets from App Service managed identity](#connect-to-key-vault-with-managed-identity)|Dependent service doesn't support managed identity.<br><br>* Best for enterprise-level security.<br>* Connection includes non-Azure services such as GitHub, Twitter, Facebook, Google<br>* Large team or automated connection string and secret management<br>* Don't manage credentials manually.<br>* Credentials arenΓÇÖt accessible to you.<br>* Manage connection information with environment variables.| |[Connect with app settings](#connect-with-app-settings)|* Best for small team or individual owner of Azure resources.<br>* Stage 1 of multi-stage migration to Azure.<br>* Temporary or proof-of-concept applications.<br>* Manually manage connection information with environment variables.|
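Review bot: The `+` row starts its last bullet with a lowercase "a Microsoft Entra identity is required to access"; capitalize "A" to match the other bullets. The same row (and the Key Vault row below it) contains `arenΓÇÖt`, which is the UTF-8 apostrophe in `aren't` mis-decoded as Windows-1252; since the `+` line reproduces it, the source file still carries the mojibake and should be fixed to a plain `aren't`.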
The App Service provides [App settings](configure-common.md?tabs=portal#configur
**App Service** managed identity to another Azure service best when: * You don't need to manage Azure credentials. Credentials arenΓÇÖt even accessible to you.
-* You can use managed identities to authenticate to any resource that supports Azure Active Directory authentication including your own applications.
+* You can use managed identities to authenticate to any resource that supports Microsoft Entra authentication including your own applications.
* Managed identities can be used without any additional cost. **Key Vault** integration from App Service with managed identity best used when:
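Review bot: the context bullet "Credentials arenΓÇÖt even accessible to you" has the same mis-encoded apostrophe as the table above and should be fixed in the same pass. On wording, "aren't even accessible to you" can be read as "nobody can obtain a credential", whereas the point the bullet is making is that you never handle, store or rotate one; "You never handle or store a credential; the platform manages it for you" says that without the ambiguity.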
app-service Tutorial Java Tomcat Connect Managed Identity Postgresql Database https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-java-tomcat-connect-managed-identity-postgresql-database.md
Title: 'Tutorial: Access data with managed identity in Java'
description: Secure Azure Database for PostgreSQL connectivity with managed identity from a sample Java Tomcat app, and apply it to other Azure services. ms.devlang: java Previously updated : 08/14/2023 Last updated : 10/11/2023
> [!div class="checklist"] > * Create a PostgreSQL database. > * Deploy the sample app to Azure App Service on Tomcat using WAR packaging.
-> * Configure a Spring Boot web application to use Azure AD authentication with PostgreSQL Database.
+> * Configure a Tomcat web application to use Microsoft Entra authentication with PostgreSQL Database.
> * Connect to PostgreSQL Database with Managed Identity using Service Connector. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
cd Passwordless-Connections-for-Java-Apps/Tomcat/
## Create an Azure Database for PostgreSQL
-Follow these steps to create an Azure Database for Postgres in your subscription. The Spring Boot app connects to this database and store its data when running, persisting the application state no matter where you run the application.
+Follow these steps to create an Azure Database for Postgres in your subscription. The Tomcat app connects to this database and store its data when running, persisting the application state no matter where you run the application.
1. Sign into the Azure CLI, and optionally set your subscription if you have more than one connected to your login credentials.
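Review bot: the `+` line keeps the subject-verb error "connects to this database and store its data"; change to "stores its data". The sign-in step below it reads "if you have more than one connected to your login credentials"; "if more than one subscription is associated with your account" is clearer.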
Follow these steps to create an Azure Database for Postgres in your subscription
az group create --name $RESOURCE_GROUP --location $LOCATION ```
-1. Create an Azure Database for PostgreSQL server. The server is created with an administrator account, but it isn't used because we're going to use the Azure Active Directory (Azure AD) admin account to perform administrative tasks.
+1. Create an Azure Database for PostgreSQL server. The server is created with an administrator account, but it isn't used because we're going to use the Microsoft Entra admin account to perform administrative tasks.
### [Flexible Server](#tab/flexible)
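Review bot: "The server is created with an administrator account, but it isn't used" leaves a password-based server admin in place that the tutorial never mentions again, and "isn't used" invites readers to treat it as irrelevant even though it remains a valid sign-in path alongside the Microsoft Entra admin. The step should say to give it a strong, generated password and where to keep it, and that note belongs under each server tab (Flexible Server and the other tab), not only in this introductory line.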
app-service Tutorial Multi Region App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-multi-region-app.md
A default workflow file that uses a publish profile to authenticate to App Servi
### How do I disable basic auth on App Service?
-Consider [disabling basic auth on App Service](https://azure.github.io/AppService/2020/08/10/securing-data-plane-access.html), which limits access to the FTP and SCM endpoints to users that are backed by Azure Active Directory (Azure AD). If using a continuous deployment tool to deploy your application source code, disabling basic auth will require [extra steps to configure continuous deployment](deploy-github-actions.md). For example, you won't be able to use a publish profile since that authentication mechanism doesn't use Azure AD backed credentials. Instead, you'll need to use either a [service principal or OpenID Connect](deploy-github-actions.md#generate-deployment-credentials).
+Consider [disabling basic auth on App Service](https://azure.github.io/AppService/2020/08/10/securing-data-plane-access.html), which limits access to the FTP and SCM endpoints to users that are backed by Microsoft Entra ID. If using a continuous deployment tool to deploy your application source code, disabling basic auth will require [extra steps to configure continuous deployment](deploy-github-actions.md). For example, you won't be able to use a publish profile since that authentication mechanism doesn't use Microsoft Entra backed credentials. Instead, you'll need to use either a [service principal or OpenID Connect](deploy-github-actions.md#generate-deployment-credentials).
To disable basic auth for your App Service, run the following commands for each app and slot by replacing the placeholders for `<web-app-east-us>` and `<web-app-west-us>` with your app names. The first set of commands disables FTP access for the production sites and staging slots, and the second set of commands disables basic auth access to the WebDeploy port and SCM site for the production sites and staging slots.
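Review bot: "Microsoft Entra backed credentials" in the `+` line is a compound modifier and should be hyphenated ("Microsoft Entra-backed"); the same phrase appears in the n-tier article further down this page, so apply the same fix there. The sentence also offers "either a service principal or OpenID Connect" without saying which one the tutorial's workflow file actually uses; since the stated reason for dropping the publish profile is that it is not an Entra-backed credential, name the option the following steps rely on so the reader does not have to choose.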
app-service Tutorial Secure Ntier App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/app-service/tutorial-secure-ntier-app.md
Now that the back-end SCM site is publicly accessible, you need to lock it down
az resource update --resource-group $groupName --name scm --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/<backend-app-name> --set properties.allow=false ```
-[Disabling basic auth on App Service](https://azure.github.io/AppService/2020/08/10/securing-data-plane-access.html) limits access to the FTP and SCM endpoints to users that are backed by Azure Active Directory, which further secures your apps. For more information on disabling basic auth including how to test and monitor logins, see [Disabling basic auth on App Service](https://azure.github.io/AppService/2020/08/10/securing-data-plane-access.html).
+[Disabling basic auth on App Service](https://azure.github.io/AppService/2020/08/10/securing-data-plane-access.html) limits access to the FTP and SCM endpoints to users that are backed by Microsoft Entra ID, which further secures your apps. For more information on disabling basic auth including how to test and monitor logins, see [Disabling basic auth on App Service](https://azure.github.io/AppService/2020/08/10/securing-data-plane-access.html).
## 6. Configure continuous deployment using GitHub Actions
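Review bot: the `+` line says the change "limits access to the FTP and SCM endpoints", but the command shown immediately above only updates the `scm` policy (`--name scm`). If the matching `ftp` policy is set in the elided command before it, this is fine; otherwise add the corresponding `az resource update ... --name ftp ... --set properties.allow=false` call, as the multi-region article earlier on this page does with separate FTP and SCM command sets.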
A default workflow file that uses a publish profile to authenticate to App Servi
#### Is it safe to leave the back-end SCM publicly accessible?
-When you [lock down FTP and SCM access](#5-lock-down-ftp-and-scm-access), it ensures that only Azure AD backed principals can access the SCM endpoint even though it's publicly accessible. This setting should reassure you that your backend web app is still secure.
+When you [lock down FTP and SCM access](#5-lock-down-ftp-and-scm-access), it ensures that only Microsoft Entra backed principals can access the SCM endpoint even though it's publicly accessible. This setting should reassure you that your backend web app is still secure.
#### Is there a way to deploy without opening up the back-end SCM site at all?
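Review bot: "This setting should reassure you that your backend web app is still secure" overstates what the setting does. It requires Entra-backed principals to authenticate to the SCM endpoint, but the endpoint itself stays reachable from the Internet, as the same sentence admits ("even though it's publicly accessible"). Suggest "This reduces the exposure of the SCM endpoint, although it remains reachable; see the next question for deploying without exposing it at all."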
application-gateway Diagnostics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/diagnostics.md
Previously updated : 07/25/2023 Last updated : 10/11/2023
You can monitor Azure Application Gateway for Containers resources in the follow
You can use different types of logs in Azure to manage and troubleshoot Application Gateway for Containers. You can access some of these logs through the portal. All logs can be extracted from Azure Blob storage and viewed in different tools, such as [Azure Monitor logs](../../azure-monitor/logs/data-platform-logs.md), Excel, and Power BI. You can learn more about the different types of logs from the following list: * **Activity log**: You can use [Azure activity logs](../../azure-monitor/essentials/activity-log.md) (formerly known as operational logs and audit logs) to view all operations that are submitted to your Azure subscription, and their status. Activity log entries are collected by default, and you can view them in the Azure portal.
-* **Access log**: You can use this log to view Application Gateway for Containers access patterns and analyze important information. This includes the caller's IP, requested URL, response latency, return code, and bytes in and out. An access log is collected every 60 seconds. The data may be stored in a storage account, log analytics workspace, or event hub that is specified at time of enable logging.
+* **Access log**: You can use this log to view Application Gateway for Containers access patterns and analyze important information. This includes the caller's IP, requested URL, response latency, return code, and bytes in and out. An access log is collected every 60 seconds. The data may be stored in a storage account that is specified at time of enable logging.
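Review bot: "that is specified at time of enable logging" in the `+` line should read "that is specified when logging is enabled". The `+` line also drops Log Analytics and Event Hub from this bullet while the surrounding context still says logs can be "viewed in different tools, such as Azure Monitor logs"; that is only true after exporting from the storage account, so add "after export from the storage account" to avoid contradicting the new Limitations section.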
### Configure access log
Here an example of the access log emitted in JSON format to a storage account.
"location": "northcentralus" } ```+
+### Limitations
+- Although it's possible to configure logging to log analytics, logs are currently not emitted to a log analytics workspace or event hub. Log analytics and event hub streaming will be supported in a future update.
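Review bot: the new Limitations bullet describes a silent failure mode: a diagnostic setting targeting a Log Analytics workspace or event hub is accepted, but no access-log data arrives, which anyone building detections or alerts on the workspace will only notice when the data is missing. Surface this as a note in the "Configure access log" section next to the storage-account target, not only at the end of the page, and phrase it as "logs are not currently delivered to Log Analytics or Event Hubs" so the reader does not choose that destination in the first place.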
application-gateway Quickstart Deploy Application Gateway For Containers Alb Controller https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/for-containers/quickstart-deploy-application-gateway-for-containers-alb-controller.md
You need to complete the following tasks prior to deploying Application Gateway
ALB Controller requires a federated credential with the name of _azure-alb-identity_. Any other federated credential name is unsupported. > [!Note]
- > Assignment of the managed identity immediately after creation may result in an error that the principalId does not exist. Allow about a minute of time to elapse for the identity to replicate in Azure AD prior to delegating the identity.
+ > Assignment of the managed identity immediately after creation may result in an error that the principalId does not exist. Allow about a minute of time to elapse for the identity to replicate in Microsoft Entra ID prior to delegating the identity.
2. Install ALB Controller using Helm
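Review bot: "Allow about a minute of time to elapse for the identity to replicate" turns a replication race into a fixed sleep, which is exactly what scripted installs will copy. Suggest telling the reader to poll for the principal instead, for example retry `az ad sp show --id <principalId>` until it succeeds and only then run the role assignment, and state that the "principalId does not exist" error is benign and safe to retry. "a minute of time" can simply be "a minute".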
application-gateway Ingress Controller Autoscale Pods https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ingress-controller-autoscale-pods.md
Use following two components:
## Setting up Azure Kubernetes Metric Adapter
-1. First, create an Azure AD service principal and assign it `Monitoring Reader` access over Application Gateway's resource group.
+1. First, create a Microsoft Entra service principal and assign it `Monitoring Reader` access over Application Gateway's resource group.
```azurecli applicationGatewayGroupName="<application-gateway-group-id>"
Use following two components:
az ad sp create-for-rbac -n "azure-k8s-metric-adapter-sp" --role "Monitoring Reader" --scopes applicationGatewayGroupId ```
-1. Now, deploy the [`Azure Kubernetes Metric Adapter`](https://github.com/Azure/azure-k8s-metrics-adapter) using the Azure AD service principal created previously.
+1. Now, deploy the [`Azure Kubernetes Metric Adapter`](https://github.com/Azure/azure-k8s-metrics-adapter) using the Microsoft Entra service principal created previously.
```bash kubectl create namespace custom-metrics
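Review bot: the snippet will not run as written: the variable is declared as `applicationGatewayGroupName="<application-gateway-group-id>"` but the command passes `--scopes applicationGatewayGroupId`, a different name with no `$`, so the literal string `applicationGatewayGroupId` is sent as the scope. Use one name and expand it, e.g. `--scopes "$applicationGatewayGroupId"`, and since the placeholder is a resource ID, name the variable accordingly. It is also worth saying that `az ad sp create-for-rbac` returns a client secret (the `password` the install-new article below tells readers to record) that must be stored securely before it is fed into the adapter deployment in the next step, and that `Monitoring Reader` could be scoped to the Application Gateway resource rather than its whole resource group if only that gateway's metrics are needed.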
application-gateway Ingress Controller Install Existing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ingress-controller-install-existing.md
resources, and creates and applies Application Gateway config based on the statu
- [Prerequisites](#prerequisites) - [Azure Resource Manager Authentication (ARM)](#azure-resource-manager-authentication)
- - Option 1: [Set up Azure AD workload identity](#set-up-azure-ad-workload-identity) and create Azure Identity on ARMs
+ - Option 1: [Set up Microsoft Entra Workload ID](#set-up-azure-ad-workload-identity) and create Azure Identity on ARMs
- Option 2: [Set up a Service Principal](#using-a-service-principal) - [Install Ingress Controller using Helm](#install-ingress-controller-as-a-helm-chart) - [Shared Application Gateway](#shared-application-gateway): Install AGIC in an environment, where Application Gateway is
This document assumes you already have the following tools and infrastructure in
- [An AKS cluster](../aks/intro-kubernetes.md) with [Azure Container Networking Interface (CNI)](../aks/configure-azure-cni.md) - [Application Gateway v2](./tutorial-autoscale-ps.md) in the same virtual network as the AKS cluster-- [Azure AD workload identity](../aks/workload-identity-overview.md) configured for your AKS cluster
+- [Microsoft Entra Workload ID](../aks/workload-identity-overview.md) configured for your AKS cluster
- [Cloud Shell](https://shell.azure.com/) is the Azure shell environment, which has `az` CLI, `kubectl`, and `helm` installed. These tools are required for commands used to support configuring this deployment. **Backup your Application Gateway's configuration** before installing AGIC:
Gateway should that become necessary
AGIC communicates with the Kubernetes API server and the Azure Resource Manager. It requires an identity to access these APIs.
-## Set up Azure AD workload identity
+<a name='set-up-azure-ad-workload-identity'></a>
-[Azure AD workload identity](../aks/workload-identity-overview.md) is an identity you assign to a software workload, to authenticate and access other services and resources. This identity enables your AKS pod to use this identity and authenticate with other Azure resources. For this configuration, we need authorization
+## Set up Microsoft Entra Workload ID
+
+[Microsoft Entra Workload ID](../aks/workload-identity-overview.md) is an identity you assign to a software workload, to authenticate and access other services and resources. This identity enables your AKS pod to use this identity and authenticate with other Azure resources. For this configuration, we need authorization
for the AGIC pod to make HTTP requests to [ARM](../azure-resource-manager/management/overview.md). 1. Use the Azure CLI [az account set](/cli/azure/account#az-account-set) command to set a specific subscription to be the current active subscription. Then use the [az identity create](/cli/azure/identity#az-identity-create) command to create a managed identity. The identity needs to be created in the [node resource group](../aks/concepts-clusters-workloads.md#node-resource-group). The node resource group is assigned a name by default, such as *MC_myResourceGroup_myAKSCluster_eastus*.
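Review bot: "This identity enables your AKS pod to use this identity and authenticate with other Azure resources" is circular; suggest "It lets the AGIC pod authenticate to other Azure resources." The heading rename correctly preserves the old fragment with `<a name='set-up-azure-ad-workload-identity'></a>`, and the TOC entry near the top of the article still links to that fragment, so in-page links stay intact.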
In the first few steps, we install Helm's Tiller on your Kubernetes cluster. Use
1. Edit helm-config.yaml and fill in the values for `appgw` and `armAuth`. > [!NOTE]
- > The `<identity-client-id>` is a property of the Azure AD workload identity you setup in the previous section. You can retrieve this information by running the following command: `az identity show -g <resourcegroup> -n <identity-name>`, where `<resourcegroup>` is the resource group hosting the infrastructure resources related to the AKS cluster, Application Gateway and managed identity.
+ > The `<identity-client-id>` is a property of the Microsoft Entra Workload ID you setup in the previous section. You can retrieve this information by running the following command: `az identity show -g <resourcegroup> -n <identity-name>`, where `<resourcegroup>` is the resource group hosting the infrastructure resources related to the AKS cluster, Application Gateway and managed identity.
1. Install Helm chart `application-gateway-kubernetes-ingress` with the `helm-config.yaml` configuration from the previous step
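Review bot: "you setup" in the `+` line should be "you set up" (verb). The retrieval hint returns the whole identity object, leaving the reader to find the right field; `az identity show -g <resourcegroup> -n <identity-name> --query clientId -o tsv` prints exactly the `<identity-client-id>` value that goes into `helm-config.yaml`.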
application-gateway Ingress Controller Install New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/ingress-controller-install-new.md
choose to use another environment, ensure the following command-line tools are i
## Create an Identity
-Follow the steps below to create an Azure Active Directory (Azure AD) [service principal object](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object). Record the `appId`, `password`, and `objectId` values - these values will be used in the following steps.
+Follow the steps below to create a Microsoft Entra [service principal object](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object). Record the `appId`, `password`, and `objectId` values - these values will be used in the following steps.
1. Create AD service principal ([Read more about Azure RBAC](../role-based-access-control/overview.md)): ```azurecli
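Review bot: the sub-step still says "Create AD service principal" after the `+` line renamed the concept to "Microsoft Entra service principal"; align it. More importantly, the `password` the reader is told to record is the service principal's client secret; the step should say to keep it in a secret store and out of shell history and version control, since it carries whatever role is assigned in the following steps.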
This step will add the following components to your subscription:
- [Application Gateway](./overview.md) v2 - [Virtual Network](../virtual-network/virtual-networks-overview.md) with two [subnets](../virtual-network/virtual-networks-overview.md) - [Public IP Address](../virtual-network/ip-services/virtual-network-public-ip-address.md)-- [Managed Identity](../active-directory/managed-identities-azure-resources/overview.md), which will be used by [Azure AD Pod Identity](https://github.com/Azure/aad-pod-identity/blob/master/README.md)
+- [Managed Identity](../active-directory/managed-identities-azure-resources/overview.md), which will be used by [Microsoft Entra Pod Identity](https://github.com/Azure/aad-pod-identity/blob/master/README.md)
1. Download the Azure Resource Manager template and modify the template as needed. ```bash
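Review bot: this article keeps Pod Identity (`aad-pod-identity`) while the sibling article on this page, ingress-controller-install-existing, was moved to Microsoft Entra Workload ID in the same update. If Pod Identity is no longer the recommended path, say so here and point at the Workload ID setup rather than only renaming it; otherwise the two install articles now recommend different identity mechanisms for the same controller.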
resourceGroupName=$(jq -r ".resourceGroupName.value" deployment-outputs.json)
az aks get-credentials --resource-group $resourceGroupName --name $aksClusterName ```
-### Install Azure AD Pod Identity
- Azure Active Directory Pod Identity provides token-based access to
+<a name='install-azure-ad-pod-identity'></a>
+
+### Install Microsoft Entra Pod Identity
+ Microsoft Entra Pod Identity provides token-based access to
[Azure Resource Manager (ARM)](../azure-resource-manager/management/overview.md).
- [Azure AD Pod Identity](https://github.com/Azure/aad-pod-identity) will add the following components to your Kubernetes cluster:
+ [Microsoft Entra Pod Identity](https://github.com/Azure/aad-pod-identity) will add the following components to your Kubernetes cluster:
* Kubernetes [CRDs](https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/): `AzureIdentity`, `AzureAssignedIdentity`, `AzureIdentityBinding` * [Managed Identity Controller (MIC)](https://github.com/Azure/aad-pod-identity#managed-identity-controllermic) component * [Node Managed Identity (NMI)](https://github.com/Azure/aad-pod-identity#node-managed-identitynmi) component
-To install Azure AD Pod Identity to your cluster:
+To install Microsoft Entra Pod Identity to your cluster:
- *Kubernetes RBAC enabled* AKS cluster
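Review bot: the `+` lines " Microsoft Entra Pod Identity provides token-based access to" and " [Microsoft Entra Pod Identity](...) will add the following components" carry a stray leading space inherited from the `-` lines; strip it for consistency with the rest of the section. The `<a name='install-azure-ad-pod-identity'></a>` anchor correctly keeps the old fragment working after the heading rename.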
application-gateway Private Link Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/private-link-configure.md
The Private link configuration defines the infrastructure used by Application Ga
- **Frontend IP Configuration**: The frontend IP address that private link should forward traffic to on Application Gateway. - **Private IP address settings**: specify at least one IP address 1. Select **Add**.
-1. Within your **Application Gateways** properties blade, obtain and make a note of the **Resource ID**, this is required if you are setting up a Private Endpoint within a different Azure AD tenant.
+1. Within your **Application Gateways** properties blade, obtain and make a note of the **Resource ID**, this is required if you are setting up a Private Endpoint within a different Microsoft Entra tenant.
**Configure Private Endpoint**
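Review bot: the `+` line is a comma splice and "Application Gateways" should be possessive; suggest "On your Application Gateway's **Properties** blade, note the **Resource ID**; you need it when the Private Endpoint is created in a different Microsoft Entra tenant."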
application-gateway Private Link https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/application-gateway/private-link.md
Private Link for Application Gateway allows you to connect workloads over a priv
Private Link allows you to extend private connectivity to Application Gateway via a Private Endpoint in the following scenarios: - VNet in the same or different region from Application Gateway - VNet in the same or different subscription from Application Gateway-- VNet in the same or different subscription and the same or different Azure AD tenant from Application Gateway
+- VNet in the same or different subscription and the same or different Microsoft Entra tenant from Application Gateway
You may also choose to block inbound public (Internet) access to Application Gateway and allow access only via private endpoints. Inbound management traffic still needs to be allowed to application gateway. For more information, see [Application Gateway infrastructure configuration](configuration-infrastructure.md#network-security-groups)
attestation Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/attestation/policy-reference.md
Title: Built-in policy definitions for Azure Attestation description: Lists Azure Policy built-in policy definitions for Azure Attestation. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
automanage Repair Automanage Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automanage/repair-automanage-account.md
If you're using an ARM template or the Azure CLI, you'll need the Principal ID (
- [Azure CLI](/cli/azure/ad/sp): Use the command `az ad sp list --display-name <name of your Automanage Account>`. -- Azure portal: Go to **Azure Active Directory** and search for your Automanage Account by name. Under **Enterprise Applications**, select the Automanage Account name when it appears.
+- Azure portal: Go to **Microsoft Entra ID** and search for your Automanage Account by name. Under **Enterprise Applications**, select the Automanage Account name when it appears.
### Azure portal
automation Automation Runbook Types https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/automation-runbook-types.md
The following are the current limitations and known issues with PowerShell runbo
**Known issues**
-* Runbooks taking dependency on internal file paths such as `C:\modules` might fail due to changes in service backend infrastructure. Change runbook code to ensure there are no dependencies on internal file paths and use [Get-ChildItem](/powershell/module/microsoft.powershell.management/get-childitem?view=powershell-7.3) to get the required directory.
-* Modules imported through an ARM template might not load with `Import-module`. As a workaround, create a .zip file (with name as module name) and add the module files directly to the .zip file instead of zipping the named folder (for example - *ModuleNamedZipFile.zip\ModuleFiles*). You can then delete or again add the modules to the new .zip file.
+* Runbooks taking dependency on internal file paths such as `C:\modules` might fail due to changes in service backend infrastructure. Change runbook code to ensure there are no dependencies on internal file paths and use [Get-ChildItem](/powershell/module/microsoft.powershell.management/get-childitem?view=powershell-7.3) to get the required directory.
* `Get-AzStorageAccount` cmdlet might fail with an error: *The `Get-AzStorageAccount` command was found in the module `Az.Storage`, but the module could not be loaded*.
-* PowerShell 5.1 modules uploaded through .zip files might not load in Runbooks. As a workaround, create a .zip file (with name as module name) and add the module files directly to the .zip file instead of zipping the named folder (for example - *ModuleNamedZipFile.zip\ModuleFiles*). You can then delete or again add the modules to the new .zip file.
* Completed jobs might show a warning message: *Both Az and AzureRM modules were detected on this machine. Az and AzureRM modules cannot be imported in the same session or used in the same script or runbook*. This is just a warning message and does not impact job execution. * PowerShell runbooks can't retrieve an unencrypted [variable asset](./shared-resources/variables.md) with a null value. * PowerShell runbooks can't retrieve a variable asset with `*~*` in the name. * A [Get-Process](/powershell/module/microsoft.powershell.management/get-process) operation in a loop in a PowerShell runbook can crash after about 80 iterations. * A PowerShell runbook can fail if it tries to write a large amount of data to the output stream at once. You can typically work around this issue by having the runbook output just the information needed to work with large objects. For example, instead of using `Get-Process` with no limitations, you can have the cmdlet output just the required parameters as in `Get-Process | Select ProcessName, CPU`. * When you use [ExchangeOnlineManagement](/powershell/exchange/exchange-online-powershell?view=exchange-ps&preserve-view=true) module version: 3.0.0 or higher, you may experience errors. To resolve the issue, ensure that you explicitly upload [PowerShellGet](/powershell/module/powershellget/) and [PackageManagement](/powershell/module/packagemanagement/) modules as well.
-* When you use [New-item cmdlet](/powershell/module/microsoft.powershell.management/new-item), jobs might be suspended. To resolve the issue, follow the mitigation steps:
- 1. Consume the output of `new-item` cmdlet in a variable and **do not** write it to the output stream using `write-output` command.
- - You can use debug or progress stream after you enable it from **Logging and Tracing** setting of the runbook.
- ```powershell-interactive
- $item = New-Item -Path ".\message.txt" -Force -ErrorAction SilentlyContinue
- write-debug $item # or use write-progress $item
- ```
- - Alternatively, you can check if variable is nonempty if required to do so in the script.
- ```powershell-interactive
- $item = New-Item -Path ".\message.txt" -Force -ErrorAction SilentlyContinue
- if($item) { write-output "File Created" }
- ```
- 1. You can also upgrade your runbooks to PowerShell 7.1 or PowerShell 7.2 where the same runbook will work as expected.
* If you import module Az.Accounts with version 2.12.3 or newer, ensure that you import the **Newtonsoft.Json** v10 module explicitly if PowerShell 5.1 runbooks have a dependency on this version of the module. The workaround for this issue is to use PowerShell 7.2 runbooks. # [PowerShell 7.1 (preview)](#tab/lps71)
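Review bot: this hunk deletes two known-issue bullets (modules imported through an ARM template, PowerShell 5.1 modules uploaded as .zip) and the whole `New-Item` job-suspension workaround without saying whether the issues were fixed; if any of them still reproduces, the workaround should stay, and if they were fixed the removal should say so. The two .zip bullets were near-duplicates of each other, so if the intent was deduplication, keep one rather than dropping both. Removing the `New-Item` item also drops the only pointer that the 5.1-specific suspension is avoided on the PowerShell 7.x runtimes.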
The following are the current limitations and known issues with PowerShell runbo
**Known issues** - Runbooks taking dependency on internal file paths such as `C:\modules` might fail due to changes in service backend infrastructure. Change runbook code to ensure there are no dependencies on internal file paths and use [Get-ChildItem](/powershell/module/microsoft.powershell.management/get-childitem?view=powershell-7.3) to get the required directory.-- Modules imported through an ARM template might not load with `Import-module`. As a workaround, create a .zip file (with name as module name) and add the module files directly to the .zip file instead of zipping the named folder (for example - *ModuleNamedZipFile.zip\ModuleFiles*). You can then delete or again add the modules to the new .zip file. - `Get-AzStorageAccount` cmdlet might fail with an error: *The `Get-AzStorageAccount` command was found in the module `Az.Storage`, but the module could not be loaded*. - Executing child scripts using `.\child-runbook.ps1` isn't supported in this preview. **Workaround**: Use `Start-AutomationRunbook` (internal cmdlet) or `Start-AzAutomationRunbook` (from `Az.Automation` module) to start another runbook from parent runbook. - Runbook properties defining logging preference isn't supported in PowerShell 7 runtime. **Workaround**: Explicitly set the preference at the start of the runbook as following -- ``` $VerbosePreference = "Continue"
The following are the current limitations and known issues with PowerShell runbo
- PowerShell 7.x doesn't support workflows. For more information, see [PowerShell workflow](/powershell/scripting/whats-new/differences-from-windows-powershell#powershell-workflow) for more details. - PowerShell 7.x currently doesn't support signed runbooks. - Source control integration doesn't support PowerShell 7.2 (preview). Also, PowerShell 7.2 (preview) runbooks in source control get created in Automation account as Runtime 5.1.-- Logging job operations to the Log Analytics workspace through linked workspace or diagnostics settings aren't supported. - Currently, PowerShell 7.2 (preview) runbooks are only supported from Azure portal. Rest API and PowerShell aren't supported. - Az module 8.3.0 is installed by default and can't be managed at the automation account level. Use custom modules to override the Az module to the desired version. - The imported PowerShell 7.2 (preview) module would be validated during job execution. Ensure that all dependencies for the selected module are also imported for successful job execution.
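Review bot: the removed bullet "Logging job operations to the Log Analytics workspace through linked workspace or diagnostics settings aren't supported" matters to anyone monitoring runbook execution from a SIEM. If job logs now flow to Log Analytics for PowerShell 7.2 (preview) runbooks, add a line saying so; if they do not, restore the bullet rather than leaving the limitation undocumented.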
The following are the current limitations and known issues with PowerShell runbo
**Known issues** - Runbooks taking dependency on internal file paths such as `C:\modules` might fail due to changes in service backend infrastructure. Change runbook code to ensure there are no dependencies on internal file paths and use [Get-ChildItem](/powershell/module/microsoft.powershell.management/get-childitem?view=powershell-7.3) to get the required directory.-- Modules imported through an ARM template might not load with `Import-module`. As a workaround, create a .zip file (with name as module name) and add the module files directly to the .zip file instead of zipping the named folder (for example - *ModuleNamedZipFile.zip\ModuleFiles*). You can then delete or again add the modules to the new .zip file. - `Get-AzStorageAccount` cmdlet might fail with an error: *The `Get-AzStorageAccount` command was found in the module `Az.Storage`, but the module could not be loaded*. - Executing child scripts using `.\child-runbook.ps1` is not supported in this preview. **Workaround**: Use `Start-AutomationRunbook` (internal cmdlet) or `Start-AzAutomationRunbook` (from *Az.Automation* module) to start another runbook from parent runbook.
automation Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/automation/policy-reference.md
Title: Built-in policy definitions for Azure Automation description: Lists Azure Policy built-in policy definitions for Azure Automation. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
azure-app-configuration Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-app-configuration/policy-reference.md
Title: Built-in policy definitions for Azure App Configuration description: Lists Azure Policy built-in policy definitions for Azure App Configuration. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
azure-arc Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/release-notes.md
Previously updated : 09/12/2023 Last updated : 10/10/2023 #Customer intent: As a data professional, I want to understand why my solutions would benefit from running with Azure Arc-enabled data services so that I can leverage the capability of the feature.
This article highlights capabilities, features, and enhancements recently released or improved for Azure Arc-enabled data services.
+## October 10, 2023
+
+### Image tag
+
+`v1.24.0_2023-10-10`
+
+For complete release version information, review [Version log](version-log.md#october-10-2023).
+ ## September 12, 2023 ### Image tag
azure-arc Version Log https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/data/version-log.md
Previously updated : 09/12/2023 Last updated : 10/10/2023 #Customer intent: As a data professional, I want to understand what versions of components align with specific releases.
This article identifies the component versions with each release of Azure Arc-enabled data services.
+## October 10, 2023
+
+|Component|Value|
+|--|--|
+|Container images tag |`v1.24.0_2023-10-10`|
+|**CRD names and version:**| |
+|`activedirectoryconnectors.arcdata.microsoft.com`| v1beta1, v1beta2, v1, v2|
+|`datacontrollers.arcdata.microsoft.com`| v1beta1, v1 through v5|
+|`exporttasks.tasks.arcdata.microsoft.com`| v1beta1, v1, v2|
+|`failovergroups.sql.arcdata.microsoft.com`| v1beta1, v1beta2, v1, v2|
+|`kafkas.arcdata.microsoft.com`| v1beta1 through v1beta4|
+|`monitors.arcdata.microsoft.com`| v1beta1, v1, v3|
+|`postgresqls.arcdata.microsoft.com`| v1beta1 through v1beta6|
+|`postgresqlrestoretasks.tasks.postgresql.arcdata.microsoft.com`| v1beta1|
+|`sqlmanagedinstances.sql.arcdata.microsoft.com`| v1beta1, v1 through v13|
+|`sqlmanagedinstancemonitoringprofiles.arcdata.microsoft.com`| v1beta1, v1beta2|
+|`sqlmanagedinstancereprovisionreplicatasks.tasks.sql.arcdata.microsoft.com`| v1beta1|
+|`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`| v1beta1, v1|
+|`telemetrycollectors.arcdata.microsoft.com`| v1beta1 through v1beta5|
+|`telemetryrouters.arcdata.microsoft.com`| v1beta1 through v1beta5|
+|Azure Resource Manager (ARM) API version|2023-01-15-preview|
+|`arcdata` Azure CLI extension version|1.5.6 ([Download](https://aka.ms/az-cli-arcdata-ext))|
+|Arc-enabled Kubernetes helm chart extension version|1.24.0|
+|Azure Arc Extension for Azure Data Studio<br/>`arc`<br/>`azcli`|<br/>1.8.0 ([Download](https://aka.ms/ads-arcdata-ext))</br>1.8.0 ([Download](https://aka.ms/ads-azcli-ext))|
+|SQL Database version | 957 |
+ ## September 12, 2023 |Component|Value|
azure-arc Extensions Release https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/extensions-release.md
Title: "Available extensions for Azure Arc-enabled Kubernetes clusters" Previously updated : 09/29/2023 Last updated : 10/10/2023 description: "See which extensions are currently available for Azure Arc-enabled Kubernetes clusters and view release notes."
The currently supported versions of the `microsoft.flux` extension are described
> [!IMPORTANT] > Eventually, a major version update (v2.x.x) for the `microsoft.flux` extension will be released. When this happens, clusters won't be auto-upgraded to this version, since [auto-upgrade is only supported for minor version releases](extensions.md#upgrade-extension-instance). If you're still using an older API version when the next major version is released, you'll need to update your manifests to the latest API versions, perform any necessary testing, then upgrade your extension manually. For more information about the new API versions (breaking changes) and how to update your manifests, see the [Flux v2 release notes](https://github.com/fluxcd/flux2/releases/tag/v2.0.0).
+### 1.8.0 (October 2023)
+
+> [!NOTE]
+> We have started to roll out this release across regions. We'll remove this note once version 1.8.0 is available to all supported regions.
+
+Flux version: [Release v2.1.1](https://github.com/fluxcd/flux2/releases/tag/v2.1.1)
+
+- source-controller: v1.1.1
+- kustomize-controller: v1.1.0
+- helm-controller: v0.36.1
+- notification-controller: v1.1.0
+- image-automation-controller: v0.36.1
+- image-reflector-controller: v0.30.0
+
+Changes made for this version:
+
+- Upgrades Flux to [v2.1.1](https://github.com/fluxcd/flux2/releases/tag/v2.1.1)
+- Adds support for [AKS clusters with workload identity](tutorial-use-gitops-flux2.md#workload-identity-in-aks-clusters)
+ ### 1.7.7 (September 2023) Flux version: [Release v2.0.1](https://github.com/fluxcd/flux2/releases/tag/v2.0.1)
Changes made for this version:
By default, `waitForReconciliation` is set to false, so when creating a flux configuration, the `provisioningState` returns `Succeeded` once the configuration reaches the cluster and the ARM template or Azure CLI command successfully exits. However, the actual state of the objects being deployed as part of the configuration is tracked by `complianceState`, which can be viewed in the portal or by using Azure CLI. Setting `waitForReconciliation` to true and specifying a `reconciliationWaitDuration` means that the template or CLI deployment will wait for `complianceState` to reach a terminal state (success or failure) before exiting. ([Example](https://github.com/Azure/azure-rest-api-specs/blob/main/specification/kubernetesconfiguration/resource-manager/Microsoft.KubernetesConfiguration/stable/2023-05-01/examples/CreateFluxConfiguration.json#L72))
-### 1.7.3 (April 2023)
-
-Flux version: [Release v0.41.2](https://github.com/fluxcd/flux2/releases/tag/v0.41.2)
--- source-controller: v0.36.1-- kustomize-controller: v0.35.1-- helm-controller: v0.31.2-- notification-controller: v0.33.0-- image-automation-controller: v0.31.0-- image-reflector-controller: v0.26.1-
-Changes made for this version:
--- Upgrades Flux to [v0.41.2](https://github.com/fluxcd/flux2/releases/tag/v0.41.2)-- Fixes issue causing resources that were deployed as part of Flux configuration to persist even when the configuration was deleted with prune flag set to `true`-- Kubelet identity support for image-reflector-controller by [installing the microsoft.flux extension in a cluster with kubelet identity enabled](troubleshooting.md#flux-v2installing-the-microsoftflux-extension-in-a-cluster-with-kubelet-identity-enabled) - ## Dapr extension for Azure Kubernetes Service (AKS) and Arc-enabled Kubernetes [Dapr](https://dapr.io/) is a portable, event-driven runtime that simplifies building resilient, stateless, and stateful applications that run on the cloud and edge and embrace the diversity of languages and developer frameworks. The Dapr extension eliminates the overhead of downloading Dapr tooling and manually installing and managing the runtime on your clusters.
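Review bot: Deleting the entire 1.7.3 section (the `-` lines above) removes the only record on this page of the prune fix ("resources ... persist even when the configuration was deleted with prune flag set to `true`") and of the kubelet-identity troubleshooting link, so clusters still pinned to 1.7.x lose the entry describing what they run; suggest moving 1.7.3 to an "older versions" or archive subsection rather than dropping it, consistent with 1.7.7 being kept directly above. In the new 1.8.0 section, the rollout NOTE ("We'll remove this note once version 1.8.0 is available to all supported regions") is a manual follow-up with no date attached; consider recording when the rollout started so the note can be retired and does not go stale.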
azure-arc Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/policy-reference.md
Title: Built-in policy definitions for Azure Arc-enabled Kubernetes description: Lists Azure Policy built-in policy definitions for Azure Arc-enabled Kubernetes. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023 #
azure-arc Tutorial Use Gitops Flux2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/kubernetes/tutorial-use-gitops-flux2.md
Title: "Tutorial: Deploy applications using GitOps with Flux v2" description: "This tutorial shows how to use GitOps with Flux v2 to manage configuration and application deployment in Azure Arc and AKS clusters." Previously updated : 08/16/2023 Last updated : 10/10/2023
az k8s-extension update --resource-group <resource-group> --cluster-name <cluste
If you don't specify values for `memoryThreshold` and `outOfMemoryWatch`, the default memory threshold is set to 95%, with the interval at which to check the memory utilization set to 500 ms.
+### Workload identity in AKS clusters
+
+Starting with [`microsoft.flux` v1.8.0](extensions-release.md#flux-gitops), you can create Flux configurations in [AKS clusters with workload identity enabled](/azure/aks/workload-identity-deploy-cluster). To do so, modify the flux extension as shown in the following steps.
+
+1. Retrieve the [OIDC issuer URL](/azure/aks/workload-identity-deploy-cluster#retrieve-the-oidc-issuer-url) for your cluster.
+1. Create a [managed identity](/azure/aks/workload-identity-deploy-cluster#create-a-managed-identity) and note its client ID.
+1. Create the flux extension on the cluster, using the following command:
+
+ ```azurecli
+ az k8s-extension create --resource-group <resource_group_name> --cluster-name <aks_cluster_name> --cluster-type managedClusters --name flux --extension-type microsoft.flux --config workloadIdentity.enable=true workloadIdentity.azureClientId=<user_assigned_client_id>
+ ```
+
+1. Establish a [federated identity credential](/azure/aks/workload-identity-deploy-cluster#establish-federated-identity-credential). For example:
+
+ ```azurecli
+ # For source-controller
+ az identity federated-credential create --name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}" --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:"flux-system":"source-controller" --audience api://AzureADTokenExchange
+
+ # For image-reflector controller if you plan to enable it during extension creation, it is not deployed by default
+ az identity federated-credential create --name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}" --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:"flux-system":"image-reflector-controller" --audience api://AzureADTokenExchange
+ ```
+
+1. Make sure the custom resource that needs to use workload identity has set `.spec.provider` value to `azure` in the manifest. For example:
+
+ ```json
+ apiVersion: source.toolkit.fluxcd.io/v1beta2
+ kind: HelmRepository
+ metadata:
+ name: acrrepo
+ spec:
+ interval: 10m0s
+ type: <helm_repository_type>
+ url: <helm_repository_link>
+ provider: azure
+ ```
+
+1. Be sure to provide proper permissions for workload identity for the resource that you want source-controller or image-reflector controller to pull. For example, if using Azure Container Registry, `AcrPull` permissions are required.
++ ## Delete the Flux configuration and extension Use the following commands to delete your Flux configuration and, if desired, the Flux extension itself.
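Review bot: In step 4 both `az identity federated-credential create` commands pass the same `--name ${FEDERATED_IDENTITY_CREDENTIAL_NAME}` while binding different subjects (`flux-system:source-controller` and `flux-system:image-reflector-controller`); federated credential names must be unique per identity, so the second command collides with the first. Use two distinct names (for example one suffixed `-source-controller` and one `-image-reflector`). Two smaller points in the same hunk: the HelmRepository manifest in step 5 is fenced as ```json but the body is YAML, so tag it ```yaml; and step 6's "proper permissions ... `AcrPull`" should say to scope the role assignment to the specific registry resource rather than the resource group or subscription, and should call out that `workloadIdentity.azureClientId` configures a single cluster-wide identity, so every Flux source object that sets `provider: azure` pulls with that identity, which matters on shared clusters where several teams can create `HelmRepository` or `OCIRepository` objects.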
azure-arc Network Requirements Consolidated https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/network-requirements-consolidated.md
Title: Azure Arc network requirements description: A consolidated list of network requirements for Azure Arc features and Azure Arc-enabled services. Lists endpoints, ports, and protocols. Previously updated : 09/25/2023 Last updated : 10/05/2023
azure-arc Network Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/resource-bridge/network-requirements.md
This article describes the networking requirements for deploying Azure Arc resou
## General network requirements
+Arc resource bridge communicates outbound securely to Azure Arc over TCP port 443. If the appliance needs to connect through a firewall or proxy server to communicate over the internet, it communicates outbound using the HTTPS protocol.
+ [!INCLUDE [network-requirement-principles](../includes/network-requirement-principles.md)] [!INCLUDE [network-requirements](includes/network-requirements.md)]
The default value for `noProxy` is `localhost,127.0.0.1,.svc,10.0.0.0/8,172.16.0
- Review the [Azure Arc resource bridge (preview) overview](overview.md) to understand more about requirements and technical details. - Learn about [security configuration and considerations for Azure Arc resource bridge (preview)](security-overview.md). - View [troubleshooting tips for networking issues](troubleshoot-resource-bridge.md#networking-issues).+
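Review bot: "communicates outbound securely to Azure Arc over TCP port 443" names no protocol, and the next sentence then states HTTPS only for the proxy case; fold the two into one sentence saying the appliance makes outbound HTTPS (TLS) connections to Azure Arc on TCP 443, with or without a firewall or proxy in the path. For the firewall-rule audience it would also help to state here whether an inspecting (TLS-terminating) proxy is supported, since that is the usual reason "through a firewall or proxy server" matters.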
azure-arc System Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/resource-bridge/system-requirements.md
This article describes the system requirements for deploying Azure Arc resource
Arc resource bridge is used with other partner products, such as [Azure Stack HCI](/azure-stack/hci/manage/azure-arc-vm-management-overview), [Arc-enabled VMware vSphere](../vmware-vsphere/index.yml), and [Arc-enabled System Center Virtual Machine Manager (SCVMM)](../system-center-virtual-machine-manager/index.yml). These products may have additional requirements.
+## Required Azure permissions
+
+- To onboard Arc resource bridge, you must have the [Contributor](/azure/role-based-access-control/built-in-roles) role for the resource group.
+
+- To read, modify, and delete Arc resource bridge, you must have the [Contributor](/azure/role-based-access-control/built-in-roles) role for the resource group.
+ ## Management tool requirements [Azure CLI](/cli/azure/install-azure-cli) is required to deploy the Azure Arc resource bridge on supported private cloud environments.
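Review bot: Both bullets under "Required Azure permissions" say Contributor, so the second bullet adds nothing and, for the read case, over-grants: reading the Arc resource bridge resource needs only Reader. Suggest splitting into onboard/modify/delete (Contributor) and read (Reader), or better, listing the resource-provider actions a custom least-privilege role must include, so customers are not pushed into handing out Contributor on the whole resource group just to deploy an appliance.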
Management machine requirements:
- Open communication to Control Plane IP (`controlplaneendpoint` parameter in `createconfig` command). - Open communication to Appliance VM IP. - Open communication to the reserved Appliance VM IP.
+- if applicable, communication over port 443 to the private cloud management console (ex: VMware vCenter host machine)
- Internal and external DNS resolution. The DNS server must resolve internal names, such as the vCenter endpoint for vSphere or cloud agent service endpoint for Azure Stack HCI. The DNS server must also be able to resolve external addresses that are [required URLs](network-requirements.md#outbound-connectivity) for deployment. - Internet access
Arc resource bridge uses a MOC login credential called [KVA token](/azure-stack/
## AKS on Azure Stack HCI with Arc resource bridge
-To use AKS and Arc resource bridge together on Azure Stack HCI, AKS must be deployed prior to deploying Arc resource bridge. If Arc resource bridge has already been deployed, AKS can't be deployed unless you delete Arc resource bridge first. Once AKS is deployed to Azure Stack HCI, you can deploy Arc resource bridge.
-
-When you deploy Arc resource bridge with AKS on Azure Stack HCI (AKS Hybrid), the following configurations must be applied:
+When you deploy Arc resource bridge with AKS on Azure Stack HCI (AKS-HCI), the following configurations must be applied:
- Arc resource bridge and AKS-HCI should share the same `vswitchname` and be in the same subnet, sharing the same value for the parameter, `ipaddressprefix` .
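Review bot: The removed paragraph stated a hard ordering constraint (AKS must be deployed before Arc resource bridge, and the bridge must be deleted before AKS can be added afterwards), and nothing in the replacement text says whether that constraint was lifted or simply relocated; if it no longer applies, say so in one sentence, because readers who planned around it will otherwise assume it still holds. The `+` line also renames "AKS Hybrid" to "AKS-HCI" while the unchanged context line that follows still says "AKS Hybrid"; pick one name for the page.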
For instructions to deploy Arc resource bridge on AKS Hybrid, see [How to instal
+
azure-arc License Extended Security Updates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/license-extended-security-updates.md
Title: License provisioning guidelines for Extended Security Updates for Windows Server 2012 description: Learn about license provisioning guidelines for Extended Security Updates for Windows Server 2012 through Azure Arc. Previously updated : 09/27/2023 Last updated : 10/10/2023
In this scenario, you can deactivate or decommission the ESU Licenses associated
In this scenario, you should provision a Windows Server 2012 Datacenter license associated with 128 physical cores and link this license to the Arc-enabled Windows Server 2012 R2 VMs running on it. The deletion of the underlying VM also deletes the corresponding Arc-enabled server resource, enabling you to link another Arc-enabled server.
-### Scenario 8: An insurance customer is running a 16 node VMware cluster with 1024 cores, licensed with Windows Server Datacenter for maximum virtualization use rights. There are 120 Windows VMs ranging from 4 to 12 cores, with 44 Windows Server 2012 R2 machines with a total of 506 cores.
+### Scenario 8: An insurance customer is running a 16 node VMware cluster with 1024 physical cores on-premises. 44 of the VMs on the cluster are running Windows Server 2012 R2. Those 44 VMs consume 506 virtual cores, which was calculated by summing up the maximum of 8 or the actual number of cores assigned to each VM.
-In this scenario, you should purchase an Arc ESU Windows Server 2012 Datacenter edition license associated with 506 physical cores and link this license to your 44 machines. Each of the 44 machines should be onboarded to Azure Arc, and can be onboarded at scale with Arc-enabled VMware vSphere (AVS). If you migrate to AVS, these servers are eligible for free WS2012 ESUs.
+In this scenario, you could either license the entire cluster with 1024 Windows Server 2012 Datacenter ESU physical cores or license each VM individually with a total of 506 standard edition virtual cores. In this case, it's cheaper to purchase an Arc ESU Windows Server 2012 Standard edition license associated with 506 virtual cores. You'll need to onboard each of the 44 VMs to Azure Arc and then link the license to the Arc machines. If you migrate the VMs to Azure VMware Solution (AVS), these servers become eligible for free WS2012 ESUs and do not need to be licensed for ESUs through Azure Arc.
## Next steps
azure-arc Network Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/network-requirements.md
Title: Connected Machine agent network requirements description: Learn about the networking requirements for using the Connected Machine agent for Azure Arc-enabled servers. Previously updated : 09/25/2023 Last updated : 10/05/2023
azure-arc Onboard Windows Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/onboard-windows-server.md
+
+ Title: Connect Windows Server machines to Azure through Azure Arc Setup
+description: In this article, you learn how to connect Windows Server machines to Azure Arc using the built-in Windows Server Azure Arc Setup wizard.
Last updated : 10/10/2023+++
+# Connect Windows Server machines to Azure through Azure Arc Setup
+
+Windows Server machines can be onboarded directly to Azure Arc through a graphical wizard included in Windows Server. The wizard automates the onboarding process by checking the necessary prerequisites for successful Azure Arc onboarding and fetching and installing the latest version of the Azure Connected Machine (AzCM) agent. Once the wizard process completes, you're directed to your Window Server machine in the Azure portal, where it can be viewed and managed like any other Azure Arc-enabled resource.
+
+> [!NOTE]
+> This feature only applies to Windows Server 2022 and later. It was released in the [Cumulative Update of 10/10/2023](https://support.microsoft.com/en-us/topic/october-10-2023-kb5031364-os-build-20348-2031-7f1d69e7-c468-4566-887a-1902af791bbc).
+>
+## Prerequisites
+
+* Azure Arc-enabled servers - Review the [prerequisites](prerequisites.md) and verify that your subscription, your Azure account, and resources meet the requirements.
+
+* An Azure subscription. If you don't have one, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+
+* Modern browser (Microsoft Edge) for authentication to Microsoft Azure. Configuration of the Azure Connected Machine agent requires authentication to your Azure account, either through interactive authentication on a modern browser or device code log-in on a separate device (if the machine doesn't have a modern browser).
+
+## Launch Azure Arc Setup and connect to Azure Arc
+
+The Azure Arc Setup wizard is launched from a system tray icon at the bottom of the Windows Server machine when the Azure Arc Setup feature is enabled. This feature is enabled by default. Alternatively, you can launch the wizard from a pop-up window in the Server Manager or from the Windows Server Start menu.
+
+1. Select the Azure Arc system tray icon, then select **Launch Azure Arc Setup**.
+
+ :::image type="content" source="media/onboard-windows-server/system-tray-icon.png" alt-text="Screenshot showing Azure Arc system tray icon and window to launch Azure Arc setup process.":::
+
+1. The introduction window of the Azure Arc Setup wizard explains the benefits of onboarding your machine to Azure Arc. When you're ready to proceed, click **Next**.
+
+ :::image type="content" source="media/onboard-windows-server/get-started-with-arc.png" alt-text="Screenshot of the Getting Started page of the wizard.":::
+
+1. The wizard automatically checks for the prerequisites necessary to install the Azure Connected Machine agent on your Windows Server machine. Once this process completes and the agent is installed, select **Configure**.
+
+1. The configuration window details the steps required to configure the Azure Connected Machine agent. When you're ready to begin configuration, select **Next**.
+
+1. Sign-in to Azure by selecting the applicable Azure cloud, and then selecting **Sign in to Azure**. You'll be asked to provide your sign-in credentials.
+
+1. Provide the resource details of how your machine will work within Azure Arc, such as the **Subscription** and **Resource group**, and then select **Next**.
+
+ :::image type="content" source="media/onboard-windows-server/resource-details.png" alt-text="Screenshot of resource details window with fields.":::
+
+1. Select an option for enabling Azure Automanage on your machine, and then click **Next**.
+
+ Azure Automanage machine best practices help enhance reliability, security, and management for virtual machines. To learn more, see [Azure Automanage machine best practices](/azure/automanage/overview-about).
+
+1. Once the configuration completes and your machine is onboarded to Azure Arc, select **Finish**.
+
+1. Go to the Server Manager and select **Local Server** to view the status of the machine in the **Azure Arc Management** field. A successfully onboarded machine has a status of **Enabled**.
+
+ :::image type="content" source="media/onboard-windows-server/server-manager-enabled.png" alt-text="Screenshot of Server Manager local server pane showing machine status is enabled.":::
++
+## Server Manager functions
+
+You can select the **Enabled/Disabled** link in the **Azure Arc Management** field of the Server Manager to launch different functions based on the status of the machine:
+
+- If Azure Arc Setup isn't installed, selecting **Enabled/Disabled** launches the **Add Roles and Features Wizard**.
+- If Azure Arc Setup is installed and the Azure Connected Machine agent hasn't been installed, selecting **Disabled** launches `AzureArcSetup.exe`, the executable file for the Azure Arc Setup wizard.
+- If Azure Arc Setup is installed and the Azure Connected Machine agent is already installed, selecting **Enabled/Disabled** launches `AzureArcConfiguration.exe`, the executable file for configuring the Azure Connected Machine agent to work with your machine.
+
+## Viewing the connected machine
+
+The Azure Arc system tray icon at the bottom of your Windows Server machine indicates if the machine is connected to Azure Arc; a red symbol means the machine does not have the Azure Connected Machine agent installed. To view a connected machine in Azure Arc, select the icon and then select **View Machine in Azure**. You can then view the machine in the [Azure portal](https://portal.azure.com/), just as you would other Azure Arc-enabled resources.
++
+## Uninstalling Azure Arc Setup
+
+To uninstall Azure Arc Setup, follow these steps:
+
+1. In the Server Manager, navigate to the **Remove Roles and Features Wizard**. (See [Remove roles, role services, and features by using the remove Roles and Features Wizard](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard) for more information.)
+
+1. On the Features page, uncheck the box for **Azure Arc Setup**.
+
+1. On the confirmation page, select **Restart the destination server automatically if required**, then select **Remove**.
+
+> [!NOTE]
+> Uninstalling Azure Arc Setup does not uninstall the Azure Connected Machine agent from the machine. For instructions on uninstalling the agent, see [Managing and maintaining the Connected Machine agent](manage-agent.md).
+>
+
+## Next steps
+
+* Troubleshooting information can be found in the [Troubleshoot Azure Connected Machine agent guide](troubleshoot-agent-onboard.md).
+
+* Review the [Planning and deployment guide](plan-at-scale-deployment.md) to plan for deploying Azure Arc-enabled servers at any scale and implement centralized management and monitoring.
+
+* Learn how to manage your machine using [Azure Policy](../../governance/policy/overview.md), for such things as VM [guest configuration](../../governance/machine-configuration/overview.md), verifying the machine is reporting to the expected Log Analytics workspace, enable monitoring with [VM insights](../../azure-monitor/vm/vminsights-enable-policy.md), and much more.
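Review bot: "Uninstalling Azure Arc Setup" gives only the Server Manager GUI path, yet the page describes the feature as enabled by default on every Windows Server 2022 machine that took KB5031364, so fleet administrators need a scriptable way to remove or disable it: the `Uninstall-WindowsFeature` equivalent of the Remove Roles and Features steps, and whether the tray icon and Server Manager pop-up can be suppressed by policy. In "Launch Azure Arc Setup", the sign-in step should state which Azure RBAC role the signing-in account needs (for example Azure Connected Machine Onboarding); the prerequisites link covers it, but one sentence here keeps users from signing in with over-privileged accounts just to complete the wizard. Typo in the intro paragraph: "your Window Server machine" should read "Windows Server machine".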
azure-arc Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/policy-reference.md
Title: Built-in policy definitions for Azure Arc-enabled servers description: Lists Azure Policy built-in policy definitions for Azure Arc-enabled servers (preview). These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
azure-arc Prepare Extended Security Updates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-arc/servers/prepare-extended-security-updates.md
Title: How to prepare to deliver Extended Security Updates for Windows Server 2012 through Azure Arc description: Learn how to prepare to deliver Extended Security Updates for Windows Server 2012 through Azure Arc. Previously updated : 09/27/2023 Last updated : 10/05/2023
Delivering ESUs to your Windows Server 2012/2012 R2 machines provides the follow
- **Pay-as-you-go:** Flexibility to sign up for a monthly subscription service with the ability to migrate mid-year. -- **Azure billed:** You can draw down from your existing [Microsoft Azure Consumption Commitment](/marketplace/azure-consumption-commitment-benefit) (MACC) and analyze your costs using [Azure Cost Management and Billing](../../cost-management-billing/cost-management-billing-overview.md).
+- **Azure billed:** You can draw down from your existing [Microsoft Azure Consumption Commitment](/marketplace/azure-consumption-commitment-benefit) (MACC) and analyze your costs using [Microsoft Cost Management and Billing](../../cost-management-billing/cost-management-billing-overview.md).
- **Built-in inventory:** The coverage and enrollment status of Windows Server 2012/2012 R2 ESUs on eligible Arc-enabled servers are identified in the Azure portal, highlighting gaps and status changes.
azure-cache-for-redis Cache Ml https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/cache-ml.md
When `show_output=True`, the output of the Docker build process is shown. Once t
{ "name": "DOCKER_REGISTRY_SERVER_URL", "slotSetting": false,
- "value": "https://myml08024f78fd10.azurecr.io"
+ "value": "[server-name].azurecr.io"
}, { "name": "DOCKER_REGISTRY_SERVER_USERNAME", "slotSetting": false,
- "value": "myml08024f78fd10"
+ "value": "[username]"
}, { "name": "DOCKER_REGISTRY_SERVER_PASSWORD",
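Review bot: Replacing the real registry name with `[server-name]` and `[username]` is the right call, but the `DOCKER_REGISTRY_SERVER_PASSWORD` setting that closes this hunk is still the ACR admin-user password stored as a plain app setting; the page should say that this value is a secret (never committed next to this JSON) and preferably point readers to pulling from ACR with the web app's managed identity (`acrUseManagedIdentityCreds`) so no registry password lives in configuration at all.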
When `show_output=True`, the output of the Docker build process is shown. Once t
}, { "name": "DOCKER_CUSTOM_IMAGE_NAME",
- "value": "DOCKER|myml08024f78fd10.azurecr.io/package:20190827195524"
+ "value": "DOCKER|[server-name].azurecr.io/package:20190827195524"
} ] ```
azure-cache-for-redis Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-cache-for-redis/policy-reference.md
Title: Built-in policy definitions for Azure Cache for Redis description: Lists Azure Policy built-in policy definitions for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
azure-edge-hardware-center Azure Edge Hardware Center Resource Move Subscription Resource Group https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-edge-hardware-center/azure-edge-hardware-center-resource-move-subscription-resource-group.md
Before you begin:
- If moving your resource to a different subscription: - Make sure that both the source and destinations subscriptions are active.
- - Make sure that both the source and resource subscriptions exist within the same Azure Active Directory tenant.
+ - Make sure that both the source and resource subscriptions exist within the same Microsoft Entra tenant.
- The destination subscription must be registered to the `Microsoft.EdgeOrder` resource provider. If not, you receive an error stating that the subscription is not registered for a resource type. You might see this error when moving a resource to a new subscription, but that subscription has never been used with that resource type. - If moving your resource to a different resource group, make sure that the account moving the resources must have at least the following permissions:
azure-fluid-relay Authentication Authorization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/concepts/authentication-authorization.md
One option for building a secure token provider is to create a serverless Azure
Fluid services authenticate incoming calls using a shared client secret, which is not tied to a specific user. User authentication can be added based on the details of your Fluid service.
-One simple option for user authentication would be to simply use an [Azure Function](../../azure-functions/index.yml) as your token provider, and enforce user authentication as a condition of obtaining a token. If an application tries to call the Function it would fail unless authenticated with your auth system. If you're using Azure Active Directory (Azure AD), for example, you might create an Azure AD application for your Azure Function, and tie it to your organization's auth system.
+One simple option for user authentication would be to simply use an [Azure Function](../../azure-functions/index.yml) as your token provider, and enforce user authentication as a condition of obtaining a token. If an application tries to call the Function it would fail unless authenticated with your auth system. If you're using Microsoft Entra ID, for example, you might create a Microsoft Entra application for your Azure Function, and tie it to your organization's auth system.
-In this case the user would sign into your application using Azure AD, through which you would obtain a token to use to call your Azure Function. The Azure Function itself behaves the same, but it's now only accessible to people who have also authenticated with Azure AD.
+In this case the user would sign into your application using Microsoft Entra ID, through which you would obtain a token to use to call your Azure Function. The Azure Function itself behaves the same, but it's now only accessible to people who have also authenticated with Microsoft Entra ID.
Since the Azure Function is now your entry point into obtaining a valid token, only users who have properly authenticated to the Function will then be able to provide that token to the Azure Fluid Relay service from their client application. This two-step approach enables you to use your own custom authentication process in conjunction with the Azure Fluid Relay service.
azure-fluid-relay Customer Managed Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-fluid-relay/concepts/customer-managed-keys.md
Before configuring CMK on your Azure Fluid Relay resource, the following prerequ
- Keys must be stored in an Azure Key Vault. - Keys must be RSA key and not EC key since EC key doesnΓÇÖt support WRAP and UNWRAP. - A user assigned managed identity must be created with necessary permission (GET, WRAP and UNWRAP) to the key vault in step 1. More information [here](../../active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad.md). Please grant GET, WRAP and UNWRAP under Key Permissions in AKV.-- Azure Key Vault, user assigned identity, and the Fluid Relay resource must be in the same region and in the same Azure Active Directory (Azure AD) tenant.
+- Azure Key Vault, user assigned identity, and the Fluid Relay resource must be in the same region and in the same Microsoft Entra tenant.
## Create a Fluid Relay resource with CMK
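Review bot: the managed-identity bullet points to "the key vault in step 1", but the prerequisites are an unordered list with no step 1, so the reference does not resolve; suggest "the Key Vault that holds the key". The same bullet also states the required key permissions twice ("necessary permission (GET, WRAP and UNWRAP)" and then "Please grant GET, WRAP and UNWRAP under Key Permissions in AKV"); keep one statement, and "Key Vault" rather than the unexplained "AKV" matches the rest of the list.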
azure-functions Dotnet Isolated Process Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-functions/dotnet-isolated-process-guide.md
Azure Functions currently can be used with the following preview versions of .NE
| Operating system | .NET preview version | | - | - |
-| Windows | .NET 8 Preview 7 |
-| Linux | .NET 8 RC1 |
+| Windows | .NET 8 RC1 |
+| Linux | .NET 8 RC2 |
### Using a preview .NET SDK
azure-maps Data Driven Style Expressions Web Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/data-driven-style-expressions-web-sdk.md
Title: Data-driven style Expressions in the Azure Maps Web SDK | Microsoft Azure Maps
+ Title: Data-driven style expressions in the Azure Maps Web SDK | Microsoft Azure Maps
description: Learn about data-driven style expressions. See how to use these expressions in the Azure Maps Web SDK to adjust styles in maps.
-# Data-driven Style Expressions (Web SDK)
+# Data-driven style expressions (Web SDK)
-Expressions enable you to apply business logic to styling options that observe the properties defined in each shape in a data source. Expressions can filter data in a data source or a layer. Expressions may consist of conditional logic, like if-statements. And, they can be used to manipulate data using: string operators, logical operators, and mathematical operators.
+Expressions enable you to apply business logic to styling options that observe the properties defined in each shape in a data source. Expressions can filter data in a data source or a layer. Expressions might consist of conditional logic, like if-statements. And, they can be used to manipulate data using: string operators, logical operators, and mathematical operators.
Data-driven styles reduce the amount of code needed to implement business logic around styling. When used with layers, expressions are evaluated at render time on a separate thread. This functionality provides increased performance compared to evaluating business logic on the UI thread.
Math expressions provide mathematical operators to perform data-driven calculati
| `['atan', number]` | number | Calculates the arctangent of the specified number. | | `['ceil', number]` | number | Rounds the number up to the next whole integer. | | `['cos', number]` | number | Calculates the cos of the specified number. |
-| `['distance', Point \| MultiPoint \| LineString \| MultiLineString \| Polygon \| MultiPolygon \| Feature \| FeatureCollection]` | number | Calculates the shortest distance in meters between the evaluated feature and the input geometry. Distance values returned may vary in precision due to loss in precision from encoding geometries, particularly below zoom level 13. |
+| `['distance', Point \| MultiPoint \| LineString \| MultiLineString \| Polygon \| MultiPolygon \| Feature \| FeatureCollection]` | number | Calculates the shortest distance in meters between the evaluated feature and the input geometry. Distance values returned might vary in precision due to loss in precision from encoding geometries, particularly below zoom level 13. |
| `['e']` | number | Returns the mathematical constant `e`. | | `['floor', number]` | number | Rounds the number down to the previous whole integer. | | `['ln', number]` | number | Calculates the natural logarithm of the specified number. |
var layer = new atlas.layer.SymbolLayer(datasource, null, {
The above expression renders a pin on the map with the text "64┬░F" overlaid on top of it as shown in the following image.
-![String operator expression example](media/how-to-expressions/string-operator-expression.png)
## Interpolate and Step expressions
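Review bot: the image line `![String operator expression example](media/how-to-expressions/string-operator-expression.png)` is removed without a replacement, but the preceding sentence still ends with "as shown in the following image", so the text now promises an image that is not there; either re-add the image with the `:::image:::` syntax used elsewhere in these docs or drop the trailing clause from the sentence.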
This layer renders the text field in the symbol layer as shown in the following
## Zoom expression
-A `zoom` expression is used to retrieve the current zoom level of the map at render time and is defined as `['zoom']`. This expression returns a number between the minimum and maximum zoom level range of the map. The Azure Maps interactive map controls for web and Android support 25 zoom levels, numbered 0 through 24. Using the `zoom` expression allows styles to be modified dynamically as the zoom level of the map is changed. The `zoom` expression may only be used with `interpolate` and `step` expressions.
+A `zoom` expression is used to retrieve the current zoom level of the map at render time and is defined as `['zoom']`. This expression returns a number between the minimum and maximum zoom level range of the map. The Azure Maps interactive map controls for web and Android support 25 zoom levels, numbered 0 through 24. Using the `zoom` expression allows styles to be modified dynamically as the zoom level of the map is changed. The `zoom` expression can only be used with `interpolate` and `step` expressions.
**Example**
azure-maps How To Use Spatial Io Module https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/how-to-use-spatial-io-module.md
You can load the Azure Maps spatial IO module using one of the two options:
1. Your HTML code should now look like the following code. This sample demonstrates how to read an XML file from a URL. Then, load and display the file's feature data on the map. ```html
- <!DOCTYPE html>
+ <!DOCTYPE html>
<html>- <head> <title>Spatial IO Module Example</title>
You can load the Azure Maps spatial IO module using one of the two options:
} </script> </head>-
- <body onload="GetMap()">
- <div id="myMap"></div>
+ <body onload='GetMap()'>
+ <div id="myMap" style="position:relative;width:100%;min-width:290px;height:600px;"></div>
</body>- </html> ``` 1. Remember to replace `<Your Azure Maps Key>` with your subscription key. You should see results similar to the following image in your HTML file:
- <center>
-
- ![Spatial Data Example](./media/how-to-use-spatial-io-module/spatial-data-example.png)
-
- </center>
+ :::image type="content" source="./media/how-to-use-spatial-io-module/spatial-data-example.png" alt-text="Screenshot of an indoor map demonstrating Spatial Data.":::
## Next steps
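Review bot: the added `<body onload='GetMap()'>` switches the attribute to single quotes while the line directly below keeps double quotes (`<div id="myMap" style="...">`), and the removed line used double quotes; keep `onload="GetMap()"` for a consistent sample. The inline `style="position:relative;width:100%;min-width:290px;height:600px;"` on the map `div` is a good addition, since without explicit dimensions the map container renders with zero height.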
Refer to the Azure Maps Spatial IO documentation:
[azure-maps-spatial-io]: https://www.npmjs.com/package/azure-maps-spatial-io [Connect to a WFS service]: spatial-io-connect-wfs-service.md [Core IO operations]: spatial-io-core-operations.md
+[How to use the Azure Maps map control npm package]: how-to-use-npm-package.md
[Leverage core operations]: spatial-io-core-operations.md [Read and write spatial data]: spatial-io-read-write-spatial-data.md [Spatial IO module]: https://www.npmjs.com/package/azure-maps-spatial-io [subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account [Supported data format details]: spatial-io-supported-data-format-details.md
-[How to use the Azure Maps map control npm package]: how-to-use-npm-package.md
azure-maps Migrate From Bing Maps Web App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/migrate-from-bing-maps-web-app.md
Loading a map in both SDKs follows the same set of steps;
**Key differences**
-* Bing maps require an account key specified in the script reference of the API or as a map option. Authentication credentials for Azure Maps are specified as options of the map class as either [Shared Key authentication] or [Azure AD].
+* Bing maps require an account key specified in the script reference of the API or as a map option. Authentication credentials for Azure Maps are specified as options of the map class as either [Shared Key authentication] or [Microsoft Entra ID].
* Bing Maps takes in a callback function in the script reference of the API that is used to call an initialization function to load the map. With Azure Maps, the onload event of the page should be used. * When using an ID to reference the `div` element that the map is rendered in, Bing Maps uses an HTML selector (`#myMap`), whereas Azure Maps only uses the ID value (`myMap`). * Coordinates in Azure Maps are defined as Position objects that can be specified as a simple number array in the format `[longitude, latitude]`.
azure-maps Migrate From Bing Maps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/migrate-from-bing-maps.md
The following table provides a high-level list of Bing Maps features and the rel
<sup>1</sup> While there's no direct replacement for the Bing Maps *Snap to road* service, this functionality can be implemented using the Azure Maps [Route - Get Route Directions] REST API. For a complete code sample demonstrating the snap to road functionality, see the [Basic snap to road logic] sample that demonstrates how to snap individual points to the rendered roads on the map. Also see the [Snap points to logical route path] sample that shows how to snap points to the road network to form a logical path.
-Bing Maps provides basic key-based authentication. Azure Maps provides both basic key-based authentication and highly secure, Azure Active Directory authentication.
+Bing Maps provides basic key-based authentication. Azure Maps provides both basic key-based authentication and highly secure, Microsoft Entra authentication.
## Licensing considerations
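Review bot: the added line carries over the stray comma in "highly secure, Microsoft Entra authentication", which splits the adjective from its noun; suggest "highly secure Microsoft Entra authentication".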
Here's an example of a high-level migration plan.
1. Take inventory of what Bing Maps SDKs and services your application is using and verify that Azure Maps provides alternative SDKs and services for you to migrate to. 1. Create an Azure subscription (if you donΓÇÖt already have one) at [azure.com]). 1. Create an [Azure Maps account].
-1. Setup authentication using an Azure Maps [subscription key] or [Azure Active Directory authentication].
+1. Setup authentication using an Azure Maps [subscription key] or [Microsoft Entra authentication].
1. Migrate your application code. 1. Test your migrated application. 1. Deploy your migrated application to production.
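Review bot: "Setup authentication" on the added step uses the noun form where a verb is needed; suggest "Set up authentication using an Azure Maps [subscription key] or [Microsoft Entra authentication]".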
To create an Azure Maps account and get access to the Azure Maps platform, follo
1. If you don't have an Azure subscription, create a [free Azure account] before you begin. 2. Sign in to the [Azure portal]. 3. Create an [Azure Maps account].
-4. Get your Azure Maps [subscription key] or setup [Azure Active Directory authentication] for enhanced security.
+4. Get your Azure Maps [subscription key] or setup [Microsoft Entra authentication] for enhanced security.
## Azure Maps technical resources
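Review bot: same noun-for-verb issue as the migration plan above: "or setup [Microsoft Entra authentication]" on the added step should read "or set up [Microsoft Entra authentication]".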
azure-maps Migrate From Google Maps Web App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/migrate-from-google-maps-web-app.md
Both SDKs have the same steps to load a map:
**Some key differences**
-* Google Maps requires an account key to be specified in the script reference of the API. Authentication credentials for Azure Maps are specified as options of the map class. This credential can be a subscription key or Azure Active Directory information.
+* Google Maps requires an account key to be specified in the script reference of the API. Authentication credentials for Azure Maps are specified as options of the map class. This credential can be a subscription key or Microsoft Entra information.
* Google Maps accepts a callback function in the script reference of the API, which is used to call an initialization function to load the map. With Azure Maps, the onload event of the page should be used. * When referencing the `div` element in which the map renders, the `Map` class in Azure Maps only requires the `id` value while Google Maps requires a `HTMLElement` object. * Coordinates in Azure Maps are defined as Position objects, which can be specified as a simple number array in the format `[longitude, latitude]`.
azure-maps Migrate From Google Maps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/migrate-from-google-maps.md
The table provides a high-level list of Azure Maps features, which correspond to
| Maps Embedded API | N/A | | Map URLs | N/A |
-Google Maps provides basic key-based authentication. Azure Maps provides both basic key-based authentication and Azure Active Directory authentication. Azure Active Directory authentication provides more security features, compared to the basic key-based authentication.
+Google Maps provides basic key-based authentication. Azure Maps provides both basic key-based authentication and Microsoft Entra authentication. Microsoft Entra authentication provides more security features, compared to the basic key-based authentication.
## Licensing considerations
A high-level migration plan includes.
1. Take inventory of the Google Maps SDKs and services that your application uses. Verify that Azure Maps provides alternative SDKs and services. 2. If you don't already have one, create an [Azure subscription].
-3. Create an [Azure Maps account] and [subscription key] or [Azure Active Directory authentication].
+3. Create an [Azure Maps account] and [subscription key] or [Microsoft Entra authentication].
4. Migrate your application code. 5. Test your migrated application. 6. Deploy your migrated application to production.
To create an Azure Maps account and get access to the Azure Maps platform, follo
1. If you don't have an Azure subscription, create a [free account] before you begin. 2. Sign in to the [Azure portal]. 3. Create an [Azure Maps account].
-4. Get your Azure Maps [subscription key] or [Azure Active Directory authentication] for enhanced security.
+4. Get your Azure Maps [subscription key] or [Microsoft Entra authentication] for enhanced security.
## Azure Maps technical resources
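Review bot: the added step "Get your Azure Maps [subscription key] or [Microsoft Entra authentication] for enhanced security" does not parse, since authentication is configured rather than obtained; suggest "Get your Azure Maps [subscription key] or set up [Microsoft Entra authentication] for enhanced security", which also matches the wording of the equivalent step in the Bing Maps migration article.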
azure-maps Open Source Projects https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/open-source-projects.md
The following table lists the open-source projects that extend the capabilities
|--|-| | [Azure Maps Code Samples] | A collection of code samples for using Azure Maps in web-based apps. | | [Azure Maps Gov Cloud Code Samples] | A collection of code samples for using Azure Maps through Azure Government Cloud. |
-| [Azure Maps & Azure Active Directory Samples] | A collection of samples that show how to use Azure Active Directory with Azure Maps. |
+| [Azure Maps & Microsoft Entra ID Samples] | A collection of samples that show how to use Microsoft Entra ID with Azure Maps. |
| [LiveMaps] | A sample application that provides live indoor maps visualization of IoT data on top of Azure Maps using Azure Maps Creator. | | [Azure Maps Jupyter Notebook samples] | A collection of Python samples using the Azure Maps REST services. | | [Azure Maps .NET UWP IoT Remote Control] | A sample application that shows how to build a remotely controlled map using Azure Maps and IoT hub services. |
azure-maps Quick Demo Map App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/quick-demo-map-app.md
Once your Azure Maps account is successfully created, retrieve the subscription
:::image type="content" source="./media/quick-demo-map-app/get-key.png" alt-text="Screenshot showing your Azure Maps subscription key in the Azure portal" lightbox="./media/quick-demo-map-app/get-key.png"::: >[!NOTE]
-> This quickstart uses the [Shared Key] authentication approach for demonstration purposes, but the preferred approach for any production environment is to use [Azure Active Directory] authentication.
+> This quickstart uses the [Shared Key] authentication approach for demonstration purposes, but the preferred approach for any production environment is to use [Microsoft Entra ID] authentication.
## Download and update the Azure Maps demo 1. Copy the contents of the file: [Interactive Search Quickstart.html]. 2. Save the contents of this file locally as **AzureMapDemo.html**. Open it in a text editor. 3. Add the **Primary Key** value you got in the preceding section
- 1. Comment out all of the code in the `authOptions` function, this code is used for Azure Active Directory authentication.
+ 1. Comment out all of the code in the `authOptions` function, this code is used for Microsoft Entra authentication.
1. Uncomment the last two lines in the `authOptions` function, this code is used for Shared Key authentication, the approach being used in this quickstart. 1. Replace `<Your Azure Maps Key>` with the subscription key value from the preceding section.
azure-maps Quick Ios App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/quick-ios-app.md
Once your Maps account is successfully created, retrieve the primary key that en
3. Copy the **Primary Key** to your clipboard. Save it locally to use later in this tutorial. >[!NOTE]
-> This quickstart uses [Shared Key authentication] for demonstration purposes, but the preferred approach for any production environment is to use [Azure Active Directory authentication].
+> This quickstart uses [Shared Key authentication] for demonstration purposes, but the preferred approach for any production environment is to use [Microsoft Entra authentication].
<!-- > If you use the Azure subscription key instead of the Azure Maps primary key, your map won't render properly. Also, for security purposes, it is recommended that you rotate between your primary and secondary keys. To rotate keys, update your app to use the secondary key, deploy, then press the cycle/refresh button beside the primary key to generate a new primary key. The old primary key will be disabled. For more information on key rotation, see [Set up Azure Key Vault with key rotation and auditing](../key-vault/secrets/tutorial-rotation-dual.md) -->
azure-maps Web Sdk Migration Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-maps/web-sdk-migration-guide.md
npm install azure-maps-control@latest
## Review authentication methods (optional)
-To enhance security, more authentication methods are included in the Web SDK starting in version 2. The new methods include [Azure Active Directory Authentication] and [Shared Key Authentication]. For more information about Azure Maps web application security, see [Manage Authentication in Azure Maps].
+To enhance security, more authentication methods are included in the Web SDK starting in version 2. The new methods include [Microsoft Entra authentication] and [Shared Key Authentication]. For more information about Azure Maps web application security, see [Manage Authentication in Azure Maps].
## Testing
azure-monitor Agents Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/agents-overview.md
Using Azure Monitor agent, you get immediate benefits as shown below:
- Any change in configuration is rolled out to all agents automatically, without requiring a client side deployment. - Greater transparency and control of more capabilities and services, such as Microsoft Sentinel, Defender for Cloud, and VM Insights. - **Security and Performance**
- - Enhanced security through Managed Identity and Azure Active Directory (Azure AD) tokens (for clients).
+ - Enhanced security through Managed Identity and Microsoft Entra tokens (for clients).
- Higher event throughput that is 25% better than the legacy Log Analytics (MMA/OMS) agents. - **A single agent** that serves all data collection needs across [supported](#supported-operating-systems) servers and client devices. A single agent is the goal, although Azure Monitor Agent is currently converging with the Log Analytics agents.
azure-monitor Azure Monitor Agent Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-manage.md
The following prerequisites must be met prior to installing Azure Monitor Agent.
} ``` We recommend that you use `mi_res_id` as the `identifier-name`. The following sample commands only show usage with `mi_res_id` for the sake of brevity. For more information on `mi_res_id`, `object_id`, and `client_id`, see the [Managed identity documentation](../../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md#get-a-token-using-http).
- - **System-assigned**: This managed identity is suited for initial testing or small deployments. When used at scale, for example, for all VMs in a subscription, it results in a substantial number of identities created (and deleted) in Azure Active Directory. To avoid this churn of identities, use user-assigned managed identities instead. *For Azure Arc-enabled servers, system-assigned managed identity is enabled automatically* as soon as you install the Azure Arc agent. It's the only supported type for Azure Arc-enabled servers.
+ - **System-assigned**: This managed identity is suited for initial testing or small deployments. When used at scale, for example, for all VMs in a subscription, it results in a substantial number of identities created (and deleted) in Microsoft Entra ID. To avoid this churn of identities, use user-assigned managed identities instead. *For Azure Arc-enabled servers, system-assigned managed identity is enabled automatically* as soon as you install the Azure Arc agent. It's the only supported type for Azure Arc-enabled servers.
- **Not required for Azure Arc-enabled servers**: The system identity is enabled automatically when you [create a data collection rule in the Azure portal](data-collection-rule-azure-monitor-agent.md#create-a-data-collection-rule). - **Networking**: If you use network firewalls, the [Azure Resource Manager service tag](../../virtual-network/service-tags-overview.md) must be enabled on the virtual network for the virtual machine. The virtual machine must also have access to the following HTTPS endpoints:
azure-monitor Azure Monitor Agent Windows Client https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/agents/azure-monitor-agent-windows-client.md
Here is a comparison between client installer and VM extension for Azure Monitor
|:|:|:| | Agent installation method | Via VM extension | Via client installer | | Agent installed | Azure Monitor Agent | Same |
-| Authentication | Using Managed Identity | Using AAD device token |
+| Authentication | Using Managed Identity | Using Microsoft Entra device token |
| Central configuration | Via Data collection rules | Same |
-| Associating config rules to agents | DCRs associates directly to individual VM resources | DCRs associate to Monitored Object (MO), which maps to all devices within the AAD tenant |
+| Associating config rules to agents | DCRs associates directly to individual VM resources | DCRs associate to Monitored Object (MO), which maps to all devices within the Microsoft Entra tenant |
| Data upload to Log Analytics | Via Log Analytics endpoints | Same | | Feature support | All features documented [here](./azure-monitor-agent-overview.md) | Features dependent on AMA agent extension that don't require additional extensions. This includes support for Sentinel Windows Event filtering | | [Networking options](./azure-monitor-agent-overview.md#networking) | Proxy support, Private link support | Proxy support only |
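Review bot: the added row keeps the subject-verb mismatch "DCRs associates directly to individual VM resources" while the neighbouring cell already has "DCRs associate to Monitored Object"; suggest "DCRs associate directly with individual VM resources".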
Here is a comparison between client installer and VM extension for Azure Monitor
| On-premises servers | No | [Virtual machine extension](./azure-monitor-agent-manage.md#virtual-machine-extension-details) (with Azure Arc agent) | Installs the agent using Azure extension framework, provided for on-premises by installing Arc agent | ## Limitations
-1. The Windows client installer supports latest Windows machines only that are **Azure AD joined** or hybrid Azure AD joined. More information under [prerequisites](#prerequisites) below
-2. The Data Collection rules can only target the Azure AD tenant scope, i.e. all DCRs associated to the tenant (via Monitored Object) will apply to all Windows client machines within that tenant with the agent installed using this client installer. **Granular targeting using DCRs is not supported** for Windows client devices yet
+1. The Windows client installer supports latest Windows machines only that are **Microsoft Entra joined** or Microsoft Entra hybrid joined. More information under [prerequisites](#prerequisites) below
+2. The Data Collection rules can only target the Microsoft Entra tenant scope, i.e. all DCRs associated to the tenant (via Monitored Object) will apply to all Windows client machines within that tenant with the agent installed using this client installer. **Granular targeting using DCRs is not supported** for Windows client devices yet
3. No support for Windows machines connected via **Azure private links** 4. The agent installed using the Windows client installer is designed mainly for Windows desktops or workstations that are **always connected**. While the agent can be installed via this method on laptops, it is not optimized for battery consumption and network limitations on a laptop. ## Prerequisites 1. The machine must be running Windows client OS version 10 RS4 or higher. 2. To download the installer, the machine should have [C++ Redistributable version 2015)](/cpp/windows/latest-supported-vc-redist?view=msvc-170&preserve-view=true) or higher
-3. The machine must be domain joined to an Azure AD tenant (AADj or Hybrid AADj machines), which enables the agent to fetch Azure AD device tokens used to authenticate and fetch data collection rules from Azure.
-4. You may need tenant admin permissions on the Azure AD tenant.
+3. The machine must be domain joined to a Microsoft Entra tenant (AADj or Hybrid AADj machines), which enables the agent to fetch Microsoft Entra device tokens used to authenticate and fetch data collection rules from Azure.
+4. You may need tenant admin permissions on the Microsoft Entra tenant.
5. The device must have access to the following HTTPS endpoints: - global.handler.control.monitor.azure.com - `<virtual-machine-region-name>`.handler.control.monitor.azure.com (example: westus.handler.control.azure.com)
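Review bot: the added prerequisite "(AADj or Hybrid AADj machines)" still uses the abbreviation of the old product name that the rest of this change replaces, so the parenthetical is now the only place the reader meets "AAD"; either spell it out as "(Microsoft Entra joined or Microsoft Entra hybrid joined machines)" or drop the parenthetical, since the first limitation above already lists both join types. Separately, "supports latest Windows machines only that are" in the added first limitation reads awkwardly; suggest "supports only current Windows client machines that are".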
Here is a comparison between client installer and VM extension for Azure Monitor
## Create and associate a 'Monitored Object'
-You need to create a 'Monitored Object' (MO) that creates a representation for the Azure AD tenant within Azure Resource Manager (ARM). This ARM entity is what Data Collection Rules are then associated with. **This Monitored Object needs to be created only once for any number of machines in a single AAD tenant**.
-Currently this association is only **limited** to the Azure AD tenant scope, which means configuration applied to the AAD tenant will be applied to all devices that are part of the tenant and running the agent installed via the client installer. Agents installed as virtual machine extension will not be impacted by this.
+You need to create a 'Monitored Object' (MO) that creates a representation for the Microsoft Entra tenant within Azure Resource Manager (ARM). This ARM entity is what Data Collection Rules are then associated with. **This Monitored Object needs to be created only once for any number of machines in a single Microsoft Entra tenant**.
+Currently this association is only **limited** to the Microsoft Entra tenant scope, which means configuration applied to the Microsoft Entra tenant will be applied to all devices that are part of the tenant and running the agent installed via the client installer. Agents installed as virtual machine extension will not be impacted by this.
The image below demonstrates how this works: :::image type="content" source="media/azure-monitor-agent-windows-client/azure-monitor-agent-monitored-object.png" lightbox="media/azure-monitor-agent-windows-client/azure-monitor-agent-monitored-object.png" alt-text="Diagram shows monitored object purpose and association.":::
The image below demonstrates how this works:
Then, proceed with the instructions below to create and associate them to a Monitored Object, using REST APIs or PowerShell commands. ### Permissions required
-Since MO is a tenant level resource, the scope of the permission would be higher than a subscription scope. Therefore, an Azure tenant admin may be needed to perform this step. [Follow these steps to elevate Azure AD Tenant Admin as Azure Tenant Admin](../../role-based-access-control/elevate-access-global-admin.md). It will give the Azure AD admin 'owner' permissions at the root scope. This is needed for all methods described below in this section.
+Since MO is a tenant level resource, the scope of the permission would be higher than a subscription scope. Therefore, an Azure tenant admin may be needed to perform this step. [Follow these steps to elevate Microsoft Entra tenant admin as Azure Tenant Admin](../../role-based-access-control/elevate-access-global-admin.md). It will give the Microsoft Entra admin 'owner' permissions at the root scope. This is needed for all methods described below in this section.
### Using REST APIs
PUT https://management.azure.com/providers/microsoft.insights/providers/microsof
After this step is complete, **reauthenticate** your session and **reacquire** your ARM bearer token. #### 2. Create Monitored Object
-This step creates the Monitored Object for the Azure AD Tenant scope. It will be used to represent client devices that are signed with that Azure AD Tenant identity.
+This step creates the Monitored Object for the Microsoft Entra tenant scope. It will be used to represent client devices that are signed with that Microsoft Entra tenant identity.
**Permissions required**: Anyone who has 'Monitored Object Contributor' at an appropriate scope can perform this operation, as assigned in step 1.
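Review bot: "client devices that are signed with that Microsoft Entra tenant identity" on the added line is unclear; devices are joined to a tenant and sign in with a device identity, so "client devices that are joined to that Microsoft Entra tenant" (consistent with the prerequisites section) states the relationship correctly.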
PUT https://management.azure.com/providers/Microsoft.Insights/monitoredObjects/{
| Name | In | Type | Description | |:|:|:|:|:|
-| `AADTenantId` | path | string | ID of the Azure AD tenant that the device(s) belong to. The MO will be created with the same ID |
+| `AADTenantId` | path | string | ID of the Microsoft Entra tenant that the device(s) belong to. The MO will be created with the same ID |
**Headers** - Authorization: ARM Bearer Token
In order to update the version, install the new version you wish to update to.
- Error message: "There's a problem with this Windows Installer package. A DLL required for this installer to complete could not be run. …" - Ensure you have installed [C++ Redistributable (>2015)](/cpp/windows/latest-supported-vc-redist?view=msvc-170&preserve-view=true) before installing AMA:
-#### Not AAD joined
+<a name='not-aad-joined'></a>
+
+#### Not Microsoft Entra joined
Error message: "Tenant and device ids retrieval failed"
-1. Run the command `dsregcmd /status`. This should produce the output as `AzureAdJoined : YES` in the 'Device State' section. If not, join the device with an AAD tenant and try installation again.
+1. Run the command `dsregcmd /status`. This should produce the output as `AzureAdJoined : YES` in the 'Device State' section. If not, join the device with a Microsoft Entra tenant and try installation again.
#### Silent install from command prompt fails Make sure to start the installer on administrator command prompt. Silent install can only be initiated from the administrator command prompt.
azure-monitor Action Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/action-groups.md
Global requests from clients can be processed by action group services in any re
|Notification type|Description |Fields| ||||
- |Email Azure Resource Manager role|Send an email to the subscription members, based on their role.<br>A notification email is sent only to the primary email address configured for the Azure AD user.<br>The email is only sent to Azure Active Directory **user** members of the selected role, not to Azure AD groups or service principals.<br> See [Email](#email-azure-resource-manager).|Enter the primary email address configured for the Azure AD user. See [Email](#email-azure-resource-manager).|
+ |Email Azure Resource Manager role|Send an email to the subscription members, based on their role.<br>A notification email is sent only to the primary email address configured for the Microsoft Entra user.<br>The email is only sent to Microsoft Entra ID **user** members of the selected role, not to Microsoft Entra groups or service principals.<br> See [Email](#email-azure-resource-manager).|Enter the primary email address configured for the Microsoft Entra user. See [Email](#email-azure-resource-manager).|
|Email| Ensure that your email filtering and any malware/spam prevention services are configured appropriately. Emails are sent from the following email addresses:<br> * azure-noreply@microsoft.com<br> * azureemail-noreply@microsoft.com<br> * alerts-noreply@mail.windowsazure.com|Enter the email where the notification should be sent.| |SMS|SMS notifications support bi-directional communication. The SMS contains the following information:<br> * Shortname of the action group this alert was sent to<br> * The title of the alert.<br> A user can respond to an SMS to:<br> * Unsubscribe from all SMS alerts for all action groups or a single action group.<br> * Resubscribe to alerts<br> * Request help.<br> For more information about supported SMS replies, see [SMS replies](#sms-replies).|Enter the **Country code** and the **Phone number** for the SMS recipient. If you can't select your country/region code in the Azure portal, SMS isn't supported for your country/region. If your country/region code isn't available, you can vote to have your country/region added at [Share your ideas](https://feedback.azure.com/d365community/idea/e527eaa6-2025-ec11-b6e6-000d3a4f09d0). As a workaround until your country is supported, configure the action group to call a webhook to a third-party SMS provider that supports your country/region.| |Azure app Push notifications|Send notifications to the Azure mobile app. To enable push notifications to the Azure mobile app, provide the For more information about the Azure mobile app, see [Azure mobile app](https://azure.microsoft.com/features/azure-portal/mobile-app/).|In the **Azure account email** field, enter the email address that you use as your account ID when you configure the Azure mobile app. |
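Review bot: the unchanged "Azure app Push notifications" cell in this same table has a broken sentence, "provide the For more information about the Azure mobile app", where whatever followed "provide the" is missing; since this table row block is being edited for the rename, restore the missing phrase or drop the dangling "provide the" so the cell reads as complete instructions. The Microsoft Entra wording in the edited row itself is consistent with the rest of the table.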
Global requests from clients can be processed by action group services in any re
|Functions |Calls an existing HTTP trigger endpoint in functions. For more information, see [Azure Functions](../../azure-functions/functions-get-started.md).<br>When you define the function action, the function's HTTP trigger endpoint and access key are saved in the action definition, for example, `https://azfunctionurl.azurewebsites.net/api/httptrigger?code=<access_key>`. If you change the access key for the function, you must remove and re-create the function action in the action group.<br>Your endpoint must support the HTTP POST method.<br>The function must have access to the storage account. If it doesn't have access, keys aren't available and the function URI isn't accessible.<br>[Learn about restoring access to the storage account](../../azure-functions/functions-recover-storage-account.md).| |ITSM |An ITSM action requires an ITSM connection. To learn how to create an ITSM connection, see [ITSM integration](./itsmc-overview.md). | |Logic apps |You can use [Azure Logic Apps](../../logic-apps/logic-apps-overview.md) to build and customize workflows for integration and to customize your alert notifications.|
- |Secure webhook|When you use a secure webhook action, you must use Azure AD to secure the connection between your action group and your endpoint, which is a protected web API. See [Configure authentication for Secure webhook](#configure-authentication-for-secure-webhook). Secure webhook doesn't support basic authentication. If you're using basic authentication, use the Webhook action.|
+ |Secure webhook|When you use a secure webhook action, you must use Microsoft Entra ID to secure the connection between your action group and your endpoint, which is a protected web API. See [Configure authentication for Secure webhook](#configure-authentication-for-secure-webhook). Secure webhook doesn't support basic authentication. If you're using basic authentication, use the Webhook action.|
|Webhook| If you use the webhook action, your target webhook endpoint must be able to process the various JSON payloads that different alert sources emit.<br>You can't pass security certificates through a webhook action. To use basic authentication, you must pass your credentials through the URI.<br>If the webhook endpoint expects a specific schema, for example, the Microsoft Teams schema, use the **Logic Apps** action type to manipulate the alert schema to meet the target webhook's expectations.<br> For information about the rules used for retrying webhook actions, see [Webhook](#webhook).| :::image type="content" source="./media/action-groups/action-group-3-actions.png" alt-text="Screenshot that shows the Actions tab of the Create action group dialog. Several options are visible in the Action type list.":::
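Review bot: the Secure webhook row being edited tells readers who use basic authentication to fall back to the Webhook action, while the Webhook row in the trailing context says basic-auth credentials must be passed through the URI; consider adding one sentence to the Secure webhook row recommending it over URI-embedded credentials wherever the endpoint can validate Microsoft Entra tokens, so the basic-auth fallback is not read as an equivalent choice.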
When an email address is rate limited, a notification is sent to communicate tha
## Email Azure Resource Manager
-When you use Azure Resource Manager for email notifications, you can send email to the members of a subscription's role. Email is only sent to Azure Active Directory (Azure AD) **user** members of the role. Email isn't sent to Azure AD groups or service principals.
+When you use Azure Resource Manager for email notifications, you can send email to the members of a subscription's role. Email is only sent to Microsoft Entra ID **user** members of the role. Email isn't sent to Microsoft Entra groups or service principals.
A notification email is sent only to the primary email address.
When you set up the Resource Manager role:
1. Assign an entity of type **User** to the role. 1. Make the assignment at the **subscription** level.
-1. Make sure an email address is configured for the user in their **Azure AD profile**.
+1. Make sure an email address is configured for the user in their **Microsoft Entra profile**.
> [!NOTE] >
Webhook action groups use the following rules:
### Configure authentication for Secure webhook
-The secure webhook action authenticates to the protected API by using a Service Principal instance in the Azure AD tenant of the "AZNS AAD Webhook" Azure AD application. To make the action group work, this Azure AD Webhook Service Principal must be added as a member of a role on the target Azure AD application that grants access to the target endpoint.
+The secure webhook action authenticates to the protected API by using a Service Principal instance in the Microsoft Entra tenant of the "AZNS Microsoft Entra Webhook" Microsoft Entra application. To make the action group work, this Microsoft Entra Webhook Service Principal must be added as a member of a role on the target Microsoft Entra application that grants access to the target endpoint.
-For an overview of Azure AD applications and service principals, see [Microsoft identity platform (v2.0) overview](../../active-directory/develop/v2-overview.md). Follow these steps to take advantage of the secure webhook functionality.
+For an overview of Microsoft Entra applications and service principals, see [Microsoft identity platform (v2.0) overview](../../active-directory/develop/v2-overview.md). Follow these steps to take advantage of the secure webhook functionality.
> [!NOTE] >
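Review bot: the quoted value "AZNS AAD Webhook" is the display name of a specific first-party application that readers look up in their tenant, so rewriting it as "AZNS Microsoft Entra Webhook" changes an identifier rather than prose; confirm the application's actual display name before renaming it, and if it is unchanged keep the literal "AZNS AAD Webhook" and apply the Entra rename only to the surrounding text ("in the Microsoft Entra tenant of the "AZNS AAD Webhook" application").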
For an overview of Azure AD applications and service principals, see [Microsoft
If you use the webhook action, your target webhook endpoint must be able to process the various JSON payloads that different alert sources emit. If the webhook endpoint expects a specific schema, for example, the Microsoft Teams schema, use the Logic Apps action to transform the alert schema to meet the target webhook's expectations.
-1. Create an Azure AD application for your protected web API. For more information, see [Protected web API: App registration](../../active-directory/develop/scenario-protected-web-api-app-registration.md). Configure your protected API to be called by a daemon app and expose application permissions, not delegated permissions. For more information about these permissions, see [If your web API is called by a service or daemon app](../../active-directory/develop/scenario-protected-web-api-app-registration.md#if-your-web-api-is-called-by-a-service-or-daemon-app).
+1. Create a Microsoft Entra application for your protected web API. For more information, see [Protected web API: App registration](../../active-directory/develop/scenario-protected-web-api-app-registration.md). Configure your protected API to be called by a daemon app and expose application permissions, not delegated permissions. For more information about these permissions, see [If your web API is called by a service or daemon app](../../active-directory/develop/scenario-protected-web-api-app-registration.md#if-your-web-api-is-called-by-a-service-or-daemon-app).
> [!NOTE] >
- > Configure your protected web API to accept V2.0 access tokens. For more information about this setting, see [Azure Active Directory app manifest](../../active-directory/develop/reference-app-manifest.md#accesstokenacceptedversion-attribute).
+ > Configure your protected web API to accept V2.0 access tokens. For more information about this setting, see [Microsoft Entra app manifest](../../active-directory/develop/reference-app-manifest.md#accesstokenacceptedversion-attribute).
-1. To enable the action group to use your Azure AD application, use the PowerShell script that follows this procedure.
+1. To enable the action group to use your Microsoft Entra application, use the PowerShell script that follows this procedure.
> [!NOTE] >
- > You must be assigned the [Azure AD Application Administrator role](../../active-directory/roles/permissions-reference.md#all-roles) to run this script.
+ > You must be assigned the [Microsoft Entra Application Administrator role](../../active-directory/roles/permissions-reference.md#all-roles) to run this script.
- 1. Modify the PowerShell script's `Connect-AzureAD` call to use your Azure AD tenant ID.
- 1. Modify the PowerShell script's `$myAzureADApplicationObjectId` variable to use the object ID of your Azure AD application.
+ 1. Modify the PowerShell script's `Connect-AzureAD` call to use your Microsoft Entra tenant ID.
+ 1. Modify the PowerShell script's `$myAzureADApplicationObjectId` variable to use the object ID of your Microsoft Entra application.
1. Run the modified script. > [!NOTE] >
- > The service principal must be assigned an **owner role** of the Azure AD application to be able to create or modify the secure webhook action in the action group.
+ > The service principal must be assigned an **owner role** of the Microsoft Entra application to be able to create or modify the secure webhook action in the action group.
1. Configure the secure webhook action.
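Review bot: the note "The service principal must be assigned an **owner role** of the Microsoft Entra application" does not say which service principal it means, the action group's webhook principal described in the section above or the identity running the script; name it explicitly while this line is being edited. Leaving `Connect-AzureAD` and `$myAzureADApplicationObjectId` verbatim in the two modified sub-steps is correct, since they are identifiers in the script that follows the procedure and must match it.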
azure-monitor Alerts Create New Alert Rule https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-create-new-alert-rule.md
ARM templates for activity log alerts contain additional properties for the cond
||| |resourceId|The resource ID of the affected resource in the activity log event on which the alert is generated.| |category|The category of the activity log event. Possible values are `Administrative`, `ServiceHealth`, `ResourceHealth`, `Autoscale`, `Security`, `Recommendation`, or `Policy`. |
-|caller|The email address or Azure Active Directory identifier of the user who performed the operation of the activity log event. |
+|caller|The email address or Microsoft Entra identifier of the user who performed the operation of the activity log event. |
|level |Level of the activity in the activity log event for the alert. Possible values are `Critical`, `Error`, `Warning`, `Informational`, or `Verbose`.| |operationName |The name of the operation in the activity log event. Possible values are `Microsoft.Resources/deployments/write`. | |resourceGroup |Name of the resource group for the affected resource in the activity log event. |
azure-monitor Alerts Plan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/alerts-plan.md
Use the following actions to attempt automated remediation of the issue identifi
- **IT service management (ITSM)**: Use the ITSM Connector to create work items in your ITSM tool based on alerts from Azure Monitor. You first configure the connector and then use the **ITSM** action in alert rules. - **Webhooks**: Send the alert to an incident management system that supports webhooks such as PagerDuty and Splunk On-Call.-- **Secure webhook**: Integrate ITSM with Azure Active Directory Authentication.
+- **Secure webhook**: Integrate ITSM with Microsoft Entra authentication.
## Minimize alert activity
azure-monitor It Service Management Connector Secure Webhook Connections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/it-service-management-connector-secure-webhook-connections.md
This article shows you how to configure the connection between your IT Service M
Secure Webhook is an updated version of [IT Service Management Connector (ITSMC)](./itsmc-overview.md). Both versions allow you to create work items in an ITSM tool when Azure Monitor sends alerts. The functionality includes metric, log, and activity log alerts.
-ITSMC uses username and password credentials. Secure Webhook has stronger authentication because it uses Azure Active Directory (Azure AD). Azure AD is Microsoft's cloud-based identity and access management service. It helps users sign in and access internal or external resources. Using Azure AD with ITSM helps to identify Azure alerts (through the Azure AD application ID) that were sent to the external system.
+ITSMC uses username and password credentials. Secure Webhook has stronger authentication because it uses Microsoft Entra ID. Microsoft Entra ID is Microsoft's cloud-based identity and access management service. It helps users sign in and access internal or external resources. Using Microsoft Entra ID with ITSM helps to identify Azure alerts (through the Microsoft Entra application ID) that were sent to the external system.
## Secure Webhook architecture The Secure Webhook architecture introduces the following new capabilities: * **New action group**: Alerts are sent to the ITSM tool through the Secure Webhook action group, instead of the ITSM action group that ITSMC uses.
-* **Azure AD authentication**: Authentication occurs through Azure AD instead of username and password credentials.
+* **Microsoft Entra authentication**: Authentication occurs through Microsoft Entra ID instead of username and password credentials.
## Secure Webhook data flow
The steps of the Secure Webhook data flow are:
1. Azure Monitor sends an alert that's configured to use Secure Webhook. 1. The alert payload is sent by a Secure Webhook action to the ITSM tool.
-1. The ITSM application checks with Azure AD to determine if the alert is authorized to enter the ITSM tool.
+1. The ITSM application checks with Microsoft Entra ID to determine if the alert is authorized to enter the ITSM tool.
1. If the alert is authorized, the application: 1. Creates a work item (for example, an incident) in the ITSM tool. 1. Binds the ID of the configuration item to the customer management database.
-![Diagram that shows how the ITSM tool communicates with Azure Active Directory, Azure alerts, and an action group.](media/it-service-management-connector-secure-webhook-connections/secure-export-diagram.png)
+![Diagram that shows how the ITSM tool communicates with Microsoft Entra ID, Azure alerts, and an action group.](media/it-service-management-connector-secure-webhook-connections/secure-export-diagram.png)
## Benefits of Secure Webhook The main benefits of the integration are:
-* **Better authentication**: Azure AD provides more secure authentication without the timeouts that commonly occur in ITSMC.
+* **Better authentication**: Microsoft Entra ID provides more secure authentication without the timeouts that commonly occur in ITSMC.
* **Alerts resolved in the ITSM tool**: Metric alerts implement **fired** and **resolved** states. When the condition is met, the alert state is fired. When the condition isn't met anymore, the alert state is resolved. In ITSMC, alerts can't be resolved automatically. With Secure Webhook, the resolved state flows to the ITSM tool, so it's updated automatically. * [Common alert schema](./alerts-common-schema.md): In ITSMC, the schema of the alert payload differs based on the alert type. In Secure Webhook, there's a common schema for all alert types. This common schema contains the configuration item for all alert types. All alert types will be able to bind their configuration item with the customer management database.
azure-monitor Itsm Connector Secure Webhook Connections Azure Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsm-connector-secure-webhook-connections-azure-configuration.md
This article describes the required Azure configurations for using Secure Webhook.
-## Register with Azure Active Directory
+<a name='register-with-azure-active-directory'></a>
-To register the application with Azure Active Directory (Azure AD):
+## Register with Microsoft Entra ID
+
+To register the application with Microsoft Entra ID:
1. Follow the steps in [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md).
-1. In Azure AD, select **Expose application**.
+1. In Microsoft Entra ID, select **Expose application**.
1. Select **Add** for **Application ID URI**. [![Screenshot that shows the option for setting the U R I of the application I D.](media/itsm-connector-secure-webhook-connections-azure-configuration/azure-ad.png)](media/itsm-connector-secure-webhook-connections-azure-configuration/azure-ad-expand.png#lightbox)
To register the application with Azure Active Directory (Azure AD):
## Define a service principal
-The action group service is a first-party application. It has permission to acquire authentication tokens from your Azure AD application to authenticate with ServiceNow.
+The action group service is a first-party application. It has permission to acquire authentication tokens from your Microsoft Entra application to authenticate with ServiceNow.
As an optional step, you can define an application role in the created app's manifest. This way, you can further restrict access so that only certain applications with that specific role can send messages. This role has to be then assigned to the Action Group service principal. Tenant admin privileges are required.
You can do this step by using the same [PowerShell commands](../alerts/action-gr
## Create a Secure Webhook action group
-After your application is registered with Azure AD, you can create work items in your ITSM tool based on Azure alerts by using the Secure Webhook action in action groups.
+After your application is registered with Microsoft Entra ID, you can create work items in your ITSM tool based on Azure alerts by using the Secure Webhook action in action groups.
Action groups provide a modular and reusable way of triggering actions for Azure alerts. You can use action groups with metric alerts, activity log alerts, and Log Analytics alerts in the Azure portal.
To add a webhook to an action, follow these instructions for Secure Webhook:
1. Enter a name in the **Action group name** box and enter a name in the **Short name** box. The short name is used in place of a full action group name when notifications are sent by using this group. 1. Select **Secure Webhook**. 1. Select these details:
- 1. Select the object ID of the Azure AD instance that you registered.
+ 1. Select the object ID of the Microsoft Entra instance that you registered.
1. For the URI, paste in the webhook URL that you copied from the [ITSM tool environment](#configure-the-itsm-tool-environment). 1. Set **Enable the common Alert Schema** to **Yes**.
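Review bot: "the object ID of the Microsoft Entra instance that you registered" is inaccurate; what was registered, per the opening line of this section ("After your application is registered with Microsoft Entra ID"), is an application, so the step should read "Select the object ID of the Microsoft Entra application that you registered". This was already wrong in the old wording, but the rename is the right moment to fix it.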
azure-monitor Itsmc Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-overview.md
Depending on your integration, start connecting to your ITSM tool with these ste
- For ServiceNow ITOM events or BMC Helix, use the secure webhook action:
- 1. [Register your app with Azure Active Directory](./itsm-connector-secure-webhook-connections-azure-configuration.md#register-with-azure-active-directory).
+ 1. [Register your app with Microsoft Entra ID](./itsm-connector-secure-webhook-connections-azure-configuration.md#register-with-azure-active-directory).
1. [Define a service principal](./itsm-connector-secure-webhook-connections-azure-configuration.md#define-a-service-principal). 1. [Create a secure webhook action group](./itsm-connector-secure-webhook-connections-azure-configuration.md#create-a-secure-webhook-action-group). 1. Configure your partner environment. Secure Export supports connections with the following ITSM tools:
azure-monitor Itsmc Secure Webhook Connections Bmc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-secure-webhook-connections-bmc.md
The following sections provide details about how to connect your BMC Helix produ
Ensure that you've met the following prerequisites:
-* Azure Active Directory is registered.
+* Microsoft Entra ID is registered.
* You have the supported version of BMC Helix Multi-Cloud Service Management (version 19.08 or later). ## Configure the BMC Helix connection
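Review bot: "Microsoft Entra ID is registered" (like the old "Azure Active Directory is registered") inverts the relationship: it is the ITSM application that is registered with Microsoft Entra ID, not the directory that is registered. Suggest "Your application is registered with Microsoft Entra ID" and link it to the registration section referenced elsewhere in this change.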
azure-monitor Itsmc Secure Webhook Connections Servicenow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/itsmc-secure-webhook-connections-servicenow.md
The following sections provide information about how to connect your ServiceNow
Ensure that you've met the following prerequisites:
-* Azure Active Directory is registered.
+* Microsoft Entra ID is registered.
* You have the supported version of ServiceNow Event Management - ITOM (version New York or later). * The [application](https://store.servicenow.com/sn_appstore_store.do#!/store/application/ac4c9c57dbb1d090561b186c1396191a/2.2.0) is installed on the ServiceNow instance.
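Review bot: same prerequisite wording problem as the BMC page: "Microsoft Entra ID is registered" should be "Your application is registered with Microsoft Entra ID", since the directory is not what gets registered; wording both prerequisite lists identically keeps the two connector pages consistent.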
azure-monitor Test Action Group Errors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/alerts/test-action-group-errors.md
The error messages in this section are related to these **actions**:
|HTTP 400: The \<action\> returned a 'bad request' error. |Check the alert payload received on your endpoint, and make sure the endpoint can process the request successfully. |HTTP 400: The \<action\> couldn't be triggered because this alert type doesn't support the common alert schema. |1. Check if the alert type supports common alert schema.</br>2. Change the ΓÇ£Enable the common alert schemaΓÇ¥ in the action group action to ΓÇ£NoΓÇ¥ and retry. |HTTP 400: The \<action\> could not be triggered because the payload is empty or invalid. | Check if the payload is valid, and if it's included as part of the request.
-|HTTP 400: The \<action\> could not be triggered because Azure AD auth is enabled but no auth context provided in the request. | 1. Check your Secure Webhook action settings.</br>2. Check your Azure AD configuration. For more information, see [action groups](action-groups.md). |
+|HTTP 400: The \<action\> could not be triggered because Microsoft Entra auth is enabled but no auth context provided in the request. | 1. Check your Secure Webhook action settings.</br>2. Check your Microsoft Entra configuration. For more information, see [action groups](action-groups.md). |
|HTTP 400: ServiceNow returned error: No such host is known | Check your ServiceNow host url to make sure it's valid and retry. For more information, see [Connect ServiceNow with IT Service Management Connector](./itsmc-connections-servicenow.md) | |</br>HTTP 401: The \<action\> returned an "Unauthorized" error.</br>HTTP 401: The request was rejected by the \<action\> endpoint. Make sure you have the required authorization. | 1. Check if the credential in the request is present and valid.</br>2. Check if your endpoint correctly validates the credentials from the request. |
-|</br>HTTP 403: The \<action\> returned a "Forbidden" response.</br>HTTP 403: Couldn't trigger the \<action\>. Make sure you have the required authorization.</br>HTTP 403: The \<action\> returned a 'Forbidden' response. Make sure you have the proper permissions to access it.</br>HTTP 403: The \<action\> is "Forbidden".</br>HTTP 403: Could not access the ITSM system. Make sure you have the required authorization. | 1. Check if the credential in the request is present, and valid.</br>2. Check if your endpoint correctly validates the credentials.</br>3. If it's Secure Webhook, make sure the Azure AD authentication is set up correctly. For more information, see [action groups](action-groups.md).|
+|</br>HTTP 403: The \<action\> returned a "Forbidden" response.</br>HTTP 403: Couldn't trigger the \<action\>. Make sure you have the required authorization.</br>HTTP 403: The \<action\> returned a 'Forbidden' response. Make sure you have the proper permissions to access it.</br>HTTP 403: The \<action\> is "Forbidden".</br>HTTP 403: Could not access the ITSM system. Make sure you have the required authorization. | 1. Check if the credential in the request is present, and valid.</br>2. Check if your endpoint correctly validates the credentials.</br>3. If it's Secure Webhook, make sure the Microsoft Entra authentication is set up correctly. For more information, see [action groups](action-groups.md).|
| HTTP 403: The access token needs to be refreshed.| Refresh the access token and retry. For more information, see [Connect ServiceNow with IT Service Management Connector](./itsmc-connections-servicenow.md) | |HTTP 404: The \<action\> was not found.</br>HTTP 404: The \<action\> target workflow was not found.</br>HTTP 404: The \<action\> target was not found.</br>HTTP 404: The \<action\> endpoint could not be found.</br>HTTP 404: The \<action\> was deleted. | 1. Check if the endpoints included in the requests are valid, up and running and accepting the requests.</br>2. For ITSM, check if the ITSM connector is still active.| |HTTP 408: The call to the \<action\> timed out.</br>HTTP 408: The call to the Azure App service endpoint timed out. | 1.Check the client network connection, and retry.</br>2. Check if your endpoint is up and running and can process the request successfully.</br>3. Clear the browser cache, and retry. |
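Review bot: the first column of this table quotes error messages that the service returns, so changing "Azure AD auth is enabled but no auth context provided" to "Microsoft Entra auth is enabled ..." only helps if the service now emits that text; verify the actual message string before editing it, otherwise readers searching for the message they saw will not match this row (the remediation column can be renamed freely). The unchanged row above also carries mojibake, "ΓÇ£Enable the common alert schemaΓÇ¥", which should be plain quotes "Enable the common alert schema" while this table is being touched.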
The error messages in this section are related to these **notifications**:
- [Action Groups](action-groups.md). - [Common alert schema](./alerts-common-schema.md) - [Non-common alert schema](./alerts-non-common-schema-definitions.md)-- [Connect ServiceNow with IT Service Management Connector](./itsmc-connections-servicenow.md)
+- [Connect ServiceNow with IT Service Management Connector](./itsmc-connections-servicenow.md)
azure-monitor Api Filtering Sampling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/api-filtering-sampling.md
Title: Filtering and preprocessing in the Application Insights SDK | Microsoft Docs description: Write telemetry processors and telemetry initializers for the SDK to filter or add properties to the data before the telemetry is sent to the Application Insights portal. Previously updated : 07/10/2023 Last updated : 10/11/2023 ms.devlang: csharp, javascript, python
azure-monitor App Insights Azure Ad Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/app-insights-azure-ad-api.md
Title: Application Insights API Access with Microsoft Azure Active Directory (Azure AD) Authentication
-description: Learn how to authenticate and access the Azure Monitor Application Insights APIs using Azure AD
+ Title: Application Insights API Access with Microsoft Entra authentication
+description: Learn how to authenticate and access the Azure Monitor Application Insights APIs using Microsoft Entra ID
Last updated 04/11/2023
-# Application Insights API Access with Microsoft Azure Active Directory (Azure AD) Authentication
+# Application Insights API Access with Microsoft Entra authentication
-You can submit a query request by using the Azure Monitor Application Insights endpoint `https://api.applicationinsights.io`. To access the endpoint, you must authenticate through Azure Active Directory (Azure AD).
+You can submit a query request by using the Azure Monitor Application Insights endpoint `https://api.applicationinsights.io`. To access the endpoint, you must authenticate through Microsoft Entra ID.
## Set up authentication
-To access the API, you register a client app with Azure AD and request a token.
+To access the API, you register a client app with Microsoft Entra ID and request a token.
-1. [Register an app in Azure AD](../logs/api/register-app-for-token.md).
+1. [Register an app in Microsoft Entra ID](../logs/api/register-app-for-token.md).
1. On the app's overview page, select **API permissions**. 1. Select **Add a permission**.
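Review bot: the front matter appears to end up with two title entries, the old "Title: Application Insights API Access with Microsoft Azure Active Directory (Azure AD) Authentication" shown as unchanged context and the added "Title: Application Insights API Access with Microsoft Entra authentication"; confirm the old line is removed in the actual patch so the metadata has a single title that matches the new H1 further down.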
Now that your app is registered and has permissions to use the API, grant your a
## Request an authorization token Before you begin, make sure you have all the values required to make the request successfully. All requests require:-- Your Azure AD tenant ID.
+- Your Microsoft Entra tenant ID.
- Your App Insights App ID - If you are currently using API Keys, this is the same app ID.-- Your Azure AD client ID for the app.-- An Azure AD client secret for the app.
+- Your Microsoft Entra client ID for the app.
+- A Microsoft Entra client secret for the app.
-The Application Insights API supports Azure AD authentication with three different [Azure AD OAuth2](/azure/active-directory/develop/active-directory-protocols-oauth-code) flows:
+The Application Insights API supports Microsoft Entra authentication with three different [Microsoft Entra ID OAuth2](/azure/active-directory/develop/active-directory-protocols-oauth-code) flows:
- Client credentials - Authorization code - Implicit ### Client credentials flow
-In the client credentials flow, the token is used with the Application Insights endpoint. A single request is made to receive a token by using the credentials provided for your app in the previous step when you [register an app in Azure AD](../logs/api/register-app-for-token.md).
+In the client credentials flow, the token is used with the Application Insights endpoint. A single request is made to receive a token by using the credentials provided for your app in the previous step when you [register an app in Microsoft Entra ID](../logs/api/register-app-for-token.md).
Use the `https://api.applicationinsights.io` endpoint.
The main OAuth2 flow supported is through [authorization codes](/azure/active-di
&resource=https://api.applicationinsights.io ```
-When a request is made to the authorize URL, the client\_id is the application ID from your Azure AD app, copied from the app's properties menu. The redirect\_uri is the homepage/login URL from the same Azure AD app. When a request is successful, this endpoint redirects you to the sign-in page you provided at sign-up with the authorization code appended to the URL. See the following example:
+When a request is made to the authorize URL, the client\_id is the application ID from your Microsoft Entra app, copied from the app's properties menu. The redirect\_uri is the homepage/login URL from the same Microsoft Entra app. When a request is successful, this endpoint redirects you to the sign-in page you provided at sign-up with the authorization code appended to the URL. See the following example:
```http http://<app-client-id>/?code=AUTHORIZATION_CODE&session_state=STATE_GUID
At this point, you've obtained an authorization code, which you need now to requ
&client_secret=<app-client-secret> ```
-All values are the same as before, with some additions. The authorization code is the same code you received in the previous request after a successful redirect. The code is combined with the key obtained from the Azure AD app. If you didn't save the key, you can delete it and create a new one from the keys tab of the Azure AD app menu. The response is a JSON string that contains the token with the following schema. Types are indicated for the token values.
+All values are the same as before, with some additions. The authorization code is the same code you received in the previous request after a successful redirect. The code is combined with the key obtained from the Microsoft Entra app. If you didn't save the key, you can delete it and create a new one from the keys tab of the Microsoft Entra app menu. The response is a JSON string that contains the token with the following schema. Types are indicated for the token values.
Response example:
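Review bot: `keys tab of the Microsoft Entra app menu` is stale terminology the rename left behind; the client secret is created under the app registration's Certificates & secrets blade. Because this paragraph tells readers to delete and recreate the secret, it should also say that the new value is displayed only once at creation and belongs in a secret store, not in source or the redirect URL.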
azure-monitor App Insights Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/app-insights-overview.md
Application Insights provides many experiences to enhance the performance, relia
The logic model diagram visualizes components of Application Insights and how they interact. > [!Note] > Firewall settings must be adjusted for data to reach ingestion endpoints. For more information, see [IP addresses used by Azure Monitor](./ip-addresses.md).
azure-monitor Asp Net Core https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/asp-net-core.md
description: Monitor ASP.NET Core web applications for availability, performance
ms.devlang: csharp Previously updated : 09/12/2023 Last updated : 10/10/2023 # Application Insights for ASP.NET Core applications
azure-monitor Asp Net https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/asp-net.md
Title: Configure monitoring for ASP.NET with Azure Application Insights | Microsoft Docs description: Configure performance, availability, and user behavior analytics tools for your ASP.NET website hosted on-premises or in Azure. Previously updated : 04/24/2023 Last updated : 10/11/2023 ms.devlang: csharp
azure-monitor Availability Test Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/availability-test-migration.md
Title: Migrate from Azure Monitor Application Insights classic URL ping tests to
description: How to migrate from Azure Monitor Application Insights classic availability URL ping tests to standard tests. Previously updated : 09/27/2023 Last updated : 10/11/2023
azure-monitor Azure Ad Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-ad-authentication.md
Title: Azure AD authentication for Application Insights
-description: Learn how to enable Azure Active Directory (Azure AD) authentication to ensure that only authenticated telemetry is ingested in your Application Insights resources.
+ Title: Microsoft Entra authentication for Application Insights
+description: Learn how to enable Microsoft Entra authentication to ensure that only authenticated telemetry is ingested in your Application Insights resources.
Previously updated : 06/23/2023 Last updated : 10/10/2023 ms.devlang: csharp, java, javascript, python
-# Azure AD authentication for Application Insights
+# Microsoft Entra authentication for Application Insights
-Application Insights now supports [Azure Active Directory (Azure AD) authentication](../../active-directory/authentication/overview-authentication.md). By using Azure AD, you can ensure that only authenticated telemetry is ingested in your Application Insights resources.
+Application Insights now supports [Microsoft Entra authentication](../../active-directory/authentication/overview-authentication.md). By using Microsoft Entra ID, you can ensure that only authenticated telemetry is ingested in your Application Insights resources.
-Using various authentication systems can be cumbersome and risky because it's difficult to manage credentials at scale. You can now choose to [opt out of local authentication](#disable-local-authentication) to ensure only telemetry exclusively authenticated by using [managed identities](../../active-directory/managed-identities-azure-resources/overview.md) and [Azure AD](../../active-directory/fundamentals/active-directory-whatis.md) is ingested in your resource. This feature is a step to enhance the security and reliability of the telemetry used to make critical operational ([alerting](../alerts/alerts-overview.md#what-are-azure-monitor-alerts)and [autoscale](../autoscale/autoscale-overview.md#overview-of-autoscale-in-azure)) and business decisions.
+Using various authentication systems can be cumbersome and risky because it's difficult to manage credentials at scale. You can now choose to [opt out of local authentication](#disable-local-authentication) to ensure only telemetry exclusively authenticated by using [managed identities](../../active-directory/managed-identities-azure-resources/overview.md) and [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) is ingested in your resource. This feature is a step to enhance the security and reliability of the telemetry used to make critical operational ([alerting](../alerts/alerts-overview.md#what-are-azure-monitor-alerts)and [autoscale](../autoscale/autoscale-overview.md#overview-of-autoscale-in-azure)) and business decisions.
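Review bot: the missing space in `[alerting](...)and [autoscale]` is carried over unchanged into the `+` line; add a space after the alerting link so the two links do not run together when rendered.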
> [!NOTE] > Note
-> This document covers data ingestion into Application Insights using Azure AD. authentication. For information on querying data within Application Insights, see [Query Application Insights using Azure AD Authentication](./app-insights-azure-ad-api.md).
+> This document covers data ingestion into Application Insights using Microsoft Entra ID. authentication. For information on querying data within Application Insights, see [Query Application Insights using Microsoft Entra authentication](./app-insights-azure-ad-api.md).
## Prerequisites >
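Review bot: the stray period in `using Microsoft Entra ID. authentication` is inherited from the old `Azure AD. authentication` text; the `+` line should read `using Microsoft Entra authentication`, matching the title and the link text on the same line.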
-The following prerequisites enable Azure AD authenticated ingestion. You need to:
+The following prerequisites enable Microsoft Entra authenticated ingestion. You need to:
- Be in the public cloud. - Have familiarity with:
The following prerequisites enable Azure AD authenticated ingestion. You need to
## Unsupported scenarios
-The following SDKs and features are unsupported for use with Azure AD authenticated ingestion:
+The following SDKs and features are unsupported for use with Microsoft Entra authenticated ingestion:
- [Application Insights Java 2.x SDK](deprecated-java-2x.md#monitor-dependencies-caught-exceptions-and-method-execution-times-in-java-web-apps).<br>
- Azure AD authentication is only available for Application Insights Java Agent greater than or equal to 3.2.0.
+ Microsoft Entra authentication is only available for Application Insights Java Agent greater than or equal to 3.2.0.
- [ApplicationInsights JavaScript web SDK](javascript.md). - [Application Insights OpenCensus Python SDK](/previous-versions/azure/azure-monitor/app/opencensus-python) with Python version 3.4 and 3.5.-- [Certificate/secret-based Azure AD](../../active-directory/authentication/active-directory-certificate-based-authentication-get-started.md) isn't recommended for production. Use managed identities instead.
+- [Certificate/secret-based Microsoft Entra ID](../../active-directory/authentication/active-directory-certificate-based-authentication-get-started.md) isn't recommended for production. Use managed identities instead.
- On-by-default codeless monitoring (for languages) for Azure App Service, Azure Virtual Machines/Azure Virtual Machine Scale Sets, and Azure Functions. - [Availability tests](availability-overview.md). - [Profiler](profiler-overview.md).
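Review bot: `Certificate/secret-based Microsoft Entra ID isn't recommended for production` now reads as if the product itself were certificate- or secret-based; the subject is the credential type, so `Certificate/secret-based Microsoft Entra authentication` (or `...credentials`) keeps the original meaning. The pointer to managed identities is the right advice and could state why in a few words: no secret is issued, so none can be leaked or left unrotated.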
-## Configure and enable Azure AD-based authentication
+<a name='configure-and-enable-azure-ad-based-authentication'></a>
+
+## Configure and enable Microsoft Entra ID-based authentication
1. If you don't already have an identity, create one by using either a managed identity or a service principal.
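Review bot: the added `<a name='configure-and-enable-azure-ad-based-authentication'></a>` is needed, not optional: live-stream.md, further down in this change set, still links to `./azure-ad-authentication.md#configure-and-enable-azure-ad-based-authentication`, so keep the anchor until every cross-reference has been moved to the new heading slug.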
The following SDKs and features are unsupported for use with Azure AD authentica
- We don't recommend using a service principal:
- For more information on how to create an Azure AD application and service principal that can access resources, see [Create a service principal](../../active-directory/develop/howto-create-service-principal-portal.md).
+ For more information on how to create a Microsoft Entra application and service principal that can access resources, see [Create a service principal](../../active-directory/develop/howto-create-service-principal-portal.md).
1. Assign a role to the Azure service.
The following SDKs and features are unsupported for use with Azure AD authentica
### [.NET](#tab/net) > [!NOTE]
-> Support for Azure AD in the Application Insights .NET SDK is included starting with [version 2.18-Beta3](https://www.nuget.org/packages/Microsoft.ApplicationInsights/2.18.0-beta3).
+> Support for Microsoft Entra ID in the Application Insights .NET SDK is included starting with [version 2.18-Beta3](https://www.nuget.org/packages/Microsoft.ApplicationInsights/2.18.0-beta3).
Application Insights .NET SDK supports the credential classes provided by [Azure Identity](https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/identity/Azure.Identity#credential-classes).
services.AddApplicationInsightsTelemetry(new ApplicationInsightsServiceOptions
### [Node.js](#tab/nodejs) > [!NOTE]
-> Support for Azure AD in the Application Insights Node.JS is included starting with [version 2.1.0-beta.1](https://www.npmjs.com/package/applicationinsights/v/2.1.0-beta.1).
+> Support for Microsoft Entra ID in the Application Insights Node.JS is included starting with [version 2.1.0-beta.1](https://www.npmjs.com/package/applicationinsights/v/2.1.0-beta.1).
Application Insights Node.JS supports the credential classes provided by [Azure Identity](https://github.com/Azure/azure-sdk-for-js/tree/master/sdk/identity/identity#credential-classes).
appInsights.defaultClient.config.aadTokenCredential = credential;
### [Java](#tab/java) > [!NOTE]
-> Support for Azure AD in the Application Insights Java agent is included starting with [Java 3.2.0-BETA](https://github.com/microsoft/ApplicationInsights-Java/releases/tag/3.2.0-BETA).
+> Support for Microsoft Entra ID in the Application Insights Java agent is included starting with [Java 3.2.0-BETA](https://github.com/microsoft/ApplicationInsights-Java/releases/tag/3.2.0-BETA).
1. [Configure your application with the Java agent.](opentelemetry-enable.md?tabs=java#get-started)
appInsights.defaultClient.config.aadTokenCredential = credential;
#### System-assigned managed identity
-The following example shows how to configure the Java agent to use system-assigned managed identity for authentication with Azure AD.
+The following example shows how to configure the Java agent to use system-assigned managed identity for authentication with Microsoft Entra ID.
```JSON {
The following example shows how to configure the Java agent to use system-assign
#### User-assigned managed identity
-The following example shows how to configure the Java agent to use user-assigned managed identity for authentication with Azure AD.
+The following example shows how to configure the Java agent to use user-assigned managed identity for authentication with Microsoft Entra ID.
```JSON {
The following example shows how to configure the Java agent to use user-assigned
#### Client secret
-The following example shows how to configure the Java agent to use a service principal for authentication with Azure AD. We recommend using this type of authentication only during development. The ultimate goal of adding the authentication feature is to eliminate secrets.
+The following example shows how to configure the Java agent to use a service principal for authentication with Microsoft Entra ID. We recommend using this type of authentication only during development. The ultimate goal of adding the authentication feature is to eliminate secrets.
```JSON {
The following example shows how to configure the Java agent to use a service pri
#### Environment variable configuration
-The `APPLICATIONINSIGHTS_AUTHENTICATION_STRING` environment variable lets Application Insights authenticate to Azure AD and send telemetry.
+The `APPLICATIONINSIGHTS_AUTHENTICATION_STRING` environment variable lets Application Insights authenticate to Microsoft Entra ID and send telemetry.
- For system-assigned identity:
export APPLICATIONINSIGHTS_AUTHENTICATION_STRING="Authorization=AAD"
set APPLICATIONINSIGHTS_AUTHENTICATION_STRING="Authorization=AAD" ```
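Review bot: `Authorization=AAD` in `APPLICATIONINSIGHTS_AUTHENTICATION_STRING` is a literal the agent parses, so it is correct that it stays `AAD` while the prose around it is renamed; a one-line remark that the configuration value is unchanged would keep readers from "fixing" it to `Entra` and silently losing authenticated ingestion.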
-After setting it, restart your application. It now sends telemetry to Application Insights using Azure AD authentication.
+After setting it, restart your application. It now sends telemetry to Application Insights using Microsoft Entra authentication.
### [Python](#tab/python) > [!NOTE]
-> Azure AD authentication is only available for Python v2.7, v3.6, and v3.7. Support for Azure AD in the Application Insights Opencensus Python SDK
+> Microsoft Entra authentication is only available for Python v2.7, v3.6, and v3.7. Support for Microsoft Entra ID in the Application Insights Opencensus Python SDK
is included starting with beta version [opencensus-ext-azure 1.1b0](https://pypi.org/project/opencensus-ext-azure/1.1b0/). Construct the appropriate [credentials](/python/api/overview/azure/identity-readme#credentials) and pass them into the constructor of the Azure Monitor exporter. Make sure your connection string is set up with the instrumentation key and ingestion endpoint of your resource.
tracer = Tracer(
## Disable local authentication
-After the Azure AD authentication is enabled, you can choose to disable local authentication. This configuration allows you to ingest telemetry authenticated exclusively by Azure AD and affects data access (for example, through API keys).
+After the Microsoft Entra authentication is enabled, you can choose to disable local authentication. This configuration allows you to ingest telemetry authenticated exclusively by Microsoft Entra ID and affects data access (for example, through API keys).
You can disable local authentication by using the Azure portal or Azure Policy or programmatically.
The following example shows the policy template definition:
### Programmatic enablement
-The property `DisableLocalAuth` is used to disable any local authentication on your Application Insights resource. When this property is set to `true`, it enforces that Azure AD authentication must be used for all access.
+The property `DisableLocalAuth` is used to disable any local authentication on your Application Insights resource. When this property is set to `true`, it enforces that Microsoft Entra authentication must be used for all access.
The following example shows the Azure Resource Manager template you can use to create a workspace-based Application Insights resource with `LocalAuth` disabled.
The following example shows the Azure Resource Manager template you can use to c
### Token audience
-When developing a custom client to obtain an access token from Azure AD for submitting telemetry to Application Insights, refer to the following table to determine the appropriate audience string for your particular host environment.
+When developing a custom client to obtain an access token from Microsoft Entra ID for submitting telemetry to Application Insights, refer to the following table to determine the appropriate audience string for your particular host environment.
| Azure cloud version | Token audience value | | | |
The ingestion service returns specific errors, regardless of the SDK language. N
#### HTTP/1.1 400 Authentication not supported
-This error indicates that the resource is configured for Azure AD only. The SDK hasn't been correctly configured and is sending to the incorrect API.
+This error indicates that the resource is configured for Microsoft Entra-only. The SDK hasn't been correctly configured and is sending to the incorrect API.
> [!NOTE]
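Review bot: `configured for Microsoft Entra-only` introduces a hyphen the original `Azure AD only` did not have and hyphenates a product name; `configured for Microsoft Entra ID only` or `configured to accept only Microsoft Entra authentication` reads better. It would also help to state the fix here the way the 401 section does: configure a credential so the SDK sends to the authenticated `v2.1/track` endpoint named in the note below.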
-> "v2/track" doesn't support Azure AD. When the SDK is correctly configured, telemetry will be sent to "v2.1/track".
+> "v2/track" doesn't support Microsoft Entra ID. When the SDK is correctly configured, telemetry will be sent to "v2.1/track".
Next, you should review the SDK configuration. #### HTTP/1.1 401 Authorization required
-This error indicates that the SDK is correctly configured but it's unable to acquire a valid token. This error might indicate an issue with Azure AD.
+This error indicates that the SDK is correctly configured but it's unable to acquire a valid token. This error might indicate an issue with Microsoft Entra ID.
Next, you should identify exceptions in the SDK logs or network errors from Azure Identity.
If the SDK fails to get a token, the exception message is logged as
### [Node.js](#tab/nodejs)
-Internal logs could be turned on by using the following setup. After they're enabled, error logs will be shown in the console, including any error related to Azure AD integration. Examples include failure to generate the token when the wrong credentials are supplied or errors when the ingestion endpoint fails to authenticate by using the provided credentials.
+Internal logs could be turned on by using the following setup. After they're enabled, error logs will be shown in the console, including any error related to Microsoft Entra integration. Examples include failure to generate the token when the wrong credentials are supplied or errors when the ingestion endpoint fails to authenticate by using the provided credentials.
```javascript let appInsights = require("applicationinsights");
You can inspect network traffic by using a tool like Fiddler. To enable the traf
Or add the following JVM args while running your application: `-Djava.net.useSystemProxies=true -Dhttps.proxyHost=localhost -Dhttps.proxyPort=8888`
-If Azure AD is enabled in the agent, outbound traffic includes the HTTP header `Authorization`.
+If Microsoft Entra ID is enabled in the agent, outbound traffic includes the HTTP header `Authorization`.
#### 401 Unauthorized
-If the following WARN message is seen in the log file `WARN c.m.a.TelemetryChannel - Failed to send telemetry with status code: 401, please check your credentials`, it indicates the agent wasn't successful in sending telemetry. You probably haven't enabled Azure AD authentication on the agent, but your Application Insights resource is configured with `DisableLocalAuth: true`. Make sure you're passing in a valid credential and that it has permission to access your Application Insights resource.
+If the following WARN message is seen in the log file `WARN c.m.a.TelemetryChannel - Failed to send telemetry with status code: 401, please check your credentials`, it indicates the agent wasn't successful in sending telemetry. You probably haven't enabled Microsoft Entra authentication on the agent, but your Application Insights resource is configured with `DisableLocalAuth: true`. Make sure you're passing in a valid credential and that it has permission to access your Application Insights resource.
If you're using Fiddler, you might see the response header `HTTP/1.1 401 Unauthorized - please provide the valid authorization token`.
This error usually occurs when the provided credentials don't grant access to in
* [Monitor your telemetry in the portal](overview-dashboard.md) * [Diagnose with Live Metrics Stream](live-stream.md)
-* [Query Application Insights using Azure AD Authentication](./app-insights-azure-ad-api.md)
--
+* [Query Application Insights using Microsoft Entra authentication](./app-insights-azure-ad-api.md)
azure-monitor Azure Vm Vmss Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-vm-vmss-apps.md
If your extension deployed successfully but you're unable to see telemetry, it c
- Updated Application Insights .NET/.NET Core SDK to 2.20.1 - red field. - Enabled SQL query collection.-- Enabled support for Azure Active Directory authentication.
+- Enabled support for Microsoft Entra authentication.
### 2.8.42
azure-monitor Azure Web Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/azure-web-apps.md
To find which version of the extension you're currently using, go to `https://<y
#### 2.8.42 - JAVA extension: Upgraded to [Java Agent 3.2.0](https://github.com/microsoft/ApplicationInsights-Java/releases/tag/3.2.0) from 2.5.1.-- Node.js extension: Updated AI SDK to [2.1.8](https://github.com/microsoft/ApplicationInsights-node.js/releases/tag/2.1.8) from 2.1.7. Added support for User and System assigned Azure AD Managed Identities.
+- Node.js extension: Updated AI SDK to [2.1.8](https://github.com/microsoft/ApplicationInsights-node.js/releases/tag/2.1.8) from 2.1.7. Added support for User and System assigned Microsoft Entra managed identities.
- .NET Core: Added self-contained deployments and .NET 6.0 support using [.NET Startup Hook](https://github.com/dotnet/runtime/blob/main/docs/design/features/host-startup-hook.md). #### 2.8.41
azure-monitor Codeless Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/codeless-overview.md
Title: Autoinstrumentation for Azure Monitor Application Insights
description: Overview of autoinstrumentation for Azure Monitor Application Insights codeless application performance management. Previously updated : 09/12/2023 Last updated : 10/10/2023
Links are provided to more information for each supported scenario.
|Environment/Resource provider | .NET Framework | .NET Core / .NET | Java | Node.js | Python | |-|||-|-|--|
-|Azure App Service on Windows - Publish as Code | [ :white_check_mark: :link: ](azure-web-apps-net.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](azure-web-apps-net-core.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](azure-web-apps-java.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md) <sup>[1](#OnBD)</sup> | :x: |
-|Azure App Service on Windows - Publish as Docker | [ :white_check_mark: ](https://azure.github.io/AppService/2022/04/11/windows-containers-app-insights-preview.html) <sup>[2](#Preview)</sup> | [ :white_check_mark: ](https://azure.github.io/AppService/2022/04/11/windows-containers-app-insights-preview.html) <sup>[2](#Preview)</sup> | [ :white_check_mark: ](https://azure.github.io/AppService/2022/04/11/windows-containers-app-insights-preview.html) <sup>[2](#Preview)</sup> | :x: | :x: |
-|Azure App Service on Linux - Publish as Code | :x: | [ :white_check_mark: :link: ](azure-web-apps-net-core.md?tabs=linux) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](azure-web-apps-java.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md?tabs=linux) | :x: |
+|Azure App Service on Windows - Publish as Code | [ :white_check_mark: :link: ](azure-web-apps-net.md) ┬╣ | :x: |
+|Azure App Service on Windows - Publish as Docker | [ :white_check_mark: ](https://azure.github.io/AppService/2022/04/11/windows-containers-app-insights-preview.html) ┬▓ | :x: | :x: |
+|Azure App Service on Linux - Publish as Code | :x: | [ :white_check_mark: :link: ](azure-web-apps-net-core.md?tabs=linux) ┬╣ | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md?tabs=linux) | :x: |
|Azure App Service on Linux - Publish as Docker | :x: | :x: | [ :white_check_mark: :link: ](azure-web-apps-java.md) | [ :white_check_mark: :link: ](azure-web-apps-nodejs.md?tabs=linux) | :x: |
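Review bot: the three replaced rows have fewer cells than the six-column header (`|Environment/Resource provider | .NET Framework | .NET Core / .NET | Java | Node.js | Python |`): the Windows/Code row shows three cells and the Windows/Docker row four where the removed lines had six, and the Linux/Code row has lost its Java link, so several entries appear to have been dropped rather than re-footnoted; please check the rendered table. As shown here the superscripts also appear as `┬╣`/`┬▓` rather than `¹`/`²`, which suggests the file was saved in a non-UTF-8 encoding.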
-|Azure Functions - basic | [ :white_check_mark: :link: ](monitor-functions.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](monitor-functions.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](monitor-functions.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](monitor-functions.md) <sup>[1](#OnBD)</sup> | [ :white_check_mark: :link: ](monitor-functions.md) <sup>[1](#OnBD)</sup> |
+|Azure Functions - basic | [ :white_check_mark: :link: ](monitor-functions.md) ┬╣ |
|Azure Functions - dependencies | :x: | :x: | [ :white_check_mark: :link: ](monitor-functions.md) | :x: | [ :white_check_mark: :link: ](monitor-functions.md#distributed-tracing-for-python-function-apps) | |Azure Spring Cloud | :x: | :x: | [ :white_check_mark: :link: ](azure-web-apps-java.md) | :x: | :x: | |Azure Kubernetes Service (AKS) | :x: | :x: | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: |
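Review bot: the `Azure Functions - basic` row was collapsed from five footnoted cells to a single cell, so the .NET Core, Java, Node.js and Python columns now render empty for that row; restore one cell per column, each with the superscript, or the table no longer says those runtimes are on by default.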
-|Azure VMs Windows | [ :white_check_mark: :link: ](azure-vm-vmss-apps.md) <sup>[2](#Preview)</sup> <sup>[3](#Agent)</sup> | [ :white_check_mark: :link: ](azure-vm-vmss-apps.md) <sup>[2](#Preview)</sup> <sup>[3](#Agent)</sup> | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: |
-|On-premises VMs Windows | [ :white_check_mark: :link: ](application-insights-asp-net-agent.md) <sup>[3](#Agent)</sup> | [ :white_check_mark: :link: ](application-insights-asp-net-agent.md) <sup>[2](#Preview)</sup> <sup>[3](#Agent)</sup> | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: |
+|Azure VMs Windows | [ :white_check_mark: :link: ](azure-vm-vmss-apps.md) ┬▓ | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: |
+|On-premises VMs Windows | [ :white_check_mark: :link: ](application-insights-asp-net-agent.md) ┬│ | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: |
|Standalone agent - any environment | :x: | :x: | [ :white_check_mark: :link: ](opentelemetry-enable.md?tabs=java) | :x: | :x: | **Footnotes**-- <a name="OnBD">1</a>: Application Insights is on by default and enabled automatically.-- <a name="Preview">2</a>: This feature is in public preview. See [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).-- <a name="Agent">3</a>: An agent must be deployed and configured.
+- ┬╣: Application Insights is on by default and enabled automatically.
+- ┬▓: This feature is in public preview. See [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+- ┬│: An agent must be deployed and configured.
> [!NOTE] > Autoinstrumentation was known as "codeless attach" before October 2021.
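Review bot: replacing `<a name="OnBD">`, `<a name="Preview">` and `<a name="Agent">` with bare superscript characters removes the footnote anchors, so table cells no longer link to their footnotes and any existing links to `#OnBD`, `#Preview` or `#Agent` break; keep the anchors (or add equivalent `<a name>` targets) beside the new superscripts. In the VM hunk above, the Azure VMs row previously carried both footnotes 2 and 3 and the on-premises .NET Core cell carried 2 and 3 as well, but the `+` lines keep only one superscript per row, so the "agent must be deployed" and preview caveats are lost for those cells.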
azure-monitor Convert Classic Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/convert-classic-resource.md
Title: Migrate an Application Insights classic resource to a workspace-based resource - Azure Monitor | Microsoft Docs description: Learn how to upgrade your Application Insights classic resource to the new workspace-based model. Previously updated : 08/11/2023 Last updated : 10/11/2023
To migrate a classic Application Insights resource to a workspace-based resource
:::image type="content" source="./media/convert-classic-resource/migrate.png" lightbox="./media/convert-classic-resource/migrate.png" alt-text="Screenshot that shows the Migrate to Workspace-based button.":::
-1. Select the Log Analytics workspace where you want all future ingested Application Insights telemetry to be stored. It can either be a Log Analytics workspace in the same subscription or a different subscription that shares the same Azure Active Directory tenant. The Log Analytics workspace doesn't have to be in the same resource group as the Application Insights resource.
+1. Select the Log Analytics workspace where you want all future ingested Application Insights telemetry to be stored. It can either be a Log Analytics workspace in the same subscription or a different subscription that shares the same Microsoft Entra tenant. The Log Analytics workspace doesn't have to be in the same resource group as the Application Insights resource.
> [!NOTE] > Migrating to a workspace-based resource can take up to 24 hours, but the process is usually faster. Rely on accessing data through your Application Insights resource while you wait for the migration process to finish. After it's finished, you'll see new data stored in the Log Analytics workspace tables.
azure-monitor Custom Operations Tracking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/custom-operations-tracking.md
description: Learn how to track custom operations with the Application Insights
ms.devlang: csharp Previously updated : 08/11/2023 Last updated : 10/10/2023
azure-monitor Distributed Tracing Telemetry Correlation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/distributed-tracing-telemetry-correlation.md
Title: Distributed tracing and telemetry correlation in Azure Application Insights description: This article provides information about distributed tracing and telemetry correlation Previously updated : 03/30/2023 Last updated : 10/11/2023 ms.devlang: csharp, java, javascript, python
azure-monitor Java Get Started Supplemental https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-get-started-supplemental.md
Title: Application Insights with containers description: This article shows you how to set-up Application Insights Previously updated : 09/18/2023 Last updated : 10/10/2023 ms.devlang: java
azure-monitor Java Standalone Config https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-config.md
Title: Configuration options - Azure Monitor Application Insights for Java description: This article shows you how to configure Azure Monitor Application Insights for Java. Previously updated : 09/18/2023 Last updated : 10/10/2023 ms.devlang: java
By default, Application Insights Java 3.x sends a heartbeat metric once every 15
> [!NOTE] > The authentication feature is GA since version 3.4.17.
-You can use authentication to configure the agent to generate [token credentials](/java/api/overview/azure/identity-readme#credentials) that are required for Azure Active Directory authentication.
+You can use authentication to configure the agent to generate [token credentials](/java/api/overview/azure/identity-readme#credentials) that are required for Microsoft Entra authentication.
For more information, see the [Authentication](./azure-ad-authentication.md) documentation. ## HTTP proxy
azure-monitor Java Standalone Sampling Overrides https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-sampling-overrides.md
those are also collected for all '/login' requests.
Span attribute names are based on the OpenTelemetry semantic conventions:
-* [HTTP](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/semantic_conventions/http.md)
-* [Messaging](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/semantic_conventions/messaging.md)
-* [Database](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/semantic_conventions/database.md)
-* [RPC](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/semantic_conventions/rpc.md)
+* [HTTP](https://github.com/open-telemetry/semantic-conventions/blob/main/docs//http.md)
+* [Messaging](https://github.com/open-telemetry/semantic-conventions/blob/main/docs//messaging.md)
+* [Database](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/database/README.md)
+* [RPC](https://github.com/open-telemetry/semantic-conventions/blob/main/docs//rpc.md)
To see the exact set of attributes captured by Application Insights Java for your application, set the [self-diagnostics level to debug](./java-standalone-config.md#self-diagnostics), and look for debug messages starting
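Review bot: each of the new HTTP, Messaging and RPC links contains an empty path segment (`docs//http.md`, `docs//messaging.md`, `docs//rpc.md`), which looks like a placeholder left by a search-and-replace; the Database link in the same hunk was given a real subdirectory (`docs/database/README.md`) and the others were not, so verify that all four resolve in the open-telemetry/semantic-conventions repository before merging.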
azure-monitor Java Standalone Telemetry Processors Examples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-telemetry-processors-examples.md
Title: Telemetry processor examples - Azure Monitor Application Insights for Java description: Explore examples that show telemetry processors in Azure Monitor Application Insights for Java. Previously updated : 09/12/2023 Last updated : 10/11/2023 ms.devlang: java
azure-monitor Java Standalone Telemetry Processors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/java-standalone-telemetry-processors.md
Title: Telemetry processors (preview) - Azure Monitor Application Insights for Java description: Learn to configure telemetry processors in Azure Monitor Application Insights for Java. Previously updated : 09/12/2023 Last updated : 10/11/2023 ms.devlang: java
This section lists some common span attributes that telemetry processors can use
| Attribute | Type | Description | ||||
-| `db.system` | string | Identifier for the database management system (DBMS) product being used. See [list of identifiers](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/semantic_conventions/database.md#connection-level-attributes). |
+| `db.system` | string | Identifier for the database management system (DBMS) product being used. See [list of identifiers](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/database/README.md). |
| `db.connection_string` | string | Connection string used to connect to the database. It's recommended to remove embedded credentials.| | `db.user` | string | Username for accessing the database. | | `db.name` | string | String used to report the name of the database being accessed. For commands that switch the database, this string should be set to the target database, even if the command fails.|
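Review bot: the replacement link for `db.system` drops the `#connection-level-attributes` fragment and points at the database README as a whole, so "See list of identifiers" no longer lands on the enumeration of `db.system` values; link to the section that lists them, or reword to "see the database semantic conventions". While this table is open, the `db.connection_string` row's advice to remove embedded credentials would be more useful in this article if it said that a telemetry processor is the place to strip them before export.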
azure-monitor Javascript Feature Extensions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-feature-extensions.md
description: Learn how to install and use JavaScript feature extensions (Click A
ibiza Previously updated : 09/12/2023 Last updated : 10/11/2023 ms.devlang: javascript
azure-monitor Javascript Sdk Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-sdk-upgrade.md
Title: Azure Application Insights JavaScript SDK upgrade information description: Azure Application Insights JavaScript SDK upgrade information Previously updated : 02/13/2023 Last updated : 10/11/2023 ms.devlang: javascript
azure-monitor Javascript Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/javascript-sdk.md
Title: Microsoft Azure Monitor Application Insights JavaScript SDK description: Microsoft Azure Monitor Application Insights JavaScript SDK is a powerful tool for monitoring and analyzing web application performance. Previously updated : 09/12/2023 Last updated : 10/11/2023 ms.devlang: javascript
azure-monitor Live Stream https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/live-stream.md
If you want to monitor a particular server role instance, you can filter by serv
Live Metrics custom filters allow you to control which of your application's telemetry is streamed to the Live Metrics view in the Azure portal. The filters criteria are sent to the apps that are instrumented with the Application Insights SDK. The filter value could potentially contain sensitive information, such as the customer ID. To keep this value secured and prevent potential disclosure to unauthorized applications, you have two options: -- **Recommended:** Secure the Live Metrics channel by using [Azure Active Directory (Azure AD) authentication](./azure-ad-authentication.md#configure-and-enable-azure-ad-based-authentication).
+- **Recommended:** Secure the Live Metrics channel by using [Microsoft Entra authentication](./azure-ad-authentication.md#configure-and-enable-azure-ad-based-authentication).
- **Legacy (no longer recommended):** Set up an authenticated channel by configuring a secret API key as explained in the "Legacy option" section. > [!NOTE]
-> On September 30, 2025, API keys used to stream Live Metrics telemetry into Application Insights will be retired. After that date, applications that use API keys won't be able to send Live Metrics data to your Application Insights resource. Authenticated telemetry ingestion for Live Metrics streaming to Application Insights will need to be done with [Azure AD authentication for Application Insights](./azure-ad-authentication.md).
+> On September 30, 2025, API keys used to stream Live Metrics telemetry into Application Insights will be retired. After that date, applications that use API keys won't be able to send Live Metrics data to your Application Insights resource. Authenticated telemetry ingestion for Live Metrics streaming to Application Insights will need to be done with [Microsoft Entra authentication for Application Insights](./azure-ad-authentication.md).
It's possible to try custom filters without having to set up an authenticated channel. Select any of the filter icons and authorize the connected servers. If you choose this option, you have to authorize the connected servers once every new session or whenever a new server comes online.
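Review bot: the renamed `+` bullet still links to the fragment `#configure-and-enable-azure-ad-based-authentication`; if the heading in azure-ad-authentication.md was renamed to Microsoft Entra in the same sweep, this anchor breaks unless that article kept an `<a name>` for the old id, as other hunks in this change set do. The closing context line should also make explicit that trying filters without an authenticated channel is the unauthenticated path, so a filter value such as a customer ID is sent to every server that is authorized in that session, which is the exposure the recommended option guards against.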
azure-monitor Migrate From Instrumentation Keys To Connection Strings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/migrate-from-instrumentation-keys-to-connection-strings.md
This process can be [automated in your Azure deployments](../../azure-resource-m
Connection strings provide a single configuration setting and eliminate the need for multiple proxy settings. - **Reliability**: Connection strings make telemetry ingestion more reliable by removing dependencies on global ingestion endpoints.-- **Security**: Connection strings allow authenticated telemetry ingestion by using [Azure Active Directory (Azure AD) authentication for Application Insights](azure-ad-authentication.md).
+- **Security**: Connection strings allow authenticated telemetry ingestion by using [Microsoft Entra authentication for Application Insights](azure-ad-authentication.md).
- **Customized endpoints (sovereign or hybrid cloud environments)**: Endpoint settings allow sending data to a specific Azure Government region. ([See examples](sdk-connection-string.md#set-a-connection-string).) - **Privacy (regional endpoints)**: Connection strings ease privacy concerns by sending data to regional endpoints, ensuring data doesn't leave a geographic region.
The connection string is also included in the Resource Manager resource properti
Autoinstrumentation scenarios aren't affected.
-### Can I use Azure AD authentication with autoinstrumentation?
+<a name='can-i-use-azure-ad-authentication-with-autoinstrumentation'></a>
-You can't enable [Azure AD authentication](azure-ad-authentication.md) for [autoinstrumentation](codeless-overview.md) scenarios. We have plans to address this limitation in the future.
+### Can I use Microsoft Entra authentication with autoinstrumentation?
+
+You can't enable [Microsoft Entra authentication](azure-ad-authentication.md) for [autoinstrumentation](codeless-overview.md) scenarios. We have plans to address this limitation in the future.
### What's the difference between global and regional ingestion?
azure-monitor Nodejs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/nodejs.md
Title: Monitor Node.js services with Application Insights | Microsoft Docs description: Monitor performance and diagnose problems in Node.js services with Application Insights. Previously updated : 09/12/2023 Last updated : 10/11/2023 ms.devlang: javascript
azure-monitor Opentelemetry Add Modify https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-add-modify.md
Title: Add, modify, and filter Azure Monitor OpenTelemetry for .NET, Java, Node.js, and Python applications description: This article provides guidance on how to add, modify, and filter OpenTelemetry for applications using Azure Monitor. Previously updated : 09/12/2023 Last updated : 10/10/2023 ms.devlang: csharp, javascript, typescript, python
The distros automatically collect data by bundling OpenTelemetry instrumentation
Requests - [ASP.NET
- Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.AspNetCore/README.md) <sup>[1](#FOOTNOTEONE)</sup> <sup>[2](#FOOTNOTETWO)</sup>
+ Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.AspNetCore/README.md) ┬╣
Dependencies-- [HttpClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.Http/README.md) <sup>[1](#FOOTNOTEONE)</sup> <sup>[2](#FOOTNOTETWO)</sup>-- [SqlClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.SqlClient/README.md) <sup>[1](#FOOTNOTEONE)</sup>
+- [HttpClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.Http/README.md) ┬╣
+- [SqlClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.SqlClient/README.md) ┬╣
Logging - `ILogger`
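Review bot: the `+` lines for ASP.NET Core and HttpClient carry only `┬╣`, but the `-` lines they replace had both footnote 1 and footnote 2 (`Supports OpenTelemetry Metrics`); SqlClient correctly keeps footnote 1 only. Unless metrics support for those two libraries was actually withdrawn, restore the second marker (`¹ ²`). The marker itself shows as `┬╣`, which is how `¹` (U+00B9) appears when a UTF-8 file is read as a Windows OEM code page; make sure the file is saved as UTF-8 and the rendered page shows the superscript.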
Metrics
* JMX Metrics Logs
-* Logback (including MDC properties) [1](#FOOTNOTEONE)</sup> <sup>[3](#FOOTNOTETHREE)</sup>
-* Log4j (including MDC/Thread Context properties) [1](#FOOTNOTEONE)</sup> <sup>[3](#FOOTNOTETHREE)</sup>
-* JBoss Logging (including MDC properties) [1](#FOOTNOTEONE)</sup> <sup>[3](#FOOTNOTETHREE)</sup>
-* java.util.logging [1](#FOOTNOTEONE)</sup> <sup>[3](#FOOTNOTETHREE)</sup>
+* Logback (including MDC properties) ┬╣ ┬│
+* Log4j (including MDC/Thread Context properties) ┬╣ ┬│
+* JBoss Logging (including MDC properties) ┬╣ ┬│
+* java.util.logging ┬╣ ┬│
Telemetry emitted by these Azure SDKs is automatically collected by default:
Telemetry emitted by these Azure SDKs is automatically collected by default:
The following OpenTelemetry Instrumentation libraries are included as part of the Azure Monitor Application Insights Distro. For more information, see [OpenTelemetry officially supported instrumentations](https://github.com/microsoft/ApplicationInsights-Python/tree/main/azure-monitor-opentelemetry#officially-supported-instrumentations). Requests-- [HTTP/HTTPS](https://github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http) <sup>[2](#FOOTNOTETWO)</sup>
+- [HTTP/HTTPS](https://github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http) ┬▓
Dependencies - [MongoDB](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/main/plugins/node/opentelemetry-instrumentation-mongodb)
Logs
#### [Python](#tab/python) Requests-- [Django](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-django) <sup>[1](#FOOTNOTEONE)</sup> <sup>[2](#FOOTNOTETWO)</sup>-- [FastApi](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-fastapi) <sup>[1](#FOOTNOTEONE)</sup> <sup>[2](#FOOTNOTETWO)</sup>-- [Flask](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-flask) <sup>[1](#FOOTNOTEONE)</sup> <sup>[2](#FOOTNOTETWO)</sup>
+- [Django](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-django) ┬╣
+- [FastApi](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-fastapi) ┬╣
+- [Flask](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-flask) ┬╣
Dependencies - [Psycopg2](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-psycopg2)-- [Requests](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-requests) <sup>[1](#FOOTNOTEONE)</sup> <sup>[2](#FOOTNOTETWO)</sup>-- [`Urllib`](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-urllib) <sup>[1](#FOOTNOTEONE)</sup> <sup>[2](#FOOTNOTETWO)</sup>-- [`Urllib3`](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-urllib3) <sup>[1](#FOOTNOTEONE)</sup> <sup>[2](#FOOTNOTETWO)</sup>
+- [Requests](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-requests) ┬╣
+- [`Urllib`](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-urllib) ┬╣
+- [`Urllib3`](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-urllib3) ┬╣
Logs-- [Python logging library](https://docs.python.org/3/howto/logging.html) <sup>[4](#FOOTNOTEFOUR)</sup>
+- [Python logging library](https://docs.python.org/3/howto/logging.html) ⁴
Examples of using the Python logging library can be found on [GitHub](https://github.com/microsoft/ApplicationInsights-Python/tree/main/azure-monitor-opentelemetry/samples/logging).
Telemetry emitted by Azure SDKS is automatically [collected](https://github.com/
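Review bot: same silent drop as in the .NET tab: Django, FastApi, Flask, Requests, `Urllib` and `Urllib3` each had `<sup>[1]</sup> <sup>[2]</sup>` and now carry only `┬╣`, so the "Supports OpenTelemetry Metrics" footnote disappears for all six Python instrumentations while Psycopg2 (no footnote) is unchanged. Confirm whether that is intended; if not, the `+` lines should read `¹ ²`. The Python logging entry also uses `⁴` (U+2074) while the other markers are Latin-1 `¹ ² ³`, and the two glyph sets render at different sizes in most fonts.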
**Footnotes**-- <a name="FOOTNOTEONE">1</a>: Supports automatic reporting of *unhandled/uncaught* exceptions-- <a name="FOOTNOTETWO">2</a>: Supports OpenTelemetry Metrics-- <a name="FOOTNOTETHREE">3</a>: By default, logging is only collected at INFO level or higher. To change this setting, see the [configuration options](./java-standalone-config.md#autocollected-logging).-- <a name="FOOTNOTEFOUR">4</a>: By default, logging is only collected when that logging is performed at the WARNING level or higher.
+- ┬╣: Supports automatic reporting of *unhandled/uncaught* exceptions
+- ┬▓: Supports OpenTelemetry Metrics
+- ┬│: By default, logging is only collected at INFO level or higher. To change this setting, see the [configuration options](./java-standalone-config.md#autocollected-logging).
+- ⁴: By default, logging is only collected when that logging is performed at the WARNING level or higher.
> [!NOTE] > The Azure Monitor OpenTelemetry Distros include custom mapping and logic to automatically emit [Application Insights standard metrics](standard-metrics.md).
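Review bot: removing the `<a name="FOOTNOTEONE">` to `FOOTNOTEFOUR` anchors together with the `<sup>[n](#…)</sup>` links turns clickable footnotes into bare superscripts, so a reader on the long Python tab has to scroll to find what `¹` means; keep the anchors on the definitions (`<a name="FOOTNOTEONE">¹</a>`) and link the markers to them. `- ┬╣:` also puts the colon directly after the superscript; pick one separator (`¹ Supports …` or `¹: Supports …`) and use it for all four entries.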
azure-monitor Opentelemetry Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-configuration.md
Title: Configure Azure Monitor OpenTelemetry for .NET, Java, Node.js, and Python applications description: This article provides configuration guidance for .NET, Java, Node.js, and Python applications. Previously updated : 09/12/2023 Last updated : 10/10/2023 ms.devlang: csharp, javascript, typescript, python
You might want to update the [Cloud Role Name](app-map.md#understand-the-cloud-r
### [ASP.NET Core](#tab/aspnetcore)
-Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [Resource Semantic Conventions](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/semantic_conventions/README.md).
+Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [Resource Semantic Conventions](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/README.md).
```csharp // Setting role name and role instance
app.Run();
### [.NET](#tab/net)
-Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [Resource Semantic Conventions](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/semantic_conventions/README.md).
+Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [Resource Semantic Conventions](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/README.md).
```csharp // Setting role name and role instance
To set the cloud role instance, see [cloud role instance](java-standalone-config
### [Node.js](#tab/nodejs)
-Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [Resource Semantic Conventions](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/semantic_conventions/README.md).
+Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [Resource Semantic Conventions](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/README.md).
```typescript // Import the useAzureMonitor function, the AzureMonitorOpenTelemetryOptions class, the Resource class, and the SemanticResourceAttributes class from the @azure/monitor-opentelemetry, @opentelemetry/resources, and @opentelemetry/semantic-conventions packages, respectively.
useAzureMonitor(options);
### [Python](#tab/python)
-Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [Resource Semantic Conventions](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/semantic_conventions/README.md).
+Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [Resource Semantic Conventions](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/README.md).
Set Resource attributes using the `OTEL_RESOURCE_ATTRIBUTES` and/or `OTEL_SERVICE_NAME` environment variables. `OTEL_RESOURCE_ATTRIBUTES` takes series of comma-separated key-value pairs. For example, to set the Cloud Role Name to `my-namespace.my-helloworld-service` and set Cloud Role Instance to `my-instance`, you can set `OTEL_RESOURCE_ATTRIBUTES` and `OTEL_SERVICE_NAME` as such: ```
export OTEL_TRACES_SAMPLER_ARG=0.1
> [!TIP] > When using fixed-rate/percentage sampling and you aren't sure what to set the sampling rate as, start at 5% (i.e., 0.05 sampling ratio) and adjust the rate based on the accuracy of the operations shown in the failures and performance blades. A higher rate generally results in higher accuracy. However, ANY sampling will affect accuracy so we recommend alerting on [OpenTelemetry metrics](opentelemetry-add-modify.md#metrics), which are unaffected by sampling.
-## Enable Entra ID (formerly Azure AD) authentication
+<a name='enable-entra-id-formerly-azure-ad-authentication'></a>
-You might want to enable Entra ID Authentication for a more secure connection to Azure, which prevents unauthorized telemetry from being ingested into your subscription.
+## Enable Microsoft Entra ID (formerly Azure AD) authentication
+
+You might want to enable Microsoft Entra authentication for a more secure connection to Azure, which prevents unauthorized telemetry from being ingested into your subscription.
#### [ASP.NET Core](#tab/aspnetcore)
azure-monitor Opentelemetry Enable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-enable.md
Title: Enable Azure Monitor OpenTelemetry for .NET, Java, Node.js, and Python applications description: This article provides guidance on how to enable Azure Monitor on applications by using OpenTelemetry. Previously updated : 09/18/2023 Last updated : 10/10/2023 ms.devlang: csharp, javascript, typescript, python
OpenTelemetry offerings are available for .NET, Node.js, Python and Java applica
|Language |Release Status | |-|-|
-|.NET (Exporter) | :white_check_mark: <sup>[1](#GA)</sup> |
-|Java | :white_check_mark: <sup>[1](#GA)</sup> |
-|Node.js | :white_check_mark: <sup>[1](#GA)</sup> |
-|Python | :white_check_mark: <sup>[1](#GA)</sup> |
-|ASP.NET Core | :warning: <sup>[2](#PREVIEW)</sup> |
+|.NET (Exporter) | :white_check_mark: ┬╣ |
+|Java | :white_check_mark: ┬╣ |
+|Node.js | :white_check_mark: ┬╣ |
+|Python | :white_check_mark: ┬╣ |
+|ASP.NET Core | :warning: ┬▓ |
**Footnotes**-- <a name="GA"> :white_check_mark: 1</a>: OpenTelemetry is available to all customers with formal support.-- <a name="PREVIEW"> :warning: 2</a>: OpenTelemetry is available as a public preview. [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)
+- ┬╣ :white_check_mark: : OpenTelemetry is available to all customers with formal support.
+- ┬▓ :warning: : OpenTelemetry is available as a public preview. [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)
> [!NOTE] > For a feature-by-feature release status, see the [FAQ](../faq.yml#what-s-the-current-release-state-of-features-within-the-azure-monitor-opentelemetry-distro-).
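Review bot: `- ┬╣ :white_check_mark: : OpenTelemetry is …` has a stray space before the second colon and reverses the previous order (marker before icon); `- :white_check_mark: ¹ OpenTelemetry is …` avoids the doubled colon. The `#GA` and `#PREVIEW` anchors are dropped as well, so any external link to `opentelemetry-enable.md#GA` now lands at the top of the page; keep `<a name="GA">` and `<a name="PREVIEW">` on the footnote lines.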
azure-monitor Opentelemetry Nodejs Exporter https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-nodejs-exporter.md
As part of using Application Insights instrumentation, we collect and send diagn
You might want to update the [Cloud Role Name](app-map.md#understand-the-cloud-role-name-within-the-context-of-an-application-map) and the Cloud Role Instance from the default values to something that makes sense to your team. They appear on the Application Map as the name underneath a node.
-Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [Resource Semantic Conventions](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/semantic_conventions/README.md).
+Set the Cloud Role Name and the Cloud Role Instance via [Resource](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/resource/sdk.md#resource-sdk) attributes. Cloud Role Name uses `service.namespace` and `service.name` attributes, although it falls back to `service.name` if `service.namespace` isn't set. Cloud Role Instance uses the `service.instance.id` attribute value. For information on standard attributes for resources, see [Resource Semantic Conventions](https://github.com/open-telemetry/semantic-conventions/blob/main/docs/README.md).
```javascript ...
azure-monitor Opentelemetry Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-overview.md
There are two methods to instrument your application:
**Autoinstrumentation** enables telemetry collection through configuration without touching the application's code. Although it's more convenient, it tends to be less configurable. It's also not available in all languages. See [Autoinstrumentation supported environments and languages](codeless-overview.md). When autoinstrumentation is available, it's the easiest way to enable Azure Monitor Application Insights. > [!TIP]
-> Currently, [Azure AD Authentication](azure-ad-authentication.md) is not available with autoinstrumentation. If you require AAD Auth, you'll need to use manual instrumentation.
+> Currently, [Microsoft Entra authentication](azure-ad-authentication.md) is not available with autoinstrumentation. If you require Microsoft Entra auth, you'll need to use manual instrumentation.
**Manual instrumentation** is coding against the Application Insights or OpenTelemetry API. In the context of a user, it typically refers to installing a language-specific SDK in an application. There are two options for manual instrumentation:
azure-monitor Opentelemetry Python Opencensus Migrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/opentelemetry-python-opencensus-migrate.md
Title: Migrating Azure Monitor Application Insights Python from OpenCensus to OpenTelemetry description: This article provides guidance on how to migrate from the Azure Monitor Application Insights Python SDK and OpenCensus exporter to OpenTelemetry. Previously updated : 09/12/2023 Last updated : 10/10/2023 ms.devlang: python
azure-monitor Resources Roles Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/resources-roles-access-control.md
Along with the resource you created for your application, there are also separat
You must have Owner rights to the subscription or the resource group.
-The user must have a [Microsoft account][account] or access to their [organizational Microsoft account](../../active-directory/fundamentals/sign-up-organization.md). You can provide access to individuals and also to user groups defined in Azure Active Directory.
+The user must have a [Microsoft account][account] or access to their [organizational Microsoft account](../../active-directory/fundamentals/sign-up-organization.md). You can provide access to individuals and also to user groups defined in Microsoft Entra ID.
#### Go to a resource group or directly to the resource itself
azure-monitor Sampling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sampling.md
Title: Telemetry sampling in Azure Application Insights | Microsoft Docs description: How to keep the volume of telemetry under control. Previously updated : 08/11/2023 Last updated : 10/11/2023
azure-monitor Sdk Connection String https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/sdk-connection-string.md
For more information, see [Regions that require endpoint modification](./create-
#### Is the connection string a secret?
-The connection string contains an ikey, which is a unique identifier used by the ingestion service to associate telemetry to a specific Application Insights resource. It's not considered a security token or key. If you want to protect your AI resource from misuse, the ingestion endpoint provides authenticated telemetry ingestion options based on Azure Active Directory (Azure AD).
+The connection string contains an ikey, which is a unique identifier used by the ingestion service to associate telemetry to a specific Application Insights resource. It's not considered a security token or key. If you want to protect your AI resource from misuse, the ingestion endpoint provides authenticated telemetry ingestion options based on Microsoft Entra ID.
> [!NOTE]
-> The Application Insights JavaScript SDK requires the connection string to be passed in during initialization and configuration. It's viewable in plain text in client browsers. There's no easy way to use the Azure AD-based authentication for browser telemetry. We recommend that you consider creating a separate Application Insights resource for browser telemetry if you need to secure the service telemetry.
+> The Application Insights JavaScript SDK requires the connection string to be passed in during initialization and configuration. It's viewable in plain text in client browsers. There's no easy way to use the Microsoft Entra ID-based authentication for browser telemetry. We recommend that you consider creating a separate Application Insights resource for browser telemetry if you need to secure the service telemetry.
## Connection string examples
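Review bot: the `+` line keeps "protect your AI resource from misuse", and "AI" is now ambiguous on a page that also discusses Microsoft Entra ID; spell it out as "Application Insights resource". The following note is the security-relevant part of this hunk and is worth tightening: because the ikey in the connection string is visible in browser clients and is not a secret, the only control that keeps a third party from writing into the resource is Entra-authenticated ingestion, which the browser SDK cannot use, so the separate-resource recommendation is a containment measure rather than a fix.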
azure-monitor Tutorial Asp Net Core https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/tutorial-asp-net-core.md
description: Application Insights SDK tutorial to monitor ASP.NET Core web appli
ms.devlang: csharp Previously updated : 04/24/2023 Last updated : 10/11/2023
azure-monitor Usage Heart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/app/usage-heart.md
These dimensions are measured independently, but they interact with each other.
| customEvents | timestamp | Datetime of event | | customEvents | operation_Id | Correlate telemetry events | | customEvents | user_Id | Unique user identifier |
- | customEvents <sup>[1](#FN1)</sup> | parentId | Name of feature |
- | customEvents <sup>[1](#FN1)</sup> | pageName | Name of page |
- | customEvents <sup>[1](#FN1)</sup> | actionType | Category of Click Analytics record |
+ | customEvents ┬╣ | parentId | Name of feature |
+ | customEvents ┬╣ | pageName | Name of page |
+ | customEvents ┬╣ | actionType | Category of Click Analytics record |
| pageViews | user_AuthenticatedId | Unique authenticated user identifier | | pageViews | session_Id | Unique session identifier | | pageViews | appName | Unique Application Insights app identifier |
These dimensions are measured independently, but they interact with each other.
**Footnotes**
-<a name="FN1">1</a>: To emit these attributes, use the [Click Analytics Autocollection plug-in](javascript-feature-extensions.md) via npm.
+┬╣: To emit these attributes, use the [Click Analytics Autocollection plug-in](javascript-feature-extensions.md) via npm.
>[!TIP] > To understand how to effectively use the Click Analytics plug-in, see [Feature extensions for the Application Insights JavaScript SDK (Click Analytics)](javascript-feature-extensions.md#use-the-plug-in).
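Review bot: in the HEART table the marker moves from a linked `<sup>[1](#FN1)</sup>` to a bare `┬╣` inside the table cell, and the `<a name="FN1">` target is removed, so the three Click Analytics rows no longer jump to the footnote explaining that the plug-in is required to emit them; keep the anchor on the footnote line and verify the superscript renders as `¹` rather than the mojibake shown here.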
azure-monitor Best Practices Data Collection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/best-practices-data-collection.md
The following table shows the configuration steps required to collect all availa
### Collect tenant and subscription logs
-The [Azure Active Directory (Azure AD) logs](../active-directory/reports-monitoring/overview-reports.md) for your tenant and the [activity log](essentials/platform-logs-overview.md) for your subscription are collected automatically. When you send them to a Log Analytics workspace, you can analyze these events with other log data by using log queries in Log Analytics. You can also create log query alerts, which are the only way to alert on Azure AD logs and provide more complex logic than activity log alerts.
+The [Microsoft Entra logs](../active-directory/reports-monitoring/overview-reports.md) for your tenant and the [activity log](essentials/platform-logs-overview.md) for your subscription are collected automatically. When you send them to a Log Analytics workspace, you can analyze these events with other log data by using log queries in Log Analytics. You can also create log query alerts, which are the only way to alert on Microsoft Entra logs and provide more complex logic than activity log alerts.
-There's no cost for sending the activity log to a workspace, but there's a data ingestion and retention charge for Azure AD logs.
+There's no cost for sending the activity log to a workspace, but there's a data ingestion and retention charge for Microsoft Entra logs.
-See [Integrate Azure AD logs with Azure Monitor logs](../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) and [Create diagnostic settings to send platform logs and metrics to different destinations](essentials/diagnostic-settings.md) to create a diagnostic setting for your tenant and subscription to send log entries to your Log Analytics workspace.
+See [Integrate Microsoft Entra logs with Azure Monitor logs](../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) and [Create diagnostic settings to send platform logs and metrics to different destinations](essentials/diagnostic-settings.md) to create a diagnostic setting for your tenant and subscription to send log entries to your Log Analytics workspace.
### Collect resource logs and platform metrics
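Review bot: the rename across these three paragraphs is consistent, but this is the first mention of the product in the section, so consider "Microsoft Entra logs (formerly Azure AD logs)" on that first use so readers searching for the old name still land here. The link targets (`overview-reports.md`, `howto-integrate-activity-logs-with-log-analytics.md`) are unchanged, so check that their page titles now match the new link text.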
azure-monitor Container Insights Livedata Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-livedata-overview.md
You can view real-time log data as it's generated by the container engine on the
1. Select the **Nodes**, **Controllers**, or **Containers** tab.
-1. Select an object from the performance grid. In the **Properties** pane on the right side, select the **Live Logs** tab. If the AKS cluster is configured with single sign-on by using Azure Active Directory (Azure AD), you're prompted to authenticate on first use during that browser session. Select your account and finish authentication with Azure.
+1. Select an object from the performance grid. In the **Properties** pane on the right side, select the **Live Logs** tab. If the AKS cluster is configured with single sign-on by using Microsoft Entra ID, you're prompted to authenticate on first use during that browser session. Select your account and finish authentication with Azure.
>[!NOTE] >To view the data from your Log Analytics workspace, select **View in Log analytics** in the **Properties** pane. The log search results potentially show **Nodes**, **Daemon Sets**, **Replica Sets**, **Stateful Sets**, **Jobs**, **Cron Jobs**, **Pods**, and **Containers**. These logs might no longer exist. The log search results for **Stateful Sets** shows the data for the pods in a stateful set. Attempting to search logs for a container that isn't available in `kubectl` will also fail here. To learn more about viewing historical logs, events, and metrics, see [How to query logs from Container insights](container-insights-log-query.md).
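Review bot: the unchanged note under the edited step reads **View in Log analytics** (lowercase a) while the equivalent notes in the Live Events and Live Metrics sections of this article use **View in Log Analytics**; since the step is being touched, align the UI label. In the same note, "The log search results for **Stateful Sets** shows" should be "show".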
You can view real-time event data as it's generated by the container engine on t
1. Select the **Nodes**, **Controllers**, **Containers**, or **Deployments** tab.
-1. Select an object from the performance grid. In the **Properties** pane on the right side, select the **Live Events** tab. If the AKS cluster is configured with single sign-on by using Azure AD, you're prompted to authenticate on first use during that browser session. Select your account and finish authentication with Azure.
+1. Select an object from the performance grid. In the **Properties** pane on the right side, select the **Live Events** tab. If the AKS cluster is configured with single sign-on by using Microsoft Entra ID, you're prompted to authenticate on first use during that browser session. Select your account and finish authentication with Azure.
>[!NOTE] >To view the data from your Log Analytics workspace, select **View in Log Analytics** in the **Properties** pane. The log search results potentially show **Nodes**, **Daemon Sets**, **Replica Sets**, **Stateful Sets**, **Jobs**, **Cron Jobs**, **Pods**, and **Containers**. These logs might no longer exist. The log search results for **Stateful Sets** shows the data for the pods in a stateful set. Attempting to search logs for a container that isn't available in `kubectl` will also fail here. To learn more about viewing historical logs, events, and metrics, see [How to query logs from Container insights](container-insights-log-query.md).
You can view real-time metric data as it's generated by the container engine fro
1. Select either the **Nodes** or **Controllers** tab.
-1. Select a **Pod** object from the performance grid. In the **Properties** pane on the right side, select the **Live Metrics** tab. If the AKS cluster is configured with single sign-on by using Azure AD, you're prompted to authenticate on first use during that browser session. Select your account and finish authentication with Azure.
+1. Select a **Pod** object from the performance grid. In the **Properties** pane on the right side, select the **Live Metrics** tab. If the AKS cluster is configured with single sign-on by using Microsoft Entra ID, you're prompted to authenticate on first use during that browser session. Select your account and finish authentication with Azure.
>[!NOTE] >To view the data from your Log Analytics workspace, select the **View in Log Analytics** option in the **Properties** pane. The log search results potentially show **Nodes**, **Daemon Sets**, **Replica Sets**, **Stateful Sets**, **Jobs**, **Cron Jobs**, **Pods**, and **Containers**. These logs might no longer exist. The log search results for **Stateful Sets** shows the data for the pods in a stateful set. Attempting to search logs for a container that isn't available in `kubectl` will also fail here. To learn more about viewing historical logs, events, and metrics, see [How to query logs from Container insights](container-insights-log-query.md).
Suspend or pause autoscroll for only a short period of time while you're trouble
## Next steps - To continue learning how to use Azure Monitor and monitor other aspects of your AKS cluster, see [View Azure Kubernetes Service health](container-insights-analyze.md).-- To see predefined queries and examples to create alerts and visualizations or perform further analysis of your clusters, see [How to query logs from Container insights](container-insights-log-query.md).
+- To see predefined queries and examples to create alerts and visualizations or perform further analysis of your clusters, see [How to query logs from Container insights](container-insights-log-query.md).
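Review bot: the added bullet under "Next steps" is identical in text to the removed one, so this is a whitespace or line-break change only (the removed version shows the bullet run onto the previous line). That is fine, but note it in the change description so it is not read as a content edit.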
azure-monitor Container Insights Livedata Setup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-livedata-setup.md
This feature supports the following methods to control access to logs, events, a
- AKS without Kubernetes role-based access control (RBAC) authorization enabled - AKS enabled with Kubernetes RBAC authorization - AKS configured with the cluster role binding [clusterMonitoringUser](/rest/api/aks/managedclusters/listclustermonitoringusercredentials)-- AKS enabled with Azure Active Directory (Azure AD) SAML-based single sign-on
+- AKS enabled with Microsoft Entra SAML-based single sign-on
-These instructions require administrative access to your Kubernetes cluster. If you're configuring to use Azure AD for user authentication, you also need administrative access to Azure AD.
+These instructions require administrative access to your Kubernetes cluster. If you're configuring to use Microsoft Entra ID for user authentication, you also need administrative access to Microsoft Entra ID.
This article explains how to configure authentication to control access to the Live Data feature from the cluster: - Kubernetes RBAC-enabled AKS cluster-- Azure AD-integrated AKS cluster
+- Microsoft Entra integrated AKS cluster
## Authentication model The Live Data feature uses the Kubernetes API, which is identical to the `kubectl` command-line tool. The Kubernetes API endpoints use a self-signed certificate, which your browser will be unable to validate. This feature uses an internal proxy to validate the certificate with the AKS service, ensuring the traffic is trusted.
-The Azure portal prompts you to validate your sign-in credentials for an Azure AD cluster. It redirects you to the client registration setup during cluster creation (and reconfigured in this article). This behavior is similar to the authentication process required by `kubectl`.
+The Azure portal prompts you to validate your sign-in credentials for a Microsoft Entra ID cluster. It redirects you to the client registration setup during cluster creation (and reconfigured in this article). This behavior is similar to the authentication process required by `kubectl`.
>[!NOTE] >Authorization to your cluster is managed by Kubernetes and the security model it's configured with. Users who access this feature require permission to download the Kubernetes configuration (*kubeconfig*), which is similar to running `az aks get-credentials -n {your cluster name} -g {your resource group}`. >
->This configuration file contains the authorization and authentication token for the *Azure Kubernetes Service Cluster User Role*, in the case of Azure RBAC enabled and AKS clusters without Kubernetes RBAC authorization enabled. It contains information about Azure AD and client registration details when AKS is enabled with Azure AD SAML-based single sign-on.
+>This configuration file contains the authorization and authentication token for the *Azure Kubernetes Service Cluster User Role*, in the case of Azure RBAC enabled and AKS clusters without Kubernetes RBAC authorization enabled. It contains information about Microsoft Entra ID and client registration details when AKS is enabled with Microsoft Entra SAML-based single sign-on.
Users of this feature require the [Azure Kubernetes Cluster User Role](../../role-based-access-control/built-in-roles.md) to access the cluster to download the `kubeconfig` and use this feature. Users do *not* require contributor access to the cluster to use this feature.
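Review bot: "a Microsoft Entra ID cluster" in the rewritten sentence about portal sign-in names a cluster type that does not exist; the list at the top of this hunk calls it "Microsoft Entra integrated AKS cluster", so use "an AKS cluster integrated with Microsoft Entra ID" in both places. The unchanged note that follows, "in the case of Azure RBAC enabled and AKS clusters without Kubernetes RBAC authorization enabled", is hard to parse; "for Azure RBAC-enabled clusters and for AKS clusters without Kubernetes RBAC authorization" says the same thing clearly.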
AKS released this new role binding in January 2020, so clusters created before J
## Kubernetes cluster without Kubernetes RBAC enabled
-If you have a Kubernetes cluster that isn't configured with Kubernetes RBAC authorization or integrated with Azure AD single sign-on, you don't need to follow these steps. You already have administrative permissions by default in a non-RBAC configuration.
+If you have a Kubernetes cluster that isn't configured with Kubernetes RBAC authorization or integrated with Microsoft Entra single sign-on, you don't need to follow these steps. You already have administrative permissions by default in a non-RBAC configuration.
## Configure Kubernetes RBAC authorization
The following example steps demonstrate how to configure cluster role binding fr
>[!NOTE] > If you've applied a previous version of the **LogReaderRBAC.yaml** file to your cluster, update it by copying and pasting the new code shown in step 1. Then run the command shown in step 2 to apply it to your cluster.
-## Configure Azure AD-integrated authentication
+<a name='configure-azure-ad-integrated-authentication'></a>
-An AKS cluster configured to use Azure AD for user authentication uses the sign-in credentials of the person accessing this feature. In this configuration, you can sign in to an AKS cluster by using your Azure AD authentication token.
+## Configure Microsoft Entra integrated authentication
-Azure AD client registration must be reconfigured to allow the Azure portal to redirect authorization pages as a trusted redirect URL. Users from Azure AD are then granted access directly to the same Kubernetes API endpoints through **ClusterRoles** and **ClusterRoleBindings**.
+An AKS cluster configured to use Microsoft Entra ID for user authentication uses the sign-in credentials of the person accessing this feature. In this configuration, you can sign in to an AKS cluster by using your Microsoft Entra authentication token.
+
+Microsoft Entra client registration must be reconfigured to allow the Azure portal to redirect authorization pages as a trusted redirect URL. Users from Microsoft Entra ID are then granted access directly to the same Kubernetes API endpoints through **ClusterRoles** and **ClusterRoleBindings**.
For more information on advanced security setup in Kubernetes, review the [Kubernetes documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/). >[!NOTE]
->If you're creating a new Kubernetes RBAC-enabled cluster, see [Integrate Azure Active Directory with Azure Kubernetes Service](../../aks/azure-ad-integration-cli.md) and follow the steps to configure Azure AD authentication. During the steps to create the client application, a note in that section highlights the two redirect URLs you need to create for Container insights matching those specified in step 3.
+>If you're creating a new Kubernetes RBAC-enabled cluster, see [Integrate Microsoft Entra ID with Azure Kubernetes Service](../../aks/azure-ad-integration-cli.md) and follow the steps to configure Microsoft Entra authentication. During the steps to create the client application, a note in that section highlights the two redirect URLs you need to create for Container insights matching those specified in step 3.
### Client registration reconfiguration
-1. Locate the client registration for your Kubernetes cluster in Azure AD under **Azure Active Directory** > **App registrations** in the Azure portal.
+1. Locate the client registration for your Kubernetes cluster in Microsoft Entra ID under **Microsoft Entra ID** > **App registrations** in the Azure portal.
1. On the left pane, select **Authentication**.
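Review bot: keeping the old heading anchor via `<a name='configure-azure-ad-integrated-authentication'></a>` ahead of the renamed heading is the right call for existing links. The rewritten paragraph still says the client registration must allow the portal "as a trusted redirect URL" without saying which URLs; point to the two exact redirect URLs from step 3 (the note below already references them) rather than leaving it open, because an app registration with a broader redirect URI than it needs widens where issued tokens can be delivered.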
For more information on advanced security setup in Kubernetes, review the [Kuber
1. After you register the redirect URLs, under **Implicit grant**, select the options **Access tokens** and **ID tokens**. Then save your changes.
-You can configure authentication with Azure AD for single sign-on only during initial deployment of a new AKS cluster. You can't configure single sign-on for an AKS cluster that's already deployed.
+You can configure authentication with Microsoft Entra ID for single sign-on only during initial deployment of a new AKS cluster. You can't configure single sign-on for an AKS cluster that's already deployed.
>[!IMPORTANT]
->If you reconfigured Azure AD for user authentication by using the updated URI, clear your browser's cache to ensure the updated authentication token is downloaded and applied.
+>If you reconfigured Microsoft Entra ID for user authentication by using the updated URI, clear your browser's cache to ensure the updated authentication token is downloaded and applied.
## Grant permission
-Each Azure AD account must be granted permission to the appropriate APIs in Kubernetes to access the Live Data feature. The steps to grant the Azure AD account are similar to the steps described in the [Kubernetes RBAC authentication](#configure-kubernetes-rbac-authorization) section. Before you apply the YAML configuration template to your cluster, replace **clusterUser** under **ClusterRoleBinding** with the desired user.
+Each Microsoft Entra account must be granted permission to the appropriate APIs in Kubernetes to access the Live Data feature. The steps to grant the Microsoft Entra account are similar to the steps described in the [Kubernetes RBAC authentication](#configure-kubernetes-rbac-authorization) section. Before you apply the YAML configuration template to your cluster, replace **clusterUser** under **ClusterRoleBinding** with the desired user.
>[!IMPORTANT]
->If the user you grant the Kubernetes RBAC binding for is in the same Azure AD tenant, assign permissions based on `userPrincipalName`. If the user is in a different Azure AD tenant, query for and use the `objectId` property.
+>If the user you grant the Kubernetes RBAC binding for is in the same Microsoft Entra tenant, assign permissions based on `userPrincipalName`. If the user is in a different Microsoft Entra tenant, query for and use the `objectId` property.
For more help in configuring your AKS cluster **ClusterRoleBinding**, see [Create Kubernetes RBAC binding](../../aks/azure-ad-integration-cli.md#create-kubernetes-rbac-binding).
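Review bot: the unchanged step "under **Implicit grant**, select the options **Access tokens** and **ID tokens**" is carried over as-is; since the page is being revised, confirm that the Live Data feature still requires implicit-grant access tokens before republishing, and if it does, say so explicitly so readers do not enable them by habit. In the IMPORTANT note on bindings, adding that `objectId` is stable across UPN changes would explain why it, not `userPrincipalName`, is the right key for the cross-tenant case.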
azure-monitor Container Insights Onboard https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-onboard.md
Container insights stores its data in a [Log Analytics workspace](../logs/log-an
You can let the onboarding experience create a Log Analytics workspace in the default resource group of the AKS cluster subscription. If you already have a workspace, you'll probably want to use that one. For more information, see [Designing your Azure Monitor Logs deployment](../logs/design-logs-deployment.md).
- You can attach an AKS cluster to a Log Analytics workspace in a different Azure subscription in the same Azure Active Directory tenant. Currently, you can't do it with the Azure portal, but you can use the Azure CLI or an Azure Resource Manager template.
+ You can attach an AKS cluster to a Log Analytics workspace in a different Azure subscription in the same Microsoft Entra tenant. Currently, you can't do it with the Azure portal, but you can use the Azure CLI or an Azure Resource Manager template.
### Azure Monitor workspace (preview)
The following table lists the extra firewall configuration required for managed
After you've enabled monitoring, you can begin analyzing the performance of your Kubernetes clusters that are hosted on AKS, Azure Stack, or another environment. To learn how to use Container insights, see [View Kubernetes cluster performance](container-insights-analyze.md).-
azure-monitor Container Insights Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/container-insights-troubleshoot.md
To view the non-AKS cluster in Container insights, read access is required on th
``` For clusters with MSI, the user-assigned client ID for Azure Monitor Agent changes every time monitoring is enabled and disabled, so the role assignment should exist on the current MSI client ID.
-1. For clusters with Azure Active Directory pod identity enabled and using MSI:
+1. For clusters with Microsoft Entra pod identity enabled and using MSI:
- Verify that the required label **kubernetes.azure.com/managedby: aks** is present on the Azure Monitor Agent pods by using the following command:
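Review bot: this troubleshooting step still documents pod identity without noting its status; the KEDA article in this same change set states that Microsoft Entra pod-managed identity is deprecated in favour of Microsoft Entra Workload ID, so add a one-line pointer here so readers troubleshooting a deprecated path know to migrate rather than repair.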
azure-monitor Integrate Keda https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/integrate-keda.md
To integrate KEDA into your Azure Kubernetes Service, you have to deploy and con
This article walks you through the steps to integrate KEDA into your AKS cluster using a workload identity. > [!NOTE]
-> We recommend using Azure Active Directory workload identity. This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities to federate with any external identity providers on behalf of the application.
+> We recommend using Microsoft Entra Workload ID. This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities to federate with any external identity providers on behalf of the application.
>
-> The open source Azure AD pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022, and the project will be archived in Sept. 2023. For more information, see the deprecation notice. The AKS Managed add-on begins deprecation in Sept. 2023.
+> The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022, and the project will be archived in Sept. 2023. For more information, see the deprecation notice. The AKS Managed add-on begins deprecation in Sept. 2023.
> > Azure Managed Prometheus support starts from KEDA v2.10. If you have an older version of KEDA installed, you must upgrade in order to work with Azure Managed Prometheus.
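Review bot: in the rewritten note, the relative clause "which integrates with the Kubernetes native capabilities to federate with any external identity providers" now attaches to "pod-managed identity (preview)" instead of to Microsoft Entra Workload ID, which reverses the meaning; suggest "We recommend Microsoft Entra Workload ID, which replaces pod-managed identity (preview) and integrates with Kubernetes native capabilities to federate with external identity providers on behalf of the application." The next line says "For more information, see the deprecation notice" with no link; add the link, and check whether the "Sept. 2023" archive and deprecation dates still describe a future event.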
This article walks you through the steps to integrate KEDA into your AKS cluster
+ `SERVICE_ACCOUNT_NAME` - KEDA must use the service account that was used to create federated credentials. This can be any user defined name. + `AKS_CLUSTER_NAME`- The name of the AKS cluster where you want to deploy KEDA. + `SERVICE_ACCOUNT_NAMESPACE` Both KEDA and service account must be in same namespace.
- + `USER_ASSIGNED_IDENTITY_NAME` is the name of the Azure Active directory identity that's created for KEDA.
+ + `USER_ASSIGNED_IDENTITY_NAME` is the name of the Microsoft Entra identity that's created for KEDA.
+ `FEDERATED_IDENTITY_CREDENTIAL_NAME` is the name of the credential that's created for KEDA to use to authenticate with Azure. 1. If your AKS cluster hasn't been created with workload-identity or oidc-issuer enabled, you'll need to enable it. If you aren't sure, you can run the following command to check if it's enabled.
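Review bot: the variable list is formatted three different ways: `SERVICE_ACCOUNT_NAME` and `AKS_CLUSTER_NAME` use a dash separator (the second with no space before it), `SERVICE_ACCOUNT_NAMESPACE` has no separator at all, and the two rewritten items use "is the name of". Pick one form for all five, and give `SERVICE_ACCOUNT_NAMESPACE` its missing articles: "Both KEDA and the service account must be in the same namespace."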
azure-monitor Monitor Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/monitor-kubernetes.md
If you're unsure which resource logs to initially enable, use the following reco
| kube-controller-manager | Enable | Log Analytics workspace | | kube-scheduler | Disable | | | cluster-autoscaler | Enable if autoscale is enabled | Log Analytics workspace |
-| guard | Enable if Azure Active Directory is enabled | Log Analytics workspace |
+| guard | Enable if Microsoft Entra ID is enabled | Log Analytics workspace |
| AllMetrics | Disable since metrics are collected in Managed Prometheus | Log Analytics workspace |
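Review bot: "Enable if Microsoft Entra ID is enabled" for the guard row is ambiguous, since Microsoft Entra ID is always present in a tenant; the condition is whether the cluster has Microsoft Entra ID integration turned on, so "Enable if Microsoft Entra ID integration is enabled" is clearer. A few words saying that guard is the component handling Microsoft Entra authentication for the cluster would also tell readers why its log is worth keeping.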
Following are common scenarios for monitoring your application.
## See also - See [Monitoring AKS](../../aks/monitor-aks.md) for guidance on monitoring specific to Azure Kubernetes Service (AKS).--
azure-monitor Prometheus Authorization Proxy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/prometheus-authorization-proxy.md
Title: Azure Active Directory authorization proxy
-description: Azure Active Directory authorization proxy
+ Title: Microsoft Entra authorization proxy
+description: Microsoft Entra authorization proxy
Last updated 07/10/2022
-# Azure Active Directory authorization proxy
-The Azure Active Directory authorization proxy is a reverse proxy, which can be used to authenticate requests using Azure Active Directory. This proxy can be used to authenticate requests to any service that supports Azure Active Directory authentication. Use this proxy to authenticate requests to Azure Monitor managed service for Prometheus.
+# Microsoft Entra authorization proxy
+The Microsoft Entra authorization proxy is a reverse proxy, which can be used to authenticate requests using Microsoft Entra ID. This proxy can be used to authenticate requests to any service that supports Microsoft Entra authentication. Use this proxy to authenticate requests to Azure Monitor managed service for Prometheus.
## Prerequisites
The Azure Active Directory authorization proxy is a reverse proxy, which can be
The proxy can be deployed with custom templates using release image or as a helm chart. Both deployments contain the same customizable parameters. These parameters are described in the [Parameters](#parameters) table.
-For for more information, see [Azure Active Directory authentication proxy](https://github.com/Azure/aad-auth-proxy) project.
+For for more information, see [Microsoft Entra authentication proxy](https://github.com/Azure/aad-auth-proxy) project.
The following examples show how to deploy the proxy for remote write and for querying data from Azure Monitor.
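Review bot: the duplicated word in "For for more information" survives the rewrite; correct it to "For more information" while touching the line. The repository is still named `aad-auth-proxy`, so consider keeping "(aad-auth-proxy)" beside the new link text so readers can match the renamed article to the project.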
azure-monitor Prometheus Metrics From Arc Enabled Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/prometheus-metrics-from-arc-enabled-cluster.md
For issues with the extension, see the [Troubleshooting Guide](./prometheus-metr
+ [Default Prometheus metrics configuration in Azure Monitor ](prometheus-metrics-scrape-default.md) + [Customize scraping of Prometheus metrics in Azure Monitor](prometheus-metrics-scrape-configuration.md) + [Use Azure Monitor managed service for Prometheus as data source for Grafana using managed system identity](../essentials/prometheus-grafana.md)
-+ [Configure self-managed Grafana to use Azure Monitor managed service for Prometheus with Azure Active Directory](../essentials/prometheus-self-managed-grafana-azure-active-directory.md)
++ [Configure self-managed Grafana to use Azure Monitor managed service for Prometheus with Microsoft Entra ID](../essentials/prometheus-self-managed-grafana-azure-active-directory.md)
azure-monitor Prometheus Remote Write Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/prometheus-remote-write-active-directory.md
Title: Remote-write in Azure Monitor Managed Service for Prometheus using Azure Active Directory
-description: Describes how to configure remote-write to send data from self-managed Prometheus running in your Kubernetes cluster running on-premises or in another cloud using Azure Active Directory authentication.
+ Title: Remote-write in Azure Monitor Managed Service for Prometheus using Microsoft Entra ID
+description: Describes how to configure remote-write to send data from self-managed Prometheus running in your Kubernetes cluster running on-premises or in another cloud using Microsoft Entra authentication.
Last updated 11/01/2022
-# Configure remote write for Azure Monitor managed service for Prometheus using Azure Active Directory authentication
-This article describes how to configure [remote-write](prometheus-remote-write.md) to send data from self-managed Prometheus running in your AKS cluster or Azure Arc-enabled Kubernetes cluster using Azure Active Directory authentication.
+# Configure remote write for Azure Monitor managed service for Prometheus using Microsoft Entra authentication
+This article describes how to configure [remote-write](prometheus-remote-write.md) to send data from self-managed Prometheus running in your AKS cluster or Azure Arc-enabled Kubernetes cluster using Microsoft Entra authentication.
## Cluster configurations This article applies to the following cluster configurations:
This article applies to the following cluster configurations:
## Prerequisites See prerequisites at [Azure Monitor managed service for Prometheus remote write](prometheus-remote-write.md#prerequisites).
-## Create Azure Active Directory application
-Follow the procedure at [Register an application with Azure AD and create a service principal](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) to register an application for Prometheus remote-write and create a service principal.
+<a name='create-azure-active-directory-application'></a>
+## Create Microsoft Entra application
+Follow the procedure at [Register an application with Microsoft Entra ID and create a service principal](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) to register an application for Prometheus remote-write and create a service principal.
-## Get the client ID of the Azure Active Directory application.
-1. From the **Azure Active Directory** menu in the Azure Portal, select **App registrations**.
+<a name='get-the-client-id-of-the-azure-active-directory-application'></a>
+
+## Get the client ID of the Microsoft Entra application.
+
+1. From the **Microsoft Entra ID** menu in the Azure Portal, select **App registrations**.
2. Locate your application and note the client ID.
- :::image type="content" source="media/prometheus-remote-write-active-directory/application-client-id.png" alt-text="Screenshot showing client ID of Azure Active Directory application." lightbox="media/prometheus-remote-write-active-directory/application-client-id.png":::
+ :::image type="content" source="media/prometheus-remote-write-active-directory/application-client-id.png" alt-text="Screenshot showing client ID of Microsoft Entra application." lightbox="media/prometheus-remote-write-active-directory/application-client-id.png":::
## Assign Monitoring Metrics Publisher role on the data collection rule to the application The application requires the *Monitoring Metrics Publisher* role on the data collection rule associated with your Azure Monitor workspace.
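Review bot: the renamed heading "## Get the client ID of the Microsoft Entra application." keeps the trailing period from the old heading; drop it, since no other heading in this hunk has one. The link in the "Create Microsoft Entra application" step changes its text but keeps the fragment `#register-an-application-with-azure-ad-and-create-a-service-principal`; verify that the target page still exposes that anchor after its own rename (this change set preserves old anchors with `<a name>` tags elsewhere, so it probably does, but a renamed heading without one would break the link silently).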
The application requires the *Monitoring Metrics Publisher* role on the data col
2. Create a certificate using the guidance at [Add a certificate to Key Vault](../../key-vault/certificates/quick-create-portal.md#add-a-certificate-to-key-vault). 3. Download the newly generated certificate in CER format using the guidance at [Export certificate from Key Vault](../../key-vault/certificates/quick-create-portal.md#export-certificate-from-key-vault).
-## Add certificate to the Azure Active Directory application
+<a name='add-certificate-to-the-azure-active-directory-application'></a>
+
+## Add certificate to the Microsoft Entra application
-1. From the menu for your Azure Active Directory application, select **Certificates & secrets**.
+1. From the menu for your Microsoft Entra application, select **Certificates & secrets**.
2. Select **Upload certificate** and select the certificate that you downloaded.
- :::image type="content" source="media/prometheus-remote-write-active-directory/upload-certificate.png" alt-text="Screenshot showing upload of certificate for Azure Active Directory application." lightbox="media/prometheus-remote-write-active-directory/upload-certificate.png":::
+ :::image type="content" source="media/prometheus-remote-write-active-directory/upload-certificate.png" alt-text="Screenshot showing upload of certificate for Microsoft Entra application." lightbox="media/prometheus-remote-write-active-directory/upload-certificate.png":::
> [!WARNING] > Certificates have an expiration date, and it's the responsibility of the user to keep these certificates valid.
This step is only required if you didn't enable Azure Key Vault Provider for Sec
- url: 'http://localhost:8081/api/v1/write' # Additional volumes on the output StatefulSet definition.
- # Required only for AAD based auth
+ # Required only for Microsoft Entra ID based auth
volumes: - name: secrets-store-inline csi:
This step is only required if you didn't enable Azure Key Vault Provider for Sec
image: <CONTAINER-IMAGE-VERSION> imagePullPolicy: Always
- # Required only for AAD based auth
+ # Required only for Microsoft Entra ID based auth
volumeMounts: - name: secrets-store-inline mountPath: /mnt/secrets-store
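Review bot: "Required only for Microsoft Entra ID based auth" (here and in the identical comment in the preceding volumes hunk) should be hyphenated as "Microsoft Entra ID-based auth". As these are YAML comments in a template users copy, they are the only guidance on why the volume and mount exist, so saying what the volume carries (the certificate delivered through the `secrets-store-inline` CSI volume at `/mnt/secrets-store`) would help more than the product name alone.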
This step is only required if you didn't enable Azure Key Vault Provider for Sec
| `<CONTAINER-IMAGE-VERSION>` | `mcr.microsoft.com/azuremonitor/prometheus/promdev/prom-remotewrite:prom-remotewrite-20230906.1`<br>The remote write container image version. | | `<INGESTION-URL>` | **Metrics ingestion endpoint** from the **Overview** page for the Azure Monitor workspace | | `<APP-REGISTRATION -CLIENT-ID> ` | Client ID of your application |
- | `<TENANT-ID> ` | Tenant ID of the Azure Active Directory application |
+ | `<TENANT-ID> ` | Tenant ID of the Microsoft Entra application |
| `<CERT-NAME>` | Name of the certificate | | `<CLUSTER-NAME>` | Name of the cluster Prometheus is running on |
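Review bot: the placeholder `<APP-REGISTRATION -CLIENT-ID> ` in the unchanged row above the edited one has a stray space inside the angle brackets, and both it and `<TENANT-ID> ` carry a trailing space; readers search-and-replace these tokens, so write them without the internal and trailing spaces so they match what appears in the template.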
See [Azure Monitor managed service for Prometheus remote write](prometheus-remot
- [Remote-write in Azure Monitor Managed Service for Prometheus](prometheus-remote-write.md) - [Configure remote write for Azure Monitor managed service for Prometheus using managed identity authentication](./prometheus-remote-write-managed-identity.md) - [Configure remote write for Azure Monitor managed service for Prometheus using Azure Workload Identity (preview)](./prometheus-remote-write-azure-workload-identity.md)-- [Configure remote write for Azure Monitor managed service for Prometheus using Azure AD pod identity (preview)](./prometheus-remote-write-azure-ad-pod-identity.md)
+- [Configure remote write for Azure Monitor managed service for Prometheus using Microsoft Entra pod identity (preview)](./prometheus-remote-write-azure-ad-pod-identity.md)
azure-monitor Prometheus Remote Write Azure Ad Pod Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/prometheus-remote-write-azure-ad-pod-identity.md
Title: Configure remote write for Azure Monitor managed service for Prometheus using Microsoft Azure Active Directory pod identity (preview)
-description: Configure remote write for Azure Monitor managed service for Prometheus using Azure AD pod identity (preview)
+ Title: Configure remote write for Azure Monitor managed service for Prometheus using Microsoft Entra pod identity (preview)
+description: Configure remote write for Azure Monitor managed service for Prometheus using Microsoft Entra pod identity (preview)
Last updated 05/11/2023
-# Configure remote write for Azure Monitor managed service for Prometheus using Microsoft Azure Active Directory pod identity (preview)
+# Configure remote write for Azure Monitor managed service for Prometheus using Microsoft Entra pod identity (preview)
> [!NOTE]
-> The remote write sidecar should only be configured via the following steps only if the AKS cluster already has the Azure AD pod enabled. This approach is not recommended as AAD pod identity has been deprecated to be replace by [Azure Workload Identity](/azure/active-directory/workload-identities/workload-identities-overview)
+> The remote write sidecar should only be configured via the following steps only if the AKS cluster already has the Microsoft Entra pod enabled. This approach is not recommended as Microsoft Entra pod identity has been deprecated to be replace by [Azure Workload Identity](/azure/active-directory/workload-identities/workload-identities-overview)
-To configure remote write for Azure Monitor managed service for Prometheus using Azure AD pod identity, follow the steps below.
+To configure remote write for Azure Monitor managed service for Prometheus using Microsoft Entra pod identity, follow the steps below.
1. Create user assigned identity or use an existing user assigned managed identity. For information on creating the managed identity, see [Configure remote write for Azure Monitor managed service for Prometheus using managed identity authentication](./prometheus-remote-write-managed-identity.md#get-the-client-id-of-the-user-assigned-identity). 1. Assign the `Managed Identity Operator` and `Virtual Machine Contributor` roles to the managed identity created/used in the previous step.
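Review bot: The rewritten note in the `+` line still reads "should only be configured via the following steps only if" (duplicated "only"), "has the Microsoft Entra pod enabled" (the feature is pod identity, so "has Microsoft Entra pod identity enabled"), and "deprecated to be replace by" (should be "replaced by"). This note is the one place that tells readers the approach is deprecated in favour of the workload identity article it links to, so it is worth making it read cleanly, for example: "Configure the remote write sidecar with the following steps only if the AKS cluster already has Microsoft Entra pod identity enabled. This approach is not recommended: Microsoft Entra pod identity is deprecated and is replaced by Azure Workload Identity." In the step below, "Create user assigned identity" also wants an article ("Create a user-assigned identity").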
To configure remote write for Azure Monitor managed service for Prometheus using
- [Collect Prometheus metrics from an AKS cluster](../containers/prometheus-metrics-enable.md) - [Learn more about Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md) - [Remote-write in Azure Monitor Managed Service for Prometheus](prometheus-remote-write.md)-- [Remote-write in Azure Monitor Managed Service for Prometheus using Azure Active Directory](./prometheus-remote-write-active-directory.md)
+- [Remote-write in Azure Monitor Managed Service for Prometheus using Microsoft Entra ID](./prometheus-remote-write-active-directory.md)
- [Configure remote write for Azure Monitor managed service for Prometheus using managed identity authentication](./prometheus-remote-write-managed-identity.md) - [Configure remote write for Azure Monitor managed service for Prometheus using Azure Workload Identity (preview)](./prometheus-remote-write-azure-workload-identity.md)
azure-monitor Prometheus Remote Write Azure Workload Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/prometheus-remote-write-azure-workload-identity.md
Title: Configure remote write for Azure managed service for Prometheus using Azure Active Directory workload identity (preview)
-description: Configure remote write for Azure Monitor managed service for Prometheus using Microsoft Azure Active Directory workload identity (preview)
+ Title: Configure remote write for Azure managed service for Prometheus using Microsoft Entra Workload ID (preview)
+description: Configure remote write for Azure Monitor managed service for Prometheus using Microsoft Entra Workload ID (preview)
Last updated 09/10/2023
-# Configure remote write for Azure managed service for Prometheus using Azure Active Directory workload identity (preview)
+# Configure remote write for Azure managed service for Prometheus using Microsoft Entra Workload ID (preview)
-This article describes how to configure [remote-write](prometheus-remote-write.md) to send data from your Azure managed Prometheus cluster using Azure Active Directory workload identity.
+This article describes how to configure [remote-write](prometheus-remote-write.md) to send data from your Azure managed Prometheus cluster using Microsoft Entra Workload ID.
## Prerequisites * The cluster must have OIDC-specific feature flags and an OIDC issuer URL:
- * For managed clusters (AKS/EKS/GKE), see [Managed Clusters - Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html)
- * For self-managed clusters, see [Self-Managed Clusters - Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters.html)
-* Installed mutating admission webhook. For more information, see [Mutating Admission Webhook - Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html)
+ * For managed clusters (AKS/EKS/GKE), see [Managed Clusters - Microsoft Entra Workload ID](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html)
+ * For self-managed clusters, see [Self-Managed Clusters - Microsoft Entra Workload ID](https://azure.github.io/azure-workload-identity/docs/installation/self-managed-clusters.html)
+* Installed mutating admission webhook. For more information, see [Mutating Admission Webhook - Microsoft Entra Workload ID](https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html)
* The cluster already has Prometheus running. This guide assumes that the Prometheus is set up using [kube-prometheus-stack](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html), however, you can set up Prometheus any other way. ## Configure workload identity
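Review bot: The title and H1 of this article are renamed to "Microsoft Entra Workload ID", but the related-article links to it elsewhere in the same change set (the "Configure remote write ... using Azure Workload Identity (preview)" entries in the remote-write, managed-identity and pod-identity articles) are left as they are, so the link text no longer matches the destination title; rename those too or keep this title aligned with them. Separately, in the unchanged prerequisite line the `kube-prometheus-stack` link points at the azure-workload-identity managed-clusters installation page rather than at kube-prometheus-stack itself, and "the Prometheus is set up" should read "Prometheus is set up".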
This article describes how to configure [remote-write](prometheus-remote-write.m
For `SERVICE_ACCOUNT_NAME`, check if there's a service account (apart from the "default" service account) already associated with Prometheus pod, check for the value of `serviceaccountName` or `serviceAccount` (deprecated) in the `spec` of your Prometheus pod and use this value if it exists. If not, provide the name of the service account you would like to associate with your Prometheus pod.
-1. Create an Azure Active Directory app or user assigned managed identity and grant permission to publish metrics to Azure Monitor workspace.
+1. Create a Microsoft Entra app or user assigned managed identity and grant permission to publish metrics to Azure Monitor workspace.
```azurecli # create an Azure Active Directory application az ad sp create-for-rbac --name "${APPLICATION_NAME}"
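Review bot: The comment in the `azurecli` block, `# create an Azure Active Directory application`, is left unchanged while the equivalent comment later in this article (`# Get the ObjectID of the Microsoft Entra app.`) is renamed in the same commit; update it to match. In the unchanged context line above, the pod spec field is `serviceAccountName` (camel case), not `serviceaccountName`; a reader who greps the pod spec for the lowercase form will not find it. That sentence is also a run-on ("check if there's a service account ... already associated with Prometheus pod, check for the value ...") and reads better as two sentences.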
This article describes how to configure [remote-write](prometheus-remote-write.m
az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}" ```
- Assign the *Monitoring Metrics Publisher* role to the Azure Active Directory app or user-assigned managed identity. For more information, see [Assign Monitoring Metrics Publisher role on the data collection rule to the managed identity](prometheus-remote-write-managed-identity.md#assign-monitoring-metrics-publisher-role-on-the-data-collection-rule-to-the-managed-identity).
+ Assign the *Monitoring Metrics Publisher* role to the Microsoft Entra app or user-assigned managed identity. For more information, see [Assign Monitoring Metrics Publisher role on the data collection rule to the managed identity](prometheus-remote-write-managed-identity.md#assign-monitoring-metrics-publisher-role-on-the-data-collection-rule-to-the-managed-identity).
1. Create or Update your Kubernetes service account Prometheus pod. Often there's a Kubernetes service account created and associated with the pod running the Prometheus container. If you're using kube-prometheus-stack, it automatically creates `prometheus-kube-prometheus-prometheus` service account.
This article describes how to configure [remote-write](prometheus-remote-write.m
kubectl annotate sa ${SERVICE_ACCOUNT_NAME} -n ${SERVICE_ACCOUNT_NAMESPACE} azure.workload.identity/client-id="${APPLICATION_OR_USER_ASSIGNED_IDENTITY_CLIENT_ID}" ΓÇôoverwrite ```
- If your Azure Active Directory app or user assigned managed identity isn't in the same tenant as your cluster, add the following annotation to your service account:
+ If your Microsoft Entra app or user assigned managed identity isn't in the same tenant as your cluster, add the following annotation to your service account:
```bash kubectl annotate sa ${SERVICE_ACCOUNT_NAME} -n ${SERVICE_ACCOUNT_NAMESPACE} azure.workload.identity/tenant-id="${APPLICATION_OR_USER_ASSIGNED_IDENTITY_TENANT_ID}" ΓÇôoverwrite
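Review bot: Both `kubectl annotate` commands in this hunk end in `ΓÇôoverwrite`, which is an en dash (U+2013) followed by `overwrite` rendered through the wrong code page; kubectl does not recognise that as the `--overwrite` flag, so the command as written fails on a service account that already carries the annotation instead of replacing it. Replace the dash with two ASCII hyphens in both the client-id and the tenant-id command while this block is being edited.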
This article describes how to configure [remote-write](prometheus-remote-write.m
--subject "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}" ```
- * Azure AD
+ * Microsoft Entra ID
```CLI
- # Get the ObjectID of the Azure Active Directory app.
+ # Get the ObjectID of the Microsoft Entra app.
export APPLICATION_OBJECT_ID="$(az ad app show --id ${APPLICATION_CLIENT_ID} --query id -otsv)"
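Review bot: The fence for this snippet is tagged `CLI` while the earlier snippet in the same article uses `azurecli`; use one tag so highlighting and copy behaviour are consistent across the article. The option label is renamed from "Azure AD" to "Microsoft Entra ID", but the object the commands operate on is the app registration, which the surrounding text calls the "Microsoft Entra app"; using the same term for the label would make the choice clearer.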
prometheus:
* [Collect Prometheus metrics from an AKS cluster](../containers/prometheus-metrics-enable.md) * [Learn more about Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md) * [Remote-write in Azure Monitor Managed Service for Prometheus](prometheus-remote-write.md)
-* [Remote-write in Azure Monitor Managed Service for Prometheus using Azure Active Directory](./prometheus-remote-write-active-directory.md)
+* [Remote-write in Azure Monitor Managed Service for Prometheus using Microsoft Entra ID](./prometheus-remote-write-active-directory.md)
* [Configure remote write for Azure Monitor managed service for Prometheus using managed identity authentication](./prometheus-remote-write-managed-identity.md)
-* [Configure remote write for Azure Monitor managed service for Prometheus using Azure AD pod identity (preview)](./prometheus-remote-write-azure-ad-pod-identity.md)
+* [Configure remote write for Azure Monitor managed service for Prometheus using Microsoft Entra pod identity (preview)](./prometheus-remote-write-azure-ad-pod-identity.md)
azure-monitor Prometheus Remote Write Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/prometheus-remote-write-managed-identity.md
This article applies to the following cluster configurations:
- Azure Arc-enabled Kubernetes cluster > [!NOTE]
-> For a Kubernetes cluster running in another cloud or on-premises, see [Azure Monitor managed service for Prometheus remote write - Azure Active Directory](prometheus-remote-write-active-directory.md).
+> For a Kubernetes cluster running in another cloud or on-premises, see [Azure Monitor managed service for Prometheus remote write - Microsoft Entra ID](prometheus-remote-write-active-directory.md).
## Prerequisites See prerequisites at [Azure Monitor managed service for Prometheus remote write](prometheus-remote-write.md#prerequisites).
See [Azure Monitor managed service for Prometheus remote write](prometheus-remot
- [Collect Prometheus metrics from an AKS cluster](../containers/prometheus-metrics-enable.md) - [Learn more about Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md) - [Remote-write in Azure Monitor Managed Service for Prometheus](prometheus-remote-write.md)-- [Remote-write in Azure Monitor Managed Service for Prometheus using Azure Active Directory](./prometheus-remote-write-active-directory.md)
+- [Remote-write in Azure Monitor Managed Service for Prometheus using Microsoft Entra ID](./prometheus-remote-write-active-directory.md)
- [Configure remote write for Azure Monitor managed service for Prometheus using managed identity authentication](./prometheus-remote-write-managed-identity.md)-- [Configure remote write for Azure Monitor managed service for Prometheus using Azure AD pod identity (preview)](./prometheus-remote-write-azure-ad-pod-identity.md)
+- [Configure remote write for Azure Monitor managed service for Prometheus using Microsoft Entra pod identity (preview)](./prometheus-remote-write-azure-ad-pod-identity.md)
azure-monitor Prometheus Remote Write https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/containers/prometheus-remote-write.md
Last updated 11/01/2022
Azure Monitor managed service for Prometheus is intended to be a replacement for self managed Prometheus so you don't need to manage a Prometheus server in your Kubernetes clusters. You may also choose to use the managed service to centralize data from self-managed Prometheus clusters for long term data retention and to create a centralized view across your clusters. In this case, you can use [remote_write](https://prometheus.io/docs/operating/integrations/#remote-endpoints-and-storage) to send data from your self-managed Prometheus into the Azure managed service. ## Architecture
-Azure Monitor provides a reverse proxy container (Azure Monitor [side car container](/azure/architecture/patterns/sidecar)) that provides an abstraction for ingesting Prometheus remote write metrics and helps in authenticating packets. The Azure Monitor side car container currently supports User Assigned Identity and Azure Active Directory (Azure AD) based authentication to ingest Prometheus remote write metrics to Azure Monitor workspace.
+Azure Monitor provides a reverse proxy container (Azure Monitor [side car container](/azure/architecture/patterns/sidecar)) that provides an abstraction for ingesting Prometheus remote write metrics and helps in authenticating packets. The Azure Monitor side car container currently supports User Assigned Identity and Microsoft Entra ID based authentication to ingest Prometheus remote write metrics to Azure Monitor workspace.
## Prerequisites
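Review bot: "helps in authenticating packets" in the `+` line is imprecise for an HTTP reverse proxy; "authenticates the remote-write requests" is closer to what the surrounding sentence describes. Also "side car" should be "sidecar" to match the link text, "Microsoft Entra ID based authentication" wants a hyphen ("Microsoft Entra ID-based"), and "self managed" / "long term" in the paragraph above are missing hyphens. The `Last updated 11/01/2022` metadata is left untouched although the article text changes in this commit.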
Azure Monitor provides a reverse proxy container (Azure Monitor [side car contai
The process for configuring remote write depends on your cluster configuration and the type of authentication that you use. - **Managed identity** is recommended for Azure Kubernetes service (AKS) and Azure Arc-enabled Kubernetes cluster. See [Azure Monitor managed service for Prometheus remote write - managed identity](prometheus-remote-write-managed-identity.md)-- **Azure Active Directory** can be used for Azure Kubernetes service (AKS) and Azure Arc-enabled Kubernetes cluster and is required for Kubernetes cluster running in another cloud or on-premises. See [Azure Monitor managed service for Prometheus remote write - Azure Active Directory](prometheus-remote-write-active-directory.md)
+- **Microsoft Entra ID** can be used for Azure Kubernetes service (AKS) and Azure Arc-enabled Kubernetes cluster and is required for Kubernetes cluster running in another cloud or on-premises. See [Azure Monitor managed service for Prometheus remote write - Microsoft Entra ID](prometheus-remote-write-active-directory.md)
> [!NOTE]
-> Whether you use Managed Identity or Azure Active Directory to enable permissions for ingesting data, these settings take some time to take effect. When following the steps below to verify that the setup is working please allow up to 10-15 minutes for the authorization settings needed to ingest data to complete.
+> Whether you use Managed Identity or Microsoft Entra ID to enable permissions for ingesting data, these settings take some time to take effect. When following the steps below to verify that the setup is working please allow up to 10-15 minutes for the authorization settings needed to ingest data to complete.
## Verify remote write is working correctly
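Review bot: In the `+` line, "Azure Kubernetes service (AKS)" should be "Azure Kubernetes Service (AKS)" and "required for Kubernetes cluster running in another cloud" needs an article ("a Kubernetes cluster"); the same two fixes apply to the managed-identity bullet on the unchanged line above. In the renamed note, "these settings take some time to take effect" reads better as "these settings take some time to propagate".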
az monitor data-collection rule show --name "myCollectionRule" --resource-group
- [Learn more about Azure Monitor managed service for Prometheus](../essentials/prometheus-metrics-overview.md). - [Collect Prometheus metrics from an AKS cluster](../containers/prometheus-metrics-enable.md)-- [Remote-write in Azure Monitor Managed Service for Prometheus using Azure Active Directory](./prometheus-remote-write-active-directory.md)
+- [Remote-write in Azure Monitor Managed Service for Prometheus using Microsoft Entra ID](./prometheus-remote-write-active-directory.md)
- [Configure remote write for Azure Monitor managed service for Prometheus using managed identity authentication](./prometheus-remote-write-managed-identity.md) - [Configure remote write for Azure Monitor managed service for Prometheus using Azure Workload Identity (preview)](./prometheus-remote-write-azure-workload-identity.md)-- [Configure remote write for Azure Monitor managed service for Prometheus using Azure AD pod identity (preview)](./prometheus-remote-write-azure-ad-pod-identity.md)
+- [Configure remote write for Azure Monitor managed service for Prometheus using Microsoft Entra pod identity (preview)](./prometheus-remote-write-azure-ad-pod-identity.md)
azure-monitor Data Sources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/data-sources.md
The following table briefly describes the application tiers that are specific to
| Tier | Description | Collection method | |:|:|:|
-| [Azure Tenant](#azure-tenant) | Data about the operation of tenant-level Azure services, such as Azure Active Directory. | View Azure Active Directory data in portal or configure collection to Azure Monitor using a tenant diagnostic setting. |
+| [Azure Tenant](#azure-tenant) | Data about the operation of tenant-level Azure services, such as Microsoft Entra ID. | View Microsoft Entra data in portal or configure collection to Azure Monitor using a tenant diagnostic setting. |
| [Azure subscription](#azure-subscription) | Data related to the health and management of cross-resource services in your Azure subscription such as Resource Manager and Service Health. | View in portal or configure collection to Azure Monitor using a log profile. | | [Azure resources](#azure-resources) | Data about the operation and performance of each Azure resource. | Metrics collected automatically, view in Metrics Explorer.<br>Configure diagnostic settings to collect logs in Azure Monitor.<br>Monitoring solutions and Insights available for more detailed monitoring for specific resource types. |
The following table briefly describes the application tiers that may be in Azure
| [Custom sources](#custom-sources) | Data from external services or other components or devices. | Collect log or metrics data into Azure Monitor from any REST client. | ## Azure tenant
-Telemetry related to your Azure tenant is collected from tenant-wide services such as Azure Active Directory.
+Telemetry related to your Azure tenant is collected from tenant-wide services such as Microsoft Entra ID.
:::image type="content" source="media/data-sources/tenant.png" lightbox="media/data-sources/tenant.png" alt-text="Diagram that shows Azure tenant collection." border="false":::
-### Azure Active Directory Audit Logs
-[Azure Active Directory reporting](../active-directory/reports-monitoring/overview-reports.md) contains the history of sign-in activity and audit trail of changes made within a particular tenant.
+<a name='azure-active-directory-audit-logs'></a>
+
+### Microsoft Entra audit logs
+[Microsoft Entra ID reporting](../active-directory/reports-monitoring/overview-reports.md) contains the history of sign-in activity and audit trail of changes made within a particular tenant.
| Destination | Description | Reference | |:|:|:|
-| Azure Monitor Logs | Configure Azure AD logs to be collected in Azure Monitor to analyze them with other monitoring data. | [Integrate Azure AD logs with Azure Monitor logs](../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) |
-| Azure Storage | Export Azure AD logs to Azure Storage for archiving. | [Tutorial: Archive Azure AD logs to an Azure storage account](../active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md) |
-| Event Hubs | Stream Azure AD logs to other locations using Event Hubs. | [Tutorial: Stream Azure Active Directory logs to an Azure event hub](../active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md). |
+| Azure Monitor Logs | Configure Microsoft Entra logs to be collected in Azure Monitor to analyze them with other monitoring data. | [Integrate Microsoft Entra logs with Azure Monitor logs](../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) |
+| Azure Storage | Export Microsoft Entra logs to Azure Storage for archiving. | [Tutorial: Archive Microsoft Entra logs to an Azure storage account](../active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md) |
+| Event Hubs | Stream Microsoft Entra logs to other locations using Event Hubs. | [Tutorial: Stream Microsoft Entra logs to an Azure event hub](../active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md). |
## Azure subscription Telemetry related to the health and operation of your Azure subscription.
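Review bot: Only the Event Hubs row ends its reference cell with a period after the link (`...tutorial-azure-monitor-stream-logs-to-event-hub.md).`), while the two rows above it do not; drop it for consistency. Keeping the `<a name='azure-active-directory-audit-logs'></a>` anchor for the renamed heading is the right call, since the old fragment is what existing deep links use. In the first row of the tier table, "View Microsoft Entra data in portal" wants "in the portal".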
azure-monitor Collect Custom Metrics Guestos Vm Classic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/collect-custom-metrics-guestos-vm-classic.md
The process that's outlined in this article only works on classic virtual machin
## Create a service principal
-Create a service principal in your Azure Active Directory tenant by using the instructions at [Create a service principal](../../active-directory/develop/howto-create-service-principal-portal.md). Note the following while going through this process:
+Create a service principal in your Microsoft Entra tenant by using the instructions at [Create a service principal](../../active-directory/develop/howto-create-service-principal-portal.md). Note the following while going through this process:
- Create new client secret for this app. - Save the key and the client ID for use in later steps.
Give this app ΓÇ£Monitoring Metrics PublisherΓÇ¥ permissions to the resource tha
## Next steps-- Learn more about [custom metrics](./metrics-custom-overview.md).
+- Learn more about [custom metrics](./metrics-custom-overview.md).
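Review bot: The unchanged line `Give this app ΓÇ£Monitoring Metrics PublisherΓÇ¥ permissions` carries curly double quotes mis-encoded through the wrong code page; the sibling articles in this change set write the role as *Monitoring Metrics Publisher* in italics, so use that form (or plain ASCII quotes) here rather than leaving the mojibake in place.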
azure-monitor Collect Custom Metrics Guestos Vm Cloud Service Classic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/collect-custom-metrics-guestos-vm-cloud-service-classic.md
The process that's outlined in this article works only for performance counters
## Create a service principal
-Create a service principal in your Azure Active Directory tenant by using the instructions at [Use portal to create an Azure Active Directory application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). Note the following while you're going through this process:
+Create a service principal in your Microsoft Entra tenant by using the instructions at [Use portal to create a Microsoft Entra application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). Note the following while you're going through this process:
- You can put in any URL for the sign-in URL. - Create new client secret for this app.
azure-monitor Diagnostic Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/diagnostic-settings.md
To get around these limitations for specific metrics, you can manually extract t
### Destination limitations
-Any destinations for the diagnostic setting must be created before you create the diagnostic settings. The destination doesn't have to be in the same subscription as the resource sending logs if the user who configures the setting has appropriate Azure role-based access control access to both subscriptions. By using Azure Lighthouse, it's also possible to have diagnostic settings sent to a workspace, storage account, or event hub in another Azure Active Directory tenant.
+Any destinations for the diagnostic setting must be created before you create the diagnostic settings. The destination doesn't have to be in the same subscription as the resource sending logs if the user who configures the setting has appropriate Azure role-based access control access to both subscriptions. By using Azure Lighthouse, it's also possible to have diagnostic settings sent to a workspace, storage account, or event hub in another Microsoft Entra tenant.
The following table provides unique requirements for each destination including any regional restrictions.
azure-monitor Metrics Custom Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/metrics-custom-overview.md
When you send custom metrics to Azure Monitor, each data point, or value, report
### Authentication
-To submit custom metrics to Azure Monitor, the entity that submits the metric needs a valid Azure Active Directory (Azure AD) token in the **Bearer** header of the request. Supported ways to acquire a valid bearer token include:
+To submit custom metrics to Azure Monitor, the entity that submits the metric needs a valid Microsoft Entra token in the **Bearer** header of the request. Supported ways to acquire a valid bearer token include:
- [Managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md). You can use a managed identity to give resources permissions to carry out certain operations. An example is allowing a resource to emit metrics about itself. A resource, or its managed identity, can be granted **Monitoring Metrics Publisher** permissions on another resource. With this permission, the managed identity can also emit metrics for other resources.-- [Azure AD service principal](../../active-directory/develop/app-objects-and-service-principals.md). In this scenario, an Azure AD application, or service, can be assigned permissions to emit metrics about an Azure resource. To authenticate the request, Azure Monitor validates the application token by using Azure AD public keys. The existing **Monitoring Metrics Publisher** role already has this permission. It's available in the Azure portal.
+- [Microsoft Entra service principal](../../active-directory/develop/app-objects-and-service-principals.md). In this scenario, a Microsoft Entra application, or service, can be assigned permissions to emit metrics about an Azure resource. To authenticate the request, Azure Monitor validates the application token by using Microsoft Entra public keys. The existing **Monitoring Metrics Publisher** role already has this permission. It's available in the Azure portal.
The service principal, depending on what resources it emits custom metrics for, can be given the **Monitoring Metrics Publisher** role at the scope required. Examples are a subscription, resource group, or specific resource. > [!TIP]
-> When you request an Azure AD token to emit custom metrics, ensure that the audience or resource that the token is requested for is `https://monitoring.azure.com/`. Be sure to include the trailing slash.
+> When you request a Microsoft Entra token to emit custom metrics, ensure that the audience or resource that the token is requested for is `https://monitoring.azure.com/`. Be sure to include the trailing slash.
### Subject
azure-monitor Metrics Store Custom Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/metrics-store-custom-rest-api.md
This article shows you how to send custom metrics for Azure resources to the Azu
## Create and authorize a service principal to emit metrics
-A service principal is an application whose tokens can be used to authenticate and grant access to specific Azure resources by using Azure Active Directory. Resources include user apps, services, or automation tools.
+A service principal is an application whose tokens can be used to authenticate and grant access to specific Azure resources by using Microsoft Entra ID. Resources include user apps, services, or automation tools.
-1. [Register an application with Azure Active Directory](../logs/api/register-app-for-token.md) to create a service principal.
+1. [Register an application with Microsoft Entra ID](../logs/api/register-app-for-token.md) to create a service principal.
1. Save the tenant ID, new client ID, and client secret value for your app to use when it requests a token.
azure-monitor Platform Logs Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/platform-logs-overview.md
The following table lists the platform logs that are available at different laye
|:|:|:| | [Resource logs](./resource-logs.md) | Azure Resources | Resource logs provide an insight into operations that were performed within an Azure resource. This is know as the *data plane*. Examples include getting a secret from a key vault, or making a request to a database. The contents of resource logs varies according to the Azure service and resource type.<br><br>*Resource logs were previously referred to as diagnostic logs.* | | [Activity logs](../essentials/activity-log.md) | Azure Subscription |Activity logs provide an insight into the operations performed *on* each Azure resource in the subscription from the outside, known as the *management plane*. in addition to updates on Service Health events. Use the Activity log to determine *what*, *who*, and *when* for any write operation (PUT, POST, DELETE) executed on the resources in your subscription. There's a single activity log for each Azure subscription. |
-| [Azure Active Directory (Azure AD) logs](../../active-directory/reports-monitoring/overview-reports.md) | Azure Tenant | Azure Active Directory logs contain the history of sign-in activity and an audit trail of changes made in Azure AD for a particular tenant. |
+| [Microsoft Entra logs](../../active-directory/reports-monitoring/overview-reports.md) | Azure Tenant | Microsoft Entra logs contain the history of sign-in activity and an audit trail of changes made in Microsoft Entra ID for a particular tenant. |
> [!NOTE] > The Azure activity log is primarily for activities that occur in Azure Resource Manager. The activity log doesn't track resources by using the classic/RDFE model. Some classic resource types have a proxy resource provider in Resource Manager, for example, Microsoft.ClassicCompute. If you interact with a classic resource type through Resource Manager by using these proxy resource providers, the operations appear in the activity log. If you interact with a classic resource type outside of the Resource Manager proxies, your actions are only recorded in the Operation log. The [Operation log](https://portal.azure.com/?Microsoft_Azure_Monitoring_Log=#view/Microsoft_Azure_Resources/OperationLogsBlade) can be browsed in a separate section of the portal.
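Review bot: The unchanged table row above the `+` line has "This is know as the *data plane*" (should be "known"), "known as the *management plane*. in addition to updates on Service Health events" (a lowercase fragment; join it to the previous sentence with a comma or start a new sentence with a capital), and "The contents of resource logs varies" (should be "vary"). These are in the same table cell being edited, so fix them in this pass.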
The following table lists the platform logs that are available at different laye
There are different options for viewing and analyzing the different Azure platform logs: - View the activity log using the Azure portal and access events from PowerShell and the Azure CLI. See [View the activity log](../essentials/activity-log.md#view-the-activity-log) for details.-- View Azure AD security and activity reports in the Azure portal. See [What are Azure AD reports?](../../active-directory/reports-monitoring/overview-reports.md) for details.
+- View Microsoft Entra security and activity reports in the Azure portal. See [What are Microsoft Entra reports?](../../active-directory/reports-monitoring/overview-reports.md) for details.
- Resource logs are automatically generated by supported Azure resources. You must create a [diagnostic setting](#diagnostic-settings) for the resource to store and view the log. ## Diagnostic settings
Resource logs must have a diagnostic setting to be viewed. Create a [diagnostic
| [Azure Monitor partner integrations](../../partner-solutions/overview.md)| Partner integrations are specialized integrations between Azure Monitor and non-Microsoft monitoring platforms. Partner integrations are especially useful when you're already using one of the supported partners. | - For details on how to create a diagnostic setting for activity logs or resource logs, see [Create diagnostic settings to send platform logs and metrics to different destinations](../essentials/diagnostic-settings.md).-- For details on how to create a diagnostic setting for Azure AD logs, see the following articles:
- - [Integrate Azure AD logs with Azure Monitor logs](../../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)
- - [Tutorial: Stream Azure AD logs to an Azure event hub](../../active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)
- - [Tutorial: Archive Azure AD logs to an Azure Storage account](../../active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md)
+- For details on how to create a diagnostic setting for Microsoft Entra logs, see the following articles:
+ - [Integrate Microsoft Entra logs with Azure Monitor logs](../../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md)
+ - [Tutorial: Stream Microsoft Entra logs to an Azure event hub](../../active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)
+ - [Tutorial: Archive Microsoft Entra logs to an Azure Storage account](../../active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md)
## Pricing model
azure-monitor Prometheus Api Promql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/prometheus-api-promql.md
To query an Azure monitor workspace using PromQL, you need the following prerequ
## Authentication
-To query your Azure Monitor workspace, authenticate using Azure Active Directory.
-The API supports Azure Active Directory authentication using client credentials. Register a client app with Azure Active Directory and request a token.
+To query your Azure Monitor workspace, authenticate using Microsoft Entra ID.
+The API supports Microsoft Entra authentication using client credentials. Register a client app with Microsoft Entra ID and request a token.
-To set up Azure Active Directory authentication, follow the steps below:
+To set up Microsoft Entra authentication, follow the steps below:
-1. Register an app with Azure Active Directory.
+1. Register an app with Microsoft Entra ID.
1. Grant access for the app to your Azure Monitor workspace. 1. Request a token.
-### Register an app with Azure Active Directory
+<a name='register-an-app-with-azure-active-directory'></a>
+
+### Register an app with Microsoft Entra ID
1. To register an app, follow the steps in [Register an App to request authorization tokens and work with APIs](../logs/api/register-app-for-token.md?tabs=portal)
azure-monitor Prometheus Grafana https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/prometheus-grafana.md
Last updated 09/28/2022
[Azure Monitor managed service for Prometheus](prometheus-metrics-overview.md) allows you to collect and analyze metrics at scale using a [Prometheus](https://aka.ms/azureprometheus-promio)-compatible monitoring solution. The most common way to analyze and present Prometheus data is with a Grafana dashboard. This article explains how to configure Prometheus as a data source for both [Azure Managed Grafana](../../managed-grafan) and [self-hosted Grafana](https://grafana.com/) running in an Azure virtual machine using managed system identity authentication.
-For information on using Grafana with Active Directory, see [Configure self-managed Grafana to use Azure Monitor managed Prometheus with Azure Active Directory](./prometheus-self-managed-grafana-azure-active-directory.md).
+For information on using Grafana with Active Directory, see [Configure self-managed Grafana to use Azure Monitor managed Prometheus with Microsoft Entra ID](./prometheus-self-managed-grafana-azure-active-directory.md).
## Azure Managed Grafana The following sections describe how to configure Azure Monitor managed service for Prometheus as a data source for Azure Managed Grafana.
Versions 9.x and greater of Grafana support Azure Authentication, but it's not e
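Review bot: the rename on the + line is incomplete; the sentence still opens with "For information on using Grafana with Active Directory" while the link text now says "Microsoft Entra ID". Suggest "For information on using Grafana with Microsoft Entra ID, see [Configure self-managed Grafana to use Azure Monitor managed Prometheus with Microsoft Entra ID](...)" so the lead-in and the link text name the same product.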
## Next steps-- [Configure self-managed Grafana to use Azure-managed Prometheus with Azure Active Directory](./prometheus-self-managed-grafana-azure-active-directory.md).
+- [Configure self-managed Grafana to use Azure-managed Prometheus with Microsoft Entra ID](./prometheus-self-managed-grafana-azure-active-directory.md).
- [Collect Prometheus metrics for your AKS cluster](../essentials/prometheus-metrics-enable.md). - [Configure Prometheus alerting and recording rules groups](prometheus-rule-groups.md). - [Customize scraping of Prometheus metrics](prometheus-metrics-scrape-configuration.md).
azure-monitor Prometheus Self Managed Grafana Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/prometheus-self-managed-grafana-azure-active-directory.md
Title: Configure self-hosted Grafana to use Azure Monitor managed service for Prometheus as data source using Azure Active Directory.
-description: How to configure Azure Monitor managed service for Prometheus as data source for both Azure Managed Grafana and self-hosted Grafana using Azure Active Directory.
+ Title: Configure self-hosted Grafana to use Azure Monitor managed service for Prometheus as data source using Microsoft Entra ID.
+description: How to configure Azure Monitor managed service for Prometheus as data source for both Azure Managed Grafana and self-hosted Grafana using Microsoft Entra ID.
Last updated 11/04/2022
-# Configure self-managed Grafana to use Azure Monitor managed service for Prometheus with Azure Active Directory.
+# Configure self-managed Grafana to use Azure Monitor managed service for Prometheus with Microsoft Entra ID.
-[Azure Monitor managed service for Prometheus](prometheus-metrics-overview.md) allows you to collect and analyze metrics at scale using a [Prometheus](https://aka.ms/azureprometheus-promio)-compatible monitoring solution. The most common way to analyze and present Prometheus data is with a Grafana dashboard. This article explains how to configure Prometheus as a data source for [self-hosted Grafana](https://grafana.com/) using Azure Active Directory.
+[Azure Monitor managed service for Prometheus](prometheus-metrics-overview.md) allows you to collect and analyze metrics at scale using a [Prometheus](https://aka.ms/azureprometheus-promio)-compatible monitoring solution. The most common way to analyze and present Prometheus data is with a Grafana dashboard. This article explains how to configure Prometheus as a data source for [self-hosted Grafana](https://grafana.com/) using Microsoft Entra ID.
For information on using Grafana with managed system identity, see [Configure Grafana using managed system identity](./prometheus-grafana.md).
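Review bot: the updated H1 ("# Configure self-managed Grafana to use Azure Monitor managed service for Prometheus with Microsoft Entra ID.") keeps a trailing period, and it says "self-managed" while the updated Title line in the same hunk says "self-hosted". Suggest dropping the period and using one of the two terms in both the title and the heading.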
-## Azure Active Directory authentication
+<a name='azure-active-directory-authentication'></a>
-To set up Azure Active Directory authentication, follow the steps below:
-1. Register an app with Azure Active Directory.
+## Microsoft Entra authentication
+
+To set up Microsoft Entra authentication, follow the steps below:
+1. Register an app with Microsoft Entra ID.
1. Grant access for the app to your Azure Monitor workspace. 1. Configure your self-hosted Grafana with the app's credentials.
-## Register an app with Azure Active Directory
+<a name='register-an-app-with-azure-active-directory'></a>
+
+## Register an app with Microsoft Entra ID
1. To register an app, open the Active Directory Overview page in the Azure portal.
Allow your app to query data from your Azure Monitor workspace.
:::image type="content" source="./media/prometheus-self-managed-grafana-azure-active-directory/add-role-assignment.png" alt-text="A screenshot showing the Add role assignment page"::: 1. Select **Select members**.
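Review bot: the heading is renamed to "Register an app with Microsoft Entra ID", but the first step directly under it (unchanged context, "To register an app, open the Active Directory Overview page in the Azure portal.") still uses the old product name; suggest updating that step in the same change so the section is consistent. Keeping the old anchor via `<a name='register-an-app-with-azure-active-directory'></a>` is the right call, since the in-article links further down still point at `#register-an-app-with-azure-active-directory`.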
-1. Search for the app that you registered in the [Register an app with Azure Active Directory](#register-an-app-with-azure-active-directory) section and select it.
+1. Search for the app that you registered in the [Register an app with Microsoft Entra ID](#register-an-app-with-azure-active-directory) section and select it.
1. Click **Select**. 1. Select **Review + assign**. :::image type="content" source="./media/prometheus-self-managed-grafana-azure-active-directory/select-members.png" alt-text="A screenshot showing the Add role assignment, select members page.":::
Grafana now supports connecting to Azure Monitor managed Prometheus using the [P
1. In the **URL** field, paste the Query endpoint value from the Azure Monitor workspace overview page. 1. Under **Auth**, turn on **Azure Authentication**. 1. In the Azure Authentication section, select **App Registration** from the **Authentication** dropdown.
-1. Enter the **Direct(tenant) ID**, **Application (client) ID**, and the **Client secret** from the [Register an app with Azure Active Directory](#register-an-app-with-azure-active-directory) section.
+1. Enter the **Direct(tenant) ID**, **Application (client) ID**, and the **Client secret** from the [Register an app with Microsoft Entra ID](#register-an-app-with-azure-active-directory) section.
1. Select **Save & test** :::image type="content" source="./media/prometheus-self-managed-grafana-azure-active-directory/configure-grafana.png" alt-text="A screenshot showing the Grafana settings page for adding a data source.":::
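Review bot: "**Direct(tenant) ID**" on the + line is carried over unchanged from the old text; the portal field is labelled "Directory (tenant) ID", so suggest fixing the typo while this step is being edited.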
azure-monitor Resource Logs Schema https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/resource-logs-schema.md
The schema for resource logs varies depending on the resource and log category.
| Service or feature | Schema and documentation | | | |
-| Azure Active Directory | [Overview](../../active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md), [Audit log schema](../../active-directory/reports-monitoring/overview-reports.md), [Sign-ins schema](../../active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema.md) |
+| Microsoft Entra ID | [Overview](../../active-directory/reports-monitoring/concept-activity-logs-azure-monitor.md), [Audit log schema](../../active-directory/reports-monitoring/overview-reports.md), [Sign-ins schema](../../active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema.md) |
| Azure Analysis Services | [Azure Analysis | Azure API Management | [API Management resource logs](../../api-management/api-management-howto-use-azure-monitor.md#resource-logs) | | Azure App Service | [App Service logs](../../app-service/troubleshoot-diagnostic-logs.md)
azure-monitor Rest Api Walkthrough https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/rest-api-walkthrough.md
Retrieve metric definitions, dimension values, and metric values using the Azure
## Authenticate Azure Monitor requests
-Request submitted using the Azure Monitor API use the Azure Resource Manager authentication model. All requests are authenticated with Azure Active Directory. One approach to authenticating the client application is to create an Azure Active Directory service principal and retrieve an authentication token. You can create an Azure Active Directory service principal using the Azure portal, CLI, or PowerShell. For more information, see [Register an App to request authorization tokens and work with APIs](../logs/api/register-app-for-token.md)
+Request submitted using the Azure Monitor API use the Azure Resource Manager authentication model. All requests are authenticated with Microsoft Entra ID. One approach to authenticating the client application is to create a Microsoft Entra service principal and retrieve an authentication token. You can create a Microsoft Entra service principal using the Azure portal, CLI, or PowerShell. For more information, see [Register an App to request authorization tokens and work with APIs](../logs/api/register-app-for-token.md)
### Retrieve a token Once you've created a service principal, retrieve an access token using a REST call. Submit the following request using the `appId` and `password` for your service principal or app:
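Review bot: the + line keeps a subject-verb error from the old text: "Request submitted using the Azure Monitor API use the Azure Resource Manager authentication model." Suggest "Requests submitted using the Azure Monitor API use the Azure Resource Manager authentication model." The sentence also ends without a period after the link.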
azure-monitor Stream Monitoring Data Event Hubs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/essentials/stream-monitoring-data-event-hubs.md
Before you configure streaming for any data source, you need to [create an Event
| Tier | Data | Method | |:|:|:|
-| [Azure tenant](../data-sources.md#azure-tenant) | Azure Active Directory audit logs | Configure a tenant diagnostic setting on your Azure Active Directory tenant. For more information, see [Tutorial: Stream Azure Active Directory logs to an Azure event hub](../../active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md). |
+| [Azure tenant](../data-sources.md#azure-tenant) | Microsoft Entra audit logs | Configure a tenant diagnostic setting on your Microsoft Entra tenant. For more information, see [Tutorial: Stream Microsoft Entra logs to an Azure event hub](../../active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md). |
| [Azure subscription](../data-sources.md#azure-subscription) | Azure activity log | [Create a diagnostic setting](diagnostic-settings.md#create-diagnostic-settings) to export activity log events to event hubs. For more information, see [Stream Azure platform logs to Azure event hubs](../essentials/resource-logs.md#send-to-azure-event-hubs). | | [Azure resources](../data-sources.md#azure-resources) | Platform metrics<br> Resource logs | [Create a diagnostic setting](diagnostic-settings.md#create-diagnostic-settings) to export resource logs and metrics to event hubs. For more information, see [Stream Azure platform logs to Azure event hubs](../essentials/resource-logs.md#send-to-azure-event-hubs). | | [Operating system (guest)](../data-sources.md#operating-system-guest) | Azure virtual machines | Install the [Azure Diagnostics extension](../agents/diagnostics-extension-overview.md) on Windows and Linux virtual machines in Azure. For more information, see [Streaming Azure Diagnostics data in the hot path by using event hubs](../agents/diagnostics-extension-stream-event-hubs.md) for details on Windows VMs. See [Use Linux Diagnostic extension to monitor metrics and logs](../../virtual-machines/extensions/diagnostics-linux.md#protected-settings) for details on Linux VMs. |
azure-monitor Insights Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/insights/insights-overview.md
The following table lists the available curated visualizations and information a
| [Azure Stack HCI Insights](/azure-stack/hci/manage/azure-stack-hci-insights) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/azureStackHCIInsights) | Based on Azure Monitor Workbooks. Provides health, performance, and usage insights about registered Azure Stack HCI version 21H2 clusters that are connected to Azure and enrolled in monitoring. It stores its data in a Log Analytics workspace, which allows it to deliver powerful aggregation and filtering and analyze data trends over time. | | [Windows Update for Business](/windows/deployment/update/wufb-reports-overview) | GA | [Yes](https://ms.portal.azure.com/#view/AppInsightsExtension/WorkbookViewerBlade/Type/updatecompliance-insights/ComponentId/Azure%20Monitor/GalleryResourceType/Azure%20Monitor/ConfigurationId/community-Workbooks%2FUpdateCompliance%2FUpdateComplianceHub) | Detailed deployment monitoring, compliance assessment and failure troubleshooting for all Windows 10/11 devices.| |**Not in Azure portal Insight hub**||||
-| [Azure Monitor Workbooks for Azure Active Directory](../../active-directory/reports-monitoring/howto-use-azure-monitor-workbooks.md) | General availability (GA) | [Yes](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Workbooks) | Azure Active Directory provides workbooks to understand the effect of your Conditional Access policies, troubleshoot sign-in failures, and identify legacy authentications. |
+| [Azure Monitor Workbooks for Microsoft Entra ID](../../active-directory/reports-monitoring/howto-use-azure-monitor-workbooks.md) | General availability (GA) | [Yes](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Workbooks) | Microsoft Entra ID provides workbooks to understand the effect of your Conditional Access policies, troubleshoot sign-in failures, and identify legacy authentications. |
| [Azure HDInsight](../../hdinsight/log-analytics-migration.md#insights) | Preview | No | An Azure Monitor workbook that collects important performance metrics from your HDInsight cluster and provides the visualizations and dashboards for most common scenarios. Gives a complete view of a single HDInsight cluster including resource utilization and application status.|
azure-monitor Access Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/api/access-api.md
# Access the Azure Monitor Log Analytics API
-You can submit a query request to a workspace by using the Azure Monitor Log Analytics endpoint `https://api.loganalytics.azure.com`. To access the endpoint, you must authenticate through Azure Active Directory (Azure AD).
+You can submit a query request to a workspace by using the Azure Monitor Log Analytics endpoint `https://api.loganalytics.azure.com`. To access the endpoint, you must authenticate through Microsoft Entra ID.
>[!Note] > The `api.loganalytics.io` endpoint is being replaced by `api.loganalytics.azure.com`. The `api.loganalytics.io` endpoint will continue to be supported for the forseeable future. ## Authenticate with a demo API key
-To quickly explore the API without Azure AD authentication, use the demonstration workspace with sample data, which supports API key authentication.
+To quickly explore the API without Microsoft Entra authentication, use the demonstration workspace with sample data, which supports API key authentication.
To authenticate and run queries against the sample workspace, use `DEMO_WORKSPACE` as the {workspace-id} and pass in the API key `DEMO_KEY`.
For example:
## Set up authentication
-To access the API, you register a client app with Azure AD and request a token.
+To access the API, you register a client app with Microsoft Entra ID and request a token.
-1. [Register an app in Azure AD](./register-app-for-token.md).
+1. [Register an app in Microsoft Entra ID](./register-app-for-token.md).
1. On the app's overview page, select **API permissions**. 1. Select **Add a permission**.
Now that your app is registered and has permissions to use the API, grant your a
## Request an authorization token Before you begin, make sure you have all the values required to make the request successfully. All requests require:-- Your Azure AD tenant ID.
+- Your Microsoft Entra tenant ID.
- Your workspace ID.-- Your Azure AD client ID for the app.-- An Azure AD client secret for the app.
+- Your Microsoft Entra client ID for the app.
+- A Microsoft Entra client secret for the app.
-The Log Analytics API supports Azure AD authentication with three different [Azure AD OAuth2](/azure/active-directory/develop/active-directory-protocols-oauth-code) flows:
+The Log Analytics API supports Microsoft Entra authentication with three different [Microsoft Entra ID OAuth2](/azure/active-directory/develop/active-directory-protocols-oauth-code) flows:
- Client credentials - Authorization code - Implicit ### Client credentials flow
-In the client credentials flow, the token is used with the Log Analytics endpoint. A single request is made to receive a token by using the credentials provided for your app in the previous step when you [register an app in Azure AD](./register-app-for-token.md).
+In the client credentials flow, the token is used with the Log Analytics endpoint. A single request is made to receive a token by using the credentials provided for your app in the previous step when you [register an app in Microsoft Entra ID](./register-app-for-token.md).
Use the `https://api.loganalytics.azure.com` endpoint.
The main OAuth2 flow supported is through [authorization codes](/azure/active-di
&resource=https://api.loganalytics.io ```
-When a request is made to the authorize URL, the client\_id is the application ID from your Azure AD app, copied from the app's properties menu. The redirect\_uri is the homepage/login URL from the same Azure AD app. When a request is successful, this endpoint redirects you to the sign-in page you provided at sign-up with the authorization code appended to the URL. See the following example:
+When a request is made to the authorize URL, the client\_id is the application ID from your Microsoft Entra app, copied from the app's properties menu. The redirect\_uri is the homepage/login URL from the same Microsoft Entra app. When a request is successful, this endpoint redirects you to the sign-in page you provided at sign-up with the authorization code appended to the URL. See the following example:
```http http://<app-client-id>/?code=AUTHORIZATION_CODE&session_state=STATE_GUID
At this point, you've obtained an authorization code, which you need now to requ
&client_secret=<app-client-secret> ```
-All values are the same as before, with some additions. The authorization code is the same code you received in the previous request after a successful redirect. The code is combined with the key obtained from the Azure AD app. If you didn't save the key, you can delete it and create a new one from the keys tab of the Azure AD app menu. The response is a JSON string that contains the token with the following schema. Types are indicated for the token values.
+All values are the same as before, with some additions. The authorization code is the same code you received in the previous request after a successful redirect. The code is combined with the key obtained from the Microsoft Entra app. If you didn't save the key, you can delete it and create a new one from the keys tab of the Microsoft Entra app menu. The response is a JSON string that contains the token with the following schema. Types are indicated for the token values.
Response example:
This access\_token can be used as the `Authorization: Bearer` header value when
## More information
-You can find documentation about OAuth2 with Azure AD here:
+You can find documentation about OAuth2 with Microsoft Entra here:
+ - [Microsoft Entra authorization code flow](/azure/active-directory/develop/active-directory-protocols-oauth-code)
+ - [Microsoft Entra implicit grant flow](/azure/active-directory/develop/active-directory-dev-understanding-oauth2-implicit-grant)
+ - [Microsoft Entra S2S client credentials flow](/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service)
## Next steps
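Review bot: "You can find documentation about OAuth2 with Microsoft Entra here:" uses the product name as a standalone noun, whereas the rest of this change writes "Microsoft Entra ID" in that position (for example "[Microsoft Entra ID OAuth2]" earlier in the same article); suggest "OAuth2 with Microsoft Entra ID". The three new bullet lines are also indented with a leading space before the hyphen, unlike the other lists in this article (for example "- Client credentials - Authorization code - Implicit").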
azure-monitor Batch Queries https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/api/batch-queries.md
# Batch queries
-The Azure Monitor Log Analytics API supports batching queries together. Batch queries currently require Azure AD authentication.
+The Azure Monitor Log Analytics API supports batching queries together. Batch queries currently require Microsoft Entra authentication.
## Request format To batch queries, use the API endpoint, adding $batch at the end of the URL: `https://api.loganalytics.azure.com/v1/$batch`.
This list is a non-exhaustive list of examples of possible errors and their mean
} ``` -- 403 - Forbidden. The token provided does not have access to the resource you are trying to access. Make sure that your token request has the correct resource, and you have granted permissions for your Azure AD application.
+- 403 - Forbidden. The token provided does not have access to the resource you are trying to access. Make sure that your token request has the correct resource, and you have granted permissions for your Microsoft Entra application.
``` {
azure-monitor Errors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/api/errors.md
Include a form of authentication with your request, such as the header `"Authori
} ```
-The token is malformed or otherwise invalid. This error can occur if you manually copy and paste the token and add or cut characters to the payload. Verify that the token is exactly as received from Azure Active Directory (Azure AD).
+The token is malformed or otherwise invalid. This error can occur if you manually copy and paste the token and add or cut characters to the payload. Verify that the token is exactly as received from Microsoft Entra ID.
## Invalid token audience
This error can occur if you try to use client credentials via the direct API end
} ```
-The token you've presented for authorization belongs to a user who doesn't have sufficient access to this privilege. Verify that your workspace GUID and your token request are correct. If necessary, grant IAM privileges in your workspace to the Azure AD application you created as Contributor.
+The token you've presented for authorization belongs to a user who doesn't have sufficient access to this privilege. Verify that your workspace GUID and your token request are correct. If necessary, grant IAM privileges in your workspace to the Microsoft Entra application you created as Contributor.
> [!NOTE]
-> When you use Azure AD authentication, it might take up to 60 minutes for the Application Insights REST API to recognize new role-based access control permissions. While permissions are propagating, REST API calls might fail with error code 403.
+> When you use Microsoft Entra authentication, it might take up to 60 minutes for the Application Insights REST API to recognize new role-based access control permissions. While permissions are propagating, REST API calls might fail with error code 403.
## Bad authorization code
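Review bot: the updated "Insufficient permissions" line still advises granting the Microsoft Entra application Contributor on the workspace, which is more privilege than a query-only client needs; the register-app article later on this page assigns the `Reader` role to the service principal for the same purpose. Suggest aligning this line on Reader so the guidance is consistent and follows least privilege.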
The token you've presented for authorization belongs to a user who doesn't have
} ```
-The authorization code submitted in the token request was either stale or previously used. Reauthorize via the Azure AD authorize endpoint to get a new code.
+The authorization code submitted in the token request was either stale or previously used. Reauthorize via the Microsoft Entra authorize endpoint to get a new code.
## Path not found
azure-monitor Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/api/overview.md
The Log Analytics Query API is a REST API that you can use to query the full set
## Log Analytics API authentication You must authenticate to access the Log Analytics API:-- To query your workspaces, you must use [Azure Active Directory (Azure AD) authentication](../../../active-directory/fundamentals/active-directory-whatis.md).-- To quickly explore the API without using Azure AD authentication, you can use an API key to query sample data in a non-production environment.
+- To query your workspaces, you must use [Microsoft Entra authentication](../../../active-directory/fundamentals/active-directory-whatis.md).
+- To quickly explore the API without using Microsoft Entra authentication, you can use an API key to query sample data in a non-production environment.
-### Azure AD authentication for workspace data
+<a name='azure-ad-authentication-for-workspace-data'></a>
-The Log Analytics API supports Azure AD authentication with three different [Azure AD OAuth2](/azure/active-directory/develop/active-directory-protocols-oauth-code) flows:
+### Microsoft Entra authentication for workspace data
+
+The Log Analytics API supports Microsoft Entra authentication with three different [Microsoft Entra ID OAuth2](/azure/active-directory/develop/active-directory-protocols-oauth-code) flows:
- Authorization code - Implicit - Client credentials
After you receive a token, the process for calling the Log Analytics API is the
### API key authentication for sample data
-To quickly explore the API without using Azure AD authentication, we provide a demonstration workspace with sample data. You can [authenticate by using an API key](./access-api.md#authenticate-with-a-demo-api-key).
+To quickly explore the API without using Microsoft Entra authentication, we provide a demonstration workspace with sample data. You can [authenticate by using an API key](./access-api.md#authenticate-with-a-demo-api-key).
> [!NOTE]
-> When you use Azure AD authentication, it might take up to 60 minutes for the Application Insights REST API to recognize new role-based access control permissions. While permissions are propagating, REST API calls might fail with [error code 403](./errors.md#insufficient-permissions).
+> When you use Microsoft Entra authentication, it might take up to 60 minutes for the Application Insights REST API to recognize new role-based access control permissions. While permissions are propagating, REST API calls might fail with [error code 403](./errors.md#insufficient-permissions).
## Log Analytics API query limits
azure-monitor Register App For Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/api/register-app-for-token.md
Create a service principal and register an app using the Azure portal, Azure CLI
1. To register an app, open the Active Directory Overview page in the Azure portal. 1. Select **App registrations** from the side bar. 1. Select **New registration** 1. On the Register an application page, enter a **Name** for the application.
Create a service principal and register an app using the Azure portal, Azure CLI
1. On the app's overview page, select **Certificates and Secrets** 1. Note the **Application (client) ID**. It's used in the HTTP request for a token. 1. In the **Client secrets tab** Select **New client secret** 1. Enter a **Description** and select **Add**
The CLI following example assigns the `Reader` role to the service principal for
For more information on creating a service principal using Azure CLI, see [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli). ### [PowerShell](#tab/powershell)
-The following sample script demonstrates creating an Azure Active Directory service principal via PowerShell. For a more detailed walkthrough, see [using Azure PowerShell to create a service principal to access resources](../../../active-directory/develop/howto-authenticate-service-principal-powershell.md)
+The following sample script demonstrates creating a Microsoft Entra service principal via PowerShell. For a more detailed walkthrough, see [using Azure PowerShell to create a service principal to access resources](../../../active-directory/develop/howto-authenticate-service-principal-powershell.md)
```powershell $subscriptionId = "{azure-subscription-id}"
For more information, see [Assign Azure roles using the Azure portal](../../../r
Once you've assigned a role, you can use your app, client ID, and client secret to generate a bearer token to access the REST API. > [!NOTE]
-> When using Azure AD authentication, it may take up to 60 minutes for the Azure Application Insights REST API to recognize new role-based access control (RBAC) permissions. While permissions are propagating, REST API calls may fail with error code 403.
+> When using Microsoft Entra authentication, it may take up to 60 minutes for the Azure Application Insights REST API to recognize new role-based access control (RBAC) permissions. While permissions are propagating, REST API calls may fail with error code 403.
azure-monitor Request Format https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/api/request-format.md
There are two endpoints through which you can communicate with the Log Analytics
- A direct URL for the API: `https://api.loganalytics.azure.com` - Through Azure Resource Manager (ARM).
-While the URLs are different, the query parameters are the same for each endpoint. Both endpoints require authorization through Azure Active Directory (Azure AD).
+While the URLs are different, the query parameters are the same for each endpoint. Both endpoints require authorization through Microsoft Entra ID.
The API supports the `POST` and `GET` methods.
For example, to count AzureActivity events by Category, make this call:
{ "query": "AzureActivity | summarize count() by Category" }
-```
+```
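Review bot: The `-```` and `+```` lines are identical as rendered, so this hunk is a whitespace or line-ending change only; confirm that is intentional and that the closing fence still terminates the JSON request body shown above it (`{ "query": "AzureActivity | summarize count() by Category" }`).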
azure-monitor Azure Ad Authentication Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/azure-ad-authentication-logs.md
Title: Azure AD authentication for Azure Monitor Logs
-description: Learn how to enable Azure Active Directory (Azure AD) authentication for Log Analytics in Azure Monitor.
+ Title: Microsoft Entra authentication for Azure Monitor Logs
+description: Learn how to enable Microsoft Entra authentication for Log Analytics in Azure Monitor.
Last updated 08/24/2021
-# Azure AD authentication for Azure Monitor Logs
+# Microsoft Entra authentication for Azure Monitor Logs
Azure Monitor can [collect data in Azure Monitor Logs from multiple sources](data-platform-logs.md#data-collection). These sources include agents on virtual machines, Application Insights, diagnostic settings for Azure resources, and the Data Collector API. Log Analytics agents use a workspace key as an enrollment key to verify initial access and provision a certificate further used to establish a secure connection between the agent and Azure Monitor. To learn more, see [Send data from agents](data-security.md#2-send-data-from-agents). The Data Collector API uses the same workspace key to [authorize access](data-collector-api.md#authorization).
-These options might be cumbersome and pose a risk because it's difficult to manage credentials, specifically workspace keys, at a large scale. You can opt out of local authentication and ensure that only telemetry that's exclusively authenticated by using Managed Identities and Azure Active Directory (Azure AD) is ingested into Azure Monitor. This feature enhances the security and reliability of the telemetry used to make critical operational and business decisions.
+These options might be cumbersome and pose a risk because it's difficult to manage credentials, specifically workspace keys, at a large scale. You can opt out of local authentication and ensure that only telemetry that's exclusively authenticated by using Managed Identities and Microsoft Entra ID is ingested into Azure Monitor. This feature enhances the security and reliability of the telemetry used to make critical operational and business decisions.
-To enable Azure AD integration for Azure Monitor Logs and remove reliance on these shared secrets:
+To enable Microsoft Entra integration for Azure Monitor Logs and remove reliance on these shared secrets:
1. [Disable local authentication for Log Analytics workspaces](#disable-local-authentication-for-log-analytics-workspaces).
-1. Ensure that only authenticated telemetry is ingested in your Application Insights resources with [Azure AD authentication for Application Insights (preview)](../app/azure-ad-authentication.md).
+1. Ensure that only authenticated telemetry is ingested in your Application Insights resources with [Microsoft Entra authentication for Application Insights (preview)](../app/azure-ad-authentication.md).
## Prerequisites
To disable local authentication for a Log Analytics workspace, you need `microso
Disabling local authentication might limit the availability of some functionality, specifically: - Existing Log Analytics agents will stop functioning. Only Azure Monitor Agent will be supported. Azure Monitor Agent will be missing some capabilities that are available through the Log Analytics agent. Examples include custom log collection and IIS log collection.-- The Data Collector API (preview) won't support Azure AD authentication and won't be available to ingest data.
+- The Data Collector API (preview) won't support Microsoft Entra authentication and won't be available to ingest data.
- VM insights and Container insights will stop working. Local authorization will be the only authorization method supported by these features. You can disable local authentication by using Azure Policy. Or you can disable it programmatically through an Azure Resource Manager template, PowerShell, or the Azure CLI.
The policy template definition:
### [Azure Resource Manager](#tab/azure-resource-manager)
-The `DisableLocalAuth` property is used to disable any local authentication on your Log Analytics workspace. When set to `true`, this property enforces that Azure AD authentication must be used for all access.
+The `DisableLocalAuth` property is used to disable any local authentication on your Log Analytics workspace. When set to `true`, this property enforces that Microsoft Entra authentication must be used for all access.
Use the following Azure Resource Manager template to disable local authentication:
Use the following Azure Resource Manager template to disable local authenticatio
### [Azure CLI](#tab/azure-cli)
-The `DisableLocalAuth` property is used to disable any local authentication on your Log Analytics workspace. When set to `true`, this property enforces that Azure AD authentication must be used for all access.
+The `DisableLocalAuth` property is used to disable any local authentication on your Log Analytics workspace. When set to `true`, this property enforces that Microsoft Entra authentication must be used for all access.
Use the following Azure CLI commands to disable local authentication:
Use the following Azure CLI commands to disable local authentication:
### [PowerShell](#tab/powershell)
-The `DisableLocalAuth` property is used to disable any local authentication on your Log Analytics workspace. When set to `true`, this property enforces that Azure AD authentication must be used for all access.
+The `DisableLocalAuth` property is used to disable any local authentication on your Log Analytics workspace. When set to `true`, this property enforces that Microsoft Entra authentication must be used for all access.
Use the following PowerShell commands to disable local authentication:
Use the following PowerShell commands to disable local authentication:
## Next steps
-See [Azure AD authentication for Application Insights (preview)](../app/azure-ad-authentication.md).
+See [Microsoft Entra authentication for Application Insights (preview)](../app/azure-ad-authentication.md).
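Review bot: The `DisableLocalAuth` paragraph is now repeated word for word under the Azure Resource Manager, Azure CLI and PowerShell tabs; hoist it above the tab group (or into an include) so the next terminology pass edits one line rather than three. Also, the front matter still reads `Last updated 08/24/2021` while the title, description and H1 change in this commit; bump it if this repo's convention is to refresh the date on content edits.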
azure-monitor Cross Workspace Query https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/cross-workspace-query.md
Last updated 05/30/2023
Azure Monitor Logs support querying across multiple Log Analytics workspaces and Application Insights apps in the same resource group, another resource group, or another subscription. This capability provides you with a systemwide view of your data.
-If you manage subscriptions in other Azure Active Directory (Azure AD) tenants through [Azure Lighthouse](../../lighthouse/overview.md), you can include [Log Analytics workspaces created in those customer tenants](../../lighthouse/how-to/monitor-at-scale.md) in your queries.
+If you manage subscriptions in other Microsoft Entra tenants through [Azure Lighthouse](../../lighthouse/overview.md), you can include [Log Analytics workspaces created in those customer tenants](../../lighthouse/how-to/monitor-at-scale.md) in your queries.
There are two methods to query data that's stored in multiple workspaces and apps:
azure-monitor Custom Logs Migrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/custom-logs-migrate.md
The migration procedure described in this article assumes you have:
- A Log Analytics workspace where you have at least [contributor rights](manage-access.md#azure-rbac). - [Permissions to create data collection rules](../essentials/data-collection-rule-overview.md#permissions) in the Log Analytics workspace.-- [An Azure AD application to authenticate API calls](../logs/tutorial-logs-ingestion-portal.md#create-azure-ad-application) or any other Resource Manager authentication scheme.
+- [A Microsoft Entra application to authenticate API calls](../logs/tutorial-logs-ingestion-portal.md#create-azure-ad-application) or any other Resource Manager authentication scheme.
## Create new resources required for the Log ingestion API
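Review bot: The renamed link text still targets `tutorial-logs-ingestion-portal.md#create-azure-ad-application`, which only resolves if the portal tutorial keeps the old heading slug after its own rename. The API tutorial in this same change set adds `<a name='create-azure-ad-application'></a>` for exactly this purpose, so check that the portal tutorial does the same.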
azure-monitor Customer Managed Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/customer-managed-keys.md
Log Analytics Dedicated Clusters [pricing model](./logs-dedicated-clusters.md#cl
## How Customer-managed key works in Azure Monitor
-Azure Monitor uses managed identity to grant access to your Azure Key Vault. The identity of the Log Analytics cluster is supported at the cluster level. To allow Customer-managed key on multiple workspaces, a Log Analytics Cluster resource performs as an intermediate identity connection between your Key Vault and your Log Analytics workspaces. The cluster's storage uses the managed identity that\'s associated with the Cluster resource to authenticate to your Azure Key Vault via Azure Active Directory.
+Azure Monitor uses managed identity to grant access to your Azure Key Vault. The identity of the Log Analytics cluster is supported at the cluster level. To allow Customer-managed key on multiple workspaces, a Log Analytics Cluster resource performs as an intermediate identity connection between your Key Vault and your Log Analytics workspaces. The cluster's storage uses the managed identity that\'s associated with the Cluster resource to authenticate to your Azure Key Vault via Microsoft Entra ID.
Clusters support two [managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types): System-assigned and User-assigned, while a single identity can be defined in a cluster depending on your scenario.
The following rules apply:
- The "AEK" is used to derive "DEKs, which are the keys that are used to encrypt each block of data written to disk. - When you configure a key in your Key Vault, and updated the key details in the cluster, the cluster storage performs requests to 'wrap' and 'unwrap' "AEK" for encryption and decryption. - Your "KEK" never leaves your Key Vault, and in the case of Managed "HSM", it never leaves the hardware.-- Azure Storage uses managed identity that's associated with the *Cluster* resource for authentication. It accesses Azure Key Vault via Azure Active Directory.
+- Azure Storage uses managed identity that's associated with the *Cluster* resource for authentication. It accesses Azure Key Vault via Microsoft Entra ID.
### Customer-Managed key provisioning steps
Deleting a linked workspace is permitted while linked to cluster. If you decide
- [Soft Delete](../../key-vault/general/soft-delete-overview.md). - [Purge protection](../../key-vault/general/soft-delete-overview.md#purge-protection) should be turned on to guard against force deletion of the secret, vault even after soft delete. -- Your Azure Key Vault, cluster and workspaces must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions.
+- Your Azure Key Vault, cluster and workspaces must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions.
- Setting the cluster's `identity` `type` to `None` also revokes access to your data, but this approach isn't recommended since you can't revert it without contacting support. The recommended way to revoke access to your data is [key revocation](#key-revocation).
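Review bot: `that\'s` in the rewritten sentence keeps a stray backslash escape from the old line; drop it while the line is being touched. In the bullet list of the second change, `uses managed identity that's associated` reads better as `uses the managed identity that's associated`, matching the first paragraph, and the unchanged neighbouring bullets have an unbalanced quote in `"DEKs,` and `and updated the key details` where `and update the key details` is meant; worth fixing in the same pass.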
azure-monitor Ingest Logs Event Hub https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/ingest-logs-event-hub.md
To stop ingesting data from the event hub, [delete all data collection rule asso
## Known issues and limitations -- If you transfer a subscription between Azure AD directories, you need to follow the steps described in [Known issues with managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/known-issues#transferring-a-subscription-between-azure-ad-directories) to continue ingesting data.
+- If you transfer a subscription between Microsoft Entra directories, you need to follow the steps described in [Known issues with managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/known-issues#transferring-a-subscription-between-azure-ad-directories) to continue ingesting data.
- You can ingest messages of up to 64 KB from Event Hubs to Azure Monitor Logs. ## Next steps
Learn more about to:
- [Create a custom table](../logs/create-custom-table.md#create-a-custom-table). - [Create a data collection endpoint](../essentials/data-collection-endpoint-overview.md#create-a-data-collection-endpoint). - [Update an existing data collection rule](../essentials/data-collection-rule-edit.md).--
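Review bot: The link anchor `#transferring-a-subscription-between-azure-ad-directories` is left unchanged while the link text moves to Microsoft Entra wording, so the target heading in known-issues.md must retain that slug (for example via an `<a name>` tag as done elsewhere in this change set); verify before merging. The nearby context `Learn more about to:` is also missing a word (`Learn more about how to:`).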
azure-monitor Logs Data Export https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/logs-data-export.md
For more information, including the data export billing timeline, see [Azure Mon
## Export destinations
-The data export destination must be available before you create export rules in your workspace. Destinations don't have to be in the same subscription as your workspace. When you use Azure Lighthouse, it's also possible to send data to destinations in another Azure Active Directory tenant.
+The data export destination must be available before you create export rules in your workspace. Destinations don't have to be in the same subscription as your workspace. When you use Azure Lighthouse, it's also possible to send data to destinations in another Microsoft Entra tenant.
You need to have write permissions to both workspace and destination to configure a data export rule on any table in a workspace. The shared access policy for the Event Hubs namespace defines the permissions that the streaming mechanism has. Streaming to Event Hubs requires manage, send, and listen permissions. To update the export rule, you must have the ListKey permission on that Event Hubs authorization rule.
azure-monitor Logs Ingestion Api Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/logs-ingestion-api-overview.md
Authentication for the Logs Ingestion API is performed at the DCE, which uses st
### Token audience
-When developing a custom client to obtain an access token from Azure AD for the purpose of submitting telemetry to Log Ingestion API in Azure Monitor, refer to the table provided below to determine the appropriate audience string for your particular host environment.
+When developing a custom client to obtain an access token from Microsoft Entra ID for the purpose of submitting telemetry to Log Ingestion API in Azure Monitor, refer to the table provided below to determine the appropriate audience string for your particular host environment.
| Azure cloud version | Token audience value | | | |
azure-monitor Manage Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/manage-access.md
In addition to using the built-in roles for a Log Analytics workspace, you can c
- Grant users the following permissions to their resources: `Microsoft.Insights/logs/*/read`. - Add the following NonAction to block users from reading the SecurityEvent type: `Microsoft.Insights/logs/SecurityEvent/read`. The NonAction shall be in the same custom role as the action that provides the read permission (`Microsoft.Insights/logs/*/read`). If the user inherits the read action from another role that's assigned to this resource or to the subscription or resource group, they could read all log types. This scenario is also true if they inherit `*/read` that exists, for example, with the Reader or Contributor role.
-**Example 5: Grant a user permission to read log data from their resources and all Azure AD sign-in and read Update Management solution log data in the Log Analytics workspace.**
+**Example 5: Grant a user permission to read log data from their resources and all Microsoft Entra sign-in and read Update Management solution log data in the Log Analytics workspace.**
- Configure the workspace access control mode to *use workspace or resource permissions*. - Grant users the following permissions on the workspace: - `Microsoft.OperationalInsights/workspaces/read`: Required so the user can enumerate the workspace and open the workspace pane in the Azure portal - `Microsoft.OperationalInsights/workspaces/query/read`: Required for every user that can execute queries
- - `Microsoft.OperationalInsights/workspaces/query/SigninLogs/read`: To be able to read Azure AD sign-in logs
+ - `Microsoft.OperationalInsights/workspaces/query/SigninLogs/read`: To be able to read Microsoft Entra sign-in logs
- `Microsoft.OperationalInsights/workspaces/query/Update/read`: To be able to read Update Management solution logs - `Microsoft.OperationalInsights/workspaces/query/UpdateRunProgress/read`: To be able to read Update Management solution logs - `Microsoft.OperationalInsights/workspaces/query/UpdateSummary/read`: To be able to read Update Management logs
azure-monitor Migrate Splunk To Azure Monitor Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/migrate-splunk-to-azure-monitor-logs.md
This table lists the tools Azure Monitor provides for collecting data from vario
| Resource type | Data collection tool |Similar Splunk tool| Collected data | | | | |
-| **Azure** | [Diagnostic settings](../essentials/diagnostic-settings.md) | | **Azure tenant** - Azure Active Directory Audit Logs provide sign-in activity history and audit trail of changes made within a tenant.<br/>**Azure resources** - Logs and performance counters.<br/>**Azure subscription** - Service health records along with records on any configuration changes made to the resources in your Azure subscription. |
+| **Azure** | [Diagnostic settings](../essentials/diagnostic-settings.md) | | **Azure tenant** - Microsoft Entra audit logs provide sign-in activity history and audit trail of changes made within a tenant.<br/>**Azure resources** - Logs and performance counters.<br/>**Azure subscription** - Service health records along with records on any configuration changes made to the resources in your Azure subscription. |
| **Application** | [Application insights](../app/app-insights-overview.md) |Splunk Application Performance Monitoring| Application performance monitoring data. | | **Container** |[Container insights](../containers/container-insights-overview.md)|Container Monitoring| Container performance data. | | **Operating system** | [Azure Monitor Agent](../vm/monitor-virtual-machine-agent.md) |Universal Forwarder, Heavy Forwarder | Monitoring data from the guest operating system of Azure and non-Azure virtual machines.|
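Review bot: `Microsoft Entra audit logs provide sign-in activity history and audit trail of changes` conflates two log streams: sign-in history comes from the sign-in logs, while the audit logs record changes made within the tenant. Since the cell is being rewritten anyway, `Microsoft Entra sign-in and audit logs provide sign-in activity history and an audit trail of changes made within a tenant` is more accurate.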
azure-monitor Monitor Workspace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/monitor-workspace.md
The following section provides information on data collection.
#### Operation: Azure Activity Log collection
-"Access to the subscription was lost. Ensure that the \<**subscription id**\> subscription is in the \<**tenant id**\> Azure Active Directory tenant. If the subscription is transferred to another tenant, there's no impact to the services, but information for the tenant could take up to an hour to propagate."
+"Access to the subscription was lost. Ensure that the \<**subscription id**\> subscription is in the \<**tenant id**\> Microsoft Entra tenant. If the subscription is transferred to another tenant, there's no impact to the services, but information for the tenant could take up to an hour to propagate."
In some situations, like moving a subscription to a different tenant, the Azure activity logs might stop flowing into the workspace. In those situations, you need to reconnect the subscription following the process described in this article.
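Review bot: This line is a verbatim service error message in quotation marks; rewording it to `Microsoft Entra tenant` only helps if the Activity Log collection service now emits that string. If the service still says `Azure Active Directory tenant`, users searching for the text they see will not find it, so either confirm the emitted text or keep the quoted message unchanged and rename only the surrounding prose.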
azure-monitor Move Workspace https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/move-workspace.md
In this article, you'll learn the steps to move a Log Analytics workspace to ano
| Action | Permissions required | |:|:|
-| Verify the Azure Active Directory tenant. | `Microsoft.AzureActiveDirectory/b2cDirectories/read` permissions, as provided by the [Log Analytics Reader built-in role](./manage-access.md#log-analytics-reader), for example. |
+| Verify the Microsoft Entra tenant. | `Microsoft.AzureActiveDirectory/b2cDirectories/read` permissions, as provided by the [Log Analytics Reader built-in role](./manage-access.md#log-analytics-reader), for example. |
| Delete a solution. | `Microsoft.OperationsManagement/solutions/delete` permissions on the solution, as provided by the [Log Analytics Contributor built-in role](./manage-access.md#log-analytics-contributor), for example. | | Remove alert rules for the Start/Stop VMs solution. | `microsoft.insights/scheduledqueryrules/delete` permissions, as provided by the [Monitoring Contributor built-in role](../../role-based-access-control/built-in-roles.md#monitoring-contributor), for example. | | Unlink the Automation account | `Microsoft.OperationalInsights/workspaces/linkedServices/delete` permissions on the linked Log Analytics workspace, as provided by the [Log Analytics Contributor built-in role](./manage-access.md#log-analytics-contributor), for example. |
Consider these points before you move a Log Analytics workspace:
> - Custom scripting >
-## Verify the Azure Active Directory tenant
-The workspace source and destination subscriptions must exist within the same Azure Active Directory tenant. Use Azure PowerShell to verify that both subscriptions have the same tenant ID.
+<a name='verify-the-azure-active-directory-tenant'></a>
+
+## Verify the Microsoft Entra tenant
+The workspace source and destination subscriptions must exist within the same Microsoft Entra tenant. Use Azure PowerShell to verify that both subscriptions have the same tenant ID.
### [Portal](#tab/azure-portal)
-[Find your Azure AD tenant](../../azure-portal/get-subscription-tenant-id.md#find-your-azure-ad-tenant) for the source and destination subscriptions.
+[Find your Microsoft Entra tenant](../../azure-portal/get-subscription-tenant-id.md#find-your-azure-ad-tenant) for the source and destination subscriptions.
### [REST API](#tab/rest-api)
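Review bot: The Portal tab's link `../../azure-portal/get-subscription-tenant-id.md#find-your-azure-ad-tenant` relies on the old slug surviving in that file, in the same way the `<a name='verify-the-azure-active-directory-tenant'></a>` tag added here preserves this article's old slug; confirm that file got the same treatment. The permission string `Microsoft.AzureActiveDirectory/b2cDirectories/read` in the table is a resource provider name and is correctly left as is.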
azure-monitor Notebooks Azure Monitor Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/notebooks-azure-monitor-logs.md
In this tutorial, you use these tools:
| Tool | Description | | | | |[Azure Monitor Query client library](/python/api/overview/azure/monitor-query-readme) |Lets you run read-only queries on data in Azure Monitor Logs. |
-|[Azure Identity client library](/python/api/overview/azure/identity-readme)|Enables Azure SDK clients to authenticate with Azure Active Directory.|
+|[Azure Identity client library](/python/api/overview/azure/identity-readme)|Enables Azure SDK clients to authenticate with Microsoft Entra ID.|
|[Azure Monitor Ingestion client library](/python/api/overview/azure/monitor-ingestion-readme)| Lets you send custom logs to Azure Monitor using the Logs Ingestion API. Required to [ingest analyzed data into a custom table in your Log Analytics workspace (optional)](#4-ingest-analyzed-data-into-a-custom-table-in-your-log-analytics-workspace-optional)| |[Data collection rule](../essentials/data-collection-rule-overview.md), [data collection endpoint](../essentials/data-collection-endpoint-overview.md), and a [registered application](../logs/tutorial-logs-ingestion-portal.md#create-azure-ad-application) | Required to [ingest analyzed data into a custom table in your Log Analytics workspace (optional)](#4-ingest-analyzed-data-into-a-custom-table-in-your-log-analytics-workspace-optional) |
Set up your notebook to query your Log Analytics workspace:
logs_query_client = LogsQueryClient(credential, authentication_policy=authentication_policy) ```
- `LogsQueryClient` typically only supports authentication with Azure Active Directory (Azure AD) token credentials. However, we can pass a custom authentication policy to enable the use of API keys. This allows the client to [query the demo workspace](../logs/api/access-api.md#authenticate-with-a-demo-api-key). The availability and access to this demo workspace is subject to change, so we recommend using your own Log Analytics workspace.
+ `LogsQueryClient` typically only supports authentication with Microsoft Entra token credentials. However, we can pass a custom authentication policy to enable the use of API keys. This allows the client to [query the demo workspace](../logs/api/access-api.md#authenticate-with-a-demo-api-key). The availability and access to this demo workspace is subject to change, so we recommend using your own Log Analytics workspace.
1. Define a helper function, called `query_logs_workspace`, to run a given query in the Log Analytics workspace and return the results as a Pandas DataFrame.
For an example of how to implement machine learning techniques to analyze data i
Send your analysis results to a custom table in your Log Analytics workspace to trigger alerts or to make them available for further analysis.
-1. To send data to your Log Analytics workspace, you need a custom table, data collection endpoint, data collection rule, and a registered Azure Active Directory application with permission to use the data collection rule, as explained in [Tutorial: Send data to Azure Monitor Logs with Logs ingestion API (Azure portal)](../logs/tutorial-logs-ingestion-portal.md).
+1. To send data to your Log Analytics workspace, you need a custom table, data collection endpoint, data collection rule, and a registered Microsoft Entra application with permission to use the data collection rule, as explained in [Tutorial: Send data to Azure Monitor Logs with Logs ingestion API (Azure portal)](../logs/tutorial-logs-ingestion-portal.md).
When you create your custom table:
azure-monitor Personal Data Mgmt https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/personal-data-mgmt.md
Log Analytics prescribes a schema to your data, but allows you to override every
| summarize numNonObfuscatedIPs_24h = count() by $table ```
-* **User IDs**: By default, Application Insights uses randomly generated IDs for user and session tracking in fields such as *session_Id*, *user_Id*, *user_AuthenticatedId*, *user_AccountId*, and *customDimensions*. However, it's common to override these fields with an ID that's more relevant to the application, such as usernames or Azure Active Directory GUIDs. These IDs are often considered to be personal data. We recommend obfuscating or anonymizing these IDs.
+* **User IDs**: By default, Application Insights uses randomly generated IDs for user and session tracking in fields such as *session_Id*, *user_Id*, *user_AuthenticatedId*, *user_AccountId*, and *customDimensions*. However, it's common to override these fields with an ID that's more relevant to the application, such as usernames or Microsoft Entra GUIDs. These IDs are often considered to be personal data. We recommend obfuscating or anonymizing these IDs.
* **Custom data**: Application Insights allows you to append a set of custom dimensions to any data type. Use the following query to identify custom dimensions collected in the last 24 hours: ``` search *
azure-monitor Query Audit https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/query-audit.md
An audit record is created each time a query is run. If you send the data to a L
|:|:| | TimeGenerated | UTC time when query was submitted. | | CorrelationId | Unique ID to identify the query. Can be used in troubleshooting scenarios when contacting Microsoft for assistance. |
-| AADObjectId | Azure Active Directory ID of the user account that started the query. |
+| AADObjectId | Microsoft Entra ID of the user account that started the query. |
| AADTenantId | ID of the tenant of the user account that started the query. | | AADEmail | Email of the tenant of the user account that started the query. | | AADClientId | ID and resolved name of the application used to start the query. |
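Review bot: `Microsoft Entra ID of the user account` is ambiguous now that `Microsoft Entra ID` is the product name, so the cell reads as "the product of the user account"; for the `AADObjectId` column the precise wording is `Microsoft Entra object ID of the user account`. The `AADEmail` row in the unchanged context also says `Email of the tenant of the user account`, which looks like a copy of the tenant row and should read `Email of the user account that started the query`.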
azure-monitor Set Up Logs Ingestion Api Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/set-up-logs-ingestion-api-prerequisites.md
The script creates these resources, if they don't already exist:
You probably already have a Log Analytics workspace, in which case, provide the workspace details so the script sets up the other resources in the same region as the workspace. -- An Azure AD application to authenticate against the API and:
- - A service principal on the Azure AD application
- - A secret for the Azure AD application
+- A Microsoft Entra application to authenticate against the API and:
+ - A service principal on the Microsoft Entra application
+ - A secret for the Microsoft Entra application
- A data collection endpoint (DCE) and a resource group for the data collection endpoint, in same region as Log Analytics workspace, to receive data. - A resource group for data collection rules (DCR) in the same region as the Log Analytics workspace.
$VerbosePreference = "SilentlyContinue" # "Continue"
- [Learn more about data collection rules](../essentials/data-collection-rule-overview.md) - [Learn more about writing transformation queries](../essentials//data-collection-transformations.md)-
azure-monitor Tutorial Logs Ingestion Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/tutorial-logs-ingestion-api.md
The [Logs Ingestion API](logs-ingestion-api-overview.md) in Azure Monitor allows
The steps required to configure the Logs ingestion API are as follows:
-1. [Create an Azure AD application](#create-azure-ad-application) to authenticate against the API.
+1. [Create a Microsoft Entra application](#create-azure-ad-application) to authenticate against the API.
3. [Create a data collection endpoint (DCE)](#create-data-collection-endpoint) to receive data. 2. [Create a custom table in a Log Analytics workspace](#create-new-table-in-log-analytics-workspace). This is the table you'll be sending data to. 4. [Create a data collection rule (DCR)](#create-data-collection-rule) to direct the data to the target table.
Go to your workspace in the **Log Analytics workspaces** menu in the Azure porta
:::image type="content" source="media/tutorial-logs-ingestion-api/workspace-resource-id.png" lightbox="media/tutorial-logs-ingestion-api/workspace-resource-id.png" alt-text="Screenshot that shows the workspace resource ID.":::
-## Create Azure AD application
-Start by registering an Azure Active Directory application to authenticate against the API. Any Resource Manager authentication scheme is supported, but this tutorial follows the [Client Credential Grant Flow scheme](../../active-directory/develop/v2-oauth2-client-creds-grant-flow.md).
+<a name='create-azure-ad-application'></a>
-1. On the **Azure Active Directory** menu in the Azure portal, select **App registrations** > **New registration**.
+## Create Microsoft Entra application
+Start by registering a Microsoft Entra application to authenticate against the API. Any Resource Manager authentication scheme is supported, but this tutorial follows the [Client Credential Grant Flow scheme](../../active-directory/develop/v2-oauth2-client-creds-grant-flow.md).
+
+1. On the **Microsoft Entra ID** menu in the Azure portal, select **App registrations** > **New registration**.
:::image type="content" source="media/tutorial-logs-ingestion-portal/new-app-registration.png" lightbox="media/tutorial-logs-ingestion-portal/new-app-registration.png" alt-text="Screenshot that shows the app registration screen.":::
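Review bot: the `<a name='create-azure-ad-application'></a>` stub keeps the step-1 link `#create-azure-ad-application` resolving after the heading becomes "Create Microsoft Entra application", but the in-article link should move to the new heading slug and the stub should stay only for legacy inbound links, otherwise the old fragment becomes the permanent target. This hunk also introduces the client-credentials flow and is the place to state what credential the app will hold: a client secret or a certificate, with a certificate (or a managed identity when the caller runs in Azure) preferred over a secret in production, and the secret value kept out of the tutorial script and source control.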
azure-monitor Tutorial Logs Ingestion Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/tutorial-logs-ingestion-code.md
The following script uses the [Azure Monitor Ingestion client library for .NET](
dotnet add package Azure.Monitor.Ingestion ```
-3. Create the following environment variables with values for your Microsoft Entra ID application. These values are used by `DefaultAzureCredential` in the Azure Identity library.
+3. Create the following environment variables with values for your Microsoft Entra application. These values are used by `DefaultAzureCredential` in the Azure Identity library.
- `AZURE_TENANT_ID` - `AZURE_CLIENT_ID`
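Review bot: the variable list under step 3 shows only `AZURE_TENANT_ID` and `AZURE_CLIENT_ID`; `DefaultAzureCredential` takes its `EnvironmentCredential` path only when a credential is present as well (`AZURE_CLIENT_SECRET`, or `AZURE_CLIENT_CERTIFICATE_PATH` for a certificate), so confirm that variable follows and add a sentence that the value is sensitive and should be supplied from a secret store or the shell environment, not a committed `.env` file. It is also worth noting that on an Azure-hosted client these variables can be omitted entirely and `DefaultAzureCredential` falls through to the managed identity. The same comment applies to the identical Go, Java, JavaScript and Python steps below.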
The following sample code uses the [Azure Monitor Ingestion client module for Go
go get github.com/Azure/azure-sdk-for-go/sdk/azidentity ```
-1. Create the following environment variables with values for your Microsoft Entra ID application. These values are used by `DefaultAzureCredential` in the Azure Identity module.
+1. Create the following environment variables with values for your Microsoft Entra application. These values are used by `DefaultAzureCredential` in the Azure Identity module.
- `AZURE_TENANT_ID` - `AZURE_CLIENT_ID`
The following sample code uses the [Azure Monitor Ingestion client library for J
</dependency> ```
-1. Create the following environment variables with values for your Microsoft Entra ID application. These values are used by `DefaultAzureCredential` in the Azure Identity library.
+1. Create the following environment variables with values for your Microsoft Entra application. These values are used by `DefaultAzureCredential` in the Azure Identity library.
- `AZURE_TENANT_ID` - `AZURE_CLIENT_ID`
The following sample code uses the [Azure Monitor Ingestion client library for J
npm install --save @azure/identity ```
-1. Create the following environment variables with values for your Microsoft Entra ID application. These values are used by `DefaultAzureCredential` in the Azure Identity library.
+1. Create the following environment variables with values for your Microsoft Entra application. These values are used by `DefaultAzureCredential` in the Azure Identity library.
- `AZURE_TENANT_ID` - `AZURE_CLIENT_ID`
The following sample code uses the [Azure Monitor Ingestion client library for P
pip install azure-identity ```
-1. Create the following environment variables with values for your Microsoft Entra ID application. These values are used by `DefaultAzureCredential` in the Azure Identity library.
+1. Create the following environment variables with values for your Microsoft Entra application. These values are used by `DefaultAzureCredential` in the Azure Identity library.
- `AZURE_TENANT_ID` - `AZURE_CLIENT_ID`
The cache that drives IntelliSense might take up to 24 hours to update.
- [Learn more about data collection rules](../essentials/data-collection-rule-overview.md) - [Learn more about writing transformation queries](../essentials//data-collection-transformations.md)-
azure-monitor Tutorial Logs Ingestion Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/tutorial-logs-ingestion-portal.md
The [Logs Ingestion API](logs-ingestion-api-overview.md) in Azure Monitor allows
The steps required to configure the Logs ingestion API are as follows:
-1. [Create an Azure AD application](#create-azure-ad-application) to authenticate against the API.
+1. [Create a Microsoft Entra application](#create-azure-ad-application) to authenticate against the API.
3. [Create a data collection endpoint (DCE)](#create-data-collection-endpoint) to receive data. 2. [Create a custom table in a Log Analytics workspace](#create-new-table-in-log-analytics-workspace). This is the table you'll be sending data to. As part of this process, you will create a data collection rule (DCR) to direct the data to the target table. 5. [Give the AD application access to the DCR](#assign-permissions-to-the-dcr).
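Review bot: step 5 in this same list still reads "Give the AD application access to the DCR" while step 1 was renamed to "Microsoft Entra application"; rename step 5 as well, and check that the `#assign-permissions-to-the-dcr` section heading uses the same term, so one numbered list does not mix both names.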
In this tutorial, you'll use a PowerShell script to send sample Apache access lo
After the configuration is finished, you'll send sample data from the command line, and then inspect the results in Log Analytics.
-## Create Azure AD application
-Start by registering an Azure Active Directory application to authenticate against the API. Any Resource Manager authentication scheme is supported, but this tutorial will follow the [Client Credential Grant Flow scheme](../../active-directory/develop/v2-oauth2-client-creds-grant-flow.md).
+<a name='create-azure-ad-application'></a>
-1. On the **Azure Active Directory** menu in the Azure portal, select **App registrations** > **New registration**.
+## Create Microsoft Entra application
+Start by registering a Microsoft Entra application to authenticate against the API. Any Resource Manager authentication scheme is supported, but this tutorial will follow the [Client Credential Grant Flow scheme](../../active-directory/develop/v2-oauth2-client-creds-grant-flow.md).
+
+1. On the **Microsoft Entra ID** menu in the Azure portal, select **App registrations** > **New registration**.
:::image type="content" source="media/tutorial-logs-ingestion-portal/new-app-registration.png" lightbox="media/tutorial-logs-ingestion-portal/new-app-registration.png" alt-text="Screenshot that shows the app registration screen.":::
azure-monitor Workspace Design https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/logs/workspace-design.md
In a distributed architecture, a Log Analytics workspace is created in each Azur
There are two options to allow service provider administrators to access the workspaces in the customer tenants: -- Use [Azure Lighthouse](../../lighthouse/overview.md) to access each customer tenant. The service provider administrators are included in an Azure Active Directory (Azure AD) user group in the service provider's tenant. This group is granted access during the onboarding process for each customer. The administrators can then access each customer's workspaces from within their own service provider tenant instead of having to sign in to each customer's tenant individually. For more information, see [Monitor customer resources at scale](../../lighthouse/how-to/monitor-at-scale.md).-- Add individual users from the service provider as [Azure AD guest users (B2B)](../../active-directory/external-identities/what-is-b2b.md). The customer tenant administrators manage individual access for each service provider administrator. The service provider administrators must sign in to the directory for each tenant in the Azure portal to access these workspaces.
+- Use [Azure Lighthouse](../../lighthouse/overview.md) to access each customer tenant. The service provider administrators are included in a Microsoft Entra user group in the service provider's tenant. This group is granted access during the onboarding process for each customer. The administrators can then access each customer's workspaces from within their own service provider tenant instead of having to sign in to each customer's tenant individually. For more information, see [Monitor customer resources at scale](../../lighthouse/how-to/monitor-at-scale.md).
+- Add individual users from the service provider as [Microsoft Entra guest users (B2B)](../../active-directory/external-identities/what-is-b2b.md). The customer tenant administrators manage individual access for each service provider administrator. The service provider administrators must sign in to the directory for each tenant in the Azure portal to access these workspaces.
Advantages to this strategy:
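Review bot: the Lighthouse bullet says the service-provider group "is granted access during the onboarding process" but not which Azure role or at what scope; because that delegation persists across every onboarded customer, suggest naming a least-privilege built-in role (for example Log Analytics Reader scoped to the workspace resource group) and mentioning that Azure Lighthouse supports eligible authorizations with Privileged Identity Management, which avoids standing access to customer workspaces. The B2B bullet could likewise note that guest access is managed per customer tenant and should be reviewed periodically.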
azure-monitor Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/overview.md
Azure Monitor collects these types of data:
||--| |App/Workloads |**App**- Application performance, health, and activity data. <br/><br/>**Workloads** - IaaS workloads such as SQL server, Oracle or SAP running on a hosted Virtual Machine.| |Infrastructure|**Container** - Data about containers, such as [Azure Kubernetes Service](../aks/intro-kubernetes.md), [Prometheus](./essentials/prometheus-metrics-overview.md), and the applications running inside containers.<br><br>**Operating system** - Data about the guest operating system on which your application is running.|
-|Azure Platform|**Azure resource** - Data about the operation of an Azure resource from inside the resource, including changes. Resource Logs are one example. <br><br>**Azure subscription** - The operation and management of an Azure subscription, and data about the health and operation of Azure itself. The activity log is one example.<br><br>**Azure tenant** - Data about the operation of tenant-level Azure services, such as Azure Active Directory.<br> |
+|Azure Platform|**Azure resource** - Data about the operation of an Azure resource from inside the resource, including changes. Resource Logs are one example. <br><br>**Azure subscription** - The operation and management of an Azure subscription, and data about the health and operation of Azure itself. The activity log is one example.<br><br>**Azure tenant** - Data about the operation of tenant-level Azure services, such as Microsoft Entra ID.<br> |
|Custom Sources| Data which gets into the system using the <br/> - Azure Monitor REST API <br/> - Data Collection API | For detailed information about each of the data sources, see [data sources](./data-sources.md).
azure-monitor Partners https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/partners.md
Furthermore, Dynatrace is also available as a native solution integrated into Mi
The Azure Native Dynatrace Service gives Microsoft Azure customers a seamless experience for Dynatrace automatic and intelligent observability and runtime application security in and from Azure. The benefits of this native integration include: - Integrated onboarding: You can provision Dynatrace and manage the integration through the Azure Marketplace and Portal. The seamless onboarding experience sets up Dynatrace automatically. -- Single sign-on: You can easily enable SSO through Azure Active Directory.
+- Single sign-on: You can easily enable SSO through Microsoft Entra ID.
- Metrics and logs: You can enable the collection of metrics and logs for Virtual Machine (VM) and App Services resources by installing Dynatrace OneAgent on those resources. Furthermore, you can activate the sending of Azure [subscription activity logs](./essentials/activity-log-schema.md) and [resource logs](./essentials/resource-logs-categories.md) to Dynatrace. - OneAgent deployment: You can install or uninstall Dynatrace OneAgents on single or multiple virtual machines and Azure App Services directly from your Azure Portal. - Manage Dynatrace within Azure portal: Within your Azure Portal, you can verify which resources are sending Azure metrics and logs to Dynatrace and make instant changes as needed.
azure-monitor Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/policy-reference.md
Title: Built-in policy definitions for Azure Monitor. Description: Lists Azure Policy built-in policy definitions for Azure Monitor. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated: 09/19/2023. Last updated: 10/10/2023.
azure-monitor Profiler Bring Your Own Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler-bring-your-own-storage.md
In this guide, you learn how to:
## Grant Diagnostic Services access to your storage account
-A BYOS storage account is linked to an Application Insights resource. Start by granting the `Storage Blob Data Contributor` role to the Azure Active Directory (Azure AD) application named `Diagnostic Services Trusted Storage Access` via the [Access Control (IAM)](../../role-based-access-control/role-assignments-portal.md) page in your storage account.
+A BYOS storage account is linked to an Application Insights resource. Start by granting the `Storage Blob Data Contributor` role to the Microsoft Entra application named `Diagnostic Services Trusted Storage Access` via the [Access Control (IAM)](../../role-based-access-control/role-assignments-portal.md) page in your storage account.
1. Select **Access control (IAM)**.
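Review bot: `Storage Blob Data Contributor` gives the `Diagnostic Services Trusted Storage Access` principal read, write and delete on every container in the account, not just the profiler container; the sentence should say the assignment is made at the storage-account scope (which the IAM page of the account implies) and recommend a dedicated storage account for BYOS so that a first-party principal never receives write access to unrelated blob data.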
This section provides answers to common questions about configuring BYOS for Pro
## Next steps - [Learn more about Application Insights Profiler](./profiler-overview.md)-- [Learn more about Snapshot Debugger](../snapshot-debugger/snapshot-debugger.md)
+- [Learn more about Snapshot Debugger](../snapshot-debugger/snapshot-debugger.md)
azure-monitor Profiler https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/profiler/profiler.md
Currently, the only regions that require endpoint modifications are [Azure Gover
|ApplicationInsightsProfilerEndpoint | `https://profiler.monitor.azure.us` | `https://profiler.monitor.azure.cn` | |ApplicationInsightsEndpoint | `https://dc.applicationinsights.us` | `https://dc.applicationinsights.azure.cn` |
-## Enable Azure Active Directory authentication for profile ingestion
+<a name='enable-azure-active-directory-authentication-for-profile-ingestion'></a>
-Application Insights Profiler supports Azure Active Directory (Azure AD) authentication for profile ingestion. For all profiles of your application to be ingested, your application must be authenticated and provide the required application settings to the Profiler agent.
+## Enable Microsoft Entra authentication for profile ingestion
-Profiler only supports Azure AD authentication when you reference and configure Azure AD by using the [Application Insights SDK](../app/asp-net-core.md#configure-the-application-insights-sdk) in your application.
+Application Insights Profiler supports Microsoft Entra authentication for profile ingestion. For all profiles of your application to be ingested, your application must be authenticated and provide the required application settings to the Profiler agent.
-To enable Azure AD for profile ingestion:
+Profiler only supports Microsoft Entra authentication when you reference and configure Microsoft Entra ID by using the [Application Insights SDK](../app/asp-net-core.md#configure-the-application-insights-sdk) in your application.
+
+To enable Microsoft Entra ID for profile ingestion:
1. Create and add the managed identity to authenticate against your Application Insights resource to your App Service:
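Review bot: the new heading enables "Microsoft Entra authentication", but the body now says "configure Microsoft Entra ID by using the Application Insights SDK" and "To enable Microsoft Entra ID for profile ingestion"; what the SDK configures and the steps enable is the authentication, not the directory service, so "configure Microsoft Entra authentication" and "To enable Microsoft Entra authentication for profile ingestion" read correctly in both places.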
To enable Azure AD for profile ingestion:
1. [User-assigned managed identity documentation](../../app-service/overview-managed-identity.md?tabs=portal%2chttp#add-a-user-assigned-identity)
-1. [Configure and enable Azure AD](../app/azure-ad-authentication.md?tabs=net#configure-and-enable-azure-ad-based-authentication) in your Application Insights resource.
+1. [Configure and enable Microsoft Entra ID](../app/azure-ad-authentication.md?tabs=net#configure-and-enable-azure-ad-based-authentication) in your Application Insights resource.
1. Add the following application setting to let the Profiler agent know which managed identity to use.
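Review bot: the renamed link text "Configure and enable Microsoft Entra ID" still targets `azure-ad-authentication.md#configure-and-enable-azure-ad-based-authentication`; if that article's heading was renamed in the same sweep, confirm it kept an `<a name>` stub for this fragment, otherwise the step lands at the top of the page. The Snapshot Debugger article below uses the same fragment and needs the same check.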
azure-monitor Snapshot Debugger App Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/snapshot-debugger/snapshot-debugger-app-service.md
Currently the only regions that require endpoint modifications are [Azure Govern
For more information about other connection overrides, see [Application Insights documentation](../app/sdk-connection-string.md?tabs=net#connection-string-with-explicit-endpoint-overrides).
-## Enable Azure Active Directory authentication for snapshot ingestion
+<a name='enable-azure-active-directory-authentication-for-snapshot-ingestion'></a>
-Application Insights Snapshot Debugger supports Azure AD authentication for snapshot ingestion. This means, for all snapshots of your application to be ingested, your application must be authenticated and provide the required application settings to the Snapshot Debugger agent.
+## Enable Microsoft Entra authentication for snapshot ingestion
-As of today, Snapshot Debugger only supports Azure AD authentication when you reference and configure Azure AD using the Application Insights SDK in your application.
+Application Insights Snapshot Debugger supports Microsoft Entra authentication for snapshot ingestion. This means, for all snapshots of your application to be ingested, your application must be authenticated and provide the required application settings to the Snapshot Debugger agent.
-To turn-on Azure AD for snapshot ingestion:
+As of today, Snapshot Debugger only supports Microsoft Entra authentication when you reference and configure Microsoft Entra ID using the Application Insights SDK in your application.
+
+To turn-on Microsoft Entra ID for snapshot ingestion:
1. Create and add the managed identity you want to use to authenticate against your Application Insights resource to your App Service.
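Review bot: "To turn-on Microsoft Entra ID for snapshot ingestion" uses the noun form as a verb and, as in the Profiler article, names the directory rather than the authentication being enabled; "To turn on Microsoft Entra authentication for snapshot ingestion" matches the new heading. "As of today" in the preceding sentence dates the page; "Currently" or a minimum SDK version is more durable.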
To turn-on Azure AD for snapshot ingestion:
1. For User-Assigned Managed identity, see the following [documentation](../../app-service/overview-managed-identity.md?tabs=portal%2chttp#add-a-user-assigned-identity).
-1. Configure and turn on Azure AD in your Application Insights resource. For more information, see the following [documentation](../app/azure-ad-authentication.md?tabs=net#configure-and-enable-azure-ad-based-authentication)
+1. Configure and turn on Microsoft Entra ID in your Application Insights resource. For more information, see the following [documentation](../app/azure-ad-authentication.md?tabs=net#configure-and-enable-azure-ad-based-authentication)
1. Add the following application setting, used to let Snapshot Debugger agent know which managed identity to use: For System-Assigned Identity:
azure-monitor Snapshot Debugger https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/snapshot-debugger/snapshot-debugger.md
A point release to revert a breaking change introduced in 1.4.0.
Fixed [Method not found in WebJobs](https://github.com/microsoft/ApplicationInsights-SnapshotCollector/issues/15). ### [1.4.0](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.4.0)
-Addressed multiple improvements and added support for Azure Active Directory (Azure AD) authentication for Application Insights ingestion.
+Addressed multiple improvements and added support for Microsoft Entra authentication for Application Insights ingestion.
#### Changes - Reduced Snapshot Collector package size by 60% from 10.34 MB to 4.11 MB.
Addressed multiple improvements and added support for Azure Active Directory (Az
- Used `System.Diagnostics.Process` in Snapshot Collector and Snapshot Uploader. #### New features
-Added Azure AD authentication to `SnapshotCollector`. To learn more about Azure AD authentication in Application Insights, see [Azure AD authentication for Application Insights](../app/azure-ad-authentication.md).
+Added Microsoft Entra authentication to `SnapshotCollector`. To learn more about Microsoft Entra authentication in Application Insights, see [Microsoft Entra authentication for Application Insights](../app/azure-ad-authentication.md).
### [1.3.7.5](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector/1.3.7.5) A point release to backport a fix from 1.4.0-pre.
azure-monitor Grafana Plugin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/grafana-plugin.md
Follow these steps to set up Grafana.
### Set up Azure Managed Grafana Azure Managed Grafana is optimized for the Azure environment and works seamlessly with Azure Monitor. You can: -- Manage user authentication and access control by using Azure Active Directory identities.
+- Manage user authentication and access control by using Microsoft Entra identities.
- Pin charts from the Azure portal directly to Azure Managed Grafana dashboards. Use this [quickstart guide](../../managed-grafan) to create an Azure Managed Grafana workspace by using the Azure portal.
If you're hosting Grafana on your own Azure Virtual Machines or Azure App Servic
### Use app registration
-1. Create a service principal. Grafana uses an Azure Active Directory service principal to connect to Azure Monitor APIs and collect data. You must create, or use an existing service principal, to manage access to your Azure resources:
- * See [Create an Azure AD app and service principal in the portal](../../active-directory/develop/howto-create-service-principal-portal.md) to create a service principal. Copy and save your tenant ID (Directory ID), client ID (Application ID), and client secret (Application key value).
- * View [Assign application to role](../../active-directory/develop/howto-create-service-principal-portal.md) to assign the [Monitoring Reader role](../roles-permissions-security.md) to the Azure Active Directory application on the subscription, resource group, or resource you want to monitor.
+1. Create a service principal. Grafana uses a Microsoft Entra service principal to connect to Azure Monitor APIs and collect data. You must create, or use an existing service principal, to manage access to your Azure resources:
+ * See [Create a Microsoft Entra app and service principal in the portal](../../active-directory/develop/howto-create-service-principal-portal.md) to create a service principal. Copy and save your tenant ID (Directory ID), client ID (Application ID), and client secret (Application key value).
+ * View [Assign application to role](../../active-directory/develop/howto-create-service-principal-portal.md) to assign the [Monitoring Reader role](../roles-permissions-security.md) to the Microsoft Entra application on the subscription, resource group, or resource you want to monitor.
1. Provide the connection details you want to use: * When you configure the plug-in, you can indicate which Azure Cloud you want the plug-in to monitor: Public, Azure US Government, Azure Germany, or Microsoft Azure operated by 21Vianet. > [!NOTE] > Some data source fields are named differently than their correlated Azure settings: > * Tenant ID is the Azure Directory ID.
- > * Client ID is the Azure Active Directory Application ID.
- > * Client Secret is the Azure Active Directory Application key value.
+ > * Client ID is the Microsoft Entra Application ID.
+ > * Client Secret is the Microsoft Entra Application key value.
1. Select **Save & test** and Grafana will test the credentials. You should see a message similar to the following one.
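Review bot: both sub-bullets link to the same article, `howto-create-service-principal-portal.md`, once for creating the service principal and once for assigning Monitoring Reader; the second link needs a section fragment or the reader is sent to the top of the page twice. The hunk header also says this path applies to Grafana hosted on your own Azure VMs or App Service, where a managed identity is available; a sentence pointing to that option would avoid creating and storing the client secret (the "Application key value" the step asks the reader to copy and save), and the Monitoring Reader assignment should be at the narrowest scope the dashboards actually query.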
azure-monitor Workbooks Automate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/visualize/workbooks-automate.md
Two types of workbook resources can be managed programmatically:
| Usage in Application Insights | `microsoft.insights/components` | `usage` | | Workbooks in Kubernetes service | `Microsoft.ContainerService/managedClusters` | `workbook` | | Workbooks in resource groups | `microsoft.resources/subscriptions/resourcegroups` | `workbook` |
-| Workbooks in Azure Active Directory | `microsoft.aadiam/tenant` | `workbook` |
+| Workbooks in Microsoft Entra ID | `microsoft.aadiam/tenant` | `workbook` |
| VM Insights in virtual machines | `microsoft.compute/virtualmachines` | `insights` | | VM Insights in virtual machine scale sets | `microsoft.compute/virtualmachinescalesets` | `insights` |
azure-monitor Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-monitor/whats-new.md
Title: "What's new in Azure Monitor documentation"
Description: "What's new in Azure Monitor documentation". Previously updated: 06/06/2023. Last updated: 10/11/2023.
This article lists significant changes to Azure Monitor documentation.
> > !["An rss icon"](./media//whats-new/rss.png) https://aka.ms/azmon/rss
+## September 2023
+
+|Subservice | Article | Description |
+||||
+Agents|[Define Azure Monitor Agent network settings](agents/azure-monitor-agent-data-collection-endpoint.md)|Added an example of Azure Monitor Agent deployment with an Azure Resource Manager policy template.|
+Agents|[Migrate to Azure Monitor Agent from Log Analytics agent](agents/azure-monitor-agent-migration.md)|VM Insights with Azure Monitor Agent is now generally available.|
+Alerts|[Manage your alert instances](alerts/alerts-manage-alert-instances.md)|Updated documentation to clarify that Azure Monitor alerts are stored for 30 days and are deleted after the 30-day retention period. For stateful alerts, while the alert itself is deleted after 30 days, and isn't viewable on the alerts page, the alert condition is stored until the alert is resolved, to prevent firing another alert, and so that notifications can be sent when the alert is resolved.|
+Alerts|[Troubleshooting problems in Azure Monitor alerts](alerts/alerts-troubleshoot.md)|Added a new article describing the process for migrating from the alertsSummary API, which is being deprecated in September 2026. You can use Azure Resource Graph's functionality to get the same information returned by the alertsSummary API.|
+Alerts|[Troubleshoot log alerts in Azure Monitor](alerts/alerts-troubleshoot-log.md)|Added clarification about the limitations of the override time query setting when creating a new alert rule. The alert time range is limited to a maximum of two days, no matter what override time is set in the query.|
+Application-Insights|[Migrate availability tests](app/availability-test-migration.md)|Updated PowerShell script for quick migration of URL Ping Tests to Standard Tests.|
+Application-Insights|[Application Insights overview](app/app-insights-overview.md)|We've updated the Supported Languages section to provide more information about the OpenTelemetry Distro.|
+Application-Insights|[Migrating from OpenCensus Python SDK and Azure Monitor OpenCensus exporter for Python to Azure Monitor OpenTelemetry Python Distro](app/opentelemetry-python-opencensus-migrate.md)|Follow this guide to migrate Python apps from OpenCensus solutions to the OpenTelemetry Distro.|
+Application-Insights|[Enable Azure Monitor OpenTelemetry for .NET, Node.js, Python and Java applications](app/opentelemetry-enable.md)|The OpenTelemetry Distro is fully released and generally available for Node.js, Python, and Java. An OpenTelemetry Exporter is also released and generally available for .NET and .NET Core.|
+Application-Insights|[What is autoinstrumentation for Azure Monitor Application Insights?](app/codeless-overview.md)|Automatic instrumentation, which enables Application Insights without code changes, is now released and generally available for App Service on Linux - Publish as Docker.|
+Containers|[Migrate from ContainerLog to ContainerLogV2](containers/container-insights-v2-migration.md)|New article.|
+Containers|[Configure remote write for Azure managed service for Prometheus using Azure Active Directory workload identity (preview)](containers/prometheus-remote-write-azure-workload-identity.md)|New article Configure remote write for Azure Monitor managed service …|
+Essentials|[Migrate from diagnostic settings storage retention to Azure Storage lifecycle management](essentials/migrate-to-azure-storage-lifecycle-policy.md)|Added CLI and template tabs showing storage lifecycle setting.|
+General|[Plan your alerts and automated actions](alerts/alerts-plan.md)|Add alerts best practices article|
+General|[Azure Monitor cost and usage](usage-estimated-costs.md)|Updated information about the Cost Analysis usage report which contains both the cost for your usage, and the number of units of usage. You can use this export to see the amount of benefit you're receiving from various offers such as the [Defender for Servers data allowance](logs/cost-logs.md#workspaces-with-microsoft-defender-for-cloud) and the [Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers](https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/). |
+Logs|[Send log data to Azure Monitor by using the HTTP Data Collector API (deprecated)](logs/data-collector-api.md)|Added deprecation notice.|
+Logs|[Azure Monitor Logs overview](logs/data-platform-logs.md)|Added code samples for the Azure Monitor Ingestion client module for Go.|
+Logs|[Set a table's log data plan to Basic or Analytics](logs/basic-logs-configure.md)|Added new Virtual Network Manager, Dev Center, and Communication Services tables that now support Basic logs.|
+ ## August 2023 |Subservice| Article | Description |
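Review bot: the Containers row for `prometheus-remote-write-azure-workload-identity.md` still titles the article "... using Azure Active Directory workload identity (preview)" while every other change in this set moves to Microsoft Entra naming; align it (the feature is Microsoft Entra Workload ID) or confirm the target article keeps the old title. That row's description also ends in "…" and should be completed. The Alerts row for `alerts-troubleshoot.md` describes a new article on migrating from the alertsSummary API, which does not match the linked article's title; check that the link points at the new article rather than the troubleshooting page.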
azure-portal Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-portal/policy-reference.md
Title: Built-in policy definitions for Azure portal. Description: Lists Azure Policy built-in policy definitions for Azure portal. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated: 09/19/2023. Last updated: 10/10/2023.
azure-resource-manager File https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/bicep/file.md
For more information, see [Use Bicep modules](./modules.md).
## Resource and module decorators
-You can add a decorator to a resource or module definition. The only supported decorator is `batchSize(int)`. You can only apply it to a resource or module definition that uses a `for` expression.
+You can add a decorator to a resource or module definition. The supported decorators are `batchSize(int) and description. You can only apply it to a resource or module definition that uses a `for` expression.
By default, resources are deployed in parallel. When you add the `batchSize` decorator, you deploy instances serially.
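Review bot: the added sentence has an unbalanced backtick (`batchSize(int) and description.` opens a code span and never closes it), and "You can only apply it to a resource or module definition that uses a `for` expression" now has two possible antecedents although only `batchSize` is restricted to loops. Suggest: "The supported decorators are `batchSize(int)` and `description`. You can only apply `batchSize` to a resource or module definition that uses a `for` expression."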
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/custom-providers/policy-reference.md
Title: Built-in policy definitions for Azure Custom Resource Providers. Description: Lists Azure Policy built-in policy definitions for Azure Custom Resource Providers. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated: 09/19/2023. Last updated: 10/10/2023.
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/managed-applications/policy-reference.md
Title: Built-in policy definitions for Azure Managed Applications. Description: Lists Azure Policy built-in policy definitions for Azure Managed Applications. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated: 09/19/2023. Last updated: 10/10/2023.
azure-resource-manager Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-resource-manager/management/policy-reference.md
Title: Built-in policy definitions for Azure Resource Manager. Description: Lists Azure Policy built-in policy definitions for Azure Resource Manager. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated: 09/19/2023. Last updated: 10/10/2023.
azure-signalr Concept Connection String https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/concept-connection-string.md
The local auth method is used when `AuthType` is set to null.
### Use Microsoft Entra ID
-The Microsoft Entra ID auth method is used when `AuthType` is set to `azure`, `azure.app` or `azure.msi`.
+The Microsoft Entra auth method is used when `AuthType` is set to `azure`, `azure.app` or `azure.msi`.
| Key | Description | Required | Default value | Example value | | -- | | -- | - | |
azure-signalr Howto Use Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/howto-use-managed-identity.md
The token in the `Authorization` header is a [Microsoft identity platform access
To validate access tokens, your app should also validate the audience and the signing tokens. These tokens need to be validated against the values in the OpenID discovery document. For example, see the [tenant-independent version of the document](https://login.microsoftonline.com/common/.well-known/openid-configuration).
-The Microsoft Entra ID middleware has built-in capabilities for validating access tokens. You can browse through our [samples](../active-directory/develop/sample-v2-code.md) to find one in the language of your choice.
+The Microsoft Entra middleware has built-in capabilities for validating access tokens. You can browse through our [samples](../active-directory/develop/sample-v2-code.md) to find one in the language of your choice.
Libraries and code samples that show how to handle token validation are available. There are also several open-source partner libraries available for JSON Web Token (JWT) validation. There's at least one option for almost every platform and language. For more information about Microsoft Entra authentication libraries and code samples, see [Microsoft identity platform authentication libraries](../active-directory/develop/reference-v2-libraries.md).
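Review bot: the context line "your app should also validate the audience and the signing tokens" is imprecise and the rename hunk leaves it untouched. What a validator checks is the token's signature, against the signing keys the discovery document points to under `jwks_uri`, together with the `issuer` and the audience claim; "signing tokens" is not a thing a caller validates. Suggest "your app should also validate the signature, issuer, and audience against the values in the OpenID discovery document."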
You can easily set access validation for a Function App without code changes usi
1. Select **Add identity provider**. 1. In the **Basics** tab, select **Microsoft** from the **Identity provider** dropdown. 1. Select **Log in with Microsoft Entra ID** in **Action to take when request is not authenticated**.
-1. Select **Microsoft** in the identity provider dropdown. The option to create a new registration is selected by default. You can change the name of the registration. For more information on enabling Microsoft Entra ID provider, see [Configure your App Service or Azure Functions app to login with Microsoft Entra ID](../app-service/configure-authentication-provider-aad.md)
+1. Select **Microsoft** in the identity provider dropdown. The option to create a new registration is selected by default. You can change the name of the registration. For more information on enabling Microsoft Entra provider, see [Configure your App Service or Azure Functions app to login with Microsoft Entra ID](../app-service/configure-authentication-provider-aad.md)
:::image type="content" source="media/signalr-howto-use-managed-identity/function-aad.png" alt-text="Function Microsoft Entra ID"::: 1. Navigate to SignalR Service and follow the [steps](howto-use-managed-identity.md#add-a-system-assigned-identity) to add a system-assigned identity or user-assigned identity. 1. go to **Upstream settings** in SignalR Service and choose **Use Managed Identity** and **Select from existing Applications**. Select the application you created previously.
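Review bot: the added line drops the article: "For more information on enabling Microsoft Entra provider" should read "on enabling the Microsoft Entra provider". While touching this step list, the following context line starts a numbered step with lowercase "go to **Upstream settings**"; capitalize it to match the other steps.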
azure-signalr Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-signalr/policy-reference.md
Title: Built-in policy definitions for Azure SignalR description: Lists Azure Policy built-in policy definitions for Azure SignalR. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
azure-sql-edge Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-sql-edge/features.md
The following list includes the SQL Server 2022 on Linux features that aren't cu
| | Management Data Warehouse | | | Contained Databases | | | S3-compatible object storage integration |
-| | Azure Active Directory authentication |
+| | Microsoft Entra authentication |
| | Buffer pool parallel scan | | | Hybrid buffer pool with direct write | | | Concurrent updates to global allocation map (GAM) pages and shared global allocation map (SGAM) pages |
azure-video-indexer Connect Classic Account To Arm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/connect-classic-account-to-arm.md
Before the end of the 30 days of transition state, you can remove access from us
### Browse to the [Azure AI Video Indexer website](https://aka.ms/vi-portal-link)
-1. Sign in using your Azure AD account.
+1. Sign in using your Microsoft Entra account.
1. On the top right bar press *User account* to open the side pane account list. 1. Select the Azure AI Video Indexer classic account you wish to connect to ARM (classic accounts will be tagged with a *classic tag*). 1. Click **Settings**.
azure-video-indexer Connect To Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/connect-to-azure.md
For the pricing details, see [pricing](https://azure.microsoft.com/pricing/detai
* An Azure subscription. If you don't have an Azure subscription yet, sign up for [Azure Free Trial](https://azure.microsoft.com/free/).
-* An Azure Active Directory (Azure AD) domain.
+* A Microsoft Entra domain.
- If you don't have an Azure AD domain, create this domain with your Azure subscription. For more information, see [Managing custom domain names in your Azure AD](../active-directory/enterprise-users/domains-manage.md)
-* A user in your Azure AD domain with an **Application administrator** role. You'll use this member when connecting your Azure AI Video Indexer account to Azure.
+ If you don't have a Microsoft Entra domain, create this domain with your Azure subscription. For more information, see [Managing custom domain names in your Microsoft Entra ID](../active-directory/enterprise-users/domains-manage.md)
+* A user in your Microsoft Entra domain with an **Application administrator** role. You'll use this member when connecting your Azure AI Video Indexer account to Azure.
- This user should be an Azure AD user with a work or school account. Don't use a personal account, such as outlook.com, live.com, or hotmail.com.
+ This user should be a Microsoft Entra user with a work or school account. Don't use a personal account, such as outlook.com, live.com, or hotmail.com.
- :::image type="content" alt-text="Screenshot that shows how to choose a user in your Azure A D domain." source="./media/create-account/all-aad-users.png":::
-* A user and member in your Azure AD domain.
+ :::image type="content" alt-text="Screenshot that shows how to choose a user in your Microsoft Entra domain." source="./media/create-account/all-aad-users.png":::
+* A user and member in your Microsoft Entra domain.
You'll use this member when connecting your Azure AI Video Indexer account to Azure.
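Review bot: after the rename the prerequisite list still contains two overlapping bullets: "A user in your Microsoft Entra domain with an **Application administrator** role. You'll use this member when connecting..." and, a few lines later, "A user and member in your Microsoft Entra domain." followed by the same "You'll use this member when connecting..." sentence. Consider folding them into one bullet. Also, "Managing custom domain names in your Microsoft Entra ID" reads oddly as link text; "in Microsoft Entra ID" or "in your Microsoft Entra tenant" is the usual form, and that sentence is missing its terminal period.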
For the pricing details, see [pricing](https://azure.microsoft.com/pricing/detai
## Connect to Azure > [!NOTE]
-> Use the same Azure AD user you used when connecting to Azure.
+> Use the same Microsoft Entra user you used when connecting to Azure.
It's strongly recommended to have the following three accounts located in the same region:
If your storage account is behind a firewall, see [storage account that is behin
In the new Media Services account, select **Streaming endpoints**. Then select the streaming endpoint and press start. :::image type="content" alt-text="Screenshot that shows how to specify streaming endpoints." source="./media/create-account/create-ams-account-se.png":::
-1. For Azure AI Video Indexer to authenticate with Media Services API, an AD app needs to be created. The following steps guide you through the Azure AD authentication process described in [Get started with Azure AD authentication by using the Azure portal](/azure/media-services/previous/media-services-portal-get-started-with-aad):
+1. For Azure AI Video Indexer to authenticate with Media Services API, an AD app needs to be created. The following steps guide you through the Microsoft Entra authentication process described in [Get started with Microsoft Entra authentication by using the Azure portal](/azure/media-services/previous/media-services-portal-get-started-with-aad):
1. In the new Media Services account, select **API access**. 2. Select [Service principal authentication method](/azure/media-services/previous/media-services-portal-get-started-with-aad).
In the dialog, provide the following information:
|Setting|Description| ||| |Azure AI Video Indexer account region|The name of the Azure AI Video Indexer account region. For better performance and lower costs, it's highly recommended to specify the name of the region where the Azure Media Services resource and Azure Storage account are located. |
-|Azure AD tenant|The name of the Azure AD tenant, for example "contoso.onmicrosoft.com". The tenant information can be retrieved from the Azure portal. Place your cursor over the name of the signed-in user in the top-right corner. Find the name to the right of **Domain**.|
+|Microsoft Entra tenant|The name of the Microsoft Entra tenant, for example "contoso.onmicrosoft.com". The tenant information can be retrieved from the Azure portal. Place your cursor over the name of the signed-in user in the top-right corner. Find the name to the right of **Domain**.|
|Subscription ID|The Azure subscription under which this connection should be created. The subscription ID can be retrieved from the Azure portal. Select **All services** in the left panel, and search for "subscriptions". Select **Subscriptions** and choose the desired ID from the list of your subscriptions.| |Azure Media Services resource group name|The name for the resource group in which you created the Media Services account.| |Media service resource name|The name of the Azure Media Services account that you created in the previous section.|
-|Application ID|The Azure AD application ID (with permissions for the specified Media Services account) that you created in the previous section.|
-|Application key|The Azure AD application key that you created in the previous section. |
+|Application ID|The Microsoft Entra application ID (with permissions for the specified Media Services account) that you created in the previous section.|
+|Application key|The Microsoft Entra application key that you created in the previous section. |
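Review bot: the added line "For Azure AI Video Indexer to authenticate with Media Services API, an AD app needs to be created" still uses the old "AD app" shorthand even though the rest of the same line was renamed to Microsoft Entra. Suggest "a Microsoft Entra application needs to be created" so the step matches the table rows below it, which now say "Microsoft Entra application ID" and "Microsoft Entra application key".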
## Import your content from the trial account
See [Import your content from the trial account](import-content-from-trial.md).
To automate the creation of the account is a two steps process:
-1. Use Azure Resource Manager to create an Azure Media Services account + Azure AD application.
+1. Use Azure Resource Manager to create an Azure Media Services account + Microsoft Entra application.
See an example of the [Media Services account creation template](https://github.com/Azure-Samples/media-services-v3-arm-templates).
-1. Call [Create-Account with the Media Services and Azure AD application](https://videoindexer.ai.azure.us/account/login?source=apim).
+1. Call [Create-Account with the Media Services and Microsoft Entra application](https://videoindexer.ai.azure.us/account/login?source=apim).
## Azure AI Video Indexer in Azure Government ### Prerequisites for connecting to Azure Government - An Azure subscription in [Azure Government](../azure-government/index.yml).-- An Azure AD account in Azure Government.
+- A Microsoft Entra account in Azure Government.
- All pre-requirements of permissions and resources as described above in [Prerequisites for connecting to Azure](#prerequisites-for-connecting-to-azure). ### Create new account via the Azure Government portal
To automate the creation of the account is a two steps process:
To create a paid account via the Azure AI Video Indexer website: 1. Go to https://videoindexer.ai.azure.us
-1. Sign-in with your Azure Government Azure AD account.
+1. Sign-in with your Azure Government Microsoft Entra account.
1.If you don't have any Azure AI Video Indexer accounts in Azure Government that you're an owner or a contributor to, you'll get an empty experience from which you can start creating your account. The rest of the flow is as described in above, only the regions to select from will be Government regions in which Azure AI Video Indexer is available
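Review bot: "Sign-in with your Azure Government Microsoft Entra account" uses the noun form; as an imperative it should be "Sign in with ...", matching "Sign in using your Microsoft Entra account" elsewhere in this update. The next context line, "1.If you don't have any Azure AI Video Indexer accounts", is missing the space after the list marker, which stops it rendering as a list item, and "as described in above" should be "as described above".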
The account will be permanently deleted in 90 days.
## Next steps You can programmatically interact with your trial account and/or with your Azure AI Video Indexer accounts that are connected to Azure by following the instructions in: [Use APIs](video-indexer-use-apis.md).-
azure-video-indexer Manage Account Connected To Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/manage-account-connected-to-azure.md
In the **Update connection to Azure Media Services** dialog of your [Azure AI Vi
||| |Azure subscription ID|The subscription ID can be retrieved from the Azure portal. Click on **All services** in the left panel and search for "subscriptions". Select **Subscriptions** and choose the desired ID from the list of your subscriptions.| |Azure Media Services resource group name|The name for the resource group in which you created the Media Services account.|
-|Application ID|The Azure AD application ID (with permissions for the specified Media Services account) that you created for this Azure AI Video Indexer account. <br/><br/>To get the app ID, navigate to Azure portal. Under the Media Services account, choose your account and go to **API Access**. Select **Connect to Media Services API with service principal** -> **Azure AD App**. Copy the relevant parameters.|
-|Application key|The Azure AD application key associated with your Media Services account that you specified above. <br/><br/>To get the app key, navigate to Azure portal. Under the Media Services account, choose your account and go to **API Access**. Select **Connect to Media Services API with service principal** -> **Manage application** -> **Certificates & secrets**. Copy the relevant parameters.|
+|Application ID|The Microsoft Entra application ID (with permissions for the specified Media Services account) that you created for this Azure AI Video Indexer account. <br/><br/>To get the app ID, navigate to Azure portal. Under the Media Services account, choose your account and go to **API Access**. Select **Connect to Media Services API with service principal** -> **Microsoft Entra App**. Copy the relevant parameters.|
+|Application key|The Microsoft Entra application key associated with your Media Services account that you specified above. <br/><br/>To get the app key, navigate to Azure portal. Under the Media Services account, choose your account and go to **API Access**. Select **Connect to Media Services API with service principal** -> **Manage application** -> **Certificates & secrets**. Copy the relevant parameters.|
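Review bot: the bold path "**Connect to Media Services API with service principal** -> **Microsoft Entra App**" is a quoted portal UI label, not prose. Renaming a UI string in the docs should follow the label the portal actually shows; if that blade still says "Azure AD App", readers will be looking for a button that does not exist. Please confirm the current label before merging, or phrase the step so it does not depend on the exact button text.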
## Errors and warnings
If your account needs some adjustments, you see relevant errors and warnings abo
You can programmatically interact with your trial account or Azure AI Video Indexer accounts that are connected to Azure by following the instructions in: [Use APIs](video-indexer-use-apis.md).
-Use the same Azure AD user you used when connecting to Azure.
+Use the same Microsoft Entra user you used when connecting to Azure.
azure-video-indexer Restricted Viewer Role https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/restricted-viewer-role.md
To see your accounts, select **User Accounts** at the top-right of the [Azure AI
## User management of ARM accounts
-[Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) is used to manage access to Azure resources, such as the ability to create new resources or use existing ones. Using Azure RBAC, you can segregate duties within your team and users by granting only the amount of access that is appropriate. Users in your Azure Active Directory (Azure AD) are assigned specific roles, which grant access to resources.
+[Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) is used to manage access to Azure resources, such as the ability to create new resources or use existing ones. Using Azure RBAC, you can segregate duties within your team and users by granting only the amount of access that is appropriate. Users in your Microsoft Entra ID are assigned specific roles, which grant access to resources.
-Users with owner or administrator Azure Active Directory (Azure AD) permissions can assign roles to Azure AD users or security groups for an account. For information on how to assign roles, seeΓÇ»[Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).
+Users with owner or administrator Microsoft Entra permissions can assign roles to Microsoft Entra users or security groups for an account. For information on how to assign roles, seeΓÇ»[Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).
Azure AI Video Indexer provides three built-in roles. You can learn more about [Azure built-in roles](../role-based-access-control/built-in-roles.md). Azure AI Video Indexer doesn't support the creation of custom roles.
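Review bot: "Users in your Microsoft Entra ID are assigned specific roles" treats the product name as a container; the earlier wording "in your Azure Active Directory" worked because a directory is something you have, but "your Microsoft Entra ID" does not. Suggest "Users in your Microsoft Entra tenant are assigned specific roles". Separately, the next line carries a non-breaking space before the link (shown here as "seeΓÇ»[Assign Azure roles...]"); replace it with a regular space so the rendered text does not misbehave at line wraps.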
azure-video-indexer Switch Tenants Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/switch-tenants-portal.md
When logging in the Azure AI Video Indexer website, a default directory will loa
> [!Note] > Trial accounts and Classic accounts are global and not tenant-specific. Hence, the tenant switching described in this article only applies to your ARM accounts. >
-> The option to switch directories is available only for users using Azure Active Directory (Azure AD) to log in.
+> The option to switch directories is available only for users using Microsoft Entra ID to log in.
This article shows two options to solve the same problem - how to switch tenants:
If you want to see domains for all of your directories and switch between them,
1. Go to the [Azure AI Video Indexer](https://www.videoindexer.ai/) website. 1. Press **Sign out** after pressing the button in the top-right corner.
-1. On the AVI website, press **Sign in** and choose the Azure AD account.
+1. On the AVI website, press **Sign in** and choose the Microsoft Entra account.
> [!div class="mx-imgBorder"]
- > ![Sign in with the AAD account.](./media/switch-directory/choose-account.png)
+ > ![Sign in with the Microsoft Entra account.](./media/switch-directory/choose-account.png)
1. Press **Use another account**. > [!div class="mx-imgBorder"]
azure-video-indexer Video Indexer Use Apis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/azure-video-indexer/video-indexer-use-apis.md
Before you start, see the [Recommendations](#recommendations) section (that foll
> [!Important] > * You must use the same provider you used when you signed up for Azure AI Video Indexer.
- > * Personal Google and Microsoft (Outlook/Live) accounts can only be used for trial accounts. Accounts connected to Azure require Azure AD.
+ > * Personal Google and Microsoft (Outlook/Live) accounts can only be used for trial accounts. Accounts connected to Azure require Microsoft Entra ID.
> * There can be only one active account per email. If a user tries to sign in with user@gmail.com for LinkedIn and later with user@gmail.com for Google, the latter will display an error page, saying the user already exists. ![Sign in to the Azure AI Video Indexer API developer portal](./media/video-indexer-use-apis/sign-in.png)
After you're done with this tutorial, delete resources that you aren't planning
- [Examine details of the output JSON](video-indexer-output-json-v2.md) - Check out the [sample code](https://github.com/Azure-Samples/media-services-video-indexer) that demonstrates important aspect of uploading and indexing a video. Following the code will give you a good idea of how to use our API for basic functionalities. Make sure to read the inline comments and notice our best practices advice.-
backup Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/backup/policy-reference.md
Title: Built-in policy definitions for Azure Backup description: Lists Azure Policy built-in policy definitions for Azure Backup. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
baremetal-infrastructure Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/baremetal-infrastructure/workloads/nc2-on-azure/requirements.md
The following sections identify the requirements to use Nutanix Clusters on Azur
## Azure account requirements * An Azure account with a new subscription
-* An Azure Active Directory
+* A Microsoft Entra directory
## My Nutanix account requirements
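Review bot: "A Microsoft Entra directory" is not the term the rest of this update uses; other files in the same change render the equivalent prerequisite as a "Microsoft Entra tenant" (for example the "Microsoft Entra tenant" table row in the Video Indexer connect article). Suggest "A Microsoft Entra tenant" for consistency.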
gateway-external-api.cloud.nutanix.com.
Learn more: > [!div class="nextstepaction"]
-> [Supported instances and regions](supported-instances-and-regions.md)
+> [Supported instances and regions](supported-instances-and-regions.md)
bastion Bastion Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/bastion-faq.md
Azure Bastion is deployed within VNets or peered VNets, and is associated to an
Currently, by default, new Bastion deployments don't support zone redundancies. Previously deployed bastions may or may not be zone-redundant. The exceptions are Bastion deployments in Korea Central and Southeast Asia, which do support zone redundancies.
-### <a name="azure-ad-guests"></a>Does Bastion support Azure AD guest accounts?
+### <a name="azure-ad-guests"></a>Does Bastion support Microsoft Entra guest accounts?
-Yes, [Azure AD guest accounts](../active-directory/external-identities/what-is-b2b.md) can be granted access to Bastion and can connect to virtual machines. However, Azure AD guest users can't connect to Azure VMs via Azure AD authentication. Non-guest users are supported via Azure AD authentication. For more information about Azure AD authentication for Azure VMs (for non-guest users), see [Log in to a Windows virtual machine in Azure by using Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md).
+Yes, [Microsoft Entra guest accounts](../active-directory/external-identities/what-is-b2b.md) can be granted access to Bastion and can connect to virtual machines. However, Microsoft Entra guest users can't connect to Azure VMs via Microsoft Entra authentication. Non-guest users are supported via Microsoft Entra authentication. For more information about Microsoft Entra authentication for Azure VMs (for non-guest users), see [Log in to a Windows virtual machine in Azure by using Microsoft Entra ID](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md).
### <a name="shareable-links-domains"></a>Are custom domains supported with Bastion shareable links?
Azure Bastion offers support for file transfer between your target VM and local
### <a name="aadj"></a>Does Bastion hardening work with AADJ VM extension-joined VMs?
-This feature doesn't work with AADJ VM extension-joined machines using Azure AD users. For more information, see [Sign in to a Windows virtual machine in Azure by using Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#requirements).
+This feature doesn't work with AADJ VM extension-joined machines using Microsoft Entra users. For more information, see [Sign in to a Windows virtual machine in Azure by using Microsoft Entra ID](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md#requirements).
### <a name="rdscal-compatibility"></a>Is Bastion compatible with VMs set up as RDS session hosts?
bastion Connect Ip Address https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/connect-ip-address.md
IP-based connection lets you connect to your on-premises, non-Azure, and Azure v
* IP-based connection wonΓÇÖt work with force tunneling over VPN, or when a default route is advertised over an ExpressRoute circuit. Azure Bastion requires access to the Internet and force tunneling, or the default route advertisement will result in traffic blackholing.
-* Azure Active Directory Authentication isn't supported for RDP connections. Azure Active Directory authentication is supported for SSH connections via native client.
+* Microsoft Entra authentication isn't supported for RDP connections. Microsoft Entra authentication is supported for SSH connections via native client.
* Custom ports and protocols aren't currently supported when connecting to a VM via native client.
Before you begin these steps, verify that you have the following environment set
You can connect to VMs using a specified IP address with native client via SSH, RDP, or tunneling. To learn more about configuring native client support, see [Configure Bastion native client support](native-client.md). > [!NOTE]
-> This feature does not currently support Azure Active Directory authentication or custom port and protocol.
+> This feature does not currently support Microsoft Entra authentication or custom port and protocol.
Use the following commands as examples:
bastion Connect Vm Native Client Linux https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/connect-vm-native-client-linux.md
# Connect to a VM using Bastion and a Linux native client
-This article helps you connect via Azure Bastion to a VM in VNet using the native client on your local Linux computer. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Azure Active Directory (Azure AD). For more information and steps to configure Bastion for native client connections, see [Configure Bastion for native client connections](native-client.md). Connections via native client require the Bastion Standard SKU.
+This article helps you connect via Azure Bastion to a VM in VNet using the native client on your local Linux computer. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Microsoft Entra ID. For more information and steps to configure Bastion for native client connections, see [Configure Bastion for native client connections](native-client.md). Connections via native client require the Bastion Standard SKU.
:::image type="content" source="./media/native-client/native-client-architecture.png" alt-text="Diagram shows a connection via native client." lightbox="./media/native-client/native-client-architecture.png":::
When you connect using this command, file transfers aren't supported. If you wan
This command lets you do the following: * Connect to a Linux VM using SSH.
-* Authenticate via Azure Active Directory
+* Authenticate via Microsoft Entra ID
* Connect to concurrent VM sessions within the virtual network. To sign in, use one of the following examples. Once you sign in to your target VM, the native client on your computer opens up with your VM session.
To sign in to your VM using an SSH key pair, use the following example.
az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>" ```
-**Azure AD authentication**
+**Microsoft Entra authentication**
-If youΓÇÖre signing in to an Azure AD login-enabled VM, use the following example. For more information, see [Azure Linux VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md).
+If youΓÇÖre signing in to a Microsoft Entra login-enabled VM, use the following example. For more information, see [Azure Linux VMs and Microsoft Entra ID](../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md).
```azurecli az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "AAD"
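Review bot: the heading and prose were renamed to "Microsoft Entra authentication", but the command that follows still passes `--auth-type "AAD"`. That is correct, since the CLI parameter value is an identifier and not prose, but a reader who has only seen the new name may think the example is stale. Add a short sentence after the example stating that the `--auth-type` value remains `AAD` (the same point applies to the Windows native client article further down, which also shows `--auth-type "AAD"`).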
az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupNa
#### <a name="VM-IP"></a>SSH to a Linux VM IP address
-You can connect to a VM private IP address instead of the resource ID. Be aware that Azure AD authentication, and custom ports and protocols aren't supported when using this type of connection. For more information about IP-based connections, see [Connect to a VM - IP address](connect-ip-address.md).
+You can connect to a VM private IP address instead of the resource ID. Be aware that Microsoft Entra authentication, and custom ports and protocols aren't supported when using this type of connection. For more information about IP-based connections, see [Connect to a VM - IP address](connect-ip-address.md).
Using the `az network bastion` command, replace `--target-resource-id` with `--target-ip-address` and the specified IP address to connect to your VM. The following example uses --ssh-key for the authentication method.
bastion Connect Vm Native Client Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/connect-vm-native-client-windows.md
# Connect to a VM using Bastion and the Windows native client
-This article helps you connect to a VM in the VNet using the native client (SSH or RDP) on your local Windows computer. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Azure Active Directory (Azure AD). For more information and steps to configure Bastion for native client connections, see [Configure Bastion for native client connections](native-client.md). Connections via native client require the Bastion Standard SKU.
+This article helps you connect to a VM in the VNet using the native client (SSH or RDP) on your local Windows computer. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Microsoft Entra ID. For more information and steps to configure Bastion for native client connections, see [Configure Bastion for native client connections](native-client.md). Connections via native client require the Bastion Standard SKU.
:::image type="content" source="./media/native-client/native-client-architecture.png" alt-text="Diagram shows a connection via native client." lightbox="./media/native-client/native-client-architecture.png":::
The steps in the following sections help you connect to a VM from a Windows nati
az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" ```
-1. After running the command, you're prompted to input your credentials. You can use either a local username and password, or your Azure AD credentials. Once you sign in to your target VM, the native client on your computer opens up with your VM session via **MSTSC**.
+1. After running the command, you're prompted to input your credentials. You can use either a local username and password, or your Microsoft Entra credentials. Once you sign in to your target VM, the native client on your computer opens up with your VM session via **MSTSC**.
> [!IMPORTANT]
- > Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are Azure AD registered (starting with Windows 10 20H1), Azure AD joined, or hybrid Azure AD joined to the *same* directory as the VM.
+ > Remote connection to VMs that are joined to Microsoft Entra ID is allowed only from Windows 10 or later PCs that are Microsoft Entra registered (starting with Windows 10 20H1), Microsoft Entra joined, or Microsoft Entra hybrid joined to the *same* directory as the VM.
#### Specify authentication method Optionally, you can also specify the authentication method as part of the command.
-* **Azure AD authentication:** For Windows 10 version 20H2+, Windows 11 21H2+, and Windows Server 2022, use `--enable-mfa`. For more information, see [az network bastion rdp - optional parameters](/cli/azure/network/bastion?#az-network-bastion-rdp(bastion)-optional-parameters).
+* **Microsoft Entra authentication:** For Windows 10 version 20H2+, Windows 11 21H2+, and Windows Server 2022, use `--enable-mfa`. For more information, see [az network bastion rdp - optional parameters](/cli/azure/network/bastion?#az-network-bastion-rdp(bastion)-optional-parameters).
#### Specify a custom port
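Review bot: the IMPORTANT callout says Microsoft Entra registered clients are supported "starting with Windows 10 20H1", while the authentication bullet two lines later requires "Windows 10 version 20H2+" for `--enable-mfa`; two different version floors sit next to each other with no explanation, so either reconcile them or say that one is the client-join requirement and the other is the Entra sign-in requirement. The bullet is also now labeled "Microsoft Entra authentication" but the option it points at is `--enable-mfa`; one clause saying that this flag is what selects Entra sign-in for the RDP session would stop readers looking for an `--auth-type`-style option like the one the SSH command uses later in this article.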
az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupNa
#### RDP to a Windows VM IP address
-You can also connect to a VM private IP address, instead of the resource ID. Azure AD authentication, and custom ports and protocols aren't supported when using this type of connection. For more information about IP-based connections, see [Connect to a VM - IP address](connect-ip-address.md).
+You can also connect to a VM private IP address, instead of the resource ID. Microsoft Entra authentication, and custom ports and protocols aren't supported when using this type of connection. For more information about IP-based connections, see [Connect to a VM - IP address](connect-ip-address.md).
Using the `az network bastion` command, replace `--target-resource-id` with `--target-ip-address` and the specified IP address to connect to your VM.
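Review bot: the comma in "Microsoft Entra authentication, and custom ports and protocols aren't supported" makes the sentence read as a two-item list with a stray separator; suggest "Microsoft Entra authentication, custom ports, and custom protocols aren't supported when connecting by IP address". The same sentence is repeated in the SSH section of this article, so fix both places. Because an IP-based session gives up Entra sign-in, it is also worth one clause saying what remains available (local username and password for RDP, local SSH key pair for SSH, as listed elsewhere in this article) so the reader sees the trade-off rather than a bare feature list.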
az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupNa
1. Sign in to your target Linux VM using one of the following example options. If you want to specify a custom port value, include the field **--resource-port** in the sign-in command.
- **Azure AD:**
+ **Microsoft Entra ID:**
- If youΓÇÖre signing in to an Azure AD login-enabled VM, use the following command. For more information, see [Azure Linux VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md).
+ If youΓÇÖre signing in to a Microsoft Entra login-enabled VM, use the following command. For more information, see [Azure Linux VMs and Microsoft Entra ID](../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md).
```azurecli az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "AAD"
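Review bot: the sign-in prose and the link text are renamed to Microsoft Entra ID, but the command still passes `--auth-type "AAD"`; that literal is the CLI's accepted value and must stay, so add a short sentence saying the parameter value remains `AAD` after the rename, otherwise readers may "correct" it. Separately, "you're" in the sentence above the command shows as mojibake ("youΓÇÖre") in this hunk, which points to a curly apostrophe that did not survive encoding; use a plain ASCII apostrophe in the source.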
az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupNa
#### SSH to a Linux VM IP address
-You can also connect to a VM private IP address, instead of the resource ID. Azure AD authentication, and custom ports and protocols aren't supported when using this type of connection. For more information about IP-based connections, see [Connect to a VM - IP address](connect-ip-address.md).
+You can also connect to a VM private IP address, instead of the resource ID. Microsoft Entra authentication, and custom ports and protocols aren't supported when using this type of connection. For more information about IP-based connections, see [Connect to a VM - IP address](connect-ip-address.md).
Using the `az network bastion` command, replace `--target-resource-id` with `--target-ip-address` and the specified IP address to connect to your VM.
bastion Native Client https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/native-client.md
# Configure Bastion for native client connections
-This article helps you configure your Bastion deployment to accept connections from the native client (SSH or RDP) on your local computer to VMs located in the VNet. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Azure Active Directory (Azure AD). Additionally, you can also upload or download files, depending on the connection type and client.
+This article helps you configure your Bastion deployment to accept connections from the native client (SSH or RDP) on your local computer to VMs located in the VNet. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Microsoft Entra ID. Additionally, you can also upload or download files, depending on the connection type and client.
:::image type="content" source="./media/native-client/native-client-architecture.png" alt-text="Diagram shows a connection via native client." lightbox="./media/native-client/native-client-architecture.png":::
After you deploy this feature, there are different connection instructions, depe
Use the following table to understand how to connect from native clients. Notice that different supported combinations of native client and target VMs allow for different features and require specific commands.
-| Client | Target VM | Method | Azure Active Directory authentication | File transfer | Concurrent VM sessions | Custom port |
+| Client | Target VM | Method | Microsoft Entra authentication | File transfer | Concurrent VM sessions | Custom port |
||||| ||| | Windows native client | Windows VM | [RDP](connect-vm-native-client-windows.md) | Yes | [Upload/Download](vm-upload-download-native.md#rdp) | Yes | Yes | | | Linux VM | [SSH](connect-vm-native-client-windows.md) | Yes |No | Yes | Yes |
bastion Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/troubleshoot.md
The key's randomart image is:
**Q:** I'm unable to connect to my Windows virtual machine that is domain-joined.
-**A:** Azure Bastion supports domain-joined VM sign-in for username-password based domain sign-in only. When specifying the domain credentials in the Azure portal, use the UPN (username@domain) format instead of *domain\username* format to sign in. This is supported for domain-joined or hybrid-joined (both domain-joined and Azure AD-joined) virtual machines. It isn't supported for Azure AD-joined-only virtual machines.
+**A:** Azure Bastion supports domain-joined VM sign-in for username-password based domain sign-in only. When specifying the domain credentials in the Azure portal, use the UPN (username@domain) format instead of *domain\username* format to sign in. This is supported for domain-joined or hybrid-joined (both domain-joined and Microsoft Entra joined) virtual machines. It isn't supported for Microsoft Entra joined-only virtual machines.
## <a name="connectivity"></a> Unable to connect to virtual machine
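Review bot: the answer says sign-in "isn't supported for Microsoft Entra joined-only virtual machines" without saying which connection path it refers to; the native-client pages in this same commit set state that `az network bastion rdp` accepts Microsoft Entra credentials, so the answer should say explicitly that the limitation applies to portal-based sign-in with domain credentials. "Microsoft Entra joined-only" should also read "Microsoft Entra joined (not hybrid joined)" to match the wording used earlier in the same sentence.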
bastion Vm Upload Download Native https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/bastion/vm-upload-download-native.md
The steps in this section apply when connecting to a target VM from a Windows lo
az account set --subscription "<subscription ID>" ```
-1. Sign in to your target VM via RDP using the following command. You can use either a local username and password, or your Azure AD credentials. To learn more about how to use Azure AD to sign in to your Azure Windows VMs, see [Azure Windows VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md).
+1. Sign in to your target VM via RDP using the following command. You can use either a local username and password, or your Microsoft Entra credentials. To learn more about how to use Microsoft Entra ID to sign in to your Azure Windows VMs, see [Azure Windows VMs and Microsoft Entra ID](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md).
```azurecli az network bastion rdp --name "<BastionName>" --resource-group "<BastionResourceGroupName>" --target-resource-id "<VMResourceId>"
batch Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/batch/policy-reference.md
Title: Built-in policy definitions for Azure Batch description: Lists Azure Policy built-in policy definitions for Azure Batch. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
chaos-studio Chaos Studio Permissions Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-permissions-security.md
Chaos Studio has three levels of security to help you control how and when fault
When you attempt to control the ability to inject faults against a resource, the most important operation to restrict is `Microsoft.Chaos/experiments/start/action`. This operation starts a chaos experiment that injects faults.
-* Second, a chaos experiment has a [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) or a [user-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) that executes faults on a resource. If you choose to use a system-assigned managed identity for your experiment, the identity is created at experiment creation time in your Azure Active Directory tenant. User-assigned managed identites may be used across any number of experiments.
+* Second, a chaos experiment has a [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) or a [user-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) that executes faults on a resource. If you choose to use a system-assigned managed identity for your experiment, the identity is created at experiment creation time in your Microsoft Entra tenant. User-assigned managed identites may be used across any number of experiments.
Within a chaos experiment, you can choose to enable custom role assignment on either your system-assigned or user-assigned managed identity selection. Enabling this functionality allows Chaos Studio to create and assign a custom role containing any necessary experiment action capabilities to your experiment's identity (that do not already exist in your identity selection). If a chaos experiment is using a user-assigned managed identity, any custom roles assigned to the experiment identity by Chaos Studio will persist after experiment deletion.
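Review bot: "identites" at the end of the changed bullet should be "identities". More importantly, the paragraph below states that custom roles Chaos Studio assigns to a user-assigned managed identity persist after the experiment is deleted; that leaves fault-injection rights on the target resources attached to an identity that the bullet says may be reused across any number of experiments, so suggest adding an explicit step to review and remove those role assignments when an experiment is retired, or to prefer a system-assigned identity for one-off experiments so the rights go away with the experiment.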
chaos-studio Chaos Studio Region Availability https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-region-availability.md
Any target or capability metadata is deleted when a target is deleted.
Chaos Studio is a regional, zone-redundant service (in regions that support availability zones). If there's an availability zone outage, any chaos operation might fail, but experiment metadata, history, and details should remain available and the service shouldn't see a full outage.
+## Data Residency
+Azure Chaos Studio doesn't store customer data outside the region the customer deploys the service instance in.
+ ## Next steps Now that you understand the region availability model for Chaos Studio, you're ready to: - [Review the availability of Chaos Studio per region](https://azure.microsoft.com/global-infrastructure/services/?products=chaos-studio)
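Review bot: the new Data Residency statement says no customer data is stored outside the deployment region, but the paragraph directly above it says experiment metadata, history, and details remain available during a zone outage; say whether that metadata and history are what "customer data" covers, because readers evaluating residency will ask exactly that. Also, "## Next steps" is run onto the same line as the residency text in this hunk; make sure the heading starts on its own line with a blank line before it.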
chaos-studio Chaos Studio Tutorial Aad Outage Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-tutorial-aad-outage-portal.md
+
+ Title: Use a chaos experiment template to induce an outage on an Azure Active Directory instance
+description: Use the Azure portal to create an experiment from the AAD outage experiment template.
++++ Last updated : 09/27/2023+++
+# Use a chaos experiment template to induce an outage on an Azure Active Directory instance
+
+You can use a chaos experiment to verify that your application is resilient to failures by causing those failures in a controlled environment. In this article, you induce an outage on an Azure Active Directory resource using a pre-populated experiment template and Azure Chaos Studio Preview.
+
+## Prerequisites
+
+- An Azure subscription. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
+- A network security group.
+
+## Enable Chaos Studio on your network security group
+
+Azure Chaos Studio Preview can't inject faults against a resource until that resource is added to Chaos Studio. To add a resource to Chaos Studio, create a [target and capabilities](chaos-studio-targets-capabilities.md) on the resource. Network security groups have only one target type (service-direct) and one capability (set rules). Other resources might have up to two target types. One target type is for service-direct faults. Another target type is for agent-based faults. Other resources might have many other capabilities.
+
+1. Open the [Azure portal](https://portal.azure.com).
+1. Search for **Chaos Studio** in the search bar.
+1. Select **Targets** and find your network security group resource.
+1. Select the network security group resource and select **Enable targets** > **Enable service-direct targets**.
+
+ [![Screenshot that shows the Targets screen in Chaos Studio, with the network security group resource selected.](images/tutorial-aad-outage-enable.png) ](images/tutorial-aad-outage-enable.png#lightbox)
+1. Select **Review + Enable** > **Enable**.
+
+You've now successfully added your network security group to Chaos Studio.
+
+## Create an experiment from a template
+
+Now you can create your experiment from a pre-filled experiment template. A chaos experiment defines the actions you want to take against target resources. The actions are organized and run in sequential steps. The chaos experiment also defines the actions you want to take against branches, which run in parallel.
+
+1. In Chaos Studio, go to **Experiments** > **Create** > **New from template**.
+
+ [![Screenshot that shows the Experiments screen, with the New from template button highlighted.](images/tutorial-aad-outage-create.png)](images/tutorial-aad-outage-create.png#lightbox)
+1. Select **AAD Outage**.
+
+ [![Screenshot that shows the experiment templates screen, with the AAD outage template button highlighted.](images/tutorial-aad-outage-select.png)](images/tutorial-aad-outage-select.png#lightbox)
+1. Add a name for your experiment that complies with resource naming guidelines. Select **Next: Permissions**.
+
+ [![Screenshot that shows the experiment basics screen, with the permissions tab button button highlighted.](images/tutorial-aad-outage-basics.png)](images/tutorial-aad-outage-basics.png#lightbox)
+1. For your chaos experiment to run successfully, it must have [sufficient permissions on target resources](chaos-studio-permissions-security.md). Select a system-assigned managed identity or a user-assigned managed identity for your experiment. You can choose to enable custom role assignment if you would like Chaos Studio to add the necessary permissions to run (in the form of a custom role) to your experiment's identity. Select **Next: Experiment designer**.
+
+ [![Screenshot that shows the experiment permissions screen, with the experiment designer tab button button highlighted.](images/tutorial-aad-outage-permissions.png)](images/tutorial-aad-outage-permissions.png#lightbox)
+1. Within the **NSG Security Rule (version 1.1)** fault, select **Edit**.
+
+ [![Screenshot that shows the experiment designer screen, with the edit button within the NSG fault highlighted.](images/tutorial-aad-outage-edit-fault.png)](images/tutorial-aad-outage-edit-fault.png#lightbox)
+1. Review fault parameters and select **Next: Target resources**.
+
+ [![Screenshot that shows the fault parameters pane, with the target resources button highlighted.](images/tutorial-aad-outage-fault-params.png)](images/tutorial-aad-outage-fault-params.png#lightbox)
+1. Select the network security group resource that you want to use in the experiment. Select **Save**.
+
+ [![Screenshot that shows the fault targets pane, with the save button highlighted.](images/tutorial-aad-outage-targets.png)](images/tutorial-aad-outage-targets.png#lightbox)
+1. Select **Review + create** > **Create** to save the experiment.
+
+## Run your experiment
+You're now ready to run your experiment.
+
+1. In the **Experiments** view, select your experiment. Select **Start** > **OK**.
+1. When **Status** changes to *Running*, select **Details** for the latest run under **History** to see details for the running experiment.
+
+## Next steps
+Now that you've run an AAD outage template experiment, you're ready to:
+- [Manage your experiment](chaos-studio-run-experiment.md)
+- [Create an experiment that shut down all targets in a zone](chaos-studio-tutorial-dynamic-target-portal.md)
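Review bot: the title and intro promise an outage "on an Azure Active Directory instance/resource", but every step targets a network security group and the only fault in the experiment is "NSG Security Rule (version 1.1)"; the intro should say that the outage is simulated by changing an NSG rule rather than by acting on an Entra resource, and should name the rule the template adds (direction, destination, ports) so readers know what traffic they are about to block before they select Start. This new file also uses "Azure Active Directory" and "AAD" throughout while the rest of this commit set renames to Microsoft Entra ID; align the prose and keep only the template's own name "AAD Outage" as the portal shows it. Minor: "tab button button" appears twice in the screenshot alt text, and the last Next steps bullet should read "an experiment that shuts down all targets in a zone".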
chaos-studio Chaos Studio Tutorial Agent Based Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/chaos-studio/chaos-studio-tutorial-agent-based-cli.md
sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.
Next, set up a Microsoft-Agent target on each VM or virtual machine scale set that specifies the user-assigned managed identity that the agent uses to connect to Chaos Studio. In this example, we use one managed identity for all VMs. A target must be created via REST API. In this example, we use the `az rest` CLI command to execute the REST API calls.
-1. Modify the following JSON by replacing `$USER_IDENTITY_CLIENT_ID` with the client ID of your managed identity. You can find the client ID in the Azure portal overview of the user-assigned managed identity you created. Replace `$USER_IDENTITY_TENANT_ID` with your Azure tenant ID. You can find it in the Azure portal under **Azure Active Directory** under **Tenant information**. Save the JSON as a file in the same location where you're running the Azure CLI. In Cloud Shell, you can drag and drop the JSON file to upload it.
+1. Modify the following JSON by replacing `$USER_IDENTITY_CLIENT_ID` with the client ID of your managed identity. You can find the client ID in the Azure portal overview of the user-assigned managed identity you created. Replace `$USER_IDENTITY_TENANT_ID` with your Azure tenant ID. You can find it in the Azure portal under **Microsoft Entra ID** under **Tenant information**. Save the JSON as a file in the same location where you're running the Azure CLI. In Cloud Shell, you can drag and drop the JSON file to upload it.
```json {
cloud-services-extended-support Enable Key Vault Virtual Machine https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services-extended-support/enable-key-vault-virtual-machine.md
The Key Vault VM extension provides automatic refresh of certificates stored in
The Key Vault VM extension is now supported on the Azure Cloud Services (extended support) platform to enable the management of certificates end to end. The extension can now pull certificates from a configured key vault at a predefined polling interval and install them for the service to use. ## How can I use the Key Vault VM extension?
-The following procedure will show you how to install the Key Vault VM extension on Azure Cloud Services by first creating a bootstrap certificate in your vault to get a token from Azure Active Directory (Azure AD). That token will help in the authentication of the extension with the vault. After the authentication process is set up and the extension is installed, all the latest certificates will be pulled down automatically at regular polling intervals.
+The following procedure will show you how to install the Key Vault VM extension on Azure Cloud Services by first creating a bootstrap certificate in your vault to get a token from Microsoft Entra ID. That token will help in the authentication of the extension with the vault. After the authentication process is set up and the extension is installed, all the latest certificates will be pulled down automatically at regular polling intervals.
> [!NOTE] > The Key Vault VM extension downloads all the certificates in the Windows certificate store to the location provided by the `certificateStoreLocation` property in the VM extension settings. Currently, the Key Vault VM extension grants access to the private key of the certificate only to the local system admin account. ### Prerequisites
-To use the Azure Key Vault VM extension, you need to have an Azure AD tenant. For more information, see [Quickstart: Set up a tenant](../active-directory/develop/quickstart-create-new-tenant.md).
+To use the Azure Key Vault VM extension, you need to have a Microsoft Entra tenant. For more information, see [Quickstart: Set up a tenant](../active-directory/develop/quickstart-create-new-tenant.md).
### Enable the Azure Key Vault VM extension
To use the Azure Key Vault VM extension, you need to have an Azure AD tenant. Fo
4. On the next page, fill out the form and complete the app creation.
-5. Upload the .cer file of the certificate to the Azure AD app portal.
+5. Upload the .cer file of the certificate to the Microsoft Entra app portal.
Optionally, you can use the [Azure Event Grid notification feature for Key Vault](https://azure.microsoft.com/updates/azure-key-vault-event-grid-integration-is-now-available/) to upload the certificate.
-6. Grant the Azure Active Directory app secret permissions in Key Vault:
+6. Grant the Microsoft Entra app secret permissions in Key Vault:
- - If you're using a role-based access control (RBAC) preview, search for the name of the Azure AD app that you created and assign it to the Key Vault Secrets User (preview) role.
- - If you're using vault access policies, assign **Secret-Get** permissions to the Azure AD app that you created. For more information, see [Assign access policies](../key-vault/general/assign-access-policy-portal.md).
+ - If you're using a role-based access control (RBAC) preview, search for the name of the Microsoft Entra app that you created and assign it to the Key Vault Secrets User (preview) role.
+ - If you're using vault access policies, assign **Secret-Get** permissions to the Microsoft Entra app that you created. For more information, see [Assign access policies](../key-vault/general/assign-access-policy-portal.md).
7. Install the Key Vault VM extension by using the Azure Resource Manager template snippet for the `cloudService` resource:
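Review bot: step 6 names the role or access policy but not the scope of the grant; the bootstrap certificate created earlier in this procedure is the app's credential, so anyone holding that private key can read every secret the grant covers, and the step should say to scope the Key Vault Secrets User assignment (or the Secret-Get access policy) to the single vault the extension polls rather than to a resource group or subscription. The RBAC bullet also still labels both the RBAC model and the role "(preview)"; check that label against the current Key Vault RBAC status before shipping.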
cloud-services-extended-support In Place Migration Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services-extended-support/in-place-migration-overview.md
These are top scenarios involving combinations of resources, features, and Cloud
| Service | Configuration | Comments | ||||
-| [Azure AD Domain Services](../active-directory-domain-services/overview.md) | Virtual networks that contain Azure Active Directory Domain services. | Virtual network containing both Cloud Service deployment and Azure AD Domain services is supported. Customer first needs to separately migrate Azure AD Domain services and then migrate the virtual network left only with the Cloud Service deployment |
+| [Microsoft Entra Domain Services](../active-directory-domain-services/overview.md) | Virtual networks that contain Microsoft Entra Domain Services. | Virtual network containing both Cloud Service deployment and Microsoft Entra Domain Services is supported. Customer first needs to separately migrate Microsoft Entra Domain Services and then migrate the virtual network left only with the Cloud Service deployment |
| Cloud Service | Cloud Service with a deployment in a single slot only. | Cloud Services containing a prod slot deployment can be migrated. It is not recommended to migrate staging slot as this can result in issues with retaining service FQDN. To migrate staging slot, first promote staging deployment to production and then migrate to ARM. | | Cloud Service | Deployment not in a publicly visible virtual network (default virtual network deployment) | A Cloud Service can be in a publicly visible virtual network, in a hidden virtual network or not in any virtual network. Cloud Services in a hidden virtual network and publicly visible virtual networks are supported for migration. Customer can use the Validate API to tell if a deployment is inside a default virtual network or not and thus determine if it can be migrated. | |Cloud Service | XML extensions (BGInfo, Visual Studio Debugger, Web Deploy, and Remote Debugging). | All xml extensions are supported for migration
cloud-services Cloud Services Guestos Msrc Releases https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-services/cloud-services-guestos-msrc-releases.md
na Previously updated : 9/26/2023- Last updated : 10/10/2023+ # Azure Guest OS The following tables show the Microsoft Security Response Center (MSRC) updates applied to the Azure Guest OS. Search this article to determine if a particular update applies to the Guest OS you are using. Updates always carry forward for the particular [family][family-explain] they were introduced in.
+## October 2023 Guest OS
++
+| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |
+| | | | | |
+| Rel 23-10 | [5031361] | Latest Cumulative Update(LCU) | [6.63] | Oct 10, 2023 |
+| Rel 23-10 | [5031364] | Latest Cumulative Update(LCU) | [7.32] | Oct 10, 2023 |
+| Rel 23-10 | [5031362] | Latest Cumulative Update(LCU) | [5.87] | Oct 10, 2023 |
+| Rel 23-10 | [5029938] | .NET Framework 3.5 Security and Quality Rollup | [2.143] | Oct 10, 2023 |
+| Rel 23-10 | [5029933] | .NET Framework 4.7.2 Cumulative Update LKG | [2.143] | Sep 12, 2023 |
+| Rel 23-10 | [5029915] | .NET Framework 3.5 Security and Quality Rollup LKG | [4.123] | Oct 10, 2023 |
+| Rel 23-10 | [5029916] | .NET Framework 4.7.2 Cumulative Update LKG | [4.123] | Oct 10, 2023 |
+| Rel 23-10 | [5030160] | .NET Framework 4.7.2 Security and Quality Rollup | [2.142] | Oct 10, 2023 |
+| Rel 23-10 | [5030160] | .NET Framework 3.5 Security and Quality Rollup LKG | [3.131] | Oct 10, 2023 |
+| Rel 23-10 | [5029932] | .NET Framework 4.7.2 Cumulative Update LKG | [3.131] | Oct 10, 2023 |
+| Rel 23-10 | [5029931] | .NET Framework DotNet | [6.63] | Oct 10, 2023 |
+| Rel 23-10 | [5029928] | .NET Framework 4.8 Security and Quality Rollup LKG | [7.32] | Oct 10, 2023 |
+| Rel 23-10 | [5031408] | Monthly Rollup | [2.143] | Oct 10, 2023 |
+| Rel 23-10 | [5031442] | Monthly Rollup | [3.131] | Oct 10, 2023 |
+| Rel 23-10 | [5031419] | Monthly Rollup | [4.123] | Oct 10, 2023 |
+| Rel 23-10 | [5031469] | Servicing Stack Update | [3.131] | Oct 10, 2023 |
+| Rel 23-10 | [5030329] | Servicing Stack Update LKG | [4.123] | Sep 12, 2023 |
+| Rel 23-10 | [5030504] | Servicing Stack Update LKG | [5.87] | Sep 12, 2023 |
+| Rel 23-10 | [5031658] | Servicing Stack Update LKG | [2.143] | Oct 10, 2023 |
+| Rel 23-10 | [4494175] | January '20 Microcode | [5.87] | Sep 1, 2020 |
+| Rel 23-10 | [4494175] | January '20 Microcode | [6.63] | Sep 1, 2020 |
+| Rel 23-10 | 5031590 | Servicing Stack Update | [7.31] | |
+| Rel 23-10 | 5031589 | Servicing Stack Update | [6.62] | |
+
+[5031361]: https://support.microsoft.com/kb/5031361
+[5031364]: https://support.microsoft.com/kb/5031364
+[5031362]: https://support.microsoft.com/kb/5031362
+[5029938]: https://support.microsoft.com/kb/5029938
+[5029933]: https://support.microsoft.com/kb/5029933
+[5029915]: https://support.microsoft.com/kb/5029915
+[5029916]: https://support.microsoft.com/kb/5029916
+[5030160]: https://support.microsoft.com/kb/5030160
+[5029932]: https://support.microsoft.com/kb/5029932
+[5029931]: https://support.microsoft.com/kb/5029931
+[5029928]: https://support.microsoft.com/kb/5029928
+[5031408]: https://support.microsoft.com/kb/5031408
+[5031442]: https://support.microsoft.com/kb/5031442
+[5031419]: https://support.microsoft.com/kb/5031419
+[5031469]: https://support.microsoft.com/kb/5031469
+[5030329]: https://support.microsoft.com/kb/5030329
+[5030504]: https://support.microsoft.com/kb/5030504
+[5031658]: https://support.microsoft.com/kb/5031658
+[4494175]: https://support.microsoft.com/kb/4494175
+[4494175]: https://support.microsoft.com/kb/4494175
+[2.143]: ./cloud-services-guestos-update-matrix.md#family-2-releases
+[3.131]: ./cloud-services-guestos-update-matrix.md#family-3-releases
+[4.123]: ./cloud-services-guestos-update-matrix.md#family-4-releases
+[5.87]: ./cloud-services-guestos-update-matrix.md#family-5-releases
+[6.63]: ./cloud-services-guestos-update-matrix.md#family-6-releases
+[7.32]: ./cloud-services-guestos-update-matrix.md#family-7-releases
++++ ## September 2023 Guest OS
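Review bot: several rows in the new October table are inconsistent with the rest of it. The two Servicing Stack Update rows for KB 5031590 and 5031589 have no link reference, no "Date First Introduced", and point at families [7.31] and [6.62], which are not defined in the reference list (only [7.32] and [6.63] are), so they will render as literal brackets; [2.142] in the KB 5030160 row is undefined for the same reason, and the other Family 2 rows use [2.143]. KB 5030160 is listed twice with different descriptions (".NET Framework 4.7.2 Security and Quality Rollup" for [2.142] and ".NET Framework 3.5 Security and Quality Rollup LKG" for [3.131]), and KB 5029933 carries "Sep 12, 2023" while the neighbouring 5029938 row for the same family carries "Oct 10, 2023"; confirm the KB numbers and dates. Finally, [4494175] is defined twice in the reference list; keep one definition.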
cloud-shell Quickstart Deploy Vnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-shell/quickstart-deploy-vnet.md
description: This article provides step-by-step instructions to deploy Azure Cloud Shell in a private virtual network. ms.contributor: jahelmic Previously updated : 09/29/2023 Last updated : 10/10/2023 Title: Deploy Azure Cloud Shell in a virtual network with quickstart templates
This article walks you through the following steps to deploy Azure Cloud Shell i
1. Collect the required information 1. Create the virtual networks using the **Azure Cloud Shell - VNet** ARM template
-1. Create the virtual network storage account using the **Azure Cloud Shell - VNet storage** ARM template
+1. Create the virtual network storage account using the **Azure Cloud Shell - VNet storage** ARM
+ template
1. Configure and use Azure Cloud Shell in a virtual network ## 1. Collect the required information
Information needed for the template:
- **Resource Group** - The resource group name of either an existing or newly created resource group - **Region** - Location of the resource group - **Virtual Network** - The name of the virtual network created for Azure Cloud Shell virtual network
+- **Network Security Group** - The name that you want to assign to the Network Security Group
+ created by the template
- **Azure Container Instance OID** - The ID of the Azure Container Instance for your resource group Fill out the form with the following information:
Fill out the form with the following information:
| Instance details | Value | | - | - | | Region | Prefilled with your default region.<br>For this example, we're using `East US`. |
-| Existing virtual network Name | Fill in the value from the prerequisite information you gathered.<br>For this example, we're using `vnet-cloudshell-eastus`. |
+| Existing VNET Name | Fill in the value from the prerequisite information you gathered.<br>For this example, we're using `vnet-cloudshell-eastus`. |
| Relay Namespace Name | Create a name that you want to assign to the Relay resource created by the template.<br>For this example, we're using `arn-cloudshell-eastus`. |
+| Nsg Name | Enter the name of the Network Security Group (NSG). The deployment creates this NSG and assigns an access rule to it. |
| Azure Container Instance OID | Fill in the value from the prerequisite information you gathered.<br>For this example, we're using `8fe7fd25-33fe-4f89-ade3-0e705fcf4370`. | | Container Subnet Name | Defaults to `cloudshellsubnet`. Enter the name of the subnet for your container. | | Container Subnet Address Prefix | For this example, we use `10.1.0.0/16`, which provides 65,543 IP addresses for Cloud Shell instances. |
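Review bot: the new "Nsg Name" row says the deployment "creates this NSG and assigns an access rule to it" without saying what the rule allows or denies; since this is the security group placed in front of the Cloud Shell container subnet, the table (or the template description above it) should state the rule's direction, source, destination and ports so readers can review it before deploying. Also, in the Container Subnet Address Prefix row, `10.1.0.0/16` provides 65,536 addresses, not 65,543.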
Fill out the form with the following information:
| Instance details | Value | | | | | Region | Prefilled with your default region.<br>For this example, we're using `East US`. |
-| Existing virtual network Name | For this example, we're using `vnet-cloudshell-eastus`. |
+| Existing VNET Name | For this example, we're using `vnet-cloudshell-eastus`. |
| Existing Storage Subnet Name | Fill in the name of the resource created by the network template. | | Existing Container Subnet Name | Fill in the name of the resource created by the network template. | | Storage Account Name | Create a name for the new storage account.<br>For this example, we're using `myvnetstorage1138`. |
cloud-shell Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cloud-shell/troubleshooting.md
This article covers troubleshooting Cloud Shell common scenarios.
### Storage Dialog - Error: 400 DisallowedOperation -- **Details**: When using a Microsoft Entra ID subscription, you can't create storage.
+- **Details**: When using a Microsoft Entra subscription, you can't create storage.
- **Resolution**: Use an Azure subscription capable of creating storage resources. Microsoft Entra ID subscriptions aren't able to create Azure resources.
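Review bot: the changed Details line now says "Microsoft Entra subscription" while the unchanged Resolution line directly below it still says "Microsoft Entra ID subscriptions"; pick one form for both lines of the same entry.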
communication-services Template Messages https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/advanced-messaging/whatsapp/template-messages.md
+
+ Title: Send WhatsApp template messages
+
+description: In this concept, you learn the various ways to send WhatsApp template messages with Advanced Messaging.
+++++ Last updated : 07/12/2023++++
+# Send WhatsApp template messages
++
+This document provides guidance to send WhatsApp Template messages using Advanced Communication Messages SDK.
+
+## Why do I need to send a template message?
+
+Conversations between a WhatsApp Business Account and a WhatsApp user can be initiated in one of two ways:
+- The business sends a template message to the WhatsApp user.
+- The WhatsApp user sends any message to the business number.
+
+A business can send only template messages until the user sends a message to the business. Only then can the business send text or media messages to the user. Once the 24 hour conversation window has expired, the conversation must be reinitiated. To learn more about conversations, see the definition at [WhatsApp Business Platform](https://developers.facebook.com/docs/whatsapp/pricing#conversations)
+
+For further requirements on templates, refer to the guidelines in the WhatsApp Business Platform API references [Create and Manage Templates](https://developers.facebook.com/docs/whatsapp/business-management-api/message-templates/), [Template Components](https://developers.facebook.com/docs/whatsapp/business-management-api/message-templates/components), and [Sending Template Messages](https://developers.facebook.com/docs/whatsapp/cloud-api/guides/send-message-templates).
+Businesses must also adhere to [opt-in requirements](https://developers.facebook.com/docs/whatsapp/overview/getting-opt-in) before sending messages to WhatsApp users.
+
+## Choosing a template
+
+When a WhatsApp Business Account is [created through the Azure portal during embedded signup](../../../quickstarts/advanced-messaging/whatsapp/connect-whatsapp-business-account.md#whatsapp-business-account-sign-up), a set of sample templates may be automatically available for you to try out. See the usage for a few of these sample templates at [Examples](#examples).
+
+### Create template
+
+To create your own templates, use the Meta WhatsApp Manager.
+Follow the instructions in the Meta Business Help Center at [Create message templates for your WhatsApp Business account](https://www.facebook.com/business/help/2055875911147364?id=2129163877102343).
+
+### List templates
+
+You can view your templates in the Azure portal by going to your Azure Communication Service resource > Templates.
++
+By selecting a template, you can view the template details.
+The `content` field of the template details may include parameter bindings. The parameter bindings can be denoted as:
+- A "format" field with a value such as `IMAGE`.
+- Double brackets surrounding a number, such as `{{1}}`. The number, indexed started at 1, indicates the order in which the binding values must be supplied to create the message template.
++
+Alternatively, you can view and edit all of your WhatsApp Business Account's templates in the [WhatsApp Manager](https://business.facebook.com/wa/manage/home/) > Account tools > [Message templates](https://business.facebook.com/wa/manage/message-templates/).
+
+To list out your templates programmatically, you can fetch all templates for your channel ID:
++
+## Quick reference
++
+## Examples
+
+These examples utilize sample templates available to WhatsApp Business Accounts created through the Azure portal embedded signup.
++
+## Full code example
++
+## Next steps
+
+- [Get started with advanced communication messages SDK](../../../quickstarts/advanced-messaging/whatsapp/get-started.md)
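Review bot: the List templates section ends with "To list out your templates programmatically, you can fetch all templates for your channel ID:" and no code follows in this hunk, and the Quick reference, Examples and Full code example sections are likewise empty; if these are include-driven, the includes need to land in the same PR, because as committed the page promises samples it does not show. Minor wording: "The number, indexed started at 1" should read "indexed starting at 1". One caveat worth adding to the parameter-binding paragraph: the values supplied for the `{{1}}`-style bindings are inserted into the approved template text as given, so callers should validate any user-controlled input before passing it as a binding value rather than assuming the template constrains it.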
communication-services Whatsapp Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/advanced-messaging/whatsapp/whatsapp-overview.md
+
+ Title: Advanced Messaging for WhatsApp in Azure Communication Services
+
+description: Learn about Communication Service WhatsApp concepts.
++++ Last updated : 06/26/2023++++
+# Advanced Messaging for WhatsApp in Azure Communication Services
++
+Azure Communication Services enables you to send and receive WhatsApp messages using the Azure Communication Services Messaging SDK. This SDK can be used to engage in conversation with a customer for product inquiry and customer service scenarios. It can also be used to send out messages like appointment reminders, shipping updates, two-factor authentication, and other notification scenarios.
+
+## Advanced Messaging for WhatsApp features
+
+The key features of Azure Communications Services Advanced Messaging for WhatsApp include:
+
+* Create new or connect existing WhatsApp Business Accounts to Azure Communication Services.
+* Participate in conversations with WhatsApp users world-wide.
+* Support for business-initiated and customer-initiated conversations.
+* Initiate conversations with WhatsApp users using templates.
+* Reply to userΓÇÖs inquiries and trigger automation using Azure Event Grid notifications.
+* Receive delivery reports for messages sent, delivered, and read.
+
+## Next steps
+
+The following documents help you get started with Advanced Messaging for WhatsApp:
+
+- [Register WhatsApp Business Account](../../../quickstarts/advanced-messaging/whatsapp/connect-whatsapp-business-account.md)
+- [Advanced Messaging for WhatsApp Terms of Services](./whatsapp-terms-of-service.md)
+- [Trying WhatsApp Sandbox](../../../quickstarts/advanced-messaging/whatsapp/whatsapp-sandbox-quickstart.md)
+- [Get Started With Advanced Communication Messages SDK](../../../quickstarts//advanced-messaging/whatsapp/get-started.md)
+- [Handle Advanced Messaging Events](../../../quickstarts/advanced-messaging/whatsapp/handle-advanced-messaging-events.md)
+- [Messaging Policy](../../../concepts/sms/messaging-policy.md)
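Review bot: mojibake in the feature list: "Reply to userΓÇÖs inquiries" is a mis-encoded apostrophe and should read "Reply to users' inquiries", since the sentence is about replying to many users. The Get Started link has a doubled slash in its path (`../../../quickstarts//advanced-messaging/whatsapp/get-started.md`); it will probably resolve, but normalize it. Since the introduction lists two-factor authentication among the notification scenarios, and business-initiated messages must be templates, consider cross-linking the Send WhatsApp template messages page from that sentence so that readers do not attempt to send one-time codes as free-text messages.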
communication-services Whatsapp Terms Of Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/concepts/advanced-messaging/whatsapp/whatsapp-terms-of-service.md
+
+ Title: Advanced Messaging for WhatsApp data transfer and independent terms of service
+
+description: Learn about Communication Service WhatsApp terms of service concepts.
++++ Last updated : 06/26/2023++++
+# Advanced Messaging for WhatsApp data transfer and independent terms of service
++
+To enable the WhatsApp feature in Azure Communication Services, you need to create or connect a WhatsApp Business Account and agree to the Meta Cloud API and WhatsApp Terms of Service ("Meta Terms"). When you use the WhatsApp feature in Azure Communication Services, your data is transferred from one service to the other, and the respective terms govern the handling of that data. [Microsoft Product Terms](https://www.microsoft.com/licensing/terms) governs the Azure Communication Services. [Meta Terms](https://www.facebook.com/legal/Meta-Hosting-Terms-Cloud-API) governs the WhatsApp Service. You should be aware of differences between the Meta Terms and Microsoft Terms in subject matters, including but not limited to privacy, compliance and data handling.
+
+## EU data boundary
+
+WhatsApp data follows the data handling policy defined in the Meta Terms, which may not include the EU Data Boundary commitments.
+
+## Support data transfer
+
+Some support cases may require you to authorize the transfer of your data to Meta. Any data that Microsoft collects will be handled in accordance with the Microsoft Product Terms. The Meta software and any data that you provide to Meta or authorize Microsoft to provide Meta will be covered by the Meta Terms.
+
+## Service level agreement
+
+Azure Communication Services provides an SLA for its customers as outlined in the Azure Terms. Once data is transferred to WhatsApp, it follows the service levels detailed in the Meta Terms.
+
+## HIPAA
+
+The WhatsApp Service may not be HIPAA compliant. It may not have the proper safeguards in place to protect health information.
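Review bot: the Service level agreement section refers to "the Azure Terms", a name the page never defines; the introduction names the governing documents as the Microsoft Product Terms and the Meta Terms, so use one of those (or link the Azure SLA page directly) to avoid implying a third agreement. The EU data boundary and HIPAA sections say only that the Meta side "may not" include those commitments; a reader deciding whether regulated data can be routed through this feature needs either a definite statement or a pointer to where Meta documents its position, so replace the hedge with a link to the applicable clause of the Meta Terms.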
communication-services Connect Whatsapp Business Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/advanced-messaging/whatsapp/connect-whatsapp-business-account.md
+
+ Title: Register WhatsApp business account
+
+description: Learn about Communication Service WhatsApp Business Accounts concepts.
++++ Last updated : 06/26/2023++++
+# Quickstart: Register WhatsApp business account
++
+Get started with the Azure Communication Services Advanced Messaging, which extends messaging to users on WhatsApp. This feature allows your organization to send and receive messages with WhatsApp users using a WhatsApp Business Account. The Advanced Communication Messages SDK extends your communications to interact with the large global WhatsApp community for common scenarios:
+
+- Receive inquiries from your customers for product feedback or support, price quotes, and reschedule appointments.
+- Send your customer's notifications like appointment reminders, product discounts, transaction receipts, and one-time passcodes.
+
+## Prerequisites
+
+- [Create Azure Communication Resource](../../create-communication-resource.md)
+- [Set-up Event Grid viewer](/samples/azure-samples/azure-event-grid-viewer/azure-event-grid-viewer/).
+- [Set-up Event subscription for SMS received and SMS delivery events.](../../telephony/get-phone-number.md?tabs=windows&pivots=platform-azp)
+- [Facebook login account](https://www.facebook.com/index.php)
+- Phone number using [Azure Communication Service Phonenumber](../..//telephony/get-phone-number.md?tabs=windows&pivots=platform-azp) **or** bring your own phone number with the given capabilities:
+ - Able to send and receive SMS messages.
+ - Phonenumber isn't associated with a WhatsApp Business Account.
+
+- [Active Meta Business Account](https://www.facebook.com/business/tools/meta-business-suite)
+
+## WhatsApp business account sign-up
+
+## Select Meta business account
+
+## Select WhatsApp business profile
+
+1. Now that you have selected Meta Business Account, you need to **create/select** a WhatsApp Business profile. Fill out the required information.
++
+2. Once you have completed the form, click **Next** to continue.
+
+## Verify your WhatsApp business number
+
+## View your WhatsApp account in the Azure Communication Services Resource
+
+You see the account and status listed in the Azure portal along with the other WhatsApp Business accounts that you have connected to Azure Communication Services. Once approved, you can use the WhatsApp Business account to send and receive messages. The status of your WhatsApp Business account is displayed in the Azure portal. Meta reviews your businessΓÇÖs display name. You can learn more about this review process and how to update your business accountΓÇÖs display name in the article this article: [About WhatsApp Business display name](https://www.facebook.com/business/help/338047025165344).
++
+When you no longer want to use the WhatsApp Business account with Azure Communication Services, you can select the account and click the **Disconnect** button. This option disconnects the account from Azure Communication Services but doesn't delete the account and the account can be reconnected later.
+
+## Create new Meta business account
+
+Provide the company details to be used in your Meta Business Account then click the **Next** button.
+- Company Name: How you want your company identified to your WhatsApp users.
+- Website: A legitimate web page that verifies your business.
+- Business Email: You can use the email associated with your Facebook login.
+- Business Phone Number: The phone number that customers can use to contact you.
+
+
+Once Business account is created, continue with [**Set up WhatsApp Profile**](#select-whatsapp-business-profile) step.
+
+> [!NOTE]
+> More details on how-to and required information on Meta Business Account can be found [Here](https://www.facebook.com/business/tools/meta-business-suite)
+
+## Next steps
+
+In this quickstart, you have learned, how to register your WhatsApp Business Account with Azure Communication Services. Now, you're ready to send and receive WhatsApp messages.
+
+> [!div class="nextstepaction"]
+> [Get Started With Advanced Messages SDK](../../../quickstarts//advanced-messaging/whatsapp/get-started.md)
+
+You might also want to see the following articles:
+
+- [WhatsApp Business Account FAQ](../../../quickstarts//advanced-messaging/whatsapp/whatsapp-business-account-faq.md)
+- [WhatsApp Business Help Center](https://www.facebook.com/business/help/524220081677109?id=2129163877102343)
+- [WhatsApp Business Display Name Policy](https://www.facebook.com/business/help/338047025165344)
+- [Business Verification](https://www.facebook.com/business/help/1095661473946872?id=180505742745347)
+- [Add more Management Accounts](https://www.facebook.com/business/help/2169003770027706)
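Review bot: the prerequisite "Set-up Event subscription for SMS received and SMS delivery events" links to the get-phone-number quickstart (`../../telephony/get-phone-number.md`) rather than to an event-subscription article, and it is not explained why SMS events are a prerequisite for registering a WhatsApp Business Account; either link the Handle Advanced Messaging events quickstart or drop the item. Other issues in this hunk: "Send your customer's notifications" should be "Send your customers notifications"; "Phonenumber" should be "Phone number" in both places; "in the article this article: [About WhatsApp Business display name]" has a duplicated phrase and a mis-encoded apostrophe in "businessΓÇÖs"; several relative links contain a doubled slash (`../..//telephony/...`, `../../../quickstarts//advanced-messaging/...`); and the WhatsApp business account sign-up, Select Meta business account and Verify your WhatsApp business number headings have no body here, so the includes they depend on should be checked in alongside this file.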
communication-services Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/advanced-messaging/whatsapp/get-started.md
+
+ Title: Add Advanced Messaging to your app
+
+description: In this quickstart, you learn to set up the basic functionality of Azure Communication Services Messages
++++ Last updated : 06/20/2023++
+zone_pivot_groups: acs-dev-environment-vs-vscode,client-operating-system
++
+# Quickstart: Add Advanced Messaging to your app
++
+Azure Communication Services now enables you to send and receive WhatsApp messages. In this quickstart, get started integrating your app with Azure Communication Advanced Messages SDK and start sending/receiving WhatsApp messages. Completing this quickstart incurs a small cost of a few USD cents or less in your Azure account.
+
+## Prerequisites
+
+- [Azure Communication Services resource](../../create-communication-resource.md)
+- [Connecting a WhatsApp Business Account](../../../quickstarts/advanced-messaging/whatsapp/connect-whatsapp-business-account.md)
+- Active WhatsApp Phone Number
++
+## Next steps
+
+In this quickstart, you have tried out the Advanced Messaging for WhatsApp SDK. Next you might also want to see the following articles:
+
+- [Handle Advanced Messaging Events](./handle-advanced-messaging-events.md)
+- [Send WhatsApp Template Messages](../../../concepts/advanced-messaging/whatsapp/template-messages.md)
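Review bot: the prerequisite "Active WhatsApp Phone Number" does not say whose number is meant; the registration quickstart works with the business number and the sandbox quickstart with a recipient's WhatsApp-enabled number, so state whether this is the number registered on the connected WhatsApp Business Account, a recipient to send test messages to, or both. The quickstart body between Prerequisites and Next steps is empty in this hunk, presumably supplied by the zone-pivot includes named in `zone_pivot_groups`; those should land in the same PR so the page does not ship as prerequisites followed directly by next steps.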
communication-services Handle Advanced Messaging Events https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/advanced-messaging/whatsapp/handle-advanced-messaging-events.md
+
+ Title: Handle Advanced Messaging events
+
+description: "In this quickstart, you learn how to subscribe for AdvancedMessaging for WhatsApp events."
+++++ Last updated : 07/03/2023+++
+# Quickstart: Handle Advanced Messaging events
++
+Azure Communication Services now enables you to send and receive WhatsApp messages using the Advanced Messaging SDK. Get started with setting up Event Grid events for receiving WhatsApp messages send/receive status reports. Completing this quickstart incurs a small cost of a few USD cents or less in your Azure account.
+
+## Prerequisites
+
+- [Azure account with an active subscription](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+- [Register Event Grid Resource Provider](../../sms/handle-sms-events.md#register-an-event-grid-resource-provider).
+- [Create an Azure Communication Services resource](../../create-communication-resource.md).
+
+## About Event Grid
+
+[Event Grid](../../../../event-grid/overview.md) is a cloud-based eventing service. In this article, you learn how to subscribe to [communication service events](../../../../event-grid/event-schema-communication-services.md), and trigger an event to view the result. Typically, you send events to an endpoint that processes the event data and takes actions. In this article, we send the events to a web app that collects and displays the messages.
+
+## Set up Event Grid Viewer
+
+The Event Grid Viewer is a sample site that allows you to view incoming events from Event Grid.
+
+1. Go to this Link [Azure Event Grid Viewer - Code Samples \| Microsoft Learn](/samples/azure-samples/azure-event-grid-viewer/azure-event-grid-viewer/). Deploy the Event Grid Viewer sample by clicking the "Deploy to Azure" button.
+
+ :::image type="content" source="./media/handle-advanced-messaging-events/event-grid-viewer.png" alt-text="Screenshot that shows the Event Grid Viewer Sample Page with Deploy To Azure option.":::
+
+2. After clicking the "Deploy to Azure" button, fill in the required fields (since the site name needs to be globally unique as it creates a DNS entry, it's recommended to include your alias in the name for this step). While this quickstart doesn't require any special setup for this step, here are suggestions for filling out the deployment details:
+ - `Subscription` - Select the subscription that contains your Azure Communication Services resource. This specific subscription isn't required, but it will make it easier to clean up after you're done with the quickstart.
+ - `Resource Group` - Select the resource group that contains your Azure Communication Services resource. This specific resource group isn't required, but it will make it easier to clean up after you're done with the quickstart.
+ - `Region` - Select the resource group that contains your Azure Communication Services resource. This specific region isn't required, but is recommended.
+ - 'Site Name' - Create a name that is globally unique. This site name is used to create a domain to connect to your Event Grid Viewer.
+ - 'Hosting Plan Name' - Create any name to identify your hosting plan.
+ - 'Sku' - The sku F1 can be used for development and testing purposes. If you encounter validation errors creating your Event Grid Viewer that say there's no more capacity for the F1 plan, try selecting a different region. For more information about skus, see [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/windows/)
+
+ :::image type="content" source="./media/handle-advanced-messaging-events/custom-deployment.png" alt-text="Screenshot that shows Custom deployment of Events Viewer web app and properties you need to provide to successfully deploy.":::
+
+3. Then select **Review + Create**.
+
+4. After the deployment completes, select on the App Service resource to open it.
+
+ :::image type="content" source="./media/handle-advanced-messaging-events/event-viewer-web-app.png" alt-text="Screenshot that shows Events Viewer web app.":::
+
+5. On the resource overview page, select on the copy button next to the "Default Domain" property.
+
+ :::image type="content" source="./media/handle-advanced-messaging-events/default-domain.png" alt-text="Screenshot that shows URL of Events Viewer web app.":::
+
+6. The URL for the Event Grid Viewer is the Site Name you used to create the deployment with the path "/api/update" appended.
+ For example: "https://{{site-name}}.azurewebsites.net/api/updates". You'll need it in the next step and during the creation of the demo app.
+
+## Subscribe to Advanced Messaging events
+
+1. Open your Communication Services resource in the Azure portal, navigate to the **Events** option in left panel, and select **+Event Subscription**.
+
+ :::image type="content" source="./media/handle-advanced-messaging-events/event-subscription.png" alt-text="Screenshot that shows Azure Communication Services Events subscription option and allows you to subscribe to Advanced Messaging events.":::
+
+2. Fill in the details for the new event subscription:
+
+ - Subscription name.
+
+ - System topic name - Enter a unique name, unless this name is already prefilled with a topic from your subscription.
+
+ - Event types - Select the two Advanced messaging events from the list.
+
+ :::image type="content" source="./media/handle-advanced-messaging-events/create-event-subscription.png" alt-text="Screenshot that shows create event subscription properties.":::
+
+ - For endpoint type, select **"Webhook"** and enter the URL for the Event Grid Viewer we created in the "Setup Event Grid Viewer" step with the path "/api/updates" appended. For example: https://{{site-name}}.azurewebsites.net/api/updates.
+
+ :::image type="content" source="./media/handle-advanced-messaging-events/event-webhook-details.png" alt-text="Screenshot that shows how to update webhook url of event subscription to receive events.":::
+
+ - Select **Create**.
+
+3. Now if you navigate back to the "Events" option in left panel of your ACS resource, you should be able to see the new event subscription with the Advanced Messaging events.
+
+ :::image type="content" source="./media/handle-advanced-messaging-events/verify-events.png" alt-text="Screenshot that shows two Advanced messaging events subscribed.":::
+
+## Clean up resources
+
+If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it. Learn more about [cleaning up resources](../../create-communication-resource.md#clean-up-resources).
+
+## Next steps
+
+Advance to the next article to learn how to use Advanced Messaging SDK for WhatsApp messaging.
+> [!div class="nextstepaction"]
+> [Get Started With Advanced Communication Messages SDK](./get-started.md).
+
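Review bot: the `Region` bullet in step 2 is a copy-paste error: it reads "Select the resource group that contains your Azure Communication Services resource" and should say "Select the region that contains ..." (its second sentence already talks about the region). The Event Grid Viewer path is stated inconsistently: step 6 says the path "/api/update" is appended and then shows `https://{{site-name}}.azurewebsites.net/api/updates`, and the subscription step uses `/api/updates`, so fix step 6 to match. Step 2 also switches from backticks to straight quotes for 'Site Name', 'Hosting Plan Name' and 'Sku'. Finally, the viewer is reachable at a public azurewebsites.net URL and, as the page says, "collects and displays the messages", which in this scenario includes the content of received WhatsApp messages and the sender's number; the Clean up resources section only covers the Communication Services resource, so it should also tell readers to delete the viewer App Service once testing is done, and the Set up section should say up front that this is a test-only endpoint that must not be subscribed to production traffic.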
communication-services Whatsapp Business Account Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/advanced-messaging/whatsapp/whatsapp-business-account-faq.md
+
+ Title: WhatsApp business account FAQ
+
+description: Learn about Communication Service WhatsApp Business Accounts FAQ.
++++ Last updated : 06/26/2023++++
+# WhatsApp business account FAQ
++
+There are some common issues you may see with the WhatsApp Business Account that you have connected to your Azure Communication Services resource. Your WhatsApp Business Account is managed from the WhatsApp business portal. This article provides links to the WhatsApp documentation to learn more and troubleshoot these issues.
+
+## What is a display name and how is it verified?
+
+The WhatsApp Business display name is your business name that customers see on your WhatsApp Business profile. When you add a new phone number to your WhatsApp Business Account in the Meta Business Manager, you need to assign a display name to it.
+
+WhatsApp reviews your display name and check your account. The review and account checks aren't required to get started with the platform. You can immediately start sending messages to customers. You can learn more about the WhatsApp Business display name review here: [Business Accounts - WhatsApp Business Platform (facebook.com)](https://developers.facebook.com/docs/whatsapp/overview/business-accounts/)
++
+If your display name is rejected, review the [Display Name Guidelines \| Meta Business Help Center (facebook.com)](https://www.facebook.com/business/help/757569725593362)
+
+You can change your display name following these instructions: [How to change your WhatsApp Business display name \| Meta Business Help Center (facebook.com)](https://www.facebook.com/business/help/378834799515077)
++
+## What is WhatsApp business verification and why would I need it?
+WhatsApp offers many options to verify and promote your business. You can learn about the types of WhatsApp Business accounts here: [Verify Your Business \| Meta Business Help Center (facebook.com)](https://www.facebook.com/business/help/2058515294227817?id=180505742745347)
+
+By default, any account using the WhatsApp Business Platform or WhatsApp Business App is a business account. Business verification isn't required to send messages to your customers.
+
+When youΓÇÖre ready to scale marketing, utility, and authentication conversations, you can complete business verification. Once the account has completed Business Verification, the name of the business is visible even if the user hasn't added the business to their address book.
+
+You can learn more about verifying your business here: [Verify Your Business \| Meta Business Help Center (facebook.com)](https://www.facebook.com/business/help/2058515294227817?id=180505742745347)
+
+You can troubleshoot why your business canΓÇÖt be verified here: [Troubleshoot Why Your Business Can't Be Verified \| Meta Business Help Center (facebook.com)](https://www.facebook.com/business/help/2342133782492969?id=180505742745347)
+
+To get the verified green check by your business, you can request to become an Official Business Account (OBA). You can find more about this process here: [Request a WhatsApp Official Business Account \| Meta Business Help Center (facebook.com)](https://www.facebook.com/business/help/604726921052590)
+
+## What is WhatsApp template review?
+
+WhatsApp requires businesses to initiate conversations by using templates. You must create these templates and submit them for approval before using them. You can learn more about this approval process along with common rejection reasons here: [Message Template Guidelines - WhatsApp Business Platform (facebook.com)](https://developers.facebook.com/docs/whatsapp/message-templates/guidelines)
+
+## Why was my account revoked?
+
+WhatsApp revokes WhatsApp Business Accounts that repeatedly violate its [Business](https://www.whatsapp.com/legal/business-policy/?fbclid=IwAR1lTizu2h_YMI2BlTtDPKsi3k0OrnD7uXwcmHLmbSXI21MPBU-Kgt070BQ) and [Commerce](https://www.whatsapp.com/legal/commerce-policy/?fbclid=IwAR2J_EdbAUuYN4XD737puCEOfM5DJOsrssuueEAszXbSLgUmmLtCuxJHy3w) policies. Learn more about account revocation here: [View policy violation details for your WhatsApp Business account \| Meta Business Help Center (facebook.com)](https://www.facebook.com/business/help/692706745267064)
++
+## Resources
+Here are some other helpful resources regarding your WhatsApp Business Account:
+- [Business Platform \| WhatsApp Business](https://business.whatsapp.com/products/business-platform)
+- [Embedded Signup - WhatsApp Business Platform (facebook.com)](https://developers.facebook.com/docs/whatsapp/embedded-signup)
+- [Phone Numbers - WhatsApp Business Platform (facebook.com)](https://developers.facebook.com/docs/whatsapp/phone-numbers)
+- [Quality Rating and Messaging Limits - WhatsApp Business Platform (facebook.com)](https://developers.facebook.com/docs/whatsapp/messaging-limits)
+- [Policy Enforcement - WhatsApp Business Platform (facebook.com)](https://developers.facebook.com/docs/whatsapp/overview/policy-enforcement)
+- [Success Stories \| WhatsApp Business](https://business.whatsapp.com/resources/success-stories)
+- [FAQs \| WhatsApp Business](https://business.whatsapp.com/resources/faq)
+- [WhatsApp Business API Status (metastatus.com)](https://metastatus.com/whatsapp-business-api)
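Review bot: the Business and Commerce policy links under "Why was my account revoked?" carry Facebook click-tracking parameters (`?fbclid=IwAR1lTizu2h_YMI2BlTtDPKsi3k0OrnD7uXwcmHLmbSXI21MPBU-Kgt070BQ` and the matching one on the Commerce link); these identify the browsing session that copied the link and should be stripped to the bare `https://www.whatsapp.com/legal/business-policy/` and `https://www.whatsapp.com/legal/commerce-policy/`. Also in this hunk: "WhatsApp reviews your display name and check your account" should be "checks your account"; "youΓÇÖre" and "canΓÇÖt" are mis-encoded apostrophes; and the "Verify Your Business" link appears twice with the same target in the business verification section, so one occurrence can go.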
communication-services Whatsapp Sandbox Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/advanced-messaging/whatsapp/whatsapp-sandbox-quickstart.md
+
+ Title: Try Advanced Messaging for WhatsApp sandbox
+
+description: Learn about Communication Service WhatsApp sandbox
++++ Last updated : 06/26/2023++++
+# Quickstart: Try Advanced Messaging for WhatsApp sandbox
++
+Getting started to enable Contoso developers to try out the Advanced Messaging for WhatsApp quickly, Advanced Messaging is providing WhatsApp Business Account enabled sandbox. This WhatsApp Sandbox is available on the Azure portal and Contoso developers can play around the Advanced Messaging functionalities including sending template messages and text messages.  
+
+## Prerequisites
+
+- [Create an Azure Communication Services resource](../../create-communication-resource.md).
+- WhatsApp enabled phone number.
+
+## Set up
+
+1. Go to the Azure Communication Service Resource in the Azure portal.
++
+2. Select **Try Advanced Messaging**.
++
+3. Before you can send a message to a WhatsApp end user from the sandbox on Azure portal, you first need to join the sandbox. You can scan the QR code on the **Connect to WhatsApp** page with your mobile device, it takes you to our preconfigured WhatsApp business account.
++
+4. You're asked to send a unique keyword message to that phone number. Once we receive the keyword message, we reply with confirmation to you, that you have successfully joined the Sandbox. And we also save your WhatsApp phone number, which is used as the recipient number when sending messages from the sandbox.ΓÇ»
++
+## Send text message
+Once connected, you're able to send either a template message or a text message. Here's an example of text message.
++
+## Send template message
+Our sandbox also have a few preconfigured templates for you to try out. Fill in the parameters and they replace the double-bracketed numbers in the template message.
++
+> [!NOTE]
+> There is one constraint from WhatsApp known as the 24-hour window. If a WhatsApp user has sent your application a message ΓÇö whether itΓÇÖs a reply to one of your outbound messages, or they have initiated communication themselves ΓÇö your application has a 24-hour window (sometimes called a ΓÇ£24-hour sessionΓÇ¥) to send that user messages that donΓÇÖt need to use a template. When your application sends a message to a WhatsApp user outside a 24-hour session, the message must use an approved template.
+
+## Next steps
+
+In this quickstart, you have tried out Advanced Messaging for WhatsApp sandbox. Next you might also want to see the following articles:
+
+- [Get Started With Advanced Communication Messages SDK](./get-started.md)
+- [AdvancedMessaging for WhatsApp Overview](../../../concepts/advanced-messaging/whatsapp/whatsapp-overview.md)
+- [Advanced Messaging for WhatsApp Terms of Services](../../../concepts/advanced-messaging/whatsapp/whatsapp-terms-of-service.md)
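Review bot: the introduction is hard to parse ("Getting started to enable Contoso developers to try out the Advanced Messaging for WhatsApp quickly, Advanced Messaging is providing WhatsApp Business Account enabled sandbox") and addresses the reader as Contoso; rewrite along the lines of "To let you try Advanced Messaging for WhatsApp quickly, Azure Communication Services provides a sandbox backed by a preconfigured WhatsApp Business Account." The 24-hour window note contains several mis-encoded characters ("ΓÇö", "itΓÇÖs", "ΓÇ£24-hour sessionΓÇ¥", "donΓÇÖt"), step 4 ends with a stray "ΓÇ»" (a mis-encoded no-break space), and "Our sandbox also have" should be "also has". Step 4 also says the sandbox saves the reader's WhatsApp phone number; since readers are handing over a personal number, state how long it is retained and how to leave the sandbox.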
communication-services Get Started With Voice Video Calling Custom Teams Client https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communication-services/quickstarts/voice-video-calling/get-started-with-voice-video-calling-custom-teams-client.md
Last updated 12/1/2021
+zone_pivot_groups: acs-plat-web-ios-android-windows
# QuickStart: Add 1:1 video calling as a Teams user to your application +++ ## Clean up resources If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it. Learn more about [cleaning up resources](../create-communication-resource.md?pivots=platform-azp&tabs=windows#clean-up-resources).
communications-gateway Connect Operator Connect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communications-gateway/connect-operator-connect.md
This article describes how to set up Azure Communications Gateway for Operator C
You must have carried out all the steps in [Deploy Azure Communications Gateway](deploy.md).
-You must have access to a user account with the Azure Active Directory Global Admin role.
+You must have access to a user account with the Microsoft Entra Global Administrator role.
## Add the Project Synergy application to your Azure tenancy > [!NOTE] >This step and the next step ([Assign an Admin user to the Project Synergy application](#assign-an-admin-user-to-the-project-synergy-application)) set you up as an Operator in the Teams Phone Mobile (TPM) and Operator Connect (OC) environments. If you've already gone through onboarding, go to [Find the Object ID and Application ID for your Azure Communication Gateway resource](#find-the-object-id-and-application-id-for-your-azure-communication-gateway-resource).
-The Operator Connect and Teams Phone Mobile programs require your Azure Active Directory tenant to contain a Microsoft application called Project Synergy. Operator Connect and Teams Phone Mobile inherit permissions and identities from your Azure Active Directory tenant through the Project Synergy application. The Project Synergy application also allows configuration of Operator Connect or Teams Phone Mobile and assigning users and groups to specific roles.
+The Operator Connect and Teams Phone Mobile programs require your Microsoft Entra tenant to contain a Microsoft application called Project Synergy. Operator Connect and Teams Phone Mobile inherit permissions and identities from your Microsoft Entra tenant through the Project Synergy application. The Project Synergy application also allows configuration of Operator Connect or Teams Phone Mobile and assigning users and groups to specific roles.
To add the Project Synergy application:
-1. Check whether the Azure Active Directory (`AzureAD`) module is installed in PowerShell. Install it if necessary.
+1. Check whether the Microsoft Entra ID (`AzureAD`) module is installed in PowerShell. Install it if necessary.
1. Open PowerShell. 1. Run the following command and check whether `AzureAD` appears in the output. ```azurepowershell
To add the Project Synergy application:
Install-Module AzureAD ``` 1. Close your PowerShell admin window.
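Review bot: the renamed step "Check whether the Microsoft Entra ID (`AzureAD`) module is installed in PowerShell" gives the module a name it does not have. The PowerShell module is still called `AzureAD` (Azure Active Directory PowerShell for Graph), and the command that follows is still `Install-Module AzureAD`; there is no module with the Entra name, so the rebranded prose no longer matches the command. Microsoft has also deprecated the `AzureAD` module in favour of the Microsoft Graph PowerShell SDK. Either keep the module's real name in the prose ("the `AzureAD` PowerShell module") and add a deprecation caveat, or move the procedure to the Microsoft Graph PowerShell cmdlets rather than only renaming the text.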
-1. Sign in to the [Azure portal](https://ms.portal.azure.com/) as an Azure Active Directory Global Admin.
-1. Select **Azure Active Directory**.
+1. Sign in to the [Azure portal](https://ms.portal.azure.com/) as a Microsoft Entra Global Admin.
+1. Select **Microsoft Entra ID**.
1. Select **Properties**. 1. Scroll down to the Tenant ID field. Your tenant ID is in the box. Make a note of your tenant ID. 1. Open PowerShell.
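Review bot: the role name in "Sign in to the [Azure portal](https://ms.portal.azure.com/) as a Microsoft Entra Global Admin" should be "Global Administrator", the name used in this article's prerequisite ("Microsoft Entra Global Administrator role") and in the identical sign-in step later in the article; mixing the two makes it look like two different roles. While the line is being touched, the link target https://ms.portal.azure.com/ is not the public https://portal.azure.com/ entry point that customer-facing docs normally link to.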
Each Azure Communications Gateway resource automatically receives a [system-assi
1. Select your Communications Gateway resource. 1. Select **Identity**. 1. In **System assigned**, copy the **Object (principal) ID**.
-1. Search for the value of **Object (principal) ID** with the search bar. You should see an enterprise application with that value under the **Azure Active Directory** subheading. You might need to select **Continue searching in Azure Active Directory** to find it.
+1. Search for the value of **Object (principal) ID** with the search bar. You should see an enterprise application with that value under the **Microsoft Entra ID** subheading. You might need to select **Continue searching in Microsoft Entra ID** to find it.
1. Make a note of the **Object (principal) ID**. 1. Select the enterprise application. 1. Check that the **Object ID** matches the **Object (principal) ID** value that you copied.
Azure Communications Gateway contains services that need to access the Operator
Do the following steps in the tenant that contains your Project Synergy application.
-1. Check whether the Azure Active Directory (`AzureAD`) module is installed in PowerShell. Install it if necessary.
+1. Check whether the Microsoft Entra ID (`AzureAD`) module is installed in PowerShell. Install it if necessary.
1. Open PowerShell. 1. Run the following command and check whether `AzureAD` appears in the output. ```azurepowershell
Do the following steps in the tenant that contains your Project Synergy applicat
Install-Module AzureAD ``` 1. Close your PowerShell admin window.
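Review bot: same problem as the earlier Project Synergy step: "Microsoft Entra ID (`AzureAD`) module" names a module that does not exist, and the next command is still `Install-Module AzureAD`, which installs the deprecated `AzureAD` module. Call the module `AzureAD` in the prose (or replace the procedure with Microsoft Graph PowerShell) so the step and the command agree.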
-1. Sign in to the [Azure portal](https://ms.portal.azure.com/) as an Azure Active Directory Global Admin.
-1. Select **Azure Active Directory**.
+1. Sign in to the [Azure portal](https://ms.portal.azure.com/) as a Microsoft Entra Global Administrator.
+1. Select **Microsoft Entra ID**.
1. Select **Properties**. 1. Scroll down to the Tenant ID field. Your tenant ID is in the box. Make a note of your tenant ID. 1. Open PowerShell.
To enable the application, add the Application ID of the system-assigned managed
1. Log into the [Operator Connect portal](https://operatorconnect.microsoft.com/operator/configuration). 1. Add a new **Application Id**, using the Application ID that you found.
-## Register your deployment's domain name in Active Directory
+## Register your deployment's domain name in Microsoft Entra
-Microsoft Teams only sends traffic to domains that you've confirmed that you own. Your Azure Communications Gateway deployment automatically receives an autogenerated fully qualified domain name (FQDN). You need to add this domain name to your Active Directory tenant as a custom domain name, share the details with your onboarding team and then verify the domain name. This process confirms that you own the domain.
+Microsoft Teams only sends traffic to domains that you've confirmed that you own. Your Azure Communications Gateway deployment automatically receives an autogenerated fully qualified domain name (FQDN). You need to add this domain name to your Microsoft Entra tenant as a custom domain name, share the details with your onboarding team and then verify the domain name. This process confirms that you own the domain.
1. Navigate to the **Overview** of your Azure Communications Gateway resource and select **Properties**. Find the field named **Domain**. This name is your deployment's domain name.
-1. Complete the following procedure: [Add your custom domain name to Azure AD](../active-directory/fundamentals/add-custom-domain.md#add-your-custom-domain-name).
+1. Complete the following procedure: [Add your custom domain name to Microsoft Entra ID](../active-directory/fundamentals/add-custom-domain.md#add-your-custom-domain-name).
1. Share your DNS TXT record information with your onboarding team. Wait for your onboarding team to confirm that the DNS TXT record has been configured correctly. 1. Complete the following procedure: [Verify your custom domain name](../active-directory/fundamentals/add-custom-domain.md#verify-your-custom-domain-name).
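Review bot: the new heading "Register your deployment's domain name in Microsoft Entra" and the step link text "Add your custom domain name to Microsoft Entra ID" use two different names for the same directory within one section, and the paragraph between them says "your Microsoft Entra tenant". Pick one form ("Microsoft Entra ID" for the product, or "your Microsoft Entra tenant" where the tenant is meant) and use it in both the heading and the link text.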
communications-gateway Manage Enterprise Operator Connect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communications-gateway/manage-enterprise-operator-connect.md
Assigning numbers to an enterprise allows IT administrators at the enterprise to
1. Go to the number management page for the enterprise. * If you followed [Select an enterprise customer to manage](#select-an-enterprise-customer-to-manage), select **Manage numbers** from the menu.
- * Otherwise, select **Numbers** in the sidebar and search for the enterprise using the enterprise's Azure Active Directory tenant ID.
+ * Otherwise, select **Numbers** in the sidebar and search for the enterprise using the enterprise's Microsoft Entra tenant ID.
1. To add new numbers for an enterprise: 1. Select **Upload numbers**. 1. Fill in the fields based on the information you determined in [Prerequisites](#prerequisites). These settings apply to all the numbers you upload in the **Telephone numbers** section.
You can view civic addresses for an enterprise. The enterprise configures the de
1. Go to the civic address page for the enterprise. * If you followed [Select an enterprise customer to manage](#select-an-enterprise-customer-to-manage), select **Civic addresses** from the menu.
- * Otherwise, select **Civic addresses** in the sidebar and search for the enterprise using the enterprise's Azure Active Directory tenant ID.
+ * Otherwise, select **Civic addresses** in the sidebar and search for the enterprise using the enterprise's Microsoft Entra tenant ID.
1. View the civic addresses. You can see the address, the company name, the description and whether the address was validated when the enterprise configured the address. 1. Optionally, select an individual address to view additional information provided by the enterprise (for example, the ELIN information). ## Next steps
-Learn more about [the metrics you can use to monitor calls](monitoring-azure-communications-gateway-data-reference.md).
+Learn more about [the metrics you can use to monitor calls](monitoring-azure-communications-gateway-data-reference.md).
communications-gateway Prepare To Deploy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communications-gateway/prepare-to-deploy.md
We strongly recommend that you have a support plan that includes technical suppo
## Choose the Azure tenant to use
-We recommend that you use an existing Azure Active Directory tenant for Azure Communications Gateway, because using an existing tenant uses your existing identities for fully integrated authentication. If you need to manage identities separately from the rest of your organization, create a new dedicated tenant first.
+We recommend that you use an existing Microsoft Entra tenant for Azure Communications Gateway, because using an existing tenant uses your existing identities for fully integrated authentication. If you need to manage identities separately from the rest of your organization, create a new dedicated tenant first.
-The Operator Connect and Teams Phone Mobile environments inherit identities and configuration permissions from your Azure Active Directory tenant through a Microsoft application called Project Synergy. You must add this application to your Azure Active Directory tenant as part of [Connect Azure Communications Gateway to Operator Connect or Teams Phone Mobile](connect-operator-connect.md) (if your tenant does not already contain this application).
+The Operator Connect and Teams Phone Mobile environments inherit identities and configuration permissions from your Microsoft Entra tenant through a Microsoft application called Project Synergy. You must add this application to your Microsoft Entra tenant as part of [Connect Azure Communications Gateway to Operator Connect or Teams Phone Mobile](connect-operator-connect.md) (if your tenant does not already contain this application).
## Get access to Azure Communications Gateway for your Azure subscription
communications-gateway Provision User Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/communications-gateway/provision-user-roles.md
This article will guide you through how to configure the permissions required fo
## Prerequisites
-Familiarize yourself with the Azure user roles relevant to Azure Communications Gateway by reading [Azure roles, Azure AD roles, and classic subscription administrator roles](../role-based-access-control/rbac-and-directory-admin-roles.md).
+Familiarize yourself with the Azure user roles relevant to Azure Communications Gateway by reading [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../role-based-access-control/rbac-and-directory-admin-roles.md).
A list of all available defined Azure roles is available in [Azure built-in roles](../role-based-access-control/built-in-roles.md).
confidential-computing Skr Flow Confidential Containers Azure Container Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/skr-flow-confidential-containers-azure-container-instance.md
To perform a custom container application that extends the capability of Azure K
![Image of the aforementioned operations, which you should be performing.](media/skr-flow-azure-container-instance-sev-snp-attestation/skr-flow-custom-container.png) 1. **Step 1:** Set up AKV with Exportable Key and attach the release policy. More [here](concept-skr-attestation.md)
-1. **Step 2:** Set up a managed identity with Azure Active Directory and attach that to AKV. More [here](../container-instances/container-instances-managed-identity.md)
+1. **Step 2:** Set up a managed identity with Microsoft Entra ID and attach that to AKV. More [here](../container-instances/container-instances-managed-identity.md)
1. **Step 3:** Deploy your container application with required parameters within ACI by setting up a confidential computing enforcement policy. More [here](../container-instances/container-instances-tutorial-deploy-confidential-containers-cce-arm.md) 1. **Step 4:** In this step, your application shall fetch a RAW AMD SEV-SNP hardware report by doing a IOCTL Linux Socket call. You don't need any guest attestation library to perform this action. More on existing side-car [implementation](https://github.com/microsoft/confidential-sidecar-containers/blob/d933d0f4e3d5498f7ed9137189ab6a23ade15466/pkg/attest/snp.go) 1. **Step 5:** Fetch the AMD SEV-SNP cert chain for the container group. These certs are delivered from Azure host IMDS endpoint. More [here](https://github.com/microsoft/confidential-sidecar-containers/blob/d933d0f4e3d5498f7ed9137189ab6a23ade15466/pkg/common/info.go)
confidential-computing Skr Flow Confidential Vm Sev Snp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/skr-flow-confidential-vm-sev-snp.md
Follow the quickstart instructions on how to "[Deploy confidential VM with ARM t
## Enable system-assigned managed identity
-[Managed identities](../active-directory/managed-identities-azure-resources/overview.md) for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.
+[Managed identities](../active-directory/managed-identities-azure-resources/overview.md) for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code.
-To enable system-assigned managed identity on a CVM, your account needs the [Virtual Machine Contributor](../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Azure AD directory role assignments are required.
+To enable system-assigned managed identity on a CVM, your account needs the [Virtual Machine Contributor](../role-based-access-control/built-in-roles.md#virtual-machine-contributor) role assignment. No other Microsoft Entra directory role assignments are required.
### [Bicep 1](#tab/bicep)
The documentation for Microsoft Azure Attestation service has an extensive list
We can use any scripting or programming language to receive an attested platform report using the AttestationClient binary. Since the virtual machine we deployed in a previous step has managed identity enabled, we should get an __Azure AD token for Key Vault__ from the instance metadata service (__IMDS__).
-By configuring the attested platform report as the body payload and the Azure AD token in our __authorization header__, you have everything needed to perform the key `release` operation.
+By configuring the attested platform report as the body payload and the Microsoft Entra token in our __authorization header__, you have everything needed to perform the key `release` operation.
```powershell #Requires -Version 7
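Review bot: the rename is incomplete within this paragraph. The unchanged sentence just above the hunk still reads "we should get an __Azure AD token for Key Vault__ from the instance metadata service (__IMDS__)", while the edited sentence now says "the Microsoft Entra token in our __authorization header__". Update the first occurrence as well; otherwise the same token is called by two names in consecutive sentences.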
confidential-computing Use Cases Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/confidential-computing/use-cases-scenarios.md
The aggregate data-sets from many types of sensor and data feed are managed in a
Commonly applicable to FSI and healthcare where there are legal or regulatory requirements that limit where certain workloads can be processed and be stored at-rest.
-In this use-case we use a combination of Azure Confidential Compute technologies with Azure Policy, Network Security Groups (NSGs) and Azure Active Directory Conditional Access to ensure that the following protection goals are met for the ΓÇÿlift & shiftΓÇÖ of an existing application:
+In this use-case we use a combination of Azure Confidential Compute technologies with Azure Policy, Network Security Groups (NSGs) and Microsoft Entra Conditional Access to ensure that the following protection goals are met for the ΓÇÿlift & shiftΓÇÖ of an existing application:
- Application is protected from the cloud operator whilst in-use using Confidential Compute - Application resources can only be deployed in the West Europe Azure region
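Review bot: both the removed and the added line carry mojibake around "lift & shift" ("ΓÇÿlift & shiftΓÇÖ", which is what UTF-8 curly quotes look like when read as CP437). If those bytes are really in the source file, replace them with plain ASCII quotes ('lift & shift') while the line is being edited; if it is only this view's encoding, there is nothing to change.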
container-apps Application Lifecycle Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/application-lifecycle-management.md
As a container app is updated with a [revision scope-change](revisions.md#revisi
:::image type="content" source="media/application-lifecycle-management/azure-container-apps-lifecycle-update.png" alt-text="Azure Container Apps: Update phase":::
-### Zero downtime deployment
-
-In single revision mode, Container Apps automatically ensures your app doesn't experience downtime when creating a new revision. The existing active revision isn't deactivated until the new revision is ready. If ingress is enabled, the existing revision continues to receive 100% of the traffic until the new revision is ready.
-
-> [!NOTE]
-> A new revision is considered ready when one of its replicas starts and becomes ready. A replica is ready when all of its containers start and pass their [startup and readiness probes](./health-probes.md).
-
-In multiple revision mode, you control when revisions are activated or deactivated and which revisions receive ingress traffic. If a [traffic splitting rule](./revisions-manage.md#traffic-splitting) is configured with `latestRevision` set to `true`, traffic doesn't switch to the latest revision until it's ready.
+When in single revision mode, Container Apps handles the automatic switch between revisions to support [zero downtime deployment](revisions.md#zero-downtime-deployment).
## Deactivate
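Review bot: the one-sentence replacement drops two statements from the deleted section that the linked page is not shown to carry: the readiness definition ("A new revision is considered ready when one of its replicas starts and becomes ready", i.e. all containers pass their startup and readiness probes) and the multiple-revision-mode behaviour (with a traffic-splitting rule whose `latestRevision` is `true`, traffic doesn't switch until the new revision is ready). Either keep those two sentences here or confirm they now live at the link target. Also confirm that the anchor `revisions.md#zero-downtime-deployment` exists after the revisions.md restructure in this same changeset; the part of that diff shown on this page adds "## Lifecycle", "## Revision modes" and "### Labels" but no zero-downtime heading.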
container-apps Blue Green Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/blue-green-deployment.md
zone_pivot_groups: azure-cli-bicep
Once green environment is tested, the live traffic is directed to it, and the blue environment is used to deploy a new application version during next deployment cycle.
-You can enable blue-green deployment in Azure Container Apps by combining [container apps revisions](revisions.md), [traffic weights](traffic-splitting.md), and [revision labels](revisions.md#revision-labels).
+You can enable blue-green deployment in Azure Container Apps by combining [container apps revisions](revisions.md), [traffic weights](traffic-splitting.md), and [revision labels](revisions.md#labels).
:::image type="content" source="media/blue-green-deployment/azure-container-apps-blue-green-deployment.png" alt-text="Screenshot of Azure Container Apps: Blue/Green deployment.":::
After you test and verify the new revision, you can then point production traffi
| Actions | Description | |||
-| Testing and verification | The *green* revision is thoroughly tested and verified to ensure that the new version of the application functions as expected. This testing may involve various tasks, including functional tests, performance tests, and compatibility checks. |
+| Testing and verification | The *green* revision is thoroughly tested and verified to ensure that the new version of the application functions as expected. This testing might involve various tasks, including functional tests, performance tests, and compatibility checks. |
| Traffic switch | Once the *green* revision passes all the necessary tests, a traffic switch is performed so that the *green* revision starts serving production load. This switch is done in a controlled manner, ensuring a smooth transition. | | Rollback | If problems occur in the *green* revision, you can revert the traffic switch, routing traffic back to the stable *blue* revision. This rollback ensures minimal impact on users if there are issues in the new version. The *green* revision is still available for the next deployment. | | Role change | The roles of the blue and green revisions change after a successful deployment to the *green* revision. During the next release cycle, the *green* revision represents the stable production environment while the new version of the application code is deployed and tested in the *blue* revision.
container-apps Connect Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/connect-services.md
The following steps bind your application to an existing instance of Azure Cache
``` > [!NOTE]
- > Environment variable names used for dev mode services and managed service vary slightly.
+ > Environment variable names used for [add-ons](services.md) and managed services vary slightly.
> > If you'd like to see the sample code used for this tutorial please see https://github.com/Azure-Samples/sample-service-redis.
container-apps Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/policy-reference.md
Title: Built-in policy definitions for Azure Container Apps
description: Lists Azure Policy built-in policy definitions for Azure Container Apps. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
container-apps Revisions Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/revisions-manage.md
To update a container app, use the `az containerapp update` command. With this
# [Bash](#tab/bash)
-You may also use a YAML file to define these and other configuration options and parameters. For more information regarding this command, see [`az containerapp revision copy`](/cli/azure/containerapp#az-containerapp-update).
+You can also use a YAML file to define these and other configuration options and parameters. For more information regarding this command, see [`az containerapp revision copy`](/cli/azure/containerapp#az-containerapp-update).
This example updates the container image. Replace the \<PLACEHOLDERS\> with your values.
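Review bot: the link in "For more information regarding this command, see [`az containerapp revision copy`](/cli/azure/containerapp#az-containerapp-update)" is mislabelled. This is the update section (the command introduced above is `az containerapp update`) and the anchor already points at az-containerapp-update, so the link text should read `az containerapp update`. Since the line is being edited for "may" to "can" anyway, fix the link text in the same change.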
echo $RevisionObject
## Revision copy
-To create a new revision based on an existing revision, use the `az containerapp revision copy`. Container Apps uses the configuration of the existing revision, which you may then modify.
+To create a new revision based on an existing revision, use the `az containerapp revision copy`. Container Apps uses the configuration of the existing revision, which you can then modify.
-With this command, you can modify environment variables, compute resources, scale parameters, and deploy a different image. You may also use a YAML file to define these and other configuration options and parameters. For more information regarding this command, see [`az containerapp revision copy`](/cli/azure/containerapp/revision#az-containerapp-revision-copy).
+With this command, you can modify environment variables, compute resources, scale parameters, and deploy a different image. You can also use a YAML file to define these and other configuration options and parameters. For more information regarding this command, see [`az containerapp revision copy`](/cli/azure/containerapp/revision#az-containerapp-revision-copy).
This example copies the latest revision and sets the compute resource parameters. (Replace the \<PLACEHOLDERS\> with your values.)
Restart-AzContainerAppRevision @CmdArgs
## Revision set mode
-The revision mode controls whether only a single revision or multiple revisions of your container app can be simultaneously active. To set your container app to support [single revision mode](revisions.md#single-revision-mode) or [multiple revision mode](revisions.md#multiple-revision-mode), use the `az containerapp revision set-mode` command.
+The revision mode controls whether only a single revision or multiple revisions of your container app can be simultaneously active. To set your container app to support [single revision mode](revisions.md#revision-modes) or [multiple revision mode](revisions.md#revision-modes), use the `az containerapp revision set-mode` command.
The default setting is *single revision mode*. For more information about this command, see [`az containerapp revision set-mode`](/cli/azure/containerapp/revision#az-containerapp-revision-set-mode).
Update-AzContainerApp @CmdArgs
## Revision labels
-Labels provide a unique URL that you can use to direct traffic to a revision. You can move a label between revisions to reroute traffic directed to the label's URL to a different revision. For more information about revision labels, see [Revision Labels](revisions.md#revision-labels).
+Labels provide a unique URL that you can use to direct traffic to a revision. You can move a label between revisions to reroute traffic directed to the label's URL to a different revision. For more information about revision labels, see [Revision Labels](revisions.md#labels).
You can add and remove a label from a revision. For more information about the label commands, see [`az containerapp revision label`](/cli/azure/containerapp/revision/label)
container-apps Revisions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/revisions.md
Title: Revisions in Azure Container Apps
-description: Learn how revisions are created in Azure Container Apps.
+ Title: Update and deploy changes in Azure Container Apps
+description: Learn how to use revisions to make changes in Azure Container Apps.
Previously updated : 05/11/2022 Last updated : 10/10/2023
-# Revisions in Azure Container Apps
+# Update and deploy changes in Azure Container Apps
-Azure Container Apps implements container app versioning by creating revisions. A revision is an immutable snapshot of a container app version.
+Change management can be challenging as you develop containerized applications in the cloud. Ultimately, you need the support to track changes, ensure uptime, and have mechanisms to handle smooth rollbacks.
-- The first revision is automatically provisioned when you deploy your container app.-- New revisions are automatically provisioned when you make a [*revision-scope*](#revision-scope-changes) change to your container app.-- While revisions are immutable, they're affected by [*application-scope*](#application-scope-changes) changes, which apply to all revisions.-- You can create new revisions by updating a previous revision.-- You can retain up to 100 revisions, giving you a historical record of your container app updates.-- You can run multiple revisions concurrently.-- You can split external HTTP traffic between active revisions.
+Change management in Azure Container Apps is powered by revisions, which are a snapshot of each version of your container app.
+Key characteristics of revisions include:
-> [!NOTE]
-> [Azure Container Apps jobs](jobs.md) don't have revisions. Each job execution uses the latest configuration of the job.
+- **Immutable**: Once established, a revision remains unchangeable.
-## Use cases
-
-Container Apps revisions help you manage the release of updates to your container app by creating a new revision each time you make a *revision-scope* change to your app. You can control which revisions are active, and the external traffic that is routed to each active revision.
+- **Versioned**: Revisions act as a record of the container app's versions, capturing its state at various stages.
-You can use revisions to:
+- **Automatically provisioned**: When you deploy a container app for the first time, an initial revision is automatically created.
-- Release a new version of your app.-- Quickly revert to an earlier version of your app.-- Split traffic between revisions for [A/B testing](https://wikipedia.org/wiki/A/B_testing).-- Gradually phase in a new revision in blue-green deployments. For more information about blue-green deployment, see [blue-green deployment](blue-green-deployment.md).
+- **Scoped changes**: While revisions remain static, [application-scope](#change-types) changes can affect all revisions, while [revision-scope](#change-types) changes create a new revision.
-## Revision lifecycle
+- **Historical record**: Azure Container Apps allow you to retain up to 100 revisions. This history gives you a comprehensive historical record of your app's updates.
-Revisions go through a series of states, based on status and availability.
+- **Multiple revisions**: You can run multiple revisions concurrently. This feature is especially beneficial when you need to manage different versions of your app simultaneously.
-### Provisioning status
+## Lifecycle
-When a new revision is first created, it has to pass startup and readiness checks. _Provisioning status_ is set to _provisioning_ during verification. Use _provisioning status_ to follow progress.
+Each revision undergoes specific states, influenced by its status and availability. During its lifecycle, a container app goes through different provisioning, running, and an inactive status.
-Once the revision is verified, _running status_ is set to _running_. The revision is available and ready for work.
+### Provisioning status
-_Provisioning status_ values include:
+When you create a new revision, the container app undergoes startup and readiness checks. During this phase, the provisioning status serves as a guide to track the container app's progress.
-- Provisioning-- Provisioned-- Provisioning failed
+| Status | Description |
+|||
+| Provisioning | The revision is in the verification process. |
+| Provisioned | The revision has successfully passed all checks. |
+| Provisioning failed | The revision encountered issues during verification. |
### Running status
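Review bot: the deleted note "[Azure Container Apps jobs](jobs.md) don't have revisions. Each job execution uses the latest configuration of the job." has no replacement in the rewritten intro; it is a factual statement readers of a revisions article need, so restore it under the new "Key characteristics" list. Second, the old anchors `#revision-scope-changes` and `#application-scope-changes` are replaced by a single `#change-types` in the "Scoped changes" bullet; the application-lifecycle-management.md change on this page still links to `revisions.md#revisi...`, so check every cross-link to the old anchors. Third, the sentence "During its lifecycle, a container app goes through different provisioning, running, and an inactive status." is ungrammatical and attributes to the app what the section then describes per revision; suggest "During its lifecycle, a revision moves through provisioning, running and inactive states."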
-Revisions are fully functional after provisioning is complete. Use _running status_ to monitor the status of a revision.
-
-Running status values include:
+After a container app is successfully provisioned, a revision enters its operating phase. The running status helps monitor a container app's health and functionality.
| Status | Description | |||
-| Running | The revision is running. There are no issues to report. |
-| Unhealthy | The revision isn't operating properly. Use the revision state details for details. Common issues include:<br>ΓÇó Container crashes<br>ΓÇó Resource quota exceeded<br>ΓÇó Image access issues, including [_ImagePullBackOff_ errors](/troubleshoot/azure/azure-kubernetes/cannot-pull-image-from-acr-to-aks-cluster) |
-| Failed | Critical errors caused revisions to fail. The _running state_ provides details. Common causes include:<br>ΓÇó Termination<br>ΓÇó Exit code `137` |
-
-Use running state details to learn more about the current status.
+| Scale to 0 | Zero running replicas, and not provisioning any new replicas. The container app can create new replicas if scale rules are triggered. |
+| Activating | Zero running replicas, one replica being provisioned. |
+| Processing | Scaling in or out is occurring. One or more running replicas, while other replicas are being provisioned. |
+| Running | One or more replicas running. There are no issues to report. |
+| Degraded | At least one replica in the revision is failed. View running state details for specific issues. |
+| Failed | Critical errors caused revisions to fail. The *running state* provides details. Common causes include:<br>ΓÇó Termination<br>ΓÇó Exit code `137` |
### Inactive status
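Review bot: the new "Degraded" row ("At least one replica in the revision is failed. View running state details for specific issues.") loses the concrete causes the old "Unhealthy" row gave (container crashes, resource quota exceeded, image access issues with the [_ImagePullBackOff_ errors](/troubleshoot/azure/azure-kubernetes/cannot-pull-image-from-acr-to-aks-cluster) link). Those are the things an operator actually checks first; carry the list and the troubleshooting link into the Degraded row. The "Failed" row also keeps the "ΓÇó" bullet mojibake from the old row; if that is in the source, replace it with a plain "-" or "<br>- ".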
-A revision can be set to active or inactive.
+Revisions can also enter an inactive state. These revisions don't possess provisioning or running states. However, Azure Container Apps maintains a list of these revisions, accommodating up to 100 inactive entries. You can activate a revision at any time.
-Inactive revisions don't have provisioning or running states.
+## Revision modes
-Inactive revisions remain in a list of up to 100 inactive revisions.
+Azure Container Apps support two revision modes. Your choice of mode determines how many revisions of your app are simultaneously active.
-## Multiple revisions
+| Revision modes | Description | Default |
+||||
+| Single | New revisions are automatically provisioned, activated, and scaled to the desired size. Once all the replicas are running as defined by the [scale rule](scale-app.md), then traffic is diverted from the old version to the new one. If an update fails, traffic remains pointed to the old revision. Old revisions are automatically deprovisioned. | Yes |
+| Multiple | You can have multiple active revisions, split traffic between revisions, and choose when to deprovision old revisions. This level of control is helpful for testing multiple versions of an app, blue-green testing, or taking full control of app updates. Refer to [traffic splitting](traffic-splitting.md) for more detail.
-The following diagram shows a container app with two revisions.
+### Labels
+For container apps with external HTTP traffic, labels direct traffic to specific revisions. A label provides a unique URL that you can use to route traffic to the revision that the label is assigned.
-This scenario presumes the container app is in the following state:
+To switch traffic between revisions, you can move the label from one revision to another.
-- [Ingress](ingress-how-to.md) is enabled, making the container app available via HTTP or TCP.-- The first revision was deployed as _Revision 1_.-- After the container was updated, a new revision was activated as _Revision 2_.-- [Traffic splitting](traffic-splitting.md) rules are configured so that _Revision 1_ receives 80% of the requests, and _Revision 2_ receives the remaining 20%.
+- Labels keep the same URL when moved from one revision to another.
+- A label can be applied to only one revision at a time.
+- Allocation for traffic splitting isn't required for revisions with labels.
+- Labels are most useful when the app is in *multiple revision mode*.
+- You can enable labels, traffic splitting or both.
-## Revision name suffix
+Labels are useful for testing new revisions. For example, when you want to give access to a set of test users, you can give them the label's URL. Then when you want to move your users to a different revision, you can move the label to that revision.
-Revision names are used to identify a revision, and in the revision's URL. You can customize the revision name by setting the revision suffix.
+Labels work independently of traffic splitting. Traffic splitting distributes traffic going to the container app's application URL to revisions based on the percentage of traffic. When traffic is directed to a label's URL, the traffic is routed to one specific revision.
-The format of a revision name is:
+A label name must:
-``` text
-<CONTAINER_APP_NAME>-<REVISION_SUFFIX>
-```
+- Consist of lower case alphanumeric characters or dashes (`-`)
+- Start with an alphabetic character
+- End with an alphanumeric character
-By default, Container Apps creates a unique revision name with a suffix consisting of a semi-random string of alphanumeric characters. You can customize the name by setting a unique custom revision suffix.
+Labels must not:
-For example, for a container app named *album-api*, setting the revision suffix name to *first-revision* would create a revision with the name *album-api-first-revision*.
+- Have two consecutive dashes (`--`)
+- Be more than 64 characters
-A revision suffix name must:
+You can manage labels from your container app's **Revision management** page in the Azure portal.
++
+The label URL is available in the revision details pane.
++
+### Zero downtime deployment
+
+In *single revision mode*, Container Apps ensures your app doesn't experience downtime when creating a new revision. The existing active revision isn't deactivated until the new revision is ready.
+
+If ingress is enabled, the existing revision continues to receive 100% of the traffic until the new revision is ready.
+
+A new revision is considered ready when:
-- consist of lower case alphanumeric characters or dashes ('-')-- start with an alphabetic character-- end with an alphanumeric character-- not have two consecutive dashes (--)-- not be more than 64 characters
+- The revision has provisioned successfully
+- The revision has scaled up to match the previous revisions replica count (respecting the new revision's min and max replica count)
+- All the replicas have passed their startup and readiness probes
-You can set the revision suffix in the [ARM template](azure-resource-manager-api-spec.md#propertiestemplate), through the Azure CLI `az containerapp create` and `az containerapp update` commands, or when creating a revision via the Azure portal.
+In *multiple revision* mode, you can control when revisions are activated or deactivated and which revisions receive ingress traffic. If a [traffic splitting rule](./revisions-manage.md#traffic-splitting) is configured with `latestRevision` set to `true`, traffic doesn't switch to the latest revision until it's ready.
+
+## Work with multiple revisions
+
+While single revision mode is the default, sometimes you might want to have full control over how your revisions are managed.
+
+Multiple revision mode gives you the flexibility to manage your revision manually. For instance, using multiple revision mode allows you to decide exactly how much traffic is allocated to each revision.
+
+### Traffic splitting
+
+The following diagram shows a container app with two revisions.
++
+This scenario presumes the container app is in the following state:
+
+- [Ingress](ingress-how-to.md) is enabled, making the container app available via HTTP or TCP.
+- The first revision was deployed as *Revision 1*.
+- After the container was updated, a new revision was activated as *Revision 2*.
+- [Traffic splitting](traffic-splitting.md) rules are configured so that *Revision 1* receives 80% of the requests, and *Revision 2* receives the remaining 20%.
+
+### Direct revision access
+
+Rather than using a routing rule to divert traffic to a revision, you might want to make a revision available to requests for a specific URL. Multiple revision mode can allow you to send all requests coming in to your domain to the latest revision, while requests for an older revision are available via [labels](#labels) for direct access.
+
+### Activation state
+
+In multiple revision mode, you can activate or deactivate revisions as needed. Active revisions are operational and can handle requests, while inactive revisions remain dormant.
+
+Container Apps doesn't charge for inactive revisions. However, there's a cap on the total number of available revisions, with the oldest ones being purged once you exceed a count of 100.
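Review bot: the revision-modes table has its header separator written as `||||` with no dashes, so Markdown will not render it as a table; it should be `|---|---|---|`, and the Multiple row is missing its Default cell and closing pipe (append `| No |` to that line). In the "A new revision is considered ready when" list, "the previous revisions replica count" needs a possessive: "the previous revision's replica count". Under Labels, "route traffic to the revision that the label is assigned" should end "assigned to". Finally, the 100-revision limit is described twice with different scope: Inactive status says "up to 100 inactive entries", while Activation state says "a cap on the total number of available revisions" of 100; pick one wording so readers know whether active revisions count toward the cap.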
## Change types
A *revision-scope* change is any change to the parameters in the [`properties.te
These parameters include: -- [Revision suffix](#revision-name-suffix)
+- [Revision suffix](#name-suffix)
- Container configuration and images - Scale rules for the container application
These parameters include:
- Credentials for private container registries - Dapr settings
-## Revision modes
+## Customize revisions
-The revision mode controls whether only a single revision or multiple revisions of your container app can be simultaneously active. You can set your app's revision mode from your container app's **Revision management** page in the Azure portal, using Azure CLI commands, or in the ARM template.
+You can customize the revision name and labels to better align with your naming conventions or versioning strategy.
-### Single revision mode
+### Name suffix
-By default, a container app is in *single revision mode*. In this mode, when a new revision is created, the latest revision replaces the active revision. For more information, see [Zero downtime deployment](./application-lifecycle-management.md#zero-downtime-deployment).
+Every revision in Container Apps is assigned a unique identifier. While names are automatically generated, you can personalize the revision name.
-### Multiple revision mode
+The typical format for a revision name is:
-Set the revision mode to *multiple revision mode*, to run multiple revisions of your app simultaneously. While in this mode, new revisions are activated alongside current active revisions.
+``` text
+<CONTAINER_APP_NAME>-<REVISION_SUFFIX>
+```
-For an app implementing external HTTP ingress, you can control the percentage of traffic going to each active revision from your container app's **Revision management** page in the Azure portal, using Azure CLI commands, or in an ARM template. For more information, see [Traffic splitting](traffic-splitting.md).
+For example, if you have a container app named *album-api* and decide on the revision suffix *first-revision*, the complete revision name becomes *album-api-first-revision*.
-## Revision Labels
+A revision suffix name must:
-For container apps with external HTTP traffic, labels are a portable means to direct traffic to specific revisions. A label provides a unique URL that you can use to route traffic to the revision that the label is assigned. To switch traffic between revisions, you can move the label from one revision to another.
+- Consist of only lower case alphanumeric characters or dashes (`-`)
+- Start with an alphabetic character
+- End with an alphanumeric character
-- Labels keep the same URL when moved from one revision to another.-- A label can be applied to only one revision at a time.-- Allocation for traffic splitting isn't required for revisions with labels.-- Labels are most useful when the app is in *multiple revision mode*.-- You can enable labels, traffic splitting or both.
+Names must not have:
-Labels are useful for testing new revisions. For example, when you want to give access to a set of test users, you can give them the label's URL. Then when you want to move your users to a different revision, you can move the label to that revision.
+- Two consecutive dashes (`--`)
+- Be more than 64 characters
-Labels work independently of traffic splitting. Traffic splitting distributes traffic going to the container app's application URL to revisions based on the percentage of traffic. When traffic is directed to a label's URL, the traffic is routed to one specific revision.
+You can set the revision suffix in the [ARM template](azure-resource-manager-api-spec.md#propertiestemplate), through the Azure CLI `az containerapp create` and `az containerapp update` commands, or when creating a revision via the Azure portal.
-A label name must:
+## Use cases
-- consist of lower case alphanumeric characters or dashes ('-')-- start with an alphabetic character-- end with an alphanumeric character-- not have two consecutive dashes (--)-- not be more than 64 characters
+The following are common use cases for using revisions in container apps. This list isn't an exhaustive list of the purpose or capabilities of using Container Apps revisions.
-You can manage labels from your container app's **Revision management** page in the Azure portal.
+### Release management
+Revisions streamline the process of introducing new versions of your app. When you're ready to roll out an update or a new feature, you can create a new revision without affecting the current live version. This approach ensures a smooth transition and minimizes disruptions for end-users.
-You can find the label URL in the revision details pane.
+### Reverting to previous versions
+Sometimes you need to quickly revert to a previous, stable version of your app. You can roll back to a previous revision of your container app if necessary.
+
+### A/B testing
-## Activation state
+When you want to test different versions of your app, revisions can support [A/B testing](https://wikipedia.org/wiki/A/B_testing). You can route a subset of your users to a new revision, gather feedback, and make informed decisions based on real-world data.
-In *multiple revision modes*, revisions remain active until you deactivate them. You can activate and deactivate revisions from your container app's **Revision management** page in the Azure portal or from the Azure CLI.
+### Blue-green deployments
-You aren't charged for the inactive revisions. You can have a maximum of 100 revisions, after which the oldest revision is purged.
+Revisions support the [blue-green deployment](blue-green-deployment.md) strategy. By having two parallel revisions (blue for the live version and green for the new one), you can gradually phase in a new revision. Once you're confident in the new version's stability and performance, you can switch traffic entirely to the green environment.
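Review bot: the suffix constraint list under Name suffix does not parse; "Names must not have:" is followed by the item "Be more than 64 characters". Either use "A revision suffix name must not:" with the items "Have two consecutive dashes (`--`)" and "Be more than 64 characters", matching the form already used for labels above, or rewrite the second item as "More than 64 characters". Minor: "The typical format for a revision name is" implies other formats exist, and the original "The format of a revision name is" was more precise; in Use cases, "This list isn't an exhaustive list" can be "This list isn't exhaustive".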
## Next steps
container-apps Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/services.md
Previously updated : 05/22/2023 Last updated : 10/11/2023 # Connect to services in Azure Container Apps (preview)
-As you develop applications in Azure Container Apps, you often need to connect to different services.
+As you develop applications in Azure Container Apps, you often need to connect to different services. Rather than creating services ahead of time and manually connecting them to your container app, you can quickly create instances of development-grade services that are designed for nonproduction environments known as "add-ons".
-Rather than creating services ahead of time and manually connecting them to your container app, you can quickly create instances of development-grade services that are designed for nonproduction environments known as "dev services".
+Add-ons allow you to use OSS services without the burden of manual downloads, creation, and configuration.
-Dev services allow you to use OSS services without the burden of manual downloads, creation, and configuration.
-
-Services available as dev services include:
+Services available as an add-on include:
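Review bot: in the merged opening paragraph, "services that are designed for nonproduction environments known as "add-ons"" attaches the name to the environments rather than to the services; suggest "development-grade services, known as "add-ons", that are designed for nonproduction environments". Merging the two paragraphs into one also produced a long sentence pair that read better as two paragraphs; consider keeping the paragraph break.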
- Open-source Redis - Open-source PostgreSQL
Once you're ready for your app to use a production level service, you can connec
## Features
-dev services come with the following features:
+Add-ons come with the following features:
-- **Scope**: The service runs in the same environment as the connected container app.-- **Scaling**: The service can scale in to zero when there's no demand for the service.-- **Pricing**: Service billing falls under consumption-based pricing. Billing only happens when instances of the service are running.-- **Storage**: The service uses persistent storage to ensure there's no data loss as a service scales in to zero.-- **Revisions**: Anytime you change a dev service, a new revision of your container app is created.
+- **Scope**: The add-on runs in the same environment as the connected container app.
+- **Scaling**: The add-on can scale in to zero when there's no demand for the service.
+- **Pricing**: Add-on billing falls under consumption-based pricing. Billing only happens when instances of the add-on are running.
+- **Storage**: The add-on uses persistent storage to ensure there's no data loss as the add-on scales in to zero.
+- **Revisions**: Anytime you change an add-on, a new revision of your container app is created.
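Review bot: the Scaling bullet still says "when there's no demand for the service" while every other bullet in this list was changed to "the add-on"; change it to "when there's no demand for the add-on" for consistency with the rename.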
See the service-specific features for managed services. ## Binding
-Both dev mode and managed services connect to a container via a "binding".
+Both add-ons and managed services connect to a container via a "binding".
The Container Apps runtime binds a container app to a service by:
Once a binding is established, the container app can read these configuration an
## Development vs production
-As you move from development to production, you can move from a dev service to a managed service.
+As you move from development to production, you can move from an add-on to a managed service.
The following table shows you which service to use in development, and which service to use in production.
container-apps Sticky Sessions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/sticky-sessions.md
zone_pivot_groups: arm-portal
Session affinity, also known as sticky sessions, is a feature that allows you to route all requests from a client to the same replica. This feature is useful for stateful applications that require a consistent connection to the same replica.
-Session stickiness is enforced using HTTP cookies. This feature is available in single revision mode when HTTP ingress is enabled. A client may be routed to a new replica if the previous replica is no longer available.
+Session stickiness is enforced using HTTP cookies. This feature is available in single revision mode when HTTP ingress is enabled. A client might be routed to a new replica if the previous replica is no longer available.
If your app doesn't require session affinity, we recommend that you don't enable it. With session affinity disabled, ingress distributes requests more evenly across replicas improving the performance of your app. > [!NOTE]
-> Session affinity is only supported when your app is in [single revision mode](revisions.md#single-revision-mode) and the ingress type is HTTP.
+> Session affinity is only supported when your app is in [single revision mode](revisions.md#revision-modes) and the ingress type is HTTP.
> ## Configure session affinity
container-apps Traffic Splitting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-apps/traffic-splitting.md
By default, when ingress is enabled, all traffic is routed to the latest deploye
Traffic splitting is useful for testing updates to your container app. You can use traffic splitting to gradually phase in a new revision in [blue-green deployments](blue-green-deployment.md) or in [A/B testing](https://wikipedia.org/wiki/A/B_testing).
-Traffic splitting is based on the weight (percentage) of traffic that is routed to each revision. The combined weight of all traffic split rules must equal 100%. You can specify revision by revision name or [revision label](revisions.md#revision-labels).
+Traffic splitting is based on the weight (percentage) of traffic that is routed to each revision. The combined weight of all traffic split rules must equal 100%. You can specify revision by revision name or [revision label](revisions.md#labels).
This article shows you how to configure traffic splitting rules for your container app. To run the following examples, you need a container app with multiple revisions.
The following template moves 20% of traffic over to the updated revision:
### Staging microservices
-When building microservices, you may want to maintain production and staging endpoints for the same app. Use labels to ensure that traffic doesn't switch between different revisions.
+When building microservices, you might want to maintain production and staging endpoints for the same app. Use labels to ensure that traffic doesn't switch between different revisions.
The following example template applies labels to different revisions.
container-instances Container Instances Image Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-image-security.md
For comprehensive recommendations that will help you improve the security postur
Containers are built from images that are stored in one or more repositories. These repositories can belong to a public registry, like [Docker Hub](https://hub.docker.com), or to a private registry. An example of a private registry is the [Docker Trusted Registry](https://docs.docker.com/datacenter/dtr/), which can be installed on-premises or in a virtual private cloud. You can also use cloud-based private container registry services, including [Azure Container Registry](../container-registry/container-registry-intro.md).
-A publicly available container image does not guarantee security. Container images consist of multiple software layers, and each software layer might have vulnerabilities. To help reduce the threat of attacks, you should store and retrieve images from a private registry, such as Azure Container Registry or Docker Trusted Registry. In addition to providing a managed private registry, Azure Container Registry supports [service principal-based authentication](../container-registry/container-registry-authentication.md) through Azure Active Directory for basic authentication flows. This authentication includes role-based access for read-only (pull), write (push), and other permissions.
+A publicly available container image does not guarantee security. Container images consist of multiple software layers, and each software layer might have vulnerabilities. To help reduce the threat of attacks, you should store and retrieve images from a private registry, such as Azure Container Registry or Docker Trusted Registry. In addition to providing a managed private registry, Azure Container Registry supports [service principal-based authentication](../container-registry/container-registry-authentication.md) through Microsoft Entra ID for basic authentication flows. This authentication includes role-based access for read-only (pull), write (push), and other permissions.
### Monitor and scan container images
container-instances Container Instances Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-managed-identity.md
Last updated 06/17/2022
# How to use managed identities with Azure Container Instances
-Use [managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) to run code in Azure Container Instances that interacts with other Azure services - without maintaining any secrets or credentials in code. The feature provides an Azure Container Instances deployment with an automatically managed identity in Azure Active Directory.
+Use [managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) to run code in Azure Container Instances that interacts with other Azure services - without maintaining any secrets or credentials in code. The feature provides an Azure Container Instances deployment with an automatically managed identity in Microsoft Entra ID.
In this article, you learn more about managed identities in Azure Container Instances and:
Adapt the examples to enable and use identities in Azure Container Instances to
## Why use a managed identity?
-Use a managed identity in a running container to authenticate to any [service that supports Azure AD authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication) without managing credentials in your container code. For services that don't support AD authentication, you can store secrets in an Azure key vault and use the managed identity to access the key vault to retrieve credentials. For more information about using a managed identity, see [What is managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md)
+Use a managed identity in a running container to authenticate to any [service that supports Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication) without managing credentials in your container code. For services that don't support AD authentication, you can store secrets in an Azure key vault and use the managed identity to access the key vault to retrieve credentials. For more information about using a managed identity, see [What is managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md)
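Review bot: the sentence still says "For services that don't support AD authentication" immediately after the rename to "Microsoft Entra authentication"; change it to "Microsoft Entra authentication" for consistency. The link fragment `#azure-services-that-support-azure-ad-authentication` was left unchanged; confirm the heading in services-support-managed-identities.md still produces that anchor after its own rename, otherwise the link lands at the top of the page.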
### Enable a managed identity
az container show \
--name mycontainer ```
-The `identity` section in the output looks similar to the following, showing the identity is set in the container group. The `principalID` under `userAssignedIdentities` is the service principal of the identity you created in Azure Active Directory:
+The `identity` section in the output looks similar to the following, showing the identity is set in the container group. The `principalID` under `userAssignedIdentities` is the service principal of the identity you created in Microsoft Entra ID:
```output [...]
az container exec \
--exec-command "/bin/bash" ```
-Run the following commands in the bash shell in the container. To get an access token to use Azure Active Directory to authenticate to key vault, run the following command:
+Run the following commands in the bash shell in the container. To get an access token to use Microsoft Entra ID to authenticate to key vault, run the following command:
```bash client_id="xxxxxxxx-5523-45fc-9f49-xxxxxxxxxxxx"
az container show \
--name mycontainer ```
-The `identity` section in the output looks similar to the following, showing that a system-assigned identity is created in Azure Active Directory:
+The `identity` section in the output looks similar to the following, showing that a system-assigned identity is created in Microsoft Entra ID:
```output [...]
container-instances Container Instances Tutorial Deploy App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-tutorial-deploy-app.md
In this section, you use the Azure CLI to deploy the image built in the [first t
When you deploy an image that's hosted in a private Azure container registry like the one created in the [second tutorial](container-instances-tutorial-prepare-acr.md), you must supply credentials to access the registry.
-A best practice for many scenarios is to create and configure an Azure Active Directory service principal with *pull* permissions to your registry. See [Authenticate with Azure Container Registry from Azure Container Instances](../container-registry/container-registry-auth-aci.md) for sample scripts to create a service principal with the necessary permissions. Take note of the *service principal ID* and *service principal password*. You use these credentials to access the registry when you deploy the container.
+A best practice for many scenarios is to create and configure a Microsoft Entra service principal with *pull* permissions to your registry. See [Authenticate with Azure Container Registry from Azure Container Instances](../container-registry/container-registry-auth-aci.md) for sample scripts to create a service principal with the necessary permissions. Take note of the *service principal ID* and *service principal password*. You use these credentials to access the registry when you deploy the container.
You also need the full name of the container registry login server (replace `<acrName>` with the name of your registry):
container-instances Container Instances Using Azure Container Registry https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/container-instances-using-azure-container-registry.md
# Deploy to Azure Container Instances from Azure Container Registry using a service principal
-[Azure Container Registry](../container-registry/container-registry-intro.md) is an Azure-based, managed container registry service used to store private Docker container images. This article describes how to pull container images stored in an Azure container registry when deploying to Azure Container Instances. One way to configure registry access is to create an Azure Active Directory service principal and password, and store the login credentials in an Azure key vault.
+[Azure Container Registry](../container-registry/container-registry-intro.md) is an Azure-based, managed container registry service used to store private Docker container images. This article describes how to pull container images stored in an Azure container registry when deploying to Azure Container Instances. One way to configure registry access is to create a Microsoft Entra service principal and password, and store the login credentials in an Azure key vault.
## Prerequisites
container-instances Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/policy-reference.md
Previously updated : 09/19/2023 Last updated : 10/10/2023 # Azure Policy built-in definitions for Azure Container Instances
container-instances Using Azure Container Registry Mi https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-instances/using-azure-container-registry-mi.md
# Deploy to Azure Container Instances from Azure Container Registry using a managed identity
-[Azure Container Registry][acr-overview] (ACR) is an Azure-based, managed container registry service used to store private Docker container images. This article describes how to pull container images stored in an Azure container registry when deploying to container groups with Azure Container Instances. One way to configure registry access is to create an Azure Active Directory managed identity.
+[Azure Container Registry][acr-overview] (ACR) is an Azure-based, managed container registry service used to store private Docker container images. This article describes how to pull container images stored in an Azure container registry when deploying to container groups with Azure Container Instances. One way to configure registry access is to create a Microsoft Entra managed identity.
When access to an Azure Container Registry (ACR) is [restricted using a private endpoint](../container-registry/container-registry-private-link.md), using a managed identity allows Azure Container Instances [deployed into a virtual network](container-instances-vnet.md) to access the container registry through the private endpoint.
container-registry Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/container-registry/policy-reference.md
Title: Built-in policy definitions for Azure Container Registry
description: Lists Azure Policy built-in policy definitions for Azure Container Registry. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
cosmos-db Bulk Executor Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/bulk-executor-dotnet.md
Currently, bulk executor library is supported by the Azure Cosmos DB for NoSQL a
* You can [Try Azure Cosmos DB for free](https://azure.microsoft.com/try/cosmosdb/) without an Azure subscription. You can also [Install and use the Azure Cosmos DB Emulator for local development and testing](../emulator.md) with the `https://localhost:8081` endpoint. The Primary Key is provided in [Authenticating requests](../emulator.md).
-* Create an Azure Cosmos DB for NoSQL account by using the steps described in the [Create an Azure Cosmos DB account](quickstart-dotnet.md#create-account) section of [Quickstart: Azure Cosmos DB for NoSQL client library for .NET](quickstart-dotnet.md).
+* Create an Azure Cosmos DB for NoSQL account by using the steps described in the [Create an Azure Cosmos DB account](how-to-create-account.md) section of [Quickstart: Azure Cosmos DB for NoSQL client library for .NET](quickstart-dotnet.md).
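Review bot: the link now points to the standalone article how-to-create-account.md, but the sentence still describes it as the "Create an Azure Cosmos DB account section of [Quickstart: Azure Cosmos DB for NoSQL client library for .NET]"; drop the "section of ..." clause, for example "by using the steps described in [Create an Azure Cosmos DB account](how-to-create-account.md)". The same wording is not repeated in the other retargeted links in this change, so only this line needs the fix.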
## Clone the sample application
cosmos-db Find Request Unit Charge https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/find-request-unit-charge.md
Currently, you can measure consumption only by using the Azure portal or by insp
1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. [Create a new Azure Cosmos DB account](quickstart-dotnet.md#create-account) and feed it with data, or select an existing Azure Cosmos DB account that already contains data.
+1. [Create a new Azure Cosmos DB account](how-to-create-account.md) and feed it with data, or select an existing Azure Cosmos DB account that already contains data.
1. Go to the **Data Explorer** pane, and then select the container you want to work on.
cosmos-db How To Create Container https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/how-to-create-container.md
This article explains the different ways to create a container in Azure Cosmos D
1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. [Create a new Azure Cosmos DB account](quickstart-dotnet.md#create-account), or select an existing account.
+1. [Create a new Azure Cosmos DB account](how-to-create-account.md), or select an existing account.
1. Open the **Data Explorer** pane, and select **New Container**. Next, provide the following details:
cosmos-db How To Provision Container Throughput https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/how-to-provision-container-throughput.md
If you are using a different API, see [API for MongoDB](../mongodb/how-to-provis
1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. [Create a new Azure Cosmos DB account](quickstart-dotnet.md#create-account), or select an existing Azure Cosmos DB account.
+1. [Create a new Azure Cosmos DB account](how-to-create-account.md), or select an existing Azure Cosmos DB account.
1. Open the **Data Explorer** pane, and select **New Container**. Next, provide the following details:
cosmos-db How To Provision Database Throughput https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/how-to-provision-database-throughput.md
If you are using a different API, see [API for MongoDB](../mongodb/how-to-provis
1. Sign in to the [Azure portal](https://portal.azure.com/).
-1. [Create a new Azure Cosmos DB account](quickstart-dotnet.md#create-account), or select an existing Azure Cosmos DB account.
+1. [Create a new Azure Cosmos DB account](how-to-create-account.md), or select an existing Azure Cosmos DB account.
1. Open the **Data Explorer** pane, and select **New Database**. Provide the following details:
cosmos-db Manage With Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/manage-with-powershell.md
The following guide describes how to use PowerShell to script and automate manag
> [!NOTE] > Samples in this article use [Az.CosmosDB](/powershell/module/az.cosmosdb) management cmdlets. See the [Az.CosmosDB](/powershell/module/az.cosmosdb) API reference page for the latest changes.
-For cross-platform management of Azure Cosmos DB, you can use the `Az` and `Az.CosmosDB` cmdlets with [cross-platform PowerShell](/powershell/scripting/install/installing-powershell), as well as the [Azure CLI](manage-with-cli.md), the [REST API][rp-rest-api], or the [Azure portal](quickstart-dotnet.md#create-account).
+For cross-platform management of Azure Cosmos DB, you can use the `Az` and `Az.CosmosDB` cmdlets with [cross-platform PowerShell](/powershell/scripting/install/installing-powershell), as well as the [Azure CLI](manage-with-cli.md), the [REST API][rp-rest-api], or the [Azure portal](how-to-create-account.md).
[!INCLUDE [updated-for-az](../../../includes/updated-for-az.md)]
cosmos-db Tutorial Create Notebook Vscode https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/tutorial-create-notebook-vscode.md
+
+ Title: |
+ Tutorial: Create a Jupyter Notebook to analyze data in your Azure Cosmos DB for NoSQL account
+description: |
+ Learn how to use Visual Studio Code Jupyter notebooks to import data to Azure Cosmos DB for NoSQL and analyze the data.
+++ Last updated : 10/09/2023+++++
+# Tutorial: Create a Jupyter Notebook to analyze data in your Azure Cosmos DB for NoSQL account using Visual Studio Code Jupyter notebooks
++
+This tutorial walks through how to use the Visual Studio Code Jupyter notebooks to interact with your Azure Cosmos DB for NoSQL account. You'll see how to connect to your account, import data, and run queries.
+
+## Prerequisites
+
+### [Python](#tab/python)
+- An existing Azure Cosmos DB for NoSQL account.
+ - If you have an existing Azure subscription, [create a new account](how-to-create-account.md?tabs=azure-portal).
+ - No Azure subscription? You can [try Azure Cosmos DB free](../try-free.md) with no credit card required.
+- [Install Visual Studio Code](https://code.visualstudio.com/download) and [setup your environment](https://code.visualstudio.com/docs/datascience/jupyter-notebooks) to use notebooks.
+
+### [C#](#tab/csharp)
+- An existing Azure Cosmos DB for NoSQL account.
+ - If you have an existing Azure subscription, [create a new account](how-to-create-account.md?tabs=azure-portal).
+ - No Azure subscription? You can [try Azure Cosmos DB free](../try-free.md) with no credit card required.
+- [Install Visual Studio Code](https://code.visualstudio.com/download) and [setup your environment](https://code.visualstudio.com/docs/datascience/jupyter-notebooks) to use notebooks.
+- Install the [Polyglot notebooks extension](https://code.visualstudio.com/docs/languages/polyglot) for Visual Studio Code.
++
+## Create a new notebook
+
+In this section, you'll create the Azure Cosmos database, container, and import the retail data to the container.
+
+### [Python](#tab/python)
+
+1. Open Visual Studio Code.
+1. Run the **Create: New Jupyter Notebook** command from the Command Palette (Ctrl+Shift+P) or create a new .ipynb file in your workspace.
+
+### [C#](#tab/csharp)
+1. Open Visual Studio Code.
+1. Run the **Polyglot Notebook: Create new blank notebook** command from the Command Palette (Ctrl+Shift+P).
+
+ :::image type="content" source="media/tutorial-create-notebook-vscode/create-notebook-csharp.png" alt-text="Screenshot of Create new Polyglot notebook command in Visual Studio Code.":::
+
+1. Select the .ipynb file extension.
+1. Select C# as the default language.
++
+> [!TIP]
+> Now that the new notebook has been created, you can save it and name it something like **AnalyzeRetailData.ipynb**.
+
+## Create a database and container using the SDK
+
+### [Python](#tab/python)
+
+1. Start in the default code cell.
+
+1. Install the Azure.cosmos package. Run this cell before continuing.
+ ```python
+ %pip install azure.cosmos
+ ```
+
+1. Import any packages you require for this tutorial.
+
+ ```python
+ import azure.cosmos
+ from azure.cosmos.partition_key import PartitionKey
+ from azure.cosmos import CosmosClient
+ ```
+
+1. Create a new instance of CosmosClient.
+ ```python
+ endpoint = "<FILL ME>"
+ key = "<FILL ME>"
+ cosmos_client = CosmosClient(url=endpoint, credential=key)
+ ```
+
+1. Create a database named **RetailIngest** using the built-in SDK.
+
+ ```python
+ database = cosmos_client.create_database_if_not_exists('RetailIngest')
+ ```
+
+1. Create a container named **WebsiteMetrics** with a partition key of `/CartID`.
+
+ ```python
+ container = database.create_container_if_not_exists(id='WebsiteMetrics', partition_key=PartitionKey(path='/CartID'))
+ ```
+
+1. Select **Run** to create the database and container resource.
+
+ :::image type="content" source="media/tutorial-create-notebook-vscode/run-cell-python.png" alt-text="Screenshot of Execute cell in Visual Studio Code Jupyter notebook.":::
+
+### [C#](#tab/csharp)
+
+1. Start in the default code cell.
+
+1. Install the Microsoft.Azure.Cosmos NuGet package. Run this cell before proceeding.
+ ```csharp
+ #r "nuget: Microsoft.Azure.Cosmos"
+ ```
+1. Create a new code cell.
+
+1. Import any packages you require for this tutorial.
+
+ ```csharp
+ using Microsoft.Azure.Cosmos;
+ ```
+
+1. Create a new instance of the client type using the built-in SDK. Fill in the URI endpoint and key of your Azure Cosmos DB account. You can find these values in the **Keys** page in your Azure Cosmos DB account.
+
+ ```csharp
+ var endpoint = "<FILL ME>";
+ var key = "<FILL ME>";
+
+ var cosmosClient = new CosmosClient(Cosmos.Endpoint, Cosmos.Key);
+ ```
+
+1. Create a database named **RetailIngest**.
+
+ ```csharp
+ Database database = await cosmosClient.CreateDatabaseIfNotExistsAsync("RetailIngest");
+ ```
+
+1. Create a container named **WebsiteMetrics** with a partition key of `/CartID`.
+
+ ```csharp
+ Container container = await database.CreateContainerIfNotExistsAsync("WebsiteMetrics", "/CartID");
+ ```
+
+1. Select **Execute Cell** to create the database and container resource.
+
+ :::image type="content" source="media/tutorial-create-notebook-vscode/run-cell-csharp.png" alt-text="Screenshot of Execute cell in Visual Studio Code Jupyter C# notebook.":::
+++
+## Import data into container
+
+### [Python](#tab/python)
+
+1. Add a new code cell
+
+1. Within the code cell, add the following code to upload data from this url: <https://cosmosnotebooksdata.blob.core.windows.net/notebookdata/websiteData.json>.
+ ```python
+ import urllib.request
+ import json
+
+ with urllib.request.urlopen("https://cosmosnotebooksdata.blob.core.windows.net/notebookdata/websiteData.json") as url:
+ docs = json.loads(url.read().decode())
+
+ for doc in docs:
+ container.upsert_item(doc)
+ ```
+1. Run the cell. This will take 45 seconds to 1 minute to run.
++
+### [C#](#tab/csharp)
+
+1. Add a new code cell.
+
+1. In the code cell, create a new C# class to represent an item in the container. Run the cell.
+
+ ```csharp
+ public class Record
+ {
+ public string id { get; set; }
+ public int CartID { get; set; }
+ public string Action { get; set; }
+ public decimal Price { get; set; }
+ public string Country { get; set; }
+ public string Item { get; set; }
+ }
+ ```
+
+1. Add a new code cell.
+
+1. Within the code cell, add the following code to upload data from this url: <https://cosmosnotebooksdata.blob.core.windows.net/notebookdata/websiteData.json>.
+ ```csharp
+ using System.Net.Http;
+ using System.Text.Json;
+ using System.IO;
+
+ var dataURL = "https://cosmosnotebooksdata.blob.core.windows.net/notebookdata/websiteData.json";
+ var jsonData = new HttpClient().GetStringAsync(dataURL).Result;
+
+ Record[] result = JsonSerializer.Deserialize<Record[]>(jsonData);
+
+ foreach (Record record in result) {
+ await container.UpsertItemAsync<Record>(record, new PartitionKey(record.CartID)); //43 seconds
+ }
+ ```
+
+1. Run the cell. This will take 45 seconds to 1 minute to run.
+++
+## Analyze your data
+
+### [Python](#tab/python)
+
+1. Create another new code cell.
+
+1. In the code cell, use a SQL query to populate a [Pandas DataFrame](https://pandas.pydata.org/pandas-docs/stable/reference/api/pandas.DataFrame.html#pandas.DataFrame). Run this cell.
+
+ ```python
+ import pandas as pd
+ from pandas import DataFrame
+
+ QUERY = "SELECT c.Action, c.Price as ItemRevenue, c.Country, c.Item FROM c"
+ results = container.query_items(
+ query=QUERY, enable_cross_partition_query=True
+ )
+
+ df_cosmos = pd.DataFrame(results)
+ ```
+
+1. Create another new code cell.
+
+1. In the code cell, output the top **10** items from the dataframe. Run this cell.
+
+ ```python
+ df_cosmos.head(10)
+ ```
+
+1. Observe the output of running the command.
+
+ | | Action | ItemRevenue | Country | Item |
+ | | | | | |
+ | **0** | Purchased | 19.99 | Macedonia | Button-Up Shirt |
+ | **1** | Viewed | 12.00 | Papua New Guinea | Necklace |
+ | **2** | Viewed | 25.00 | Slovakia (Slovak Republic) | Cardigan Sweater |
+ | **3** | Purchased | 14.00 | Senegal | Flip Flop Shoes |
+ | **4** | Viewed | 50.00 | Panama | Denim Shorts |
+ | **5** | Viewed | 14.00 | Senegal | Flip Flop Shoes |
+ | **6** | Added | 14.00 | Senegal | Flip Flop Shoes |
+ | **7** | Added | 50.00 | Panama | Denim Shorts |
+ | **8** | Purchased | 33.00 | Palestinian Territory | Red Top |
+ | **9** | Viewed | 30.00 | Malta | Green Sweater |
+
+1. Create another new code cell.
+
+1. In the code cell, import the **pandas** package to customize the output of the dataframe. Run this cell.
+
+ ```python
+ import pandas as pd
+ df_cosmos.groupby("Item").size().reset_index()
+ ```
+
+1. Observe the output of running the command.
+
+ | | Item | Test |
+ | | | |
+ | **0** | Flip Flop Shoes | 66 |
+ | **1** | Necklace | 55 |
+ | **2** | Athletic Shoes | 111 |
+ | **...** | ... | ... |
+ | **45** | Windbreaker Jacket| 56 |
+++
+### [C#](#tab/csharp)
+
+1. Create a new code cell.
+
+1. In the code cell, add code to [execute a SQL query using the SDK](quickstart-dotnet.md#query-items) storing the output of the query in a variable of type <xref:System.Collections.Generic.List%601> named **results**.
+
+ ```csharp
+ using System.Collections.Generic;
+
+ var query = new QueryDefinition(
+ query: "SELECT c.Action, c.Price, c.Country, c.Item FROM c"
+ );
+
+ FeedIterator<Record> feed = container.GetItemQueryIterator<Record>(
+ queryDefinition: query
+ );
+
+ var results = new List<Record>();
+ while (feed.HasMoreResults)
+ {
+ FeedResponse<Record> response = await feed.ReadNextAsync();
+ foreach (Record result in response)
+ {
+ results.Add(result);
+ }
+ }
+ ```
+
+1. Create another new code cell.
+
+1. In the code cell, create a dictionary by adding unique permutations of the **Item** field as the key and the sum of the **Price** field as the value. This gives the total sales for each item. Run this cell.
+
+ ```csharp
+ var dictionary = new Dictionary<string, decimal>();
+
+ foreach(var result in results)
+ {
+ if (dictionary.ContainsKey(result.Item)) {
+ dictionary[result.Item] += result.Price;
+ }
+ else {
+ dictionary.TryAdd (result.Item, result.Price);
+
+ }
+ }
+
+ dictionary
+ ```
+
+1. Observe the output with unique combinations of the **Item** and **Price** fields.
+
+ ```output
+ ...
+ Black Tee: 603
+ Flannel Shirt: 1199.40
+ Socks: 210.00
+ Rainjacket: 2695
+ ...
+ ```
+++
+## Next steps
+- [Get started with the Azure Cosmos DB for NoSQL client library for .NET](quickstart-dotnet.md)
+- [Get started with the Azure Cosmos DB for NoSQL client library for Python](quickstart-python.md)
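Review bot: In the C# "Create a new instance of the client type" cell, `var cosmosClient = new CosmosClient(Cosmos.Endpoint, Cosmos.Key);` references a `Cosmos` type that is never declared, so the cell does not compile; the two variables declared just above it are what should be passed: `var cosmosClient = new CosmosClient(endpoint, key);`. Both tabs also have the reader paste the account key straight into a notebook cell, and the tip earlier in the file suggests saving that notebook as AnalyzeRetailData.ipynb, so the key ends up in a file that is easily shared or committed; reading `endpoint` and `key` from environment variables (or passing an Entra ID token credential, which both SDKs accept) and saying so in that step would avoid that. Smaller points in the same file: the three output tables in the Python "Analyze your data" tab have an empty separator row (`| | | | | |`) instead of `| --- |` cells, so they will not render as tables; the second output table's header reads **Test**, but `groupby("Item").size().reset_index()` yields a column named `0`; the C# step "Observe the output with unique combinations of the **Item** and **Price** fields" describes a per-item total (the dictionary sums `Price` by `Item`), not unique combinations; the C# query step links to `quickstart-dotnet.md#query-items` while the identical sentence in tutorial-create-notebook.md is changed in this same update to `query/index.yml`; the "Create a new notebook" intro says the section creates the database and container and imports data, which is what the following sections do; `new HttpClient().GetStringAsync(dataURL).Result` blocks inside an async notebook cell, where `await new HttpClient().GetStringAsync(dataURL)` is the idiomatic form; and "setup your environment" should read "set up your environment".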
cosmos-db Tutorial Create Notebook https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/tutorial-create-notebook.md
[!INCLUDE[NoSQL](../includes/appliesto-nosql.md)]
-> [!IMPORTANT]
-> The Jupyter Notebooks feature of Azure Cosmos DB is currently in a preview state and is progressively rolling out to all customers over time.
+> [!WARNING]
+> The Jupyter Notebooks feature of Azure Cosmos DB will be retired March 30, 2024; you will not be able to use built-in Jupyter notebooks from the Azure Cosmos DB account. We recommend using [Visual Studio Code's support for Jupyter notebooks](../nosql/tutorial-create-notebook-vscode.md) or your preferred notebooks client.
This tutorial walks through how to use the Jupyter Notebooks feature of Azure Cosmos DB to import sample retail data to an Azure Cosmos DB for NoSQL account. You'll see how to use the Azure Cosmos DB magic commands to run queries, analyze the data, and visualize the results.
In this section, you'll create the Azure Cosmos database, container, and import
1. Create another new code cell.
-1. In the code cell, add code to [execute a SQL query using the SDK](quickstart-dotnet.md#query-items) storing the output of the query in a variable of type <xref:System.Collections.Generic.List%601> named **results**.
+1. In the code cell, add code to [execute a SQL query using the SDK](query/index.yml) storing the output of the query in a variable of type <xref:System.Collections.Generic.List%601> named **results**.
```csharp using System.Collections.Generic;
cosmos-db Tutorial Import Notebooks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/nosql/tutorial-import-notebooks.md
[!INCLUDE[NoSQL](../includes/appliesto-nosql.md)]
-> [!IMPORTANT]
-> The Jupyter Notebooks feature of Azure Cosmos DB is currently in a preview state and is progressively rolling out to all customers over time.
+> [!WARNING]
+> The Jupyter Notebooks feature of Azure Cosmos DB will be retired March 30, 2024; you will not be able to use built-in Jupyter notebooks from the Azure Cosmos DB account. We recommend using [Visual Studio Code's support for Jupyter notebooks](../nosql/tutorial-create-notebook-vscode.md) or your preferred notebooks client.
This tutorial walks through how to import Jupyter notebooks from a GitHub repository and run them in an Azure Cosmos DB for NoSQL account. After importing the notebooks, you can run, edit them, and persist your changes back to the same GitHub repository.
cosmos-db Notebooks Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/notebooks-overview.md
[!INCLUDE[NoSQL, MongoDB, Cassandra, Gremlin, Table](includes/appliesto-nosql-mongodb-cassandra-gremlin-table.md)]
-> [!IMPORTANT]
-> The Jupyter Notebooks feature of Azure Cosmos DB is currently in a preview state and is progressively rolling out to all customers over time.
+> [!WARNING]
+> The Jupyter Notebooks feature of Azure Cosmos DB will be retired March 30, 2024; you will not be able to use built-in Jupyter notebooks from the Azure Cosmos DB account. We recommend using [Visual Studio Code's support for Jupyter notebooks](nosql/tutorial-create-notebook-vscode.md) or your preferred notebooks client.
Jupyter Notebooks is an open-source interactive developer environment (IDE) that's designed to create, execute, and share documents that contain live code, equations, visualizations, and narrative text.
cosmos-db Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cosmos-db/policy-reference.md
Title: Built-in policy definitions for Azure Cosmos DB description: Lists Azure Policy built-in policy definitions for Azure Cosmos DB. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
cost-management-billing Cost Management Api Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/cost-management-api-permissions.md
Before using the Azure Cost Management APIs, you need to properly assign permiss
- Get familiar with the [Azure Resource Manager REST APIs](/rest/api/azure). - Determine which Cost Management APIs you want to use. For more information about available APIs, see [Cost Management automation overview](automation-overview.md). - Configure service authorization and authentication for the Azure Resource Manager APIs.
- - If you're not already using Azure Resource Manager APIs, [register your client app with Azure AD](/rest/api/azure/#register-your-client-application-with-azure-ad). Registration creates a service principal for you to use to call the APIs.
+ - If you're not already using Azure Resource Manager APIs, [register your client app with Microsoft Entra ID](/rest/api/azure/#register-your-client-application-with-azure-ad). Registration creates a service principal for you to use to call the APIs.
- Assign the service principal access to the scopes needed, as outlined below.
- - Update any programming code to use [Azure AD authentication](/rest/api/azure/#create-the-request) with your service principal.
+ - Update any programming code to use [Microsoft Entra authentication](/rest/api/azure/#create-the-request) with your service principal.
## Assign service principal access to Azure Resource Manager APIs
cost-management-billing Migrate Ea Reporting Arm Apis Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/migrate-ea-reporting-arm-apis-overview.md
The following information describes the differences between the older Azure Ente
| Use | Azure Enterprise Reporting APIs | Microsoft Cost Management APIs | | | | |
-| Authentication | API key provisioned in the Enterprise Agreement (EA) portal | Azure Active Directory (Azure AD) Authentication using user tokens or service principals. Service principals take the place of API keys. |
+| Authentication | API key provisioned in the Enterprise Agreement (EA) portal | Microsoft Entra authentication using user tokens or service principals. Service principals take the place of API keys. |
| Scopes and permissions | All requests are at the enrollment scope. API Key permission assignments will determine whether data for the entire enrollment, a department, or a specific account is returned. No user authentication. | Users or service principals are assigned access to the enrollment, department, or account scope. | | URI Endpoint | `https://consumption.azure.com` | `https://management.azure.com` | | Development status | In maintenance mode. On the path to deprecation. | In active development |
After you've migrated to the Cost Management APIs for your existing reporting sc
- Familiarize yourself with the [Azure Resource Manager REST APIs](/rest/api/azure). - If needed, determine which Enterprise Reporting APIs you use and see which Cost Management APIs to move to at [Migrate from Azure Enterprise Reporting to Microsoft Cost Management APIs](../automate/migrate-ea-reporting-arm-apis-overview.md).-- If you're not already using Azure Resource Manager APIs, [register your client app with Azure AD](/rest/api/azure/#register-your-client-application-with-azure-ad).-- If needed, update any of your programming code to use [Azure AD authentication](/rest/api/azure/#create-the-request) with your service principal.
+- If you're not already using Azure Resource Manager APIs, [register your client app with Microsoft Entra ID](/rest/api/azure/#register-your-client-application-with-azure-ad).
+- If needed, update any of your programming code to use [Microsoft Entra authentication](/rest/api/azure/#create-the-request) with your service principal.
cost-management-billing Understand Usage Details Fields https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/automate/understand-usage-details-fields.md
description: This article describes the fields in the usage data files. Previously updated : 07/19/2023 Last updated : 10/11/2023 -+ # Understand cost details fields
MPA accounts have all MCA terms, in addition to the MPA terms, as described in t
| CostInBillingCurrency | EA, MCA | Cost of the charge in the billing currency before credits or taxes. | | CostInPricingCurrency | MCA | Cost of the charge in the pricing currency before credits or taxes. | | Currency | EA, pay-as-you-go | See `BillingCurrency`. |
-| CustomerName | MPA | Name of the Azure Active Directory tenant for the customer's subscription. |
-| CustomerTenantId | MPA | Identifier of the Azure Active Directory tenant of the customer's subscription. |
+| CustomerName | MPA | Name of the Microsoft Entra tenant for the customer's subscription. |
+| CustomerTenantId | MPA | Identifier of the Microsoft Entra tenant of the customer's subscription. |
| Date┬╣ | All | The usage or purchase date of the charge. |
-| EffectivePrice | All | Blended unit price for the period. Blended prices average out any fluctuations in the unit price, like graduated tiering, which lowers the price as quantity increases over time. |
+| EffectivePrice┬▓ | All | Blended unit price for the period. Blended prices average out any fluctuations in the unit price, like graduated tiering, which lowers the price as quantity increases over time. |
| ExchangeRateDate | MCA | Date the exchange rate was established. | | ExchangeRatePricingToBilling | MCA | Exchange rate used to convert the cost in the pricing currency to the billing currency. | | Frequency | All | Indicates whether a charge is expected to repeat. Charges can either happen once (**OneTime**), repeat on a monthly or yearly basis (**Recurring**), or be based on usage (**UsageBased**). |
MPA accounts have all MCA terms, in addition to the MPA terms, as described in t
| InvoiceSectionId┬╣ | EA, MCA | Unique identifier for the EA department or MCA invoice section. | | InvoiceSectionName | EA, MCA | Name of the EA department or MCA invoice section. | | IsAzureCreditEligible | All | Indicates if the charge is eligible to be paid for using Azure credits (Values: `True` or `False`). |
-| Location | MCA | Normalized location of the resource, if different resource locations are configured for the same regions. Purchases and Marketplace usage may be shown as blank or `unassigned`. |
+| Location | MCA | Normalized location of the resource, if different resource locations are configured for the same regions. Purchases and Marketplace usage might be shown as blank or `unassigned`. |
| MeterCategory | All | Name of the classification category for the meter. For example, _Cloud services_ and _Networking_. | | MeterId┬╣ | All | The unique identifier for the meter. |
-| MeterName | All | The name of the meter. Purchases and Marketplace usage may be shown as blank or `unassigned`.|
+| MeterName | All | The name of the meter. Purchases and Marketplace usage might be shown as blank or `unassigned`.|
| MeterRegion | All | Name of the datacenter location for services priced based on location. See Location. |
-| MeterSubCategory | All | Name of the meter subclassification category. Purchases and Marketplace usage may be shown as blank or `unassigned`.|
+| MeterSubCategory | All | Name of the meter subclassification category. Purchases and Marketplace usage might be shown as blank or `unassigned`.|
| OfferId┬╣ | All | Name of the offer purchased. |
-| pay-as-you-goPrice | All | Retail price for the resource. |
+| pay-as-you-goPrice┬▓ | All | Retail price for the resource. |
| PartnerEarnedCreditApplied | MPA | Indicates whether the partner earned credit has been applied. | | PartnerEarnedCreditRate | MPA | Rate of discount applied if there's a partner earned credit (PEC), based on partner admin link access. |
-| PartnerName | MPA | Name of the partner Azure Active Directory tenant. |
-| PartnerTenantId | MPA | Identifier for the partner's Azure Active Directory tenant. |
+| PartnerName | MPA | Name of the partner Microsoft Entra tenant. |
+| PartnerTenantId | MPA | Identifier for the partner's Microsoft Entra tenant. |
| PartNumber┬╣ | EA, pay-as-you-go | Identifier used to get specific meter pricing. | | PlanName | EA, pay-as-you-go | Marketplace plan name. | | PreviousInvoiceId | MCA | Reference to an original invoice if the line item is a refund. |
MPA accounts have all MCA terms, in addition to the MPA terms, as described in t
| Tags┬╣ | All | Tags assigned to the resource. Doesn't include resource group tags. Can be used to group or distribute costs for internal chargeback. For more information, see [Organize your Azure resources with tags](https://azure.microsoft.com/updates/organize-your-azure-resources-with-tags/). | | Term | All | Displays the term for the validity of the offer. For example: For reserved instances, it displays 12 months as the Term. For one-time purchases or recurring purchases, Term is one month (SaaS, Marketplace Support). Not applicable for Azure consumption. | | UnitOfMeasure | All | The unit of measure for billing for the service. For example, compute services are billed per hour. |
-| UnitPrice | EA, pay-as-you-go | The price per unit for the charge. |
+| UnitPrice┬▓ | EA, pay-as-you-go | The price per unit for the charge. |
┬╣ Fields used to build a unique ID for a single cost record. Every record in your cost details file should be considered unique.
+┬▓ For MCA customers, prices are shown in the pricing currency in the Actual Cost and Amortized Cost reports. In contrast, for EA customers, the billing and pricing currencies are the same.
+ The cost details file itself doesnΓÇÖt uniquely identify individual records with an ID. Instead, you can use fields in the file flagged with ┬╣ to create a unique ID yourself. Some fields might differ in casing and spacing between account types. Older versions of pay-as-you-go cost details files have separate sections for the statement and daily cost.
+### Reconcile charges for MCA accounts
+
+MCA customers can use the following information to reconcile charges between billing and pricing currencies.
+
+1. Manually calculate the CostInPricingCurrency by: `(EffectivePrice)` * `(Quantity)`
+2. Convert the calculated CostInPricingCurrency to the CostInBillingCurrency by: `(CalculatedCostinPricingCurrency)` * `(ExchangeRatePricingToBilling)`
+3. Summarize the values that you calculated for `CostInBillingCurrency` and compare them to the invoice.
++ ### Rounding adjustment details Rounding adjustment isn't available in the cost details file during an open month. The adjustment is visible when the month closes and the invoice gets generated.
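Review bot: Step 3 of the new "Reconcile charges for MCA accounts" procedure tells the reader to compare the summed `CostInBillingCurrency` to the invoice, but the "Rounding adjustment details" text immediately below says the rounding adjustment is only present in the file once the month closes and the invoice is generated; step 3 should state that the comparison is done against a closed month. Also, steps 1 and 2 wrap each factor in its own code span (`(EffectivePrice)` * `(Quantity)`); one span per expression, `EffectivePrice * Quantity` and `CalculatedCostInPricingCurrency * ExchangeRatePricingToBilling`, reads better, and the lowercase "in" in `CalculatedCostinPricingCurrency` is inconsistent with `CostInPricingCurrency` in step 1.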
cost-management-billing Cost Management Error Codes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/costs/cost-management-error-codes.md
Error message `Unauthorized`.
**Mitigation**
-If using the ExternalBillingAccounts or ExternalSubscriptions APIs, verify that the Microsoft.CostManagement resource providerRP was [registered](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) for your Azure Active Directory instance. Resource Provider registration is required to use Cost Management for AWS.
+If using the ExternalBillingAccounts or ExternalSubscriptions APIs, verify that the Microsoft.CostManagement resource providerRP was [registered](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) for your Microsoft Entra instance. Resource Provider registration is required to use Cost Management for AWS.
If you get an `Empty GUID user id` error, update the bearer token associated with the request. You might temporarily see the error in the Azure portal, but it should resolve itself. If you continue to see the error in the Azure portal, refresh your browser.
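Review bot: `resource providerRP` in the rewritten sentence looks like a lost parenthetical and is carried over unchanged from the old line; since the line is being edited anyway, change it to `resource provider (RP)` or drop `RP`.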
cost-management-billing Get Started Partners https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/costs/get-started-partners.md
The following data fields are found in usage detail files and Cost Management AP
| billingProfileName | Name of the billing profile that groups costs across invoices in a single billing currency across the customers who have onboarded to a Microsoft customer agreement and the CSP customers that have made entitlement purchases like SaaS, Azure Marketplace, and reservations. | N/A | | invoiceSectionName | Name of the project that is being charged in the invoice. Not applicable for Microsoft Customer Agreements onboarded by partners. | N/A | | invoiceSectionID | Identifier of the project that is being charged in the invoice. Not applicable for Microsoft Customer Agreements onboarded by partners. | N/A |
-| **CustomerTenantID** | Identifier of the Azure Active Directory tenant of the customer's subscription. | Customer's organizational ID - the customer's Azure Active Directory TenantID. |
-| **CustomerName** | Name of the Azure Active Directory tenant for the customer's subscription. | Customer's organization name, as shown in the Partner Center. Important for reconciling the invoice with your system information. |
-| **CustomerTenantDomainName** | Domain name for the Azure Active Directory tenant of the customer's subscription. | Customer Azure Active Directory tenant domain. |
-| **PartnerTenantID** | Identifier for the partner's Azure Active Directory tenant. | Partner Azure Active Directory Tenant ID called as Partner ID, in GUID format. |
-| **PartnerName** | Name of the partner Azure Active Directory tenant. | Partner name. |
+| **CustomerTenantID** | Identifier of the Microsoft Entra tenant of the customer's subscription. | Customer's organizational ID - the customer's Microsoft Entra TenantID. |
+| **CustomerName** | Name of the Microsoft Entra tenant for the customer's subscription. | Customer's organization name, as shown in the Partner Center. Important for reconciling the invoice with your system information. |
+| **CustomerTenantDomainName** | Domain name for the Microsoft Entra tenant of the customer's subscription. | Customer Microsoft Entra tenant domain. |
+| **PartnerTenantID** | Identifier for the partner's Microsoft Entra tenant. | Partner Microsoft Entra tenant ID called as Partner ID, in GUID format. |
+| **PartnerName** | Name of the partner Microsoft Entra tenant. | Partner name. |
| **ResellerMPNID** | ID for the reseller associated with the subscription. | ID of the reseller on record for the subscription. Not available for current activity. | | costCenter | Cost center associated to the subscription. | N/A | | billingPeriodStartDate | Billing period start date, as shown on the invoice. | N/A |
cost-management-billing Migrate Cost Management Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/costs/migrate-cost-management-api.md
The following items help you transition to MCA APIs.
- Familiarize yourself with the new [Microsoft Customer Agreement billing account](../understand/mca-overview.md). - Determine which APIs you use and see which ones are replaced in the following section. - Familiarize yourself with [Azure Resource Manager REST APIs](/rest/api/azure).-- If you're not already using Azure Resource Manager APIs, [register your client app with Azure AD](/rest/api/azure/#register-your-client-application-with-azure-ad).-- Grant the application that was created during Azure AD app registration read access to the billing account using Access control (IAM).-- Update any programming code to [use Azure AD authentication](/rest/api/azure/#create-the-request).
+- If you're not already using Azure Resource Manager APIs, [register your client app with Microsoft Entra ID](/rest/api/azure/#register-your-client-application-with-azure-ad).
+- Grant the application that was created during Microsoft Entra app registration read access to the billing account using Access control (IAM).
+- Update any programming code to [use Microsoft Entra authentication](/rest/api/azure/#create-the-request).
- Update any programming code to replace EA API calls with MCA API calls. - Update error handling to use new error codes. - Review other integration offerings like Power BI for other needed action. ## EA APIs replaced with MCA APIs
-EA APIs use an API key for authentication and authorization. MCA APIs use Azure AD authentication.
+EA APIs use an API key for authentication and authorization. MCA APIs use Microsoft Entra authentication.
| Purpose | EA API | MCA API | | | | |
The [Get Balance Summary](/rest/api/billing/enterprise/billing-enterprise-api-ba
- Adjustments - Service overage charges
-All Consumption APIs are replaced by native Azure APIs that use Azure AD for authentication and authorization. For more information about calling Azure REST APIs, see [Getting started with REST](/rest/api/azure/#create-the-request).
+All Consumption APIs are replaced by native Azure APIs that use Microsoft Entra ID for authentication and authorization. For more information about calling Azure REST APIs, see [Getting started with REST](/rest/api/azure/#create-the-request).
The Get Balance Summary API is replaced by the Microsoft.Billing/billingAccounts/billingProfiles/availableBalance API.
Some property names have changed in the new Cost Details dataset available throu
## Billing Periods API replaced by Invoices API
-MCA billing accounts don't use billing periods. Instead, they use invoices to scope costs to specific billing periods. The [Billing Periods API](/rest/api/billing/enterprise/billing-enterprise-api-billing-periods) is replaced by the Invoices API. All Consumption APIs are replaced by native Azure APIs that use Azure AD for authentication and authorization. For more information about calling Azure REST APIs, see [Getting started with REST](/rest/api/azure/#create-the-request).
+MCA billing accounts don't use billing periods. Instead, they use invoices to scope costs to specific billing periods. The [Billing Periods API](/rest/api/billing/enterprise/billing-enterprise-api-billing-periods) is replaced by the Invoices API. All Consumption APIs are replaced by native Azure APIs that use Microsoft Entra ID for authentication and authorization. For more information about calling Azure REST APIs, see [Getting started with REST](/rest/api/azure/#create-the-request).
To get invoices with the Invoices API:
To get invoices with the Invoices API:
## Price Sheet APIs
-This section discusses existing Price Sheet APIs and provides recommendations to move to the Price Sheet API for Microsoft Customer Agreements. It also discusses the Price Sheet API for Microsoft Customer Agreements and explains fields in the price sheets. The [Enterprise Get price sheet](/rest/api/billing/enterprise/billing-enterprise-api-pricesheet) and [Enterprise Get billing periods](/rest/api/billing/enterprise/billing-enterprise-api-billing-periods) APIs are replaced by the Price Sheet API for Microsoft Customer Agreements (Microsoft.Billing/billingAccounts/billingProfiles/pricesheet). The new API supports both JSON and CSV formats, in asynchronous REST formats. All Consumption APIs are replaced by native Azure APIs that use Azure AD for authentication and authorization. For more information about calling Azure REST APIs, see [Getting started with REST](/rest/api/azure/#create-the-request).
+This section discusses existing Price Sheet APIs and provides recommendations to move to the Price Sheet API for Microsoft Customer Agreements. It also discusses the Price Sheet API for Microsoft Customer Agreements and explains fields in the price sheets. The [Enterprise Get price sheet](/rest/api/billing/enterprise/billing-enterprise-api-pricesheet) and [Enterprise Get billing periods](/rest/api/billing/enterprise/billing-enterprise-api-billing-periods) APIs are replaced by the Price Sheet API for Microsoft Customer Agreements (Microsoft.Billing/billingAccounts/billingProfiles/pricesheet). The new API supports both JSON and CSV formats, in asynchronous REST formats. All Consumption APIs are replaced by native Azure APIs that use Microsoft Entra ID for authentication and authorization. For more information about calling Azure REST APIs, see [Getting started with REST](/rest/api/azure/#create-the-request).
### Billing Enterprise APIs
-You used Billing Enterprise APIs with Enterprise enrollments to get price and billing period information. Authentication and authorization used Azure Active Directory web tokens.
+You used Billing Enterprise APIs with Enterprise enrollments to get price and billing period information. Authentication and authorization used Microsoft Entra web tokens.
To get applicable prices for the specified Enterprise Enrollment with the Price Sheet and Billing Period APIs:
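Review bot: "Microsoft Entra web tokens" on the rewritten `You used Billing Enterprise APIs ...` line is not a defined term; say "access tokens issued by Microsoft Entra ID (sent as a bearer token)" so it matches the [Getting started with REST](/rest/api/azure/#create-the-request) link used throughout this file. While the line is being touched, reconcile it with the earlier statement "EA APIs use an API key for authentication and authorization": one paragraph says EA APIs used an API key and this one says the Billing Enterprise APIs used directory tokens, so spell out which EA API family used which mechanism, since that determines what credential a migrating caller has to retire.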
The following fields are either not available in Microsoft Customer Agreement Pr
## Reservation Instance Charge API replaced
-You can get billing transactions for reservation purchases with the [Reserved Instance Charge API](/rest/api/billing/enterprise/billing-enterprise-api-reserved-instance-charges). The new API includes all purchases, including third-party Marketplace offerings. All Consumption APIs are replaced by native Azure APIs that use Azure AD for authentication and authorization. For more information about calling Azure REST APIs, see [Getting started with REST](/rest/api/azure/#create-the-request). The Reserved Instance Charge API is replaced by the Transactions API.
+You can get billing transactions for reservation purchases with the [Reserved Instance Charge API](/rest/api/billing/enterprise/billing-enterprise-api-reserved-instance-charges). The new API includes all purchases, including third-party Marketplace offerings. All Consumption APIs are replaced by native Azure APIs that use Microsoft Entra ID for authentication and authorization. For more information about calling Azure REST APIs, see [Getting started with REST](/rest/api/azure/#create-the-request). The Reserved Instance Charge API is replaced by the Transactions API.
To get reservation purchase transactions with the Transactions API:
Reserved Instance Purchase Recommendations APIs provide virtual machine usage ov
- [Shared Reserved Instance Recommendation API](/rest/api/billing/enterprise/billing-enterprise-api-reserved-instance-recommendation#request-for-shared-reserved-instance-recommendations) - [Single Reserved Instance Recommendations API](/rest/api/billing/enterprise/billing-enterprise-api-reserved-instance-recommendation#request-for-single-reserved-instance-recommendations)
-All Consumption APIs are replaced by native Azure APIs that use Azure AD for authentication and authorization. For more information about calling Azure REST APIs, see [Getting started with REST](/rest/api/azure/#create-the-request). The reservation recommendations APIs listed previously are replaced by the [Microsoft.Consumption/reservationRecommendations](/rest/api/consumption/reservationrecommendations/list) API.
+All Consumption APIs are replaced by native Azure APIs that use Microsoft Entra ID for authentication and authorization. For more information about calling Azure REST APIs, see [Getting started with REST](/rest/api/azure/#create-the-request). The reservation recommendations APIs listed previously are replaced by the [Microsoft.Consumption/reservationRecommendations](/rest/api/consumption/reservationrecommendations/list) API.
To get reservation recommendations with the Reservation Recommendations API:
They include:
- [Reserved Instance Usage Details](/rest/api/billing/enterprise/billing-enterprise-api-reserved-instance-usage#request-for-reserved-instance-usage-details) - [Reserved Instance Usage Summary](/rest/api/billing/enterprise/billing-enterprise-api-reserved-instance-usage)
-All Consumption APIs are replaced by native Azure APIs that use Azure AD for authentication and authorization. For more information about calling Azure REST APIs, see [Getting started with REST](/rest/api/azure/#create-the-request). The reservation recommendations APIs listed previously are replaced by the [Microsoft.Consumption/reservationDetails](/rest/api/consumption/reservationsdetails) and [Microsoft.Consumption/reservationSummaries](/rest/api/consumption/reservationssummaries) APIs.
+All Consumption APIs are replaced by native Azure APIs that use Microsoft Entra ID for authentication and authorization. For more information about calling Azure REST APIs, see [Getting started with REST](/rest/api/azure/#create-the-request). The reservation recommendations APIs listed previously are replaced by the [Microsoft.Consumption/reservationDetails](/rest/api/consumption/reservationsdetails) and [Microsoft.Consumption/reservationSummaries](/rest/api/consumption/reservationssummaries) APIs.
To get reservation details with the Reservation Details API:
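Review bot: The rewritten line still says "The reservation recommendations APIs listed previously are replaced by the [Microsoft.Consumption/reservationDetails] and [Microsoft.Consumption/reservationSummaries] APIs", but the list directly above it is Reserved Instance Usage Details and Reserved Instance Usage Summary; the recommendations sentence belongs to the previous section, which already has it. Suggest "The reservation usage APIs listed previously are replaced by ..." in the `+` line, otherwise the rename carries the copy-paste error forward.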
cost-management-billing Save Share Views https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/costs/save-share-views.md
Use the following table for each property in the URL.
| URL property | Description| | | | | **portal-domain** | Primary domain for the Azure portal. For example, `portal.azure.com` or `portal.azure.us`). |
-| **directory-domain** | Domain used by your Azure Active Directory. You can also use the tenant ID. If it's omitted, the portal tries to use the default directory for the user that selected the link - it might differ from the scope. |
+| **directory-domain** | Domain used by your Microsoft Entra ID. You can also use the tenant ID. If it's omitted, the portal tries to use the default directory for the user that selected the link - it might differ from the scope. |
| **scope-id** | Full Resource Manager ID for the resource group, subscription, management group, or billing account you want to view cost for. If not specified, Cost Management uses the last view the user used in the Azure portal. The value must be URL encoded. | | **view-config** | Encoded view configuration. See the following details. If not specified, cost analysis uses the `view-id` parameter. If neither are specified, cost analysis uses the built-in Accumulated cost view. | | **view-id** | Full Resource Manager ID for the private or shared view to load. This value must be URL encoded. If not specified, cost analysis uses the `view` parameter. If neither are specified, cost analysis uses the built-in Accumulated cost view. |
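Review bot: "Domain used by your Microsoft Entra ID" reads as if the product itself had a domain; the `directory-domain` URL property is the tenant's domain name (or the tenant ID). Suggest "Verified domain name of your Microsoft Entra tenant. You can also use the tenant ID." The rest of the row is worth keeping as is: when the property is omitted the portal falls back to the signed-in user's default directory, which can differ from the directory that owns the `scope-id`, so a shared link without it may open in the wrong tenant.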
cost-management-billing Understand Work Scopes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/costs/understand-work-scopes.md
This article helps you understand billing and resource management scopes availab
## Scopes
-A _scope_ is a node in the Azure resource hierarchy where Azure AD users access and manage services. Most Azure resources are created and deployed into resource groups, which are part of subscriptions. Microsoft also offers two hierarchies above Azure subscriptions that have specialized roles to manage billing data:
+A _scope_ is a node in the Azure resource hierarchy where Microsoft Entra users access and manage services. Most Azure resources are created and deployed into resource groups, which are part of subscriptions. Microsoft also offers two hierarchies above Azure subscriptions that have specialized roles to manage billing data:
- Billing data, such as payments and invoices - Cloud services, such as cost and policy governance
Management groups allow you to organize subscriptions into a hierarchy. For exam
Creating an organizational hierarchy allows cost and policy compliance to roll up organizationally. Then, each leader can view and analyze their current costs. And then they can create budgets to curb bad spending patterns and optimize costs with Advisor recommendations at the lowest level.
-Granting access to view costs and optionally manage cost configuration, such as budgets and exports, is done on governance scopes using Azure RBAC. You use Azure RBAC to grant Azure AD users and groups access to do a predefined set of actions. The actions are defined in a role on a specific scope and lower. For instance, a role assigned to a management group scope also grants the same permissions to nested subscriptions and resource groups.
+Granting access to view costs and optionally manage cost configuration, such as budgets and exports, is done on governance scopes using Azure RBAC. You use Azure RBAC to grant Microsoft Entra users and groups access to do a predefined set of actions. The actions are defined in a role on a specific scope and lower. For instance, a role assigned to a management group scope also grants the same permissions to nested subscriptions and resource groups.
Cost Management supports the following built-in roles for each of the following scopes:
Cost Management Contributor is the recommended least-privilege role. The role al
> [!NOTE] > Management groups aren't currently supported in Cost Management features for Microsoft Customer Agreement subscriptions. The [Cost Details API](/rest/api/cost-management/generate-cost-details-report/create-operation) also doesn't support management groups for either EA or MCA customers.
-Management groups are only supported if they contain up to 3,000 Enterprise Agreement (EA), Pay-as-you-go (PAYG), or Microsoft internal subscriptions. Management groups with more than 3,000 subscriptions or subscriptions with other offer types, like Microsoft Customer Agreement or Azure Active Directory subscriptions, can't view costs.
+Management groups are only supported if they contain up to 3,000 Enterprise Agreement (EA), Pay-as-you-go (PAYG), or Microsoft internal subscriptions. Management groups with more than 3,000 subscriptions or subscriptions with other offer types, like Microsoft Customer Agreement or Microsoft Entra subscriptions, can't view costs.
-If you have a mix of subscriptions, move the unsupported subscriptions to a separate arm of the management group hierarchy to enable Cost Management for the supported subscriptions. As an example, create two management groups under the root management group: **Azure AD** and **My Org**. Move your Azure AD subscription to the **Azure AD** management group and then view and manage costs using the **My Org** management group.
+If you have a mix of subscriptions, move the unsupported subscriptions to a separate arm of the management group hierarchy to enable Cost Management for the supported subscriptions. As an example, create two management groups under the root management group: **Microsoft Entra ID** and **My Org**. Move your Microsoft Entra subscription to the **Microsoft Entra ID** management group and then view and manage costs using the **My Org** management group.
### Feature behavior for each role
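Review bot: The example management-group name "**Microsoft Entra ID**" in the rewritten paragraph now collides with the product name, and the sentence before it introduces "Microsoft Entra subscriptions" as an offer type without saying what that offer is. Suggest a neutral example such as "**Unsupported offers**" for the group that holds the moved subscriptions, and keep "Microsoft Entra ID" only where the product is meant; the substance of the hunk (move unsupported offer types out of the branch you report costs on, because a management group with them can't view costs) is fine.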
Enterprise Agreement (EA) billing accounts, also called enrollments, have the fo
Resource type: `Microsoft.Billing/billingAccounts/enrollmentAccounts`
-Although governance scopes are bound to a single directory, EA billing scopes aren't. An EA billing account may have subscriptions across any number of Azure AD directories.
+Although governance scopes are bound to a single directory, EA billing scopes aren't. An EA billing account may have subscriptions across any number of Microsoft Entra directories.
EA billing scopes support the following roles:
Microsoft Customer Agreement billing accounts have the following scopes:
- **Customer** - Represents a group of subscriptions that are associated to a specific customer that is onboarded to a Microsoft Customer Agreement by partner. This scope is specific to Cloud Solution Providers (CSP).
-Unlike EA billing scopes, Customer Agreement billing accounts _are_ managed by a single directory. Microsoft Customer Agreement billing accounts can have *linked* subscriptions that could be in different Azure AD directories.
+Unlike EA billing scopes, Customer Agreement billing accounts _are_ managed by a single directory. Microsoft Customer Agreement billing accounts can have *linked* subscriptions that could be in different Microsoft Entra directories.
Customer Agreement billing scopes don't apply to partners. Partner roles and permissions are documented at [Assign users roles and permissions](/partner-center/permissions-overview).
cost-management-billing Add Change Subscription Administrator https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/add-change-subscription-administrator.md
If you still need help, [contact support](https://portal.azure.com/?#blade/Micro
* [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md) * [Understand the different roles in Azure](../../role-based-access-control/rbac-and-directory-admin-roles.md)
-* [Associate or add an Azure subscription to your Azure Active Directory tenant](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md)
-* [Administrator role permissions in Azure Active Directory](../../active-directory/roles/permissions-reference.md)
+* [Associate or add an Azure subscription to your Microsoft Entra tenant](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md)
+* [Administrator role permissions in Microsoft Entra ID](../../active-directory/roles/permissions-reference.md)
cost-management-billing Assign Roles Azure Service Principals https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/assign-roles-azure-service-principals.md
Before you begin, ensure that you're familiar with the following articles:
## Create and authenticate your service principal
-To automate EA actions by using an SPN, you need to create an Azure Active Directory (Azure AD) application. It can authenticate in an automated manner.
+To automate EA actions by using an SPN, you need to create a Microsoft Entra application. It can authenticate in an automated manner.
Follow the steps in these articles to create and authenticate your service principal.
Here's an example of the application registration page.
### Find your SPN and tenant ID
-You also need the object ID of the SPN and the tenant ID of the app. You need this information for permission assignment operations later in this article. All applications are registered in Azure AD in the tenant. Two types of objects get created when the app registration is completed:
+You also need the object ID of the SPN and the tenant ID of the app. You need this information for permission assignment operations later in this article. All applications are registered in Microsoft Entra ID in the tenant. Two types of objects get created when the app registration is completed:
-- Application object - The application object ID is what you see under App Registrations in Azure AD. The object ID should *not* be used to grant any EA roles.
+- Application object - The application object ID is what you see under App Registrations in Microsoft Entra ID. The object ID should *not* be used to grant any EA roles.
-- Service Principal object - The Service Principal object is what you see in the Enterprise Registration window in Azure AD. The object ID is used to grant EA roles to the SPN.
+- Service Principal object - The Service Principal object is what you see in the Enterprise Registration window in Microsoft Entra ID. The object ID is used to grant EA roles to the SPN.
-1. Open Azure Active Directory, and then select **Enterprise applications**.
+1. Open Microsoft Entra ID, and then select **Enterprise applications**.
1. Find your app in the list. :::image type="content" source="./media/assign-roles-azure-service-principals/enterprise-application.png" alt-text="Screenshot showing an example enterprise application." lightbox="./media/assign-roles-azure-service-principals/enterprise-application.png" :::
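Review bot: "the Enterprise Registration window in Microsoft Entra ID" on the Service Principal object line does not match the navigation in the very next step ("Open Microsoft Entra ID, and then select **Enterprise applications**"); use "the **Enterprise applications** blade" in both places so the reader copies the object ID from the right object. This matters because, as the preceding line says, the application object ID shown under App registrations must not be used for the EA role assignment.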
You also need the object ID of the SPN and the tenant ID of the app. You need th
:::image type="content" source="./media/assign-roles-azure-service-principals/application-id-object-id.png" alt-text="Screenshot showing an application ID and object ID for an enterprise application." lightbox="./media/assign-roles-azure-service-principals/application-id-object-id.png" :::
-1. Go to the Microsoft Azure AD **Overview** page to find the tenant ID.
+1. Go to the Microsoft Entra ID **Overview** page to find the tenant ID.
:::image type="content" source="./media/assign-roles-azure-service-principals/tenant-id.png" alt-text="Screenshot showing the tenant ID." lightbox="./media/assign-roles-azure-service-principals/tenant-id.png" ::: >[!NOTE]
->Your tenant ID might be called a principal ID, SPN, or object ID in other locations. The value of your Azure AD tenant ID looks like a GUID with the following format: `11111111-1111-1111-1111-111111111111`.
+>Your tenant ID might be called a principal ID, SPN, or object ID in other locations. The value of your Microsoft Entra tenant ID looks like a GUID with the following format: `11111111-1111-1111-1111-111111111111`.
## Permissions that can be assigned to the SPN
-Later in this article, you'll give permission to the Azure AD app to act by using an EA role. You can assign only the following roles to the SPN, and you need the role definition ID, exactly as shown.
+Later in this article, you'll give permission to the Microsoft Entra app to act by using an EA role. You can assign only the following roles to the SPN, and you need the role definition ID, exactly as shown.
| Role | Actions allowed | Role definition ID | | | | |
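Review bot: The note "Your tenant ID might be called a principal ID, SPN, or object ID in other locations" is wrong and undercuts the distinction this section just drew: the tenant ID identifies the directory, while the principal/object ID identifies the service principal (the value from Enterprise applications that is used to grant EA roles). Both are GUIDs of the same shape, so a reader following this note could paste the tenant ID where the SPN object ID belongs. Suggest rewording the `+` line to "Don't confuse the tenant ID with the service principal's object ID. Both are GUIDs with the format `11111111-1111-1111-1111-111111111111`, but only the object ID is used for role assignment." Since the line is already being edited for the rename, fix it in this PR.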
cost-management-billing Billing Subscription Transfer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/billing-subscription-transfer.md
When you send or accept a transfer request, you agree to terms and conditions. F
:::image type="content" source="./media/billing-subscription-transfer/select-transfer-billing-ownership.png" alt-text="Screenshot showing the Transfer billing ownership option." lightbox="./media/billing-subscription-transfer/select-transfer-billing-ownership.png" ::: 1. On the Transfer billing ownership page, enter the email address of a user that is a billing administrator of the account that becomes the new owner for the subscription. :::image type="content" source="./media/billing-subscription-transfer/transfer-billing-ownership-page.png" alt-text="Screenshot showing the Transfer billing ownership page." lightbox="./media/billing-subscription-transfer/transfer-billing-ownership-page.png" :::
-1. If you're transferring your subscription to an account in another Azure AD tenant, select **Move subscription tenant** to move the subscription to the new account's tenant. For more information, see [Transferring subscription to an account in another Azure AD tenant](#transfer-a-subscription-to-another-azure-ad-tenant-account).
+1. If you're transferring your subscription to an account in another Microsoft Entra tenant, select **Move subscription tenant** to move the subscription to the new account's tenant. For more information, see [Transferring subscription to an account in another Microsoft Entra tenant](#transfer-a-subscription-to-another-azure-ad-tenant-account).
> [!IMPORTANT]
- > If you choose to move the subscription to the new account's Azure AD tenant, all [Azure role assignments](../../role-based-access-control/role-assignments-portal.md) to access resources in the subscription are permanently removed. Only the user in the new account who accepts your transfer request will have access to manage resources in the subscription. Alternatively, you can clear the **Move subscription tenant** option to transfer billing ownership without moving the subscription to the new account's tenant. If you do so, existing Azure role assignments to access Azure resources will be maintained.
+ > If you choose to move the subscription to the new account's Microsoft Entra tenant, all [Azure role assignments](../../role-based-access-control/role-assignments-portal.md) to access resources in the subscription are permanently removed. Only the user in the new account who accepts your transfer request will have access to manage resources in the subscription. Alternatively, you can clear the **Move subscription tenant** option to transfer billing ownership without moving the subscription to the new account's tenant. If you do so, existing Azure role assignments to access Azure resources will be maintained.
1. Select **Send transfer request**. 1. The user gets an email with instructions to review your transfer request. ![Subscription transfer email sent to the recipient](./media/billing-subscription-transfer/billing-receiver-email.png)
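Review bot: The IMPORTANT callout states that moving the subscription tenant permanently removes all Azure role assignments and that only the accepting user keeps access, but the procedure gives the sender no step to record those assignments first. Suggest adding, before "Select **Send transfer request**", an instruction to export the current assignments (for example `az role assignment list --subscription <subscription-id> --all --output json`) so the new owner can re-create them; otherwise the only record of who had access is lost with the transfer, and the fallback the text offers (clearing **Move subscription tenant**) changes what is transferred rather than preserving the record.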
When you send or accept a transfer request, you agree to terms and conditions. F
![Third subscription transfer web page](./media/billing-subscription-transfer/billing-accept-ownership-step3.png) 1. Success! The subscription is now transferred.
-## Transfer a subscription to another Azure AD tenant account
+<a name='transfer-a-subscription-to-another-azure-ad-tenant-account'></a>
-An Azure Active Directory (AD) tenant is created for you when you sign up for Azure. The tenant represents your account. You use the tenant to manage access to your subscriptions and resources.
+## Transfer a subscription to another Microsoft Entra tenant account
-When you create a new subscription, it's hosted in your account's Azure AD tenant. If you want to give others access to your subscription or its resources, you need to invite them to join your tenant. Doing so helps you control access to your subscriptions and resources.
+A Microsoft Entra tenant is created for you when you sign up for Azure. The tenant represents your account. You use the tenant to manage access to your subscriptions and resources.
-When you transfer billing ownership of your subscription to an account in another Azure AD tenant, you can move the subscription to the new account's tenant. If you do so, all users, groups, or service principals that had [Azure role assignments](../../role-based-access-control/role-assignments-portal.md) to manage subscriptions and its resources lose their access. Only the user in the new account who accepts your transfer request has access to manage the resources. The new owner must manually add these users to the subscription to provide access to the user who lost it. For more information, see [Transfer an Azure subscription to a different Azure AD directory](../../role-based-access-control/transfer-subscription.md).
+When you create a new subscription, it's hosted in your account's Microsoft Entra tenant. If you want to give others access to your subscription or its resources, you need to invite them to join your tenant. Doing so helps you control access to your subscriptions and resources.
+
+When you transfer billing ownership of your subscription to an account in another Microsoft Entra tenant, you can move the subscription to the new account's tenant. If you do so, all users, groups, or service principals that had [Azure role assignments](../../role-based-access-control/role-assignments-portal.md) to manage subscriptions and its resources lose their access. Only the user in the new account who accepts your transfer request has access to manage the resources. The new owner must manually add these users to the subscription to provide access to the user who lost it. For more information, see [Transfer an Azure subscription to a different Microsoft Entra directory](../../role-based-access-control/transfer-subscription.md).
## Transfer Visual Studio and Partner Network subscriptions
Use the following troubleshooting information if you're having trouble transferr
> [!Note] > This section specifically applies to a billing account for a Microsoft Customer Agreement. Check if you have access to a [Microsoft Customer Agreement](mca-request-billing-ownership.md#check-for-access).
-It's possible that the original billing account owner who created an Azure account and an Azure subscription leaves your organization. If that situation happens, then their user identity is no longer in the organization's Azure Active Directory. Then the Azure subscription doesn't have a billing owner. This situation prevents anyone from performing billing operations to the account, including viewing and paying bills. The subscription could go into a past-due state. Eventually, the subscription could get disabled because of nonpayment. Ultimately, the subscription could get deleted, affecting every service that runs on the subscription.
+It's possible that the original billing account owner who created an Azure account and an Azure subscription leaves your organization. If that situation happens, then their user identity is no longer in the organization's Microsoft Entra ID. Then the Azure subscription doesn't have a billing owner. This situation prevents anyone from performing billing operations to the account, including viewing and paying bills. The subscription could go into a past-due state. Eventually, the subscription could get disabled because of nonpayment. Ultimately, the subscription could get deleted, affecting every service that runs on the subscription.
-When a subscription no longer has a valid billing account owner, Azure sends an email to other Billing account owners, Service Administrators (if any), Co-Administrators (if any), and Subscription Owners informing them of the situation and provides them with a link to accept billing ownership of the subscription. Any one of the users can select the link to accept billing ownership. For more information about billing roles, see [Billing Roles](understand-mca-roles.md) and [Azure roles, Azure AD roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).
+When a subscription no longer has a valid billing account owner, Azure sends an email to other Billing account owners, Service Administrators (if any), Co-Administrators (if any), and Subscription Owners informing them of the situation and provides them with a link to accept billing ownership of the subscription. Any one of the users can select the link to accept billing ownership. For more information about billing roles, see [Billing Roles](understand-mca-roles.md) and [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).
Here's an example of what the email looks like.
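Review bot: "their user identity is no longer in the organization's Microsoft Entra ID" should be "the organization's Microsoft Entra tenant"; elsewhere in this file the rename uses "Microsoft Entra tenant" for the directory (for example the section heading "Transfer a subscription to another Microsoft Entra tenant account"), and using the product name for the directory here reads as a different object. The rest of the hunk, including the fallback email to other billing account owners, Service Administrators, Co-Administrators and Subscription Owners, is fine.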
cost-management-billing Cancel Azure Subscription https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/cancel-azure-subscription.md
You may not have the permissions required to cancel a subscription. See [Who can
*I need to remove my account including all my personal information. I already canceled my active (Free Trial) subscriptions. I don't have any active subscriptions, and would like to totally delete my account*.
-* If you have an Azure Active Directory account via your organization, the Azure AD administrator could delete the account. After that, your services are disabled. That means your virtual machines are deallocated, temporary IP addresses are freed, and storage is read-only. In summary, once you cancel, billing is stopped immediately.
+* If you have a Microsoft Entra account via your organization, the Microsoft Entra administrator could delete the account. After that, your services are disabled. That means your virtual machines are deallocated, temporary IP addresses are freed, and storage is read-only. In summary, once you cancel, billing is stopped immediately.
-* If you don't have an Azure AD account via your organization, you can cancel then delete your Azure subscriptions, and then remove your credit card from the account. While the action doesn't delete the account, it renders it inoperable. You can go a step further and also delete the associated Microsoft account if it's not being used for any other purpose.
+* If you don't have a Microsoft Entra account via your organization, you can cancel then delete your Azure subscriptions, and then remove your credit card from the account. While the action doesn't delete the account, it renders it inoperable. You can go a step further and also delete the associated Microsoft account if it's not being used for any other purpose.
## How do I cancel a Visual Studio Professional account?
cost-management-billing Change Azure Account Profile https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/change-azure-account-profile.md
This article helps you update contact information for a *billing account* in the Azure portal. The instructions to update the contact information vary by the billing account type. To learn more about billing accounts and identify your billing account type, see [View billing accounts in Azure portal](view-all-accounts.md). An Azure billing account is separate from your Azure user account and [Microsoft account](https://account.microsoft.com/).
-If you want to update your Azure Active Directory user profile information, only a user administrator can make the changes. If you're not assigned the user administrator role, contact your user administrator. For more information about changing a user's profile, see [Add or update a user's profile information using Azure Active Directory](../../active-directory/fundamentals/active-directory-users-profile-azure-portal.md).
+If you want to update your Microsoft Entra user profile information, only a user administrator can make the changes. If you're not assigned the user administrator role, contact your user administrator. For more information about changing a user's profile, see [Add or update a user's profile information using Microsoft Entra ID](../../active-directory/fundamentals/active-directory-users-profile-azure-portal.md).
*Sold-to address* - The sold-to address is the address and the contact information of the organization or the individual, who is responsible for a billing account. It's displayed in all the invoices generated for the billing account.
cost-management-billing Create Enterprise Subscription https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/create-enterprise-subscription.md
# Create an Enterprise Agreement subscription
-This article helps you create an [Enterprise Agreement (EA)](https://azure.microsoft.com/pricing/enterprise-agreement/) subscription for yourself or for someone else in your current Azure Active Directory (Azure AD) directory/tenant. You may want another subscription to avoid hitting subscription quota limits, to create separate environments for security, or to isolate data for compliance reasons.
+This article helps you create an [Enterprise Agreement (EA)](https://azure.microsoft.com/pricing/enterprise-agreement/) subscription for yourself or for someone else in your current Microsoft Entra directory/tenant. You may want another subscription to avoid hitting subscription quota limits, to create separate environments for security, or to isolate data for compliance reasons.
If you want to create subscriptions for Microsoft Customer Agreements, see [Create a Microsoft Customer Agreement subscription](create-subscription.md). If you're a Microsoft Partner and you want to create a subscription for a customer, see [Create a subscription for a partner's customer](create-customer-subscription.md). Or, if you have a Microsoft Online Service Program (MOSP) billing account, also called pay-as-you-go, you can create subscriptions starting in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and then you complete the process at https://signup.azure.com/.
An account owner uses the following information to create an EA subscription.
1. Select an **Offer type**, select **Enterprise Dev/Test** if the subscription will be used for development or testing workloads. Otherwise, select **Microsoft Azure Enterprise**. :::image type="content" source="./media/create-enterprise-subscription/create-subscription-basics-tab-enterprise-agreement.png" alt-text="Screenshot showing the Basics tab where you enter basic information about the enterprise subscription." lightbox="./media/create-enterprise-subscription/create-subscription-basics-tab-enterprise-agreement.png" ::: 1. Select the **Advanced** tab.
-1. Select your **Subscription directory**. It's the Azure Active Directory (Azure AD) where the new subscription will get created.
-1. Select a **Management group**. It's the Azure AD management group that the new subscription is associated with. You can only select management groups in the current directory.
+1. Select your **Subscription directory**. It's the Microsoft Entra ID where the new subscription will get created.
+1. Select a **Management group**. It's the Microsoft Entra management group that the new subscription is associated with. You can only select management groups in the current directory.
1. Select more or more **Subscription owners**. You can select only users or service principals in the selected subscription directory. You can't select guest directory users. If you select a service principal, enter its App ID. :::image type="content" source="./media/create-enterprise-subscription/create-subscription-advanced-tab.png" alt-text="Screenshot showing the Advanced tab where you specify the directory, management group, and owner for the EA subscription. " lightbox="./media/create-enterprise-subscription/create-subscription-advanced-tab.png" ::: 1. Select the **Tags** tab.
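Review bot: The renamed 'Subscription directory' step now reads "It's the Microsoft Entra ID where the new subscription will get created", which uses the service name as if it were a directory; the old text named the directory ("Azure Active Directory"), the new text names the service. Suggest "It's the Microsoft Entra tenant (directory) where the new subscription will get created." The following step has the same problem: "Microsoft Entra management group" describes a construct that this page's own link list files under governance/management-groups, so "the management group that the new subscription is associated with" is sufficient. The unchanged step after the hunk still says "Select more or more **Subscription owners**"; the Create Subscription article in this same update says "Select one or more", so fix the typo here as well.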
If you have questions or need help, [create a support request](https://go.micros
- [Add or change Azure subscription administrators](add-change-subscription-administrator.md) - [Move resources to new resource group or subscription](../../azure-resource-manager/management/move-resource-group-and-subscription.md) - [Create management groups for resource organization and management](../../governance/management-groups/create-management-group-portal.md)-- [Cancel your subscription for Azure](cancel-azure-subscription.md)
+- [Cancel your subscription for Azure](cancel-azure-subscription.md)
cost-management-billing Create Subscription Request https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/create-subscription-request.md
# Create a Microsoft Customer Agreement subscription request
-This article helps you create a [Microsoft Customer Agreement](https://azure.microsoft.com/pricing/purchase-options/microsoft-customer-agreement/) subscription for someone else that's in a different Azure Active Directory (Azure AD) directory/tenant. After the request is created, the recipient accepts the subscription request. You may want another subscription to avoid hitting subscription quota limits, to create separate environments for security, or to isolate data for compliance reasons.
+This article helps you create a [Microsoft Customer Agreement](https://azure.microsoft.com/pricing/purchase-options/microsoft-customer-agreement/) subscription for someone else that's in a different Microsoft Entra directory/tenant. After the request is created, the recipient accepts the subscription request. You may want another subscription to avoid hitting subscription quota limits, to create separate environments for security, or to isolate data for compliance reasons.
-If you instead want to create a subscription for yourself or for someone else in your current Azure Active Directory (Azure AD) directory/tenant, see [Create a Microsoft Customer Agreement subscription](create-subscription.md). If you want to create subscriptions for Enterprise Agreements, see [Create an EA subscription](create-enterprise-subscription.md). If you're a Microsoft Partner and you want to create a subscription for a customer, see [Create a subscription for a partner's customer](create-customer-subscription.md). Or, if you have a Microsoft Online Service Program (MOSP) billing account, also called pay-as-you-go, you can create subscriptions starting in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and then you complete the process at https://signup.azure.com/.
+If you instead want to create a subscription for yourself or for someone else in your current Microsoft Entra directory/tenant, see [Create a Microsoft Customer Agreement subscription](create-subscription.md). If you want to create subscriptions for Enterprise Agreements, see [Create an EA subscription](create-enterprise-subscription.md). If you're a Microsoft Partner and you want to create a subscription for a customer, see [Create a subscription for a partner's customer](create-customer-subscription.md). Or, if you have a Microsoft Online Service Program (MOSP) billing account, also called pay-as-you-go, you can create subscriptions starting in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and then you complete the process at https://signup.azure.com/.
To learn more about billing accounts and identify your billing account type, see [View billing accounts in Azure portal](view-all-accounts.md).
For more information, see [Subscription billing roles and task](understand-mca-r
## Create a subscription request
-The subscription creator uses the following procedure to create a subscription request for a person in a different Azure Active Directory (Azure AD). After creation, the request is sent to the subscription acceptor (recipient) by email.
+The subscription creator uses the following procedure to create a subscription request for a person in a different Microsoft Entra ID. After creation, the request is sent to the subscription acceptor (recipient) by email.
A link to the subscription request is also created. The creator can manually share the link with the acceptor.
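Review bot: "create a subscription request for a person in a different Microsoft Entra ID" is a mechanical substitution that loses the meaning of the original "different Azure Active Directory"; a user is in a different tenant, not a different product. Suggest "for a person in a different Microsoft Entra tenant", which also matches the wording already used in the article's introduction ("different Microsoft Entra directory/tenant").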
A link to the subscription request is also created. The creator can manually sha
1. Next to **Plan**, select **Microsoft Azure Plan for DevTest** if the subscription will be used for development or testing workloads. Otherwise, select **Microsoft Azure Plan**. :::image type="content" source="./media/create-subscription-request/create-subscription-basics-tab.png" alt-text="Screenshot showing the Basics tab where you enter basic information about the subscription." lightbox="./media/create-subscription-request/create-subscription-basics-tab.png" ::: 1. Select the **Advanced** tab.
-1. Select your **Subscription directory**. It's the Azure Active Directory (Azure AD) where the new subscription will get created.
+1. Select your **Subscription directory**. It's the Microsoft Entra ID where the new subscription will get created.
1. The **Management group** option is unavailable because you can only select management groups in the current directory. 1. Select more or more **Subscription owners**. You can select only users or service principals in the selected subscription directory. You can't select guest directory users. If you select a service principal, enter its App ID. :::image type="content" source="./media/create-subscription-request/create-subscription-advanced-tab-external.png" alt-text="Screenshot showing the Advanced tab where you specify the directory, management group, and owner. " lightbox="./media/create-subscription-request/create-subscription-advanced-tab-external.png" :::
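Review bot: As in the EA article, "It's the Microsoft Entra ID where the new subscription will get created" should say "Microsoft Entra tenant"; the step is asking the reader to pick a directory, and "Microsoft Entra ID" is the name of the service. The unchanged context line also carries the "Select more or more **Subscription owners**" typo ("one or more"), so this is a good commit to fix it in.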
Or, the subscription creator might have manually sent the acceptor an **Accept o
1. In either case above, select the link to open the Accept subscription ownership page in the Azure portal. 1. On the Basics tab, you can optionally change the subscription name.
-1. Select the Advanced tab where you can optionally change the Azure AD management group that the new subscription is associated with. You can only select management groups in the current directory.
+1. Select the Advanced tab where you can optionally change the Microsoft Entra management group that the new subscription is associated with. You can only select management groups in the current directory.
1. Select the Tags tab to optionally enter tag pairs for **Name** and **Value**. 1. Select the Review + accept tab. You should see a message stating `Validation passed. Click on the Accept button below to initiate subscription creation`. 1. Select **Accept**. You'll see a status message stating that the subscription is being created. Then you'll see another status message stating th the subscription was successfully created. The acceptor becomes the subscription owner.
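Review bot: "the Microsoft Entra management group that the new subscription is associated with" attributes management groups to Microsoft Entra; the page's own related-links list points to governance/management-groups, so drop the product qualifier: "change the management group that the new subscription is associated with." The unchanged context after the hunk also has "stating th the subscription was successfully created" ("that the"), worth fixing while the file is open.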
If you have questions or need help, [create a support request](https://go.micros
- [Add or change Azure subscription administrators](add-change-subscription-administrator.md) - [Move resources to new resource group or subscription](../../azure-resource-manager/management/move-resource-group-and-subscription.md) - [Create management groups for resource organization and management](../../governance/management-groups/create-management-group-portal.md)-- [Cancel your subscription for Azure](cancel-azure-subscription.md)
+- [Cancel your subscription for Azure](cancel-azure-subscription.md)
cost-management-billing Create Subscription https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/create-subscription.md
# Create a Microsoft Customer Agreement subscription
-This article helps you create a [Microsoft Customer Agreement](https://azure.microsoft.com/pricing/purchase-options/microsoft-customer-agreement/) subscription for yourself or for someone else in your current Azure Active Directory (Azure AD) directory/tenant. You may want another subscription to avoid hitting subscription quota limits, to create separate environments for security, or to isolate data for compliance reasons.
+This article helps you create a [Microsoft Customer Agreement](https://azure.microsoft.com/pricing/purchase-options/microsoft-customer-agreement/) subscription for yourself or for someone else in your current Microsoft Entra directory/tenant. You may want another subscription to avoid hitting subscription quota limits, to create separate environments for security, or to isolate data for compliance reasons.
-If you want to create a Microsoft Customer Agreement subscription in a different Azure AD tenant, see [Create an MCA subscription request](create-subscription-request.md).
+If you want to create a Microsoft Customer Agreement subscription in a different Microsoft Entra tenant, see [Create an MCA subscription request](create-subscription-request.md).
If you want to create subscriptions for Enterprise Agreements, see [Create an EA subscription](create-enterprise-subscription.md). If you're a Microsoft Partner and you want to create a subscription for a customer, see [Create a subscription for a partner's customer](create-customer-subscription.md). Or, if you have a Microsoft Online Service Program (MOSP) billing account, also called pay-as-you-go, you can create subscriptions starting in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and then you complete the process at https://signup.azure.com/.
For more information, see [Subscription billing roles and task](understand-mca-r
## Create a subscription
-Use the following procedure to create a subscription for yourself or for someone in the current Azure Active Directory. When you're done, the new subscription is created immediately.
+Use the following procedure to create a subscription for yourself or for someone in the current Microsoft Entra ID. When you're done, the new subscription is created immediately.
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Navigate to **Subscriptions** and then select **Add**.
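Review bot: "create a subscription for yourself or for someone in the current Microsoft Entra ID" should read "in the current Microsoft Entra tenant"; the original "current Azure Active Directory" meant the directory, and the article's own introduction already uses "current Microsoft Entra directory/tenant". Keeping one term for the tenant throughout the article avoids readers taking "Microsoft Entra ID" for something they must select.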
Use the following procedure to create a subscription for yourself or for someone
1. Next to **Plan**, select **Microsoft Azure Plan for DevTest** if the subscription is used for development or testing workloads. Otherwise, select **Microsoft Azure Plan**. :::image type="content" source="./media/create-subscription/create-subscription-basics-tab.png" alt-text="Screenshot showing the Basics tab where you enter basic information about the subscription." lightbox="./media/create-subscription/create-subscription-basics-tab.png" ::: 1. Select the **Advanced** tab.
-1. Select your **Subscription directory**. It's the Azure Active Directory (Azure AD) where the new subscription gets created.
-1. Select a **Management group**. It's the Azure AD management group that the new subscription is associated with. You can only select management groups in the current directory.
+1. Select your **Subscription directory**. It's the Microsoft Entra ID where the new subscription gets created.
+1. Select a **Management group**. It's the Microsoft Entra management group that the new subscription is associated with. You can only select management groups in the current directory.
1. Select one or more **Subscription owners**. You can select only users or service principals in the selected subscription directory. You can't select guest directory users. If you select a service principal, enter its App ID. :::image type="content" source="./media/create-subscription/create-subscription-advanced-tab.png" alt-text="Screenshot showing the Advanced tab where you can specify the directory, management group, and owner. " lightbox="./media/create-subscription/create-subscription-advanced-tab.png" ::: 1. Select the **Tags** tab.
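Review bot: Same two wording issues as the other subscription-creation articles in this update: "It's the Microsoft Entra ID where the new subscription gets created" should be "the Microsoft Entra tenant where ...", and "Microsoft Entra management group" should be just "management group", since management groups are an Azure governance construct rather than an Entra object. Aligning the three articles on one phrasing would be cleaner than fixing each separately.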
cost-management-billing Direct Ea Administration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/direct-ea-administration.md
Before starting the ownership transfer, get familiar with the following Azure ro
- Coadministrator roles - Cross-tenant subscription or account ownership transfers result in losing your Azure RBAC policies and role assignments. - Policies and administrator roles don't transfer across different directories. Service administrators are updated to the owner of destination account.-- To avoid losing Azure RBAC policies and role assignments when transferring subscription between tenants, ensure that the **Move the subscriptions to the recipient's Azure AD tenant** selection remains cleared. This selection keeps the services, Azure roles, and policies on the current Azure AD tenant and only transfers the billing ownership for the account.
+- To avoid losing Azure RBAC policies and role assignments when transferring subscription between tenants, ensure that the **Move the subscriptions to the recipient's Microsoft Entra tenant** selection remains cleared. This selection keeps the services, Azure roles, and policies on the current Microsoft Entra tenant and only transfers the billing ownership for the account.
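Review bot: "when transferring subscription between tenants" is missing a plural or an article in both the old and the new line; suggest "when transferring subscriptions between tenants". The rest of the replacement is good: it keeps the important behavioral statement that leaving "Move the subscriptions to the recipient's Microsoft Entra tenant" cleared transfers only billing ownership and preserves the Azure roles and policies in the current tenant, which is the point readers need before they start a transfer.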
Before changing an account owner:
To transfer account ownership for all subscriptions:
1. Select **Transfer subscriptions**. :::image type="content" source="./media/direct-ea-administration/transfer-subscriptions-01.png" alt-text="Screenshot showing where to transfer subscriptions." lightbox="./media/direct-ea-administration/transfer-subscriptions-01.png" ::: 1. On the Transfer subscriptions page, select the destination account to transfer to and then select **Next**.
-1. If you want to transfer the account ownership across Azure AD tenants, select the **Yes, I would also like to move the subscriptions to the new account's Azure AD tenant** confirmation.
+1. If you want to transfer the account ownership across Microsoft Entra tenants, select the **Yes, I would also like to move the subscriptions to the new account's Microsoft Entra tenant** confirmation.
1. Confirm the transfer and selectΓÇ»**Submit**. :::image type="content" source="./media/direct-ea-administration/transfer-account-confirmation.png" alt-text="Screenshot showing the transfer subscription confirmation." lightbox="./media/direct-ea-administration/transfer-account-confirmation.png" :::
To transfer account ownership for a single subscription:
1. On the Azure Subscriptions page, to the right of a subscription, select the ellipsis (**…**) symbol. 1. Select **Transfer subscription**. 1. On the Transfer subscription page, select the destination account to transfer the subscription and then select  **Next**.
-1. If you want to transfer the subscription ownership across Azure AD tenants, select the **Yes, I would like to also move the subscriptions to the to the new account's Azure AD tenant** option.
+1. If you want to transfer the subscription ownership across Microsoft Entra tenants, select the **Yes, I would like to also move the subscriptions to the to the new account's Microsoft Entra tenant** option.
1. Confirm the transfer and then select **Submit**. ## Associate an account to a department
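Review bot: The option label in the single-subscription step still contains the duplicated words "move the subscriptions to the to the new account's Microsoft Entra tenant"; the rename was applied around the typo rather than fixing it. Suggest "**Yes, I would like to also move the subscriptions to the new account's Microsoft Entra tenant**", and check it against the actual portal label, since the all-subscriptions step above quotes a slightly different string ("Yes, I would also like to move ...").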
If you need assistance, create aΓÇ»[support request](https://portal.azure.com/#b
## Convert to work or school account authentication
-Azure Enterprise users can convert from a Microsoft Account (MSA or Live ID) to a Work or School Account. A Work or School Account uses the Azure Active Directory authentication type.
+Azure Enterprise users can convert from a Microsoft Account (MSA or Live ID) to a Work or School Account. A Work or School Account uses the Microsoft Entra authentication type.
### To begin 1. Add the work or school account to the Azure portal in the role(s) needed.
-1. If you get errors, the account may not be valid in Azure Active Directory. Azure uses User Principal Name (UPN), which isn't always identical to the email address.
+1. If you get errors, the account may not be valid in Microsoft Entra ID. Azure uses User Principal Name (UPN), which isn't always identical to the email address.
1. Authenticate to the Azure portal using the work or school account. ### To convert subscriptions from Microsoft accounts to work or school accounts
The person who accesses and manages subscriptions and development projects.
Represents an Azure EA subscription and is a container of Azure services managed by the same service administrator. **Work or school account**<br>
-For organizations that have set up Azure Active Directory with federation to the cloud and all accounts are on a single tenant.
+For organizations that have set up Microsoft Entra ID with federation to the cloud and all accounts are on a single tenant.
## Enrollment status
cost-management-billing Ea Portal Administration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/ea-portal-administration.md
To confirm account ownership:
The status changes from **Pending** to **Active**. When Active, dates shown under the **Start/End Date** column are the start and end dates of the agreement. 1. When the **Warning** message pops up, the account owner needs to select **Continue** to activate the account the first time they sign in to the Azure Enterprise portal.
-## Add an account from another Azure AD tenant
+<a name='add-an-account-from-another-azure-ad-tenant'></a>
-By default, an enrollment is associated with a specific Azure AD tenant. Only accounts from that tenant are allowed to be used to establish an Azure enrollment account. However, you change the behavior to allow an account to get linked from any Azure AD tenant.
+## Add an account from another Microsoft Entra tenant
+
+By default, an enrollment is associated with a specific Microsoft Entra tenant. Only accounts from that tenant are allowed to be used to establish an Azure enrollment account. However, you change the behavior to allow an account to get linked from any Microsoft Entra tenant.
To add an account from any tenant: 1. In the Azure Enterprise portal, select **Manage** in the left navigation area. 1. Select the appropriate enrollment. Note the current setting for **Auth level**, if you want to restore the setting later. 1. If not already configured, change the Auth level to **Work and School Account Cross Tenant**.
-1. Add the account using the Azure AD sign-in information, as described in the previous section.
+1. Add the account using the Microsoft Entra sign-in information, as described in the previous section.
1. Return the **Auth level** to its previous setting, or set it as **Work and School Account**. 1. Sign in to the EA portal to verify that you can view the appropriate subscription offers so that you can then add subscriptions in the Azure portal.
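Review bot: "However, you change the behavior to allow an account to get linked from any Microsoft Entra tenant" is missing "can"; suggest "However, you can change the behavior ...". Adding the `<a name='add-an-account-from-another-azure-ad-tenant'></a>` anchor above the renamed heading is the right way to keep existing deep links working after the heading slug changes. The procedure's final steps (restore the previous **Auth level** after adding the account, then verify in the EA portal) are what limits the cross-tenant setting to the one account being added; consider stating that intent in the intro sentence so readers do not leave the enrollment on **Work and School Account Cross Tenant**.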
Before performing the ownership transfer, understand these Azure role-based acce
- When performing subscription or account ownership transfers between two organizational IDs within the same tenant, Azure RBAC policies, existing service administrator, and co-administrator roles are preserved. - Cross-tenant subscription or account ownership transfers result in losing your Azure RBAC policies and role assignments. - Policies and administrator roles don't transfer across different directories. Service administrators are updated to the owner of destination account.-- To avoid loss of Azure RBAC policies and role assignments when transferring subscription between tenants, ensure that the **Move the subscriptions to the recipientΓÇÖs Azure AD tenant** checkbox remains **unchecked**. This will retain the services, Azure roles, and policies on the current Azure AD tenant and only transfer the billing ownership for the account.
- :::image type="content" source="./media/ea-portal-administration/unselected-checkbox-move-subscriptions-to-recipients-tenant.png" alt-text="Image showing unselected checkbox for moving subscriptions to Azure AD tenant" lightbox="./media/ea-portal-administration/unselected-checkbox-move-subscriptions-to-recipients-tenant.png" :::
+- To avoid loss of Azure RBAC policies and role assignments when transferring subscription between tenants, ensure that the **Move the subscriptions to the recipientΓÇÖs Microsoft Entra tenant** checkbox remains **unchecked**. This will retain the services, Azure roles, and policies on the current Microsoft Entra tenant and only transfer the billing ownership for the account.
+ :::image type="content" source="./media/ea-portal-administration/unselected-checkbox-move-subscriptions-to-recipients-tenant.png" alt-text="Image showing unselected checkbox for moving subscriptions to Microsoft Entra tenant" lightbox="./media/ea-portal-administration/unselected-checkbox-move-subscriptions-to-recipients-tenant.png" :::
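Review bot: "when transferring subscription between tenants" has the same missing plural as the equivalent line in the Direct EA Administration article ("transferring subscriptions"). The two articles also state the same guidance with different wording: this one says the checkbox "remains **unchecked**" and "This will retain the services ...", the other says the selection "remains cleared" and "This selection keeps the services ...". Suggest adopting the second form here, which avoids future tense and matches the portal terminology used in the other article.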
Before changing an account owner:
To transfer account ownership for all subscriptions:
1. Select the change account owner icon on the right. The icon resembles a person. ![Image showing the Change Account Owner symbol](./media/ea-portal-administration/create-ea-create-sub-transfer-account-ownership-of-sub.png) 1. Choose the destination account to transfer to and then select **Next**.
-1. If you want to transfer the account ownership across Azure AD tenants, select the **Move the subscriptions to the recipient's Azure AD tenant** checkbox.
- :::image type="content" source="./media/ea-portal-administration/selected-checkbox-move-subscriptions-to-recipients-tenant.png" alt-text="Image showing selected checkbox for moving subscriptions to Azure AD tenant" lightbox="./media/ea-portal-administration/selected-checkbox-move-subscriptions-to-recipients-tenant.png" :::
+1. If you want to transfer the account ownership across Microsoft Entra tenants, select the **Move the subscriptions to the recipient's Microsoft Entra tenant** checkbox.
+ :::image type="content" source="./media/ea-portal-administration/selected-checkbox-move-subscriptions-to-recipients-tenant.png" alt-text="Image showing selected checkbox for moving subscriptions to Microsoft Entra tenant" lightbox="./media/ea-portal-administration/selected-checkbox-move-subscriptions-to-recipients-tenant.png" :::
1. Confirm the transfer and select **Submit**. To transfer account ownership for a single subscription:
To transfer account ownership for a single subscription:
1. Select the transfer subscriptions icon on the right. The icon resembles a page. ![Image showing the Transfer Subscriptions symbol](./media/ea-portal-administration/ea-transfer-subscriptions.png) 1. Choose the destination account to transfer the subscription and then select **Next**.
-1. If you want to transfer the subscription ownership across Azure AD tenants, select the **Move the subscriptions to the recipient's Azure AD tenant** checkbox.
- :::image type="content" source="./media/ea-portal-administration/selected-checkbox-move-subscriptions-to-recipients-tenant.png" alt-text="Image showing selected checkbox for moving subscriptions to Azure AD tenant" lightbox="./media/ea-portal-administration/selected-checkbox-move-subscriptions-to-recipients-tenant.png" :::
+1. If you want to transfer the subscription ownership across Microsoft Entra tenants, select the **Move the subscriptions to the recipient's Microsoft Entra tenant** checkbox.
+ :::image type="content" source="./media/ea-portal-administration/selected-checkbox-move-subscriptions-to-recipients-tenant.png" alt-text="Image showing selected checkbox for moving subscriptions to Microsoft Entra tenant" lightbox="./media/ea-portal-administration/selected-checkbox-move-subscriptions-to-recipients-tenant.png" :::
1. Confirm the transfer and then select **Submit**.
If you need assistance, create aΓÇ»[support request](https://portal.azure.com/#b
## Conversion to work or school account authentication
-Azure Enterprise users can convert from a Microsoft Account (MSA or Live ID) to a Work or School Account (which uses Azure Active Directory) authentication type.
+Azure Enterprise users can convert from a Microsoft Account (MSA or Live ID) to a Work or School Account (which uses Microsoft Entra ID) authentication type.
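Review bot: The parenthetical lands awkwardly in "convert from a Microsoft Account (MSA or Live ID) to a Work or School Account (which uses Microsoft Entra ID) authentication type"; the Direct EA Administration article in this same update splits it into two sentences ("... to a Work or School Account. A Work or School Account uses the Microsoft Entra authentication type."). Suggest using that wording here too.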
To begin:
To begin:
- **Resource quantity consumed**: The quantity of an individual Azure service that was used in a month. - **Service administrator**: The person who accesses and manages subscriptions and development projects on the Azure Enterprise portal. - **Subscription**: Represents an Azure Enterprise portal subscription and is a container of Azure services managed by the same service administrator.-- **Work or school account**: For organizations that have set up Azure Active Directory with federation to the cloud and all accounts are on a single tenant.
+- **Work or school account**: For organizations that have set up Microsoft Entra ID with federation to the cloud and all accounts are on a single tenant.
### Enrollment statuses
cost-management-billing Ea Transfers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/ea-transfers.md
The Azure EA portal can transfer subscriptions from one account owner to another
## Subscription transfer effects
-When an Azure subscription is transferred to an account in the same Azure Active Directory tenant, then all users, groups, and service principals that had Azure role-based access control (RBAC) to manage resources keep their access. For more information, see [(Azure RBAC)](../../role-based-access-control/overview.md).
+When an Azure subscription is transferred to an account in the same Microsoft Entra tenant, then all users, groups, and service principals that had Azure role-based access control (RBAC) to manage resources keep their access. For more information, see [(Azure RBAC)](../../role-based-access-control/overview.md).
To view users with Azure RBAC access to the subscription:
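Review bot: The link text "[(Azure RBAC)](../../role-based-access-control/overview.md)" renders with parentheses inside the link and reads oddly after "For more information, see"; suggest "see [Azure RBAC](../../role-based-access-control/overview.md)" or "see [What is Azure role-based access control (Azure RBAC)?]". The product rename itself in "same Microsoft Entra tenant" is correct and matches the "different Microsoft Entra tenant" wording in the next paragraph.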
To view users with Azure RBAC access to the subscription:
2. Select the subscription you want to view, and then select **Access control (IAM)**. 3. Select **Role assignments**. The role assignments page lists all users who have Azure RBAC access to the subscription.
-If the subscription is transferred to an account in a different Azure AD tenant, then all users, groups, and service principals that had an [Azure RBAC role](../../role-based-access-control/overview.md) to manage resources _lose_ their access. Although Azure RBAC access isn't present, access to the subscription might be available through security mechanisms, including:
+If the subscription is transferred to an account in a different Microsoft Entra tenant, then all users, groups, and service principals that had an [Azure RBAC role](../../role-based-access-control/overview.md) to manage resources _lose_ their access. Although Azure RBAC access isn't present, access to the subscription might be available through security mechanisms, including:
- Management certificates that grant the user admin rights to subscription resources. For more information, see [Create and Upload a Management Certificate for Azure](../../cloud-services/cloud-services-certs-create.md). - Access keys for services like Storage. For more information, see [Azure storage account overview](../../storage/common/storage-account-overview.md).
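Review bot: the rewritten sentence "Although Azure RBAC access isn't present, access to the subscription might be available through security mechanisms, including:" still presents management certificates and storage access keys as a reassurance, when for a reader who has just moved a subscription to a different tenant they are the opposite: credentials that are not bound to the directory and therefore survive the transfer unchanged, in the hands of whoever held them before. Suggest leading the list with something like "Access that doesn't depend on Azure RBAC isn't removed by the transfer. Review and rotate the following before or immediately after transferring:" so the two bullets read as a checklist.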
cost-management-billing Elevate Access Global Admin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/elevate-access-global-admin.md
# Elevate access to manage billing accounts
-As a Global Administrator in Azure Active Directory (Azure AD), you might not have access to all billing accounts in your directory. This article describes the ways that you can elevate your access to all billing accounts.
+As a Global Administrator in Microsoft Entra ID, you might not have access to all billing accounts in your directory. This article describes the ways that you can elevate your access to all billing accounts.
Elevating your access to manage all billing accounts gives you the ability to view and manage cost and billing for your accounts. You can view invoices, charges, products that are purchased, and the users that have access to the billing accounts. If you want to elevate your access to manage subscriptions, management groups, and resources, see [Elevate access to manage all Azure subscriptions and management groups](../../role-based-access-control/elevate-access-global-admin.md#elevate-access-to-manage-all-azure-subscriptions-and-management-groups).
If youΓÇÖre a Global Administrator, there might be times when you want to do the
## How does elevated access work?
-All Global Administrators in Azure Active Directory (Azure AD) get read-only access to all Microsoft Customer Agreement (MCA) and Microsoft Partner Agreement (MPA) billing accounts in their Azure Active Directory. They can view all billing accounts and the corresponding cost and billing information. Along with a read-only view, they get permission to manage role assignments on the billing accounts. They can add themselves as owners of the billing accounts to elevate themselves.
+All Global Administrators in Microsoft Entra ID get read-only access to all Microsoft Customer Agreement (MCA) and Microsoft Partner Agreement (MPA) billing accounts in their Microsoft Entra ID. They can view all billing accounts and the corresponding cost and billing information. Along with a read-only view, they get permission to manage role assignments on the billing accounts. They can add themselves as owners of the billing accounts to elevate themselves.
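Review bot: in the `+` line the mechanical replacement turned "billing accounts in their Azure Active Directory" into "billing accounts in their Microsoft Entra ID", which no longer reads as a location; the original meant the directory (tenant). Suggest "MCA and MPA billing accounts in their Microsoft Entra tenant". The rest of the paragraph, read-only access plus the right to manage role assignments so a Global Administrator can add themselves as owner, is unchanged and correct.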
## Elevate access to manage billing accounts
PUT https://management.azure.com/providers/Microsoft.Billing/billingAccounts/<b
#### Request body
-To add yourself as an owner, you need to get your object ID. You can find the object ID either in the Users page of the Azure Active Directory section in the Azure portal or your can use the [Microsoft Graph API](/graph/api/resources/users?view=graph-rest-1.0&preserve-view=true) to get the object ID.
+To add yourself as an owner, you need to get your object ID. You can find the object ID either in the Users page of the Microsoft Entra ID section in the Azure portal or your can use the [Microsoft Graph API](/graph/api/resources/users?view=graph-rest-1.0&preserve-view=true) to get the object ID.
In the request body, replace `<roleDefinitionName>` with the `name` copied from Step 2. Replace `<principalId>` with the object ID that you got either from the Azure portal or through the Microsoft Graph API.
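Review bot: the `+` line "You can find the object ID either in the Users page of the Microsoft Entra ID section in the Azure portal or your can use the Microsoft Graph API" carries over the typo "your can use"; fix it to "you can use" while the line is being rewritten.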
If you need help, [contact support](https://portal.azure.com/?#blade/Microsoft_A
## Next steps - [Manage billing roles in the Azure portal](understand-mca-roles.md#manage-billing-roles-in-the-azure-portal)-- [Get billing ownership of Azure subscriptions from users in other billing accounts](mca-request-billing-ownership.md)
+- [Get billing ownership of Azure subscriptions from users in other billing accounts](mca-request-billing-ownership.md)
cost-management-billing Find Tenant Id Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/find-tenant-id-domain.md
Title: Find tenant ID and primary domain
-description: Describes how to find ID and primary domain for your Azure AD tenant.
+description: Describes how to find ID and primary domain for your Microsoft Entra tenant.
tags: billing
This article describes how to use the Azure portal to locate the following information for a user: -- The Microsoft Azure Active Directory (Azure AD) tenant ID of the user's organization-- The primary domain name of the organization associated with the Azure AD tenant
+- The Microsoft Entra tenant ID of the user's organization
+- The primary domain name of the organization associated with the Microsoft Entra tenant
## Find the tenant ID and primary domain name 1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Search for *Azure Active Directory*.
- :::image type="content" source="./media/find-tenant-id-domain/search-azure-active-directory.png" alt-text="Screenshot showing Search in the Azure portal for Azure Active Directory." lightbox="./media/find-tenant-id-domain/search-azure-active-directory.png" :::
-1. In the Azure Active Directory Overview page, you can find the Azure AD tenant ID and primary domain name in the **Basic information** section.
- :::image type="content" source="./media/find-tenant-id-domain/azure-active-directory-overview.png" alt-text="Screenshot showing the Overview page of Azure Active Directory." lightbox="./media/find-tenant-id-domain/azure-active-directory-overview.png" :::
+1. Search for *Microsoft Entra ID*.
+ :::image type="content" source="./media/find-tenant-id-domain/search-azure-active-directory.png" alt-text="Screenshot showing Search in the Azure portal for Microsoft Entra ID." lightbox="./media/find-tenant-id-domain/search-azure-active-directory.png" :::
+1. In the Microsoft Entra Overview page, you can find the Microsoft Entra tenant ID and primary domain name in the **Basic information** section.
+ :::image type="content" source="./media/find-tenant-id-domain/azure-active-directory-overview.png" alt-text="Screenshot showing the Overview page of Microsoft Entra ID." lightbox="./media/find-tenant-id-domain/azure-active-directory-overview.png" :::
1. You can also find the tenant ID in the properties page.
- 1. Search for **Azure Active Directory**.
+ 1. Search for **Microsoft Entra ID**.
1. In the left menu, select **Properties**. 1. The tenant ID is displayed on the Properties page.
- :::image type="content" source="./media/find-tenant-id-domain/azure-active-directory-properties.png" alt-text="Screenshot showing the Properties page of Azure Active Directory." lightbox="./media/find-tenant-id-domain/azure-active-directory-properties.png" :::
+ :::image type="content" source="./media/find-tenant-id-domain/azure-active-directory-properties.png" alt-text="Screenshot showing the Properties page of Microsoft Entra ID." lightbox="./media/find-tenant-id-domain/azure-active-directory-properties.png" :::
## Need help? contact support
If you need help, [contact support](https://portal.azure.com/?#blade/Microsoft_A
## Next steps - [Managing billing across tenants](manage-billing-across-tenants.md)-- [Billing administrative roles](understand-mca-roles.md)
+- [Billing administrative roles](understand-mca-roles.md)
cost-management-billing Grant Access To Create Subscription https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/grant-access-to-create-subscription.md
To [create subscriptions under an enrollment account](programmatically-create-su
1. <a id="userObjectId"></a>Get object ID of the user or group you want to give the Azure RBAC Owner role to
- 1. In the Azure portal, search on **Azure Active Directory**.
+ 1. In the Azure portal, search on **Microsoft Entra ID**.
1. If you want to grant a user access, select **Users** in the menu on the left. To give access to a group, select **Groups**. 1. Select the User or Group you want to give the Azure RBAC Owner role to. 1. If you selected a User, you'll find the object ID in the Profile page. If you selected a Group, the object ID will be in the Overview page. Copy the **ObjectID** by selecting the icon to the right of the text box. Paste it somewhere so that you can use it in the next step as `userObjectId`.
To [create subscriptions under an enrollment account](programmatically-create-su
To track the subscriptions created via this API, use the [Tenant Activity Log API](/rest/api/monitor/tenantactivitylogs). It's currently not possible to use PowerShell, CLI, or Azure portal to track subscription creation.
-1. As a tenant admin of the Azure AD tenant, [elevate access](../../role-based-access-control/elevate-access-global-admin.md) then assign a Reader role to the auditing user over the scope `/providers/microsoft.insights/eventtypes/management`. This access is available in the [Reader](../../role-based-access-control/built-in-roles.md#reader) role, the [Monitoring contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) role, or a [custom role](../../role-based-access-control/custom-roles.md).
+1. As a tenant admin of the Microsoft Entra tenant, [elevate access](../../role-based-access-control/elevate-access-global-admin.md) then assign a Reader role to the auditing user over the scope `/providers/microsoft.insights/eventtypes/management`. This access is available in the [Reader](../../role-based-access-control/built-in-roles.md#reader) role, the [Monitoring contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) role, or a [custom role](../../role-based-access-control/custom-roles.md).
1. As the auditing user, call the [Tenant Activity Log API](/rest/api/monitor/tenantactivitylogs) to see subscription creation activities. Example: ```
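Review bot: the rewritten step "As a tenant admin of the Microsoft Entra tenant, elevate access then assign a Reader role to the auditing user over the scope `/providers/microsoft.insights/eventtypes/management`" is the only step in this procedure that touches tenant-root permissions, and it doesn't say that the elevated access is meant to be temporary. The linked elevate-access article covers removing it, but a one-line reminder after the assignment, e.g. "After you assign the role, remove your elevated access.", would keep the procedure least-privilege on its own.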
To conveniently call this API from the command line, try [ARMClient](https://git
* For an example on creating subscriptions using .NET, see [sample code on GitHub](https://github.com/Azure-Samples/create-azure-subscription-dotnet-core). * To learn more about Azure Resource Manager and its APIs, see [Azure Resource Manager overview](../../azure-resource-manager/management/overview.md). * To learn more about managing large numbers of subscriptions using management groups, see [Organize your resources with Azure management groups](../../governance/management-groups/overview.md)
-* To see a comprehensive best practice guidance for large organizations on subscription governance, see [Azure enterprise scaffold - prescriptive subscription governance](/azure/architecture/cloud-adoption-guide/subscription-governance)
+* To see a comprehensive best practice guidance for large organizations on subscription governance, see [Azure enterprise scaffold - prescriptive subscription governance](/azure/architecture/cloud-adoption-guide/subscription-governance)
cost-management-billing Link Partner Id https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/link-partner-id.md
In other words, PAL association can happen for all RBAC roles. The roles determi
For example, if you're partner, your customer might hire you to do a project. Your customer can give you an administrative account to deploy, configure, and support an application. Your customer can scope your access to a resource group. If you use PAL and associate your MPN ID with the administrative account, Microsoft measures the consumed revenue from the services within the resource group.
-If the Azure AD identity that was used for PAL is deleted or disabled, the ACR attribution stops for the partner on the associated resources.
+If the Microsoft Entra identity that was used for PAL is deleted or disabled, the ACR attribution stops for the partner on the associated resources.
Various partner programs have differing rules for the RBAC roles. Contact your Partner Development Manager for rules about the specific Azure RBAC roles that are needed at the time of PAL in order for ACR attribution to be realized.
cost-management-billing Manage Billing Across Tenants https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/manage-billing-across-tenants.md
Before you begin, make sure you have either the tenant ID, or the primary domain
1. On the Add tenant page, enter a tenant ID or domain name, provide a friendly name and then select one or both options for access settings. For more information about access settings, see [Access settings for associated billing tenant](#access-settings-for-associated-billing-tenants). :::image type="content" source="./media/manage-billing-across-tenants/associated-tenants-add.png" alt-text="Screenshot showing associated billing tenants form." lightbox="./media/manage-billing-across-tenants/associated-tenants-add.png" ::: > [!NOTE]
- > The friendly name of an associated billing tenant is used to easily identify the tenant in the Cost management + Billing section. The name is different from the display name of the tenant in Azure active directory.
+ > The friendly name of an associated billing tenant is used to easily identify the tenant in the Cost management + Billing section. The name is different from the display name of the tenant in Microsoft Entra ID.
1. Select **Save**. If the Provisioning access setting is turned on, a unique link is created for you to send to the global administrator of the associated billing tenant. They must accept the request before you can move subscriptions to their tenant.
Before moving subscriptions, make sure you [add a tenant as an associated billin
## Move Azure subscriptions to an associated billing tenant
-The provisioning setting that you enable for an associated billing tenant doesn't apply for Azure subscriptions. To move Azure subscriptions to an associated billing tenant, see [Associate or add an Azure subscription to your Azure Active Directory tenant](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md).
+The provisioning setting that you enable for an associated billing tenant doesn't apply for Azure subscriptions. To move Azure subscriptions to an associated billing tenant, see [Associate or add an Azure subscription to your Microsoft Entra tenant](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md).
## Need help? Contact support
If you need help, [contact support](https://portal.azure.com/?#blade/Microsoft_A
## Next steps - [Billing administrative roles](understand-mca-roles.md)-- [Associate or add an Azure subscription to your Azure Active Directory tenant](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md)
+- [Associate or add an Azure subscription to your Microsoft Entra tenant](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md)
cost-management-billing Mca Setup Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/mca-setup-account.md
Gets the following role after transition:
- Azure subscription creator on the invoice section created for their respective department - Can create Azure subscriptions for their invoice section
-An Azure Active Directory (AD) tenant is selected for the new billing account while accepting your Microsoft Customer Agreement. If a tenant doesn't exist for your organization, a new tenant is created. The tenant represents your organization within Azure Active Directory. Global tenant administrators in your organization use the tenant to manage access of applications and data in your organization.
+A Microsoft Entra tenant is selected for the new billing account while accepting your Microsoft Customer Agreement. If a tenant doesn't exist for your organization, a new tenant is created. The tenant represents your organization within Microsoft Entra ID. Global tenant administrators in your organization use the tenant to manage access of applications and data in your organization.
Your new account only supports users from the tenant that was selected while signing the Microsoft Customer Agreement. If users with administrative permission on your Enterprise Agreement are part of the tenant, they get access to the new billing account during the setup. If they're not part of the tenant, they can't access the new billing account unless you invite them.
-When you invite the users, they're added to the tenant as guest users and get access to the billing account. To invite the users, guest access must be turned on for the tenant. For more information, about enabling guest access see [control guest access in Azure Active Directory](/microsoftteams/teams-dependencies#control-guest-access-in-azure-active-directory). If the guest access is turned off, contact the global administrators of your tenant to turn it on.
+When you invite the users, they're added to the tenant as guest users and get access to the billing account. To invite the users, guest access must be turned on for the tenant. For more information, about enabling guest access see [control guest access in Microsoft Entra ID](/microsoftteams/teams-dependencies#control-guest-access-in-azure-active-directory). If the guest access is turned off, contact the global administrators of your tenant to turn it on.
-As mentioned previously, to send invitations, you must first enable guest access on the tenant using Azure Active Directory.
+As mentioned previously, to send invitations, you must first enable guest access on the tenant using Microsoft Entra ID.
Otherwise, you see an error message saying:
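Review bot: in the `+` line the link text was renamed to "control guest access in Microsoft Entra ID" but the fragment still points at `#control-guest-access-in-azure-active-directory`; that's correct only as long as the Teams dependencies page keeps the old heading id, so confirm the anchor still resolves after the rename sweep lands there, or link the page without a fragment.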
cost-management-billing Mosp Ea Transfer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/mosp-ea-transfer.md
This article helps you understand the steps needed to transfer an individual Mic
If you want to transfer a different subscription type to EA, see [Azure subscription and reservation transfer hub](subscription-transfer.md) for supported transfer options. > [!NOTE]
-> The transfer process doesn't change Azure AD Directory information that the subscriptions are linked to. If you want to make an Azure AD Directory change, see [Transfer an Azure subscription to a different Azure AD directory](../../role-based-access-control/transfer-subscription.md).
+> The transfer process doesn't change Microsoft Entra Directory information that the subscriptions are linked to. If you want to make a Microsoft Entra Directory change, see [Transfer an Azure subscription to a different Microsoft Entra directory](../../role-based-access-control/transfer-subscription.md).
## Prerequisites
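Review bot: the `+` note uses "Microsoft Entra Directory information" and "a Microsoft Entra Directory change" with a capitalized "Directory", which isn't a product name; the linked article title in the same line already uses "Microsoft Entra directory". Suggest lowercasing both, or simply "doesn't change the Microsoft Entra tenant that the subscriptions are linked to".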
cost-management-billing Mpa Request Ownership https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/mpa-request-ownership.md
Some of the customer transition requests may require an additional review proces
### Azure subscription directory
-The Azure AD directory (tenant) of the Azure subscriptions that are transferred must be the same Azure AD directory of the customer that was selected while establishing the CSP relationship.
+The Microsoft Entra directory (tenant) of the Azure subscriptions that are transferred must be the same Microsoft Entra directory of the customer that was selected while establishing the CSP relationship.
-If these two directories aren't the same, the subscriptions couldn't be transferred. You need to either establish a new CSP reseller relationship with the customer by selecting the directory of the Azure subscriptions or change the directory of Azure subscriptions to match with the customer CSP relationship directory. For more information, see [Associate an existing subscription to your Azure AD directory](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md#to-associate-an-existing-subscription-to-your-azure-ad-directory).
+If these two directories aren't the same, the subscriptions couldn't be transferred. You need to either establish a new CSP reseller relationship with the customer by selecting the directory of the Azure subscriptions or change the directory of Azure subscriptions to match with the customer CSP relationship directory. For more information, see [Associate an existing subscription to your Microsoft Entra directory](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md#to-associate-an-existing-subscription-to-your-azure-ad-directory).
### EA subscription in the non-organization directory The EA subscriptions from non-organization directories can be transferred as long as the directory has a reseller relationship with the CSP. If the directory doesnΓÇÖt have a reseller relationship, you need to make sure to have the organization user in the directory as a *Global Administrator* who can accept the partner relationship. The domain name portion of the username must either be the initial default domain name *[domain name].onmicrosoft.com* or a verified, non-federated custom domain name such as *contoso.com*.
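Review bot: the `+` line "If these two directories aren't the same, the subscriptions couldn't be transferred." keeps the tense error from the original; since the line is rewritten, change it to "can't be transferred". Also, as with the other renamed links in this change, the fragment `#to-associate-an-existing-subscription-to-your-azure-ad-directory` still names the old heading, so verify it resolves once the target page is renamed.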
-To add a new user to the directory, see [Quickstart: Add new users to Azure Active Directory to add the new user to the directory](../../active-directory/fundamentals/add-users-azure-active-directory.md).
+To add a new user to the directory, see [Quickstart: Add new users to Microsoft Entra ID to add the new user to the directory](../../active-directory/fundamentals/add-users-azure-active-directory.md).
## Check access to a Microsoft Partner Agreement
If you need help, [contact support](https://portal.azure.com/?#blade/Microsoft_A
## Next steps * The billing ownership of the Azure products is transferred to you. Keep track of the charges for these products in the [Azure portal](https://portal.azure.com).
-* Work with the customer to get access to the transferred Azure products. [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+* Work with the customer to get access to the transferred Azure products. [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
cost-management-billing Programmatically Create Subscription Enterprise Agreement https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/programmatically-create-subscription-enterprise-agreement.md
A user must have an Owner role on an Enrollment Account to create a subscription
To use a service principal (SPN) to create an EA subscription, an Owner of the Enrollment Account must [grant that service principal the ability to create subscriptions](/rest/api/billing/2019-10-01-preview/enrollmentaccountroleassignments/put).
-When using an SPN to create subscriptions, use the ObjectId of the Azure AD Enterprise application as the Service Principal ID using [Microsoft Graph PowerShell](/powershell/module/microsoft.graph.applications/get-mgserviceprincipal) or [Azure CLI](/cli/azure/ad/sp#az-ad-sp-list). You can also use the steps at [Find your SPN and tenant ID](assign-roles-azure-service-principals.md#find-your-spn-and-tenant-id) to find the object ID in the Azure portal for an existing SPN.
+When using an SPN to create subscriptions, use the ObjectId of the Microsoft Entra Enterprise application as the Service Principal ID using [Microsoft Graph PowerShell](/powershell/module/microsoft.graph.applications/get-mgserviceprincipal) or [Azure CLI](/cli/azure/ad/sp#az-ad-sp-list). You can also use the steps at [Find your SPN and tenant ID](assign-roles-azure-service-principals.md#find-your-spn-and-tenant-id) to find the object ID in the Azure portal for an existing SPN.
For more information about the EA role assignment API request, see [Assign roles to Azure Enterprise Agreement service principal names](assign-roles-azure-service-principals.md). The article includes a list of roles (and role definition IDs) that can be assigned to an SPN.
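Review bot: the rewritten line "use the ObjectId of the Microsoft Entra Enterprise application as the Service Principal ID" is correct but is the point where readers most often pick the wrong identifier. Suggest stating explicitly that this is the object ID of the service principal (the Enterprise application object), not the object ID of the app registration and not the application (client) ID; `Get-MgServicePrincipal` and `az ad sp list` both return the right one, which is why they are the commands linked here.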
cost-management-billing Programmatically Create Subscription Microsoft Customer Agreement Across Tenants https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/programmatically-create-subscription-microsoft-customer-agreement-across-tenants.md
Title: Programmatically create MCA subscriptions across Azure Active Directory tenants
-description: Learn how to programmatically create an Azure MCA subscription across Azure Active Directory tenants.
+ Title: Programmatically create MCA subscriptions across Microsoft Entra tenants
+description: Learn how to programmatically create an Azure MCA subscription across Microsoft Entra tenants.
-# Programmatically create MCA subscriptions across Azure Active Directory tenants
+# Programmatically create MCA subscriptions across Microsoft Entra tenants
-This article helps you programmatically create a Microsoft Customer Agreement (MCA) subscription across Azure Active Directory tenants. In some situations, you might need to create MCA subscriptions across Azure Active Directory (Azure AD) tenants but have them tied to a single billing account. Examples of such situations include SaaS providers wanting to segregate hosted customer services from internal IT services or internal environments that have strict regulatory compliance requirements, like Payment Card Industry (PCI).
+This article helps you programmatically create a Microsoft Customer Agreement (MCA) subscription across Microsoft Entra tenants. In some situations, you might need to create MCA subscriptions across Microsoft Entra tenants but have them tied to a single billing account. Examples of such situations include SaaS providers wanting to segregate hosted customer services from internal IT services or internal environments that have strict regulatory compliance requirements, like Payment Card Industry (PCI).
-The process to create an MCA subscription across tenants is effectively a two-phase process. It requires actions to be taken in the source and destination Azure AD tenants. This article uses the following terminology:
+The process to create an MCA subscription across tenants is effectively a two-phase process. It requires actions to be taken in the source and destination Microsoft Entra tenants. This article uses the following terminology:
-- Source Azure AD (source.onmicrosoft.com). It represents the source tenant where the MCA billing account exists.-- Destination Cloud Azure AD (destination.onmicrosoft.com). It represents the destination tenant where the new MCA subscriptions are created.
+- Source Microsoft Entra ID (source.onmicrosoft.com). It represents the source tenant where the MCA billing account exists.
+- Destination Cloud Microsoft Entra ID (destination.onmicrosoft.com). It represents the destination tenant where the new MCA subscriptions are created.
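Review bot: the two rewritten terminology bullets read "Source Microsoft Entra ID (source.onmicrosoft.com)" and "Destination Cloud Microsoft Entra ID (destination.onmicrosoft.com)", but both define tenants, and the stray "Cloud" in the second was already odd before the rename. Suggest "Source Microsoft Entra tenant (source.onmicrosoft.com)" and "Destination Microsoft Entra tenant (destination.onmicrosoft.com)", which also matches how the rest of the article refers to them.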
## Prerequisites You must you already have the following tenants created: -- A source Azure AD tenant with an active [Microsoft Customer Agreement](create-subscription.md) billing account. If you don't have an active MCA, you can create one. For more information, see [Azure - Sign up](https://signup.azure.com/)-- A destination Azure AD tenant separate from the tenant where your MCA belongs. To create a new Azure AD tenant, see [Azure AD tenant setup](../../active-directory/develop/quickstart-create-new-tenant.md).
+- A source Microsoft Entra tenant with an active [Microsoft Customer Agreement](create-subscription.md) billing account. If you don't have an active MCA, you can create one. For more information, see [Azure - Sign up](https://signup.azure.com/)
+- A destination Microsoft Entra tenant separate from the tenant where your MCA belongs. To create a new Microsoft Entra tenant, see [Microsoft Entra tenant setup](../../active-directory/develop/quickstart-create-new-tenant.md).
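Review bot: the unchanged lead-in to these bullets, "You must you already have the following tenants created:", has a doubled "you"; since both bullets under it are being rewritten, fix the lead-in to "You must already have the following tenants created:" in the same change.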
## Application set-up
Use the information in the following sections to set up and configure the needed
### Register an application in the source tenant
-To programmatically create an MCA subscription, an Azure AD application must be registered and granted the appropriate Azure RBAC permission. For this step, ensure you're signed into the source tenant (source.onmicrosoft.com) with an account that has permissions to register Azure AD applications.
+To programmatically create an MCA subscription, a Microsoft Entra application must be registered and granted the appropriate Azure RBAC permission. For this step, ensure you're signed into the source tenant (source.onmicrosoft.com) with an account that has permissions to register Microsoft Entra applications.
Following the steps in [Quickstart: Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md).
After you determine the scope and role, use the information at [Manage billing r
### Register an application in the destination tenant
-To accept the MCA subscription from the destination tenant (destination.onmicrosoft.com), an Azure AD application must be registered and added to the Billing administrator Azure AD role. For this step, ensure you're signed in to the destination tenant (destination.onmicrosoft.com) with an account that has permissions to register Azure AD applications. It must also have billing administrator role permission.
+To accept the MCA subscription from the destination tenant (destination.onmicrosoft.com), a Microsoft Entra application must be registered and added to the Billing administrator Microsoft Entra role. For this step, ensure you're signed in to the destination tenant (destination.onmicrosoft.com) with an account that has permissions to register Microsoft Entra applications. It must also have billing administrator role permission.
Follow the same steps used above to register an application in the source tenant. Save the following information to test and configure your environment:
Follow the same steps used above to register an application in the source tenant
- Object ID - App secret value that was generated. The value is only visible at the time of creation.
-### Add the destination application to the Billing administrator Azure AD role
+<a name='add-the-destination-application-to-the-billing-administrator-azure-ad-role'></a>
-Use the information at [Assign administrator and non-administrator roles to users with Azure AD](../../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md) to add the destination application created in the preceding section to the Billing administrator Azure AD role in the destination tenant.
+### Add the destination application to the Billing administrator Microsoft Entra role
+
+Use the information at [Assign administrator and non-administrator roles to users with Microsoft Entra ID](../../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md) to add the destination application created in the preceding section to the Billing administrator Microsoft Entra role in the destination tenant.
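Review bot: the rewritten section adds the destination application, which holds a client secret per the preceding list, to the Billing administrator directory role but doesn't say whether that assignment is needed only to accept the subscription or permanently. Say which, and if it is one-time, add a step to remove the role assignment (or the application) after the subscription is created, so readers don't leave a secret-bearing app in a privileged directory role. The `<a name=...>` anchor preserving the old heading id is a good addition and should stay.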
## Programmatically create a subscription
Content-Type: application/json
* Now that you've created a subscription, you can grant that ability to other users and service principals. For more information, see [Grant access to create Azure Enterprise subscriptions (preview)](grant-access-to-create-subscription.md). * For more information about managing large numbers of subscriptions using management groups, see [Organize your resources with Azure management groups](../../governance/management-groups/overview.md).
-* To change the management group for a subscription, see [Move subscriptions](../../governance/management-groups/manage.md#move-subscriptions).
+* To change the management group for a subscription, see [Move subscriptions](../../governance/management-groups/manage.md#move-subscriptions).
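Review bot: the removed and added "To change the management group for a subscription" lines are identical as rendered, so this hunk changes only invisible whitespace or the line ending. Either confirm that is intended (for example, adding a missing final newline) or drop it so the commit stays limited to the Microsoft Entra rename.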
cost-management-billing Programmatically Create Subscription Microsoft Customer Agreement https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/programmatically-create-subscription-microsoft-customer-agreement.md
This article helps you programmatically create Azure subscriptions for a Microso
In this article, you learn how to create subscriptions programmatically using Azure Resource Manager.
-If you need to create an Azure MCA subscription across Azure Active Directory tenants, see [Programmatically create MCA subscriptions across Azure Active Directory tenants](programmatically-create-subscription-microsoft-customer-agreement-across-tenants.md).
+If you need to create an Azure MCA subscription across Microsoft Entra tenants, see [Programmatically create MCA subscriptions across Microsoft Entra tenants](programmatically-create-subscription-microsoft-customer-agreement-across-tenants.md).
When you create an Azure subscription programmatically, that subscription is governed by the agreement under which you obtained Azure services from Microsoft or an authorized reseller. For more information, see [Microsoft Azure Legal Information](https://azure.microsoft.com/support/legal/).
When you create an Azure subscription programmatically, that subscription is gov
You must have an owner, contributor, or Azure subscription creator role on an invoice section or owner or contributor role on a billing profile or a billing account to create subscriptions. You can also give the same role to a service principal name (SPN). For more information about roles and assigning permission to them, see [Subscription billing roles and tasks](understand-mca-roles.md#subscription-billing-roles-and-tasks).
-If you're using an SPN to create subscriptions, use the ObjectId of the Azure AD Enterprise application as the Principal ID using [Microsoft Graph PowerShell](/powershell/module/microsoft.graph.applications/get-mgserviceprincipal) or [Azure CLI](/cli/azure/ad/sp#az-ad-sp-list).
+If you're using an SPN to create subscriptions, use the ObjectId of the Microsoft Entra Enterprise application as the Principal ID using [Microsoft Graph PowerShell](/powershell/module/microsoft.graph.applications/get-mgserviceprincipal) or [Azure CLI](/cli/azure/ad/sp#az-ad-sp-list).
> [!NOTE] > Permissions differ between the legacy API (api-version=2018-03-01-preview) and the latest API (api-version=2020-05-01). Although you may have a role sufficient to use the legacy API, you might need an EA admin to delegate you a role to use the latest API.
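Review bot: "the ObjectId of the Microsoft Entra Enterprise application" in the added line should name the object explicitly: the linked `Get-MgServicePrincipal` and `az ad sp list` commands return service principal objects, so the reader needs the service principal's object ID, not the object ID of the app registration. Suggest: "use the object ID of the service principal (the Enterprise application), not the app registration, as the Principal ID", since the two IDs differ and the role assignment must match the identity that actually authenticates.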
cost-management-billing Spending Limit https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/spending-limit.md
Custom spending limits aren't available.
## A spending limit doesn't prevent all charges
-[Some external services published in the Azure Marketplace](../understand/understand-azure-marketplace-charges.md) can't be used with your subscription credits, and can incur separate charges even when your spending limit is set. Examples include Visual Studio licenses, Azure Active Directory premium, support plans, and most third-party branded services. When you create a new external service, a warning is shown to let you know the services are billed separately:
+[Some external services published in the Azure Marketplace](../understand/understand-azure-marketplace-charges.md) can't be used with your subscription credits, and can incur separate charges even when your spending limit is set. Examples include Visual Studio licenses, Microsoft Entra ID P1 or P2, support plans, and most third-party branded services. When you create a new external service, a warning is shown to let you know the services are billed separately:
![Marketplace purchase warning](./media/spending-limit/marketplace-warning01.png)
cost-management-billing Subscription Transfer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/subscription-transfer.md
If you're an Enterprise Agreement (EA) customer, your enterprise administrators
This article focuses on product transfers. However, resource transfer is also discussed because it's required for some product transfer scenarios.
-For more information about product transfers between different Azure AD tenants, see [Transfer an Azure subscription to a different Azure AD directory](../../role-based-access-control/transfer-subscription.md).
+For more information about product transfers between different Microsoft Entra tenants, see [Transfer an Azure subscription to a different Microsoft Entra directory](../../role-based-access-control/transfer-subscription.md).
> [!NOTE] > Most billing ownership transfers don't change the service tenant of the underlying products. They don't cause any downtime. However, even when a billing tenant does change, the change doesn't affect running services or resources.
To view the steps needed to transfer your product, see [Transfer billing ownersh
### Transferring a product shouldn't create downtime
-If you transfer a product to an account in the same Azure AD tenant, there's no effect on the resources running in the subscription. However, context information saved in PowerShell isn't updated so you might have to clear it or change settings. When you do a resource move or change the service tenant, then resources could be affected.
+If you transfer a product to an account in the same Microsoft Entra tenant, there's no effect on the resources running in the subscription. However, context information saved in PowerShell isn't updated so you might have to clear it or change settings. When you do a resource move or change the service tenant, then resources could be affected.
### New account usage and billing history
If you have a Visual Studio or Microsoft Cloud Partner Program product, you get
### Users keep access to transferred resources
-Keep in mind that users with access to resources in a product keep their access when billing ownership is transferred. However, [administrator roles](add-change-subscription-administrator.md) and [Azure role assignments](../../role-based-access-control/role-assignments-portal.md) might get removed. Losing access occurs when your account is in an Azure AD tenant other than the product's tenant and the user who sent the transfer request moves the product to your account's tenant.
+Keep in mind that users with access to resources in a product keep their access when billing ownership is transferred. However, [administrator roles](add-change-subscription-administrator.md) and [Azure role assignments](../../role-based-access-control/role-assignments-portal.md) might get removed. Losing access occurs when your account is in a Microsoft Entra tenant other than the product's tenant and the user who sent the transfer request moves the product to your account's tenant.
You can view the users who have Azure role assignments to access resources in the product in the Azure portal. Visit the [Subscription page in the Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade). Then select the product you want to check, and then select **Access control (IAM)** from the left-hand pane. Next, select **Role assignments** from the top of the page. The role assignments page lists all users who have access on the product.
cost-management-billing Transfer Subscriptions Subscribers Csp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/transfer-subscriptions-subscribers-csp.md
To transfer any other Azure subscriptions that aren't supported for billing tran
1. Establish a [reseller relationship](/partner-center/request-a-relationship-with-a-customer) with the customer. Review the [CSP Regional Authorization Overview](/partner-center/regional-authorization-overview) to ensure both customer and Partner tenant are within the same authorized regions. 1. Work with your CSP partner to create target Azure CSP subscriptions.
-1. Ensure that the source and target CSP subscriptions are in the same Azure Active Directory (Azure AD) tenant.
- You can't change the Azure AD tenant for an Azure CSP subscription. Instead, you must add or associate the source subscription to the CSP Azure AD tenant. For more information, see [Associate or add an Azure subscription to your Azure Active Directory tenant](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md).
+1. Ensure that the source and target CSP subscriptions are in the same Microsoft Entra tenant.
+ You can't change the Microsoft Entra tenant for an Azure CSP subscription. Instead, you must add or associate the source subscription to the CSP Microsoft Entra tenant. For more information, see [Associate or add an Azure subscription to your Microsoft Entra tenant](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md).
> [!IMPORTANT]
- > - When you associate a subscription to a different Azure AD directory, users that have roles assigned using [Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.md) lose their access. Classic subscription administrators, including Service Administrator and Co-Administrators, also lose access.
+ > - When you associate a subscription to a different Microsoft Entra directory, users that have roles assigned using [Azure role-based access control (Azure RBAC)](../../role-based-access-control/role-assignments-portal.md) lose their access. Classic subscription administrators, including Service Administrator and Co-Administrators, also lose access.
> - Policy Assignments are also removed from a subscription when the subscription is associated with a different directory. 1. The user account that you use to do the transfer must have [Azure RBAC](add-change-subscription-administrator.md) owner access on both subscriptions. 1. Before you begin, [validate](/rest/api/resources/resources/validatemoveresources) that all Azure resources can move from the source subscription to the destination subscription.
To transfer any other Azure subscriptions that aren't supported for billing tran
It's possible to transfer other subscriptions from a CSP Partner to other Azure offers that aren't supported for billing transfer from MPA as documented in the [Azure subscription transfer hub](subscription-transfer.md#product-transfer-support) article. However, the subscriber needs to manually move resources between source CSP subscriptions and target subscriptions. All work done by a partner and a customer - it isn't work done by a Microsoft representative. 1. The customer creates target Azure subscriptions.
-1. Ensure that the source and target subscriptions are in the same Azure Active Directory (Azure AD) tenant. For more information about changing an Azure AD tenant, see [Associate or add an Azure subscription to your Azure Active Directory tenant](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md).
+1. Ensure that the source and target subscriptions are in the same Microsoft Entra tenant. For more information about changing a Microsoft Entra tenant, see [Associate or add an Azure subscription to your Microsoft Entra tenant](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md).
The change directory option isn't supported for the CSP subscription. For example, you're transferring from a CSP to a pay-as-you-go subscription. You need to change the directory of the pay-as-you-go subscription to match the directory. > [!IMPORTANT]
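Review bot: the trailing context sentence "You need to change the directory of the pay-as-you-go subscription to match the directory." leaves "the directory" unspecified; since the preceding added line says the CSP subscription's Microsoft Entra tenant cannot be changed, it should read "to match the directory of the CSP subscription". Worth fixing in the same commit because the surrounding lines are already being touched.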
cost-management-billing Troubleshoot Account Not Found https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/troubleshoot-account-not-found.md
If you're unable to see your billing account in the Azure portal, try the follow
## Sign in to a different tenant
-Your billing account is associated with a single Azure Active Directory tenant. You won't see your billing account on the Cost Management + Billing page if you're signed in to an incorrect tenant. Use the following steps to switch to another tenant in the Azure portal and view your billing accounts in that tenant.
+Your billing account is associated with a single Microsoft Entra tenant. You won't see your billing account on the Cost Management + Billing page if you're signed in to an incorrect tenant. Use the following steps to switch to another tenant in the Azure portal and view your billing accounts in that tenant.
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Select your profile (email address) at the top right of the page.
Read the following billing and subscription articles to help troubleshoot proble
- [Declined card](./troubleshoot-declined-card.md) - [Subscription sign in issues](./troubleshoot-sign-in-issue.md) - [No subscriptions found](./no-subscriptions-found.md)-- [Enterprise cost view disabled](./enterprise-mgmt-grp-troubleshoot-cost-view.md)
+- [Enterprise cost view disabled](./enterprise-mgmt-grp-troubleshoot-cost-view.md)
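Review bot: the removed and added "[Enterprise cost view disabled]" list items are byte-identical as rendered, so this hunk changes only whitespace or the line ending; confirm it is intentional or drop it from the commit.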
cost-management-billing Troubleshoot Azure Sign Up https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/troubleshoot-azure-sign-up.md
To resolve this issue, double-check whether the following items are true:
#### You see the message 'Your current account type is not supported'
-This issue can occur if the account is registered in an [unmanaged Azure AD directory](../../active-directory/enterprise-users/directory-self-service-signup.md), and it isn't in your organization's Azure AD directory. To resolve this issue, sign up the Azure account by using another account, or take over the unmanaged AD directory. For more information, see [Take over an unmanaged directory as administrator in Azure Active Directory](../../active-directory/enterprise-users/domains-admin-takeover.md).
+This issue can occur if the account is registered in an [unmanaged Microsoft Entra directory](../../active-directory/enterprise-users/directory-self-service-signup.md), and it isn't in your organization's Microsoft Entra directory. To resolve this issue, sign up the Azure account by using another account, or take over the unmanaged AD directory. For more information, see [Take over an unmanaged directory as administrator in Microsoft Entra ID](../../active-directory/enterprise-users/domains-admin-takeover.md).
The issue can also occur if the account was created using the Microsoft 365 Developer Program. Microsoft doesn't allow purchasing other paid services using your Microsoft 365 Developer Program subscription. For more information, see [Does the subscription also include a subscription to Azure?](/office/developer-program/microsoft-365-developer-program-faq#does-the-subscription-also-include-a-subscription-to-azure-)
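Review bot: the added line still says "take over the unmanaged AD directory" while the rest of the same sentence and the linked title were renamed; for consistency it should read "take over the unmanaged Microsoft Entra directory".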
cost-management-billing Troubleshoot Cant Find Invoice https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/troubleshoot-cant-find-invoice.md
Some customers have two accounts with the same email address - a work or a schoo
1. Try other account, if you still can't view the invoice in the Azure portal.
-**Verify that you're signed in to the correct Azure Active directory (AAD) tenant:**
+**Verify that you're signed in to the correct Microsoft Entra tenant:**
-Your billing account and subscription is associated with an AAD tenant. If you're signed in to an incorrect tenant, you won't see the invoice for your subscription. Try the following steps to switch tenants in the Azure portal:
+Your billing account and subscription is associated with a Microsoft Entra tenant. If you're signed in to an incorrect tenant, you won't see the invoice for your subscription. Try the following steps to switch tenants in the Azure portal:
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Select your email address from the top-right of the page.
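Review bot: subject-verb agreement in the added line: "Your billing account and subscription is associated with a Microsoft Entra tenant" has a compound subject and should read "are associated". The same wording was in the removed line, but the line is being rewritten anyway.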
If you have questions or need help, [create a support request](https://portal.az
- [View and download your Azure invoice](../understand/download-azure-invoice.md) - [View and download your Azure usage and charges](../understand/download-azure-daily-usage.md)-- [No subscriptions found sign in error for Azure portal](no-subscriptions-found.md)
+- [No subscriptions found sign in error for Azure portal](no-subscriptions-found.md)
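Review bot: the removed and added "[No subscriptions found sign in error for Azure portal]" items are identical as rendered, so this hunk changes only whitespace or the line ending; confirm it is intentional or drop it.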
cost-management-billing Understand Ea Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/manage/understand-ea-roles.md
Each account requires a unique work, school, or Microsoft account. For more info
There can be only one account owner per account. However, there can be multiple accounts in an EA enrollment. Each account has a unique account owner.
-For different Azure AD accounts, it can take more than 30 minutes for permission settings to take effect.
+For different Microsoft Entra accounts, it can take more than 30 minutes for permission settings to take effect.
### Service administrator
cost-management-billing Manage Tenants https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/microsoft-customer-agreement/manage-tenants.md
The article helps you understand and manage tenants associated with your Microso
## What's a tenant?
-A tenant is a digital representation of your organization and is primarily associated with a domain, like Microsoft.com. It's an environment managed through Azure Active Directory that enables you to assign users permissions to manage Azure resources and billing.
+A tenant is a digital representation of your organization and is primarily associated with a domain, like Microsoft.com. It's an environment managed through Microsoft Entra ID that enables you to assign users permissions to manage Azure resources and billing.
Each tenant is distinct and separate from other tenants. You can allow users from other tenants to access your billing account by using one of the following methods: - Creating guest users in your tenants and assigning the appropriate billing role.
There are three ways users with billing owner access can assign roles to users t
Users that are added to your Microsoft Customer Agreement billing tenant, to manage billing responsibilities from a different tenant, must be invited as a guest.
-To invite someone as a guest, the user must have an existing email address with a domain that's different from your Azure Active Directory (AD) domain. Azure AD sends the guest user an email with a link for authentication.
+To invite someone as a guest, the user must have an existing email address with a domain that's different from your Microsoft Entra domain. Microsoft Entra ID sends the guest user an email with a link for authentication.
:::image type="content" source="./media/manage-tenants/guest-invitation-email.png" alt-text="Screenshot showing an example email invitation." lightbox="./media/manage-tenants/guest-invitation-email.png" :::
After they accept, they can [view the Microsoft Customer Agreement billing accou
:::image type="content" source="./media/manage-tenants/billing-microsoft-customer-agreement-in-list.png" alt-text="Screenshot showing the Microsoft Customer Agreement in the list of billing accounts." lightbox="./media/manage-tenants/billing-microsoft-customer-agreement-in-list.png" :::
-Authorization to invite guest users is controlled by your Azure AD settings. The value of the settings is shown under **Settings** on the **Organizational relationships** page. Ensure that the setting is selected, otherwise the invitation fails. For more information, see [Restrict guest user access permissions](../../active-directory/enterprise-users/users-restrict-guest-permissions.md).
+Authorization to invite guest users is controlled by your Microsoft Entra settings. The value of the settings is shown under **Settings** on the **Organizational relationships** page. Ensure that the setting is selected, otherwise the invitation fails. For more information, see [Restrict guest user access permissions](../../active-directory/enterprise-users/users-restrict-guest-permissions.md).
:::image type="content" source="./media/manage-tenants/external-collaboration-settings.png" alt-text="Screenshot showing External collaboration settings." lightbox="./media/manage-tenants/external-collaboration-settings.png" ::: > [!IMPORTANT] > Guest users get access to the Microsoft Customer Agreement tenant, which can potentially pose a security concern. For more information, see [Learn how to restrict guest users' default permissions](../../active-directory/fundamentals/users-default-permissions.md#restrict-member-users-default-permissions).
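Review bot: the added line still refers to the "**Organizational relationships** page", but the screenshot directly below it is captioned "External collaboration settings"; update the page name in the sentence to match the screenshot so readers can find the setting that gates guest invitations.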
-## Manage multiple Microsoft cloud services under an Azure AD tenant
+<a name='manage-multiple-microsoft-cloud-services-under-an-azure-ad-tenant'></a>
-You can manage multiple cloud services for your organization under a single Azure AD tenant. User accounts for all of Microsoft's cloud offerings are stored in the Azure AD tenant, which contains user accounts and groups. The following diagram shows an example of an organization with multiple services using a common Azure AD tenant containing accounts. Each service has its own portal, in blue text, where users manage their services.
+## Manage multiple Microsoft cloud services under a Microsoft Entra tenant
+You can manage multiple cloud services for your organization under a single Microsoft Entra tenant. User accounts for all of Microsoft's cloud offerings are stored in the Microsoft Entra tenant, which contains user accounts and groups. The following diagram shows an example of an organization with multiple services using a common Microsoft Entra tenant containing accounts. Each service has its own portal, in blue text, where users manage their services.
+ ## Next steps
Read the following articles to learn how to administer flexible billing ownershi
- [How to set up a tenant](../../active-directory/develop/quickstart-create-new-tenant.md) - [Azure built-in roles](../../role-based-access-control/built-in-roles.md)-- [Transfer an Azure subscription to a different Azure AD directory](../../role-based-access-control/transfer-subscription.md)-- [Restrict guest access permissions (preview) in Azure Active Directory](../../active-directory/enterprise-users/users-restrict-guest-permissions.md)
+- [Transfer an Azure subscription to a different Microsoft Entra directory](../../role-based-access-control/transfer-subscription.md)
+- [Restrict guest access permissions (preview) in Microsoft Entra ID](../../active-directory/enterprise-users/users-restrict-guest-permissions.md)
- [Add guest users to your directory in the Azure portal](../../active-directory/external-identities/b2b-quickstart-add-guest-users-portal.md#accept-the-invitation)-- [What are the default user permissions in Azure Active Directory?](../../active-directory/external-identities/b2b-quickstart-add-guest-users-portal.md#accept-the-invitation)-- [What is Azure Active Directory?](../../active-directory/fundamentals/active-directory-whatis.md)
+- [What are the default user permissions in Microsoft Entra ID?](../../active-directory/external-identities/b2b-quickstart-add-guest-users-portal.md#accept-the-invitation)
+- [What is Microsoft Entra ID?](../../active-directory/fundamentals/active-directory-whatis.md)
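Review bot: the link target for "What are the default user permissions in Microsoft Entra ID?" is the same guest-users quickstart anchor (`b2b-quickstart-add-guest-users-portal.md#accept-the-invitation`) used by the preceding "Add guest users" item, which looks like a copy-paste error. Earlier in this article the default permissions topic is linked as `../../active-directory/fundamentals/users-default-permissions.md`; point this item there.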
cost-management-billing Onboard Microsoft Customer Agreement https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/microsoft-customer-agreement/onboard-microsoft-customer-agreement.md
In the MCA contract process, there are two main customer roles ΓÇô the _Signer_
There are two customer roles assigned to one person in the Click-to-accept and Embedded e-sign processes. The person that has the Billing Account Owner role can then invite someone else in their organization to complete the contract acceptance process. This person also receives the Billing Account Owner role. - The Signer is the person in your organization who is authorized to accept and enter into contractual agreements on the company's behalf.-- The Billing Account Owner is the administrator of the Billing Account. This person places the order, accepts the proposal, and must have an Azure Active Directory (Azure AD) identity in the customer tenant.
+- The Billing Account Owner is the administrator of the Billing Account. This person places the order, accepts the proposal, and must have a Microsoft Entra identity in the customer tenant.
You can accelerate proposal creation and contract signature by gathering the following information before you contact your Microsoft account
Based on your signature requirements, request the appropriate article from your
- Click-to-accept signing steps ΓÇô The process works best when there's a single person in your organization who is **signer** (to accept the MCA) and the **billing account owner** (to accept the proposal.) There's no need for Microsoft or customer signature blocks. It's the simplest signature option. - Embedded e-sign signing steps ΓÇô The process works best when there's a single person in your organization who is the **signer** (to accept the MCA) and the **billing account owner** (to accept the proposal.) Use it when you need to see actual Microsoft and customer signature blocks.-- Electronic signature signing steps ΓÇô The process works best when you have a **signer** who doesn't necessarily have an Azure AD identity in the tenant and when actual Microsoft and customer signature blocks are required. With the signature option, a different person who has an Azure AD identity in the tenant must be assigned as the **billing account owner** to accept the proposal. The signature option allows one or more reviewers to review the agreement.
+- Electronic signature signing steps ΓÇô The process works best when you have a **signer** who doesn't necessarily have a Microsoft Entra identity in the tenant and when actual Microsoft and customer signature blocks are required. With the signature option, a different person who has a Microsoft Entra identity in the tenant must be assigned as the **billing account owner** to accept the proposal. The signature option allows one or more reviewers to review the agreement.
- Physical signature signing steps ΓÇô The process works best when you require a paper agreement and physical signatures from your organization _and_ from Microsoft. You can assign one or more persons from your organization as **signers** to sign the MCA. One of the signers, or a different person from your organization, must be assigned by your Microsoft account manager as **billing account owner** to accept the proposal so that they can accept the proposal in the Admin Center. The signature option supports one or more reviewers to review the agreement. ### Step 4 ΓÇô Complete purchase
In the MCA contract process, there are two main customer roles - the _Signer_ an
There are two customer roles assigned to one person in the Click-to-accept and Embedded e-sign processes. The person that has the Billing Account Owner role can then invite someone else in their organization to complete the contract acceptance process. They also receive the Billing Account Owner role. - The Signer is the person in your organization who is authorized to accept and enter into contractual agreements on the company's behalf.-- The Billing Account Owner is the administrator of the Billing Account. They place the order, accepts the proposal, and must have an Azure Active Directory (Azure AD) identity in the customer tenant.
+- The Billing Account Owner is the administrator of the Billing Account. They place the order, accepts the proposal, and must have a Microsoft Entra identity in the customer tenant.
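Review bot: subject-verb agreement in the added line: "They place the order, accepts the proposal, and must have a Microsoft Entra identity" should read "They place the order, accept the proposal, and must have ...".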
You can accelerate proposal creation and contract signature by gathering the following information before you contact your Microsoft account
Based on your signature requirements, request the appropriate article from your
- Click-to-accept signing steps - The process works best when there's a single person in your organization who is the **signer** (to accept the Microsoft Customer Agreement) and the **billing account owner** (to accept the proposal.) There's no need for Microsoft or customer signature blocks. It's the simplest signature option. - Embedded e-sign signing steps - The process works best when there's a single person in your organization who is the **signer** (to accept the MCA) and the **billing account owner** (to accept the proposal.) Use this choice when you need to see actual Microsoft and customer signature blocks.-- Electronic signature signing steps - The process works best when you have a **signer** who doesn't necessarily have an Azure AD identity in the tenant and when actual Microsoft and customer signature blocks are required. With the signature option, a different person who has an Azure AD identity in the tenant must be assigned as the **billing account owner** to accept the proposal. This signature option allows one or more reviewers to look over the agreement.
+- Electronic signature signing steps - The process works best when you have a **signer** who doesn't necessarily have a Microsoft Entra identity in the tenant and when actual Microsoft and customer signature blocks are required. With the signature option, a different person who has a Microsoft Entra identity in the tenant must be assigned as the **billing account owner** to accept the proposal. This signature option allows one or more reviewers to look over the agreement.
- Physical signature signing steps - The process works best when you require a paper agreement and physical signatures from your organization _and_ from Microsoft. You can assign one or more people from your organization as **signers** (to sign the MCA). One of the signers, or a different person from your organization, must be assigned by your Microsoft account manager as **billing account owner** to accept the proposal. This signature option supports one or more reviewers to review the agreement. ### Step 4 - Complete purchase
If you need more support, use your standard support contacts, such as:
- [View and download your Azure invoice](../understand/download-azure-invoice.md) - [Why you might not see an invoice](../understand/download-azure-invoice.md#why-you-might-not-see-an-invoice) - [Azure pricing calculator](../costs/pricing-calculator.md)-- [Microsoft Customer Agreement FAQ](microsoft-customer-agreement-faq.yml)
+- [Microsoft Customer Agreement FAQ](microsoft-customer-agreement-faq.yml)
cost-management-billing Limited Time Central Poland https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/reservations/limited-time-central-poland.md
Previously updated : 09/15/2023 Last updated : 10/11/2023 # Save on select VMs in Poland Central for a limited time
-Save up to 67 percent compared to pay-as-you-go pricing when you purchase one or three-year [Azure Reserved Virtual Machine (VM) Instances](../../virtual-machines/prepay-reserved-vm-instances.md?toc=/azure/cost-management-billing/reservations/toc.json) for select VMs Poland Central for a limited time. This offer is available between October 1, 2023 ΓÇô March 31, 2024.
+Save up to 66 percent compared to pay-as-you-go pricing when you purchase one or three-year [Azure Reserved Virtual Machine (VM) Instances](../../virtual-machines/prepay-reserved-vm-instances.md?toc=/azure/cost-management-billing/reservations/toc.json) for select VMs Poland Central for a limited time. This offer is available between October 1, 2023 ΓÇô March 31, 2024.
## Purchase the limited time offer
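Review bot: the added line changes the headline saving from 67 to 66 percent without any accompanying change elsewhere in the hunk, so it should be confirmed against the current price sheet before merge. Two smaller points on the same line: "for select VMs Poland Central" is missing "in" ("for select VMs in Poland Central"), and the date range separator renders as "ΓÇô", which is an en dash mis-decoded as code page 437 text; check that the source file is saved as UTF-8.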
These terms and conditions (hereinafter referred to as "terms") govern the limit
|`DS13 v2`|`DS13-2 v2`|`DS13-4 v2`|`DS14 v2`| |`DS14-4 v2`|`DS14-8 v2`|`DS15 v2`|`DS15i v2`| |`DS2 v2`|`DS3 v2`|`DS4 v2`|`DS5 v2`|
-|`Dsv3 Type1`|`Dsv3 Type2`|`Dsv3 Type3`|`Dsv3 Type4`|
-|`Dsv4 Type1`|`Dsv4 Type2`|`Dsv5 Type1`|`E104i v5`|
-|`E104id v5`|`E104ids v5`|`E104is v5`|`E112iads v5`|
-|`E112ias v5`|`E112ibds v5`|`E112ibs v5`|`E16 v3`|
-|`E16 v4`|`E16 v5`|`E16-4ads v5`|`E16-4as v5`|
-|`E16-4as_v4`|`E16-4ds v4`|`E16-4ds v5`|`E16-4s v3`|
-|`E16-4s v4`|`E16-4s v5`|`E16-8ads v5`|`E16-8as v5`|
-|`E16-8as_v4`|`E16-8ds v4`|`E16-8ds v5`|`E16-8s v3`|
-|`E16-8s v4`|`E16-8s v5`|`E16a v4`|`E16ads v5`|
-|`E16as v4`|`E16as v5`|`E16bds v5`|`E16bs v5`|
-|`E16d v4`|`E16d v5`|`E16ds v4`|`E16ds v5`|
-|`E16ds_v4_ ADHType1`|`E16s v3`|`E16s v4`|`E16s v5`|
-|`E16s_v4_ ADHType1`|`E2 v3`|`E2 v4`|`E2 v5`|
-|`E20 v3`|`E20 v4`|`E20 v5`|`E20a v4`|
-|`E20ads v5`|`E20as v4`|`E20as v5`|`E20d v4`|
-|`E20d v5`|`E20ds v4`|`E20ds v5`|`E20s v3`|
-|`E20s v4`|`E20s v5`|`E2a v4`|`E2ads v5`|
-|`E2as v4`|`E2as v5`|`E2bds v5`|`E2bs v5`|
-|`E2d v4`|`E2d v5`|`E2ds v4`|`E2ds v5`|
-|`E2s v3`|`E2s v4`|`E2s v5`|`E32 v3`|
-|`E32 v4`|`E32 v5`|`E32-16ads v5`|`E32-16as v5`|
-|`E32-16as_v4`|`E32-16ds v4`|`E32-16ds v5`|`E32-16s v3`|
-|`E32-16s v4`|`E32-16s v5`|`E32-8ads v5`|`E32-8as v5`|
-|`E32-8as_v4`|`E32-8ds v4`|`E32-8ds v5`|`E32-8s v3`|
-|`E32-8s v4`|`E32-8s v5`|`E32a v4`|`E32ads v5`|
-|`E32as v4`|`E32as v5`|`E32bds v5`|`E32bs v5`|
-|`E32d v4`|`E32d v5`|`E32ds v4`|`E32ds v5`|
-|`E32ds_v4_ ADHType1`|`E32s v3`|`E32s v4`|`E32s v5`|
-|`E32s_v4_ ADHType1`|`E4 v3`|`E4 v4`|`E4 v5`|
-|`E4-2ads v5`|`E4-2as v5`|`E4-2as_v4`|`E4-2ds v4`|
-|`E4-2ds v5`|`E4-2s v3`|`E4-2s v4`|`E4-2s v5`|
-|`E48 v3`|`E48 v4`|`E48 v5`|`E48a v4`|
-|`E48ads v5`|`E48as v4`|`E48as v5`|`E48bds v5`|
-|`E48bs v5`|`E48d v4`|`E48d v5`|`E48ds v4`|
-|`E48ds v5`|`E48s v3`|`E48s v4`|`E48s v5`|
-|`E4a v4`|`E4ads v5`|`E4as v4`|`E4as v5`|
-|`E4bds v5`|`E4bs v5`|`E4d v4`|`E4d v5`|
-|`E4ds v4`|`E4ds v5`|`E4ds_v4_ADHType1`|`E4s v3`|
-|`E4s v4`|`E4s v5`|`E4s_v4_ADHType1`|`E64 v3`|
-|`E64 v4`|`E64 v5`|`E64-16ads v5`|`E64-16as v5`|
-|`E64-16as_v4`|`E64-16ds v4`|`E64-16ds v5`|`E64-16s v3`|
-|`E64-16s v4`|`E64-16s v5`|`E64-32ads v5`|`E64-32as v5`|
-|`E64-32as_v4`|`E64-32ds v4`|`E64-32ds v5`|`E64-32s v3`|
-|`E64-32s v4`|`E64-32s v5`|`E64a v4`|`E64ads v5`|
-|`E64as v4`|`E64as v5`|`E64bds v5`|`E64bs v5`|
-|`E64d v4`|`E64d v5`|`E64ds v4`|`E64ds v5`|
-|`E64i v3`|`E64i_v4_SPECIAL`|`E64id_v4_SPECIAL`|`E64ids_v4_SPECIAL`|
-|`E64is v3`|`E64is_v4_SPECIAL`|`E64s v3`|`E64s v4`|
-|`E64s v5`|`E8 v3`|`E8 v4`|`E8 v5`|
-|`E80ids v4`|`E80is v4`|`E8-2ads v5`|`E8-2as v5`|
-|`E8-2as_v4`|`E8-2ds v4`|`E8-2ds v5`|`E8-2s v3`|
-|`E8-2s v4`|`E8-2s v5`|`E8-4ads v5`|`E8-4as v5`|
-|`E8-4as_v4`|`E8-4ds v4`|`E8-4ds v5`|`E8-4s v3`|
-|`E8-4s v4`|`E8-4s v5`|`E8a v4`|`E8ads v5`|
-|`E8as v4`|`E8as v5`|`E8bds v5`|`E8bs v5`|
-|`E8d v4`|`E8d v5`|`E8ds v4`|`E8ds v5`|
-|`E8ds_v4_ ADHType1`|`E8s v3`|`E8s v4`|`E8s v5`|
-|`E8s_v4_ADHType1`|`E96 v5`|`E96-24ads v5`|`E96-24as v5`|
-|`E96-24as_v4`|`E96-24ds v5`|`E96-24s v5`|`E96-48ads v5`|
-|`E96-48as v5`|`E96-48as_v4`|`E96-48ds v5`|`E96-48s v5`|
-|`E96a v4`|`E96ads v5`|`E96as v4`|`E96as v5`|
-|`E96bds v5`|`E96bs v5`|`E96d v5`|`E96ds v5`|
-|`E96iads v5`|`E96ias v4`|`E96ias v5`|`E96s v5`|
-|`Eadsv5 Type1`|`Easv4 Type1`|`Easv4 Type2`|`Easv5 Type1`|
-|`Ebdsv5-Type1`|`Ebsv5-Type1`|`Edsv4 Type 1`|`Edsv4 Type 2`|
-|`Edsv5 Type1`|`Esv3 Type1`|`Esv3 Type2`|`Esv3 Type3`|
+|`Dsv3 Type3`|`Dsv3 Type4`| `Dsv4 Type1`|`Dsv4 Type2`|
+|`Dsv5 Type1`|`E104i v5`| `E104id v5`|`E104ids v5`|
+|`E104is v5`|`E112iads v5`|`E112ias v5`|`E112ibds v5`|
+|`E112ibs v5`|`E16 v3`| `E16 v4`|`E16 v5`|
+|`E16-4ads v5`|`E16-4as v5`|`E16-4as_v4`|`E16-4ds v4`|
+|`E16-4ds v5`|`E16-4s v3`|`E16-4s v4`|`E16-4s v5`|
+|`E16-8ads v5`|`E16-8as v5`|`E16-8as_v4`|`E16-8ds v4`|
+|`E16-8ds v5`|`E16-8s v3`|`E16-8s v4`|`E16-8s v5`|
+|`E16a v4`|`E16ads v5`|`E16as v4`|`E16as v5`|
+|`E16bds v5`|`E16bs v5`|`E16d v4`|`E16d v5`|
+|`E16ds v4`|`E16ds v5`|`E16ds_v4_ ADHType1`|`E16s v3`|
+|`E16s v4`|`E16s v5`| `E16s_v4_ ADHType1`|`E2 v3`|
+|`E2 v4`|`E2 v5`|`E20 v3`|`E20 v4`|
+|`E20 v5`|`E20a v4`|`E20ads v5`|`E20as v4`|
+|`E20as v5`|`E20d v4`|`E20d v5`|`E20ds v4`|
+|`E20ds v5`|`E20s v3`|`E20s v4`|`E20s v5`|
+|`E2a v4`|`E2ads v5`|`E2as v4`|`E2as v5`|
+|`E2bds v5`|`E2bs v5`|`E2d v4`|`E2d v5`|
+|`E2ds v4`|`E2ds v5`|`E2s v3`|`E2s v4`|
+|`E2s v5`|`E32 v3`|`E32 v4`|`E32 v5`|
+|`E32-16ads v5`|`E32-16as v5`|`E32-16as_v4`|`E32-16ds v4`|
+|`E32-16ds v5`|`E32-16s v3`|`E32-16s v4`|`E32-16s v5`|
+|`E32-8ads v5`|`E32-8as v5`|`E32-8as_v4`|`E32-8ds v4`|
+|`E32-8ds v5`|`E32-8s v3`|`E32-8s v4`|`E32-8s v5`|
+|`E32a v4`|`E32ads v5`|`E32as v4`|`E32as v5`|
+|`E32bds v5`|`E32bs v5`|`E32d v4`|`E32d v5`|
+|`E32ds v4`|`E32ds v5`|`E32ds_v4_ ADHType1`|`E32s v3`|
+|`E32s v4`|`E32s v5`|`E32s_v4_ ADHType1`|`E4 v3`|
+|`E4 v4`|`E4 v5`|`E4-2ads v5`|`E4-2as v5`|
+|`E4-2as_v4`|`E4-2ds v4`|`E4-2ds v5`|`E4-2s v3`|
+|`E4-2s v4`|`E4-2s v5`|`E48 v3`|`E48 v4`|
+|`E48 v5`|`E48a v4`|`E48ads v5`|`E48as v4`|
+|`E48as v5`|`E48bds v5`|`E48bs v5`|`E48d v4`|
+|`E48d v5`|`E48ds v4`|`E48ds v5`|`E48s v3`|
+|`E48s v4`|`E48s v5`|`E4a v4`|`E4ads v5`|
+|`E4as v4`|`E4as v5`|`E4bds v5`|`E4bs v5`|
+|`E4d v4`|`E4d v5`|`E4ds v4`|`E4ds v5`|
+|`E4ds_v4_ADHType1`|`E4s v3`|`E4s v4`|`E4s v5`|
+|`E4s_v4_ADHType1`|`E64 v3`|`E64 v4`|`E64 v5`|
+|`E64-16ads v5`|`E64-16as v5`|`E64-16as_v4`|`E64-16ds v4`|
+|`E64-16ds v5`|`E64-16s v3`|`E64-16s v4`|`E64-16s v5`|
+|`E64-32ads v5`|`E64-32as v5`|`E64-32as_v4`|`E64-32ds v4`|
+|`E64-32ds v5`|`E64-32s v3`|`E64-32s v4`|`E64-32s v5`|
+|`E64a v4`|`E64ads v5`|`E64as v4`|`E64as v5`|
+|`E64bds v5`|`E64bs v5`|`E64d v4`|`E64d v5`|
+|`E64ds v4`|`E64ds v5`|`E64i v3`|`E64i_v4_SPECIAL`|
+|`E64id_v4_SPECIAL`|`E64ids_v4_SPECIAL`|`E64is v3`|`E64is_v4_SPECIAL`|
+|`E64s v3`|`E64s v4`|`E64s v5`|`E8 v3`|
+|`E8 v4`|`E8 v5`|`E80ids v4`|`E80is v4`|
+|`E8-2ads v5`|`E8-2as v5`|`E8-2as_v4`|`E8-2ds v4`|
+|`E8-2ds v5`|`E8-2s v3`|`E8-2s v4`|`E8-2s v5`|
+|`E8-4ads v5`|`E8-4as v5`|`E8-4as_v4`|`E8-4ds v4`|
+|`E8-4ds v5`|`E8-4s v3`|`E8-4s v4`|`E8-4s v5`|
+|`E8a v4`|`E8ads v5`|`E8as v4`|`E8as v5`|
+|`E8bds v5`|`E8bs v5`|`E8d v4`|`E8d v5`|
+|`E8ds v4`|`E8ds v5`|`E8ds_v4_ ADHType1`|`E8s v3`|
+|`E8s v4`|`E8s v5`|`E8s_v4_ADHType1`|`E96 v5`|
+|`E96-24ads v5`|`E96-24as v5`|`E96-24as_v4`|`E96-24ds v5`|
+|`E96-24s v5`|`E96-48ads v5`|`E96-48as v5`|`E96-48as_v4`|
+|`E96-48ds v5`|`E96-48s v5`|`E96a v4`|`E96ads v5`|
+|`E96as v4`|`E96as v5`|`E96bds v5`|`E96bs v5`|
+|`E96d v5`|`E96ds v5`|`E96iads v5`|`E96ias v4`|
+|`E96ias v5`|`E96s v5`|`Eadsv5 Type1`|`Easv4 Type1`|
+|`Easv4 Type2`|`Easv5 Type1`|`Ebdsv5-Type1`|`Ebsv5-Type1`|
+|`Edsv4 Type 1`|`Edsv4 Type 2`|`Edsv5 Type1`|`Esv3 Type3`|
|`Esv3 Type4`|`Esv4 Type1`|`Esv4 Type2`|`Esv5 Type1`| |`F1`|`F16`|`F16s`|`F16s v2`| |`F1s`|`F2`|`F2s`|`F2s v2`|
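Review bot: the rewritten `+` rows carry over SKU names with a stray space inside the identifier (`E16ds_v4_ ADHType1`, `E16s_v4_ ADHType1`, `E32ds_v4_ ADHType1`, `E32s_v4_ ADHType1`, `E8ds_v4_ ADHType1`) while the neighbouring `E4ds_v4_ADHType1`, `E4s_v4_ADHType1` and `E8s_v4_ADHType1` have none; readers match these strings against the SKU shown on the purchase page, so normalize them to the space-free form while the rows are being rewritten, and drop the stray leading space in cells such as `| `Dsv4 Type1`|`. Note also that the reflow silently removes `Dsv3 Type1`, `Dsv3 Type2`, `Esv3 Type1` and `Esv3 Type2` from the qualifying list; a reflowed table hides that kind of change, so state the removal in the commit message. The second copy of this table later in the article has the same rows and needs the same fixes.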
These terms and conditions (hereinafter referred to as "terms") govern the limit
|`F8s`|`F8s v2`|`Fsv2 Type2`|`Fsv2 Type3`| |`Fsv2 Type4`|`SQLG7_AMD_IaaS`|`SQLG7_AMD_NVME`| |
-The 67 percent saving is based on one DS1 v2 Azure VM for Linux in the Poland Central region running for 36 months at a pay-as-you-go rate as of September 2023. Actual savings may vary based on location, term commitment, instance type, or usage. The savings doesn't include operating system costs.
+The 66 percent saving is based on one DS1 v2 Azure VM for Linux in the Poland Central region running for 36 months at a pay-as-you-go rate as of September 2023. Actual savings vary based on location, term commitment, instance type, or usage. The savings doesn't include operating system costs.
**Eligibility** - The Offer is open to individuals who meet the following criteria:
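Review bot: the `+` line corrects the figure to 66 percent but keeps the number disagreement in the last sentence, "The savings doesn't include operating system costs"; since the sentence opens with "The 66 percent saving", write "The saving doesn't include operating system costs" (or "Savings don't include").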
The 67 percent saving is based on one DS1 v2 Azure VM for Linux in the Poland Ce
**Offer details** - Upon successful purchase and payment for the one or three-year Azure Reserved VM Instance in Poland Central for one or more of the qualified VMs during the specified period, the discount applies automatically to the number of running virtual machines in Poland Central that match the reservation scope and attributes. You don't need to assign a reservation to a virtual machine to get the discounts. A reserved instance purchase covers only the compute part of your VM usage. For more information about how to pay and save with an Azure Reserved VM Instance, see [Prepay for Azure virtual machines to save money](../../virtual-machines/prepay-reserved-vm-instances.md?toc=/azure/cost-management-billing/reservations/toc.json). -- Additional taxes may apply.
+- Additional taxes might apply.
- Payment will be processed using the payment method on file for the selected subscriptions. - Estimated savings are calculated based on your current on-demand rate.
The 67 percent saving is based on one DS1 v2 Azure VM for Linux in the Poland Ce
|`DS13 v2`|`DS13-2 v2`|`DS13-4 v2`|`DS14 v2`| |`DS14-4 v2`|`DS14-8 v2`|`DS15 v2`|`DS15i v2`| |`DS2 v2`|`DS3 v2`|`DS4 v2`|`DS5 v2`|
-|`Dsv3 Type1`|`Dsv3 Type2`|`Dsv3 Type3`|`Dsv3 Type4`|
-|`Dsv4 Type1`|`Dsv4 Type2`|`Dsv5 Type1`|`E104i v5`|
-|`E104id v5`|`E104ids v5`|`E104is v5`|`E112iads v5`|
-|`E112ias v5`|`E112ibds v5`|`E112ibs v5`|`E16 v3`|
-|`E16 v4`|`E16 v5`|`E16-4ads v5`|`E16-4as v5`|
-|`E16-4as_v4`|`E16-4ds v4`|`E16-4ds v5`|`E16-4s v3`|
-|`E16-4s v4`|`E16-4s v5`|`E16-8ads v5`|`E16-8as v5`|
-|`E16-8as_v4`|`E16-8ds v4`|`E16-8ds v5`|`E16-8s v3`|
-|`E16-8s v4`|`E16-8s v5`|`E16a v4`|`E16ads v5`|
-|`E16as v4`|`E16as v5`|`E16bds v5`|`E16bs v5`|
-|`E16d v4`|`E16d v5`|`E16ds v4`|`E16ds v5`|
-|`E16ds_v4_ ADHType1`|`E16s v3`|`E16s v4`|`E16s v5`|
-|`E16s_v4_ ADHType1`|`E2 v3`|`E2 v4`|`E2 v5`|
-|`E20 v3`|`E20 v4`|`E20 v5`|`E20a v4`|
-|`E20ads v5`|`E20as v4`|`E20as v5`|`E20d v4`|
-|`E20d v5`|`E20ds v4`|`E20ds v5`|`E20s v3`|
-|`E20s v4`|`E20s v5`|`E2a v4`|`E2ads v5`|
-|`E2as v4`|`E2as v5`|`E2bds v5`|`E2bs v5`|
-|`E2d v4`|`E2d v5`|`E2ds v4`|`E2ds v5`|
-|`E2s v3`|`E2s v4`|`E2s v5`|`E32 v3`|
-|`E32 v4`|`E32 v5`|`E32-16ads v5`|`E32-16as v5`|
-|`E32-16as_v4`|`E32-16ds v4`|`E32-16ds v5`|`E32-16s v3`|
-|`E32-16s v4`|`E32-16s v5`|`E32-8ads v5`|`E32-8as v5`|
-|`E32-8as_v4`|`E32-8ds v4`|`E32-8ds v5`|`E32-8s v3`|
-|`E32-8s v4`|`E32-8s v5`|`E32a v4`|`E32ads v5`|
-|`E32as v4`|`E32as v5`|`E32bds v5`|`E32bs v5`|
-|`E32d v4`|`E32d v5`|`E32ds v4`|`E32ds v5`|
-|`E32ds_v4_ ADHType1`|`E32s v3`|`E32s v4`|`E32s v5`|
-|`E32s_v4_ ADHType1`|`E4 v3`|`E4 v4`|`E4 v5`|
-|`E4-2ads v5`|`E4-2as v5`|`E4-2as_v4`|`E4-2ds v4`|
-|`E4-2ds v5`|`E4-2s v3`|`E4-2s v4`|`E4-2s v5`|
-|`E48 v3`|`E48 v4`|`E48 v5`|`E48a v4`|
-|`E48ads v5`|`E48as v4`|`E48as v5`|`E48bds v5`|
-|`E48bs v5`|`E48d v4`|`E48d v5`|`E48ds v4`|
-|`E48ds v5`|`E48s v3`|`E48s v4`|`E48s v5`|
-|`E4a v4`|`E4ads v5`|`E4as v4`|`E4as v5`|
-|`E4bds v5`|`E4bs v5`|`E4d v4`|`E4d v5`|
-|`E4ds v4`|`E4ds v5`|`E4ds_v4_ADHType1`|`E4s v3`|
-|`E4s v4`|`E4s v5`|`E4s_v4_ADHType1`|`E64 v3`|
-|`E64 v4`|`E64 v5`|`E64-16ads v5`|`E64-16as v5`|
-|`E64-16as_v4`|`E64-16ds v4`|`E64-16ds v5`|`E64-16s v3`|
-|`E64-16s v4`|`E64-16s v5`|`E64-32ads v5`|`E64-32as v5`|
-|`E64-32as_v4`|`E64-32ds v4`|`E64-32ds v5`|`E64-32s v3`|
-|`E64-32s v4`|`E64-32s v5`|`E64a v4`|`E64ads v5`|
-|`E64as v4`|`E64as v5`|`E64bds v5`|`E64bs v5`|
-|`E64d v4`|`E64d v5`|`E64ds v4`|`E64ds v5`|
-|`E64i v3`|`E64i_v4_SPECIAL`|`E64id_v4_SPECIAL`|`E64ids_v4_SPECIAL`|
-|`E64is v3`|`E64is_v4_SPECIAL`|`E64s v3`|`E64s v4`|
-|`E64s v5`|`E8 v3`|`E8 v4`|`E8 v5`|
-|`E80ids v4`|`E80is v4`|`E8-2ads v5`|`E8-2as v5`|
-|`E8-2as_v4`|`E8-2ds v4`|`E8-2ds v5`|`E8-2s v3`|
-|`E8-2s v4`|`E8-2s v5`|`E8-4ads v5`|`E8-4as v5`|
-|`E8-4as_v4`|`E8-4ds v4`|`E8-4ds v5`|`E8-4s v3`|
-|`E8-4s v4`|`E8-4s v5`|`E8a v4`|`E8ads v5`|
-|`E8as v4`|`E8as v5`|`E8bds v5`|`E8bs v5`|
-|`E8d v4`|`E8d v5`|`E8ds v4`|`E8ds v5`|
-|`E8ds_v4_ ADHType1`|`E8s v3`|`E8s v4`|`E8s v5`|
-|`E8s_v4_ADHType1`|`E96 v5`|`E96-24ads v5`|`E96-24as v5`|
-|`E96-24as_v4`|`E96-24ds v5`|`E96-24s v5`|`E96-48ads v5`|
-|`E96-48as v5`|`E96-48as_v4`|`E96-48ds v5`|`E96-48s v5`|
-|`E96a v4`|`E96ads v5`|`E96as v4`|`E96as v5`|
-|`E96bds v5`|`E96bs v5`|`E96d v5`|`E96ds v5`|
-|`E96iads v5`|`E96ias v4`|`E96ias v5`|`E96s v5`|
-|`Eadsv5 Type1`|`Easv4 Type1`|`Easv4 Type2`|`Easv5 Type1`|
-|`Ebdsv5-Type1`|`Ebsv5-Type1`|`Edsv4 Type 1`|`Edsv4 Type 2`|
-|`Edsv5 Type1`|`Esv3 Type1`|`Esv3 Type2`|`Esv3 Type3`|
+|`Dsv3 Type3`|`Dsv3 Type4`| `Dsv4 Type1`|`Dsv4 Type2`|
+|`Dsv5 Type1`|`E104i v5`| `E104id v5`|`E104ids v5`|
+|`E104is v5`|`E112iads v5`|`E112ias v5`|`E112ibds v5`|
+|`E112ibs v5`|`E16 v3`| `E16 v4`|`E16 v5`|
+|`E16-4ads v5`|`E16-4as v5`|`E16-4as_v4`|`E16-4ds v4`|
+|`E16-4ds v5`|`E16-4s v3`|`E16-4s v4`|`E16-4s v5`|
+|`E16-8ads v5`|`E16-8as v5`|`E16-8as_v4`|`E16-8ds v4`|
+|`E16-8ds v5`|`E16-8s v3`|`E16-8s v4`|`E16-8s v5`|
+|`E16a v4`|`E16ads v5`|`E16as v4`|`E16as v5`|
+|`E16bds v5`|`E16bs v5`|`E16d v4`|`E16d v5`|
+|`E16ds v4`|`E16ds v5`|`E16ds_v4_ ADHType1`|`E16s v3`|
+|`E16s v4`|`E16s v5`| `E16s_v4_ ADHType1`|`E2 v3`|
+|`E2 v4`|`E2 v5`|`E20 v3`|`E20 v4`|
+|`E20 v5`|`E20a v4`|`E20ads v5`|`E20as v4`|
+|`E20as v5`|`E20d v4`|`E20d v5`|`E20ds v4`|
+|`E20ds v5`|`E20s v3`|`E20s v4`|`E20s v5`|
+|`E2a v4`|`E2ads v5`|`E2as v4`|`E2as v5`|
+|`E2bds v5`|`E2bs v5`|`E2d v4`|`E2d v5`|
+|`E2ds v4`|`E2ds v5`|`E2s v3`|`E2s v4`|
+|`E2s v5`|`E32 v3`|`E32 v4`|`E32 v5`|
+|`E32-16ads v5`|`E32-16as v5`|`E32-16as_v4`|`E32-16ds v4`|
+|`E32-16ds v5`|`E32-16s v3`|`E32-16s v4`|`E32-16s v5`|
+|`E32-8ads v5`|`E32-8as v5`|`E32-8as_v4`|`E32-8ds v4`|
+|`E32-8ds v5`|`E32-8s v3`|`E32-8s v4`|`E32-8s v5`|
+|`E32a v4`|`E32ads v5`|`E32as v4`|`E32as v5`|
+|`E32bds v5`|`E32bs v5`|`E32d v4`|`E32d v5`|
+|`E32ds v4`|`E32ds v5`|`E32ds_v4_ ADHType1`|`E32s v3`|
+|`E32s v4`|`E32s v5`|`E32s_v4_ ADHType1`|`E4 v3`|
+|`E4 v4`|`E4 v5`|`E4-2ads v5`|`E4-2as v5`|
+|`E4-2as_v4`|`E4-2ds v4`|`E4-2ds v5`|`E4-2s v3`|
+|`E4-2s v4`|`E4-2s v5`|`E48 v3`|`E48 v4`|
+|`E48 v5`|`E48a v4`|`E48ads v5`|`E48as v4`|
+|`E48as v5`|`E48bds v5`|`E48bs v5`|`E48d v4`|
+|`E48d v5`|`E48ds v4`|`E48ds v5`|`E48s v3`|
+|`E48s v4`|`E48s v5`|`E4a v4`|`E4ads v5`|
+|`E4as v4`|`E4as v5`|`E4bds v5`|`E4bs v5`|
+|`E4d v4`|`E4d v5`|`E4ds v4`|`E4ds v5`|
+|`E4ds_v4_ADHType1`|`E4s v3`|`E4s v4`|`E4s v5`|
+|`E4s_v4_ADHType1`|`E64 v3`|`E64 v4`|`E64 v5`|
+|`E64-16ads v5`|`E64-16as v5`|`E64-16as_v4`|`E64-16ds v4`|
+|`E64-16ds v5`|`E64-16s v3`|`E64-16s v4`|`E64-16s v5`|
+|`E64-32ads v5`|`E64-32as v5`|`E64-32as_v4`|`E64-32ds v4`|
+|`E64-32ds v5`|`E64-32s v3`|`E64-32s v4`|`E64-32s v5`|
+|`E64a v4`|`E64ads v5`|`E64as v4`|`E64as v5`|
+|`E64bds v5`|`E64bs v5`|`E64d v4`|`E64d v5`|
+|`E64ds v4`|`E64ds v5`|`E64i v3`|`E64i_v4_SPECIAL`|
+|`E64id_v4_SPECIAL`|`E64ids_v4_SPECIAL`|`E64is v3`|`E64is_v4_SPECIAL`|
+|`E64s v3`|`E64s v4`|`E64s v5`|`E8 v3`|
+|`E8 v4`|`E8 v5`|`E80ids v4`|`E80is v4`|
+|`E8-2ads v5`|`E8-2as v5`|`E8-2as_v4`|`E8-2ds v4`|
+|`E8-2ds v5`|`E8-2s v3`|`E8-2s v4`|`E8-2s v5`|
+|`E8-4ads v5`|`E8-4as v5`|`E8-4as_v4`|`E8-4ds v4`|
+|`E8-4ds v5`|`E8-4s v3`|`E8-4s v4`|`E8-4s v5`|
+|`E8a v4`|`E8ads v5`|`E8as v4`|`E8as v5`|
+|`E8bds v5`|`E8bs v5`|`E8d v4`|`E8d v5`|
+|`E8ds v4`|`E8ds v5`|`E8ds_v4_ ADHType1`|`E8s v3`|
+|`E8s v4`|`E8s v5`|`E8s_v4_ADHType1`|`E96 v5`|
+|`E96-24ads v5`|`E96-24as v5`|`E96-24as_v4`|`E96-24ds v5`|
+|`E96-24s v5`|`E96-48ads v5`|`E96-48as v5`|`E96-48as_v4`|
+|`E96-48ds v5`|`E96-48s v5`|`E96a v4`|`E96ads v5`|
+|`E96as v4`|`E96as v5`|`E96bds v5`|`E96bs v5`|
+|`E96d v5`|`E96ds v5`|`E96iads v5`|`E96ias v4`|
+|`E96ias v5`|`E96s v5`|`Eadsv5 Type1`|`Easv4 Type1`|
+|`Easv4 Type2`|`Easv5 Type1`|`Ebdsv5-Type1`|`Ebsv5-Type1`|
+|`Edsv4 Type 1`|`Edsv4 Type 2`|`Edsv5 Type1`|`Esv3 Type3`|
|`Esv3 Type4`|`Esv4 Type1`|`Esv4 Type2`|`Esv5 Type1`| |`F1`|`F16`|`F16s`|`F16s v2`| |`F1s`|`F2`|`F2s`|`F2s v2`|
By participating in the offer, customers agree to be bound by these terms and th
## Next steps - [Understand Azure Reserved VM Instances discount](../manage/understand-vm-reservation-charges.md)-- [Purchase Azure Reserved VM Instances in the Azure portal](https://aka.ms/azure/pricing/PolandCentral/VM/Purchase)
+- [Purchase Azure Reserved VM Instances in the Azure portal](https://aka.ms/azure/pricing/PolandCentral/VM/Purchase)
cost-management-billing Manage Reserved Vm Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/reservations/manage-reserved-vm-instance.md
By default, the following users can view and manage reservations:
- The person who bought the reservation and the account owner for the billing subscription get Azure RBAC access to the reservation order. - Enterprise Agreement and Microsoft Customer Agreement billing contributors can manage all reservations from Cost Management + Billing > Reservation Transactions > select the blue banner.-- A Reservation administrator for reservations in their Azure Active Directory (Azure AD) tenant (directory).-- A Reservation reader has read-only access to reservations in their Azure Active Directory tenant (directory).
+- A Reservation administrator for reservations in their Microsoft Entra tenant (directory).
+- A Reservation reader has read-only access to reservations in their Microsoft Entra tenant (directory).
To allow other people to manage reservations, you have two options:
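Review bot: the `+` bullet "A Reservation administrator for reservations in their Microsoft Entra tenant (directory)." has no verb, unlike the reader bullet that follows it; while the line is being touched, make it parallel, for example "A Reservation administrator can manage all reservations in their Microsoft Entra tenant (directory)."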
cost-management-billing Troubleshoot Reservation Transfers Between Tenants https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/reservations/troubleshoot-reservation-transfers-between-tenants.md
Title: Change an Azure reservation directory
-description: This article helps reservation owners transfer a reservation order from one Azure Active Directory tenant (directory) to another.
+description: This article helps reservation owners transfer a reservation order from one Microsoft Entra tenant (directory) to another.
Last updated 04/12/2023
# Change an Azure reservation directory between tenants
-This article helps reservation owners change a reservation order's directory from one Azure Active Directory tenant (directory) to another. When you change a reservation order's directory, it removes any Azure RBAC access to the reservation order and dependent reservations. Only you have access after the change. Changing the directory doesn't change billing ownership for the reservation order. The directory is changed for the parent reservation order and dependent reservations.
+This article helps reservation owners change a reservation order's directory from one Microsoft Entra tenant (directory) to another. When you change a reservation order's directory, it removes any Azure RBAC access to the reservation order and dependent reservations. Only you have access after the change. Changing the directory doesn't change billing ownership for the reservation order. The directory is changed for the parent reservation order and dependent reservations.
A reservation exchange and cancellation isn't needed to change a reservation order's directory.
Use the following steps to change a reservation order's directory and its depend
1. Select the reservation that you want to transfer. 1. In the reservation details, select the Reservation order ID. 1. In the reservation order, select **Change directory**.
-1. In the Change directory pane, select the Azure AD directory that you want to transfer the reservation to and then select **Confirm**.
+1. In the Change directory pane, select the Microsoft Entra directory that you want to transfer the reservation to and then select **Confirm**.
## Update reservation scope
cost-management-billing View Reservations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/reservations/view-reservations.md
By default, the following users can view and manage reservations:
- The person who buys a reservation and the account administrator of the billing subscription used to buy the reservation are added to the reservation order. - Enterprise Agreement and Microsoft Customer Agreement billing administrators. - Users with elevated access to manage all Azure subscriptions and management groups-- A Reservation administrator for reservations in their Azure Active Directory (Azure AD) tenant (directory)-- A Reservation reader has read-only access to reservations in their Azure Active Directory tenant (directory)
+- A Reservation administrator for reservations in their Microsoft Entra tenant (directory)
+- A Reservation reader has read-only access to reservations in their Microsoft Entra tenant (directory)
The reservation lifecycle is independent of an Azure subscription, so the reservation isn't a resource under the Azure subscription. Instead, it's a tenant-level resource with its own Azure RBAC permission separate from subscriptions. Reservations don't inherit permissions from subscriptions after the purchase.
If you're a billing administrator, use following steps to view and manage all re
- If you're a Microsoft Customer Agreement billing profile owner, in the left menu, select **Billing profiles**. In the list of billing profiles, select one. 1. In the left menu, select **Products + services** > **Reservations**. 1. The complete list of reservations for your EA enrollment or billing profile is shown.
-1. Billing administrators can take ownership of a reservation by selecting one or multiple reservations, selecting **Grant access** and selecting **Grant access** in the window that appears. For a Microsoft Customer Agreement, user should be in the same Azure Active Directory (Azure AD) tenant (directory) as the reservation.
+1. Billing administrators can take ownership of a reservation by selecting one or multiple reservations, selecting **Grant access** and selecting **Grant access** in the window that appears. For a Microsoft Customer Agreement, user should be in the same Microsoft Entra tenant (directory) as the reservation.
### Add billing administrators
Access granted using PowerShell isn't shown in the Azure portal. Instead, you us
## Assign the owner role for all reservations
-Use the following Azure PowerShell script to give a user Azure RBAC access to all reservations orders in their Azure AD tenant (directory).
+Use the following Azure PowerShell script to give a user Azure RBAC access to all reservations orders in their Microsoft Entra tenant (directory).
```azurepowershell
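Review bot: the `+` line still reads "all reservations orders"; it should be "all reservation orders". More importantly, the script it introduces assigns the role at scope `/providers/Microsoft.Capacity` (visible in the `New-AzRoleAssignment` call further down), which is tenant-wide, and the article states that access granted this way is not shown in the Azure portal. Suggest the sentence say so explicitly, for example "...gives a user Owner access to every reservation order in the tenant; the assignment is visible only through PowerShell or the CLI", so that readers understand the scope of what they are granting before running it.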
When you use the PowerShell script to assign the ownership role and it runs succ
### Parameters
-**-ObjectId** Azure AD ObjectId of the user, group, or service principal.
+**-ObjectId** Microsoft Entra ObjectId of the user, group, or service principal.
- Type: String - Aliases: Id, PrincipalId - Position: Named
New-AzRoleAssignment -Scope "/providers/Microsoft.Capacity" -PrincipalId <Object
#### Parameters
-**-ObjectId** Azure AD ObjectId of the user, group, or service principal.
+**-ObjectId** Microsoft Entra ObjectId of the user, group, or service principal.
- Type: String - Aliases: Id, PrincipalId - Position: Named
New-AzRoleAssignment -Scope "/providers/Microsoft.Capacity" -PrincipalId <Object
#### Parameters
-**-ObjectId** Azure AD ObjectId of the user, group, or service principal.
+**-ObjectId** Microsoft Entra ObjectId of the user, group, or service principal.
- Type: String - Aliases: Id, PrincipalId - Position: Named
cost-management-billing Download Azure Invoice https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/understand/download-azure-invoice.md
There could be several reasons that you don't see an invoice:
- Some customers have two identities with the same email address - a work account and a Microsoft account. Typically, only one of their identities has permissions to view invoices. If they sign in with the identity that doesn't have permission, they would not see the invoices. Verify that you're using the correct identity to sign in. -- You have signed in to the incorrect Azure Active Directory (Azure AD) tenant.
+- You have signed in to the incorrect Microsoft Entra tenant.
- - Your billing account is associated with an Azure AD tenant. If you're signed in to an incorrect tenant, you won't see the invoice for subscriptions in your billing account. Verify that you're signed in to the correct Azure AD tenant. If you aren't signed in the correct tenant, use the following to switch the tenant in the Azure portal:
+ - Your billing account is associated with a Microsoft Entra tenant. If you're signed in to an incorrect tenant, you won't see the invoice for subscriptions in your billing account. Verify that you're signed in to the correct Microsoft Entra tenant. If you aren't signed in the correct tenant, use the following to switch the tenant in the Azure portal:
1. Select your email from the top right of the page.
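Review bot: the `+` line carries over "If you aren't signed in the correct tenant"; it should be "signed in to the correct tenant", as the parallel passage in the mosp-new-customer-experience article already has it.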
If you have an MCA, see:
- [Understand the charges on the invoice for your billing profile](review-customer-agreement-bill.md) - [Understand terms on the invoice for your billing profile](mca-understand-your-invoice.md)-- [Understand the Azure usage and charges file for your billing profile](mca-understand-your-usage.md)
+- [Understand the Azure usage and charges file for your billing profile](mca-understand-your-usage.md)
cost-management-billing Mosp New Customer Experience https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/cost-management-billing/understand/mosp-new-customer-experience.md
After your Azure billing account is updated, you'll get an email from Microsoft
Some customers have two identities with the same email address - a work account and a Microsoft account. Typically, only one of their identities has permissions to perform billing administration. If they sign in with the identity that doesn't have permission, they would not be able to accept the terms. Verify that you're using the correct identity to sign in. -- You have signed in to the incorrect Azure Active Directory (Azure AD) tenant.
+- You have signed in to the incorrect Microsoft Entra tenant.
- Your billing account is associated with an Azure AD tenant. If you're signed in to an incorrect tenant, you won't be able to accept the terms. Verify that you're signed in to the correct Azure AD tenant. If you aren't signed in to the correct tenant, use the following to switch the tenant in the Azure portal:
+ Your billing account is associated with a Microsoft Entra tenant. If you're signed in to an incorrect tenant, you won't be able to accept the terms. Verify that you're signed in to the correct Microsoft Entra tenant. If you aren't signed in to the correct tenant, use the following to switch the tenant in the Azure portal:
1. Select your email from the top right of the page.
See the following articles to learn more about your billing account.
- [Understand administrative roles for your new billing account](../manage/understand-mca-roles.md) - [Create an additional Azure subscription for your new billing account](../manage/create-subscription.md)-- [Create sections on your invoice to organize your costs](../manage/mca-section-invoice.md)
+- [Create sections on your invoice to organize your costs](../manage/mca-section-invoice.md)
data-catalog Data Catalog Developer Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-catalog/data-catalog-developer-concepts.md
There are several different roles a user can have. For information on roles, see
Individual users and security groups can be added.
-Azure Data Catalog uses Azure Active Directory for identity and access management. Each Catalog user must be a member of the Active Directory for the account.
+Azure Data Catalog uses Microsoft Entra ID for identity and access management. Each Catalog user must be a member of the Active Directory for the account.
### Assets
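Review bot: the `+` line renames the first sentence to "Microsoft Entra ID" but leaves the second as "Each Catalog user must be a member of the Active Directory for the account", which now reads as on-premises Active Directory rather than the directory just named. Write "must be a member of the Microsoft Entra tenant associated with the account" so both sentences refer to the same directory.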
Common types can be used as the types for properties, but aren't Items.
||address|Dictionary\<string,object\>|Required. Address is a set of data specific to the protocol that is used to identify the data source being referenced. The address data scoped to a particular protocol, meaning it's meaningless without knowing the protocol.| ||authentication|string|Optional. The authentication scheme used to communicate with the data source. For example: windows, oauth, etc.| ||connectionProperties|Dictionary\<string,object\>|Optional. Additional information on how to connect to a data source.|
-|DataSourceLocation|||The backend doesn't perform any validation of provided properties against Azure Active Directory during publishing.|
+|DataSourceLocation|||The backend doesn't perform any validation of provided properties against Microsoft Entra ID during publishing.|
||upn|string|Required. Unique email address of user. Must be specified if objectId isn't provided or in the context of "lastRegisteredBy" property, otherwise optional.|
-||objectId|Guid|Optional. User or security group Azure Active Directory identity. Optional. Must be specified if upn isn't provided, otherwise optional.|
+||objectId|Guid|Optional. User or security group Microsoft Entra identity. Optional. Must be specified if upn isn't provided, otherwise optional.|
||firstName|string|First name of user (for display purposes). Optional. Only valid in the context of "lastRegisteredBy" property. CanΓÇÖt be specified when providing security principal for "roles", "permissions" and "experts".| ||lastName|string|Last name of user (for display purposes). Optional. Only valid in the context of "lastRegisteredBy" property. CanΓÇÖt be specified when providing security principal for "roles", "permissions" and "experts".| |Column|name|string|Name of the column or attribute.|
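Review bot: the renamed sentence "The backend doesn't perform any validation of provided properties against Microsoft Entra ID during publishing" states the caveat without its consequence; read together with the `upn` and `objectId` rows, it means a mistyped or non-existent principal supplied in "roles", "permissions" or "experts" is accepted and stored as-is. Suggest adding that callers should resolve the principal against the directory before publishing. Also, the `objectId` row says "Optional" twice and then "Must be specified if upn isn't provided"; tidy it to a single statement that exactly one of `upn` or `objectId` is required.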
data-catalog Data Catalog Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-catalog/data-catalog-get-started.md
If you donΓÇÖt have an Azure subscription, create a [free account](https://azure
To get started, you need to have: * A [Microsoft Azure](https://azure.microsoft.com/) subscription.
-* You need to have your own [Azure Active Directory tenant](../active-directory/fundamentals/active-directory-access-create-new-tenant.md).
+* You need to have your own [Microsoft Entra tenant](../active-directory/fundamentals/active-directory-access-create-new-tenant.md).
To set up Data Catalog, you must be the owner or co-owner of an Azure subscription. ## Create a data catalog
-You can create only one data catalog per organization (Azure Active Directory domain). Therefore, if the owner or co-owner of an Azure subscription who belongs to this Azure Active Directory domain has already created a catalog, then you can't create a catalog again even if you have multiple Azure subscriptions. To test whether a data catalog has been created by a user in your Azure Active Directory domain, go to the [Azure Data Catalog home page](http://azuredatacatalog.com) and verify whether you see the catalog. If a catalog has already been created for you, skip the following procedure and go to the next section.
+You can create only one data catalog per organization (Microsoft Entra domain). Therefore, if the owner or co-owner of an Azure subscription who belongs to this Microsoft Entra domain has already created a catalog, then you can't create a catalog again even if you have multiple Azure subscriptions. To test whether a data catalog has been created by a user in your Microsoft Entra domain, go to the [Azure Data Catalog home page](http://azuredatacatalog.com) and verify whether you see the catalog. If a catalog has already been created for you, skip the following procedure and go to the next section.
1. Go to the [Azure portal](https://portal.azure.com) > **Create a resource** and select **Data Catalog**.
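Review bot: the `+` line still links the Data Catalog home page as `http://azuredatacatalog.com` over plain HTTP, while the portal link on the next line uses `https://`. Since the line is being rewritten anyway, change the scheme to `https://` so readers are not sent to the sign-in flow over an unencrypted first hop.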
data-catalog Data Catalog How To Register https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-catalog/data-catalog-how-to-register.md
Registration is the process of extracting metadata from the data source and copy
To register a data source, follow these steps: 1. In the Azure Data Catalog portal, start the Data Catalog data source registration tool.
-2. Sign in with your work or school account with the same Azure Active Directory credentials that you use to sign in to the portal.
+2. Sign in with your work or school account with the same Microsoft Entra credentials that you use to sign in to the portal.
3. Select the data source you want to register. For more step-by-step details, see the [Get Started with Azure Data Catalog](data-catalog-get-started.md) tutorial.
data-catalog Data Catalog How To Secure Catalog https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-catalog/data-catalog-how-to-secure-catalog.md
To give a user or a group the access to a data catalog and set permissions:
3. Select **Add**.
-4. Enter the fully qualified **user name** or name of the **security group** in the Microsoft Azure Active Directory (Azure AD) associated with the catalog. Use comma (`,ΓÇÖ) as a separator if you're adding more than one user or group.
+4. Enter the fully qualified **user name** or name of the **security group** in the Microsoft Entra ID associated with the catalog. Use comma (`,ΓÇÖ) as a separator if you're adding more than one user or group.
:::image type="content" source="media/data-catalog-how-to-secure-catalog/data-catalog-users-groups.png" alt-text="Example user name and security groups added in the space, with a comma separating the two.":::
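Review bot: the separator example in step 4 is garbled in both the old and new line: `,ΓÇÖ` is a mis-encoded right single quote left over from a smart-quote, so the rendered text reads "Use comma (`,'`)". While the line is being edited, replace it with a plain backtick-quoted comma, for example "Use a comma (`,`) as a separator if you're adding more than one user or group."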
data-catalog Data Catalog Samples https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-catalog/data-catalog-samples.md
Get started developing Azure Data Catalog apps using the Data Catalog REST API.
* [Get started with Azure Data Catalog](https://github.com/Azure-Samples/data-catalog-dotnet-get-started/)
- The get started sample shows you how to authenticate with Azure AD to Register, Search, and Delete a data asset using the Data Catalog REST API.
+ The get started sample shows you how to authenticate with Microsoft Entra ID to Register, Search, and Delete a data asset using the Data Catalog REST API.
* [Get started with Azure Data Catalog using Service Principal](https://github.com/Azure-Samples/data-catalog-dotnet-service-principal-get-started/)
data-catalog Register Data Assets Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-catalog/register-data-assets-tutorial.md
description: This tutorial describes how to register data assets in your Azure D
Last updated 12/08/2022
-# Customer intent: As an Azure Active Directory owner, I want to store my data in Azure Data Catalog so that I can search my data all from one centralized place.
+# Customer intent: As a Microsoft Entra owner, I want to store my data in Azure Data Catalog so that I can search my data all from one centralized place.
# Tutorial: Register data assets in Azure Data Catalog
In this tutorial, you learn how to:
## Prerequisites * A [Microsoft Azure](https://azure.microsoft.com/) subscription.
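Review bot: "As a Microsoft Entra owner" in the customer-intent line is a mechanical rename that lost its meaning; there is no "owner" of Microsoft Entra, and the original "Azure Active Directory owner" referred to the person who owns the tenant. Suggest "As a Microsoft Entra tenant administrator, I want to ...", which also matches the tenant prerequisite listed below.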
-* You need to have your own [Azure Active Directory tenant](../active-directory/fundamentals/active-directory-access-create-new-tenant.md).
+* You need to have your own [Microsoft Entra tenant](../active-directory/fundamentals/active-directory-access-create-new-tenant.md).
* An [Azure Data Catalog](data-catalog-get-started.md) To set up Data Catalog, you must be the owner or co-owner of an Azure subscription.
data-catalog Troubleshoot Policy Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-catalog/troubleshoot-policy-configuration.md
In Azure Data Catalog, the following functionality is limited:
- The Azure Data Catalog resource can't be moved between Azure Tenants.
-## Azure Active Directory policy configuration
+<a name='azure-active-directory-policy-configuration'></a>
+
+## Microsoft Entra policy configuration
You may encounter a situation where you can sign in to the Azure Data Catalog portal, but when you attempt to sign in to the data source registration tool, you encounter an error message that prevents you from signing in. This error may occur when you are on the company network or when you're connecting from outside the company network.
-The registration tool uses *forms authentication* to validate user sign-ins against Azure Active Directory. For successful sign-in, an Azure Active Directory administrator must enable forms authentication in the *global authentication policy*.
+The registration tool uses *forms authentication* to validate user sign-ins against Microsoft Entra ID. For successful sign-in, a Microsoft Entra administrator must enable forms authentication in the *global authentication policy*.
With the global authentication policy, you can enable authentication separately for intranet and extranet connections, as shown in the following image. Sign-in errors may occur if forms authentication isn't enabled for the network from which you're connecting.
- ![Azure Active Directory global authentication policy](./media/troubleshoot-policy-configuration/global-auth-policy.png)
+ ![Microsoft Entra global authentication policy](./media/troubleshoot-policy-configuration/global-auth-policy.png)
For more information, see [the article for configuring authentication policies](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486781(v=ws.11)).
data-factory Airflow Create Private Requirement Package https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/airflow-create-private-requirement-package.md
Last updated 09/23/2023
[!INCLUDE[appliesto-adf-xxx-md](includes/appliesto-adf-xxx-md.md)]
-Creating a private requirement package within a Managed Airflow environment involves several key steps to ensure seamless integration. By following these steps, you can effectively manage and utilize your own custom packages. If you're interested in learning how to create a custom package in Python, refer to the guide [Creating a package in python](https://airflow.apache.org/docs/apache-airflow/stable/administration-and-deployment/modules_management.html#creating-a-package-in-python).
+A python package is a way to organize related Python modules into a single directory hierarchy. A package is typically represented as a directory that contains a special file called `__init__.py`. Inside a package directory, you can have multiple Python module files (.py files) that define functions, classes, and variables.
+In the context of Managed Airflow, you can use Python packages to organize and distribute your custom Airflow Plugins and Provider packages.
-## Step 1: Create a storage container
+This guide provides step-by-step instructions on installing `.whl` (Wheel) file, which serve as a binary distribution format for Python package, as a requirement in your Managed Airflow runtime.
-Use the steps described in [Manage blob containers using the Azure portal](/azure/storage/blobs/blob-containers-portal) to create a storage account for the package.
+For illustration purpose, I create custom operator as python package that can be imported as a module inside dags file.
-## Step 2: Upload the private package into your storage account
+### Step 1: Develop a custom operator.
+- Create a file `sample_operator.py`
+```python
+from airflow.models.baseoperator import BaseOperator
-1. Navigate to the designated container where you intend to store your Airflow DAGs and Plugins.
-1. Upload your private package file to the container. Common file formats include zip, whl, or tar.gz. Place the file within either the 'Dags' or 'Plugins' folder, as appropriate.
-## Step 3: Add your private package as a requirement
+class SampleOperator(BaseOperator):
+ def __init__(self, name: str, **kwargs) -> None:
+ super().__init__(**kwargs)
+ self.name = name
+
+ def execute(self, context):
+ message = f"Hello {self.name}"
+ return message
+```
+
+- To create Python package for this file, Refer to the guide: [Creating a package in python](https://airflow.apache.org/docs/apache-airflow/stable/administration-and-deployment/modules_management.html#creating-a-package-in-python)
+
+- Create a dag file, `sample_dag.py` to test your operator.
+```python
+from airflow_operator.hello_operator import SampleCustomOperator
+from airflow import DAG
++
+with DAG(
+ "tutorial",
+ tags=["example"],
+) as dag:
+ sample_task = SampleCustomOperator(task_id="sample-task", name="foo_bar")
+```
+
+### Step 2: Create a storage container.
+
+Use the steps described in [Manage blob containers using the Azure portal](/azure/storage/blobs/blob-containers-portal) to create a storage account to upload dag and your package file.
+
+### Step 3: Upload the private package into your storage account.
+
+1. Navigate to the designated container where you intend to store your Airflow DAGs and Plugins files.
+1. Upload your private package file to the container. Common file formats include `zip`, `.whl`, or `tar.gz`. Place the file within either the 'Dags' or 'Plugins' folder, as appropriate.
+
+### Step 4: Add your private package as a requirement.
1. Add your private package as a requirement in the requirements.txt file. Add this file if it doesn't already exist. 1. Be sure to prepend the prefix "**/opt/airflow**" to the package path. For instance, if your private package resides at _/dats/test/private.wht_, your requirements.txt file should feature the requirement _/opt/airflow/dags/test/private.wht_.
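Review bot: the two code samples in this hunk don't match: `sample_operator.py` defines `SampleOperator`, but `sample_dag.py` does `from airflow_operator.hello_operator import SampleCustomOperator`, so the test DAG fails with an ImportError before the reader can "check if import is successful". Pick one module and class name for both blocks (for example `from airflow_operator.sample_operator import SampleOperator`) and state the package directory name, since that is where the `airflow_operator` import path comes from. The DAG also has no `start_date` (or `schedule`); with the default daily schedule Airflow rejects a task whose DAG has no start date, so add `start_date=datetime(...)` and `schedule=None` for a manually triggered test DAG. The method bodies inside `class SampleOperator` appear indented by a single space in this rendering; confirm the committed file keeps four-space indentation or the module will not parse. In the step 4 context line the example path `/dats/test/private.wht` has two typos (`dags`, `.whl`) and the two numbered items run together on one line. Since whatever is placed in the Dags or Plugins folder is installed into the runtime by this procedure, step 3 should also say that write access to that container should be limited to the people who own the package. Finally, "For illustration purpose, I create custom operator as python package" should read "For illustration purposes, this guide creates a custom operator as a Python package".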
-## Step 4: Import your folder to an Airflow integrated runtime (IR) environment
+### Step 5: Import your folder to an Airflow integrated runtime (IR) environment.
-When performing the import of your folder into an Airflow IR environment, ensure that you enable the import requirements checkbox.
+When performing the import of your folder into an Airflow IR environment, ensure that you check the import requirements checkbox to load your requirements inside your airflow env.
:::image type="content" source="media/airflow-create-private-requirement-package/import-requirements-checkbox.png" alt-text="Screenshot showing the import dialog for an Airflow integrated runtime environment, with the Import requirements checkbox checked."::: +
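Review bot: the rewritten sentence is wordier than the one it replaces without adding information: "When performing the import of your folder ... ensure that you check the import requirements checkbox to load your requirements inside your airflow env" can be "When you import your folder into an Airflow IR environment, select the **Import requirements** checkbox so the packages listed in requirements.txt are installed in the environment." Also spell the product as "Airflow", not "airflow", and avoid "env" in a heading-level step.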
+### Step 6: Inside Airflow UI, you can run your dag file created at step 1, to check if import is successful.
++ ## Next steps - [What is Azure Data Factory Managed Airflow?](concept-managed-airflow.md)
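Review bot: the step 6 heading is a full sentence ("Inside Airflow UI, you can run your dag file created at step 1, to check if import is successful."); keep the heading short, for example "### Step 6: Run the DAG", and move the instruction into the body as "In the Airflow UI, trigger the `tutorial` DAG you created in step 1 to verify that the package imports correctly." The `++ ## Next steps` line suggests the `## Next steps` heading ended up glued to the added blank line; confirm the committed markdown has the heading on its own line with a blank line before it.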
data-factory Airflow Sync Github Repository https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/airflow-sync-github-repository.md
The following steps describe how to sync your GitHub repository using the Rest A
|airflowRequirements | Array\<string\> | Python libraries you wish to use. Example: ["flask-bcrypy=0.7.1"]. Can be a comma delimited list. | |airflowEnvironmentVariables | Object (Key/Value pair) | Environment variables you wish to use. Example: { ΓÇ£SAMPLE_ENV_NAMEΓÇ¥: ΓÇ£testΓÇ¥ } | |gitSyncProperties | gitSyncProperty | Git configuration properties |
- |enableAADIntegration | boolean | Allows Azure AD to login to Airflow |
+ |enableAADIntegration | boolean | Allows Microsoft Entra ID to login to Airflow |
|userName | string or null | Username for Basic Authentication | |password | string or null | Password for Basic Authentication |
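Review bot: "Allows Microsoft Entra ID to login to Airflow" reads as if the identity service signs in; the property lets users sign in with it, so suggest "Enables sign-in to Airflow with Microsoft Entra ID" (and "log in"/"sign in" as the verb, not "login"). In the context row above, the `airflowRequirements` example `"flask-bcrypy=0.7.1"` is a typo for `flask-bcrypt==0.7.1` (a single `=` is not a valid pip version pin), and the `airflowEnvironmentVariables` example carries mis-encoded smart quotes (`ΓÇ£`/`ΓÇ¥`) that should be plain `"`; worth fixing while the table is being edited.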
Assuming your private package has already been auto synced via git-sync, all you
- [Run an existing pipeline with Managed Airflow](tutorial-run-existing-pipeline-with-airflow.md) - [Managed Airflow pricing](airflow-pricing.md)-- [How to change the password for Managed Airflow environments](password-change-airflow.md)
+- [How to change the password for Managed Airflow environments](password-change-airflow.md)
data-factory Ci Cd Github Troubleshoot Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/ci-cd-github-troubleshoot-guide.md
The token was obtained from the original tenant, but the service is in guest ten
#### Recommendation
-You should use the token issued from guest tenant. For example, you have to assign the same Azure Active Directory to be your guest tenant and your DevOps, so it can correctly set token behavior and use the correct tenant.
+You should use the token issued from guest tenant. For example, you have to assign the same Microsoft Entra ID to be your guest tenant and your DevOps, so it can correctly set token behavior and use the correct tenant.
### Template parameters in the parameters file aren't valid
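Review bot: "assign the same Microsoft Entra ID to be your guest tenant and your DevOps" is a find-and-replace artifact; "Microsoft Entra ID" is the name of the service, and what the sentence means is a tenant. Suggest "You should use the token issued by the guest tenant. For example, your guest tenant and your Azure DevOps organization must use the same Microsoft Entra tenant so that the token is issued for the correct tenant."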
For more help with troubleshooting, try the following resources:
* [Data Factory feature requests](/answers/topics/azure-data-factory.html) * [Azure videos](https://azure.microsoft.com/resources/videos/index/?sort=newest&services=data-factory) * [Stack overflow forum for Data Factory](https://stackoverflow.com/questions/tagged/azure-data-factory)
-* [Twitter information about Data Factory](https://twitter.com/hashtag/DataFactory)
+* [Twitter information about Data Factory](https://twitter.com/hashtag/DataFactory)
data-factory Compute Linked Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/compute-linked-services.md
The following JSON defines a Linux-based on-demand HDInsight linked service. The
#### Service principal authentication
-The On-Demand HDInsight linked service requires a service principal authentication to create HDInsight clusters on your behalf. To use service principal authentication, register an application entity in Azure Active Directory (Azure AD) and grant it the **Contributor** role of the subscription or the resource group in which the HDInsight cluster is created. For detailed steps, see [Use portal to create an Azure Active Directory application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). Make note of the following values, which you use to define the linked service:
+The On-Demand HDInsight linked service requires a service principal authentication to create HDInsight clusters on your behalf. To use service principal authentication, register an application entity in Microsoft Entra ID and grant it the **Contributor** role of the subscription or the resource group in which the HDInsight cluster is created. For detailed steps, see [Use portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). Make note of the following values, which you use to define the linked service:
- Application ID - Application key
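Review bot: "requires a service principal authentication" should drop the article ("requires service principal authentication"); the rest of the rename reads fine.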
data-factory Concept Managed Airflow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/concept-managed-airflow.md
Managed Airflow in Azure Data Factory offers a range of powerful features, inclu
- **Fast and simple deployment**ΓÇ»- You can quickly and easily set up Apache Airflow by selecting an [Apache Airflow version](concept-managed-airflow.md#supported-apache-airflow-versions) when you create a Managed Airflow. - **Cloud scale**ΓÇ»- Managed Airflow automatically scales Apache Airflow nodes when required based on range specification (min, max). -- **Azure Active Directory integration**ΓÇ»- You can enable [Azure AD RBAC](concepts-roles-permissions.md) against your Airflow environment for a single sign on experience that is secured by Azure Active Directory.
+- **Microsoft Entra integration**ΓÇ»- You can enable [Microsoft Entra RBAC](concepts-roles-permissions.md) against your Airflow environment for a single sign on experience that is secured by Microsoft Entra ID.
- **Managed Virtual Network integration**ΓÇ»(coming soon) - You can access your data source via private endpoints or on-premises using ADF Managed Virtual Network that provides extra network isolation. - **Metadata encryption**ΓÇ»- Managed Airflow automatically encrypts metadata using Azure-managed keys to ensure your environment is secure by default. It also supports double encryption with a [Customer-Managed Key (CMK)](enable-customer-managed-key.md). - **Azure Monitoring and alerting**ΓÇ»- All the logs generated by Managed Airflow is exported to Azure Monitor. It also provides metrics to track critical conditions and help you notify if the need be.
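Review bot: "single sign on experience" should be hyphenated ("single sign-on experience"), and both the old and new bullet contain the mis-encoded narrow no-break space `ΓÇ»` between the bold label and the dash; replace it with a normal space while the line is being edited. In the neighbouring context bullets, "All the logs generated by Managed Airflow is exported" should be "are exported", and "help you notify if the need be" should be "and can alert you when needed".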
data-factory Connector Azure Blob Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-azure-blob-storage.md
When you create a shared access signature URI, consider the following points:
### Service principal authentication
-For general information about Azure Storage service principal authentication, see [Authenticate access to Azure Storage using Azure Active Directory](../storage/blobs/authorize-access-azure-active-directory.md).
+For general information about Azure Storage service principal authentication, see [Authenticate access to Azure Storage using Microsoft Entra ID](../storage/blobs/authorize-access-azure-active-directory.md).
To use service principal authentication, follow these steps:
-1. Register an application with the Microsoft Identity platform. To learn how, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). Make note of these values, which you use to define the linked service:
+1. Register an application with the Microsoft identity platform. To learn how, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). Make note of these values, which you use to define the linked service:
- Application ID - Application key
These properties are supported for an Azure Blob Storage linked service:
| servicePrincipalCredentialType | The credential type to use for service principal authentication. Allowed values are **ServicePrincipalKey** and **ServicePrincipalCert**. | Yes | | servicePrincipalCredential | The service principal credential. <br/> When you use **ServicePrincipalKey** as the credential type, specify the application's key. Mark this field as **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). <br/> When you use **ServicePrincipalCert** as the credential, reference a certificate in Azure Key Vault, and ensure the certificate content type is **PKCS #12**.| Yes | | tenant | Specify the tenant information (domain name or tenant ID) under which your application resides. Retrieve it by hovering over the upper-right corner of the Azure portal. | Yes |
-| azureCloudType | For service principal authentication, specify the type of Azure cloud environment, to which your Azure Active Directory application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the data factory or Synapse pipeline's cloud environment is used. | No |
+| azureCloudType | For service principal authentication, specify the type of Azure cloud environment, to which your Microsoft Entra application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the data factory or Synapse pipeline's cloud environment is used. | No |
| connectVia | The [integration runtime](concepts-integration-runtime.md) to be used to connect to the data store. You can use the Azure integration runtime or the self-hosted integration runtime (if your data store is in a private network). If this property isn't specified, the service uses the default Azure integration runtime. | No | >[!NOTE]
These properties are supported for an Azure Blob Storage linked service:
A data factory or Synapse pipeline can be associated with a [system-assigned managed identity for Azure resources](data-factory-service-identity.md#system-assigned-managed-identity), which represents that resource for authentication to other Azure services. You can directly use this system-assigned managed identity for Blob storage authentication, which is similar to using your own service principal. It allows this designated resource to access and copy data from or to Blob storage. To learn more about managed identities for Azure resources, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md)
-For general information about Azure Storage authentication, see [Authenticate access to Azure Storage using Azure Active Directory](../storage/blobs/authorize-access-azure-active-directory.md). To use managed identities for Azure resource authentication, follow these steps:
+For general information about Azure Storage authentication, see [Authenticate access to Azure Storage using Microsoft Entra ID](../storage/blobs/authorize-access-azure-active-directory.md). To use managed identities for Azure resource authentication, follow these steps:
1. [Retrieve system-assigned managed identity information](data-factory-service-identity.md#retrieve-managed-identity) by copying the value of the system-assigned managed identity object ID generated along with your factory or Synapse workspace.
These properties are supported for an Azure Blob Storage linked service:
### User-assigned managed identity authentication A data factory can be assigned with one or multiple [user-assigned managed identities](data-factory-service-identity.md#user-assigned-managed-identity). You can use this user-assigned managed identity for Blob storage authentication, which allows to access and copy data from or to Blob storage. To learn more about managed identities for Azure resources, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md)
-For general information about Azure storage authentication, see [Authenticate access to Azure Storage using Azure Active Directory](../storage/blobs/authorize-access-azure-active-directory.md). To use user-assigned managed identity authentication, follow these steps:
+For general information about Azure storage authentication, see [Authenticate access to Azure Storage using Microsoft Entra ID](../storage/blobs/authorize-access-azure-active-directory.md). To use user-assigned managed identity authentication, follow these steps:
1. [Create one or multiple user-assigned managed identities](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md) and grant permission in Azure Blob Storage. For more information on the roles, see [Use the Azure portal to assign an Azure role for access to blob and queue data](../storage/blobs/assign-azure-role-data-access.md).
These properties are supported for an Azure Blob Storage linked service:
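Review bot: in the leading context of this hunk, "which allows to access and copy data from or to Blob storage" is missing its object; suggest "which allows it to access and copy data from or to Blob storage". The rename itself is fine; the link target `authorize-access-azure-active-directory.md` keeps its old file name, which is correct as long as the file has not been renamed.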
``` >[!IMPORTANT]
->If you use PolyBase or COPY statement to load data from Blob storage (as a source or as staging) into Azure Synapse Analytics, when you use managed identity authentication for Blob storage, make sure you also follow steps 1 to 3 in [this guidance](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage). Those steps will register your server with Azure AD and assign the Storage Blob Data Contributor role to your server. Data Factory handles the rest. If you configure Blob storage with an Azure Virtual Network endpoint, you also need to have **Allow trusted Microsoft services to access this storage account** turned on under Azure Storage account **Firewalls and Virtual networks** settings menu as required by Azure Synapse.
+>If you use PolyBase or COPY statement to load data from Blob storage (as a source or as staging) into Azure Synapse Analytics, when you use managed identity authentication for Blob storage, make sure you also follow steps 1 to 3 in [this guidance](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage). Those steps will register your server with Microsoft Entra ID and assign the Storage Blob Data Contributor role to your server. Data Factory handles the rest. If you configure Blob storage with an Azure Virtual Network endpoint, you also need to have **Allow trusted Microsoft services to access this storage account** turned on under Azure Storage account **Firewalls and Virtual networks** settings menu as required by Azure Synapse.
> [!NOTE] >
data-factory Connector Azure Cosmos Db https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-azure-cosmos-db.md
The Azure Cosmos DB for NoSQL connector supports the following authentication ty
To use service principal authentication, follow these steps.
-1. Register an application with the Microsoft Identity platform. To learn how, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). Make note of these values, which you use to define the linked service:
+1. Register an application with the Microsoft identity platform. To learn how, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). Make note of these values, which you use to define the linked service:
- Application ID - Application key
These properties are supported for the linked service:
| servicePrincipalCredentialType | The credential type to use for service principal authentication. Allowed values are **ServicePrincipalKey** and **ServicePrincipalCert**. | Yes | | servicePrincipalCredential | The service principal credential. <br/> When you use **ServicePrincipalKey** as the credential type, specify the application's key. Mark this field as **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). <br/> When you use **ServicePrincipalCert** as the credential, reference a certificate in Azure Key Vault, and ensure the certificate content type is **PKCS #12**.| Yes | | tenant | Specify the tenant information (domain name or tenant ID) under which your application resides. Retrieve it by hovering the mouse in the upper-right corner of the Azure portal. | Yes |
-| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Azure Active Directory application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the service's cloud environment is used. | No |
+| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Microsoft Entra application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the service's cloud environment is used. | No |
| connectVia | The [integration runtime](concepts-integration-runtime.md) to be used to connect to the data store. You can use the Azure integration runtime or a self-hosted integration runtime if your data store is in a private network. If not specified, the default Azure integration runtime is used. |No | **Example: using service principal key authentication**
data-factory Connector Azure Data Explorer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-azure-data-explorer.md
You can copy data from any supported source data store to Azure Data Explorer. Y
With the Azure Data Explorer connector, you can do the following:
-* Copy data by using Azure Active Directory (Azure AD) application token authentication with a **service principal**.
+* Copy data by using Microsoft Entra application token authentication with a **service principal**.
* As a source, retrieve data by using a KQL (Kusto) query. * As a sink, append data to a destination table.
The Azure Data Explorer connector supports the following authentication types. S
To use service principal authentication, follow these steps to get a service principal and to grant permissions:
-1. Register an application with the Microsoft Identity platform. To learn how, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). Make note of these values, which you use to define the linked service:
+1. Register an application with the Microsoft identity platform. To learn how, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). Make note of these values, which you use to define the linked service:
- Application ID - Application key
The following properties are supported for the Azure Data Explorer linked servic
| endpoint | Endpoint URL of the Azure Data Explorer cluster, with the format as `https://<clusterName>.<regionName>.kusto.windows.net`. | Yes | | database | Name of database. | Yes | | tenant | Specify the tenant information (domain name or tenant ID) under which your application resides. This is known as "Authority ID" in [Kusto connection string](/azure/kusto/api/connection-strings/kusto#application-authentication-properties). Retrieve it by hovering the mouse pointer in the upper-right corner of the Azure portal. | Yes |
-| servicePrincipalId | Specify the application's client ID. This is known as "AAD application client ID" in [Kusto connection string](/azure/kusto/api/connection-strings/kusto#application-authentication-properties). | Yes |
-| servicePrincipalKey | Specify the application's key. This is known as "AAD application key" in [Kusto connection string](/azure/kusto/api/connection-strings/kusto#application-authentication-properties). Mark this field as a **SecureString** to store it securely, or [reference secure data stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |
+| servicePrincipalId | Specify the application's client ID. This is known as "Microsoft Entra application client ID" in [Kusto connection string](/azure/kusto/api/connection-strings/kusto#application-authentication-properties). | Yes |
+| servicePrincipalKey | Specify the application's key. This is known as "Microsoft Entra application key" in [Kusto connection string](/azure/kusto/api/connection-strings/kusto#application-authentication-properties). Mark this field as a **SecureString** to store it securely, or [reference secure data stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |
| connectVia | The [integration runtime](concepts-integration-runtime.md) to be used to connect to the data store. You can use the Azure integration runtime or a self-hosted integration runtime if your data store is in a private network. If not specified, the default Azure integration runtime is used. |No | **Example: using service principal key authentication**
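Review bot: the quoted names "AAD application client ID" and "AAD application key" are not free text; they are the property names used by the linked Kusto connection string reference, so renaming them to "Microsoft Entra application client ID" / "Microsoft Entra application key" only helps if that reference page has been updated to the same wording. Check the target of `/azure/kusto/api/connection-strings/kusto#application-authentication-properties` and quote whatever it currently uses, or the reader can no longer match the two pages.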
data-factory Connector Azure Data Lake Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-azure-data-lake-storage.md
When you create a shared access signature URI, consider the following points:
To use service principal authentication, follow these steps.
-1. Register an application with the Microsoft Identity platform. To learn how, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). Make note of these values, which you use to define the linked service:
+1. Register an application with the Microsoft identity platform. To learn how, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). Make note of these values, which you use to define the linked service:
- Application ID - Application key
These properties are supported for the linked service:
| servicePrincipalCredential | The service principal credential. <br/> When you use **ServicePrincipalKey** as the credential type, specify the application's key. Mark this field as **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). <br/> When you use **ServicePrincipalCert** as the credential, reference a certificate in Azure Key Vault, and ensure the certificate content type is **PKCS #12**.| Yes | | servicePrincipalKey | Specify the application's key. Mark this field as **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). <br/> This property is still supported as-is for `servicePrincipalId` + `servicePrincipalKey`. As ADF adds new service principal certificate authentication, the new model for service principal authentication is `servicePrincipalId` + `servicePrincipalCredentialType` + `servicePrincipalCredential`. | No | | tenant | Specify the tenant information (domain name or tenant ID) under which your application resides. Retrieve it by hovering the mouse in the upper-right corner of the Azure portal. | Yes |
-| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Azure Active Directory application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the data factory or Synapse pipeline's cloud environment is used. | No |
+| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Microsoft Entra application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the data factory or Synapse pipeline's cloud environment is used. | No |
| connectVia | The [integration runtime](concepts-integration-runtime.md) to be used to connect to the data store. You can use the Azure integration runtime or a self-hosted integration runtime if your data store is in a private network. If not specified, the default Azure integration runtime is used. |No |

**Example: using service principal key authentication**
These properties are supported for the linked service:
>If you use Data Factory UI to author and the managed identity is not set with "Storage Blob Data Reader/Contributor" role in IAM, when doing test connection or browsing/navigating folders, choose "Test connection to file path" or "Browse from specified path", and specify a path with **Read + Execute** permission to continue.

>[!IMPORTANT]
->If you use PolyBase or COPY statement to load data from Data Lake Storage Gen2 into Azure Synapse Analytics, when you use managed identity authentication for Data Lake Storage Gen2, make sure you also follow steps 1 to 3 in [this guidance](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage). Those steps will register your server with Azure AD and assign the Storage Blob Data Contributor role to your server. Data Factory handles the rest. If you configure Blob storage with an Azure Virtual Network endpoint, you also need to have **Allow trusted Microsoft services to access this storage account** turned on under Azure Storage account **Firewalls and Virtual networks** settings menu as required by Azure Synapse.
+>If you use PolyBase or COPY statement to load data from Data Lake Storage Gen2 into Azure Synapse Analytics, when you use managed identity authentication for Data Lake Storage Gen2, make sure you also follow steps 1 to 3 in [this guidance](/azure/azure-sql/database/vnet-service-endpoint-rule-overview#impact-of-using-virtual-network-service-endpoints-with-azure-storage). Those steps will register your server with Microsoft Entra ID and assign the Storage Blob Data Contributor role to your server. Data Factory handles the rest. If you configure Blob storage with an Azure Virtual Network endpoint, you also need to have **Allow trusted Microsoft services to access this storage account** turned on under Azure Storage account **Firewalls and Virtual networks** settings menu as required by Azure Synapse.
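Review bot: the rewritten IMPORTANT note still reads "PolyBase or COPY statement" and "under Azure Storage account **Firewalls and Virtual networks** settings menu"; since the line is already being edited for the Entra rename, add the missing articles ("PolyBase or the COPY statement", "under the Azure Storage account ... settings menu") so the new text does not carry the old grammar slips forward.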
## Dataset properties
data-factory Connector Azure Data Lake Store https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-azure-data-lake-store.md
The following properties are supported for the Azure Data Lake Store linked serv
To use service principal authentication, follow these steps.
-1. Register an application entity in Azure Active Directory and grant it access to Data Lake Store. For detailed steps, see [Service-to-service authentication](../data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md). Make note of the following values, which you use to define the linked service:
+1. Register an application entity in Microsoft Entra ID and grant it access to Data Lake Store. For detailed steps, see [Service-to-service authentication](../data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md). Make note of the following values, which you use to define the linked service:
- Application ID
- Application key
The following properties are supported:
| servicePrincipalId | Specify the application's client ID. | Yes |
| servicePrincipalKey | Specify the application's key. Mark this field as a `SecureString` to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |
| tenant | Specify the tenant information, such as domain name or tenant ID, under which your application resides. You can retrieve it by hovering the mouse in the upper-right corner of the Azure portal. | Yes |
-| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Azure Active Directory application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the service's cloud environment is used. | No |
+| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Microsoft Entra application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the service's cloud environment is used. | No |
**Example:**
data-factory Connector Azure Sql Data Warehouse https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-azure-sql-data-warehouse.md
This Azure Synapse Analytics connector is supported for the following capabiliti
For Copy activity, this Azure Synapse Analytics connector supports these functions: -- Copy data by using SQL authentication and Azure Active Directory (Azure AD) Application token authentication with a service principal or managed identities for Azure resources.
+- Copy data by using SQL authentication and Microsoft Entra Application token authentication with a service principal or managed identities for Azure resources.
- As a source, retrieve data by using a SQL query or stored procedure. You can also choose to parallel copy from an Azure Synapse Analytics source, see the [Parallel copy from Azure Synapse Analytics](#parallel-copy-from-azure-synapse-analytics) section for details.
- As a sink, load data by using [COPY statement](#use-copy-statement) or [PolyBase](#use-polybase-to-load-data-into-azure-synapse-analytics) or bulk insert. We recommend COPY statement or PolyBase for better copy performance. The connector also supports automatically creating destination table with DISTRIBUTION = ROUND_ROBIN if not exists based on the source schema.
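Review bot: the rewritten bullet capitalizes "Microsoft Entra Application token authentication", while the rest of these connector articles use lowercase "application" (see "Register an application" in the Data Lake Storage hunk above); suggest "Microsoft Entra application token authentication". The same capitalization appears in the matching bullets of the Azure SQL Database and SQL Managed Instance hunks below, so fix all three together. Dropping the "(Azure AD)" parenthetical also removes the only occurrence of the old name in this section; a one-time "(formerly Azure Active Directory)" on first mention would keep the page findable for readers searching the old term.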
These generic properties are supported for an Azure Synapse Analytics linked ser
| : | :-- | :-- |
| type | The type property must be set to **AzureSqlDW**. | Yes |
| connectionString | Specify the information needed to connect to the Azure Synapse Analytics instance for the **connectionString** property. <br/>Mark this field as a SecureString to store it securely. You can also put the password or service principal key in Azure Key Vault, and if it's SQL authentication pull the `password` configuration out of the connection string. See the JSON example below the table and the [Store credentials in Azure Key Vault](store-credentials-in-key-vault.md) article for more details. | Yes |
-| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Azure AD application is registered. <br/> Allowed values are `AzurePublic`, `AzureChina`, `AzureUsGovernment`, and `AzureGermany`. By default, the data factory or Synapse pipeline's cloud environment is used. | No |
+| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Microsoft Entra application is registered. <br/> Allowed values are `AzurePublic`, `AzureChina`, `AzureUsGovernment`, and `AzureGermany`. By default, the data factory or Synapse pipeline's cloud environment is used. | No |
| connectVia | The [integration runtime](concepts-integration-runtime.md) to be used to connect to the data store. You can use Azure Integration Runtime or a self-hosted integration runtime (if your data store is located in a private network). If not specified, it uses the default Azure Integration Runtime. | No |

For different authentication types, refer to the following sections on specific properties, prerequisites and JSON samples, respectively:
To use service principal authentication, in addition to the generic properties t
You also need to follow the steps below:
-1. **[Create an Azure Active Directory application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal)** from the Azure portal. Make note of the application name and the following values that define the linked service:
+1. **[Create a Microsoft Entra application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal)** from the Azure portal. Make note of the application name and the following values that define the linked service:
- Application ID
- Application key
- Tenant ID
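Review bot: the renamed link text in step 1 still points at the `#register-an-application-with-azure-ad-and-create-a-service-principal` fragment, and steps 2 and 3 below keep `#provision-azure-ad-admin-sql-database` and `#create-contained-users-mapped-to-azure-ad-identities`; if the headings in those target articles were renamed in the same Entra sweep, these fragments stop resolving. Suggest checking each anchor against the current headings of the target pages before merging, or stating in the commit that the heading slugs are intentionally unchanged.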
-2. **[Provision an Azure Active Directory administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database)** for your server in the Azure portal if you haven't already done so. The Azure AD administrator can be an Azure AD user or Azure AD group. If you grant the group with managed identity an admin role, skip steps 3 and 4. The administrator will have full access to the database.
+2. **[Provision a Microsoft Entra administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database)** for your server in the Azure portal if you haven't already done so. The Microsoft Entra administrator can be a Microsoft Entra user or Microsoft Entra group. If you grant the group with managed identity an admin role, skip steps 3 and 4. The administrator will have full access to the database.
-3. **[Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities)** for the service principal. Connect to the data warehouse from or to which you want to copy data by using tools like SSMS, with an Azure AD identity that has at least ALTER ANY USER permission. Run the following T-SQL:
+3. **[Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities)** for the service principal. Connect to the data warehouse from or to which you want to copy data by using tools like SSMS, with a Microsoft Entra identity that has at least ALTER ANY USER permission. Run the following T-SQL:
```sql
CREATE USER [your_application_name] FROM EXTERNAL PROVIDER;
```
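Review bot: step 2 of this service principal section still says "If you grant the group with managed identity an admin role, skip steps 3 and 4", which reads as copied from the managed identity sections below; the identity being granted here is the service principal (step 3 creates the contained user for it), so the sentence should refer to the service principal or be dropped from this section. Since the line is already being edited for the Entra rename, correct it in the same change.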
A data factory or Synapse workspace can be associated with a [system-assigned ma
To use system-assigned managed identity authentication, specify the generic properties that are described in the preceding section, and follow these steps.
-1. **[Provision an Azure Active Directory administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database)** for your server on the Azure portal if you haven't already done so. The Azure AD administrator can be an Azure AD user or Azure AD group. If you grant the group with system-assigned managed identity an admin role, skip steps 3 and 4. The administrator will have full access to the database.
+1. **[Provision a Microsoft Entra administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database)** for your server on the Azure portal if you haven't already done so. The Microsoft Entra administrator can be a Microsoft Entra user or Microsoft Entra group. If you grant the group with system-assigned managed identity an admin role, skip steps 3 and 4. The administrator will have full access to the database.
-2. **[Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities)** for the system-assigned managed identity. Connect to the data warehouse from or to which you want to copy data by using tools like SSMS, with an Azure AD identity that has at least ALTER ANY USER permission. Run the following T-SQL.
+2. **[Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities)** for the system-assigned managed identity. Connect to the data warehouse from or to which you want to copy data by using tools like SSMS, with a Microsoft Entra identity that has at least ALTER ANY USER permission. Run the following T-SQL.
```sql
CREATE USER [your_resource_name] FROM EXTERNAL PROVIDER;
```
To use user-assigned managed identity authentication, in addition to the generic
You also need to follow the steps below:
-1. **[Provision an Azure Active Directory administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database)** for your server on the Azure portal if you haven't already done so. The Azure AD administrator can be an Azure AD user or Azure AD group. If you grant the group with user-assigned managed identity an admin role, skip steps 3. The administrator will have full access to the database.
+1. **[Provision a Microsoft Entra administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database)** for your server on the Azure portal if you haven't already done so. The Microsoft Entra administrator can be a Microsoft Entra user or Microsoft Entra group. If you grant the group with user-assigned managed identity an admin role, skip steps 3. The administrator will have full access to the database.
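Review bot: "skip steps 3" in the rewritten step 1 is a leftover from the "skip steps 3 and 4" wording of the system-assigned section above and should read "skip step 3"; since this line is already being touched for the Entra rename, fix the grammar here rather than carrying it into the new text.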
-2. **[Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities)** for the user-assigned managed identity. Connect to the data warehouse from or to which you want to copy data by using tools like SSMS, with an Azure AD identity that has at least ALTER ANY USER permission. Run the following T-SQL.
+2. **[Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities)** for the user-assigned managed identity. Connect to the data warehouse from or to which you want to copy data by using tools like SSMS, with a Microsoft Entra identity that has at least ALTER ANY USER permission. Run the following T-SQL.
```sql
CREATE USER [your_resource_name] FROM EXTERNAL PROVIDER;
```
data-factory Connector Azure Sql Database https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-azure-sql-database.md
This Azure SQL Database connector is supported for the following capabilities:
For Copy activity, this Azure SQL Database connector supports these functions: -- Copying data by using SQL authentication and Azure Active Directory (Azure AD) Application token authentication with a service principal or managed identities for Azure resources.
+- Copying data by using SQL authentication and Microsoft Entra Application token authentication with a service principal or managed identities for Azure resources.
- As a source, retrieving data by using a SQL query or a stored procedure. You can also choose to parallel copy from an Azure SQL Database source, see the [Parallel copy from SQL database](#parallel-copy-from-sql-database) section for details.
- As a sink, automatically creating destination table if not exists based on the source schema; appending data to a table or invoking a stored procedure with custom logic during the copy.
These generic properties are supported for an Azure SQL Database linked service:
|: |: |: |
| type | The **type** property must be set to **AzureSqlDatabase**. | Yes |
| connectionString | Specify information needed to connect to the Azure SQL Database instance for the **connectionString** property. <br/>You also can put a password or service principal key in Azure Key Vault. If it's SQL authentication, pull the `password` configuration out of the connection string. For more information, see the JSON example following the table and [Store credentials in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |
-| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Azure AD application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the data factory or Synapse pipeline's cloud environment is used. | No |
+| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Microsoft Entra application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the data factory or Synapse pipeline's cloud environment is used. | No |
| alwaysEncryptedSettings | Specify **alwaysencryptedsettings** information that's needed to enable Always Encrypted to protect sensitive data stored in SQL server by using either managed identity or service principal. For more information, see the JSON example following the table and [Using Always Encrypted](#using-always-encrypted) section. If not specified, the default always encrypted setting is disabled. |No |
| connectVia | This [integration runtime](concepts-integration-runtime.md) is used to connect to the data store. You can use the Azure integration runtime or a self-hosted integration runtime if your data store is located in a private network. If not specified, the default Azure integration runtime is used. | No |
To use service principal authentication, in addition to the generic properties t
You also need to follow the steps below:
-1. [Create an Azure Active Directory application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) from the Azure portal. Make note of the application name and the following values that define the linked service:
+1. [Create a Microsoft Entra application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) from the Azure portal. Make note of the application name and the following values that define the linked service:
- Application ID
- Application key
- Tenant ID
-2. [Provision an Azure Active Directory administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database) for your server on the Azure portal if you haven't already done so. The Azure AD administrator must be an Azure AD user or Azure AD group, but it can't be a service principal. This step is done so that, in the next step, you can use an Azure AD identity to create a contained database user for the service principal.
+2. [Provision a Microsoft Entra administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database) for your server on the Azure portal if you haven't already done so. The Microsoft Entra administrator must be a Microsoft Entra user or Microsoft Entra group, but it can't be a service principal. This step is done so that, in the next step, you can use a Microsoft Entra identity to create a contained database user for the service principal.
-3. [Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities) for the service principal. Connect to the database from or to which you want to copy data by using tools like SQL Server Management Studio, with an Azure AD identity that has at least ALTER ANY USER permission. Run the following T-SQL:
+3. [Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities) for the service principal. Connect to the database from or to which you want to copy data by using tools like SQL Server Management Studio, with a Microsoft Entra identity that has at least ALTER ANY USER permission. Run the following T-SQL:
```sql
CREATE USER [your application name] FROM EXTERNAL PROVIDER;
```
A data factory or Synapse workspace can be associated with a [system-assigned ma
To use system-assigned managed identity authentication, specify the generic properties that are described in the preceding section, and follow these steps.
-1. [Provision an Azure Active Directory administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database) for your server on the Azure portal if you haven't already done so. The Azure AD administrator can be an Azure AD user or an Azure AD group. If you grant the group with managed identity an admin role, skip steps 3 and 4. The administrator has full access to the database.
+1. [Provision a Microsoft Entra administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database) for your server on the Azure portal if you haven't already done so. The Microsoft Entra administrator can be a Microsoft Entra user or a Microsoft Entra group. If you grant the group with managed identity an admin role, skip steps 3 and 4. The administrator has full access to the database.
-2. [Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities) for the managed identity. Connect to the database from or to which you want to copy data by using tools like SQL Server Management Studio, with an Azure AD identity that has at least ALTER ANY USER permission. Run the following T-SQL:
+2. [Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities) for the managed identity. Connect to the database from or to which you want to copy data by using tools like SQL Server Management Studio, with a Microsoft Entra identity that has at least ALTER ANY USER permission. Run the following T-SQL:
```sql
CREATE USER [your_resource_name] FROM EXTERNAL PROVIDER;
```
To use user-assigned managed identity authentication, in addition to the generic
You also need to follow the steps below:
-1. [Provision an Azure Active Directory administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database) for your server on the Azure portal if you haven't already done so. The Azure AD administrator can be an Azure AD user or an Azure AD group. If you grant the group with user-assigned managed identity an admin role, skip steps 3. The administrator has full access to the database.
+1. [Provision a Microsoft Entra administrator](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-database) for your server on the Azure portal if you haven't already done so. The Microsoft Entra administrator can be a Microsoft Entra user or a Microsoft Entra group. If you grant the group with user-assigned managed identity an admin role, skip steps 3. The administrator has full access to the database.
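Review bot: "skip steps 3" in the rewritten step 1 should be "skip step 3" (the system-assigned section above says "skip steps 3 and 4", which is where the plural came from); fix it in this line while it is being edited for the Entra rename.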
-2. [Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities) for the user-assigned managed identity. Connect to the database from or to which you want to copy data by using tools like SQL Server Management Studio, with an Azure AD identity that has at least ALTER ANY USER permission. Run the following T-SQL:
+2. [Create contained database users](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities) for the user-assigned managed identity. Connect to the database from or to which you want to copy data by using tools like SQL Server Management Studio, with a Microsoft Entra identity that has at least ALTER ANY USER permission. Run the following T-SQL:
```sql
CREATE USER [your_resource_name] FROM EXTERNAL PROVIDER;
```
data-factory Connector Azure Sql Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-azure-sql-managed-instance.md
This Azure SQL Managed Instance connector is supported for the following capabil
For Copy activity, this Azure SQL Database connector supports these functions: -- Copying data by using SQL authentication and Azure Active Directory (Azure AD) Application token authentication with a service principal or managed identities for Azure resources.
+- Copying data by using SQL authentication and Microsoft Entra Application token authentication with a service principal or managed identities for Azure resources.
- As a source, retrieving data by using a SQL query or a stored procedure. You can also choose to parallel copy from SQL MI source, see the [Parallel copy from SQL MI](#parallel-copy-from-sql-mi) section for details.
- As a sink, automatically creating destination table if not exists based on the source schema; appending data to a table or invoking a stored procedure with custom logic during copy.
These generic properties are supported for an SQL Managed Instance linked servic
|: |: |: |
| type | The type property must be set to **AzureSqlMI**. | Yes |
| connectionString |This property specifies the **connectionString** information that's needed to connect to SQL Managed Instance by using SQL authentication. For more information, see the following examples. <br/>The default port is 1433. If you're using SQL Managed Instance with a public endpoint, explicitly specify port 3342.<br> You also can put a password in Azure Key Vault. If it's SQL authentication, pull the `password` configuration out of the connection string. For more information, see the JSON example following the table and [Store credentials in Azure Key Vault](store-credentials-in-key-vault.md). |Yes |
-| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Azure AD application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the service's cloud environment is used. | No |
+| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Microsoft Entra application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the service's cloud environment is used. | No |
| alwaysEncryptedSettings | Specify **alwaysencryptedsettings** information that's needed to enable Always Encrypted to protect sensitive data stored in SQL server by using either managed identity or service principal. For more information, see the JSON example following the table and [Using Always Encrypted](#using-always-encrypted) section. If not specified, the default always encrypted setting is disabled. |No |
| connectVia | This [integration runtime](concepts-integration-runtime.md) is used to connect to the data store. You can use a self-hosted integration runtime or an Azure integration runtime if your managed instance has a public endpoint and allows the service to access it. If not specified, the default Azure integration runtime is used. |Yes |
To use service principal authentication, in addition to the generic properties t
You also need to follow the steps below:
-1. Follow the steps to [Provision an Azure Active Directory administrator for your Managed Instance](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).
+1. Follow the steps to [Provision a Microsoft Entra administrator for your Managed Instance](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).
-2. [Create an Azure Active Directory application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) from the Azure portal. Make note of the application name and the following values that define the linked service:
+2. [Create a Microsoft Entra application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) from the Azure portal. Make note of the application name and the following values that define the linked service:
- Application ID
- Application key
A data factory or Synapse workspace can be associated with a [system-assigned ma
To use system-assigned managed identity authentication, specify the generic properties that are described in the preceding section, and follow these steps.
-1. Follow the steps to [Provision an Azure Active Directory administrator for your Managed Instance](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).
+1. Follow the steps to [Provision a Microsoft Entra administrator for your Managed Instance](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).
2. [Create logins](/sql/t-sql/statements/create-login-transact-sql) for the system-assigned managed identity. In SQL Server Management Studio (SSMS), connect to your managed instance using a SQL Server account that is a **sysadmin**. In **master** database, run the following T-SQL:
To use user-assigned managed identity authentication, in addition to the generic
You also need to follow the steps below:
-1. Follow the steps to [Provision an Azure Active Directory administrator for your Managed Instance](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).
+1. Follow the steps to [Provision a Microsoft Entra administrator for your Managed Instance](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).
2. [Create logins](/sql/t-sql/statements/create-login-transact-sql) for the user-assigned managed identity. In SQL Server Management Studio (SSMS), connect to your managed instance using a SQL Server account that is a **sysadmin**. In **master** database, run the following T-SQL:
data-factory Connector Dynamics Crm Office 365 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-dynamics-crm-office-365.md
Refer to the following table of supported authentication types and configuration
| Dynamics versions | Authentication types | Linked service samples |
|: |: |: |
-| Dataverse <br/><br/> Dynamics 365 online <br/><br/> Dynamics CRM online | Azure Active Directory (Azure AD) service principal <br/><br/> Office 365 <br/><br/> User-assigned managed identity| [Dynamics online and Azure AD service-principal or Office 365 authentication](#dynamics-365-and-dynamics-crm-online) |
+| Dataverse <br/><br/> Dynamics 365 online <br/><br/> Dynamics CRM online | Microsoft Entra service principal <br/><br/> Office 365 <br/><br/> User-assigned managed identity| [Dynamics online and Microsoft Entra service principal or Office 365 authentication](#dynamics-365-and-dynamics-crm-online) |
| Dynamics 365 on-premises with internet-facing deployment (IFD) <br/><br/> Dynamics CRM 2016 on-premises with IFD <br/><br/> Dynamics CRM 2015 on-premises with IFD | IFD | [Dynamics on-premises with IFD and IFD authentication](#dynamics-365-and-dynamics-crm-on-premises-with-ifd) |

>[!NOTE]
>With the [deprecation of regional Discovery Service](/power-platform/important-changes-coming#regional-discovery-service-is-deprecated), the service has upgraded to leverage [global Discovery Service](/powerapps/developer/data-platform/webapi/discover-url-organization-web-api#global-discovery-service) while using Office 365 Authentication.

> [!IMPORTANT]
->If your tenant and user is configured in Azure Active Directory for [conditional access](../active-directory/conditional-access/overview.md) and/or Multi-Factor Authentication is required, you will not be able to use Office 365 Authentication type. For those situations, you must use an Azure Active Directory (Azure AD) service principal authentication.
+>If your tenant and user is configured in Microsoft Entra ID for [conditional access](../active-directory/conditional-access/overview.md) and/or Multi-Factor Authentication is required, you will not be able to use Office 365 Authentication type. For those situations, you must use a Microsoft Entra service principal authentication.
For Dynamics 365 specifically, the following application types are supported: - Dynamics 365 for Sales
This connector doesn't support other application types like Finance, Operations,
This Dynamics connector is built on top of [Dynamics XRM tooling](/dynamics365/customer-engagement/developer/build-windows-client-applications-xrm-tools). ## Prerequisites
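Review bot: the rewritten IMPORTANT note at the end of the hunk still has two grammar issues: "If your tenant and user is configured" should be "are configured", and "you must use a Microsoft Entra service principal authentication" should drop the article ("must use Microsoft Entra service principal authentication"). While touching it, one sentence on why would help readers: the Office 365 authentication type submits a username and password directly, so it has no way to complete an MFA or Conditional Access challenge, which is exactly why the certificate- or key-based service principal path is the supported alternative.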
-To use this connector with Azure AD service-principal authentication, you must set up server-to-server (S2S) authentication in Dataverse or Dynamics. First register the application user (Service Principal) in Azure Active Directory. You can find out how to do this [here](../active-directory/develop/howto-create-service-principal-portal.md). During application registration you will need to create that user in Dataverse or Dynamics and grant permissions. Those permissions can either be granted directly or indirectly by adding the application user to a team which has been granted permissions in Dataverse or Dynamics. You can find more information on how to set up an application user to authenticate with Dataverse [here](/powerapps/developer/data-platform/use-single-tenant-server-server-authentication).
+To use this connector with Microsoft Entra service principal authentication, you must set up server-to-server (S2S) authentication in Dataverse or Dynamics. First register the application user (Service Principal) in Microsoft Entra ID. You can find out how to do this [here](../active-directory/develop/howto-create-service-principal-portal.md). During application registration you will need to create that user in Dataverse or Dynamics and grant permissions. Those permissions can either be granted directly or indirectly by adding the application user to a team which has been granted permissions in Dataverse or Dynamics. You can find more information on how to set up an application user to authenticate with Dataverse [here](/powerapps/developer/data-platform/use-single-tenant-server-server-authentication).
## Get started
The following properties are supported for the Dynamics linked service.
| deploymentType | The deployment type of the Dynamics instance. The value must be "Online" for Dynamics online. | Yes | | serviceUri | The service URL of your Dynamics instance, the same one you access from browser. An example is "https://\<organization-name>.crm[x].dynamics.com". | Yes | | authenticationType | The authentication type to connect to a Dynamics server. Valid values are "AADServicePrincipal", "Office365" and "ManagedIdentity". | Yes |
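Review bot: in the Prerequisites paragraph of this hunk, "application user (Service Principal)" keeps the capitalized "Service Principal" while the rest of the change standardizes on lowercase "service principal"; make it consistent. The two bare "here" links would also read better with descriptive link text ("see Register an application with Microsoft Entra ID" and "see Use single-tenant server-to-server authentication"), and it is worth stating that the team-based permission grant is the preferred way to keep the application user's Dataverse privileges minimal and auditable.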
-| servicePrincipalId | The client ID of the Azure AD application. | Yes when authentication is "AADServicePrincipal" |
+| servicePrincipalId | The client ID of the Microsoft Entra application. | Yes when authentication is "AADServicePrincipal" |
| servicePrincipalCredentialType | The credential type to use for service-principal authentication. Valid values are "ServicePrincipalKey" and "ServicePrincipalCert". | Yes when authentication is "AADServicePrincipal" | | servicePrincipalCredential | The service-principal credential. <br/><br/>When you use "ServicePrincipalKey" as the credential type, `servicePrincipalCredential` can be a string that the service encrypts upon linked service deployment. Or it can be a reference to a secret in Azure Key Vault. <br/><br/>When you use "ServicePrincipalCert" as the credential, `servicePrincipalCredential` must be a reference to a certificate in Azure Key Vault, and ensure the certificate content type is **PKCS #12**.| Yes when authentication is "AADServicePrincipal" | | username | The username to connect to Dynamics. | Yes when authentication is "Office365" |
The following properties are supported for the Dynamics linked service.
>[!NOTE] >The Dynamics connector formerly used the optional **organizationName** property to identify your Dynamics CRM or Dynamics 365 online instance. While that property still works, we suggest you specify the new **serviceUri** property instead to gain better performance for instance discovery.
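Review bot: the `servicePrincipalId` description is renamed but the `authenticationType` value `AADServicePrincipal` in the row above is a JSON property value and correctly stays as-is; add a short sentence (or a note) saying the value name is retained for compatibility so readers do not "correct" it to an Entra-branded string in their linked service definitions and break deployment.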
-#### Example: Dynamics online using Azure AD service-principal and key authentication
+<a name='example-dynamics-online-using-azure-ad-service-principal-and-key-authentication'></a>
+
+#### Example: Dynamics online using Microsoft Entra service principal and key authentication
```json {
The following properties are supported for the Dynamics linked service.
} ```
-#### Example: Dynamics online using Azure AD service-principal and certificate authentication
+<a name='example-dynamics-online-using-azure-ad-service-principal-and-certificate-authentication'></a>
+
+#### Example: Dynamics online using Microsoft Entra service principal and certificate authentication
```json {
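Review bot: keeping the old fragment ids via `<a name='example-dynamics-online-using-azure-ad-service-principal-and-key-authentication'></a>` and the certificate counterpart is the right call, since the troubleshooting article changed in this same commit still links to `#example-dynamics-online-using-azure-ad-service-principal-and-certificate-authentication`; please leave these anchors in place permanently rather than as a transitional measure, because external bookmarks and support articles also target them. Confirm the JSON samples under both headings still use `"authenticationType": "AADServicePrincipal"` unchanged.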
data-factory Connector Odata https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-odata.md
For a list of data stores that are supported as sources/sinks, see [Supported da
Specifically, this OData connector supports: - OData version 3.0 and 4.0.-- Copying data by using one of the following authentications: **Anonymous**, **Basic**, **Windows**, and **Azure Active Directory service principal**.
+- Copying data by using one of the following authentications: **Anonymous**, **Basic**, **Windows**, and **Microsoft Entra service principal**.
## Prerequisites
The following properties are supported for an OData linked service:
| authHeaders | Additional HTTP request headers for authentication.<br/> For example, to use API key authentication, you can select authentication type as ΓÇ£AnonymousΓÇ¥ and specify API key in the header. | No | | userName | Specify **userName** if you use Basic or Windows authentication. | No | | password | Specify **password** for the user account you specified for **userName**. Mark this field as a **SecureString** type to store it securely. You also can [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | No |
-| servicePrincipalId | Specify the Azure Active Directory application's client ID. | No |
+| servicePrincipalId | Specify the Microsoft Entra application's client ID. | No |
| aadServicePrincipalCredentialType | Specify the credential type to use for service principal authentication. Allowed values are: `ServicePrincipalKey` or `ServicePrincipalCert`. | No |
-| servicePrincipalKey | Specify the Azure Active Directory application's key. Mark this field as a **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | No |
-| servicePrincipalEmbeddedCert | Specify the base64 encoded certificate of your application registered in Azure Active Directory, and ensure the certificate content type is **PKCS #12**. Mark this field as a **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | No |
+| servicePrincipalKey | Specify the Microsoft Entra application's key. Mark this field as a **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | No |
+| servicePrincipalEmbeddedCert | Specify the base64 encoded certificate of your application registered in Microsoft Entra ID, and ensure the certificate content type is **PKCS #12**. Mark this field as a **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | No |
| servicePrincipalEmbeddedCertPassword | Specify the password of your certificate if your certificate is secured with a password. Mark this field as a **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | No| | tenant | Specify the tenant information (domain name or tenant ID) under which your application resides. Retrieve it by hovering the mouse in the top-right corner of the Azure portal. | No |
-| aadResourceId | Specify the Azure AD resource you are requesting for authorization.| No |
-| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Azure Active Directory application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the service's cloud environment is used. | No |
+| aadResourceId | Specify the Microsoft Entra resource you are requesting for authorization.| No |
+| azureCloudType | For service principal authentication, specify the type of Azure cloud environment to which your Microsoft Entra application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the service's cloud environment is used. | No |
| connectVia | The [Integration Runtime](concepts-integration-runtime.md) to use to connect to the data store. Learn more from [Prerequisites](#prerequisites) section. If not specified, the default Azure Integration Runtime is used. |No | **Example 1: Using Anonymous authentication**
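Review bot: the `authHeaders` row in this table (visible as `ΓÇ£AnonymousΓÇ¥` in the rendered diff) appears to contain curly quotes in the source; replace them with straight quotes, `"Anonymous"`, while the table is being edited. In the renamed `servicePrincipalEmbeddedCert` row, the base64 PKCS #12 blob carries the private key, so the description should steer readers to the Key Vault reference as the preferred option rather than listing it as an equal alternative to an inline SecureString.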
Project Online requires user-based OAuth, which is not supported by Azure Data F
- **Callback URL**: Enter `https://www.localhost.com/`.  - **Auth URL**: Enter `https://login.microsoftonline.com/common/oauth2/authorize?resource=https://<your tenant name>.sharepoint.com`. Replace `<your tenant name>` with your own tenant name. - **Access Token URL**: Enter `https://login.microsoftonline.com/common/oauth2/token`.
- - **Client ID**: Enter your Azure Active Directory service principal ID.
+ - **Client ID**: Enter your Microsoft Entra service principal ID.
- **Client Secret**: Enter your service principal secret. - **Client Authentication**: Select **Send as Basic Auth header**.
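Review bot: "Enter your Microsoft Entra service principal ID" is ambiguous: the OAuth `client_id` sent to the token endpoint is the application (client) ID from the app registration, not the object ID of the service principal. Suggest "Enter the application (client) ID of your Microsoft Entra app registration" so readers do not paste the wrong GUID.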
data-factory Connector Office 365 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-office-365.md
ADF Microsoft 365 (Office 365) connector and Microsoft Graph Data Connect enable
For now, within a single copy activity and data flow, you can only **ingest data from Microsoft 365 (Office 365) into [Azure Blob Storage](connector-azure-blob-storage.md), [Azure Data Lake Storage Gen1](connector-azure-data-lake-store.md), and [Azure Data Lake Storage Gen2](connector-azure-data-lake-storage.md) in JSON format** (type setOfObjects). When copying to Azure Blob Storage, the output is a blob containing JSON text. If you want to load Microsoft 365 (Office 365) into other types of data stores or in other formats, you can chain the first copy activity or data flow with a subsequent activity to further load data into any of the [supported ADF destination stores](copy-activity-overview.md#supported-data-stores-and-formats) (refer to "supported as a sink" column in the "Supported data stores and formats" table). >[!IMPORTANT]
->- The Azure subscription containing the data factory or Synapse workspace and the sink data store must be under the same Azure Active Directory (Azure AD) tenant as Microsoft 365 (Office 365) tenant.
+>- The Azure subscription containing the data factory or Synapse workspace and the sink data store must be under the same Microsoft Entra tenant as Microsoft 365 (Office 365) tenant.
>- Ensure the Azure Integration Runtime region used for copy activity as well as the destination is in the same region where the Microsoft 365 (Office 365) tenant users' mailbox is located. Refer [here](concepts-integration-runtime.md#integration-runtime-location) to understand how the Azure IR location is determined. Refer to [table here](/graph/data-connect-datasets#regions) for the list of supported Office regions and corresponding Azure regions. >- Service Principal authentication is the only authentication mechanism supported for Azure Blob Storage, Azure Data Lake Storage Gen1, and Azure Data Lake Storage Gen2 as destination stores.
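Review bot: the renamed bullet is missing an article: "must be under the same Microsoft Entra tenant as the Microsoft 365 (Office 365) tenant".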
For now, within a single copy activity and data flow, you can only **ingest data
To copy and transform data from Microsoft 365 (Office 365) into Azure, you need to complete the following prerequisite steps: - Your Microsoft 365 (Office 365) tenant admin must complete on-boarding actions as described [here](/events/build-may-2021/microsoft-365-teams/breakouts/od483/).-- Create and configure an Azure AD web application in Azure Active Directory. For instructions, see [Create an Azure AD application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal).
+- Create and configure a Microsoft Entra web application in Microsoft Entra ID. For instructions, see [Create a Microsoft Entra application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal).
- Make note of the following values, which you will use to define the linked service for Microsoft 365 (Office 365): - Tenant ID. For instructions, see [Get tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application). - Application ID and Application key. For instructions, see [Get application ID and authentication key](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).-- Add the user identity who will be making the data access request as the owner of the Azure AD web application (from the Azure AD web application > Settings > Owners > Add owner).
+- Add the user identity who will be making the data access request as the owner of the Microsoft Entra web application (from the Microsoft Entra web application > Settings > Owners > Add owner).
- The user identity must be in the Microsoft 365 (Office 365) organization you are getting data from and must not be a Guest user. ## Approving new data access requests
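Review bot: the owner step in this hunk should carry a least-privilege caveat: an owner of an app registration can add client secrets and certificates to it, so only the identity that will submit the data access request should be added, and the owners list should be reviewed periodically. Also, "Create and configure a Microsoft Entra web application in Microsoft Entra ID" is redundant; "Register and configure a web application in Microsoft Entra ID" reads better.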
The following properties are supported for Microsoft 365 (Office 365) linked ser
|: |: |: | | type | The type property must be set to: **Office365** | Yes | | office365TenantId | Azure tenant ID to which the Microsoft 365 (Office 365) account belongs. | Yes |
-| servicePrincipalTenantId | Specify the tenant information under which your Azure AD web application resides. | Yes |
+| servicePrincipalTenantId | Specify the tenant information under which your Microsoft Entra web application resides. | Yes |
| servicePrincipalId | Specify the application's client ID. | Yes | | servicePrincipalKey | Specify the application's key. Mark this field as a SecureString to store it securely. | Yes | | connectVia | The Integration Runtime to be used to connect to the data store. If not specified, it uses the default Azure Integration Runtime. | No | >[!NOTE] > The difference between **office365TenantId** and **servicePrincipalTenantId** and the corresponding value to provide:
->- If you are an enterprise developer developing an application against Microsoft 365 (Office 365) data for your own organization's usage, then you should supply the same tenant ID for both properties, which is your organization's AAD tenant ID.
->- If you are an ISV developer developing an application for your customers, then office365TenantId will be your customer's (application installer) AAD tenant ID and servicePrincipalTenantId will be your company's AAD tenant ID.
+>- If you are an enterprise developer developing an application against Microsoft 365 (Office 365) data for your own organization's usage, then you should supply the same tenant ID for both properties, which is your organization's Microsoft Entra tenant ID.
+>- If you are an ISV developer developing an application for your customers, then office365TenantId will be your customer's (application installer) Microsoft Entra tenant ID and servicePrincipalTenantId will be your company's Microsoft Entra tenant ID.
**Example:**
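Review bot: the renamed `servicePrincipalTenantId` row says "Specify the tenant information" while the `office365TenantId` row above says "Azure tenant ID"; since the NOTE below this table compares the two properties, use the same wording ("tenant ID") in both rows so the comparison is unambiguous.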
data-factory Connector Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-rest.md
Set the **authenticationType** property to **AadServicePrincipal**. In addition
| Property | Description | Required | |: |: |: |
-| servicePrincipalId | Specify the Azure Active Directory application's client ID. | Yes |
-| servicePrincipalKey | Specify the Azure Active Directory application's key. Mark this field as a **SecureString** to store it securely in Data Factory, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |
+| servicePrincipalId | Specify the Microsoft Entra application's client ID. | Yes |
+| servicePrincipalKey | Specify the Microsoft Entra application's key. Mark this field as a **SecureString** to store it securely in Data Factory, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |
| tenant | Specify the tenant information (domain name or tenant ID) under which your application resides. Retrieve it by hovering the mouse in the top-right corner of the Azure portal. | Yes |
-| aadResourceId | Specify the Microsoft Azure Active Directory (Azure AD) resource you are requesting for authorization, for example, `https://management.core.windows.net`.| Yes |
-| azureCloudType | For Service Principal authentication, specify the type of Azure cloud environment to which your Azure AD application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the data factory's cloud environment is used. | No |
+| aadResourceId | Specify the Microsoft Entra resource you are requesting for authorization, for example, `https://management.core.windows.net`.| Yes |
+| azureCloudType | For Service Principal authentication, specify the type of Azure cloud environment to which your Microsoft Entra application is registered. <br/> Allowed values are **AzurePublic**, **AzureChina**, **AzureUsGovernment**, and **AzureGermany**. By default, the data factory's cloud environment is used. | No |
**Example**
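Review bot: the `aadResourceId` row is renamed in prose but the JSON key itself still contains "aad"; add a sentence noting the property name is unchanged. The example value `https://management.core.windows.net` should also be described as the audience of the API being called, since readers calling a different REST API must supply that API's resource identifier rather than the ARM one.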
Set the **authenticationType** property to **ManagedServiceIdentity**. In additi
| Property | Description | Required | |: |: |: |
-| aadResourceId | Specify the Microsoft Azure Active Directory resource you are requesting for authorization, for example, `https://management.core.windows.net`.| Yes |
+| aadResourceId | Specify the Microsoft Entra resource you are requesting for authorization, for example, `https://management.core.windows.net`.| Yes |
**Example**
Set the **authenticationType** property to **ManagedServiceIdentity**. In additi
| Property | Description | Required | |: |: |: |
-| aadResourceId | Specify the Azure AD resource you are requesting for authorization, for example, `https://management.core.windows.net`.| Yes |
+| aadResourceId | Specify the Microsoft Entra resource you are requesting for authorization, for example, `https://management.core.windows.net`.| Yes |
| credentials | Specify the user-assigned managed identity as the credential object. | Yes |
data-factory Connector Sharepoint Online List https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-sharepoint-online-list.md
Specifically, this SharePoint List Online connector uses service principal authe
The SharePoint List Online connector uses service principal authentication to connect to SharePoint. Follow these steps to set it up:
-1. Register an application with the Microsoft Identity platform. To learn how, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). Make note of these values, which you use to define the linked service:
+1. Register an application with the Microsoft identity platform. To learn how, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md). Make note of these values, which you use to define the linked service:
- Application ID - Application key
The SharePoint List Online connector uses service principal authentication to co
:::image type="content" source="media/connector-sharepoint-online-list/sharepoint-online-grant-permission-admin.png" alt-text="Grant SharePoint Online site permission to your registered application when you have site admin role."::: > [!NOTE]
- > In the context of configuring the SharePoint connector, the "App Domain" and "Redirect URL" refer to the SharePoint app that you have registered in Azure Active Directory (AAD) to allow access to your SharePoint data. The "App Domain" is the domain where your SharePoint site is hosted. For example, if your SharePoint site is located at "https://contoso.sharepoint.com", then the "App Domain" would be "contoso.sharepoint.com". The "Redirect URL" is the URL that the SharePoint app will redirect to after the user has authenticated and granted permissions to the app. This URL should be a page on your SharePoint site that the app has permission to access. For example, you could use the URL of a page that displays a list of files in a library, or a page that displays the contents of a document.
+ > In the context of configuring the SharePoint connector, the "App Domain" and "Redirect URL" refer to the SharePoint app that you have registered in Microsoft Entra ID to allow access to your SharePoint data. The "App Domain" is the domain where your SharePoint site is hosted. For example, if your SharePoint site is located at "https://contoso.sharepoint.com", then the "App Domain" would be "contoso.sharepoint.com". The "Redirect URL" is the URL that the SharePoint app will redirect to after the user has authenticated and granted permissions to the app. This URL should be a page on your SharePoint site that the app has permission to access. For example, you could use the URL of a page that displays a list of files in a library, or a page that displays the contents of a document.
3. Click "Trust It" for this app.
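Review bot: the renamed NOTE describes the "Redirect URL" as where the app redirects "after the user has authenticated", but the article's own setup text says the connector uses service principal authentication with no interactive user sign-in; clarify that this is a registration field and whether any redirect actually occurs for the app-only flow, or trim the example about pages that display files.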
The following properties are supported for a SharePoint Online List linked servi
| - | | | | type | The type property must be set to:ΓÇ»**SharePointOnlineList**. | Yes | | siteUrl | The SharePoint Online site url, e.g. `https://contoso.sharepoint.com/sites/siteName`. | Yes |
-| servicePrincipalId | The Application (client) ID of the application registered in Azure Active Directory. Refer to [Prerequisites](#prerequisites) for more details including the permission settings.| Yes |
+| servicePrincipalId | The Application (client) ID of the application registered in Microsoft Entra ID. Refer to [Prerequisites](#prerequisites) for more details including the permission settings.| Yes |
| servicePrincipalKey | The application's key. Mark this field as a **SecureString** to store it securely, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes | | tenantId | The tenant ID under which your application resides. | Yes | | connectVia | The [Integration Runtime](concepts-integration-runtime.md) to use to connect to the data store. If not specified, the default Azure Integration Runtime is used. | No |
You can copy file from SharePoint Online by using **Web activity** to authentica
:::image type="content" source="media/connector-sharepoint-online-list/sharepoint-online-copy-file-flow.png" alt-text="sharepoint copy file flow":::
-1. Follow the [Prerequisites](#prerequisites) section to create AAD application and grant permission to SharePoint Online.
+1. Follow the [Prerequisites](#prerequisites) section to create Microsoft Entra application and grant permission to SharePoint Online.
2. Create a **Web Activity** to get the access token from SharePoint Online:
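Review bot: the renamed step drops the article: "to create a Microsoft Entra application and grant permission to SharePoint Online".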
You can copy file from SharePoint Online by using **Web activity** to authentica
- Configure the copy activity sink as usual. > [!NOTE]
-> Even if an Azure AD application has `FullControl` permissions on SharePoint Online, you can't copy files from document libraries with IRM enabled.
+> Even if a Microsoft Entra application has `FullControl` permissions on SharePoint Online, you can't copy files from document libraries with IRM enabled.
## Lookup activity properties
data-factory Connector Troubleshoot Azure Data Lake https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-troubleshoot-azure-data-lake.md
This article provides suggestions to troubleshoot common problems with the Azure
`Failed to get access token by using service principal. ADAL Error: service_unavailable, The remote server returned an error: (503) Server Unavailable.` -- **Cause**: When the Service Token Server (STS) that's owned by Azure Active Directory is not available, that means it's too busy to handle requests, and it returns HTTP error 503.
+- **Cause**: When the Service Token Server (STS) that's owned by Microsoft Entra ID is not available, that means it's too busy to handle requests, and it returns HTTP error 503.
- **Resolution**: Rerun the copy activity after several minutes.
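Review bot: the renamed Cause line still expands STS as "Service Token Server"; STS is the security token service, and Microsoft Entra ID's STS is what issues the token here, so correct the expansion in this same edit.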
data-factory Connector Troubleshoot Dynamics Dataverse https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/connector-troubleshoot-dynamics-dataverse.md
This article provides suggestions to troubleshoot common problems with the Dynam
| Cause analysis | Recommendation | | :-- | :-- |
- | You are seeing `ERROR REQUESTING ORGS FROM THE DISCOVERY SERVERFCB 'EnableRegionalDisco' is disabled.` or otherwise `Unable to Login to Dynamics CRM, message:ERROR REQUESTING Token FROM THE Authentication context - USER intervention required but not permitted by prompt behavior AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '00000007-0000-0000-c000-000000000000'` If your use case meets **all** of the following three conditions: <li>You are connecting to Dynamics 365, Common Data Service, or Dynamics CRM.</li><li>You are using Office365 Authentication.</li><li>Your tenant and user is configured in Azure Active Directory for [conditional access](../active-directory/conditional-access/overview.md) and/or Multi-Factor Authentication is required (see this [link](/powerapps/developer/data-platform/authenticate-office365-deprecation) to Dataverse doc).</li> Under these circumstances, the connection used to succeed before 6/8/2021. Starting 6/9/2021 connection will start to fail because of the deprecation of regional Discovery Service (see this [link](/power-platform/important-changes-coming#regional-discovery-service-is-deprecated)).| If your tenant and user is configured in Azure Active Directory for [conditional access](../active-directory/conditional-access/overview.md) and/or Multi-Factor Authentication is required, you must use 'Azure AD service-principal' to authenticate after 6/8/2021. Refer this [link](./connector-dynamics-crm-office-365.md#prerequisites) for detailed steps.|
- |If you see `Office 365 auth with OAuth failed` in the error message, it means that your server might have some configurations not compatible with OAuth.| <li>Contact Dynamics support team with the detailed error message for help.</li><li>Use the service principal authentication, and you can refer to this article: [Example: Dynamics online using Azure AD service-principal and certificate authentication](./connector-dynamics-crm-office-365.md#example-dynamics-online-using-azure-ad-service-principal-and-certificate-authentication).</li>
+ | You are seeing `ERROR REQUESTING ORGS FROM THE DISCOVERY SERVERFCB 'EnableRegionalDisco' is disabled.` or otherwise `Unable to Login to Dynamics CRM, message:ERROR REQUESTING Token FROM THE Authentication context - USER intervention required but not permitted by prompt behavior AADSTS50079: Due to a configuration change made by your administrator, or because you moved to a new location, you must enroll in multi-factor authentication to access '00000007-0000-0000-c000-000000000000'` If your use case meets **all** of the following three conditions: <li>You are connecting to Dynamics 365, Common Data Service, or Dynamics CRM.</li><li>You are using Office365 Authentication.</li><li>Your tenant and user is configured in Microsoft Entra ID for [conditional access](../active-directory/conditional-access/overview.md) and/or Multi-Factor Authentication is required (see this [link](/powerapps/developer/data-platform/authenticate-office365-deprecation) to Dataverse doc).</li> Under these circumstances, the connection used to succeed before 6/8/2021. Starting 6/9/2021 connection will start to fail because of the deprecation of regional Discovery Service (see this [link](/power-platform/important-changes-coming#regional-discovery-service-is-deprecated)).| If your tenant and user is configured in Microsoft Entra ID for [conditional access](../active-directory/conditional-access/overview.md) and/or Multi-Factor Authentication is required, you must use 'Microsoft Entra service principal' to authenticate after 6/8/2021. Refer this [link](./connector-dynamics-crm-office-365.md#prerequisites) for detailed steps.|
+ |If you see `Office 365 auth with OAuth failed` in the error message, it means that your server might have some configurations not compatible with OAuth.| <li>Contact Dynamics support team with the detailed error message for help.</li><li>Use the service principal authentication, and you can refer to this article: [Example: Dynamics online using Microsoft Entra service principal and certificate authentication](./connector-dynamics-crm-office-365.md#example-dynamics-online-using-azure-ad-service-principal-and-certificate-authentication).</li>
|If you see `Unable to retrieve authentication parameters from the serviceUri` in the error message, it means that either you input the wrong Dynamics service URL or proxy/firewall to intercept the traffic. |<li>Make sure you have put the correct service URI in the linked service.</li><li>If you use the Self Hosted IR, make sure that the firewall/proxy does not intercept the requests to the Dynamics server.</li> | |If you see `An unsecured or incorrectly secured fault was received from the other party` in the error message, it means that unexpected responses were gotten from the server side. | <li>Make sure your username and password are correct if you use the Office 365 authentication. </li><li> Make sure you have input the correct service URI.</li><li>If you use regional CRM URL (URL has a number after 'crm'), make sure you use the correct regional identifier.</li><li>Contact the Dynamics support team for help.</li>| |If you see `No Organizations Found` in the error message, it means that either your organization name is wrong or you used a wrong CRM region identifier in the service URL.|<li>Make sure you have input the correct service URI.</li><li>If you use the regional CRM URL (URL has a number after 'crm'), make sure that you use the correct regional identifier.</li><li>Contact the Dynamics support team for help.</li>|
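Review bot: in the renamed recommendation, the quoted option 'Microsoft Entra service principal' should match what the reader will actually see, either the linked service UI label or the JSON value `AADServicePrincipal`, which this commit does not rename; otherwise readers searching for the quoted string will not find it. Also "Refer this link" should be "Refer to this link". The fragment link to the certificate-authentication example depends on the `<a name>` anchor kept in the connector article in this same commit, so both changes must ship together.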
- | If you see `401 Unauthorized` and AAD-related error message, it means that there's an issue with the service principal. |Follow the guidance in the error message to fix the service principal issue. |
+ | If you see `401 Unauthorized` and Microsoft Entra related error message, it means that there's an issue with the service principal. |Follow the guidance in the error message to fix the service principal issue. |
|For other errors, usually the issue is on the server side. |Use [XrmToolBox](https://www.xrmtoolbox.com/) to make connection. If the error persists, contact the Dynamics support team for help. | ## Error code: DynamicsOperationFailed
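Review bot: "If you see `401 Unauthorized` and Microsoft Entra related error message" needs an article and a hyphen: "and a Microsoft Entra-related error message".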
data-factory Continuous Integration Delivery Automate Github Actions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/continuous-integration-delivery-automate-github-actions.md
The workflow leverages the [automated publishing capability](continuous-integrat
## Create a user-assigned managed identity
-You need credentials that authenticate and authorize GitHub Actions to deploy your ARM template to the target Data Factory. We leverage a user-assigned managed identity (UAMI) with [workload identity federation](../active-directory/workload-identities/workload-identity-federation.md). Using workload identity federation allows you to access Azure Active Directory (Azure AD) protected resources without needing to manage secrets. In this scenario, GitHub Actions are able to access the Azure resource group and deploy the target Data Factory instance.
+You need credentials that authenticate and authorize GitHub Actions to deploy your ARM template to the target Data Factory. We leverage a user-assigned managed identity (UAMI) with [workload identity federation](../active-directory/workload-identities/workload-identity-federation.md). Using workload identity federation allows you to access Microsoft Entra protected resources without needing to manage secrets. In this scenario, GitHub Actions are able to access the Azure resource group and deploy the target Data Factory instance.
Follow the tutorial to [create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md#create-a-user-assigned-managed-identity). Once the UAMI is created, browse to the Overview page and take a note of the Subscription ID and Client ID. We need these values later.
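Review bot: "Microsoft Entra protected resources" in the `+` line stacks three nouns where the original had "(Azure AD) protected resources"; suggest "resources protected by Microsoft Entra ID" or "Microsoft Entra ID-protected resources". Because this is the first mention in the section and the parenthetical expansion was removed, keep the full product name "Microsoft Entra ID" here and use the shorter "Microsoft Entra" adjective form only in later mentions.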
Follow the tutorial to [create a user-assigned managed identity](../active-direc
:::image type="content" source="media/continuous-integration-delivery-github-actions/add-federated-credential.png" lightbox="media/continuous-integration-delivery-github-actions/add-federated-credential.png"alt-text="Screenshot of adding Federated Credential in Azure Portal.":::
-2. After creating the credential, navigate to Azure Active Directory Overview page and take a note of the tenant ID. We need this value later.
+2. After creating the credential, navigate to Microsoft Entra Overview page and take a note of the tenant ID. We need this value later.
3. Browse to the Resource Group containing the target Data Factory instance and assign the UAMI the [Data Factory Contributor role](concepts-roles-permissions.md#roles-and-requirements).
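Review bot: "navigate to Microsoft Entra Overview page" in the `+` line is missing an article and uses the adjective form where the step is naming a portal page. Elsewhere in this batch the noun form is "Microsoft Entra ID" (for example "request tokens from Microsoft Entra ID"), so "navigate to the Microsoft Entra ID Overview page" is the consistent wording and matches how the portal lists the service.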
You need to provide your application's Client ID, Tenant ID and Subscription ID
:::image type="content" source="media/continuous-integration-delivery-github-actions/github-secrets.png" lightbox="media/continuous-integration-delivery-github-actions/github-secrets.png" alt-text="Screenshot of navigating to GitHub Secrets.":::
-3. Create secrets for AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_SUBSCRIPTION_ID. Use these values from your Azure Active Directory application for your GitHub secrets:
+3. Create secrets for AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_SUBSCRIPTION_ID. Use these values from your Microsoft Entra application for your GitHub secrets:
- | GitHub Secret | Azure Active Directory Application |
+ | GitHub Secret | Microsoft Entra Application |
||-| | AZURE_CLIENT_ID | Application (client) ID | | AZURE_TENANT_ID | Directory (tenant) ID |
data-factory Control Flow Azure Function Activity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/control-flow-azure-function-activity.md
Function Key provides secure access to function name with each one having separa
| Function app url | URL for the Azure Function App. Format is `https://<accountname>.azurewebsites.net`. This URL is the value under **URL** section when viewing your Function App in the Azure portal | Yes | | Function key | Access key for the Azure Function. Click on the **Manage** section for the respective function, and copy either the **Function Key** or the **Host key**. Find out more here: [Azure Functions HTTP triggers and bindings](../azure-functions/functions-bindings-http-webhook-trigger.md#authorization-keys) | Yes | | Authentication | The authentication method used for calling the Azure Function. The supported values are 'System-assigned managed identity' or 'anonymous'.| Yes |
-| Resource ID | The App (client) ID of the Azure Function. Switch to **Authentication** section for the respective function, and get the App (client) ID under **Identity provider**. This property will be displayed when you use system-assigned managed identity. For more information, see [Configure your App Service or Azure Functions app to use Azure AD login](../app-service/configure-authentication-provider-aad.md).| No |
+| Resource ID | The App (client) ID of the Azure Function. Switch to **Authentication** section for the respective function, and get the App (client) ID under **Identity provider**. This property will be displayed when you use system-assigned managed identity. For more information, see [Configure your App Service or Azure Functions app to use Microsoft Entra login](../app-service/configure-authentication-provider-aad.md).| No |
>[!Note] > When you use anonymous authentication, ensure that you have taken down your identity on the Azure Function side.
data-factory Create Azure Ssis Integration Runtime Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/create-azure-ssis-integration-runtime-portal.md
If you select the check box, complete the following steps to bring your own data
If you select an Azure SQL Database server with IP firewall rules/virtual network service endpoints or a managed instance with private endpoint to host SSISDB, or if you require access to on-premises data without configuring a self-hosted IR, you need to join your Azure-SSIS IR to a virtual network. For more information, see [Join an Azure-SSIS IR to a virtual network](./join-azure-ssis-integration-runtime-virtual-network.md).
-1. Select either the **Use AAD authentication with the system managed identity for Data Factory** or **Use AAD authentication with a user-assigned managed identity for Data Factory** check box to choose Azure AD authentication method for Azure-SSIS IR to access your database server that hosts SSISDB. Don't select any of the check boxes to choose SQL authentication method instead.
+1. Select either the **Use Microsoft Entra authentication with the system managed identity for Data Factory** or **Use Microsoft Entra authentication with a user-assigned managed identity for Data Factory** check box to choose Microsoft Entra authentication method for Azure-SSIS IR to access your database server that hosts SSISDB. Don't select any of the check boxes to choose SQL authentication method instead.
- If you select any of the check boxes, you'll need to add the specified system/user-assigned managed identity for your data factory into an Azure AD group with access permissions to your database server. If you select the **Use AAD authentication with a user-assigned managed identity for Data Factory** check box, you can then select any existing credentials created using your specified user-assigned managed identities or create new ones. For more information, see [Enable Azure AD authentication for an Azure-SSIS IR](./enable-aad-authentication-azure-ssis-ir.md).
+ If you select any of the check boxes, you'll need to add the specified system/user-assigned managed identity for your data factory into a Microsoft Entra group with access permissions to your database server. If you select the **Use Microsoft Entra authentication with a user-assigned managed identity for Data Factory** check box, you can then select any existing credentials created using your specified user-assigned managed identities or create new ones. For more information, see [Enable Microsoft Entra authentication for an Azure-SSIS IR](./enable-aad-authentication-azure-ssis-ir.md).
1. For **Admin Username**, enter the SQL authentication username for your database server that hosts SSISDB.
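Review bot: The `+` lines change the bold check-box labels to "Use Microsoft Entra authentication with the system managed identity for Data Factory" and the user-assigned variant. Bold text in these steps quotes the UI verbatim, so confirm that the Data Factory portal has actually relabelled those check boxes; if the portal still shows "Use AAD authentication ...", the reader will not find the option described and the label text should stay as the UI shows it until the rename ships there. The prose "Microsoft Entra authentication method" outside the bold labels is fine either way.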
data-factory Create Azure Ssis Integration Runtime Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/create-azure-ssis-integration-runtime-powershell.md
If you don't use an Azure SQL Database server with IP firewall rules/virtual net
If you use managed instance to host SSISDB, you can omit the `CatalogPricingTier` parameter or pass an empty value for it. Otherwise, you can't omit it and must pass a valid value from the list of supported pricing tiers for Azure SQL Database. For more information, see [SQL Database resource limits](/azure/azure-sql/database/resource-limits-logical-server).
-If you use Azure AD authentication with the specified system/user-assigned managed identity for your data factory to connect to the database server, you can omit the `CatalogAdminCredential` parameter. But you must add the specified system/user-assigned managed identity for your data factory into an Azure AD group with access permissions to the database server. For more information, see [Enable Azure AD authentication for an Azure-SSIS IR](./enable-aad-authentication-azure-ssis-ir.md). Otherwise, you can't omit it and must pass a valid object formed from your server admin username and password for SQL authentication.
+If you use Microsoft Entra authentication with the specified system/user-assigned managed identity for your data factory to connect to the database server, you can omit the `CatalogAdminCredential` parameter. But you must add the specified system/user-assigned managed identity for your data factory into a Microsoft Entra group with access permissions to the database server. For more information, see [Enable Microsoft Entra authentication for an Azure-SSIS IR](./enable-aad-authentication-azure-ssis-ir.md). Otherwise, you can't omit it and must pass a valid object formed from your server admin username and password for SQL authentication.
```powershell Set-AzDataFactoryV2IntegrationRuntime -ResourceGroupName $ResourceGroupName `
data-factory Create Azure Ssis Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/create-azure-ssis-integration-runtime.md
The [Provisioning Azure-SSIS IR](./tutorial-deploy-ssis-packages-azure.md) tutor
- Use an Azure SQL Database server with IP firewall rules/virtual network service endpoints or a managed instance with private endpoint to host SSISDB. As a prerequisite, you need to configure virtual network permissions and settings for your Azure-SSIS IR to join a virtual network. -- Use Azure Active Directory (Azure AD) authentication with the specified system/user-assigned managed identity for your data factory to connect to an Azure SQL Database server or managed instance. As a prerequisite, you need to add the specified system/user-assigned managed identity for your data factory as a database user who can create an SSISDB instance.
+- Use Microsoft Entra authentication with the specified system/user-assigned managed identity for your data factory to connect to an Azure SQL Database server or managed instance. As a prerequisite, you need to add the specified system/user-assigned managed identity for your data factory as a database user who can create an SSISDB instance.
- Join your Azure-SSIS IR to a virtual network, or configure a self-hosted IR as proxy for your Azure-SSIS IR to access data on-premises.
These articles shows how to provision an Azure-SSIS IR by using the [Azure porta
- Add the IP address of the client machine, or a range of IP addresses that includes the IP address of the client machine, to the client IP address list in the firewall settings for the database server. For more information, see [Azure SQL Database server-level and database-level firewall rules](/azure/azure-sql/database/firewall-configure).
- - You can connect to the database server by using SQL authentication with your server admin credentials, or by using Azure AD authentication with the specified system/user-assigned managed identity for your data factory. For the latter, you need to add the specified system/user-assigned managed identity for your data factory into an Azure AD group with access permissions to the database server. For more information, see [Enable Azure AD authentication for an Azure-SSIS IR](./enable-aad-authentication-azure-ssis-ir.md).
+ - You can connect to the database server by using SQL authentication with your server admin credentials, or by using Microsoft Entra authentication with the specified system/user-assigned managed identity for your data factory. For the latter, you need to add the specified system/user-assigned managed identity for your data factory into a Microsoft Entra group with access permissions to the database server. For more information, see [Enable Microsoft Entra authentication for an Azure-SSIS IR](./enable-aad-authentication-azure-ssis-ir.md).
- Confirm that your database server does not have an SSISDB instance already. The provisioning of an Azure-SSIS IR does not support using an existing SSISDB instance.
The following table compares certain features of an Azure SQL Database server an
| Feature | SQL Database| SQL Managed instance | ||--|| | **Scheduling** | The SQL Server Agent is not available.<br/><br/>See [Schedule a package execution in a Data Factory pipeline](/sql/integration-services/lift-shift/ssis-azure-schedule-packages#activity).| The Managed Instance Agent is available. |
-| **Authentication** | You can create an SSISDB instance with a contained database user who represents any Azure AD group with the managed identity of your data factory as a member in the **db_owner** role.<br/><br/>See [Enable Azure AD authentication to create an SSISDB in Azure SQL Database server](enable-aad-authentication-azure-ssis-ir.md#enable-azure-ad-authentication-on-azure-sql-database). | You can create an SSISDB instance with a contained database user who represents the managed identity of your data factory. <br/><br/>See [Enable Azure AD authentication to create an SSISDB in Azure SQL Managed Instance](enable-aad-authentication-azure-ssis-ir.md#enable-azure-ad-authentication-on-azure-sql-managed-instance). |
+| **Authentication** | You can create an SSISDB instance with a contained database user who represents any Microsoft Entra group with the managed identity of your data factory as a member in the **db_owner** role.<br/><br/>See [Enable Microsoft Entra authentication to create an SSISDB in Azure SQL Database server](enable-aad-authentication-azure-ssis-ir.md#enable-azure-ad-authentication-on-azure-sql-database). | You can create an SSISDB instance with a contained database user who represents the managed identity of your data factory. <br/><br/>See [Enable Microsoft Entra authentication to create an SSISDB in Azure SQL Managed Instance](enable-aad-authentication-azure-ssis-ir.md#enable-azure-ad-authentication-on-azure-sql-managed-instance). |
| **Service tier** | When you create an Azure-SSIS IR with your Azure SQL Database server, you can select the service tier for SSISDB. There are multiple service tiers. | When you create an Azure-SSIS IR with your managed instance, you can't select the service tier for SSISDB. All databases in your managed instance share the same resource allocated to that instance. | | **Virtual network** | Your Azure-SSIS IR can join an Azure Resource Manager virtual network if you use an Azure SQL Database server with IP firewall rules/virtual network service endpoints. | Your Azure-SSIS IR can join an Azure Resource Manager virtual network if you use a managed instance with private endpoint. The virtual network is required when you don't enable a public endpoint for your managed instance.<br/><br/>If you join your Azure-SSIS IR to the same virtual network as your managed instance, make sure that your Azure-SSIS IR is in a different subnet from your managed instance. If you join your Azure-SSIS IR to a different virtual network from your managed instance, we recommend either a virtual network peering or a network-to-network connection. See [Connect your application to an Azure SQL Database Managed Instance](/azure/azure-sql/managed-instance/connect-application-instance). | | **Distributed transactions** | This feature is supported through elastic transactions. Microsoft Distributed Transaction Coordinator (MSDTC) transactions are not supported. If your SSIS packages use MSDTC to coordinate distributed transactions, consider migrating to elastic transactions for Azure SQL Database. For more information, see [Distributed transactions across cloud databases](/azure/azure-sql/database/elastic-transactions-overview). | Not supported. |
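Review bot: The links in the **Authentication** row still point at `#enable-azure-ad-authentication-on-azure-sql-database` and `#enable-azure-ad-authentication-on-azure-sql-managed-instance` in enable-aad-authentication-azure-ssis-ir.md, while this same batch renames that article's title to "Enable Microsoft Entra authentication ..."; if its section headings receive the same rename, these auto-generated anchors break silently and the reader lands at the top of the page instead of the relevant section. Verify both anchors after the target article is updated, or give those headings explicit stable anchors so future renames cannot break the cross-references.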
data-factory Create Self Hosted Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/create-self-hosted-integration-runtime.md
This article describes how you can create and configure a self-hosted IR.
## Considerations for using a self-hosted IR -- You can use a single self-hosted integration runtime for multiple on-premises data sources. You can also share it with another data factory within the same Azure Active Directory (Azure AD) tenant. For more information, see [Sharing a self-hosted integration runtime](./create-shared-self-hosted-integration-runtime-powershell.md).
+- You can use a single self-hosted integration runtime for multiple on-premises data sources. You can also share it with another data factory within the same Microsoft Entra tenant. For more information, see [Sharing a self-hosted integration runtime](./create-shared-self-hosted-integration-runtime-powershell.md).
- You can install only one instance of a self-hosted integration runtime on any single machine. If you have two data factories that need to access on-premises data sources, either use the [self-hosted IR sharing feature](./create-shared-self-hosted-integration-runtime-powershell.md) to share the self-hosted IR, or install the self-hosted IR on two on-premises computers, one for each data factory or Synapse workspace. Synapse workspace doesn't support Integration Runtime Sharing. - The self-hosted integration runtime doesn't need to be on the same machine as the data source. However, having the self-hosted integration runtime close to the data source reduces the time for the self-hosted integration runtime to connect to the data source. We recommend that you install the self-hosted integration runtime on a machine that differs from the one that hosts the on-premises data source. When the self-hosted integration runtime and data source are on different machines, the self-hosted integration runtime doesn't compete with the data source for resources. - You can have multiple self-hosted integration runtimes on different machines that connect to the same on-premises data source. For example, if you have two self-hosted integration runtimes that serve two data factories, the same on-premises data source can be registered with both data factories.
data-factory Create Shared Self Hosted Integration Runtime Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/create-shared-self-hosted-integration-runtime-powershell.md
Remove-AzDataFactoryV2IntegrationRuntime `
* To grant permission, you need the Owner role or the inherited Owner role in the data factory where the shared IR exists.
-* The sharing feature works only for data factories within the same Azure AD tenant.
+* The sharing feature works only for data factories within the same Microsoft Entra tenant.
-* For Azure AD [guest users](../active-directory/governance/manage-guest-access-with-access-reviews.md), the search functionality in the UI, which lists all data factories by using a search keyword, doesn't work. But as long as the guest user is the owner of the data factory, you can share the IR without the search functionality. For the Managed Identity of the data factory that needs to share the IR, enter that Managed Identity in the **Assign Permission** box and select **Add** in the Data Factory UI.
+* For Microsoft Entra ID [guest users](../active-directory/governance/manage-guest-access-with-access-reviews.md), the search functionality in the UI, which lists all data factories by using a search keyword, doesn't work. But as long as the guest user is the owner of the data factory, you can share the IR without the search functionality. For the Managed Identity of the data factory that needs to share the IR, enter that Managed Identity in the **Assign Permission** box and select **Add** in the Data Factory UI.
> [!NOTE] > This feature is available only in Data Factory V2.
data-factory Credentials https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/credentials.md
Users must have the Managed Identity Operator (Azure RBAC) role or a custom role
## Using credentials
-We are introducing Credentials which can contain user-assigned managed identities, service principals, and also lists the system-assigned managed identity that you can use in the linked services that support Azure Active Directory (Azure AD) authentication. It helps you consolidate and manage all your Azure AD-based credentials.
+We are introducing Credentials which can contain user-assigned managed identities, service principals, and also lists the system-assigned managed identity that you can use in the linked services that support Microsoft Entra authentication. It helps you consolidate and manage all your Microsoft Entra ID-based credentials.
Below are the generic steps for using a **user-assigned managed identity** in the linked services for authentication.
data-factory Data Factory Service Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/data-factory-service-identity.md
This article helps you understand managed identity (formerly known as Managed Se
## Overview
-Managed identities eliminate the need to manage credentials. Managed identities provide an identity for the service instance when connecting to resources that support Azure Active Directory (Azure AD) authentication. For example, the service can use a managed identity to access resources like [Azure Key Vault](../key-vault/general/overview.md), where data admins can securely store credentials or access storage accounts. The service uses the managed identity to obtain Azure AD tokens.
+Managed identities eliminate the need to manage credentials. Managed identities provide an identity for the service instance when connecting to resources that support Microsoft Entra authentication. For example, the service can use a managed identity to access resources like [Azure Key Vault](../key-vault/general/overview.md), where data admins can securely store credentials or access storage accounts. The service uses the managed identity to obtain Microsoft Entra tokens.
There are two types of supported managed identities: -- **System-assigned:** You can enable a managed identity directly on a service instance. When you allow a system-assigned managed identity during the creation of the service, an identity is created in Azure AD tied to that service instance's lifecycle. By design, only that Azure resource can use this identity to request tokens from Azure AD. So when the resource is deleted, Azure automatically deletes the identity for you.
+- **System-assigned:** You can enable a managed identity directly on a service instance. When you allow a system-assigned managed identity during the creation of the service, an identity is created in Microsoft Entra tied to that service instance's lifecycle. By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID. So when the resource is deleted, Azure automatically deletes the identity for you.
- **User-assigned:** You may also create a managed identity as a standalone Azure resource. You can [create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md) and assign it to one or more instances of a data factory. In user-assigned managed identities, the identity is managed separately from the resources that use it. Managed identity provides the below benefits:
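Review bot: The `+` line for **System-assigned** uses the name inconsistently within one sentence: "an identity is created in Microsoft Entra tied to that service instance's lifecycle" treats "Microsoft Entra" as the noun for the directory, while the same line later says "request tokens from Microsoft Entra ID". Where the name stands alone as a noun, use "Microsoft Entra ID"; suggest "an identity is created in Microsoft Entra ID that is tied to that service instance's lifecycle".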
PrincipalId TenantId
765ad4ab-XXXX-XXXX-XXXX-51ed985819dc 72f988bf-XXXX-XXXX-XXXX-2d7cd011db47 ```
-You can get the application ID by copying above principal ID, then running below Azure Active Directory command with principal ID as parameter.
+You can get the application ID by copying above principal ID, then running below Microsoft Entra ID command with principal ID as parameter.
```powershell PS C:\> Get-AzADServicePrincipal -ObjectId 765ad4ab-XXXX-XXXX-XXXX-51ed985819dc
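Review bot: "running below Microsoft Entra ID command with principal ID as parameter" in the `+` line is missing its articles, and the command shown in the following code block is the Az PowerShell cmdlet `Get-AzADServicePrincipal` rather than anything a reader would recognise as a "Microsoft Entra ID command". Suggest "then running the following Az PowerShell command with the principal ID as the parameter".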
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{
## User-assigned managed identity
-You can create, delete, manage user-assigned managed identities in Azure Active Directory. For more details refer to [Create, list, delete, or assign a role to a user-assigned managed identity using the Azure portal](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md).
+You can create, delete, manage user-assigned managed identities in Microsoft Entra ID. For more details refer to [Create, list, delete, or assign a role to a user-assigned managed identity using the Azure portal](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md).
In order to use a user-assigned managed identity, you must first [create credentials](credentials.md) in your service instance for the UAMI.
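Review bot: While the `+` line is being touched, the list "You can create, delete, manage user-assigned managed identities" needs a conjunction: "You can create, delete, and manage user-assigned managed identities in Microsoft Entra ID."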
data-factory Data Factory Troubleshoot Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/data-factory-troubleshoot-guide.md
The following table applies to U-SQL.
- **Message**: `The access token is from the wrong tenant.` -- **Cause**: Incorrect Azure Active Directory (Azure AD) tenant.
+- **Cause**: Incorrect Microsoft Entra tenant.
-- **Recommendation**: Incorrect Azure Active Directory (Azure AD) tenant.
+- **Recommendation**: Incorrect Microsoft Entra tenant.
<br/>
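Review bot: The **Recommendation** bullet in the `+` line still only repeats the cause ("Incorrect Microsoft Entra tenant"), so the reader is given no action to take for the `The access token is from the wrong tenant.` message. Since the rename edits this line anyway, replace it with an actual recommendation, for example: "Verify that the tenant ID configured in the linked service is the tenant that issued the access token, and correct it if the two differ."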
data-factory Data Migration Guidance Hdfs Azure Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/data-migration-guidance-hdfs-azure-storage.md
We recommend that you follow these best practices when you implement your data m
### Authentication and credential management - To authenticate to HDFS, you can use [either Windows (Kerberos) or Anonymous](./connector-hdfs.md#linked-service-properties). -- Multiple authentication types are supported for connecting to Azure Blob storage. We highly recommend using [managed identities for Azure resources](./connector-azure-blob-storage.md#managed-identity). Built on top of an automatically managed Data Factory identity in Azure Active Directory (Azure AD), managed identities allow you to configure pipelines without supplying credentials in the linked service definition. Alternatively, you can authenticate to Blob storage by using a [service principal](./connector-azure-blob-storage.md#service-principal-authentication), a [shared access signature](./connector-azure-blob-storage.md#shared-access-signature-authentication), or a [storage account key](./connector-azure-blob-storage.md#account-key-authentication).
+- Multiple authentication types are supported for connecting to Azure Blob storage. We highly recommend using [managed identities for Azure resources](./connector-azure-blob-storage.md#managed-identity). Built on top of an automatically managed Data Factory identity in Microsoft Entra ID, managed identities allow you to configure pipelines without supplying credentials in the linked service definition. Alternatively, you can authenticate to Blob storage by using a [service principal](./connector-azure-blob-storage.md#service-principal-authentication), a [shared access signature](./connector-azure-blob-storage.md#shared-access-signature-authentication), or a [storage account key](./connector-azure-blob-storage.md#account-key-authentication).
- Multiple authentication types also are supported for connecting to Data Lake Storage Gen2. We highly recommend using [managed identities for Azure resources](./connector-azure-data-lake-storage.md#managed-identity), but you also can use a [service principal](./connector-azure-data-lake-storage.md#service-principal-authentication) or a [storage account key](./connector-azure-data-lake-storage.md#account-key-authentication). - When you're not using managed identities for Azure resources, we highly recommend [storing the credentials in Azure Key Vault](./store-credentials-in-key-vault.md) to make it easier to centrally manage and rotate keys without modifying Data Factory linked services. This is also a [best practice for CI/CD](./continuous-integration-delivery.md#best-practices-for-cicd).
data-factory Data Migration Guidance Netezza Azure Sqldw https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/data-migration-guidance-netezza-azure-sqldw.md
The preceding diagram can be interpreted as follows:
- To authenticate to Azure Blob storage:
- - We highly recommend using [managed identities for Azure resources](./connector-azure-blob-storage.md#managed-identity). Built on top of an automatically managed Azure Data Factory identity in Azure Active Directory (Azure AD), managed identities allows you to configure pipelines without having to supply credentials in the Linked Service definition.
+ - We highly recommend using [managed identities for Azure resources](./connector-azure-blob-storage.md#managed-identity). Built on top of an automatically managed Azure Data Factory identity in Microsoft Entra ID, managed identities allows you to configure pipelines without having to supply credentials in the Linked Service definition.
- Alternatively, you can authenticate to Azure Blob storage by using [service principal](./connector-azure-blob-storage.md#service-principal-authentication), a [shared access signature](./connector-azure-blob-storage.md#shared-access-signature-authentication), or a [storage account key](./connector-azure-blob-storage.md#account-key-authentication).
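Review bot: "managed identities allows you to configure pipelines" in the `+` line has a subject/verb mismatch that the rename carried over; change it to "managed identities allow you to configure pipelines" while the line is being rewritten.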
For more information, see the following articles and guides:
## Next steps -- [Copy files from multiple containers by using Azure Data Factory](solution-template-copy-files-multiple-containers.md)
+- [Copy files from multiple containers by using Azure Data Factory](solution-template-copy-files-multiple-containers.md)
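Review bot: The `-` and `+` lines in this hunk are textually identical ("- [Copy files from multiple containers by using Azure Data Factory](solution-template-copy-files-multiple-containers.md)"), so the change is whitespace or line-ending only. Confirm this is intentional (for example adding a missing final newline) rather than an editor converting line endings, which only adds noise to the file history.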
data-factory Data Migration Guidance S3 Azure Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/data-migration-guidance-s3-azure-storage.md
Migrate data over private link:
### Authentication and credential management - To authenticate to Amazon S3 account, you must use [access key for IAM account](./connector-amazon-simple-storage-service.md#linked-service-properties). -- Multiple authentication types are supported to connect to Azure Blob Storage. Use of [managed identities for Azure resources](./connector-azure-blob-storage.md#managed-identity) is highly recommended: built on top of an automatically managed ADF identify in Azure AD, it allows you to configure pipelines without supplying credentials in Linked Service definition. Alternatively, you can authenticate to Azure Blob Storage using [Service Principal](./connector-azure-blob-storage.md#service-principal-authentication), [shared access signature](./connector-azure-blob-storage.md#shared-access-signature-authentication), or [storage account key](./connector-azure-blob-storage.md#account-key-authentication).
+- Multiple authentication types are supported to connect to Azure Blob Storage. Use of [managed identities for Azure resources](./connector-azure-blob-storage.md#managed-identity) is highly recommended: built on top of an automatically managed ADF identify in Microsoft Entra ID, it allows you to configure pipelines without supplying credentials in Linked Service definition. Alternatively, you can authenticate to Azure Blob Storage using [Service Principal](./connector-azure-blob-storage.md#service-principal-authentication), [shared access signature](./connector-azure-blob-storage.md#shared-access-signature-authentication), or [storage account key](./connector-azure-blob-storage.md#account-key-authentication).
- Multiple authentication types are also supported to connect to Azure Data Lake Storage Gen2. Use of [managed identities for Azure resources](./connector-azure-data-lake-storage.md#managed-identity) is highly recommended, although [service principal](./connector-azure-data-lake-storage.md#service-principal-authentication) or [storage account key](./connector-azure-data-lake-storage.md#account-key-authentication) can also be used. - When you aren't using managed identities for Azure resources, [storing the credentials in Azure Key Vault](./store-credentials-in-key-vault.md) is highly recommended to make it easier to centrally manage and rotate keys without modifying ADF linked services. This is also one of the [best practices for CI/CD](./continuous-integration-delivery.md#best-practices-for-cicd).
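Review bot: the added line carries over the typo "an automatically managed ADF identify in Microsoft Entra ID"; since the line is being rewritten anyway, change "identify" to "identity" and add the article in "credentials in the Linked Service definition". The recommendation itself (managed identity first, then Key Vault-stored credentials for the other auth types) is the right ordering for least exposure of secrets in linked services.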
Here's the [template](solution-template-migration-s3-azure.md) to start with to
## Next steps -- [Copy files from multiple containers with Azure Data Factory](solution-template-copy-files-multiple-containers.md)
+- [Copy files from multiple containers with Azure Data Factory](solution-template-copy-files-multiple-containers.md)
data-factory Enable Aad Authentication Azure Ssis Ir https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/enable-aad-authentication-azure-ssis-ir.md
Title: Enable Azure Active Directory authentication for Azure SSIS integration runtime
-description: This article describes how to enable Azure Active Directory authentication with the specified system/user-assigned managed identity for Azure Data Factory to create Azure-SSIS integration runtime.
+ Title: Enable Microsoft Entra authentication for Azure SSIS integration runtime
+description: This article describes how to enable Microsoft Entra authentication with the specified system/user-assigned managed identity for Azure Data Factory to create Azure-SSIS integration runtime.
ms.devlang: powershell
Last updated 07/17/2023
-# Enable Azure Active Directory authentication for Azure-SSIS integration runtime
+# Enable Microsoft Entra authentication for Azure-SSIS integration runtime
[!INCLUDE[appliesto-adf-asa-preview-md](includes/appliesto-adf-asa-preview-md.md)]
-This article shows you how to enable Azure Active Directory (Azure AD) authentication with the specified system/user-assigned managed identity for your Azure Data Factory (ADF) or Azure Synapse and use it instead of conventional authentication methods (like SQL authentication) to:
+This article shows you how to enable Microsoft Entra authentication with the specified system/user-assigned managed identity for your Azure Data Factory (ADF) or Azure Synapse and use it instead of conventional authentication methods (like SQL authentication) to:
- Create an Azure-SSIS integration runtime (IR) that will in turn provision SSIS catalog database (SSISDB) in Azure SQL Database server/Managed Instance on your behalf.
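Review bot: the title and description are changed but the metadata shown in the same region still reads "Last updated 07/17/2023"; a rename that touches the H1 and the description should bump the date so readers can tell the article was revised for the Microsoft Entra naming. Also, the new description drops the "(Azure AD)" parenthetical that the old text used to introduce the abbreviation, while step 1 of the next section still says "Install the Azure AD PowerShell module"; that is correct because the module keeps its product name, but a short clarification that the module name is unchanged would avoid confusion.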
This article shows you how to enable Azure Active Directory (Azure AD) authentic
For more info about the managed identity for your ADF, see [Managed identity for Data Factory and Azure Synapse](./data-factory-service-identity.md). > [!NOTE]
-> - In this scenario, Azure AD authentication with the specified system/user-assigned managed identity for your ADF is only used in the provisioning and subsequent starting operations of your Azure-SSIS IR that will in turn provision and or connect to SSISDB. For SSIS package executions, your Azure-SSIS IR will still connect to SSISDB to fetch packages using SQL authentication with fully managed accounts (*AzureIntegrationServiceDbo* and *AzureIntegrationServiceWorker*) that are created during SSISDB provisioning.
+> - In this scenario, Microsoft Entra authentication with the specified system/user-assigned managed identity for your ADF is only used in the provisioning and subsequent starting operations of your Azure-SSIS IR that will in turn provision and or connect to SSISDB. For SSIS package executions, your Azure-SSIS IR will still connect to SSISDB to fetch packages using SQL authentication with fully managed accounts (*AzureIntegrationServiceDbo* and *AzureIntegrationServiceWorker*) that are created during SSISDB provisioning.
> > - To use **connection manager user-assigned managed identity** feature, [OLEDB connection manager](/sql/integration-services/connection-manager/ole-db-connection-manager) for example, SSIS IR needs to be provisioned with the same user-assigned managed identity used in connection manager. >
-> - If you have already created your Azure-SSIS IR using SQL authentication, you can not reconfigure it to use Azure AD authentication via PowerShell at this time, but you can do so via Azure portal/ADF app.
+> - If you have already created your Azure-SSIS IR using SQL authentication, you can not reconfigure it to use Microsoft Entra authentication via PowerShell at this time, but you can do so via Azure portal/ADF app.
[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
-## Enable Azure AD authentication on Azure SQL Database
+<a name='enable-azure-ad-authentication-on-azure-sql-database'></a>
-Azure SQL Database supports creating a database with an Azure AD user. First, you need to create an Azure AD group with the specified system/user-assigned managed identity for your ADF as a member. Next, you need to set an Azure AD user as the Active Directory admin for your Azure SQL Database server and then connect to it on SQL Server Management Studio (SSMS) using that user. Finally, you need to create a contained user representing the Azure AD group, so the specified system/user-assigned managed identity for your ADF can be used by Azure-SSIS IR to create SSISDB on your behalf.
+## Enable Microsoft Entra authentication on Azure SQL Database
-### Create an Azure AD group with the specified system/user-assigned managed identity for your ADF as a member
+Azure SQL Database supports creating a database with a Microsoft Entra user. First, you need to create a Microsoft Entra group with the specified system/user-assigned managed identity for your ADF as a member. Next, you need to set a Microsoft Entra user as the Active Directory admin for your Azure SQL Database server and then connect to it on SQL Server Management Studio (SSMS) using that user. Finally, you need to create a contained user representing the Microsoft Entra group, so the specified system/user-assigned managed identity for your ADF can be used by Azure-SSIS IR to create SSISDB on your behalf.
-You can use an existing Azure AD group or create a new one using Azure AD PowerShell.
+<a name='create-an-azure-ad-group-with-the-specified-systemuser-assigned-managed-identity-for-your-adf-as-a-member'></a>
+
+### Create a Microsoft Entra group with the specified system/user-assigned managed identity for your ADF as a member
+
+You can use an existing Microsoft Entra group or create a new one using Azure AD PowerShell.
1. Install the [Azure AD PowerShell](/powershell/azure/active-directory/install-adv2) module.
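Review bot: two wording defects survive the rewrite in this hunk and should be fixed while the lines are open: "you can not reconfigure it" should be "you cannot reconfigure it", and "provision and or connect to SSISDB" should be "provision and/or connect to SSISDB". The `<a name='enable-azure-ad-authentication-on-azure-sql-database'>` and `<a name='create-an-azure-ad-group-...'>` anchors preserving the old heading ids are the right call, since the file name (enable-aad-authentication-azure-ssis-ir.md) and existing deep links are not being renamed.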
You can use an existing Azure AD group or create a new one using Azure AD PowerS
Get-AzureAdGroupMember -ObjectId $Group.ObjectId ```
-### Configure Azure AD authentication for Azure SQL Database
+<a name='configure-azure-ad-authentication-for-azure-sql-database'></a>
-You can [Configure and manage Azure AD authentication for Azure SQL Database](/azure/azure-sql/database/authentication-aad-configure) using the following steps:
+### Configure Microsoft Entra authentication for Azure SQL Database
+
+You can [Configure and manage Microsoft Entra authentication for Azure SQL Database](/azure/azure-sql/database/authentication-aad-configure) using the following steps:
1. In Azure portal, select **All services** -> **SQL servers** from the left-hand navigation.
-2. Select your Azure SQL Database server to be configured with Azure AD authentication.
+2. Select your Azure SQL Database server to be configured with Microsoft Entra authentication.
3. In the **Settings** section of the blade, select **Active Directory admin**. 4. In the command bar, select **Set admin**.
-5. Select an Azure AD user account to be made administrator of the server, and then select **Select.**
+5. Select a Microsoft Entra user account to be made administrator of the server, and then select **Select.**
6. In the command bar, select **Save.**
-### Create a contained user in Azure SQL Database representing the Azure AD group
+<a name='create-a-contained-user-in-azure-sql-database-representing-the-azure-ad-group'></a>
+
+### Create a contained user in Azure SQL Database representing the Microsoft Entra group
For this next step, you need [SSMS](/sql/ssms/download-sql-server-management-studio-ssms).
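Review bot: in steps 5 and 6 the sentence-ending period sits inside the bold UI label ("select **Select.**", "select **Save.**"), which renders as if the button were labelled "Select." and "Save."; move the period outside the bold. The step 3 label "Active Directory admin" is intentionally left as-is because that is still the portal blade name, which is worth stating in the commit message so a later pass does not "fix" it.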
For this next step, you need [SSMS](/sql/ssms/download-sql-server-management-st
2. In the **Connect to Server** dialog, enter your server name in the **Server name** field.
-3. In the **Authentication** field, select **Active Directory - Universal with MFA support** (you can also use the other two Active Directory authentication types, see [Configure and manage Azure AD authentication for Azure SQL Database](/azure/azure-sql/database/authentication-aad-configure)).
+3. In the **Authentication** field, select **Active Directory - Universal with MFA support** (you can also use the other two Active Directory authentication types, see [Configure and manage Microsoft Entra authentication for Azure SQL Database](/azure/azure-sql/database/authentication-aad-configure)).
-4. In the **User name** field, enter the name of Azure AD account that you set as the server administrator, e.g. testuser@xxxonline.com.
+4. In the **User name** field, enter the name of Microsoft Entra account that you set as the server administrator, e.g. testuser@xxxonline.com.
5. Select **Connect** and complete the sign-in process.
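Review bot: step 4 is missing an article after the rename: "enter the name of Microsoft Entra account" should read "enter the name of the Microsoft Entra account that you set as the server administrator". The SSMS option name "Active Directory - Universal with MFA support" in step 3 is correctly kept verbatim, since that is the string the dialog shows.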
For this next step, you need [SSMS](/sql/ssms/download-sql-server-management-st
The command should complete successfully, granting the contained user the ability to create a database (SSISDB).
-10. If your SSISDB was created using SQL authentication and you want to switch to use Azure AD authentication for your Azure-SSIS IR to access it, first make sure that the above steps to grant permissions to the **master** database have finished successfully. Then, right-click on the **SSISDB** database and select **New query**.
+10. If your SSISDB was created using SQL authentication and you want to switch to use Microsoft Entra authentication for your Azure-SSIS IR to access it, first make sure that the above steps to grant permissions to the **master** database have finished successfully. Then, right-click on the **SSISDB** database and select **New query**.
1. In the query window, enter the following T-SQL command, and select **Execute** on the toolbar.
For this next step, you need [SSMS](/sql/ssms/download-sql-server-management-st
The command should complete successfully, granting the contained user the ability to access SSISDB.
-## Enable Azure AD authentication on Azure SQL Managed Instance
+<a name='enable-azure-ad-authentication-on-azure-sql-managed-instance'></a>
-Azure SQL Managed Instance supports creating a database with the specified system/user-assigned managed identity for your ADF directly. You need not join the specified system/user-assigned managed identity for your ADF to an Azure AD group nor create a contained user representing that group in Azure SQL Managed Instance.
+## Enable Microsoft Entra authentication on Azure SQL Managed Instance
-### Configure Azure AD authentication for Azure SQL Managed Instance
+Azure SQL Managed Instance supports creating a database with the specified system/user-assigned managed identity for your ADF directly. You need not join the specified system/user-assigned managed identity for your ADF to a Microsoft Entra group nor create a contained user representing that group in Azure SQL Managed Instance.
-Follow the steps in [Provision an Azure AD administrator for Azure SQL Managed Instance](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).
+<a name='configure-azure-ad-authentication-for-azure-sql-managed-instance'></a>
+
+### Configure Microsoft Entra authentication for Azure SQL Managed Instance
+
+Follow the steps in [Provision a Microsoft Entra administrator for Azure SQL Managed Instance](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).
### Add the specified system/user-assigned managed identity for your ADF or Azure Synapse as a user in Azure SQL Managed Instance
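Review bot: the `<a name='configure-azure-ad-authentication-for-azure-sql-managed-instance'>` anchor is required, not optional: how-to-use-sql-managed-instance-with-ir.md (further down in this change set) links to `enable-aad-authentication-azure-ssis-ir.md#configure-azure-ad-authentication-for-azure-sql-managed-instance`, so without the preserved anchor those links would land at the top of the page. Consider noting in the commit message which inbound fragments each anchor exists for, so they are not removed in a later cleanup.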
For this next step, you need [SSMS](/sql/ssms/download-sql-server-management-st
1. Start SSMS.
-2. Connect to Azure SQL Managed Instance using SQL Server account that is a **sysadmin**. This is a temporary limitation that will be removed once the support for Azure AD server principals (logins) on Azure SQL Managed Instance becomes generally available. You will see the following error if you try to use an Azure AD admin account to create the login: *Msg 15247, Level 16, State 1, Line 1 User does not have permission to perform this action*.
+2. Connect to Azure SQL Managed Instance using SQL Server account that is a **sysadmin**. This is a temporary limitation that will be removed once the support for Microsoft Entra server principals (logins) on Azure SQL Managed Instance becomes generally available. You will see the following error if you try to use a Microsoft Entra admin account to create the login: *Msg 15247, Level 16, State 1, Line 1 User does not have permission to perform this action*.
3. In the **Object Explorer**, expand the **Databases** -> **System Databases** folder.
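Review bot: step 2 states that connecting as a SQL Server sysadmin is "a temporary limitation that will be removed once the support for Microsoft Entra server principals (logins) on Azure SQL Managed Instance becomes generally available"; a rename pass is the right moment to verify whether that limitation still holds and either update the step or drop the caveat, because the sentence asserts a product state that ages. Minor: "using SQL Server account that is a **sysadmin**" needs the article, "using a SQL Server account that is a **sysadmin**".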
For this next step, you need [SSMS](/sql/ssms/download-sql-server-management-st
The command should complete successfully, granting the system/user-assigned managed identity for your ADF the ability to create a database (SSISDB).
-6. If your SSISDB was created using SQL authentication and you want to switch to use Azure AD authentication for your Azure-SSIS IR to access it, first make sure that the above steps to grant permissions to the **master** database have finished successfully. Then, right-click on the **SSISDB** database and select **New query**.
+6. If your SSISDB was created using SQL authentication and you want to switch to use Microsoft Entra authentication for your Azure-SSIS IR to access it, first make sure that the above steps to grant permissions to the **master** database have finished successfully. Then, right-click on the **SSISDB** database and select **New query**.
1. In the query window, enter the following T-SQL command, and select **Execute** on the toolbar.
For this next step, you need [SSMS](/sql/ssms/download-sql-server-management-st
## Provision Azure-SSIS IR in Azure portal/ADF app
-When you provision your Azure-SSIS IR in Azure portal/ADF app, on the **Deployment settings** page, select the **Create SSIS catalog (SSISDB) hosted by Azure SQL Database server/Managed Instance to store your projects/packages/environments/execution logs** check box and select either the **Use AAD authentication with the system managed identity for Data Factory** or **Use AAD authentication with a user-assigned managed identity for Data Factory** check box to choose Azure AD authentication method for Azure-SSIS IR to access your database server that hosts SSISDB.
+When you provision your Azure-SSIS IR in Azure portal/ADF app, on the **Deployment settings** page, select the **Create SSIS catalog (SSISDB) hosted by Azure SQL Database server/Managed Instance to store your projects/packages/environments/execution logs** check box and select either the **Use Microsoft Entra authentication with the system managed identity for Data Factory** or **Use Microsoft Entra authentication with a user-assigned managed identity for Data Factory** check box to choose Microsoft Entra authentication method for Azure-SSIS IR to access your database server that hosts SSISDB.
For more information, see [Create an Azure-SSIS IR in ADF](./create-azure-ssis-integration-runtime.md).
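Review bot: the bold strings "Use Microsoft Entra authentication with the system managed identity for Data Factory" and "Use Microsoft Entra authentication with a user-assigned managed identity for Data Factory" are presented as the exact check box labels on the Deployment settings page; confirm the portal/ADF app has actually been relabelled from "Use AAD authentication ...", otherwise the document will no longer match the UI it describes. Also add the article in "to choose the Microsoft Entra authentication method".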
To provision your Azure-SSIS IR with PowerShell, do the following things:
-Name $AzureSSISName ```
-## Run SSIS packages using Azure AD authentication with the specified system/user-assigned managed identity for your ADF
+<a name='run-ssis-packages-using-azure-ad-authentication-with-the-specified-systemuser-assigned-managed-identity-for-your-adf'></a>
+
+## Run SSIS packages using Microsoft Entra authentication with the specified system/user-assigned managed identity for your ADF
-When you run SSIS packages on Azure-SSIS IR, you can use Azure AD authentication with the specified system/user-assigned managed identity for your ADF to connect to various Azure resources. Currently we support Azure AD authentication with the specified system/user-assigned managed identity for your ADF on the following connection managers.
+When you run SSIS packages on Azure-SSIS IR, you can use Microsoft Entra authentication with the specified system/user-assigned managed identity for your ADF to connect to various Azure resources. Currently we support Microsoft Entra authentication with the specified system/user-assigned managed identity for your ADF on the following connection managers.
- [OLEDB Connection Manager](/sql/integration-services/connection-manager/ole-db-connection-manager#managed-identities-for-azure-resources-authentication)
data-factory Enable Customer Managed Key https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/enable-customer-managed-key.md
Azure Data Factory encrypts data at rest, including entity definitions and any data cached while runs are in progress. By default, data is encrypted with a randomly generated Microsoft-managed key that is uniquely assigned to your data factory. For extra security guarantees, you can now enable Bring Your Own Key (BYOK) with customer-managed keys feature in Azure Data Factory. When you specify a customer-managed key, Data Factory uses __both__ the factory system key and the CMK to encrypt customer data. Missing either would result in Deny of Access to data and factory.
-Azure Key Vault is required to store customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. Key vault and Data Factory must be in the same Azure Active Directory (Azure AD) tenant and in the same region, but they may be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../key-vault/general/overview.md)
+Azure Key Vault is required to store customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. Key vault and Data Factory must be in the same Microsoft Entra tenant and in the same region, but they may be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../key-vault/general/overview.md)
## About customer-managed keys
-The following diagram shows how Data Factory uses Azure Active Directory and Azure Key Vault to make requests using the customer-managed key:
+The following diagram shows how Data Factory uses Microsoft Entra ID and Azure Key Vault to make requests using the customer-managed key:
:::image type="content" source="media/enable-customer-managed-key/encryption-customer-managed-keys-diagram.png" alt-text="Diagram showing how customer-managed keys work in Azure Data Factory.":::
The following list explains the numbered steps in the diagram:
1. An Azure Key Vault admin grants permissions to encryption keys to the managed identity that's associated with the Data Factory 1. A Data Factory admin enables customer-managed key feature in the factory
-1. Data Factory uses the managed identity that's associated with the factory to authenticate access to Azure Key Vault via Azure Active Directory
+1. Data Factory uses the managed identity that's associated with the factory to authenticate access to Azure Key Vault via Microsoft Entra ID
1. Data Factory wraps the factory encryption key with the customer key in Azure Key Vault 1. For read/write operations, Data Factory sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations
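Review bot: the context paragraph at the top of this hunk says "Missing either would result in Deny of Access to data and factory"; since the same article is being edited, fix it to "denial of access", and consider stating plainly that revoking or deleting the customer-managed key makes the factory and its data unreadable, which is the operational consequence the sentence is trying to convey.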
If you are creating a new Azure Key Vault through Azure portal, __Soft Delete__
### Grant Data Factory access to Azure Key Vault
-Make sure Azure Key Vault and Azure Data Factory are in the same Azure Active Directory (Azure AD) tenant and in the _same region_. From Azure Key Vault access control, grant data factory following permissions: _Get_, _Unwrap Key_, and _Wrap Key_. These permissions are required to enable customer-managed keys in Data Factory.
+Make sure Azure Key Vault and Azure Data Factory are in the same Microsoft Entra tenant and in the _same region_. From Azure Key Vault access control, grant data factory following permissions: _Get_, _Unwrap Key_, and _Wrap Key_. These permissions are required to enable customer-managed keys in Data Factory.
* If you want to add customer managed key encryption [after factory creation in Data Factory UI](#post-factory-creation-in-data-factory-ui), ensure data factory's managed service identity (MSI) has the three permissions to Key Vault * If you want to add customer managed key encryption [during factory creation time in Azure portal](#during-factory-creation-in-azure-portal), ensure the user-assigned managed identity (UA-MI) has the three permissions to Key Vault
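Review bot: grammar in the added line: "grant data factory following permissions" should be "grant the data factory the following permissions". Since the paragraph lists exactly _Get_, _Unwrap Key_ and _Wrap Key_ and the bullets below refer to "the three permissions", it would help readers to say explicitly that no broader key permissions (such as delete or purge) are needed for the factory's identity; that keeps the grant at least privilege.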
data-factory How Does Managed Airflow Work https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-does-managed-airflow-work.md
The following steps set up and configure your Managed Airflow environment.
:::image type="content" source="media/how-does-managed-airflow-work/airflow-environment-details.png" alt-text="Screenshot that shows some Managed Airflow environment details."::: > [!IMPORTANT]
- > When using **Basic** authentication, remember the username and password specified in this screen. It will be needed to login later in the Managed Airflow UI. The default option is **Azure AD** and it does not require creating username/ password for your Airflow environment, but instead uses the logged in user's credential to Azure Data Factory to login/ monitor DAGs.
+ > When using **Basic** authentication, remember the username and password specified in this screen. It will be needed to login later in the Managed Airflow UI. The default option is **Microsoft Entra ID** and it does not require creating username/ password for your Airflow environment, but instead uses the logged in user's credential to Azure Data Factory to login/ monitor DAGs.
1. **Environment variables** a simple key value store within Airflow to store and retrieve arbitrary content or settings. 1. **Requirements** can be used to pre-install python libraries. You can update these later as well.
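Review bot: "The default option is **Microsoft Entra ID**" presents a UI option label, so confirm the Managed Airflow setup screen actually shows "Microsoft Entra ID" rather than "Azure AD" after this change. Two wording fixes while the line is open: "It will be needed to login later" should be "to log in later", and "the logged in user's credential" should be "the signed-in user's credentials".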
data-factory How To Invoke Ssis Package Azure Enabled Dtexec https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-invoke-ssis-package-azure-enabled-dtexec.md
The modern AzureDTExec utility comes with a SQL Server Management Studio (SSMS)
AzureDTExec runs your packages as Execute SSIS Package activities in Data Factory pipelines. For more information, see [Run SSIS packages as Azure Data Factory activities](./how-to-invoke-ssis-package-ssis-activity.md).
-AzureDTExec can be configured via SSMS to use an Azure Active Directory (Azure AD) application that generates pipelines in your data factory. It can also be configured to access file systems, file shares, or Azure Files where you store your packages. Based on the values you give for its invocation options, AzureDTExec generates and runs a unique Data Factory pipeline with an Execute SSIS Package activity in it. Invoking AzureDTExec with the same values for its options reruns the existing pipeline.
+AzureDTExec can be configured via SSMS to use a Microsoft Entra application that generates pipelines in your data factory. It can also be configured to access file systems, file shares, or Azure Files where you store your packages. Based on the values you give for its invocation options, AzureDTExec generates and runs a unique Data Factory pipeline with an Execute SSIS Package activity in it. Invoking AzureDTExec with the same values for its options reruns the existing pipeline.
## Prerequisites To use AzureDTExec, download and install the latest version of SSMS, which is version 18.3 or later. Download it from [this website](/sql/ssms/download-sql-server-management-studio-ssms).
This action opens a **AzureDTExecConfig** window that needs to be opened with ad
In the **AzureDTExecConfig** window, enter your configuration settings as follows: -- **ApplicationId**: Enter the unique identifier of the Azure AD app that you create with the right permissions to generate pipelines in your data factory. For more information, see [Create an Azure AD app and service principal via Azure portal](../active-directory/develop/howto-create-service-principal-portal.md).-- **AuthenticationKey**: Enter the authentication key for your Azure AD app.-- **TenantId**: Enter the unique identifier of the Azure AD tenant, under which your Azure AD app is created.
+- **ApplicationId**: Enter the unique identifier of the Microsoft Entra app that you create with the right permissions to generate pipelines in your data factory. For more information, see [Create a Microsoft Entra app and service principal via Azure portal](../active-directory/develop/howto-create-service-principal-portal.md).
+- **AuthenticationKey**: Enter the authentication key for your Microsoft Entra app.
+- **TenantId**: Enter the unique identifier of the Microsoft Entra tenant, under which your Microsoft Entra app is created.
- **DataFactory**: Enter the name of your data factory in which unique pipelines with Execute SSIS Package activity in them are generated based on the values of options provided when you invoke AzureDTExec. - **IRName**: Enter the name of the Azure-SSIS IR in your data factory, on which the packages specified in their Universal Naming Convention (UNC) path will run when you invoke AzureDTExec. - **PipelineNameHashStrLen**: Enter the length of hash strings to be generated from the values of options you provide when you invoke AzureDTExec. The strings are used to form unique names for Data Factory pipelines that run your packages on the Azure-SSIS IR. Usually a length of 32 characters is sufficient.
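Review bot: the **AuthenticationKey** bullet should say that this value is the Microsoft Entra application's client secret, so readers understand the AzureDTExecConfig settings contain a credential that must be protected like any other secret (restrict who can read the configuration, rotate the secret, and do not check the file into source control). Also remove the stray comma in "the Microsoft Entra tenant, under which your Microsoft Entra app is created".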
Invoking AzureDTExec offers similar options as invoking dtexec. For more informa
After unique pipelines with the Execute SSIS Package activity in them are generated and run when you invoke AzureDTExec, they can be monitored on the Data Factory portal. You can also assign Data Factory triggers to them if you want to orchestrate/schedule them using Data Factory. For more information, see [Run SSIS packages as Data Factory activities](./how-to-invoke-ssis-package-ssis-activity.md). > [!WARNING]
-> The generated pipeline is expected to be used only by AzureDTExec. Its properties or parameters might change in the future, so don't modify or reuse them for any other purposes. Modifications might break AzureDTExec. If this happens, delete the pipeline. AzureDTExec generates a new pipeline the next time it's invoked.
+> The generated pipeline is expected to be used only by AzureDTExec. Its properties or parameters might change in the future, so don't modify or reuse them for any other purposes. Modifications might break AzureDTExec. If this happens, delete the pipeline. AzureDTExec generates a new pipeline the next time it's invoked.
data-factory How To Invoke Ssis Package Ssis Activity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-invoke-ssis-package-ssis-activity.md
On the **Connection Managers** tab of Execute SSIS Package activity, complete th
For example, without modifying your original package on SSDT, you can convert its on-premises-to-on-premises data flows running on SQL Server into on-premises-to-cloud data flows running on SSIS IR in ADF by overriding the values of **ConnectByProxy**, **ConnectionString**, and **ConnectUsingManagedIdentity** properties in existing connection managers at run-time.
- These run-time overrides can enable Self-Hosted IR (SHIR) as a proxy for SSIS IR when accessing data on premises, see [Configuring SHIR as a proxy for SSIS IR](./self-hosted-integration-runtime-proxy-ssis.md), and Azure SQL Database/Managed Instance connections using the latest MSOLEDBSQL driver that in turn enables Azure Active Directory (AAD) authentication with ADF managed identity, see [Configuring AAD authentication with ADF managed identity for OLEDB connections](/sql/integration-services/connection-manager/ole-db-connection-manager#managed-identities-for-azure-resources-authentication).
+ These run-time overrides can enable Self-Hosted IR (SHIR) as a proxy for SSIS IR when accessing data on premises, see [Configuring SHIR as a proxy for SSIS IR](./self-hosted-integration-runtime-proxy-ssis.md), and Azure SQL Database/Managed Instance connections using the latest MSOLEDBSQL driver that in turn enables Microsoft Entra authentication with ADF managed identity, see [Configuring Microsoft Entra authentication with ADF managed identity for OLEDB connections](/sql/integration-services/connection-manager/ole-db-connection-manager#managed-identities-for-azure-resources-authentication).
:::image type="content" source="media/how-to-invoke-ssis-package-ssis-activity/ssis-activity-connection-managers2.png" alt-text="Set properties from SSDT on the Connection Managers tab":::
data-factory How To Schedule Azure Ssis Integration Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-schedule-azure-ssis-integration-runtime.md
In this section, you learn how to create Azure Automation runbook that runs a Po
If you don't have an Azure Automation account, create one by following the instructions in this section. For detailed steps, see [Create an Azure Automation account](../automation/quickstarts/create-azure-automation-account-portal.md).
-As part of this process, you create an **Azure Run As** account (a service principal in Azure Active Directory) and assign it a **Contributor** role in your Azure subscription. Ensure that it's the same subscription that contains your data factory with the Azure-SSIS IR. Azure Automation will use this account to authenticate to Azure Resource Manager and operate on your resources.
+As part of this process, you create an **Azure Run As** account (a service principal in Microsoft Entra ID) and assign it a **Contributor** role in your Azure subscription. Ensure that it's the same subscription that contains your data factory with the Azure-SSIS IR. Azure Automation will use this account to authenticate to Azure Resource Manager and operate on your resources.
1. Open the Microsoft Edge or Google Chrome web browser. Currently, the Data Factory UI is supported only in these browsers. 2. Sign in to the [Azure portal](https://portal.azure.com/).
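Review bot: the rewritten sentence still assigns the Run As service principal "a **Contributor** role in your Azure subscription" even though the only stated purpose is to start and stop the Azure-SSIS IR in one data factory; the text should at least point out that the role assignment can be scoped to the resource group or the data factory rather than the whole subscription. While revising this paragraph, also check whether creating an Azure Run As account is still the recommended approach for the automation account, or whether the article should direct readers to a managed identity as the other Data Factory articles in this change set do.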
As part of this process, you create an **Azure Run As** account (a service princ
2. For **Subscription**, select the subscription that has your data factory with the Azure-SSIS IR. 3. For **Resource group**, select **Create new** to create a new resource group, or select **Use existing** to use an existing one. 4. For **Location**, select a location for your Azure Automation account.
- 5. For **Create Azure Run As account**, select **Yes**. A service principal will be created in your Azure Active Directory instance and assigned a **Contributor** role in your Azure subscription.
+ 5. For **Create Azure Run As account**, select **Yes**. A service principal will be created in your Microsoft Entra instance and assigned a **Contributor** role in your Azure subscription.
6. Select **Pin to dashboard** to display the account permanently on the Azure dashboard. 7. Select **Create**.
data-factory How To Use Sql Managed Instance With Ir https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/how-to-use-sql-managed-instance-with-ir.md
You can now move your SQL Server Integration Services (SSIS) projects, packages,
### Prerequisites
-1. [Enable Azure Active Directory (Azure AD) on Azure SQL Managed Instance](enable-aad-authentication-azure-ssis-ir.md#configure-azure-ad-authentication-for-azure-sql-managed-instance), when choosing Azure Active Directory authentication.
+1. [Enable Microsoft Entra ID on Azure SQL Managed Instance](enable-aad-authentication-azure-ssis-ir.md#configure-azure-ad-authentication-for-azure-sql-managed-instance), when choosing Microsoft Entra authentication.
1. Choose how to connect SQL Managed Instance, over private endpoint or over public endpoint:
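Review bot: The new link text "Enable Microsoft Entra ID on Azure SQL Managed Instance" reads as enabling the product rather than the sign-in method; the target anchor is configure-azure-ad-authentication-for-azure-sql-managed-instance, so "Enable Microsoft Entra authentication on Azure SQL Managed Instance" matches both the target and the trailing phrase "when choosing Microsoft Entra authentication".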
You can now move your SQL Server Integration Services (SSIS) projects, packages,
:::image type="content" source="./media/how-to-use-sql-managed-instance-with-ir/catalog-public-endpoint.png" alt-text="Screenshot shows Integration runtime setup with Create S S I S catalog selected and Catalog database server endpoint entered.":::
-1. Select Azure AD authentication when applies.
+1. Select Microsoft Entra authentication when applies.
:::image type="content" source="./media/how-to-use-sql-managed-instance-with-ir/catalog-aad.png" alt-text="catalog-public-endpoint":::
- For more info about how to enable Azure AD authentication, see [Enable Azure AD on Azure SQL Managed Instance](enable-aad-authentication-azure-ssis-ir.md#configure-azure-ad-authentication-for-azure-sql-managed-instance).
+ For more info about how to enable Microsoft Entra authentication, see [Enable Microsoft Entra ID on Azure SQL Managed Instance](enable-aad-authentication-azure-ssis-ir.md#configure-azure-ad-authentication-for-azure-sql-managed-instance).
1. Join Azure-SSIS IR to the virtual network when applies.
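Review bot: "Select Microsoft Entra authentication when applies." is missing its subject; "when it applies" or "if applicable" (the unchanged "Join Azure-SSIS IR to the virtual network when applies." two lines later has the same defect). The image directive between the two changed lines still carries alt-text "catalog-public-endpoint", a file name rather than a description of the screenshot, and it is the wrong name for the Microsoft Entra screenshot at that point.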
data-factory Lab Data Flow Data Share https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/lab-data-flow-data-share.md
Once you have created a data share, you'll then switch hats and become the *data
> [!IMPORTANT] > Before running the script, you must set yourself as the Active Directory Admin for the SQL Server.
-1. Open a new tab and navigate to the Azure portal. Copy the script provided to create a user in the database that you want to share data from. Do this by logging into the EDW database using Query Explorer (preview) using Azure AD authentication.
+1. Open a new tab and navigate to the Azure portal. Copy the script provided to create a user in the database that you want to share data from. Do this by logging into the EDW database using Query Explorer (preview) using Microsoft Entra authentication.
You'll need to modify the script so that the user created is contained within brackets. Eg:
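Review bot: The IMPORTANT callout directly above the changed step still says "Active Directory Admin for the SQL Server" while the step now says "Microsoft Entra authentication"; the server setting is labelled Microsoft Entra admin, so rename it in the same commit. "Eg:" at the end of the hunk should be "For example:".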
You may be prompted to select a subscription. Make sure you select the subscript
1. Select **Query editor (preview)**
-1. Use Azure AD authentication to log on to Query editor.
+1. Use Microsoft Entra authentication to log on to Query editor.
1. Run the query provided in your data share (copied to clipboard in step 14).
You may be prompted to select a subscription. Make sure you select the subscript
1. Navigate back to the Data consumer's data share. Once the status of the trigger is successful, navigate to the destination SQL database and data lake to see that the data has landed in the respective stores.
-Congratulations, you have completed the lab!
+Congratulations, you have completed the lab!
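Review bot: The removed and added "Congratulations, you have completed the lab!" lines are identical as rendered, so this is a whitespace or line-ending change only; confirm it is an intentional trailing-newline fix rather than an editor side effect.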
data-factory Monitor Logs Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/monitor-logs-rest.md
https://management.azure.com/{resource-id}/providers/microsoft.insights/diagnost
* Replace `{api-version}` with `2016-09-01`. * Replace `{resource-id}` with the ID of the resource for which you want to edit diagnostic settings. For more information, see [Using resource groups to manage your Azure resources](../azure-resource-manager/management/manage-resource-groups-portal.md). * Set the `Content-Type` header to `application/json`.
-* Set the authorization header to the JSON web token that you got from Azure Active Directory (Azure AD). For more information, see [Authenticating requests](../active-directory/develop/authentication-vs-authorization.md).
+* Set the authorization header to the JSON web token that you got from Microsoft Entra ID. For more information, see [Authenticating requests](../active-directory/develop/authentication-vs-authorization.md).
#### Body
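Review bot: "Set the authorization header to the JSON web token" omits the scheme; Azure Resource Manager expects `Authorization: Bearer {token}`, and a bare token in the header is rejected with 401, so spell the header out. The same sentence is repeated in the second hunk of this file and should be fixed in both places.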
https://management.azure.com/{resource-id}/providers/microsoft.insights/diagnost
* Replace `{api-version}` with `2016-09-01`. * Replace `{resource-id}` with the ID of the resource for which you want to edit diagnostic settings. For more information, see [Using resource groups to manage your Azure resources](../azure-resource-manager/management/manage-resource-groups-portal.md). * Set the `Content-Type` header to `application/json`.
-* Set the authorization header to a JSON web token that you got from Azure AD. For more information, see [Authenticating requests](../active-directory/develop/authentication-vs-authorization.md).
+* Set the authorization header to a JSON web token that you got from Microsoft Entra ID. For more information, see [Authenticating requests](../active-directory/develop/authentication-vs-authorization.md).
#### Response
data-factory Password Change Airflow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/password-change-airflow.md
This article describes how to change the password for a Managed Airflow environm
## Updating the password
-We recommend using **Azure AD** authentication in Managed Airflow environments. However, if you choose to use **Basic** authentication, you can still update the Airflow password by editing the Airflow environment configuration and updating the username/password in the integration runtime settings, as shown here:
+We recommend using **Microsoft Entra ID** authentication in Managed Airflow environments. However, if you choose to use **Basic** authentication, you can still update the Airflow password by editing the Airflow environment configuration and updating the username/password in the integration runtime settings, as shown here:
:::image type="content" source="media/password-change-airflow/password-change-airflow.png" alt-text="Screenshot showing how to change an Airflow password in the integration runtime settings.":::
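Review bot: "**Microsoft Entra ID** authentication" in this sentence differs from the "Microsoft Entra authentication" form used in the other files of this patch; pick one form and apply it consistently.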
data-factory Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/policy-reference.md
Previously updated : 09/19/2023 Last updated : 10/10/2023 # Azure Policy built-in definitions for Data Factory
data-factory Quickstart Create Data Factory Dot Net https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/quickstart-create-data-factory-dot-net.md
This quickstart describes how to use .NET SDK to create an Azure Data Factory. T
The walkthrough in this article uses Visual Studio 2019. The procedures for Visual Studio 2013, 2015, or 2017 differ slightly.
-## Create an application in Azure Active Directory
+<a name='create-an-application-in-azure-active-directory'></a>
-From the sections in *How to: Use the portal to create an Azure AD application and service principal that can access resources*, follow the instructions to do these tasks:
+## Create an application in Microsoft Entra ID
-1. In [Create an Azure Active Directory application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal), create an application that represents the .NET application you're creating in this tutorial. For the sign-on URL, you can provide a dummy URL as shown in the article (`https://contoso.org/exampleapp`).
+From the sections in *How to: Use the portal to create a Microsoft Entra application and service principal that can access resources*, follow the instructions to do these tasks:
+
+1. In [Create a Microsoft Entra application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal), create an application that represents the .NET application you're creating in this tutorial. For the sign-on URL, you can provide a dummy URL as shown in the article (`https://contoso.org/exampleapp`).
2. In [Get values for signing in](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application), get the **application ID** and **tenant ID**, and note down these values that you use later in this tutorial. 3. In [Certificates and secrets](../active-directory/develop/howto-create-service-principal-portal.md#set-up-authentication), get the **authentication key**, and note down this value that you use later in this tutorial. 4. In [Assign the application to a role](../active-directory/develop/howto-create-service-principal-portal.md#assign-a-role-to-the-application), assign the application to the **Contributor** role at the subscription level so that the application can create data factories in the subscription.
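Review bot: Keeping the old heading anchor via `<a name='create-an-application-in-azure-active-directory'></a>` preserves inbound links, which is the right pattern. Step 3 in the unchanged context still calls the secret an "authentication key", while the Python quickstart in this same patch calls it the "client secret value"; align on "client secret" so readers recognize the portal label.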
data-factory Quickstart Create Data Factory Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/quickstart-create-data-factory-python.md
Pipelines can ingest data from disparate data stores. Pipelines process or trans
* [Azure Storage Explorer](https://storageexplorer.com/) (optional).
-* [An application in Azure Active Directory](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). Create the application by following the steps in this link, using Authentication Option 2 (application secret), and assign the application to the **Contributor** role by following instructions in the same article. Make note of the following values as shown in the article to use in later steps: **Application (client) ID, client secret value, and tenant ID.**
+* [An application in Microsoft Entra ID](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). Create the application by following the steps in this link, using Authentication Option 2 (application secret), and assign the application to the **Contributor** role by following instructions in the same article. Make note of the following values as shown in the article to use in later steps: **Application (client) ID, client secret value, and tenant ID.**
## Create and upload an input file
data-factory Quickstart Create Data Factory Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/quickstart-create-data-factory-rest-api.md
If you don't have an Azure subscription, create a [free](https://azure.microsoft
* **Azure Storage account**. You use the blob storage as **source** and **sink** data store. If you don't have an Azure storage account, see the [Create a storage account](../storage/common/storage-account-create.md) article for steps to create one. * Create a **blob container** in Blob Storage, create an input **folder** in the container, and upload some files to the folder. You can use tools such as [Azure Storage Explorer](https://azure.microsoft.com/features/storage-explorer/) to connect to Azure Blob storage, create a blob container, upload input file, and verify the output file. * Install **Azure PowerShell**. Follow the instructions in [How to install and configure Azure PowerShell](/powershell/azure/install-azure-powershell). This quickstart uses PowerShell to invoke REST API calls.
-* **Create an application in Azure Active Directory** following [this instruction](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). Make note of the following values that you use in later steps: **application ID**, **clientSecrets**, and **tenant ID**. Assign application to "**Contributor**" role at either subscription or resource group level.
+* **Create an application in Microsoft Entra ID** following [this instruction](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). Make note of the following values that you use in later steps: **application ID**, **clientSecrets**, and **tenant ID**. Assign application to "**Contributor**" role at either subscription or resource group level.
>[!NOTE] > For Sovereign clouds, you must use the appropriate cloud-specific endpoints for ActiveDirectoryAuthority and ResourceManagerUrl (BaseUri). > You can use PowerShell to easily get the endpoint Urls for various clouds by executing “Get-AzEnvironment | Format-List”, which will return a list of endpoints for each cloud environment.
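Review bot: "Assign application to "**Contributor**" role at either subscription or resource group level." drops its articles and should read "Assign the application to the Contributor role at either the subscription or the resource group level"; since both scopes are offered, it is worth saying that resource group scope is the narrower choice. "clientSecrets" is also not the name the portal shows; "client secret" matches the rest of the patch.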
If you don't have an Azure subscription, create a [free](https://azure.microsoft
$apiVersion = "2018-06-01" ```
-## Authenticate with Azure AD
+<a name='authenticate-with-azure-ad'></a>
-Run the following commands to authenticate with Azure Active Directory (AAD):
+## Authenticate with Microsoft Entra ID
+
+Run the following commands to authenticate with Microsoft Entra ID:
```powershell $credentials = Get-Credential -UserName $appId
data-factory Rest Apis For Airflow Integrated Runtime https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/rest-apis-for-airflow-integrated-runtime.md
This article documents the REST APIs for the Managed Airflow integrated runtime.
|airflowRequirements | Array\<string\> | Python libraries you wish to use. Example: ["flask-bcrypy=0.7.1"]. Can be a comma delimited list. | |airflowEnvironmentVariables | Object (Key/Value pair) | Environment variables you wish to use. Example: { “SAMPLE_ENV_NAME”: “test” } | |gitSyncProperties | gitSyncProperty | Git configuration properties |
- |enableAADIntegration | boolean | Allows Azure AD to login to Airflow |
+ |enableAADIntegration | boolean | Allows Microsoft Entra ID to login to Airflow |
|userName | string or null | Username for Basic Authentication | |password | string or null | Password for Basic Authentication |
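Review bot: "Allows Microsoft Entra ID to login to Airflow" reads as if the directory itself signs in; for the `enableAADIntegration` row say "Enables Microsoft Entra sign-in for Airflow" (the property name stays as-is because it is the API contract). In the unchanged rows just above, the airflowEnvironmentVariables example is written with typographic quotes, which are not valid JSON, and the airflowRequirements example "flask-bcrypy=0.7.1" should be "flask-bcrypt==0.7.1" if it is meant as a pip requirement.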
Sample Response:
```rest Status Code: 202
-```
+```
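Review bot: The removed and added closing fence lines are identical as rendered, so this is a whitespace-only change to the sample response block; fine if intentional, but worth calling out in the commit since nothing else in the 202 sample changed.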
data-factory Self Hosted Integration Runtime Proxy Ssis https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/self-hosted-integration-runtime-proxy-ssis.md
If you haven't already done so, create an Azure Blob Storage linked service in t
>If your data factory instance is Git-enabled, a linked service without key authentication will not be immediately published, which means you cannot save the integration runtime that depends on the linked service in your feature-branch. Authenticating with account key or SAS URI will immediately publish the linked service. >[!TIP]
->If you select the **Service Principal** method, grant your service principal at least a *Storage Blob Data Contributor* role. For more information, see [Azure Blob Storage connector](connector-azure-blob-storage.md#linked-service-properties). If you select the **Managed Identity**/**User-Assigned Managed Identity** method, grant the specified system/user-assigned managed identity for your ADF a proper role to access Azure Blob Storage. For more information, see [Access Azure Blob Storage using Azure Active Directory (Azure AD) authentication with the specified system/user-assigned managed identity for your ADF](/sql/integration-services/connection-manager/azure-storage-connection-manager#managed-identities-for-azure-resources-authentication).
+>If you select the **Service Principal** method, grant your service principal at least a *Storage Blob Data Contributor* role. For more information, see [Azure Blob Storage connector](connector-azure-blob-storage.md#linked-service-properties). If you select the **Managed Identity**/**User-Assigned Managed Identity** method, grant the specified system/user-assigned managed identity for your ADF a proper role to access Azure Blob Storage. For more information, see [Access Azure Blob Storage using Microsoft Entra authentication with the specified system/user-assigned managed identity for your ADF](/sql/integration-services/connection-manager/azure-storage-connection-manager#managed-identities-for-azure-resources-authentication).
:::image type="content" source="media/self-hosted-integration-runtime-proxy-ssis/shir-azure-blob-storage-linked-service.png" alt-text="Prepare the Azure Blob storage-linked service for staging":::
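Review bot: The managed identity branch of the TIP still says "grant ... a proper role" while the service principal branch names Storage Blob Data Contributor; name the same minimum role for the managed identity case so readers do not fall back to Contributor on the storage account.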
data-factory Source Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/source-control.md
The configuration pane shows the following Azure Repos code repository settings:
| Setting | Description | Value | |: |: |: | | **Repository Type** | The type of the Azure Repos code repository.<br/> | Azure DevOps Git or GitHub |
-| **Azure Active Directory** | Your Azure AD tenant name. | `<your tenant name>` |
+| **Microsoft Entra ID** | Your Microsoft Entra tenant name. | `<your tenant name>` |
| **Azure Repos Organization** | Your Azure Repos organization name. You can locate your Azure Repos organization name at `https://{organization name}.visualstudio.com`. You can [sign in to your Azure Repos organization](https://www.visualstudio.com/team-services/git/) to access your Visual Studio profile and see your repositories and projects. | `<your organization name>` | | **ProjectName** | Your Azure Repos project name. You can locate your Azure Repos project name at `https://{organization name}.visualstudio.com/{project name}`. | `<your Azure Repos project name>` | | **RepositoryName** | Your Azure Repos code repository name. Azure Repos projects contain Git repositories to manage your source code as your project grows. You can create a new repository or use an existing repository that's already in your project. | `<your Azure Repos code repository name>` |
You can update your publish branch and decide whether or not to disable the publ
:::image type="content" source="media/author-visually/repo-settings-3.png" alt-text="Screenshot showing a checkbox for disabling the publish button for Data Factory studio.":::
-### Use a different Azure Active Directory tenant
+<a name='use-a-different-azure-active-directory-tenant'></a>
-The Azure Repos Git repo can be in a different Azure Active Directory tenant. To specify a different Azure AD tenant, you have to have administrator permissions for the Azure subscription that you're using. For more info, see [change subscription administrator](../cost-management-billing/manage/add-change-subscription-administrator.md#to-assign-a-user-as-an-administrator)
+### Use a different Microsoft Entra tenant
+
+The Azure Repos Git repo can be in a different Microsoft Entra tenant. To specify a different Microsoft Entra tenant, you have to have administrator permissions for the Azure subscription that you're using. For more info, see [change subscription administrator](../cost-management-billing/manage/add-change-subscription-administrator.md#to-assign-a-user-as-an-administrator)
> [!IMPORTANT]
-> To connect to another Azure Active Directory, the user logged in must be a part of that active directory.
+> To connect to another Microsoft Entra ID, the user logged in must be a part of that active directory.
### Use your personal Microsoft account To use a personal Microsoft account for Git integration, you can link your personal Azure Repo to your organization's Active Directory.
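Review bot: "To connect to another Microsoft Entra ID, the user logged in must be a part of that active directory." should read "To connect to another Microsoft Entra tenant, the signed-in user must be a member of that tenant"; the product name is not countable, and the trailing "active directory" was missed by the rename. The unchanged sentence that follows ("link your personal Azure Repo to your organization's Active Directory") has the same leftover.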
-1. Add your personal Microsoft account to your organization's Active Directory as a guest. For more info, see [Add Azure Active Directory B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md).
+1. Add your personal Microsoft account to your organization's Active Directory as a guest. For more info, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md).
2. Log in to the Azure portal with your personal Microsoft account. Then switch to your organization's Active Directory.
To use a personal Microsoft account for Git integration, you can link your perso
After these configuration steps, your personal repo is available when you set up Git integration in the Data Factory UI.
-For more info about connecting Azure Repos to your organization's Active Directory, see [Connect your Azure DevOps organization to Azure Active Directory](/azure/devops/organizations/accounts/connect-organization-to-azure-ad).
+For more info about connecting Azure Repos to your organization's Active Directory, see [Connect your Azure DevOps organization to Microsoft Entra ID](/azure/devops/organizations/accounts/connect-organization-to-azure-ad).
## Author with GitHub integration
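Review bot: Step 1 still says "your organization's Active Directory" while its link text now says Microsoft Entra B2B; step 2 and the closing paragraph of the hunk repeat the same leftover, so the rename is only half applied in this section. "Log in" in step 2 and "logged in" in the callout above also differ from the "sign in" wording used elsewhere.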
data-factory Ssis Integration Runtime Management Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/ssis-integration-runtime-management-troubleshoot.md
You might see this issue when you're provisioning a new SSIS IR or while IR is r
* A network connection issue. Check whether the host name for SQL Database or SQL Managed Instance is accessible. Also verify that no firewall or network security group (NSG) is blocking SSIS IR access to the server. * Login failed during SQL authentication. The account provided can't sign in to the SQL Server database. Make sure you provide the correct user account.
-* Login failed during Microsoft Azure Active Directory (Azure AD)
- authentication (managed identity). Add the managed identity of your factory to an AAD group, and make sure the managed identity has access permissions to your catalog database server.
+* Login failed during Microsoft Entra ID
+ authentication (managed identity). Add the managed identity of your factory to a Microsoft Entra group, and make sure the managed identity has access permissions to your catalog database server.
* Connection timeout. This error is always caused by a security-related configuration. We recommend that you: 1. Create a new VM. 1. Join the VM to the same Microsoft Azure Virtual Network of IR if IR is in a virtual network.
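Review bot: The split bullet now reads "Login failed during Microsoft Entra ID authentication (managed identity)"; the rest of this patch uses "Microsoft Entra authentication". "make sure the managed identity has access permissions to your catalog database server" does not tell the reader what to create: say that the group must be the server's Microsoft Entra admin or must be mapped to a database user with the needed permissions.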
When you want to bring your own static public IP addresses, two public IP addres
### Resource tag not updated
-You can apply [tags](../azure-resource-manager/management/tag-resources.md) to your Azure resources to logically organize them into a taxonomy. While the SSIS IR is running, changes to SSIS IR parent data factory tags will not take effective until SSIS IR is restarted.
+You can apply [tags](../azure-resource-manager/management/tag-resources.md) to your Azure resources to logically organize them into a taxonomy. While the SSIS IR is running, changes to SSIS IR parent data factory tags will not take effective until SSIS IR is restarted.
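Review bot: Identical removed and added lines again, so this is whitespace-only; while touching the line, "will not take effective" should be "will not take effect".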
data-factory Ssis Integration Runtime Ssis Activity Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/ssis-integration-runtime-ssis-activity-faq.md
This error occurs when the SSIS integration runtime can't access the storage con
### Error message: "Microsoft OLE DB Provider for Analysis Services. 'Hresult: 0x80004005 Description:' COM error: COM error: mscorlib; Exception has been thrown by the target of an invocation "
-One potential cause is that the username or password with Azure AD Multi-Factor Authentication enabled is configured for Azure Analysis Services authentication. This authentication isn't supported in the SSIS integration runtime. Try to use a service principal for Azure Analysis Services authentication:
+One potential cause is that the username or password with Microsoft Entra multifactor authentication enabled is configured for Azure Analysis Services authentication. This authentication isn't supported in the SSIS integration runtime. Try to use a service principal for Azure Analysis Services authentication:
1. Prepare a service principal as described in [Automation with service principals](../analysis-services/analysis-services-service-principal.md). 2. In the Connection Manager, configure **Use a specific user name and password:** set **app:*&lt;AppID&gt;*@*&lt;TenantID&gt;*** as the username and clientSecret as the password. Here is an example of a correctly formatted user name:
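Review bot: "the username or password with Microsoft Entra multifactor authentication enabled" is awkward: it is the user account that has multifactor authentication enabled, not the password; suggest "a user account that has Microsoft Entra multifactor authentication enabled is configured for Azure Analysis Services authentication".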
data-factory Transform Data Using Data Lake Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/transform-data-using-data-lake-analytics.md
The following table provides descriptions for the generic properties used in the
| **resourceGroupName** | Azure resource group name | No | ### Service principal authentication
-The Azure Data Lake Analytics linked service requires a service principal authentication to connect to the Azure Data Lake Analytics service. To use service principal authentication, register an application entity in Azure Active Directory (Azure AD) and grant it the access to both the Data Lake Analytics and the Data Lake Store it uses. For detailed steps, see [Service-to-service authentication](../data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md). Make note of the following values, which you use to define the linked service:
+The Azure Data Lake Analytics linked service requires a service principal authentication to connect to the Azure Data Lake Analytics service. To use service principal authentication, register an application entity in Microsoft Entra ID and grant it the access to both the Data Lake Analytics and the Data Lake Store it uses. For detailed steps, see [Service-to-service authentication](../data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md). Make note of the following values, which you use to define the linked service:
* Application ID * Application key
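Review bot: "requires a service principal authentication" and "grant it the access to both" carry stray articles: "requires service principal authentication" and "grant it access to both". The bullet list that follows uses "Application key" for what the rest of this patch calls a client secret.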
data-factory Tutorial Control Flow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/tutorial-control-flow.md
If you don't have an Azure subscription, create a [free account](https://azure.m
For a list of Azure regions in which Data Factory is currently available, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/). The data stores and computes can be in other regions. The stores include Azure Storage and Azure SQL Database. The computes include HDInsight, which Data Factory uses.
-Create an application as described in [Create an Azure Active Directory application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). Assign the application to the **Contributor** role by following instructions in the same article. You'll need several values for later parts of this tutorial, such as **Application (client) ID** and **Directory (tenant) ID**.
+Create an application as described in [Create a Microsoft Entra application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal). Assign the application to the **Contributor** role by following instructions in the same article. You'll need several values for later parts of this tutorial, such as **Application (client) ID** and **Directory (tenant) ID**.
### Create a blob table
data-factory Tutorial Copy Data Dot Net https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/tutorial-copy-data-dot-net.md
If you don't have an Azure subscription, create a [free Azure account](https://a
* *Azure SQL Database*. You use the database as *sink* data store. If you don't have a database in Azure SQL Database, see the [Create a database in Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart). * *Visual Studio*. The walkthrough in this article uses Visual Studio 2019. * *[Azure SDK for .NET](/dotnet/azure/dotnet-tools)*.
-* *Azure Active Directory application*. If you don't have an Azure Active Directory application, see the [Create an Azure Active Directory application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) section of [How to: Use the portal to create an Azure AD application](../active-directory/develop/howto-create-service-principal-portal.md). Copy the following values for use in later steps: **Application (client) ID**, **authentication key**, and **Directory (tenant) ID**. Assign the application to the **Contributor** role by following the instructions in the same article.
+* *Microsoft Entra application*. If you don't have a Microsoft Entra application, see the [Create a Microsoft Entra application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) section of [How to: Use the portal to create a Microsoft Entra application](../active-directory/develop/howto-create-service-principal-portal.md). Copy the following values for use in later steps: **Application (client) ID**, **authentication key**, and **Directory (tenant) ID**. Assign the application to the **Contributor** role by following the instructions in the same article.
### Create a blob and a SQL table
data-factory Tutorial Deploy Ssis Packages Azure Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/tutorial-deploy-ssis-packages-azure-powershell.md
In this tutorial, you will:
- Add the IP address of the client machine, or a range of IP addresses that includes the IP address of the client machine, to the client IP address list in the firewall settings for the database server. For more information, see [Azure SQL Database server-level and database-level firewall rules](/azure/azure-sql/database/firewall-configure).
- - You can connect to the database server by using SQL authentication with your server admin credentials, or by using Azure AD authentication with the specified system/user-assigned managed identity for your data factory. For the latter, you need to add the specified system/user-assigned managed identity for your data factory into an Azure AD group with access permissions to the database server. For more information, see [Create an Azure-SSIS IR with Azure AD authentication](./create-azure-ssis-integration-runtime.md).
+ - You can connect to the database server by using SQL authentication with your server admin credentials, or by using Microsoft Entra authentication with the specified system/user-assigned managed identity for your data factory. For the latter, you need to add the specified system/user-assigned managed identity for your data factory into a Microsoft Entra group with access permissions to the database server. For more information, see [Create an Azure-SSIS IR with Microsoft Entra authentication](./create-azure-ssis-integration-runtime.md).
- Confirm that your database server does not have an SSISDB instance already. The provisioning of an Azure-SSIS IR does not support using an existing SSISDB instance.
data-factory Tutorial Deploy Ssis Packages Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/tutorial-deploy-ssis-packages-azure.md
In this tutorial, you complete the following steps:
- Add the IP address of the client machine, or a range of IP addresses that includes the IP address of the client machine, to the client IP address list in the firewall settings for the database server. For more information, see [Azure SQL Database server-level and database-level firewall rules](/azure/azure-sql/database/firewall-configure).
- - You can connect to the database server by using SQL authentication with your server admin credentials, or by using Azure Active Directory (Azure AD) authentication with the specified system/user-assigned managed identity for your data factory. For the latter, you need to add the specified system/user-assigned managed identity for your data factory into an Azure AD group with access permissions to the database server. For more information, see [Create an Azure-SSIS IR with Azure AD authentication](./create-azure-ssis-integration-runtime.md).
+ - You can connect to the database server by using SQL authentication with your server admin credentials, or by using Microsoft Entra authentication with the specified system/user-assigned managed identity for your data factory. For the latter, you need to add the specified system/user-assigned managed identity for your data factory into a Microsoft Entra group with access permissions to the database server. For more information, see [Create an Azure-SSIS IR with Microsoft Entra authentication](./create-azure-ssis-integration-runtime.md).
- Confirm that your database server doesn't have an SSISDB instance already. The provisioning of an Azure-SSIS IR doesn't support using an existing SSISDB instance.
If you select the check box, complete the following steps to bring your own data
If you select an Azure SQL Database server with IP firewall rules/virtual network service endpoints or a managed instance with private endpoint to host SSISDB, or if you require access to on-premises data without configuring a self-hosted IR, you need to join your Azure-SSIS IR to a virtual network. For more information, see [Create an Azure-SSIS IR in a virtual network](./create-azure-ssis-integration-runtime.md).
- 1. Select either the **Use AAD authentication with the system managed identity for Data Factory** or **Use AAD authentication with a user-assigned managed identity for Data Factory** check box to choose Azure AD authentication method for Azure-SSIS IR to access your database server that hosts SSISDB. Don't select any of the check boxes to choose SQL authentication method instead.
+ 1. Select either the **Use Microsoft Entra authentication with the system managed identity for Data Factory** or **Use Microsoft Entra authentication with a user-assigned managed identity for Data Factory** check box to choose Microsoft Entra authentication method for Azure-SSIS IR to access your database server that hosts SSISDB. Don't select any of the check boxes to choose SQL authentication method instead.
- If you select any of the check boxes, you'll need to add the specified system/user-assigned managed identity for your data factory into an Azure AD group with access permissions to your database server. If you select the **Use AAD authentication with a user-assigned managed identity for Data Factory** check box, you can then select any existing credentials created using your specified user-assigned managed identities or create new ones. For more information, see [Create an Azure-SSIS IR with Azure AD authentication](./create-azure-ssis-integration-runtime.md).
+ If you select any of the check boxes, you'll need to add the specified system/user-assigned managed identity for your data factory into a Microsoft Entra group with access permissions to your database server. If you select the **Use Microsoft Entra authentication with a user-assigned managed identity for Data Factory** check box, you can then select any existing credentials created using your specified user-assigned managed identities or create new ones. For more information, see [Create an Azure-SSIS IR with Microsoft Entra authentication](./create-azure-ssis-integration-runtime.md).
1. For **Admin Username**, enter the SQL authentication username for your database server that hosts SSISDB.
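Review bot: the bold strings in the `+` line are portal check-box labels ("Use Microsoft Entra authentication with the system managed identity for Data Factory" and the user-assigned variant); renaming quoted UI text only helps if the Data Factory Studio label has actually been changed, otherwise the reader searches for a check box that does not exist. Verify against the current UI before merging. While the sentence is being touched, "to choose Microsoft Entra authentication method" reads better as "to choose the Microsoft Entra authentication method", and "Don't select any of the check boxes to choose SQL authentication method instead" as "Leave both check boxes clear to use SQL authentication instead."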
See also the following SSIS documentation:
To learn about customizing your Azure-SSIS integration runtime, advance to the following article: > [!div class="nextstepaction"]
-> [Customize an Azure-SSIS IR](./how-to-configure-azure-ssis-ir-custom-setup.md)
+> [Customize an Azure-SSIS IR](./how-to-configure-azure-ssis-ir-custom-setup.md)
data-factory Tutorial Transform Data Spark Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/tutorial-transform-data-spark-portal.md
You author two linked services in this section:
e. For **Service principal id**, enter the ID of the service principal that has permission to create an HDInsight cluster.
- This service principal needs to be a member of the Contributor role of the subscription or the resource group in which the cluster is created. For more information, see [Create an Azure Active Directory application and service principal](../active-directory/develop/howto-create-service-principal-portal.md). The **Service principal id** is equivalent to the *Application ID*, and a **Service principal key** is equivalent to the value for a *Client secret*.
+ This service principal needs to be a member of the Contributor role of the subscription or the resource group in which the cluster is created. For more information, see [Create a Microsoft Entra application and service principal](../active-directory/develop/howto-create-service-principal-portal.md). The **Service principal id** is equivalent to the *Application ID*, and a **Service principal key** is equivalent to the value for a *Client secret*.
f. For **Service principal key**, enter the key.
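Review bot: the `+` line keeps "Contributor role of the subscription or the resource group"; since this tutorial only ever creates the on-demand HDInsight cluster in one resource group, the text should steer readers to the narrower resource-group scope it already allows rather than listing subscription scope first. The same sentence equates "Service principal key" with a client secret, so it is worth one clause reminding readers that this value is a credential and should not be pasted into a checked-in pipeline definition.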
To learn how to transform data by running a Hive script on an Azure HDInsight cl
> [!div class="nextstepaction"] > [Tutorial: Transform data using Hive in Azure Virtual Network](tutorial-transform-data-hive-virtual-network-portal.md).-----
data-factory Tutorial Transform Data Spark Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/tutorial-transform-data-spark-powershell.md
Update values for the following properties in the linked service definition:
- **hostSubscriptionId**. Replace &lt;subscriptionID&gt; with the ID of your Azure subscription. The on-demand HDInsight cluster is created in this subscription. - **tenant**. Replace &lt;tenantID&gt; with ID of your Azure tenant. -- **servicePrincipalId**, **servicePrincipalKey**. Replace &lt;servicePrincipalID&gt; and &lt;servicePrincipalKey&gt; with ID and key of your service principal in the Azure Active Directory. This service principal needs to be a member of the Contributor role of the subscription or the resource Group in which the cluster is created. See [create Azure Active Directory application and service principal](../active-directory/develop/howto-create-service-principal-portal.md) for details. The **Service principal id** is equivalent to the *Application ID* and a **Service principal key** is equivalent to the value for a *Client secret*.
+- **servicePrincipalId**, **servicePrincipalKey**. Replace &lt;servicePrincipalID&gt; and &lt;servicePrincipalKey&gt; with ID and key of your service principal in the Microsoft Entra ID. This service principal needs to be a member of the Contributor role of the subscription or the resource Group in which the cluster is created. See [create Microsoft Entra application and service principal](../active-directory/develop/howto-create-service-principal-portal.md) for details. The **Service principal id** is equivalent to the *Application ID* and a **Service principal key** is equivalent to the value for a *Client secret*.
- **clusterResourceGroup**. Replace &lt;resourceGroupOfHDICluster&gt; with the name of the resource group in which the HDInsight cluster needs to be created. > [!NOTE]
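Review bot: "with ID and key of your service principal in the Microsoft Entra ID" should drop the article ("in Microsoft Entra ID"), consistent with the other renamed lines on this page. Also, the removed line as rendered here runs the **hostSubscriptionId** and **tenant** bullets together with the **servicePrincipalId** bullet; confirm in the file that only the **servicePrincipalId** bullet was replaced and the two preceding bullets are unchanged context, not accidentally deleted.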
data-factory Update Machine Learning Models https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/update-machine-learning-models.md
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{reso
You can get values for place holders in the URL when querying the web service on the [Machine Learning Studio (classic) Web Services Portal](https://services.azureml.net/).
-The new type of update resource endpoint requires service principal authentication. To use service principal authentication, register an application entity in Azure Active Directory (Azure AD) and grant it the **Contributor** or **Owner** role of the subscription or the resource group where the web service belongs to. The See [how to create service principal and assign permissions to manage Azure resource](../active-directory/develop/howto-create-service-principal-portal.md). Make note of the following values, which you use to define the linked service:
+The new type of update resource endpoint requires service principal authentication. To use service principal authentication, register an application entity in Microsoft Entra ID and grant it the **Contributor** or **Owner** role of the subscription or the resource group where the web service belongs to. The See [how to create service principal and assign permissions to manage Azure resource](../active-directory/develop/howto-create-service-principal-portal.md). Make note of the following values, which you use to define the linked service:
- Application ID - Application key
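Review bot: the `+` line carries over the stray "The" in "The See [how to create service principal ...]"; since the line is being rewritten anyway, drop it, and change "the resource group where the web service belongs to" to "the resource group that contains the web service". Granting **Owner** is more than an update-resource call needs; suggest recommending **Contributor** on the resource group only.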
data-factory Data Factory Azure Datalake Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/v1/data-factory-azure-datalake-connector.md
A linked service links a data store to a data factory. You create a linked servi
| **resourceGroupName** | Azure resource group name to which the Data Lake Store account belongs. | Required for sink | ### Service principal authentication (recommended)
-To use service principal authentication, register an application entity in Azure Active Directory (Azure AD) and grant it the access to Data Lake Store. For detailed steps, see [Service-to-service authentication](../../data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md). Make note of the following values, which you use to define the linked service:
+To use service principal authentication, register an application entity in Microsoft Entra ID and grant it the access to Data Lake Store. For detailed steps, see [Service-to-service authentication](../../data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md). Make note of the following values, which you use to define the linked service:
* Application ID * Application key * Tenant ID
The following table shows the expiration times of different types of user accoun
| User type | Expires after | |: |: |
-| User accounts *not* managed by Azure Active Directory (for example, @hotmail.com or @live.com) |12 hours |
-| Users accounts managed by Azure Active Directory |14 days after the last slice run <br/><br/>90 days, if a slice based on an OAuth-based linked service runs at least once every 14 days |
+| User accounts *not* managed by Microsoft Entra ID (for example, @hotmail.com or @live.com) |12 hours |
+| Users accounts managed by Microsoft Entra ID |14 days after the last slice run <br/><br/>90 days, if a slice based on an OAuth-based linked service runs at least once every 14 days |
If you change your password before the token expiration time, the token expires immediately. You will see the message mentioned earlier in this section.
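Review bot: "Users accounts managed by Microsoft Entra ID" in the second `+` row preserves the typo from the removed row; it should read "User accounts", matching the first row. The same table in the compute linked services article further down this page already uses "User accounts that *are* managed", so align the wording across the three copies.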
In the following example, the pipeline contains a copy activity that is configur
In the copy activity definition, you can also map columns from the source dataset to columns in the sink dataset. For details, see [Mapping dataset columns in Azure Data Factory](data-factory-map-columns.md). ## Performance and tuning
-To learn about the factors that affect Copy Activity performance and how to optimize it, see the [Copy Activity performance and tuning guide](data-factory-copy-activity-performance.md) article.
+To learn about the factors that affect Copy Activity performance and how to optimize it, see the [Copy Activity performance and tuning guide](data-factory-copy-activity-performance.md) article.
data-factory Data Factory Azure Ml Update Resource Activity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/v1/data-factory-azure-ml-update-resource-activity.md
If the web service is the new type of web service that exposes an Azure Resource
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resource-group-name}/providers/Microsoft.MachineLearning/webServices/{web-service-name}?api-version=2016-05-01-preview. ```
-You can get values for place holders in the URL when querying the web service on the [ML Studio (classic) Web Services Portal](https://services.azureml.net/). The new type of update resource endpoint requires an AAD (Azure Active Directory) token. Specify **servicePrincipalId** and **servicePrincipalKey** in the Studio (classic) linked service. See [how to create service principal and assign permissions to manage Azure resource](../../active-directory/develop/howto-create-service-principal-portal.md). Here is a sample AzureML linked service definition:
+You can get values for place holders in the URL when querying the web service on the [ML Studio (classic) Web Services Portal](https://services.azureml.net/). The new type of update resource endpoint requires a Microsoft Entra token. Specify **servicePrincipalId** and **servicePrincipalKey** in the Studio (classic) linked service. See [how to create service principal and assign permissions to manage Azure resource](../../active-directory/develop/howto-create-service-principal-portal.md). Here is a sample AzureML linked service definition:
```json {
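Review bot: "place holders" in the `+` line should be "placeholders". The rename of "AAD token" to "Microsoft Entra token" is fine, but since the sentence points readers at **servicePrincipalKey**, add that this is the application's client secret so they know which value from the app registration to use.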
data-factory Data Factory Build Your First Pipeline Using Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/v1/data-factory-build-your-first-pipeline-using-rest-api.md
The pipeline in this tutorial has one activity: **HDInsight Hive activity**. Thi
* Read through [Tutorial Overview](data-factory-build-your-first-pipeline.md) article and complete the **prerequisite** steps. * Install [Curl](https://curl.haxx.se/dlwiz/) on your machine. You use the CURL tool with REST commands to create a data factory. * Follow instructions from [this article](../../active-directory/develop/howto-create-service-principal-portal.md) to:
- 1. Create a Web application named **ADFGetStartedApp** in Azure Active Directory.
+ 1. Create a Web application named **ADFGetStartedApp** in Microsoft Entra ID.
2. Get **client ID** and **secret key**. 3. Get **tenant ID**. 4. Assign the **ADFGetStartedApp** application to the **Data Factory Contributor** role.
$adf = "FirstDataFactoryREST"
```
-## Authenticate with AAD
+<a name='authenticate-with-aad'></a>
+
+## Authenticate with Microsoft Entra ID
```powershell $cmd = { .\curl.exe -X POST https://login.microsoftonline.com/$tenant/oauth2/token -F grant_type=client_credentials -F resource=https://management.core.windows.net/ -F client_id=$client_id -F client_secret=$client_secret };
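Review bot: the command under the renamed heading passes the client secret on the curl command line (`-F client_secret=$client_secret`), so it is visible to any other local user who can read the process list of curl.exe. The rename does not change this, but since the heading is being edited, add a sentence telling readers to treat $client_secret as a credential (set it from a secure prompt rather than a literal in the preceding step) and to clear it when done. The endpoint itself, https://login.microsoftonline.com/$tenant/oauth2/token, is unaffected by the rebrand and needs no change.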
data-factory Data Factory Compute Linked Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/v1/data-factory-compute-linked-services.md
The following table describes the generic properties that are used in the JSON d
For your Data Lake Analytics linked service, you can choose between authentication by using a service principal or a user credential. #### Service principal authentication (recommended)
-To use service principal authentication, register an application entity in Azure Active Directory (Azure AD). Then, grant Azure AD access to Data Lake Store. For detailed steps, see [Service-to-service authentication](../../data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md). Make note of the following values, which you use to define the linked service:
+To use service principal authentication, register an application entity in Microsoft Entra ID. Then, grant Microsoft Entra ID access to Data Lake Store. For detailed steps, see [Service-to-service authentication](../../data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md). Make note of the following values, which you use to define the linked service:
* Application ID * Application key * Tenant ID
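Review bot: "Then, grant Microsoft Entra ID access to Data Lake Store" is wrong in both the removed and the added line: what receives access to the Data Lake Store account is the registered application (its service principal), not the directory. Suggest "Then, grant that application access to Data Lake Store", which also matches the wording used by the Data Lake Store connector and U-SQL activity articles on this page ("grant it the access to Data Lake Store").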
The following table shows expirations by user account type:
| User type | Expires after | | : | : |
-| User accounts that are *not* managed by Azure AD (Hotmail, Live, and so on) | 12 hours. |
-| User accounts that *are* managed by Azure AD | 14 days after the last slice run. <br /><br />90 days, if a slice that's based on an OAuth-based linked service runs at least once every 14 days. |
+| User accounts that are *not* managed by Microsoft Entra ID (Hotmail, Live, and so on) | 12 hours. |
+| User accounts that *are* managed by Microsoft Entra ID | 14 days after the last slice run. <br /><br />90 days, if a slice that's based on an OAuth-based linked service runs at least once every 14 days. |
To avoid or resolve this error, reauthorize by selecting the **Authorize** button when the token expires. Then, redeploy the linked service. You can also generate values for the **sessionId** and **authorization** properties programmatically by using the following code:
You can create a SQL linked service and use it with the [Stored Procedure Activi
You can create an Azure Synapse Analytics linked service and use it with the [Stored Procedure Activity](data-factory-stored-proc-activity.md) to invoke a stored procedure from a Data Factory pipeline. For more information, see [Azure Synapse Analytics connector](data-factory-azure-sql-data-warehouse-connector.md#linked-service-properties). ## SQL Server linked service
-You can create a SQL Server linked service and use it with the [Stored Procedure Activity](data-factory-stored-proc-activity.md) to invoke a stored procedure from a Data Factory pipeline. For more information, see [SQL Server connector](data-factory-sqlserver-connector.md#linked-service-properties).
+You can create a SQL Server linked service and use it with the [Stored Procedure Activity](data-factory-stored-proc-activity.md) to invoke a stored procedure from a Data Factory pipeline. For more information, see [SQL Server connector](data-factory-sqlserver-connector.md#linked-service-properties).
data-factory Data Factory Copy Activity Tutorial Using Dotnet Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/v1/data-factory-copy-activity-tutorial-using-dotnet-api.md
A pipeline can have more than one activity. And, you can chain two activities (r
* Go through [Tutorial Overview and Pre-requisites](data-factory-copy-data-from-azure-blob-storage-to-sql-database.md) to get an overview of the tutorial and complete the **prerequisite** steps. * Visual Studio 2012 or 2013 or 2015 * Download and install [Azure .NET SDK](https://azure.microsoft.com/downloads/)
-* Azure PowerShell. Follow instructions in [How to install and configure Azure PowerShell](/powershell/azure/install-azure-powershell) article to install Azure PowerShell on your computer. You use Azure PowerShell to create an Azure Active Directory application.
+* Azure PowerShell. Follow instructions in [How to install and configure Azure PowerShell](/powershell/azure/install-azure-powershell) article to install Azure PowerShell on your computer. You use Azure PowerShell to create a Microsoft Entra application.
-### Create an application in Azure Active Directory
-Create an Azure Active Directory application, create a service principal for the application, and assign it to the **Data Factory Contributor** role.
+<a name='create-an-application-in-azure-active-directory'></a>
+
+### Create an application in Microsoft Entra ID
+Create a Microsoft Entra application, create a service principal for the application, and assign it to the **Data Factory Contributor** role.
1. Launch **PowerShell**. 2. Run the following command and enter the user name and password that you use to sign in to the Azure portal.
Create an Azure Active Directory application, create a service principal for the
If the resource group already exists, you specify whether to update it (Y) or keep it as (N). If you use a different resource group, you need to use the name of your resource group in place of ADFTutorialResourceGroup in this tutorial.
-6. Create an Azure Active Directory application.
+6. Create a Microsoft Entra application.
```powershell $azureAdApplication = New-AzADApplication -DisplayName "ADFCopyTutotiralApp" -HomePage "https://www.contoso.org" -IdentifierUris "https://www.adfcopytutorialapp.org/example" -Password "Pass@word1"
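Review bot: the step text was renamed but the command below it still hard-codes the application credential, `-Password "Pass@word1"`, and readers copy these lines verbatim; replace the literal with a generated value or a placeholder, and say explicitly that this password is the client secret used later as **<Password>** in App.config. The `-IdentifierUris "https://www.adfcopytutorialapp.org/example"` value also points at a domain the reader's tenant does not own; note that the identifier URI must be on a domain verified in the tenant (or use the api:// form).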
You should have following four values from these steps:
2. Click **Tools**, point to **NuGet Package Manager**, and click **Package Manager Console**. 3. In the **Package Manager Console**, do the following steps: 1. Run the following command to install Data Factory package: `Install-Package Microsoft.Azure.Management.DataFactories`
- 2. Run the following command to install Azure Active Directory package (you use Active Directory API in the code): `Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.19.208020213`
+ 2. Run the following command to install Microsoft Entra ID package (you use Active Directory API in the code): `Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.19.208020213`
4. Add the following **appSetttings** section to the **App.config** file. These settings are used by the helper method: **GetAuthorizationHeader**. Replace values for **&lt;Application ID&gt;**, **&lt;Password&gt;**, **&lt;Subscription ID&gt;**, and **&lt;tenant ID&gt;** with your own values.
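Review bot: the `+` line now says "install Microsoft Entra ID package" but the package it installs is `Microsoft.IdentityModel.Clients.ActiveDirectory` (ADAL), which is out of support since June 2023, and the parenthetical "you use Active Directory API in the code" still refers to that library. Renaming the bullet makes it misleading; either keep it as "the ADAL package" with a deprecation note pointing to Microsoft.Identity.Client (MSAL), or update the sample to MSAL. Also "appSetttings" in the following step should be "appSettings".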
data-factory Data Factory Copy Activity Tutorial Using Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/v1/data-factory-copy-activity-tutorial-using-rest-api.md
A pipeline can have more than one activity. And, you can chain two activities (r
* Go through [Tutorial Overview](data-factory-copy-data-from-azure-blob-storage-to-sql-database.md) and complete the **prerequisite** steps. * Install [Curl](https://curl.haxx.se/dlwiz/) on your machine. You use the Curl tool with REST commands to create a data factory. * Follow instructions from [this article](../../active-directory/develop/howto-create-service-principal-portal.md) to:
- 1. Create a Web application named **ADFCopyTutorialApp** in Azure Active Directory.
+ 1. Create a Web application named **ADFCopyTutorialApp** in Microsoft Entra ID.
2. Get **client ID** and **secret key**. 3. Get **tenant ID**. 4. Assign the **ADFCopyTutorialApp** application to the **Data Factory Contributor** role.
Run the following command after updating the name of the data factory you are us
$adf = "ADFCopyTutorialDF" ```
-## Authenticate with AAD
-Run the following command to authenticate with Azure Active Directory (AAD):
+<a name='authenticate-with-aad'></a>
+
+## Authenticate with Microsoft Entra ID
+Run the following command to authenticate with Microsoft Entra ID:
```PowerShell $cmd = { .\curl.exe -X POST https://login.microsoftonline.com/$tenant/oauth2/token -F grant_type=client_credentials -F resource=https://management.core.windows.net/ -F client_id=$client_id -F client_secret=$client_secret };
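Review bot: same command as in the first-pipeline REST API tutorial above: the client secret is passed on the curl command line and is readable from the process list of curl.exe; add the same caution here so the two tutorials stay consistent.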
data-factory Data Factory Create Data Factories Programmatically https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/v1/data-factory-create-data-factories-programmatically.md
You can create, monitor, and manage Azure data factories programmatically using
* Visual Studio 2012 or 2013 or 2015 * Download and install [Azure .NET SDK](https://azure.microsoft.com/downloads/).
-* Azure PowerShell. Follow instructions in [How to install and configure Azure PowerShell](/powershell/azure/) article to install Azure PowerShell on your computer. You use Azure PowerShell to create an Azure Active Directory application.
+* Azure PowerShell. Follow instructions in [How to install and configure Azure PowerShell](/powershell/azure/) article to install Azure PowerShell on your computer. You use Azure PowerShell to create a Microsoft Entra application.
-### Create an application in Azure Active Directory
-Create an Azure Active Directory application, create a service principal for the application, and assign it to the **Data Factory Contributor** role.
+<a name='create-an-application-in-azure-active-directory'></a>
+
+### Create an application in Microsoft Entra ID
+Create a Microsoft Entra application, create a service principal for the application, and assign it to the **Data Factory Contributor** role.
1. Launch **PowerShell**. 2. Run the following command and enter the user name and password that you use to sign in to the Azure portal.
Create an Azure Active Directory application, create a service principal for the
If the resource group already exists, you specify whether to update it (Y) or keep it as (N). If you use a different resource group, you need to use the name of your resource group in place of ADFTutorialResourceGroup in this tutorial.
-6. Create an Azure Active Directory application.
+6. Create a Microsoft Entra application.
```powershell $azureAdApplication = New-AzADApplication -DisplayName "ADFDotNetWalkthroughApp" -HomePage "https://www.contoso.org" -IdentifierUris "https://www.adfdotnetwalkthroughapp.org/example" -Password "Pass@word1"
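Review bot: same issue as in the copy-activity .NET tutorial above: the renamed step still hard-codes `-Password "Pass@word1"` as the application credential and uses an identifier URI on a domain the reader's tenant does not own. Apply the same fix in both places.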
The Copy Activity performs the data movement in Azure Data Factory. The activity
2. Click **Tools**, point to **NuGet Package Manager**, and click **Package Manager Console**. 3. In the **Package Manager Console**, do the following steps: 1. Run the following command to install Data Factory package: `Install-Package Microsoft.Azure.Management.DataFactories`
- 2. Run the following command to install Azure Active Directory package (you use Active Directory API in the code): `Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.19.208020213`
+ 2. Run the following command to install Microsoft Entra ID package (you use Active Directory API in the code): `Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.19.208020213`
4. Replace the contents of **App.config** file in the project with the following content: ```xml
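Review bot: as in the copy-activity tutorial, calling `Microsoft.IdentityModel.Clients.ActiveDirectory` the "Microsoft Entra ID package" is misleading; it is ADAL, out of support since June 2023. Keep the library's own name and add the deprecation note.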
data-factory Data Factory Json Scripting Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/v1/data-factory-json-scripting-reference.md
To define an OData linked service, set the **type** of the linked service to **O
| Property | Description | Required | | | | | | url |Url of the OData service. |Yes |
-| authenticationType |Type of authentication used to connect to the OData source. <br/><br/> For cloud OData, possible values are Anonymous, Basic, and OAuth (note Azure Data Factory currently only support Azure Active Directory based OAuth). <br/><br/> For on-premises OData, possible values are Anonymous, Basic, and Windows. |Yes |
+| authenticationType |Type of authentication used to connect to the OData source. <br/><br/> For cloud OData, possible values are Anonymous, Basic, and OAuth (note Azure Data Factory currently only support Microsoft Entra ID based OAuth). <br/><br/> For on-premises OData, possible values are Anonymous, Basic, and Windows. |Yes |
| username |Specify user name if you are using Basic authentication. |Yes (only if you are using Basic authentication) | | password |Specify password for the user account you specified for the username. |Yes (only if you are using Basic authentication) | | authorizedCredential |If you are using OAuth, click **Authorize** button in the Data Factory Copy Wizard or Editor and enter your credential, then the value of this property will be auto-generated. |Yes (only if you are using OAuth authentication) |
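Review bot: the parenthetical in the `+` cell should read "note that Azure Data Factory currently supports only Microsoft Entra ID-based OAuth" (verb agreement and hyphenation). The same sentence appears in the OData connector article on this page and should be fixed identically.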
data-factory Data Factory Odata Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/v1/data-factory-odata-connector.md
This OData connector support OData version 3.0 and 4.0, and you can copy data fr
Below authentication types are supported:
-* To access **cloud** OData feed, you can use anonymous, basic (user name and password), or Azure Active Directory based OAuth authentication.
+* To access **cloud** OData feed, you can use anonymous, basic (user name and password), or Microsoft Entra ID based OAuth authentication.
* To access **on-premises** OData feed, you can use anonymous, basic (user name and password), or Windows authentication. ## Getting started
The following table provides description for JSON elements specific to OData lin
| | | | | type |The type property must be set to: **OData** |Yes | | url |Url of the OData service. |Yes |
-| authenticationType |Type of authentication used to connect to the OData source. <br/><br/> For cloud OData, possible values are Anonymous, Basic, and OAuth (note Azure Data Factory currently only support Azure Active Directory based OAuth). <br/><br/> For on-premises OData, possible values are Anonymous, Basic, and Windows. |Yes |
+| authenticationType |Type of authentication used to connect to the OData source. <br/><br/> For cloud OData, possible values are Anonymous, Basic, and OAuth (note Azure Data Factory currently only support Microsoft Entra ID based OAuth). <br/><br/> For on-premises OData, possible values are Anonymous, Basic, and Windows. |Yes |
| username |Specify user name if you are using Basic authentication. |Yes (only if you are using Basic authentication) | | password |Specify password for the user account you specified for the username. |Yes (only if you are using Basic authentication) | | authorizedCredential |If you are using OAuth, click **Authorize** button in the Data Factory Copy Wizard or Editor and enter your credential, then the value of this property will be auto-generated. |Yes (only if you are using OAuth authentication) |
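Review bot: same grammar fix as in the JSON scripting reference above: "currently supports only Microsoft Entra ID-based OAuth".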
data-factory Data Factory Usql Activity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-factory/v1/data-factory-usql-activity.md
The following table provides descriptions for the generic properties used in the
| **resourceGroupName** |Azure resource group name |No (If not specified, resource group of the data factory is used). | ### Service principal authentication (recommended)
-To use service principal authentication, register an application entity in Azure Active Directory (Azure AD) and grant it the access to Data Lake Store. For detailed steps, see [Service-to-service authentication](../../data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md). Make note of the following values, which you use to define the linked service:
+To use service principal authentication, register an application entity in Microsoft Entra ID and grant it the access to Data Lake Store. For detailed steps, see [Service-to-service authentication](../../data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md). Make note of the following values, which you use to define the linked service:
* Application ID * Application key * Tenant ID
The authorization code you generated by using the **Authorize** button expires a
| User type | Expires after | |: |: |
-| User accounts NOT managed by Azure Active Directory (@hotmail.com, @live.com, etc.) |12 hours |
-| Users accounts managed by Azure Active Directory (AAD) |14 days after the last slice run. <br/><br/>90 days, if a slice based on OAuth-based linked service runs at least once every 14 days. |
+| User accounts NOT managed by Microsoft Entra ID (@hotmail.com, @live.com, etc.) |12 hours |
+| Users accounts managed by Microsoft Entra ID |14 days after the last slice run. <br/><br/>90 days, if a slice based on OAuth-based linked service runs at least once every 14 days. |
To avoid/resolve this error, reauthorize using the **Authorize** button when the **token expires** and redeploy the linked service. You can also generate values for **sessionId** and **authorization** properties programmatically using code as follows:
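Review bot: "Users accounts managed by Microsoft Entra ID" in the second `+` row keeps the typo from the removed row; it should be "User accounts". The first row uses "NOT" in capitals where the other two copies of this table on the page use italics (*not*); pick one style for all three.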
It is possible to use dynamic parameters instead. For example:
} ```
-In this case, input files are still picked up from the /datalake/input folder and output files are generated in the /datalake/output folder. The file names are dynamic based on the slice start time.
+In this case, input files are still picked up from the /datalake/input folder and output files are generated in the /datalake/output folder. The file names are dynamic based on the slice start time.
data-lake-analytics Data Lake Analytics Cicd Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-analytics/data-lake-analytics-cicd-overview.md
Take the following steps to set up a database deployment task in Azure Pipelines
|Account|Specifies which Azure Data Lake Analytics account to deploy to by account name.|null|true| |ResourceGroup|The Azure resource group name for the Azure Data Lake Analytics account.|null|true| |SubscriptionId|The Azure subscription ID for the Azure Data Lake Analytics account.|null|true|
-|Tenant|The tenant name is the Azure Active Directory (Azure AD) domain name. Find it in the subscription management page in the Azure portal.|null|true|
+|Tenant|The tenant name is the Microsoft Entra domain name. Find it in the subscription management page in the Azure portal.|null|true|
|AzureSDKPath|The path to search dependent assemblies in the Azure SDK.|null|true| |Interactive|Whether or not to use interactive mode for authentication.|false|false|
-|ClientId|The Azure AD application ID required for non-interactive authentication.|null|Required for non-interactive authentication.|
+|ClientId|The Microsoft Entra application ID required for non-interactive authentication.|null|Required for non-interactive authentication.|
|Secret|The secret or password for non-interactive authentication. It should be used only in a trusted and secure environment.|null|Required for non-interactive authentication, or else use SecreteFile.| |SecretFile|The file saves the secret or password for non-interactive authentication. Make sure to keep it readable only by the current user.|null|Required for non-interactive authentication, or else use Secret.| |CertFile|The file saves X.509 certification for non-interactive authentication. The default is to use client secret authentication.|null|false|
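Review bot: typo in the unchanged context directly below the ClientId hunk: the Secret row's Required column says "or else use SecreteFile", which should be "SecretFile" to match the parameter name in the following row. While this table is being edited, the Secret row's note that the value "should be used only in a trusted and secure environment" would be more useful if it pointed readers to the CertFile row, which the table already lists as the alternative to client-secret authentication and which avoids placing a plaintext secret in the pipeline definition.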
data-lake-analytics Data Lake Analytics Manage Use Java Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-analytics/data-lake-analytics-manage-use-java-sdk.md
This article describes how to manage Azure Data Lake Analytics accounts, data so
* **Java Development Kit (JDK) 8** (using Java version 1.8). * **IntelliJ** or another suitable Java development environment. The instructions in this document use IntelliJ.
-* Create an Azure Active Directory (Azure AD) application and retrieve its **Client ID**, **Tenant ID**, and **Key**. For more information about Azure AD applications and instructions on how to get a client ID, see [Create Active Directory application and service principal using portal](../active-directory/develop/howto-create-service-principal-portal.md). The Reply URI and Key is available from the portal once you have the application created and key generated.
+* Create a Microsoft Entra application and retrieve its **Client ID**, **Tenant ID**, and **Key**. For more information about Microsoft Entra applications and instructions on how to get a client ID, see [Create Active Directory application and service principal using portal](../active-directory/develop/howto-create-service-principal-portal.md). The Reply URI and Key is available from the portal once you have the application created and key generated.
-## Authenticating using Azure Active Directory
+<a name='authenticating-using-azure-active-directory'></a>
+
+## Authenticating using Microsoft Entra ID
The code following snippet provides code for **non-interactive** authentication, where the application provides its own credentials.
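Review bot: the rewritten prerequisite bullet keeps "The Reply URI and Key is available"; with two subjects it should be "are available". The link text "Create Active Directory application and service principal using portal" was left with the old product name while the surrounding sentence was renamed, so it should be updated together with the rest of the line. In the context line below the new heading, "The code following snippet" should be "The following code snippet".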
data-lake-analytics Data Lake Analytics Manage Use Nodejs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-analytics/data-lake-analytics-manage-use-nodejs.md
The following versions are supported:
npm install @azure/arm-datalake-analytics ```
-## Authenticate using Azure Active Directory
+<a name='authenticate-using-azure-active-directory'></a>
+
+## Authenticate using Microsoft Entra ID
```javascript const { DefaultAzureCredential } = require("@azure/identity");
data-lake-analytics Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-analytics/policy-reference.md
Title: Built-in policy definitions for Azure Data Lake Analytics description: Lists Azure Policy built-in policy definitions for Azure Data Lake Analytics. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
data-lake-store Data Lake Store Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-access-control.md
Every file and folder has distinct permissions for these identities:
* Named groups * All other users
-The identities of users and groups are Azure Active Directory (Azure AD) identities. So unless otherwise noted, a "user," in the context of Data Lake Storage Gen1, can either mean an Azure AD user or an Azure AD security group.
+The identities of users and groups are Microsoft Entra identities. So unless otherwise noted, a "user," in the context of Data Lake Storage Gen1, can either mean a Microsoft Entra user or a Microsoft Entra security group.
### The super-user
The owning user can change the permissions of the file to give themselves any RW
### When I look at ACLs in the Azure portal I see user names but through APIs, I see GUIDs, why is that?
-Entries in the ACLs are stored as GUIDs that correspond to users in Azure AD. The APIs return the GUIDs as is. The Azure portal tries to make ACLs easier to use by translating the GUIDs into friendly names when possible.
+Entries in the ACLs are stored as GUIDs that correspond to users in Microsoft Entra ID. The APIs return the GUIDs as is. The Azure portal tries to make ACLs easier to use by translating the GUIDs into friendly names when possible.
### Why do I sometimes see GUIDs in the ACLs when I'm using the Azure portal?
-A GUID is shown when the user doesn't exist in Azure AD anymore. Usually this happens when the user has left the company or if their account has been deleted in Azure AD. Also, ensure that you're using the right ID for setting ACLs (details in question below).
+A GUID is shown when the user doesn't exist in Microsoft Entra anymore. Usually this happens when the user has left the company or if their account has been deleted in Microsoft Entra ID. Also, ensure that you're using the right ID for setting ACLs (details in question below).
### When using service principal, what ID should I use to set ACLs?
-On the Azure Portal, go to **Azure Active Directory -> Enterprise applications** and select your application. The **Overview** tab should display an Object ID and this is what should be used when adding ACLs for data access (and not Application Id).
+On the Azure Portal, go to **Microsoft Entra ID -> Enterprise applications** and select your application. The **Overview** tab should display an Object ID and this is what should be used when adding ACLs for data access (and not Application Id).
### Does Data Lake Storage Gen1 support inheritance of ACLs?
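Review bot: inconsistent product naming inside one sentence of the GUID answer: the + line says "doesn't exist in Microsoft Entra anymore" and then "deleted in Microsoft Entra ID"; use "Microsoft Entra ID" in both places. In the service-principal answer, "Azure Portal" should be "Azure portal" as elsewhere in this file, and "Application Id" should be "Application ID" to match "Object ID" in the same sentence, since the whole point of that answer is that the two identifiers are different.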
data-lake-store Data Lake Store Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-best-practices.md
In this article, you learn about best practices and considerations for working w
## Security considerations
-Azure Data Lake Storage Gen1 offers POSIX access controls and detailed auditing for Azure Active Directory (Azure AD) users, groups, and service principals. These access controls can be set to existing files and folders. The access controls can also be used to create defaults that can be applied to new files or folders. When permissions are set to existing folders and child objects, the permissions need to be propagated recursively on each object. If there are large number of files, propagating the permissions can take a long time. The time taken can range between 30-50 objects processed per second. Hence, plan the folder structure and user groups appropriately. Otherwise, it can cause unanticipated delays and issues when you work with your data.
+Azure Data Lake Storage Gen1 offers POSIX access controls and detailed auditing for Microsoft Entra users, groups, and service principals. These access controls can be set to existing files and folders. The access controls can also be used to create defaults that can be applied to new files or folders. When permissions are set to existing folders and child objects, the permissions need to be propagated recursively on each object. If there are large number of files, propagating the permissions can take a long time. The time taken can range between 30-50 objects processed per second. Hence, plan the folder structure and user groups appropriately. Otherwise, it can cause unanticipated delays and issues when you work with your data.
Assume you have a folder with 100,000 child objects. If you take the lower bound of 30 objects processed per second, to update the permission for the whole folder could take an hour. More details on Data Lake Storage Gen1 ACLs are available at [Access control in Azure Data Lake Storage Gen1](data-lake-store-access-control.md). For improved performance on assigning ACLs recursively, you can use the Azure Data Lake Command-Line Tool. The tool creates multiple threads and recursive navigation logic to quickly apply ACLs to millions of files. The tool is available for Linux and Windows, and the [documentation](https://github.com/Azure/data-lake-adlstool) and [downloads](https://aka.ms/adlstool-download) for this tool can be found on GitHub. These same performance improvements can be enabled by your own tools written with the Data Lake Storage Gen1 [.NET](data-lake-store-data-operations-net-sdk.md) and [Java](data-lake-store-get-started-java-sdk.md) SDKs. ### Use security groups versus individual users
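Review bot: grammar in the rewritten security paragraph: "If there are large number of files" should be "If there is a large number of files", and "The time taken can range between 30-50 objects processed per second" mixes a duration with a rate; "Throughput is roughly 30-50 objects per second" states the figure the worked example in the next paragraph (100,000 objects at 30 per second, about an hour) actually depends on.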
-When working with big data in Data Lake Storage Gen1, most likely a service principal is used to allow services such as Azure HDInsight to work with the data. However, there might be cases where individual users need access to the data as well. In such cases, you must use Azure Active Directory [security groups](data-lake-store-secure-data.md#create-security-groups-in-azure-active-directory) instead of assigning individual users to folders and files.
+When working with big data in Data Lake Storage Gen1, most likely a service principal is used to allow services such as Azure HDInsight to work with the data. However, there might be cases where individual users need access to the data as well. In such cases, you must use Microsoft Entra ID [security groups](data-lake-store-secure-data.md#create-security-groups-in-azure-active-directory) instead of assigning individual users to folders and files.
Once a security group is assigned permissions, adding or removing users from the group doesnΓÇÖt require any updates to Data Lake Storage Gen1. This also helps ensure you don't exceed the limit of [32 Access and Default ACLs](../azure-resource-manager/management/azure-subscription-service-limits.md#data-lake-storage-limits) (this includes the four POSIX-style ACLs that are always associated with every file and folder: [the owning user](data-lake-store-access-control.md#the-owning-user), [the owning group](data-lake-store-access-control.md#the-owning-group), [the mask](data-lake-store-access-control.md#the-mask), and other). ### Security for groups
-As discussed, when users need access to Data Lake Storage Gen1, itΓÇÖs best to use Azure Active Directory security groups. Some recommended groups to start with might be **ReadOnlyUsers**, **WriteAccessUsers**, and **FullAccessUsers** for the root of the account, and even separate ones for key subfolders. If there are any other anticipated groups of users that might be added later, but have not been identified yet, you might consider creating dummy security groups that have access to certain folders. Using security group ensures that later you do not need a long processing time for assigning new permissions to thousands of files.
+As discussed, when users need access to Data Lake Storage Gen1, itΓÇÖs best to use Microsoft Entra security groups. Some recommended groups to start with might be **ReadOnlyUsers**, **WriteAccessUsers**, and **FullAccessUsers** for the root of the account, and even separate ones for key subfolders. If there are any other anticipated groups of users that might be added later, but have not been identified yet, you might consider creating dummy security groups that have access to certain folders. Using security group ensures that later you do not need a long processing time for assigning new permissions to thousands of files.
### Security for service principals
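Review bot: the + line for "Security for groups" shows a mis-encoded apostrophe ("itΓÇÖs"); the same corruption appears in the unchanged context above ("doesnΓÇÖt"), so confirm the committed file uses a plain apostrophe (or a correctly encoded U+2019) rather than fixing a single instance. Also, "Using security group ensures" should be "Using security groups ensures".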
-Azure Active Directory service principals are typically used by services like Azure HDInsight to access data in Data Lake Storage Gen1. Depending on the access requirements across multiple workloads, there might be some considerations to ensure security inside and outside of the organization. For many customers, a single Azure Active Directory service principal might be adequate, and it can have full permissions at the root of the Data Lake Storage Gen1 account. Other customers might require multiple clusters with different service principals where one cluster has full access to the data, and another cluster with only read access. As with the security groups, you might consider making a service principal for each anticipated scenario (read, write, full) once a Data Lake Storage Gen1 account is created.
+Microsoft Entra service principals are typically used by services like Azure HDInsight to access data in Data Lake Storage Gen1. Depending on the access requirements across multiple workloads, there might be some considerations to ensure security inside and outside of the organization. For many customers, a single Microsoft Entra service principal might be adequate, and it can have full permissions at the root of the Data Lake Storage Gen1 account. Other customers might require multiple clusters with different service principals where one cluster has full access to the data, and another cluster with only read access. As with the security groups, you might consider making a service principal for each anticipated scenario (read, write, full) once a Data Lake Storage Gen1 account is created.
### Enable the Data Lake Storage Gen1 firewall with Azure service access
data-lake-store Data Lake Store Comparison With Blob Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-comparison-with-blob-storage.md
The table in this article summarizes the differences between Azure Data Lake Sto
| API |REST API over HTTPS |REST API over HTTP/HTTPS | | Server-side API |[WebHDFS-compatible REST API](/rest/api/datalakestore/) |[Azure Blob Storage REST API](/rest/api/storageservices/Blob-Service-REST-API) | | Hadoop File System Client |Yes |Yes |
-| Data Operations - Authentication |Based on [Azure Active Directory Identities](../active-directory/develop/authentication-vs-authorization.md) |Based on shared secrets - [Account Access Keys](../storage/common/storage-account-keys-manage.md) and [Shared Access Signature Keys](../storage/common/storage-sas-overview.md). |
-| Data Operations - Authentication Protocol |[OpenID Connect](https://openid.net/connect/). Calls must contain a valid JWT (JSON web token) issued by Azure Active Directory.|Hash-based Message Authentication Code (HMAC). Calls must contain a Base64-encoded SHA-256 hash over a part of the HTTP request. |
-| Data Operations - Authorization |POSIX Access Control Lists (ACLs). ACLs based on Azure Active Directory Identities can be set at the file and folder level. |For account-level authorization ΓÇô Use [Account Access Keys](../storage/common/storage-account-keys-manage.md)<br>For account, container, or blob authorization - Use [Shared Access Signature Keys](../storage/common/storage-sas-overview.md) |
+| Data Operations - Authentication |Based on [Microsoft Entra identities](../active-directory/develop/authentication-vs-authorization.md) |Based on shared secrets - [Account Access Keys](../storage/common/storage-account-keys-manage.md) and [Shared Access Signature Keys](../storage/common/storage-sas-overview.md). |
+| Data Operations - Authentication Protocol |[OpenID Connect](https://openid.net/connect/). Calls must contain a valid JWT (JSON web token) issued by Microsoft Entra ID.|Hash-based Message Authentication Code (HMAC). Calls must contain a Base64-encoded SHA-256 hash over a part of the HTTP request. |
+| Data Operations - Authorization |POSIX Access Control Lists (ACLs). ACLs based on Microsoft Entra identities can be set at the file and folder level. |For account-level authorization ΓÇô Use [Account Access Keys](../storage/common/storage-account-keys-manage.md)<br>For account, container, or blob authorization - Use [Shared Access Signature Keys](../storage/common/storage-sas-overview.md) |
| Data Operations - Auditing |Available. See [here](data-lake-store-diagnostic-logs.md) for information. |Available | | Encryption data at rest |<ul><li>Transparent, Server side</li> <ul><li>With service-managed keys</li><li>With customer-managed keys in Azure KeyVault</li></ul></ul> |<ul><li>Transparent, Server side</li> <ul><li>With service-managed keys</li><li>With customer-managed keys in Azure KeyVault (preview)</li></ul><li>Client-side encryption</li></ul> | | Management operations (for example, Account Create) |[Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) for account management |[Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) for account management |
The table in this article summarizes the differences between Azure Data Lake Sto
| Geo-redundancy |Locally redundant (multiple copies of data in one Azure region) |Locally redundant (LRS), zone redundant (ZRS), globally redundant (GRS), read-access globally redundant (RA-GRS). See [here](../storage/common/storage-redundancy.md) for more information | | Service state |Generally available |Generally available | | Regional availability |See [here](https://azure.microsoft.com/regions/#services) |Available in all Azure regions |
-| Price |See [Pricing](https://azure.microsoft.com/pricing/details/data-lake-store/) |See [Pricing](https://azure.microsoft.com/pricing/details/storage/) |
+| Price |See [Pricing](https://azure.microsoft.com/pricing/details/data-lake-store/) |See [Pricing](https://azure.microsoft.com/pricing/details/storage/) |
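Review bot: the rewritten Authorization row carries a mis-encoded dash ("For account-level authorization ΓÇô Use"); check the committed character, and consider a plain hyphen so it matches the "For account, container, or blob authorization - Use" fragment in the same cell. The Price row change is whitespace only and needs no action.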
data-lake-store Data Lake Store Data Operations Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-data-operations-python.md
pip install azure-datalake-store
## Authentication
-In this section, we talk about the different ways to authenticate with Azure AD. The options available are:
+In this section, we talk about the different ways to authenticate with Microsoft Entra ID. The options available are:
* For end-user authentication for your application, see [End-user authentication with Data Lake Storage Gen1 using Python](data-lake-store-end-user-authenticate-python.md). * For service-to-service authentication for your application, see [Service-to-service authentication with Data Lake Storage Gen1 using Python](data-lake-store-service-to-service-authenticate-python.md).
adlsFileSystemClient.rm('/mysampledirectory', recursive=True)
## See also * [Azure Data Lake Storage Gen1 Python (Filesystem) Reference](/python/api/azure-datalake-store/azure.datalake.store.core)
-* [Open Source Big Data applications compatible with Azure Data Lake Storage Gen1](data-lake-store-compatible-oss-other-applications.md)
+* [Open Source Big Data applications compatible with Azure Data Lake Storage Gen1](data-lake-store-compatible-oss-other-applications.md)
data-lake-store Data Lake Store Data Operations Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-data-operations-rest-api.md
In this article, you learn how to use WebHDFS REST APIs and Data Lake Storage Ge
* **[cURL](https://curl.haxx.se/)**. This article uses cURL to demonstrate how to make REST API calls against a Data Lake Storage Gen1 account.
-## How do I authenticate using Azure Active Directory?
-You can use two approaches to authenticate using Azure Active Directory.
+<a name='how-do-i-authenticate-using-azure-active-directory'></a>
+
+## How do I authenticate using Microsoft Entra ID?
+You can use two approaches to authenticate using Microsoft Entra ID.
* For end-user authentication for your application (interactive), see [End-user authentication with Data Lake Storage Gen1 using .NET SDK](data-lake-store-end-user-authenticate-rest-api.md). * For service-to-service authentication for your application (non-interactive), see [Service-to-service authentication with Data Lake Storage Gen1 using .NET SDK](data-lake-store-service-to-service-authenticate-rest-api.md).
HTTP/1.1 200 OK
## See also * [Azure Data Lake Storage Gen1 REST API Reference](/rest/api/datalakestore/)
-* [Open Source Big Data applications compatible with Azure Data Lake Storage Gen1](data-lake-store-compatible-oss-other-applications.md)
+* [Open Source Big Data applications compatible with Azure Data Lake Storage Gen1](data-lake-store-compatible-oss-other-applications.md)
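Review bot: link text and target disagree in the bullet list under the renamed heading: both bullets say "using .NET SDK" but link to data-lake-store-end-user-authenticate-rest-api.md and data-lake-store-service-to-service-authenticate-rest-api.md. Since this is the REST API article, the text should read "using REST API" in both bullets.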
data-lake-store Data Lake Store End User Authenticate Java Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-end-user-authenticate-java-sdk.md
Title: End-user authentication - Java with Data Lake Storage Gen1 - Azure
-description: Learn how to achieve end-user authentication with Azure Data Lake Storage Gen1 using Azure Active Directory with Java
+description: Learn how to achieve end-user authentication with Azure Data Lake Storage Gen1 using Microsoft Entra ID with Java
In this article, you learn about how to use the Java SDK to do end-user authenti
## Prerequisites * **An Azure subscription**. See [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/).
-* **Create an Azure Active Directory "Native" Application**. You must have completed the steps in [End-user authentication with Data Lake Storage Gen1 using Azure Active Directory](data-lake-store-end-user-authenticate-using-active-directory.md).
+* **Create a Microsoft Entra ID "Native" Application**. You must have completed the steps in [End-user authentication with Data Lake Storage Gen1 using Microsoft Entra ID](data-lake-store-end-user-authenticate-using-active-directory.md).
* [Maven](https://maven.apache.org/install.html). This tutorial uses Maven for build and project dependencies. Although it is possible to build without using a build system like Maven or Gradle, these systems make is much easier to manage dependencies.
In this article, you learn about how to use the Java SDK to do end-user authenti
import com.microsoft.azure.datalake.store.oauth2.DeviceCodeTokenProvider; ```
-4. Use the following snippet in your Java application to obtain token for the Active Directory native application you created earlier using the `DeviceCodeTokenProvider`. Replace **FILL-IN-HERE** with the actual values for the Azure Active Directory native application.
+4. Use the following snippet in your Java application to obtain token for the Active Directory native application you created earlier using the `DeviceCodeTokenProvider`. Replace **FILL-IN-HERE** with the actual values for the Microsoft Entra native application.
```java private static String nativeAppId = "FILL-IN-HERE";
In this article, you learn about how to use the Java SDK to do end-user authenti
AccessTokenProvider provider = new DeviceCodeTokenProvider(nativeAppId); ```
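Review bot: the renamed step still says "obtain token for the Active Directory native application" while the end of the same sentence now says "Microsoft Entra native application"; make it "obtain a token for the Microsoft Entra native application" so the article and the product name are both consistent.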
-The Data Lake Storage Gen1 SDK provides convenient methods that let you manage the security tokens needed to talk to the Data Lake Storage Gen1 account. However, the SDK does not mandate that only these methods be used. You can use any other means of obtaining token as well, like using the [Azure Active Directory SDK](https://github.com/AzureAD/azure-activedirectory-library-for-java), or your own custom code.
+The Data Lake Storage Gen1 SDK provides convenient methods that let you manage the security tokens needed to talk to the Data Lake Storage Gen1 account. However, the SDK does not mandate that only these methods be used. You can use any other means of obtaining token as well, like using the [Azure AD SDK](https://github.com/AzureAD/azure-activedirectory-library-for-java), or your own custom code.
## Next steps In this article, you learned how to use end-user authentication to authenticate with Azure Data Lake Storage Gen1 using Java SDK. You can now look at the following articles that talk about how to use the Java SDK to work with Azure Data Lake Storage Gen1.
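Review bot: the + line changes "Azure Active Directory SDK" to "Azure AD SDK" while the rest of this patch moves to "Microsoft Entra"; because the link target is the azure-activedirectory-library-for-java repository, using that library's own name as the link text would outlast either product name. Also, "any other means of obtaining token" should be "obtaining a token".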
data-lake-store Data Lake Store End User Authenticate Net Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-end-user-authenticate-net-sdk.md
Title: End-user authentication - .NET with Data Lake Storage Gen1 - Azure
-description: Learn how to achieve end-user authentication with Azure Data Lake Storage Gen1 using Azure Active Directory with .NET SDK
+description: Learn how to achieve end-user authentication with Azure Data Lake Storage Gen1 using Microsoft Entra ID with .NET SDK
In this article, you learn about how to use the .NET SDK to do end-user authenti
* **An Azure subscription**. See [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/).
-* **Create an Azure Active Directory "Native" Application**. You must have completed the steps in [End-user authentication with Data Lake Storage Gen1 using Azure Active Directory](data-lake-store-end-user-authenticate-using-active-directory.md).
+* **Create a Microsoft Entra ID "Native" Application**. You must have completed the steps in [End-user authentication with Data Lake Storage Gen1 using Microsoft Entra ID](data-lake-store-end-user-authenticate-using-active-directory.md).
## Create a .NET application 1. In Visual Studio, select the **File** menu, **New**, and then **Project**.
In this article, you learn about how to use the .NET SDK to do end-user authenti
``` ## End-user authentication
-Add this snippet in your .NET client application. Replace the placeholder values with the values retrieved from an Azure AD native application (listed as prerequisite). This snippet lets you authenticate your application **interactively** with Data Lake Storage Gen1, which means you are prompted to enter your Azure credentials.
+Add this snippet in your .NET client application. Replace the placeholder values with the values retrieved from a Microsoft Entra native application (listed as prerequisite). This snippet lets you authenticate your application **interactively** with Data Lake Storage Gen1, which means you are prompted to enter your Azure credentials.
For ease of use, the following snippet uses default values for client ID and redirect URI that are valid for any Azure subscription. In the following snippet, you only need to provide the value for your tenant ID. You can retrieve the Tenant ID using the instructions provided at [Get the tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
A couple of things to know about the preceding snippet:
* The preceding snippet uses a helper functions `GetTokenCache` and `GetCreds_User_Popup`. The code for these helper functions is available [here on GitHub](https://github.com/Azure-Samples/data-lake-analytics-dotnet-auth-options#gettokencache). * To help you complete the tutorial faster, the snippet uses a native application client ID that is available by default for all Azure subscriptions. So, you can **use this snippet as-is in your application**.
-* However, if you do want to use your own Azure AD domain and application client ID, you must create an Azure AD native application and then use the Azure AD tenant ID, client ID, and redirect URI for the application you created. See [Create an Active Directory Application for end-user authentication with Data Lake Storage Gen1](data-lake-store-end-user-authenticate-using-active-directory.md) for instructions.
+* However, if you do want to use your own Microsoft Entra domain and application client ID, you must create a Microsoft Entra native application and then use the Microsoft Entra tenant ID, client ID, and redirect URI for the application you created. See [Create an Active Directory Application for end-user authentication with Data Lake Storage Gen1](data-lake-store-end-user-authenticate-using-active-directory.md) for instructions.
## Next steps
data-lake-store Data Lake Store End User Authenticate Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-end-user-authenticate-python.md
Title: End-user authentication - Python with Data Lake Storage Gen1 - Azure
-description: Learn how to achieve end-user authentication with Azure Data Lake Storage Gen1 using Azure Active Directory with Python
+description: Learn how to achieve end-user authentication with Azure Data Lake Storage Gen1 using Microsoft Entra ID with Python
Both these options are discussed in this article. For service-to-service authent
* **An Azure subscription**. See [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/).
-* **Create an Azure Active Directory "Native" Application**. You must have completed the steps in [End-user authentication with Data Lake Storage Gen1 using Azure Active Directory](data-lake-store-end-user-authenticate-using-active-directory.md).
+* **Create a Microsoft Entra ID "Native" Application**. You must have completed the steps in [End-user authentication with Data Lake Storage Gen1 using Microsoft Entra ID](data-lake-store-end-user-authenticate-using-active-directory.md).
## Install the modules
pip install azure-datalake-store
### For account management
-Use the following snippet to authenticate with Azure AD for account management operations on a Data Lake Storage Gen1 account. The following snippet can be used to authenticate your application using multi-factor authentication. Provide the values below for an existing Azure AD **native** application.
+Use the following snippet to authenticate with Microsoft Entra ID for account management operations on a Data Lake Storage Gen1 account. The following snippet can be used to authenticate your application using multi-factor authentication. Provide the values below for an existing Microsoft Entra ID **native** application.
```python authority_host_url = "https://login.microsoftonline.com"
armCreds = AADTokenCredentials(mgmt_token, client_id, resource = RESOURCE)
### For filesystem operations
-Use this to authenticate with Azure AD for filesystem operations on a Data Lake Storage Gen1 account. The following snippet can be used to authenticate your application using multi-factor authentication. Provide the values below for an existing Azure AD **native** application.
+Use this to authenticate with Microsoft Entra ID for filesystem operations on a Data Lake Storage Gen1 account. The following snippet can be used to authenticate your application using multi-factor authentication. Provide the values below for an existing Microsoft Entra ID **native** application.
```console adlCreds = lib.auth(tenant_id='FILL-IN-HERE', resource = 'https://datalake.azure.net/')
This is deprecated. For more information, see [Azure Authentication using Python
In this article, you learned how to use end-user authentication to authenticate with Azure Data Lake Storage Gen1 using Python. You can now look at the following articles that talk about how to use Python to work with Azure Data Lake Storage Gen1. * [Account management operations on Data Lake Storage Gen1 using Python](data-lake-store-get-started-python.md)
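Review bot: the filesystem-operations snippet in the unchanged context below the hunk is fenced as `console` although it is Python (`adlCreds = lib.auth(...)`), whereas the account-management snippet above is fenced as `python`; change the fence language so the two snippets are consistent and the code is highlighted correctly.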
-* [Data operations on Data Lake Storage Gen1 using Python](data-lake-store-data-operations-python.md)
+* [Data operations on Data Lake Storage Gen1 using Python](data-lake-store-data-operations-python.md)
data-lake-store Data Lake Store End User Authenticate Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-end-user-authenticate-rest-api.md
Title: End-user authentication - REST with Data Lake Storage Gen1 - Azure
-description: Learn how to achieve end-user authentication with Azure Data Lake Storage Gen1 using Azure Active Directory using REST API
+description: Learn how to achieve end-user authentication with Azure Data Lake Storage Gen1 using Microsoft Entra ID using REST API
In this article, you learn about how to use the REST API to do end-user authenti
* **An Azure subscription**. See [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/).
-* **Create an Azure Active Directory "Native" Application**. You must have completed the steps in [End-user authentication with Data Lake Storage Gen1 using Azure Active Directory](data-lake-store-end-user-authenticate-using-active-directory.md).
+* **Create a Microsoft Entra ID "Native" Application**. You must have completed the steps in [End-user authentication with Data Lake Storage Gen1 using Microsoft Entra ID](data-lake-store-end-user-authenticate-using-active-directory.md).
* **[cURL](https://curl.haxx.se/)**. This article uses cURL to demonstrate how to make REST API calls against a Data Lake Storage Gen1 account. ## End-user authentication
-End-user authentication is the recommended approach if you want a user to log in to your application using Azure AD. Your application is able to access Azure resources with the same level of access as the logged-in user. The user needs to provide their credentials periodically in order for your application to maintain access.
+End-user authentication is the recommended approach if you want a user to log in to your application using Microsoft Entra ID. Your application is able to access Azure resources with the same level of access as the logged-in user. The user needs to provide their credentials periodically in order for your application to maintain access.
The result of having the end-user login is that your application is given an access token and a refresh token. The access token gets attached to each request made to Data Lake Storage Gen1 or Data Lake Analytics, and it is valid for one hour by default. The refresh token can be used to obtain a new access token, and it is valid for up to two weeks by default, if used regularly. You can use two different approaches for end-user login.
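Review bot: the refresh-token sentence in the trailing context, `The refresh token can be used to obtain a new access token, and it is valid for up to two weeks by default, if used regularly.`, does not match the sibling article in this same commit, which says `valid for up to two weeks by default` with no usage condition. This is the sentence a reader uses to reason about how long a leaked refresh token stays usable, so both articles should make the same claim, with the condition stated in both or in neither. Smaller: this hunk keeps `log in` (`+End-user authentication is the recommended approach if you want a user to log in to your application using Microsoft Entra ID.`) while the sibling article uses `sign in`.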
For more information on interactive user authentication, see [Authorization code
In this article, you learned how to use service-to-service authentication to authenticate with Azure Data Lake Storage Gen1 using REST API. You can now look at the following articles that talk about how to use the REST API to work with Azure Data Lake Storage Gen1. * [Account management operations on Data Lake Storage Gen1 using REST API](data-lake-store-get-started-rest-api.md)
-* [Data operations on Data Lake Storage Gen1 using REST API](data-lake-store-data-operations-rest-api.md)
+* [Data operations on Data Lake Storage Gen1 using REST API](data-lake-store-data-operations-rest-api.md)
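Review bot: the summary in the trailing context, `In this article, you learned how to use service-to-service authentication to authenticate with Azure Data Lake Storage Gen1 using REST API.`, contradicts the article title (`End-user authentication - REST with Data Lake Storage Gen1 - Azure`) and the `+` lines above, which describe end-user authentication; it reads as copied from the service-to-service article and should say `end-user authentication`. Since this commit already edits the neighbouring lines, it is a cheap fix to include here.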
data-lake-store Data Lake Store End User Authenticate Using Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-end-user-authenticate-using-active-directory.md
Title: End-user authentication - Data Lake Storage Gen1 with Azure AD
-description: Learn how to achieve end-user authentication with Azure Data Lake Storage Gen1 using Azure Active Directory
+ Title: End-user authentication - Data Lake Storage Gen1 with Microsoft Entra ID
+description: Learn how to achieve end-user authentication with Azure Data Lake Storage Gen1 using Microsoft Entra ID
Last updated 05/29/2018
-# End-user authentication with Azure Data Lake Storage Gen1 using Azure Active Directory
+# End-user authentication with Azure Data Lake Storage Gen1 using Microsoft Entra ID
> [!div class="op_single_selector"] > * [End-user authentication](data-lake-store-end-user-authenticate-using-active-directory.md) > * [Service-to-service authentication](data-lake-store-service-to-service-authenticate-using-active-directory.md) > >
-Azure Data Lake Storage Gen1 uses Azure Active Directory for authentication. Before authoring an application that works with Data Lake Storage Gen1 or Azure Data Lake Analytics, you must decide how to authenticate your application with Azure Active Directory (Azure AD). The two main options available are:
+Azure Data Lake Storage Gen1 uses Microsoft Entra ID for authentication. Before authoring an application that works with Data Lake Storage Gen1 or Azure Data Lake Analytics, you must decide how to authenticate your application with Microsoft Entra ID. The two main options available are:
* End-user authentication (this article) * Service-to-service authentication (pick this option from the drop-down above) Both these options result in your application being provided with an OAuth 2.0 token, which gets attached to each request made to Data Lake Storage Gen1 or Azure Data Lake Analytics.
-This article talks about how to create an **Azure AD native application for end-user authentication**. For instructions on Azure AD application configuration for service-to-service authentication, see [Service-to-service authentication with Data Lake Storage Gen1 using Azure Active Directory](./data-lake-store-service-to-service-authenticate-using-active-directory.md).
+This article talks about how to create an **Microsoft Entra native application for end-user authentication**. For instructions on Microsoft Entra application configuration for service-to-service authentication, see [Service-to-service authentication with Data Lake Storage Gen1 using Microsoft Entra ID](./data-lake-store-service-to-service-authenticate-using-active-directory.md).
## Prerequisites * An Azure subscription. See [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/).
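Review bot: `+This article talks about how to create an **Microsoft Entra native application for end-user authentication**.` keeps the article `an` from the removed `an **Azure AD native application`; it must become `a` now that the noun starts with a consonant. Also check the front matter: the old title is shown as unchanged context (`Title: End-user authentication - Data Lake Storage Gen1 with Azure AD`) while the replacement is added as `+ Title: End-user authentication - Data Lake Storage Gen1 with Microsoft Entra ID` with a leading space, so confirm the result is one correctly indented title key rather than two.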
This article talks about how to create an **Azure AD native application for end-
![Get subscription ID](./media/data-lake-store-end-user-authenticate-using-active-directory/get-subscription-id.png)
-* Your Azure AD domain name. You can retrieve it by hovering the mouse in the top-right corner of the Azure portal. From the screenshot below, the domain name is **contoso.onmicrosoft.com**, and the GUID within brackets is the tenant ID.
+* Your Microsoft Entra domain name. You can retrieve it by hovering the mouse in the top-right corner of the Azure portal. From the screenshot below, the domain name is **contoso.onmicrosoft.com**, and the GUID within brackets is the tenant ID.
- ![Get AAD domain](./media/data-lake-store-end-user-authenticate-using-active-directory/get-aad-domain.png)
+ ![Get Microsoft Entra domain](./media/data-lake-store-end-user-authenticate-using-active-directory/get-aad-domain.png)
* Your Azure tenant ID. For instructions on how to retrieve the tenant ID, see [Get the tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application). ## End-user authentication
-This authentication mechanism is the recommended approach if you want an end user to sign in to your application via Azure AD. Your application is then able to access Azure resources with the same level of access as the end user that logged in. Your end user needs to provide their credentials periodically in order for your application to maintain access.
+This authentication mechanism is the recommended approach if you want an end user to sign in to your application via Microsoft Entra ID. Your application is then able to access Azure resources with the same level of access as the end user that logged in. Your end user needs to provide their credentials periodically in order for your application to maintain access.
The result of having the end-user sign-in is that your application is given an access token and a refresh token. The access token gets attached to each request made to Data Lake Storage Gen1 or Data Lake Analytics, and it's valid for one hour by default. The refresh token can be used to obtain a new access token, and it's valid for up to two weeks by default. You can use two different approaches for end-user sign-in. ### Using the OAuth 2.0 pop-up
-Your application can trigger an OAuth 2.0 authorization pop-up, in which the end user can enter their credentials. This pop-up also works with the Azure AD Two-factor Authentication (2FA) process, if necessary.
+Your application can trigger an OAuth 2.0 authorization pop-up, in which the end user can enter their credentials. This pop-up also works with the Microsoft Entra Two-factor Authentication (2FA) process, if necessary.
> [!NOTE] > This method is not yet supported in the Azure AD Authentication Library (ADAL) for Python or Java.
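Review bot: `+Your application can trigger an OAuth 2.0 authorization pop-up ... This pop-up also works with the Microsoft Entra Two-factor Authentication (2FA) process, if necessary.` renames the feature to a term this commit uses nowhere else; the Python article in the same change set says `multi-factor authentication`, so use that wording consistently here and in the `Directly passing in user credentials` paragraph below, which repeats `Two-factor Authentication (2FA)`. Leaving `Azure AD Authentication Library (ADAL)` untouched in the note that follows is correct, since that is the library's proper name.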
Your application can trigger an OAuth 2.0 authorization pop-up, in which the end
> ### Directly passing in user credentials
-Your application can directly provide user credentials to Azure AD. This method only works with organizational ID user accounts; it isn't compatible with personal / ΓÇ£live IDΓÇ¥ user accounts, including the accounts ending in @outlook.com or @live.com. Furthermore, this method isn't compatible with user accounts that require Azure AD Two-factor Authentication (2FA).
+Your application can directly provide user credentials to Microsoft Entra ID. This method only works with organizational ID user accounts; it isn't compatible with personal / ΓÇ£live IDΓÇ¥ user accounts, including the accounts ending in @outlook.com or @live.com. Furthermore, this method isn't compatible with user accounts that require Microsoft Entra Two-factor Authentication (2FA).
### What do I need for this approach?
-* Azure AD domain name. This requirement is already listed in the prerequisite of this article.
-* Azure AD tenant ID. This requirement is already listed in the prerequisite of this article.
-* Azure AD **native application**
-* Application ID for the Azure AD native application
-* Redirect URI for the Azure AD native application
+* Microsoft Entra domain name. This requirement is already listed in the prerequisite of this article.
+* Microsoft Entra tenant ID. This requirement is already listed in the prerequisite of this article.
+* Microsoft Entra ID **native application**
+* Application ID for the Microsoft Entra native application
+* Redirect URI for the Microsoft Entra native application
* Set delegated permissions ## Step 1: Create an Active Directory native application
-Create and configure an Azure AD native application for end-user authentication with Data Lake Storage Gen1 using Azure Active Directory. For instructions, see [Create an Azure AD application](../active-directory/develop/howto-create-service-principal-portal.md).
+Create and configure a Microsoft Entra native application for end-user authentication with Data Lake Storage Gen1 using Microsoft Entra ID. For instructions, see [Create a Microsoft Entra application](../active-directory/develop/howto-create-service-principal-portal.md).
While following the instructions in the link, make sure you select **Native** for application type, as shown in the following screenshot:
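Review bot: the heading in the unchanged context, `## Step 1: Create an Active Directory native application`, is left as is while the sentence under it becomes `+Create and configure a Microsoft Entra native application for end-user authentication ...`, so heading and body now name different products; rename the heading in the same commit. Two more items in this hunk: the adjacent bullets `+* Microsoft Entra ID **native application**` and `+* Application ID for the Microsoft Entra native application` use two forms of the same noun phrase, and `+Your application can directly provide user credentials to Microsoft Entra ID ... personal / ΓÇ£live IDΓÇ¥ user accounts` carries forward the byte sequence `ΓÇ£ ... ΓÇ¥`, which is a pair of UTF-8 curly quotes decoded under the wrong code page; if that sequence is in the source file rather than an artifact of this diff viewer, replace it with plain ASCII quotes while the line is being edited. On substance, that paragraph is the one place on the page that describes handing a user's password directly to the identity provider, and the text itself says the path is unavailable for accounts that require a second factor, so a sentence steering readers to the pop-up flow above unless they have a specific reason not to use it would be a worthwhile addition.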
See [Get the application ID](../active-directory/develop/howto-create-service-pr
To retrieve the redirect URI, do the following steps.
-1. From the Azure portal, select **Azure Active Directory**, select **App registrations**, and then find and select the Azure AD native application that you created.
+1. From the Azure portal, select **Microsoft Entra ID**, select **App registrations**, and then find and select the Microsoft Entra native application that you created.
2. From the **Settings** blade for the application, select **Redirect URIs**.
To retrieve the redirect URI, do the following steps.
## Step 3: Set permissions
-1. From the Azure portal, select **Azure Active Directory**, select **App registrations**, and then find and select the Azure AD native application that you created.
+1. From the Azure portal, select **Microsoft Entra ID**, select **App registrations**, and then find and select the Microsoft Entra native application that you created.
2. From the **Settings** blade for the application, select **Required permissions**, and then select **Add**.
To retrieve the redirect URI, do the following steps.
5. Repeat the last two steps to grant permissions for **Windows Azure Service Management API** as well. ## Next steps
-In this article, you created an Azure AD native application and gathered the information you need in your client applications that you author using .NET SDK, Java SDK, REST API, etc. You can now proceed to the following articles that talk about how to use the Azure AD web application to first authenticate with Data Lake Storage Gen1 and then perform other operations on the store.
+In this article, you created a Microsoft Entra native application and gathered the information you need in your client applications that you author using .NET SDK, Java SDK, REST API, etc. You can now proceed to the following articles that talk about how to use the Microsoft Entra web application to first authenticate with Data Lake Storage Gen1 and then perform other operations on the store.
* [End-user-authentication with Data Lake Storage Gen1 using Java SDK](data-lake-store-end-user-authenticate-java-sdk.md) * [End-user authentication with Data Lake Storage Gen1 using .NET SDK](data-lake-store-end-user-authenticate-net-sdk.md) * [End-user authentication with Data Lake Storage Gen1 using Python](data-lake-store-end-user-authenticate-python.md)
-* [End-user authentication with Data Lake Storage Gen1 using REST API](data-lake-store-end-user-authenticate-rest-api.md)
+* [End-user authentication with Data Lake Storage Gen1 using REST API](data-lake-store-end-user-authenticate-rest-api.md)
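Review bot: `+In this article, you created a Microsoft Entra native application ... how to use the Microsoft Entra web application to first authenticate with Data Lake Storage Gen1` calls the app a `web application` in the second sentence after calling it a `native application` in the first; the article only ever creates a native application (`+Create and configure a Microsoft Entra native application ...` in Step 1), so `web application` is a leftover and should read `native application`.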
data-lake-store Data Lake Store Get Started Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-get-started-portal.md
Click the ellipsis icon against a file, and from the pop-up menu, click the acti
## Secure your data
-You can secure the data stored in your Data Lake Storage Gen1 account using Azure Active Directory and access control (ACLs). For instructions on how to do that, see [Securing data in Azure Data Lake Storage Gen1](data-lake-store-secure-data.md).
+You can secure the data stored in your Data Lake Storage Gen1 account using Microsoft Entra ID and access control (ACLs). For instructions on how to do that, see [Securing data in Azure Data Lake Storage Gen1](data-lake-store-secure-data.md).
## Delete your account
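Review bot: `+You can secure the data stored in your Data Lake Storage Gen1 account using Microsoft Entra ID and access control (ACLs).` expands the abbreviation wrongly; ACLs are access control lists, so write `access control lists (ACLs)`. The sentence also folds two separate mechanisms into one phrase, who the caller is and what an ACL on a path lets that caller do, so a short qualifier such as `for authentication` after `Microsoft Entra ID` would make the split explicit.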
data-lake-store Data Lake Store Get Started Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-get-started-python.md
pip install azure-datalake-store
## Authentication
-In this section, we talk about the different ways to authenticate with Azure AD. The options available are:
+In this section, we talk about the different ways to authenticate with Microsoft Entra ID. The options available are:
* For end-user authentication for your application, see [End-user authentication with Data Lake Storage Gen1 using Python](data-lake-store-end-user-authenticate-python.md). * For service-to-service authentication for your application, see [Service-to-service authentication with Data Lake Storage Gen1 using Python](data-lake-store-service-to-service-authenticate-python.md).
data-lake-store Data Lake Store Get Started Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-get-started-rest-api.md
In this article, you learn how to perform account management operations on Azure
* **[cURL](https://curl.haxx.se/)**. This article uses cURL to demonstrate how to make REST API calls against a Data Lake Storage Gen1 account.
-## How do I authenticate using Azure Active Directory?
-You can use two approaches to authenticate using Azure Active Directory.
+<a name='how-do-i-authenticate-using-azure-active-directory'></a>
+
+## How do I authenticate using Microsoft Entra ID?
+You can use two approaches to authenticate using Microsoft Entra ID.
* For end-user authentication for your application (interactive), see [End-user authentication with Data Lake Storage Gen1 using .NET SDK](data-lake-store-end-user-authenticate-rest-api.md). * For service-to-service authentication for your application (non-interactive), see [Service-to-service authentication with Data Lake Storage Gen1 using .NET SDK](data-lake-store-service-to-service-authenticate-rest-api.md).
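Review bot: the link text in the trailing context, `* For end-user authentication for your application (interactive), see [End-user authentication with Data Lake Storage Gen1 using .NET SDK](data-lake-store-end-user-authenticate-rest-api.md)` and the matching service-to-service bullet, says `.NET SDK` while both targets are the `-rest-api.md` pages; this is the REST API article, so both link texts should say `using REST API`. The `+<a name='how-do-i-authenticate-using-azure-active-directory'></a>` anchor added above the renamed heading is the right way to keep old deep links working, and the same pattern is applied to the two renamed `Create a ...` headings later in this commit.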
HTTP/1.1 200 OK
## See also * [Azure Data Lake Storage Gen1 REST API Reference](/rest/api/datalakestore/)
-* [Open Source Big Data applications compatible with Azure Data Lake Storage Gen1](data-lake-store-compatible-oss-other-applications.md)
+* [Open Source Big Data applications compatible with Azure Data Lake Storage Gen1](data-lake-store-compatible-oss-other-applications.md)
data-lake-store Data Lake Store Hdinsight Hadoop Use Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-hdinsight-hadoop-use-portal.md
Before you begin, ensure that you've met the following requirements:
* **An Azure subscription**. Go to [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/). * **An Azure Data Lake Storage Gen1 account**. Follow the instructions from [Get started with Azure Data Lake Storage Gen1 by using the Azure portal](data-lake-store-get-started-portal.md). You must also create a root folder on the account. In this article, a root folder called __/clusters__ is used.
-* **An Azure Active Directory service principal**. This how-to guide provides instructions on how to create a service principal in Azure Active Directory (Azure AD). However, to create a service principal, you must be an Azure AD administrator. If you're an administrator, you can skip this prerequisite and continue.
+* **a Microsoft Entra service principal**. This how-to guide provides instructions on how to create a service principal in Microsoft Entra ID. However, to create a service principal, you must be a Microsoft Entra administrator. If you're an administrator, you can skip this prerequisite and continue.
>[!NOTE]
->You can create a service principal only if you're an Azure AD administrator. Your Azure AD administrator must create a service principal before you can create an HDInsight cluster with Data Lake Storage Gen1. Also, the service principal must be created with a certificate, as described at [Create a service principal with certificate](../active-directory/develop/howto-authenticate-service-principal-powershell.md#create-service-principal-with-self-signed-certificate).
+>You can create a service principal only if you're a Microsoft Entra administrator. Your Microsoft Entra administrator must create a service principal before you can create an HDInsight cluster with Data Lake Storage Gen1. Also, the service principal must be created with a certificate, as described at [Create a service principal with certificate](../active-directory/develop/howto-authenticate-service-principal-powershell.md#create-service-principal-with-self-signed-certificate).
> ## Create an HDInsight cluster
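Review bot: `+* **a Microsoft Entra service principal**. This how-to guide provides instructions on how to create a service principal in Microsoft Entra ID.` starts the bold label with a lowercase `a`, unlike the neighbouring `**An Azure subscription**` and `**An Azure Data Lake Storage Gen1 account**`; capitalise it. The requirement in the note block that the principal be created with a certificate (`+>... the service principal must be created with a certificate, as described at [Create a service principal with certificate](...#create-service-principal-with-self-signed-certificate)`) is the right guidance for HDInsight; note that the two PowerShell articles in this same commit link a different anchor for the same requirement, which is worth reconciling.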
To create a HDInsight cluster with Data Lake Storage Gen1 as an additional stora
## Configure Data Lake Storage Gen1 access
-In this section, you configure Data Lake Storage Gen1 access from HDInsight clusters using an Azure Active Directory service principal.
+In this section, you configure Data Lake Storage Gen1 access from HDInsight clusters using a Microsoft Entra service principal.
### Specify a service principal From the Azure portal, you can either use an existing service principal or create a new one. To create a service principal from the Azure portal:
-1. See [Create Service Principal and Certificates](../active-directory/develop/howto-create-service-principal-portal.md) using Azure Active Directory.
+1. See [Create Service Principal and Certificates](../active-directory/develop/howto-create-service-principal-portal.md) using Microsoft Entra ID.
To use an existing service principal from the Azure portal:
data-lake-store Data Lake Store Hdinsight Hadoop Use Powershell For Default Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-hdinsight-hadoop-use-powershell-for-default-storage.md
Before you begin this tutorial, make sure that you meet the following requiremen
* **An Azure subscription**: Go to [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/). * **Azure PowerShell 1.0 or greater**: See [How to install and configure PowerShell](/powershell/azure/). * **Windows Software Development Kit (SDK)**: To install Windows SDK, go to [Downloads and tools for Windows 10](https://dev.windows.com/downloads). The SDK is used to create a security certificate.
-* **Azure Active Directory service principal**: This tutorial describes how to create a service principal in Azure Active Directory (Azure AD). However, to create a service principal, you must be an Azure AD administrator. If you are an administrator, you can skip this prerequisite and proceed with the tutorial.
+* **Microsoft Entra service principal**: This tutorial describes how to create a service principal in Microsoft Entra ID. However, to create a service principal, you must be a Microsoft Entra administrator. If you are an administrator, you can skip this prerequisite and proceed with the tutorial.
>[!NOTE]
- >You can create a service principal only if you are an Azure AD administrator. Your Azure AD administrator must create a service principal before you can create an HDInsight cluster with Data Lake Storage Gen1. The service principal must be created with a certificate, as described in [Create a service principal with certificate](../active-directory/develop/howto-authenticate-service-principal-powershell.md#create-service-principal-with-certificate-from-certificate-authority).
+ >You can create a service principal only if you are a Microsoft Entra administrator. Your Microsoft Entra administrator must create a service principal before you can create an HDInsight cluster with Data Lake Storage Gen1. The service principal must be created with a certificate, as described in [Create a service principal with certificate](../active-directory/develop/howto-authenticate-service-principal-powershell.md#create-service-principal-with-certificate-from-certificate-authority).
> ## Create an Azure Data Lake Storage Gen1 account
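Review bot: the note `+ >You can create a service principal only if you are a Microsoft Entra administrator ... as described in [Create a service principal with certificate](...#create-service-principal-with-certificate-from-certificate-authority).` points at the CA-issued-certificate section, but this article builds its certificate locally (`**Windows Software Development Kit (SDK)**: ... The SDK is used to create a security certificate.`, and the `[makecert]` / `[pvk2pfx]` references at the end of the file), which is a self-signed certificate; the portal article in this same commit links `#create-service-principal-with-self-signed-certificate`, and that anchor is the one that fits here.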
To create a Data Lake Storage Gen1 account, do the following:
```` ## Set up authentication for role-based access to Data Lake Storage Gen1
-Every Azure subscription is associated with an Azure AD entity. Users and services that access subscription resources by using the Azure portal or the Azure Resource Manager API must first authenticate with Azure AD. Access is granted to Azure subscriptions and services by assigning them the appropriate role on an Azure resource. For services, a service principal identifies the service in Azure AD.
+Every Azure subscription is associated with a Microsoft Entra entity. Users and services that access subscription resources by using the Azure portal or the Azure Resource Manager API must first authenticate with Microsoft Entra ID. Access is granted to Azure subscriptions and services by assigning them the appropriate role on an Azure resource. For services, a service principal identifies the service in Microsoft Entra ID.
This section illustrates how to grant an application service, such as HDInsight, access to an Azure resource (the Data Lake Storage Gen1 account that you created earlier). You do so by creating a service principal for the application and assigning roles to it via PowerShell.
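Review bot: `+Every Azure subscription is associated with a Microsoft Entra entity.` is a word-for-word swap that leaves `entity` standing in for the directory instance; what a subscription is associated with is a Microsoft Entra tenant, and the sibling PowerShell article in this commit renders the same sentence as `associated with a Microsoft Entra ID`, which is no clearer. Say `tenant` in both. The rest of the paragraph (`... must first authenticate with Microsoft Entra ID` and `a service principal identifies the service in Microsoft Entra ID`) uses the product name correctly.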
Make sure you have [Windows SDK](https://dev.windows.com/en-us/downloads) instal
When you are prompted, enter the private key password that you specified earlier. The value you specify for the **-po** parameter is the password that's associated with the .pfx file. After the command has been completed successfully, you should also see a **CertFile.pfx** in the certificate directory that you specified.
-### Create an Azure AD and a service principal
-In this section, you create a service principal for an Azure AD application, assign a role to the service principal, and authenticate as the service principal by providing a certificate. To create an application in Azure AD, run the following commands:
+<a name='create-an-azure-ad-and-a-service-principal'></a>
+
+### Create a Microsoft Entra ID and a service principal
+In this section, you create a service principal for a Microsoft Entra application, assign a role to the service principal, and authenticate as the service principal by providing a certificate. To create an application in Microsoft Entra ID, run the following commands:
1. Paste the following cmdlets in the PowerShell console window. Make sure that the value you specify for the **-DisplayName** property is unique. The values for **-HomePage** and **-IdentiferUris** are placeholder values and are not verified.
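Review bot: `+### Create a Microsoft Entra ID and a service principal` describes something you cannot do; the removed `### Create an Azure AD and a service principal` had the same flaw, and the body line right under it (`+In this section, you create a service principal for a Microsoft Entra application, assign a role to the service principal, and authenticate as the service principal by providing a certificate.`) says what the section actually does, so the heading should be `### Create a Microsoft Entra application and a service principal`. The `+<a name='create-an-azure-ad-and-a-service-principal'></a>` anchor correctly preserves the old link target. In the unchanged context, `**-IdentiferUris**` is misspelled; the parameter is `-IdentifierUris`, and the same typo appears in the sibling PowerShell article in this commit.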
You can also use the `hdfs dfs -put` command to upload some files to Data Lake S
* [Azure portal: Create an HDInsight cluster to use Data Lake Storage Gen1](data-lake-store-hdinsight-hadoop-use-portal.md) [makecert]: /windows-hardware/drivers/devtest/makecert
-[pvk2pfx]: /windows-hardware/drivers/devtest/pvk2pfx
+[pvk2pfx]: /windows-hardware/drivers/devtest/pvk2pfx
data-lake-store Data Lake Store Hdinsight Hadoop Use Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-hdinsight-hadoop-use-powershell.md
Before you begin this tutorial, you must have the following:
* **An Azure subscription**. See [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/). * **Azure PowerShell 1.0 or greater**. See [How to install and configure Azure PowerShell](/powershell/azure/). * **Windows SDK**. You can install it from [here](https://dev.windows.com/en-us/downloads). You use this to create a security certificate.
-* **Azure Active Directory Service Principal**. Steps in this tutorial provide instructions on how to create a service principal in Azure AD. However, you must be an Azure AD administrator to be able to create a service principal. If you are an Azure AD administrator, you can skip this prerequisite and proceed with the tutorial.
+* **Microsoft Entra service principal**. Steps in this tutorial provide instructions on how to create a service principal in Microsoft Entra ID. However, you must be a Microsoft Entra administrator to be able to create a service principal. If you are a Microsoft Entra administrator, you can skip this prerequisite and proceed with the tutorial.
- **If you are not an Azure AD administrator**, you will not be able to perform the steps required to create a service principal. In such a case, your Azure AD administrator must first create a service principal before you can create an HDInsight cluster with Data Lake Storage Gen1. Also, the service principal must be created using a certificate, as described at [Create a service principal with certificate](../active-directory/develop/howto-authenticate-service-principal-powershell.md#create-service-principal-with-certificate-from-certificate-authority).
+ **If you are not a Microsoft Entra administrator**, you will not be able to perform the steps required to create a service principal. In such a case, your Microsoft Entra administrator must first create a service principal before you can create an HDInsight cluster with Data Lake Storage Gen1. Also, the service principal must be created using a certificate, as described at [Create a service principal with certificate](../active-directory/develop/howto-authenticate-service-principal-powershell.md#create-service-principal-with-certificate-from-certificate-authority).
## Create a Data Lake Storage Gen1 account Follow these steps to create a Data Lake Storage Gen1 account.
Follow these steps to create a Data Lake Storage Gen1 account.
## Set up authentication for role-based access to Data Lake Storage Gen1
-Every Azure subscription is associated with an Azure Active Directory. Users and services that access resources of the subscription using the Azure portal or Azure Resource Manager API must first authenticate with that Azure Active Directory. Access is granted to Azure subscriptions and services by assigning them the appropriate role on an Azure resource. For services, a service principal identifies the service in the Azure Active Directory (Azure AD). This section illustrates how to grant an application service, like HDInsight, access to an Azure resource (the storage account with Data Lake Storage Gen1 you created earlier) by creating a service principal for the application and assigning roles to that via Azure PowerShell.
+Every Azure subscription is associated with a Microsoft Entra ID. Users and services that access resources of the subscription using the Azure portal or Azure Resource Manager API must first authenticate with that Microsoft Entra ID. Access is granted to Azure subscriptions and services by assigning them the appropriate role on an Azure resource. For services, a service principal identifies the service in the Microsoft Entra ID. This section illustrates how to grant an application service, like HDInsight, access to an Azure resource (the storage account with Data Lake Storage Gen1 you created earlier) by creating a service principal for the application and assigning roles to that via Azure PowerShell.
To set up Active Directory authentication for Data Lake Storage Gen1, you must perform the following tasks. * Create a self-signed certificate
-* Create an application in Azure Active Directory and a Service Principal
+* Create an application in Microsoft Entra ID and a Service Principal
### Create a self-signed certificate
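Review bot: `+Every Azure subscription is associated with a Microsoft Entra ID.`, `... must first authenticate with that Microsoft Entra ID.` and `... identifies the service in the Microsoft Entra ID.` use the product name as a count noun for what the removed text called `an Azure Active Directory`, the directory instance; write `Microsoft Entra tenant` for the instance and keep `Microsoft Entra ID` for the service. The unchanged `To set up Active Directory authentication for Data Lake Storage Gen1, you must perform the following tasks.` on the next line should be renamed along with it, since `+* Create an application in Microsoft Entra ID and a Service Principal` directly below it already is.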
Make sure you have [Windows SDK](https://dev.windows.com/en-us/downloads) instal
When prompted enter the private key password you specified earlier. The value you specify for the **-po** parameter is the password that is associated with the .pfx file. After the command successfully completes, you should also see a CertFile.pfx in the certificate directory you specified.
-### Create an Azure Active Directory and a service principal
+<a name='create-an-azure-active-directory-and-a-service-principal'></a>
-In this section, you perform the steps to create a service principal for an Azure Active Directory application, assign a role to the service principal, and authenticate as the service principal by providing a certificate. Run the following commands to create an application in Azure Active Directory.
+### Create a Microsoft Entra ID and a service principal
+
+In this section, you perform the steps to create a service principal for a Microsoft Entra application, assign a role to the service principal, and authenticate as the service principal by providing a certificate. Run the following commands to create an application in Microsoft Entra ID.
1. Paste the following cmdlets in the PowerShell console window. Make sure the value you specify for the **-DisplayName** property is unique. Also, the values for **-HomePage** and **-IdentiferUris** are placeholder values and are not verified.
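Review bot: same two issues as the default-storage PowerShell article in this commit: `+### Create a Microsoft Entra ID and a service principal` should be `### Create a Microsoft Entra application and a service principal` (the body line `+In this section, you perform the steps to create a service principal for a Microsoft Entra application, assign a role to the service principal ...` already says so), and the unchanged `**-IdentiferUris**` is a typo for `-IdentifierUris`. Ordering check on the hunk itself: the `+<a name='create-an-azure-active-directory-and-a-service-principal'></a>` line is inserted between the removed heading and the removed paragraph, so the rendered result is anchor, heading, blank line, paragraph, which is the intended order.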
data-lake-store Data Lake Store Hdinsight Hadoop Use Resource Manager Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-hdinsight-hadoop-use-resource-manager-template.md
Before you begin this tutorial, you must have the following:
* **An Azure subscription**. See [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/). * **Azure PowerShell 1.0 or greater**. See [How to install and configure Azure PowerShell](/powershell/azure/).
-* **Azure Active Directory Service Principal**. Steps in this tutorial provide instructions on how to create a service principal in Azure AD. However, you must be an Azure AD administrator to be able to create a service principal. If you are an Azure AD administrator, you can skip this prerequisite and proceed with the tutorial.
+* **Microsoft Entra service principal**. Steps in this tutorial provide instructions on how to create a service principal in Microsoft Entra ID. However, you must be a Microsoft Entra administrator to be able to create a service principal. If you are a Microsoft Entra administrator, you can skip this prerequisite and proceed with the tutorial.
- **If you are not an Azure AD administrator**, you will not be able to perform the steps required to create a service principal. In such a case, your Azure AD administrator must first create a service principal before you can create an HDInsight cluster with Data Lake Storage Gen1. Also, the service principal must be created using a certificate, as described at [Create a service principal with certificate](../active-directory/develop/howto-authenticate-service-principal-powershell.md#create-service-principal-with-certificate-from-certificate-authority).
+ **If you are not a Microsoft Entra administrator**, you will not be able to perform the steps required to create a service principal. In such a case, your Microsoft Entra administrator must first create a service principal before you can create an HDInsight cluster with Data Lake Storage Gen1. Also, the service principal must be created using a certificate, as described at [Create a service principal with certificate](../active-directory/develop/howto-authenticate-service-principal-powershell.md#create-service-principal-with-certificate-from-certificate-authority).
## Create an HDInsight cluster with Data Lake Storage Gen1 The Resource Manager template, and the prerequisites for using the template, are available on GitHub at [Deploy a HDInsight Linux cluster with new Data Lake Storage Gen1](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.hdinsight/hdinsight-datalake-store-azure-storage). Follow the instructions provided at this link to create an HDInsight cluster with Data Lake Storage Gen1 as the additional storage.
The template deploys these resource types:
The Resource Manager template creates a new storage account with Data Lake Storage Gen1 and associates it with the HDInsight cluster. You must now upload some sample data to Data Lake Storage Gen1. You'll need this data later in the tutorial to run jobs from an HDInsight cluster that access data in the storage account with Data Lake Storage Gen1. For instructions on how to upload data, see [Upload a file to Data Lake Storage Gen1](data-lake-store-get-started-portal.md#uploaddata). If you are looking for some sample data to upload, you can get the **Ambulance Data** folder from the [Azure Data Lake Git Repository](https://github.com/Azure/usql/tree/master/Examples/Samples/Data/AmbulanceData). ## Set relevant ACLs on the sample data
-To make sure the sample data you upload is accessible from the HDInsight cluster, you must ensure that the Azure AD application that is used to establish identity between the HDInsight cluster and Data Lake Storage Gen1 has access to the file/folder you are trying to access. To do this, perform the following steps.
+To make sure the sample data you upload is accessible from the HDInsight cluster, you must ensure that the Microsoft Entra application that is used to establish identity between the HDInsight cluster and Data Lake Storage Gen1 has access to the file/folder you are trying to access. To do this, perform the following steps.
-1. Find the name of the Azure AD application that is associated with HDInsight cluster and the storage account with Data Lake Storage Gen1. One way to look for the name is to open the HDInsight cluster blade that you created using the Resource Manager template, click the **Cluster Azure AD Identity** tab, and look for the value of **Service Principal Display Name**.
-2. Now, provide access to this Azure AD application on the file/folder that you want to access from the HDInsight cluster. To set the right ACLs on the file/folder in Data Lake Storage Gen1, see [Securing data in Data Lake Storage Gen1](data-lake-store-secure-data.md#filepermissions).
+1. Find the name of the Microsoft Entra application that is associated with HDInsight cluster and the storage account with Data Lake Storage Gen1. One way to look for the name is to open the HDInsight cluster blade that you created using the Resource Manager template, click the **Cluster Microsoft Entra identity** tab, and look for the value of **Service Principal Display Name**.
+2. Now, provide access to this Microsoft Entra application on the file/folder that you want to access from the HDInsight cluster. To set the right ACLs on the file/folder in Data Lake Storage Gen1, see [Securing data in Data Lake Storage Gen1](data-lake-store-secure-data.md#filepermissions).
## Run test jobs on the HDInsight cluster to use Data Lake Storage Gen1 After you have configured an HDInsight cluster, you can run test jobs on the cluster to test that the HDInsight cluster can access Data Lake Storage Gen1. To do so, we will run a sample Hive job that creates a table using the sample data that you uploaded earlier to your storage account with Data Lake Storage Gen1.
data-lake-store Data Lake Store Network Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-network-security.md
This article introduces virtual network integration for Azure Data Lake Storage
This feature helps to secure your Data Lake Storage account from external threats.
-Virtual network integration for Data Lake Storage Gen1 makes use of the virtual network service endpoint security between your virtual network and Azure Active Directory (Azure AD) to generate additional security claims in the access token. These claims are then used to authenticate your virtual network to your Data Lake Storage Gen1 account and allow access.
+Virtual network integration for Data Lake Storage Gen1 makes use of the virtual network service endpoint security between your virtual network and Microsoft Entra ID to generate additional security claims in the access token. These claims are then used to authenticate your virtual network to your Data Lake Storage Gen1 account and allow access.
> [!NOTE] > There's no additional charge associated with using these capabilities. Your account is billed at the standard rate for Data Lake Storage Gen1. For more information, see [pricing](https://azure.microsoft.com/pricing/details/data-lake-store/?cdn=disable). For all other Azure services that you use, see [pricing](https://azure.microsoft.com/pricing/#product-picker).
Some available options are:
## Configuration
-### Step 1: Configure your virtual network to use an Azure AD service endpoint
+<a name='step-1-configure-your-virtual-network-to-use-an-azure-ad-service-endpoint'></a>
+
+### Step 1: Configure your virtual network to use a Microsoft Entra service endpoint
1. Go to the Azure portal, and sign in to your account.
You can enable connectivity from Azure services and VMs outside of your selected
![Firewall and virtual network exceptions](media/data-lake-store-network-security/firewall-exceptions.png)
-We recommend that you keep these exceptions turned off. Turn them on only if you need connectivity from these other services from outside your virtual network.
+We recommend that you keep these exceptions turned off. Turn them on only if you need connectivity from these other services from outside your virtual network.
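Review bot: the removed and added lines are textually identical, so this hunk is a whitespace-only change (most likely trailing whitespace or line endings); fine if that is intended cleanup, otherwise drop it so the rename commit stays focused on the rename.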
data-lake-store Data Lake Store Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-overview.md
Data Lake Storage Gen1 containers for data are essentially folders and files. Yo
## <a name="DataLakeStoreSecurity"></a>Securing data
-Data Lake Storage Gen1 uses Azure Active Directory (Azure AD) for authentication, and access control lists (ACLs) to manage access to your data.
+Data Lake Storage Gen1 uses Microsoft Entra ID for authentication, and access control lists (ACLs) to manage access to your data.
| Feature | Description | | | |
-| Authentication |Data Lake Storage Gen1 integrates with Azure AD for identity and access management for all the data stored in Data Lake Storage Gen1. Because of the integration, Data Lake Storage Gen1 benefits from all Azure AD feature such as multi-factor authentication, Conditional Access, Azure role-based access control, application usage monitoring, security monitoring and alerting, and so on. Data Lake Storage Gen1 supports the OAuth 2.0 protocol for authentication within the REST interface. See [Data Lake Storage Gen1 authentication](data-lakes-store-authentication-using-azure-active-directory.md).|
+| Authentication |Data Lake Storage Gen1 integrates with Microsoft Entra ID for identity and access management for all the data stored in Data Lake Storage Gen1. Because of the integration, Data Lake Storage Gen1 benefits from all Microsoft Entra feature such as multi-factor authentication, Conditional Access, Azure role-based access control, application usage monitoring, security monitoring and alerting, and so on. Data Lake Storage Gen1 supports the OAuth 2.0 protocol for authentication within the REST interface. See [Data Lake Storage Gen1 authentication](data-lakes-store-authentication-using-azure-active-directory.md).|
| Access control |Data Lake Storage Gen1 provides access control by supporting POSIX-style permissions exposed by the WebHDFS protocol. You can enable ACLs on the root folder, on subfolders, and on individual files. For more information about how ACLs work in the context of Data Lake Storage Gen1, see [Access control in Data Lake Storage Gen1](data-lake-store-access-control.md). | | Encryption |Data Lake Storage Gen1 also provides encryption for data that's stored in the account. You specify the encryption settings while creating a Data Lake Storage Gen1 account. You can choose to have your data encrypted or opt for no encryption. For more information, see [Encryption in Data Lake Storage Gen1](data-lake-store-encryption.md). For instructions on how to provide encryption-related configuration, see [Get started with Data Lake Storage Gen1 using the Azure portal](data-lake-store-get-started-portal.md). |
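Review bot: the rewritten Authentication row keeps the pre-existing grammar slip "benefits from all Microsoft Entra feature such as"; since the line is being touched anyway, make it "all Microsoft Entra features such as". The link target in the same row, `data-lakes-store-authentication-using-azure-active-directory.md`, also looks wrong: every other relative link in this table uses the `data-lake-store-` prefix, so `data-lakes-store-` is probably a broken link worth verifying before merge.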
You can access your data in Data Lake Storage Gen1 using `adl://<data_lake_stora
- [Get started with Data Lake Storage Gen1 using the Azure portal](data-lake-store-get-started-portal.md) - [Get started with Data Lake Storage Gen1 using .NET SDK](data-lake-store-get-started-net-sdk.md)-- [Use Azure HDInsight with Data Lake Storage Gen1](data-lake-store-hdinsight-hadoop-use-portal.md)
+- [Use Azure HDInsight with Data Lake Storage Gen1](data-lake-store-hdinsight-hadoop-use-portal.md)
data-lake-store Data Lake Store Secure Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-secure-data.md
# Securing data stored in Azure Data Lake Storage Gen1 Securing data in Azure Data Lake Storage Gen1 is a three-step approach. Both Azure role-based access control (Azure RBAC) and access control lists (ACLs) must be set to fully enable access to data for users and security groups.
-1. Start by creating security groups in Azure Active Directory (Azure AD). These security groups are used to implement Azure role-based access control (Azure RBAC) in the Azure portal. For more information, see [Azure RBAC](../role-based-access-control/role-assignments-portal.md).
-2. Assign the Azure AD security groups to the Data Lake Storage Gen1 account. This controls access to the Data Lake Storage Gen1 account from the portal and management operations from the portal or APIs.
-3. Assign the Azure AD security groups as access control lists (ACLs) on the Data Lake Storage Gen1 file system.
+1. Start by creating security groups in Microsoft Entra ID. These security groups are used to implement Azure role-based access control (Azure RBAC) in the Azure portal. For more information, see [Azure RBAC](../role-based-access-control/role-assignments-portal.md).
+2. Assign the Microsoft Entra security groups to the Data Lake Storage Gen1 account. This controls access to the Data Lake Storage Gen1 account from the portal and management operations from the portal or APIs.
+3. Assign the Microsoft Entra security groups as access control lists (ACLs) on the Data Lake Storage Gen1 file system.
4. Additionally, you can also set an IP address range for clients that can access the data in Data Lake Storage Gen1. This article provides instructions on how to use the Azure portal to perform the above tasks. For in-depth information on how Data Lake Storage Gen1 implements security at the account and data level, see [Security in Azure Data Lake Storage Gen1](data-lake-store-security-overview.md). For deep-dive information on how ACLs are implemented in Data Lake Storage Gen1, see [Overview of Access Control in Data Lake Storage Gen1](data-lake-store-access-control.md).
Before you begin this tutorial, you must have the following:
* **An Azure subscription**. See [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/). * **A Data Lake Storage Gen1 account**. For instructions on how to create one, see [Get started with Azure Data Lake Storage Gen1](data-lake-store-get-started-portal.md)
-## Create security groups in Azure Active Directory
-For instructions on how to create Azure AD security groups and how to add users to the group, see [Managing security groups in Azure Active Directory](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).
+<a name='create-security-groups-in-azure-active-directory'></a>
+
+## Create security groups in Microsoft Entra ID
+For instructions on how to create Microsoft Entra security groups and how to add users to the group, see [Managing security groups in Microsoft Entra ID](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).
> [!NOTE]
-> You can add both users and other groups to a group in Azure AD using the Azure portal. However, in order to add a service principal to a group, use [Azure ADΓÇÖs PowerShell module](../active-directory/enterprise-users/groups-settings-v2-cmdlets.md).
+> You can add both users and other groups to a group in Microsoft Entra ID using the Azure portal. However, in order to add a service principal to a group, use [Microsoft Entra IDΓÇÖs PowerShell module](../active-directory/enterprise-users/groups-settings-v2-cmdlets.md).
> > ```powershell > # Get the desired group and service principal and identify the correct object IDs
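Review bot: the added note line carries the mis-encoded apostrophe forward in its link text, "Microsoft Entra IDΓÇÖs PowerShell module"; the ΓÇÖ sequence is a UTF-8 right single quote read through the wrong code page. If the source file really contains those bytes, replace them with a plain apostrophe ("Microsoft Entra ID's PowerShell module") instead of preserving the garbage in the renamed text.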
When you assign users or security groups to Data Lake Storage Gen1 accounts, you
![Assign security group to Azure Data Lake Storage Gen1 account](./media/data-lake-store-secure-data/adl.select.user.icon1.png "Assign security group to Azure Data Lake Storage Gen1 account")
-3. In the **Access Control (IAM)** blade, click **Add** to open the **Add permissions** blade. In the **Add permissions** blade, select a **Role** for the user/group. Look for the security group you created earlier in Azure Active Directory and select it. If you have a lot of users and groups to search from, use the **Select** text box to filter on the group name.
+3. In the **Access Control (IAM)** blade, click **Add** to open the **Add permissions** blade. In the **Add permissions** blade, select a **Role** for the user/group. Look for the security group you created earlier in Microsoft Entra ID and select it. If you have a lot of users and groups to search from, use the **Select** text box to filter on the group name.
![Add a role for the user](./media/data-lake-store-secure-data/adl.add.user.1.png "Add a role for the user")
By assigning user/security groups to the Data Lake Storage Gen1 file system, you
* **Assigned permissions** corresponds to the POSIX ACLs that enable you to set permissions for specific named users or groups beyond the file's owner or group. For more information, see [HDFS ACLs](https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#ACLs_Access_Control_Lists). For more information on how ACLs are implemented in Data Lake Storage Gen1, see [Access Control in Data Lake Storage Gen1](data-lake-store-access-control.md).
-4. Click the **Add** icon to open the **Assign permissions** blade. In this blade, click **Select user or group**, and then in **Select user or group** blade, look for the security group you created earlier in Azure Active Directory. If you have a lot of groups to search from, use the text box at the top to filter on the group name. Click the group you want to add and then click **Select**.
+4. Click the **Add** icon to open the **Assign permissions** blade. In this blade, click **Select user or group**, and then in **Select user or group** blade, look for the security group you created earlier in Microsoft Entra ID. If you have a lot of groups to search from, use the text box at the top to filter on the group name. Click the group you want to add and then click **Select**.
![Add a group](./media/data-lake-store-secure-data/adl.acl.3.png "Add a group") 5. Click **Select permissions**, select the permissions, whether the permissions should be applied to recursively, and whether you want to assign the permissions as an access ACL, default ACL, or both. Click **OK**.
data-lake-store Data Lake Store Security Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-security-overview.md
Many enterprises are taking advantage of big data analytics for business insight
## Authentication and identity management
-Authentication is the process by which a user's identity is verified when the user interacts with Data Lake Storage Gen1 or with any service that connects to Data Lake Storage Gen1. For identity management and authentication, Data Lake Storage Gen1 uses [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md), a comprehensive identity and access management cloud solution that simplifies the management of users and groups.
+Authentication is the process by which a user's identity is verified when the user interacts with Data Lake Storage Gen1 or with any service that connects to Data Lake Storage Gen1. For identity management and authentication, Data Lake Storage Gen1 uses [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md), a comprehensive identity and access management cloud solution that simplifies the management of users and groups.
-Each Azure subscription can be associated with an instance of Azure Active Directory. Only users and service identities that are defined in your Azure Active Directory service can access your Data Lake Storage Gen1 account, by using the Azure portal, command-line tools, or through client applications your organization builds by using the Data Lake Storage Gen1 SDK. Key advantages of using Azure Active Directory as a centralized access control mechanism are:
+Each Azure subscription can be associated with an instance of Microsoft Entra ID. Only users and service identities that are defined in your Microsoft Entra service can access your Data Lake Storage Gen1 account, by using the Azure portal, command-line tools, or through client applications your organization builds by using the Data Lake Storage Gen1 SDK. Key advantages of using Microsoft Entra ID as a centralized access control mechanism are:
* Simplified identity lifecycle management. The identity of a user or a service (a service principal identity) can be quickly created and quickly revoked by simply deleting or disabling the account in the directory. * Multi-factor authentication. [Multi-factor authentication](../active-directory/authentication/concept-mfa-howitworks.md) provides an additional layer of security for user sign-ins and transactions.
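Review bot: "defined in your Microsoft Entra service" is an awkward mechanical rendering of the old "Azure Active Directory service"; the thing a subscription is associated with is a tenant, so "defined in your Microsoft Entra tenant" reads better and agrees with the preceding sentence ("an instance of Microsoft Entra ID").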
Each Azure subscription can be associated with an instance of Azure Active Direc
## Authorization and access control
-After Azure Active Directory authenticates a user so that the user can access Data Lake Storage Gen1, authorization controls access permissions for Data Lake Storage Gen1. Data Lake Storage Gen1 separates authorization for account-related and data-related activities in the following manner:
+After Microsoft Entra authenticates a user so that the user can access Data Lake Storage Gen1, authorization controls access permissions for Data Lake Storage Gen1. Data Lake Storage Gen1 separates authorization for account-related and data-related activities in the following manner:
* [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md) for account management * POSIX ACL for accessing data in the store
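Review bot: "After Microsoft Entra authenticates a user" uses the product family name as the subject of the sentence; the service that actually performs the authentication is Microsoft Entra ID, and the rest of this file says "Microsoft Entra ID" wherever the service itself is meant, so "After Microsoft Entra ID authenticates a user" is the consistent form.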
For instructions, see [Assign users or security groups to Data Lake Storage Gen1
Data Lake Storage Gen1 is a hierarchical file system like Hadoop Distributed File System (HDFS), and it supports [POSIX ACLs](https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-hdfs/HdfsPermissionsGuide.html#ACLs_Access_Control_Lists). It controls read (r), write (w), and execute (x) permissions to resources for the Owner role, for the Owners group, and for other users and groups. In Data Lake Storage Gen1, ACLs can be enabled on the root folder, on subfolders, and on individual files. For more information on how ACLs work in context of Data Lake Storage Gen1, see [Access control in Data Lake Storage Gen1](data-lake-store-access-control.md).
-We recommend that you define ACLs for multiple users by using [security groups](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). Add users to a security group, and then assign the ACLs for a file or folder to that security group. This is useful when you want to provide assigned permissions, because you are limited to a maximum of 28 entries for assigned permissions. For more information about how to better secure data stored in Data Lake Storage Gen1 by using Azure Active Directory security groups, see [Assign users or security group as ACLs to the Data Lake Storage Gen1 file system](data-lake-store-secure-data.md#filepermissions).
+We recommend that you define ACLs for multiple users by using [security groups](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). Add users to a security group, and then assign the ACLs for a file or folder to that security group. This is useful when you want to provide assigned permissions, because you are limited to a maximum of 28 entries for assigned permissions. For more information about how to better secure data stored in Data Lake Storage Gen1 by using Microsoft Entra security groups, see [Assign users or security group as ACLs to the Data Lake Storage Gen1 file system](data-lake-store-secure-data.md#filepermissions).
![List access permissions](./media/data-lake-store-security-overview/adl.acl.2.png "List access permissions")
For more information on working with diagnostic logs with Data Lake Storage Gen1
## Summary
-Enterprise customers demand a data analytics cloud platform that is secure and easy to use. Data Lake Storage Gen1 is designed to help address these requirements through identity management and authentication via Azure Active Directory integration, ACL-based authorization, network isolation, data encryption in transit and at rest, and auditing.
+Enterprise customers demand a data analytics cloud platform that is secure and easy to use. Data Lake Storage Gen1 is designed to help address these requirements through identity management and authentication via Microsoft Entra integration, ACL-based authorization, network isolation, data encryption in transit and at rest, and auditing.
If you want to see new features in Data Lake Storage Gen1, send us your feedback in the [Data Lake Storage Gen1 UserVoice forum](https://feedback.azure.com/d365community/forum/7fd97106-7326-ec11-b6e6-000d3a4f032c).
data-lake-store Data Lake Store Service To Service Authenticate Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-service-to-service-authenticate-java.md
Title: Service-to-service authentication - Data Lake Storage Gen2 ΓÇô Java SDK
-description: Learn how to achieve service-to-service authentication with Azure Data Lake Storage Gen2 using Azure Active Directory with Java
+description: Learn how to achieve service-to-service authentication with Azure Data Lake Storage Gen2 using Microsoft Entra ID with Java
In this article, you learn about how to use the Java SDK to do service-to-servic
* **An Azure subscription**. See [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/).
-* **Create an Azure Active Directory "Web" Application**. You must have completed the steps in [Service-to-service authentication with Data Lake Storage Gen2 using Azure Active Directory](data-lake-store-service-to-service-authenticate-using-active-directory.md).
+* **Create a Microsoft Entra ID "Web" Application**. You must have completed the steps in [Service-to-service authentication with Data Lake Storage Gen2 using Microsoft Entra ID](data-lake-store-service-to-service-authenticate-using-active-directory.md).
* [Maven](https://maven.apache.org/install.html). This tutorial uses Maven for build and project dependencies. Although it is possible to build without using a build system like Maven or Gradle, these systems make it much easier to manage dependencies.
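Review bot: the added prerequisite bullet reads "Create a Microsoft Entra ID "Web" Application", while the later hunk in this same file says "Microsoft Entra Web application"; pick one form. Since this commit uses "Microsoft Entra" attributively elsewhere ("Microsoft Entra application", "Microsoft Entra service principal"), "Create a Microsoft Entra "Web" application" is the better choice for both.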
In this article, you learn about how to use the Java SDK to do service-to-servic
4. Use the following snippet in your Java app to obtain a token for the Active Directory web app you created earlier using one of the class of `StorageSharedKeyCredential` (the following example uses `credential`). The token provider caches the credentials used to obtain the token in memory, and automatically renews the token if it's about to expire. It's possible to create your own subclasses of `StorageSharedKeyCredential` so tokens are obtained by your customer code. For now, let's just use the one provided in the SDK.
- Replace **FILL-IN-HERE** with the actual values for the Azure Active Directory Web application.
+ Replace **FILL-IN-HERE** with the actual values for the Microsoft Entra Web application.
```java private static String clientId = "FILL-IN-HERE";
data-lake-store Data Lake Store Service To Service Authenticate Net Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-service-to-service-authenticate-net-sdk.md
Title: .NET - Service-to-service authentication - Data Lake Storage Gen1
-description: Learn how to achieve service-to-service authentication with Azure Data Lake Storage Gen1 using Azure Active Directory using .NET SDK
+description: Learn how to achieve service-to-service authentication with Azure Data Lake Storage Gen1 using Microsoft Entra ID using .NET SDK
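Review bot: the rewritten description now reads "...using Microsoft Entra ID using .NET SDK", a doubled "using" that was already awkward in the old text; suggest "with Azure Data Lake Storage Gen1 and Microsoft Entra ID using the .NET SDK", which is the "and" form the REST article's description at the end of this change already uses.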
In this article, you learn about how to use the .NET SDK to do service-to-servic
* **An Azure subscription**. See [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/).
-* **Create an Azure Active Directory "Web" Application**. You must have completed the steps in [Service-to-service authentication with Data Lake Storage Gen1 using Azure Active Directory](data-lake-store-service-to-service-authenticate-using-active-directory.md).
+* **Create a Microsoft Entra ID "Web" Application**. You must have completed the steps in [Service-to-service authentication with Data Lake Storage Gen1 using Microsoft Entra ID](data-lake-store-service-to-service-authenticate-using-active-directory.md).
## Create a .NET application 1. In Visual Studio, select the **File** menu, **New**, and then **Project**.
using Microsoft.IdentityModel.Clients.ActiveDirectory;
``` ## Service-to-service authentication with client secret
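Review bot: the prerequisite bullet says "Create a Microsoft Entra ID "Web" Application" while the client-secret section directly below it says "a Microsoft Entra web application"; align on one form within the file, preferably the attributive "Microsoft Entra "Web" application" that the rest of the commit uses.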
-Add this snippet in your .NET client application. Replace the placeholder values with the values retrieved from an Azure AD web application (listed as a prerequisite). This snippet lets you authenticate your application **non-interactively** with Data Lake Storage Gen1 using the client secret/key for Azure AD web application.
+Add this snippet in your .NET client application. Replace the placeholder values with the values retrieved from a Microsoft Entra web application (listed as a prerequisite). This snippet lets you authenticate your application **non-interactively** with Data Lake Storage Gen1 using the client secret/key for Microsoft Entra web application.
```csharp private static void Main(string[] args)
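Review bot: the added line drops the article in "using the client secret/key for Microsoft Entra web application"; the old text had the same slip, and the certificate section further down in this file writes "for a Microsoft Entra web application", so make this line "for a Microsoft Entra web application" as well.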
The preceding snippet uses a helper function `GetCreds_SPI_SecretKey`. The code
## Service-to-service authentication with certificate
-Add this snippet in your .NET client application. Replace the placeholder values with the values retrieved from an Azure AD web application (listed as a prerequisite). This snippet lets you authenticate your application **non-interactively** with Data Lake Storage Gen1 using the certificate for an Azure AD web application. For instructions on how to create an Azure AD application, see [Create service principal with certificates](../active-directory/develop/howto-authenticate-service-principal-powershell.md#create-service-principal-with-self-signed-certificate).
+Add this snippet in your .NET client application. Replace the placeholder values with the values retrieved from a Microsoft Entra web application (listed as a prerequisite). This snippet lets you authenticate your application **non-interactively** with Data Lake Storage Gen1 using the certificate for a Microsoft Entra web application. For instructions on how to create a Microsoft Entra application, see [Create service principal with certificates](../active-directory/develop/howto-authenticate-service-principal-powershell.md#create-service-principal-with-self-signed-certificate).
```csharp private static void Main(string[] args)
data-lake-store Data Lake Store Service To Service Authenticate Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-service-to-service-authenticate-python.md
Title: Python - Service-to-service authentication - Data Lake Storage Gen1
-description: Learn how to achieve service-to-service authentication with Azure Data Lake Storage Gen1 using Azure Active Directory using Python
+description: Learn how to achieve service-to-service authentication with Azure Data Lake Storage Gen1 using Microsoft Entra ID using Python
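Review bot: the rewritten description has the same doubled "using" as the .NET article ("...using Microsoft Entra ID using Python"); suggest "with Azure Data Lake Storage Gen1 and Microsoft Entra ID using Python", matching the "and" form of the REST article's description below.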
In this article, you learn about how to use the Python SDK to do service-to-serv
* **An Azure subscription**. See [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/).
-* **Create an Azure Active Directory "Web" Application**. You must have completed the steps in [Service-to-service authentication with Data Lake Storage Gen1 using Azure Active Directory](data-lake-store-service-to-service-authenticate-using-active-directory.md).
+* **Create a Microsoft Entra ID "Web" Application**. You must have completed the steps in [Service-to-service authentication with Data Lake Storage Gen1 using Microsoft Entra ID](data-lake-store-service-to-service-authenticate-using-active-directory.md).
## Install the modules
pip install azure-datalake-store
## Service-to-service authentication with client secret for account management
-Use this snippet to authenticate with Azure AD for account management operations on Data Lake Storage Gen1 such as create a Data Lake Storage Gen1 account, delete a Data Lake Storage Gen1 account, etc. The following snippet can be used to authenticate your application non-interactively, using the client secret for an application / service principal of an existing Azure AD "Web App" application.
+Use this snippet to authenticate with Microsoft Entra ID for account management operations on Data Lake Storage Gen1 such as create a Data Lake Storage Gen1 account, delete a Data Lake Storage Gen1 account, etc. The following snippet can be used to authenticate your application non-interactively, using the client secret for an application / service principal of an existing Microsoft Entra ID "Web App" application.
```python authority_host_uri = 'https://login.microsoftonline.com'
armCreds = AADTokenCredentials(mgmt_token, client_id, resource=RESOURCE)
## Service-to-service authentication with client secret for filesystem operations
-Use the following snippet to authenticate with Azure AD for filesystem operations on Data Lake Storage Gen1 such as create folder, upload file, etc. The following snippet can be used to authenticate your application non-interactively, using the client secret for an application / service principal. Use this with an existing Azure AD "Web App" application.
+Use the following snippet to authenticate with Microsoft Entra ID for filesystem operations on Data Lake Storage Gen1 such as create folder, upload file, etc. The following snippet can be used to authenticate your application non-interactively, using the client secret for an application / service principal. Use this with an existing Microsoft Entra ID "Web App" application.
```python tenant = '<TENANT>'
Use this snippet to authenticate with Azure AD for account management operations
In this article, you learned how to use service-to-service authentication to authenticate with Data Lake Storage Gen1 using Python. You can now look at the following articles that talk about how to use Python to work with Data Lake Storage Gen1. * [Account management operations on Data Lake Storage Gen1 using Python](data-lake-store-get-started-python.md)
-* [Data operations on Data Lake Storage Gen1 using Python](data-lake-store-data-operations-python.md)
+* [Data operations on Data Lake Storage Gen1 using Python](data-lake-store-data-operations-python.md)
data-lake-store Data Lake Store Service To Service Authenticate Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-service-to-service-authenticate-rest-api.md
Title: REST - Service-to-service authentication - Data Lake Storage Gen1 - Azure
-description: Learn how to achieve service-to-service authentication with Azure Data Lake Storage Gen1 and Azure Active Directory using the REST API.
+description: Learn how to achieve service-to-service authentication with Azure Data Lake Storage Gen1 and Microsoft Entra ID using the REST API.
In this article, you learn how to use the REST API to do service-to-service auth
* **An Azure subscription**. See [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/).
-* **Create an Azure Active Directory "Web" Application**. You must have completed the steps in [Service-to-service authentication with Data Lake Storage Gen1 using Azure Active Directory](data-lake-store-service-to-service-authenticate-using-active-directory.md).
+* **Create a Microsoft Entra ID "Web" Application**. You must have completed the steps in [Service-to-service authentication with Data Lake Storage Gen1 using Microsoft Entra ID](data-lake-store-service-to-service-authenticate-using-active-directory.md).
## Service-to-service authentication
This article uses the **non-interactive** approach. For more information on non-
In this article, you learned how to use service-to-service authentication to authenticate with Data Lake Storage Gen1 using REST API. You can now look at the following articles that talk about how to use the REST API to work with Data Lake Storage Gen1. * [Account management operations on Data Lake Storage Gen1 using REST API](data-lake-store-get-started-rest-api.md)
-* [Data operations on Data Lake Storage Gen1 using REST API](data-lake-store-data-operations-rest-api.md)
+* [Data operations on Data Lake Storage Gen1 using REST API](data-lake-store-data-operations-rest-api.md)
data-lake-store Data Lake Store Service To Service Authenticate Using Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md
Title: Service-to-service authentication - Data Lake Storage Gen1 - Azure
-description: Learn how to achieve service-to-service authentication with Azure Data Lake Storage Gen1 using Azure Active Directory.
+description: Learn how to achieve service-to-service authentication with Azure Data Lake Storage Gen1 using Microsoft Entra ID.
Last updated 05/29/2018
-# Service-to-service authentication with Azure Data Lake Storage Gen1 using Azure Active Directory
+# Service-to-service authentication with Azure Data Lake Storage Gen1 using Microsoft Entra ID
> [!div class="op_single_selector"] > * [End-user authentication](data-lake-store-end-user-authenticate-using-active-directory.md) > * [Service-to-service authentication](data-lake-store-service-to-service-authenticate-using-active-directory.md) > >
-Azure Data Lake Storage Gen1 uses Azure Active Directory for authentication. Before authoring an application that works with Data Lake Storage Gen1, you must decide how to authenticate your application with Azure Active Directory (Azure AD). The two main options available are:
+Azure Data Lake Storage Gen1 uses Microsoft Entra ID for authentication. Before authoring an application that works with Data Lake Storage Gen1, you must decide how to authenticate your application with Microsoft Entra ID. The two main options available are:
* End-user authentication * Service-to-service authentication (this article) Both these options result in your application being provided with an OAuth 2.0 token, which gets attached to each request made to Data Lake Storage Gen1.
-This article talks about how to create an **Azure AD web application for service-to-service authentication**. For instructions on Azure AD application configuration for end-user authentication, see [End-user authentication with Data Lake Storage Gen1 using Azure Active Directory](data-lake-store-end-user-authenticate-using-active-directory.md).
+This article talks about how to create an **Microsoft Entra web application for service-to-service authentication**. For instructions on Microsoft Entra application configuration for end-user authentication, see [End-user authentication with Data Lake Storage Gen1 using Microsoft Entra ID](data-lake-store-end-user-authenticate-using-active-directory.md).
## Prerequisites * An Azure subscription. See [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/). ## Step 1: Create an Active Directory web application
-Create and configure an Azure AD web application for service-to-service authentication with Azure Data Lake Storage Gen1 using Azure Active Directory. For instructions, see [Create an Azure AD application](../active-directory/develop/howto-create-service-principal-portal.md).
+Create and configure a Microsoft Entra web application for service-to-service authentication with Azure Data Lake Storage Gen1 using Microsoft Entra ID. For instructions, see [Create a Microsoft Entra application](../active-directory/develop/howto-create-service-principal-portal.md).
While following the instructions at the preceding link, make sure you select **Web App / API** for application type, as shown in the following screenshot:
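Review bot: In the replaced sentence above ("This article talks about how to create an **Microsoft Entra web application for service-to-service authentication**"), the article should be "a", not "an", now that the noun phrase begins with "Microsoft". Also, the unchanged heading "## Step 1: Create an Active Directory web application" keeps the old product name while the paragraph under it was renamed; suggest "## Step 1: Create a Microsoft Entra web application", with an `<a name>` anchor for the old slug as is done for the Step 3 heading later in this file.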
When programmatically logging in, you need the ID for your application. If the a
* For instructions on how to retrieve the tenant ID, see [Get tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
-## Step 3: Assign the Azure AD application to the Azure Data Lake Storage Gen1 account file or folder
+<a name='step-3-assign-the-azure-ad-application-to-the-azure-data-lake-storage-gen1-account-file-or-folder'></a>
+## Step 3: Assign the Microsoft Entra application to the Azure Data Lake Storage Gen1 account file or folder
-1. Sign on to the [Azure portal](https://portal.azure.com). Open the Data Lake Storage Gen1 account that you want to associate with the Azure Active Directory application you created earlier.
+
+1. Sign on to the [Azure portal](https://portal.azure.com). Open the Data Lake Storage Gen1 account that you want to associate with the Microsoft Entra application you created earlier.
2. In your Data Lake Storage Gen1 account blade, click **Data Explorer**. ![Create directories in Data Lake Storage Gen1 account](./media/data-lake-store-authenticate-using-active-directory/adl.start.data.explorer.png "Create directories in Data Lake account")
-3. In the **Data Explorer** blade, click the file or folder for which you want to provide access to the Azure AD application, and then click **Access**. To configure access to a file, you must click **Access** from the **File Preview** blade.
+3. In the **Data Explorer** blade, click the file or folder for which you want to provide access to the Microsoft Entra application, and then click **Access**. To configure access to a file, you must click **Access** from the **File Preview** blade.
![Set ACLs on Data Lake file system](./media/data-lake-store-authenticate-using-active-directory/adl.acl.1.png "Set ACLs on Data Lake file system") 4. The **Access** blade lists the standard access and custom access already assigned to the root. Click the **Add** icon to add custom-level ACLs. ![List standard and custom access](./media/data-lake-store-authenticate-using-active-directory/adl.acl.2.png "List standard and custom access")
-5. Click the **Add** icon to open the **Add Custom Access** blade. In this blade, click **Select User or Group**, and then in **Select User or Group** blade, look for the Azure Active Directory application you created earlier. If you have many groups to search from, use the text box at the top to filter on the group name. Click the group you want to add and then click **Select**.
+5. Click the **Add** icon to open the **Add Custom Access** blade. In this blade, click **Select User or Group**, and then in **Select User or Group** blade, look for the Microsoft Entra application you created earlier. If you have many groups to search from, use the text box at the top to filter on the group name. Click the group you want to add and then click **Select**.
![Add a group](./media/data-lake-store-authenticate-using-active-directory/adl.acl.3.png "Add a group") 6. Click **Select Permissions**, select the permissions and whether you want to assign the permissions as a default ACL, access ACL, or both. Click **OK**.
When programmatically logging in, you need the ID for your application. If the a
![Screenshot of the Access blade with the newly added group called out in the Custom Access section.](./media/data-lake-store-authenticate-using-active-directory/adl.acl.5.png "Assign permissions to group") > [!NOTE]
-> If you plan on restricting your Azure Active Directory application to a specific folder, you will also need to give that same Azure Active directory application **Execute** permission to the root to enable file creation access via the .NET SDK.
+> If you plan on restricting your Microsoft Entra application to a specific folder, you will also need to give that same Microsoft Entra application **Execute** permission to the root to enable file creation access via the .NET SDK.
> [!NOTE]
-> If you want to use the SDKs to create a Data Lake Storage Gen1 account, you must assign the Azure AD web application as a role to the Resource Group in which you create the Data Lake Storage Gen1 account.
+> If you want to use the SDKs to create a Data Lake Storage Gen1 account, you must assign the Microsoft Entra web application as a role to the Resource Group in which you create the Data Lake Storage Gen1 account.
> >
When programmatically logging in, you need the ID for your application. If the a
![Screenshot of the Endpoints blade with the O AUTH 2 point O TOKEN ENDPOINT copy icon called out.](./media/data-lake-store-authenticate-using-active-directory/oauth-token-endpoint-1.png "OAuth token endpoint") ## Next steps
-In this article, you created an Azure AD web application and gathered the information you need in your client applications that you author using .NET SDK, Java, Python, REST API, etc. You can now proceed to the following articles that talk about how to use the Azure AD native application to first authenticate with Data Lake Storage Gen1 and then perform other operations on the store.
+In this article, you created a Microsoft Entra web application and gathered the information you need in your client applications that you author using .NET SDK, Java, Python, REST API, etc. You can now proceed to the following articles that talk about how to use the Microsoft Entra native application to first authenticate with Data Lake Storage Gen1 and then perform other operations on the store.
* [Service-to-service authentication with Data Lake Storage Gen1 using Java](data-lake-store-service-to-service-authenticate-java.md) * [Service-to-service authentication with Data Lake Storage Gen1 using .NET SDK](data-lake-store-service-to-service-authenticate-net-sdk.md)
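Review bot: The second sentence of the replaced Next steps paragraph says "how to use the Microsoft Entra native application", but this article creates a web application (first sentence of the same paragraph and the Step 1 heading); suggest "Microsoft Entra web application" so the two sentences agree.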
data-lake-store Data Lakes Store Authentication Using Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/data-lakes-store-authentication-using-azure-active-directory.md
Title: Authentication - Data Lake Storage Gen1 with Azure AD
-description: Learn how to authenticate with Azure Data Lake Storage Gen1 using Azure Active Directory.
+ Title: Authentication - Data Lake Storage Gen1 with Microsoft Entra ID
+description: Learn how to authenticate with Azure Data Lake Storage Gen1 using Microsoft Entra ID.
Last updated 05/29/2018
-# Authentication with Azure Data Lake Storage Gen1 using Azure Active Directory
+# Authentication with Azure Data Lake Storage Gen1 using Microsoft Entra ID
-Azure Data Lake Storage Gen1 uses Azure Active Directory for authentication. Before authoring an application that works with Data Lake Storage Gen1, you must decide how to authenticate your application with Azure Active Directory (Azure AD).
+Azure Data Lake Storage Gen1 uses Microsoft Entra ID for authentication. Before authoring an application that works with Data Lake Storage Gen1, you must decide how to authenticate your application with Microsoft Entra ID.
## Authentication options * **End-user authentication** - An end user's Azure credentials are used to authenticate with Data Lake Storage Gen1. The application you create to work with Data Lake Storage Gen1 prompts for these user credentials. As a result, this authentication mechanism is *interactive* and the application runs in the logged in user's context. For more information and instructions, see [End-user authentication for Data Lake Storage Gen1](data-lake-store-end-user-authenticate-using-active-directory.md).
-* **Service-to-service authentication** - Use this option if you want an application to authenticate itself with Data Lake Storage Gen1. In such cases, you create an Azure Active Directory (AD) application and use the key from the Azure AD application to authenticate with Data Lake Storage Gen1. As a result, this authentication mechanism is *non-interactive*. For more information and instructions, see [Service-to-service authentication for Data Lake Storage Gen1](data-lake-store-service-to-service-authenticate-using-active-directory.md).
+* **Service-to-service authentication** - Use this option if you want an application to authenticate itself with Data Lake Storage Gen1. In such cases, you create a Microsoft Entra application and use the key from the Microsoft Entra application to authenticate with Data Lake Storage Gen1. As a result, this authentication mechanism is *non-interactive*. For more information and instructions, see [Service-to-service authentication for Data Lake Storage Gen1](data-lake-store-service-to-service-authenticate-using-active-directory.md).
The following table illustrates how end-user and service-to-service authentication mechanisms are supported for Data Lake Storage Gen1. Here's how you read the table.
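Review bot: The added front-matter line "+ Title: Authentication - Data Lake Storage Gen1 with Microsoft Entra ID" carries a leading space, and the old "Title: Authentication - Data Lake Storage Gen1 with Azure AD" line appears as unchanged context rather than as a removed line, so the front matter may end up with two title keys, one of them indented. Check that the old line is removed and the new one is flush-left.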
The following table illustrates how end-user and service-to-service authenticati
<i>* Click the <b>Γ£ö\*</b> symbol. It's a link.</i><br> <i>** MFA stands for multi-factor authentication</i>
-See [Authentication Scenarios for Azure Active Directory](../active-directory/develop/authentication-vs-authorization.md) for more information on how to use Azure Active Directory for authentication.
+See [Authentication Scenarios for Microsoft Entra ID](../active-directory/develop/authentication-vs-authorization.md) for more information on how to use Microsoft Entra ID for authentication.
## Next steps * [End-user authentication](data-lake-store-end-user-authenticate-using-active-directory.md)
-* [Service-to-service authentication](data-lake-store-service-to-service-authenticate-using-active-directory.md)
+* [Service-to-service authentication](data-lake-store-service-to-service-authenticate-using-active-directory.md)
data-lake-store Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-lake-store/policy-reference.md
Title: Built-in policy definitions for Azure Data Lake Storage Gen1 description: Lists Azure Policy built-in policy definitions for Azure Data Lake Storage Gen1. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
data-manager-for-agri How To Set Up Sensors Customer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-manager-for-agri/how-to-set-up-sensors-customer.md
Follow the steps to integrate with a sensor partner to enable the partner to sta
## Step 1: Identify the sensor partner app and provide consent
-Each sensor partner has their own multi-tenant Azure Active Directory app created and published on the Data Manager for Agriculture platform. The sensor partner supported by default on the platform is Davis Instruments (sensorPartnerId: `DavisInstruments`).
+Each sensor partner has their own multi-tenant Microsoft Entra app created and published on the Data Manager for Agriculture platform. The sensor partner supported by default on the platform is Davis Instruments (sensorPartnerId: `DavisInstruments`).
To start using the on-boarded sensor partners, you need to give consent to the sensor partner so that they start showing up in `App Registrations`. The steps for you to follow:
To start using the on-boarded sensor partners, you need to give consent to the s
2. For Davis Instruments, click on this [link](https://login.microsoftonline.com/common/adminconsent?client_id=30b00405-3b4e-4003-933c-0d96ce47d670) to provide consent.
-3. On the permission review page, Azure Active Directory app requests for minimum "read user profile" permission. This permission level is sufficient for sensor integration with Data Manager for Agriculture.
+3. On the permission review page, Microsoft Entra app requests for minimum "read user profile" permission. This permission level is sufficient for sensor integration with Data Manager for Agriculture.
4. Click on "Accept" button to grant admin consent.
API Endpoint: GET /sensor-events
## Next steps
-* Test our APIs [here](/rest/api/data-manager-for-agri).
+* Test our APIs [here](/rest/api/data-manager-for-agri).
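Review bot: Step 3 of this hunk still reads "Microsoft Entra app requests for minimum "read user profile" permission"; while the line is being touched, suggest "the Microsoft Entra app requests only the minimum "read user profile" permission".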
data-manager-for-agri How To Set Up Sensors Partner https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-manager-for-agri/how-to-set-up-sensors-partner.md
Partners need to be authenticated and authorized to access the Data Manager for
Hence to enable authentication & authorization, partners need to do the following 1. **Create an Azure account** (If you don't have one already created.)
-2. **Create a multi-tenant Azure Active Directory app** - The multi-tenant Azure Active Directory app as the name signifies, has access to multiple customersΓÇÖ tenants, if the customers have given explicit consent to the partner app (explained in the role assignment step).
+2. **Create a multi-tenant Microsoft Entra app** - The multi-tenant Microsoft Entra app as the name signifies, has access to multiple customersΓÇÖ tenants, if the customers have given explicit consent to the partner app (explained in the role assignment step).
-Partners can access the APIs in customer tenant using the multi-tenant Azure Active Directory App, registered in Azure Active Directory. App registration is done on the Azure portal so the Microsoft identity platform can provide authentication and authorization services for your application that in turn accesses Data Manager for Agriculture.
+Partners can access the APIs in customer tenant using the multi-tenant Microsoft Entra App, registered in Microsoft Entra ID. App registration is done on the Azure portal so the Microsoft identity platform can provide authentication and authorization services for your application that in turn accesses Data Manager for Agriculture.
Follow the steps provided in [App Registration](/azure/active-directory/develop/quickstart-register-app#register-an-application) **until the Step 8** to generate the following information:
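Review bot: Capitalisation is inconsistent within this hunk: the second replaced paragraph says "multi-tenant Microsoft Entra App" while the list item just above it says "multi-tenant Microsoft Entra app"; use lowercase "app" throughout.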
Follow the steps provided in [Add a client secret](/azure/active-directory/devel
### Registration
-Once the partner has created a multi-tenant Azure Active Directory app successfully, partners manually share the APP ID and Partner ID with Data Manager for Agriculture by emailing madma@microsoft.com alias. Using this information Data Manager for Agriculture validates if itΓÇÖs an authentic partner and creating a partner identity (sensorPartnerId) using the internal APIs. As part of the registration process, partners are enabled to use their partner ID (sensorPartnerId) while creating the sensor/devices object and also as part of the sensor data that they push.
+Once the partner has created a multi-tenant Microsoft Entra app successfully, partners manually share the APP ID and Partner ID with Data Manager for Agriculture by emailing madma@microsoft.com alias. Using this information Data Manager for Agriculture validates if itΓÇÖs an authentic partner and creating a partner identity (sensorPartnerId) using the internal APIs. As part of the registration process, partners are enabled to use their partner ID (sensorPartnerId) while creating the sensor/devices object and also as part of the sensor data that they push.
Getting the partner ID marks the completion of partner-Data Manager for Agriculture integration. Now, the partner waits for input from any of their sensor customers to initiate their data ingestion into Data Manager for Agriculture.
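Review bot: Grammar in the replaced Registration paragraph: "validates if it's an authentic partner and creating a partner identity" should be "validates that it's an authentic partner and creates a partner identity". The "ΓÇÖ" sequences in this hunk are curly apostrophes shown in the wrong encoding; worth confirming the committed file is UTF-8.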
Based on the sensors that customers use and their respective sensor partnerΓÇÖs
Customers who choose to onboard to a specific partner should have the app ID of that specific partner. Using the app ID customer needs to do the following things in sequence.
-1. **Consent** ΓÇô Since the partnerΓÇÖs app resides in a different tenant and the customer wants the partner to access certain APIs in their Data Manager for Agriculture instance, the customers are required to call a specific endpoint `https://login.microsoft.com/common/adminconsent/clientId=[client_id]` and replace the [client_id] with the partnersΓÇÖ app ID. This enables the customersΓÇÖ Azure Active Directory to recognize this APP ID whenever they use it for role assignment.
+1. **Consent** ΓÇô Since the partnerΓÇÖs app resides in a different tenant and the customer wants the partner to access certain APIs in their Data Manager for Agriculture instance, the customers are required to call a specific endpoint `https://login.microsoft.com/common/adminconsent/clientId=[client_id]` and replace the [client_id] with the partnersΓÇÖ app ID. This enables the customersΓÇÖ Microsoft Entra ID to recognize this APP ID whenever they use it for role assignment.
2. **Identity Access Management (IAM)** ΓÇô As part of Identity access management, customers create a new role assignment to the above app ID, which was provided consent. Data Manager for Agriculture creates a new role called Sensor Partner (In addition to the existing Admin, Contributor, Reader roles). Customers choose the sensor partner role and add the partner app ID and provide access.
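Review bot: The consent endpoint in the replaced Consent step, `https://login.microsoft.com/common/adminconsent/clientId=[client_id]`, does not match the admin-consent link used in the customer-facing page above, `https://login.microsoftonline.com/common/adminconsent?client_id=...` (host and query syntax differ). Since the line is being edited, align it with that form.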
data-manager-for-agri Quickstart Install Data Manager For Agriculture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-manager-for-agri/quickstart-install-data-manager-for-agriculture.md
After providing the details and accepting terms and conditions, select "review +
:::image type="content" source="./media/resource-creation-new.png" alt-text="Screenshot showing data manager for agriculture resource creation flow on Azure portal."::: ## 4: Azure app registration
-You can access Data Manager for Agriculture resource through an app registered in Azure Active Directory. Use the Azure portal for App registration, this enables Microsoft identity platform to provide authentication and authorization services for your app accessing Data Manager for Agriculture.
+You can access Data Manager for Agriculture resource through an app registered in Microsoft Entra ID. Use the Azure portal for App registration, this enables Microsoft identity platform to provide authentication and authorization services for your app accessing Data Manager for Agriculture.
Follow the steps provided in <a href="/azure/active-directory/develop/quickstart-register-app#register-an-application" target="_blank">App Registration</a> **until step 8** to generate the following information:
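Review bot: Comma splice in the replaced paragraph: "Use the Azure portal for App registration, this enables Microsoft identity platform to provide..."; suggest two sentences: "Use the Azure portal for app registration. This enables the Microsoft identity platform to provide...".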
This ensures that the App (registered in the previous step) has been granted acc
The next step is to generate access token, which contains the security credentials required to identify the application against the Azure Role assignments done in the previous step.
-To access Azure Data Manager for Agriculture REST APIs with the service principal, you need to get an Azure AD access token for the service principal.
+To access Azure Data Manager for Agriculture REST APIs with the service principal, you need to get a Microsoft Entra access token for the service principal.
Replace the following parameters in the request: | Parameter | Description | |:|:|
-| Tenant ID | Tenant ID in Azure AD generated in the app registration (step 1) |
+| Tenant ID | Tenant ID in Microsoft Entra ID generated in the app registration (step 1) |
| Client ID | The application (service principal) ID of the application you registered | | Client Secret | The secret generated for the application. |
With working **API endpoint (instanceUri)** and **access_token**, you now can st
## Next steps * See the Hierarchy Model and learn how to create and organize your agriculture data [here](./concepts-hierarchy-model.md) * Understand our REST APIs [here](/rest/api/data-manager-for-agri)
-* [How to create an Azure support request](./how-to-create-azure-support-request.md)
+* [How to create an Azure support request](./how-to-create-azure-support-request.md)
data-share Concepts Roles Permissions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-share/concepts-roles-permissions.md
For storage and data lake snapshot-based sharing, you also need permission to cr
|Azure Data Lake Gen2 | Storage Blob Data Reader | Storage Blob Data Contributor |
-For SQL snapshot-based sharing, a SQL user needs to be created from an external provider in Azure SQL Database with the same name as the Azure Data Share resource. Azure Active Directory admin permission is required to create this user. Below is a summary of the permission required by the SQL user.
+For SQL snapshot-based sharing, a SQL user needs to be created from an external provider in Azure SQL Database with the same name as the Azure Data Share resource. Microsoft Entra admin permission is required to create this user. Below is a summary of the permission required by the SQL user.
|**SQL Database Type**|**Data Provider SQL User Permission**|**Data Consumer SQL User Permission**| ||||
To create a role assignment for the data share resource's managed identity manua
To learn more about role assignments, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md). If you're sharing data using REST APIs, you can create role assignment using API by referencing [Assign Azure roles using the REST API](../role-based-access-control/role-assignments-rest.md).
-For SQL snapshot-based sharing, a SQL user needs to be created from an external provider in SQL Database with the same name as the Azure Data Share resource while connecting to SQL database using Azure Active Directory authentication. This user needs to be granted *db_datareader* permission. A sample script along with other prerequisites for SQL-based sharing can be found in the [Share from Azure SQL Database or Azure Synapse Analytics](how-to-share-from-sql.md) tutorial.
+For SQL snapshot-based sharing, a SQL user needs to be created from an external provider in SQL Database with the same name as the Azure Data Share resource while connecting to SQL database using Microsoft Entra authentication. This user needs to be granted *db_datareader* permission. A sample script along with other prerequisites for SQL-based sharing can be found in the [Share from Azure SQL Database or Azure Synapse Analytics](how-to-share-from-sql.md) tutorial.
### Data consumer
Alternatively, user can have owner of the storage account add the data share res
To learn more about role assignments, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md). If you're receiving data using REST APIs, you can create role assignment using API by referencing [Assign Azure roles using the REST API](../role-based-access-control/role-assignments-rest.md).
-For SQL-based target, a SQL user needs to be created from an external provider in SQL Database with the same name as the Azure Data Share resource while connecting to SQL database using Azure Active Directory authentication. This user needs to be granted *db_datareader, db_datawriter, db_ddladmin* permission. A sample script along with other prerequisites for SQL-based sharing can be found in the [Share from Azure SQL Database or Azure Synapse Analytics](how-to-share-from-sql.md) tutorial.
+For SQL-based target, a SQL user needs to be created from an external provider in SQL Database with the same name as the Azure Data Share resource while connecting to SQL database using Microsoft Entra authentication. This user needs to be granted *db_datareader, db_datawriter, db_ddladmin* permission. A sample script along with other prerequisites for SQL-based sharing can be found in the [Share from Azure SQL Database or Azure Synapse Analytics](how-to-share-from-sql.md) tutorial.
## Resource provider registration
data-share Data Share Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-share/data-share-troubleshoot.md
For storage accounts, a snapshot can fail because a file is being updated at the
For SQL sources, a snapshot can fail for these other reasons:
-* The source SQL script or target SQL script that grants Data Share permission hasn't run. Or for Azure SQL Database or Azure Synapse Analytics (formerly Azure SQL Data Warehouse), the script runs by using SQL authentication rather than Azure Active Directory authentication. You can run the below query to check if the Data Share account has proper permission to the SQL database. For source SQL database, query result should show Data Share account has *db_datareader* role. For target SQL database, query result should show Data Share account has *db_datareader*, *db_datawriter*, and *db_dlladmin* roles.
+* The source SQL script or target SQL script that grants Data Share permission hasn't run. Or for Azure SQL Database or Azure Synapse Analytics (formerly Azure SQL Data Warehouse), the script runs by using SQL authentication rather than Microsoft Entra authentication. You can run the below query to check if the Data Share account has proper permission to the SQL database. For source SQL database, query result should show Data Share account has *db_datareader* role. For target SQL database, query result should show Data Share account has *db_datareader*, *db_datawriter*, and *db_dlladmin* roles.
```sql SELECT DP1.name AS DatabaseRoleName,
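Review bot: The replaced bullet still lists the target role as *db_dlladmin*; the role name is *db_ddladmin*, as written in the data-share roles page above. Fix the typo while the line is being touched.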
Dataset mapping can fail for Azure Data Explorer clusters due to the following r
To learn how to start sharing data, continue to the [Share data](share-your-data.md) tutorial.
-To learn how to receive data, continue to the [Accept and receive data](subscribe-to-data-share.md) tutorial.
+To learn how to receive data, continue to the [Accept and receive data](subscribe-to-data-share.md) tutorial.
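Review bot: the removed and added lines are textually identical, so this hunk is a whitespace or end-of-file newline change only; fine to merge, but worth confirming the file still ends with a newline, since the same identical-pair hunk appears at the last line of several other articles in this set.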
data-share How To Share From Sql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-share/how-to-share-from-sql.md
There are also prerequisites for sharing that depend on where your data is comin
You can use one of these methods to authenticate with Azure SQL Database or Azure Synapse Analytics (formerly Azure SQL DW): -- [Azure Active Directory authentication](#azure-active-directory-authentication)
+- [Microsoft Entra authentication](#azure-active-directory-authentication)
- [SQL authentication](#sql-authentication)
-#### Azure Active Directory authentication
+<a name='azure-active-directory-authentication'></a>
+
+#### Microsoft Entra authentication
These prerequisites cover the authentication you'll need so Azure Data Share can connect with your Azure SQL Database: - You'll need permission to write to the databases on SQL server: *Microsoft.Sql/servers/databases/write*. This permission exists in the **Contributor** role.-- SQL Server **Azure Active Directory Admin** permissions.
+- SQL Server **Microsoft Entra Admin** permissions.
- SQL Server Firewall access: 1. In the [Azure portal](https://portal.azure.com/), navigate to your SQL server. Select *Firewalls and virtual networks* from left navigation. 1. Select **Yes** for *Allow Azure services and resources to access this server*.
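Review bot: the added bullet "SQL Server **Microsoft Entra Admin** permissions" capitalizes "Admin", while the other renamed occurrences in this same article use "Microsoft Entra admin" (lowercase); pick one form for the article. Keeping the old `#azure-active-directory-authentication` fragment on the list link and adding the explicit `<a name='azure-active-directory-authentication'></a>` above the renamed heading is the right way to avoid breaking inbound links.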
You can follow the [step by step demo video](https://youtu.be/hIE-TjJD8Dc) to co
- Permission to write to the databases on SQL server: *Microsoft.Sql/servers/databases/write*. This permission exists in the **Contributor** role. - Permission for the Azure Data Share resource's managed identity to access the database:
- 1. In the [Azure portal](https://portal.azure.com/), navigate to the SQL server and set yourself as the **Azure Active Directory Admin**.
- 1. Connect to the Azure SQL Database/Data Warehouse using the [Query Editor](/azure/azure-sql/database/connect-query-portal#connect-using-azure-active-directory) or SQL Server Management Studio with Azure Active Directory authentication.
+ 1. In the [Azure portal](https://portal.azure.com/), navigate to the SQL server and set yourself as the **Microsoft Entra Admin**.
+ 1. Connect to the Azure SQL Database/Data Warehouse using the [Query Editor](/azure/azure-sql/database/connect-query-portal#connect-using-azure-active-directory) or SQL Server Management Studio with Microsoft Entra authentication.
1. Execute the following script to add the Data Share resource-Managed Identity as a db_datareader. Connect using Active Directory and not SQL Server authentication. ```sql
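Review bot: the unchanged trailing step still reads "Connect using Active Directory and not SQL Server authentication" immediately after the step that was renamed to "Microsoft Entra authentication", so the rename is incomplete within this list; suggest "Connect using Microsoft Entra authentication and not SQL Server authentication." Also, the Query Editor link on the added line keeps the fragment `#connect-using-azure-active-directory`; verify that the target page still exposes that anchor after its own heading rename.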
You can follow the [step by step demo video](https://youtu.be/hIE-TjJD8Dc) to co
- Permission to write to the SQL pool in Synapse workspace: *Microsoft.Synapse/workspaces/sqlPools/write*. This permission exists in the **Contributor** role. - Permission for the Data Share resource's managed identity to access Synapse workspace SQL pool:
- 1. In the [Azure portal](https://portal.azure.com/), navigate to your Synapse workspace. Select **SQL Active Directory admin** from left navigation and set yourself as the **Azure Active Directory admin**.
+ 1. In the [Azure portal](https://portal.azure.com/), navigate to your Synapse workspace. Select **SQL Active Directory admin** from left navigation and set yourself as the **Microsoft Entra admin**.
1. Open the Synapse Studio, select **Manage** from the left navigation. Select **Access control** under Security. Assign yourself the **SQL admin** or **Workspace admin** role. 1. Select **Develop** from the left navigation in the Synapse Studio. Execute the following script in SQL pool to add the Data Share resource-Managed Identity as a db_datareader.
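Review bot: the added line renames the role to "Microsoft Entra admin" but keeps the left-navigation label as "SQL Active Directory admin" in the same sentence. If that label was intentionally left to match the current portal UI, a short parenthetical would stop it reading as a missed rename; if the portal label has changed too, both mentions should be updated together.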
You can follow the [step by step demo video](https://youtu.be/hIE-TjJD8Dc) to co
:::image type="content" source="./media/add-datasets.png" alt-text="Screenshot showing the available dataset types.":::
-1. Select your SQL server or Synapse workspace. If you're using Azure Active Directory authentication and the checkbox **Allow Data Share to run the above 'create user' SQL script on my behalf** appears, check the checkbox. If you're using SQL authentication, provide credentials, and be sure you've followed the prerequisites so that you have permissions.
+1. Select your SQL server or Synapse workspace. If you're using Microsoft Entra authentication and the checkbox **Allow Data Share to run the above 'create user' SQL script on my behalf** appears, check the checkbox. If you're using SQL authentication, provide credentials, and be sure you've followed the prerequisites so that you have permissions.
Select **Next** to navigate to the object you would like to share and select 'Add Datasets'. You can select tables and views from Azure SQL Database and Azure Synapse Analytics (formerly Azure SQL DW), or tables from Azure Synapse Analytics (workspace) dedicated SQL pool.
If you choose to receive data into Azure Storage, complete these prerequisites b
<a id="prerequisitesforreceivingtoazuresqlorsynapse"></a> ### Prerequisites for receiving data into Azure SQL Database or Azure Synapse Analytics (formerly Azure SQL DW)
-For a SQL server where you're the **Azure Active Directory admin** of the SQL server, complete these prerequisites before accepting a data share:
+For a SQL server where you're the **Microsoft Entra admin** of the SQL server, complete these prerequisites before accepting a data share:
- An [Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) or [Azure Synapse Analytics (formerly Azure SQL DW)](../synapse-analytics/get-started-create-workspace.md). - Permission to write to the databases on SQL server: *Microsoft.Sql/servers/databases/write*. This permission exists in the **Contributor** role.
For a SQL server where you're the **Azure Active Directory admin** of the SQL se
1. Select **+Add client IP**. Client IP address can change, so you may need to add your client IP again next time you share data from the portal. 1. Select **Save**.
-For a SQL server where you're **not** the **Azure Active Directory admin**, complete these prerequisites before accepting a data share:
+For a SQL server where you're **not** the **Microsoft Entra admin**, complete these prerequisites before accepting a data share:
You can follow the [step by step demo video](https://youtu.be/aeGISgK1xro), or the steps below to configure prerequisites. - An [Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart) or [Azure Synapse Analytics (formerly Azure SQL DW)](../synapse-analytics/get-started-create-workspace.md). - Permission to write to databases on the SQL server: *Microsoft.Sql/servers/databases/write*. This permission exists in the **Contributor** role. - Permission for the Data Share resource's managed identity to access the Azure SQL Database or Azure Synapse Analytics:
- 1. In the [Azure portal](https://portal.azure.com/), navigate to the SQL server and set yourself as the **Azure Active Directory Admin**.
- 1. Connect to the Azure SQL Database/Data Warehouse using the [Query Editor](/azure/azure-sql/database/connect-query-portal#connect-using-azure-active-directory) or SQL Server Management Studio with Azure Active Directory authentication.
+ 1. In the [Azure portal](https://portal.azure.com/), navigate to the SQL server and set yourself as the **Microsoft Entra Admin**.
+ 1. Connect to the Azure SQL Database/Data Warehouse using the [Query Editor](/azure/azure-sql/database/connect-query-portal#connect-using-azure-active-directory) or SQL Server Management Studio with Microsoft Entra authentication.
1. Execute the following script to add the Data Share Managed Identity as a 'db_datareader, db_datawriter, db_ddladmin'. ```sql
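Review bot: within this single hunk the added lines use both "Microsoft Entra admin" (the "not the admin" sentence) and "Microsoft Entra Admin" (the portal step); make the capitalization consistent across the article.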
You can follow the [step by step demo video](https://youtu.be/aeGISgK1xro), or t
- Permission to write to the SQL pool in Synapse workspace: *Microsoft.Synapse/workspaces/sqlPools/write*. This permission exists in the **Contributor** role. - Permission for the Data Share resource's managed identity to access the Synapse workspace SQL pool: 1. In the [Azure portal](https://portal.azure.com/), navigate to Synapse workspace.
- 1. Select SQL Active Directory admin from left navigation and set yourself as the **Azure Active Directory admin**.
+ 1. Select SQL Active Directory admin from left navigation and set yourself as the **Microsoft Entra admin**.
1. Open Synapse Studio, select **Manage** from the left navigation. Select **Access control** under Security. Assign yourself the **SQL admin** or **Workspace admin** role. 1. In Synapse Studio, select **Develop** from the left navigation. Execute the following script in SQL pool to add the Data Share resource-Managed Identity as a 'db_datareader, db_datawriter, db_ddladmin'.
For large tables where incremental updates are desired, you can export updates t
## Troubleshoot snapshot failure
-The most common cause of snapshot failure is that Data Share doesn't have permission to the source or target data store. In order to grant Data Share permission to the source or target Azure SQL Database or Azure Synapse Analytics (formerly Azure SQL DW), you must run the provided SQL script when connecting to the SQL database using Azure Active Directory authentication. To troubleshoot other SQL snapshot failures, refer to [Troubleshoot snapshot failure](data-share-troubleshoot.md#snapshots).
+The most common cause of snapshot failure is that Data Share doesn't have permission to the source or target data store. In order to grant Data Share permission to the source or target Azure SQL Database or Azure Synapse Analytics (formerly Azure SQL DW), you must run the provided SQL script when connecting to the SQL database using Microsoft Entra authentication. To troubleshoot other SQL snapshot failures, refer to [Troubleshoot snapshot failure](data-share-troubleshoot.md#snapshots).
## Next steps
data-share Share Your Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-share/share-your-data.md
Below is the list of prerequisites for sharing data from SQL source.
* An Azure SQL Database or Azure Synapse Analytics (formerly Azure SQL DW) with tables and views that you want to share. * Permission to write to the databases on SQL server, which is present in *Microsoft.Sql/servers/databases/write*. This permission exists in the **Contributor** role.
-* **Azure Active Directory Admin** of the SQL server
+* **Microsoft Entra Admin** of the SQL server
* SQL Server Firewall access. This can be done through the following steps: 1. In Azure portal, navigate to SQL server. Select *Firewalls and virtual networks* from left navigation. 1. Select **Yes** for *Allow Azure services and resources to access this server*.
Below is the list of prerequisites for sharing data from SQL source.
* * An Azure Synapse Analytics (workspace) dedicated SQL pool with tables that you want to share. Sharing of view isn't currently supported. Sharing from serverless SQL pool isn't currently supported. * Permission to write to the SQL pool in Synapse workspace, which is present in *Microsoft.Synapse/workspaces/sqlPools/write*. This permission exists in the **Contributor** role. * Permission for the Data Share resource's managed identity to access Synapse workspace SQL pool. This can be done through the following steps:
- 1. In Azure portal, navigate to Synapse workspace. Select SQL Active Directory admin from left navigation and set yourself as the **Azure Active Directory admin**.
+ 1. In Azure portal, navigate to Synapse workspace. Select SQL Active Directory admin from left navigation and set yourself as the **Microsoft Entra admin**.
1. Open Synapse Studio, select *Manage* from the left navigation. Select *Access control* under Security. Assign yourself **SQL admin** or **Workspace admin** role. 1. In Synapse Studio, select *Develop* from the left navigation. Execute the following script in SQL pool to add the Data Share resource Managed Identity as a db_datareader.
Use these commands to create the resource:
:::image type="content" source="./media/datasets.png" alt-text="Screenshot of the datasets page in share creation, the add datasets button is highlighted.":::
-1. Select the dataset type that you would like to add. You'll see a different list of dataset types depending on the share type (snapshot or in-place) you've selected in the previous step. If sharing from an Azure SQL Database or Azure Synapse Analytics (formerly Azure SQL DW), you'll be prompted for authentication method to list tables. Select Azure Active Directory authentication, and check the checkbox **Allow Data Share to run the above 'create user' script on my behalf**.
+1. Select the dataset type that you would like to add. You'll see a different list of dataset types depending on the share type (snapshot or in-place) you've selected in the previous step. If sharing from an Azure SQL Database or Azure Synapse Analytics (formerly Azure SQL DW), you'll be prompted for authentication method to list tables. Select Microsoft Entra authentication, and check the checkbox **Allow Data Share to run the above 'create user' script on my behalf**.
:::image type="content" source="./media/add-datasets.png" alt-text="Screenshot showing the available dataset types.":::
data-share Subscribe To Data Share https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/data-share/subscribe-to-data-share.md
If you choose to receive data into Azure SQL Database, Azure Synapse Analytics,
* An Azure SQL Database or Azure Synapse Analytics (formerly Azure SQL DW). * Permission to write to databases on the SQL server, which is present in *Microsoft.Sql/servers/databases/write*. This permission exists in the **Contributor** role.
-* **Azure Active Directory Admin** of the SQL server
+* **Microsoft Entra Admin** of the SQL server
* SQL Server Firewall access. This can be done through the following steps: 1. In SQL server in Azure portal, navigate to *Firewalls and virtual networks* 1. Select **Yes** for *Allow Azure services and resources to access this server*.
If you choose to receive data into Azure SQL Database, Azure Synapse Analytics,
* An Azure Synapse Analytics (workspace) dedicated SQL pool. Receiving data into serverless SQL pool isn't currently supported. * Permission to write to the SQL pool in Synapse workspace, which is present in *Microsoft.Synapse/workspaces/sqlPools/write*. This permission exists in the **Contributor** role. * Permission for the Data Share resource's managed identity to access the Synapse workspace SQL pool. This can be done through the following steps:
- 1. In Azure portal, navigate to Synapse workspace. Select SQL Active Directory admin from left navigation and set yourself as the **Azure Active Directory admin**.
+ 1. In Azure portal, navigate to Synapse workspace. Select SQL Active Directory admin from left navigation and set yourself as the **Microsoft Entra admin**.
1. Open Synapse Studio, select *Manage* from the left navigation. Select *Access control* under Security. Assign yourself **SQL admin** or **Workspace admin** role. 1. In Synapse Studio, select *Develop* from the left navigation. Execute the following script in SQL pool to add the Data Share resource Managed Identity as a 'db_datareader, db_datawriter, db_ddladmin'.
databox-gateway Data Box Gateway System Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-gateway/data-box-gateway-system-requirements.md
The following table lists the ports that need to be opened in your firewall to a
## URL patterns for firewall rules
-Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Data Box Gateway device and the Data Box Gateway service depend on other Microsoft applications such as Azure Service Bus, Azure Active Directory Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. This in turn will require the network administrator to monitor and update firewall rules for your Data Box Gateway as and when needed.
+Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Data Box Gateway device and the Data Box Gateway service depend on other Microsoft applications such as Azure Service Bus, Microsoft Entra Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. This in turn will require the network administrator to monitor and update firewall rules for your Data Box Gateway as and when needed.
We recommend that you set your firewall rules for outbound traffic, based on Data Box Gateway fixed IP addresses, liberally in most cases. However, you can use the information below to set advanced firewall rules that are needed to create secure environments.
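Review bot: "Azure Active Directory Access Control" on the removed line names a distinct service, not the directory itself, so the mechanical rename to "Microsoft Entra Access Control" on the added line produces a product name that should be verified rather than assumed. Check the dependency against the URL table this section introduces and either use the endpoint's current name or drop the entry, for example "... such as Azure Service Bus, Microsoft Entra ID, storage accounts, and Microsoft Update servers."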
We recommend that you set your firewall rules for outbound traffic, based on Dat
## Next step * [Deploy your Azure Data Box Gateway](data-box-gateway-deploy-prep.md)-
databox-online Azure Stack Edge Deploy Prep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-deploy-prep.md
Before you begin, make sure that:
For information on how to register, see [Register resource provider](azure-stack-edge-manage-access-power-connectivity-mode.md#register-resource-providers).
-* You have admin or user access to Azure Active Directory Graph API. For more information, see [Azure Active Directory Graph API](/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes#default-access-for-administrators-users-and-guest-users-).
+* You have admin or user access to Azure AD Graph API. For more information, see [Azure Active Directory Graph API](/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes#default-access-for-administrators-users-and-guest-users-).
* You have your Microsoft Azure storage account with access credentials.
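Review bot: the added line now says "Azure AD Graph API" in the sentence but leaves the link text as "Azure Active Directory Graph API" and points to a `/previous-versions/` page, so the bullet is inconsistent with itself and cites legacy documentation. The sibling article in this same change set states the requirement as access to the Microsoft Graph API and links to "Overview of Microsoft Graph permissions" (/graph/permissions-overview); align this bullet with that wording and link.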
In this tutorial, you learned about Azure Stack Edge Pro FPGA topics such as:
Advance to the next tutorial to learn how to install Azure Stack Edge Pro FPGA. > [!div class="nextstepaction"]
-> [Install Azure Stack Edge Pro FPGA](./azure-stack-edge-deploy-install.md)
+> [Install Azure Stack Edge Pro FPGA](./azure-stack-edge-deploy-install.md)
databox-online Azure Stack Edge Gpu Deploy Prep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-deploy-prep.md
Before you begin, make sure that:
- Search for the specific resource provider, for example, `Microsoft.DataBoxEdge`, and register the resource provider. - To create a Storage account resource, again you need contributor or higher access scoped at the resource group level. Azure Storage is by default a registered resource provider. - To create an order in the Azure Edge Hardware Center, you need to make sure that the `Microsoft.EdgeOrder` provider is registered. For information on how to register, go to [Register resource provider](azure-stack-edge-gpu-manage-access-power-connectivity-mode.md#register-resource-providers).-- You have admin or user access to Azure Active Directory Graph API for generating activation key or credential operations such as share creation that uses a storage account. For more information, see [Azure Active Directory Graph API](/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes#default-access-for-administrators-users-and-guest-users-).
+- You have admin or user access to Azure AD Graph API for generating activation key or credential operations such as share creation that uses a storage account. For more information, see [Azure Active Directory Graph API](/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-permission-scopes#default-access-for-administrators-users-and-guest-users-).
### For the Azure Stack Edge Pro GPU device
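Review bot: same inconsistency as the FPGA deploy-prep article: the sentence says "Azure AD Graph API" while the link text still says "Azure Active Directory Graph API" and targets a `/previous-versions/` page. Since the activation-key and share-creation operations described here are the ones the manage-access article ties to Microsoft Graph permissions, point this bullet at /graph/permissions-overview with matching wording.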
databox-online Azure Stack Edge Gpu Deploy Virtual Machine Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-deploy-virtual-machine-portal.md
You can create and manage virtual machines (VMs) on an Azure Stack Edge Pro GPU device by using the Azure portal, templates, and Azure PowerShell cmdlets, and via the Azure CLI or Python scripts. This article describes how to create and manage a VM on your Azure Stack Edge Pro GPU device by using the Azure portal. > [!IMPORTANT]
-> You will need to enable multifactor authentication for the user who manages the VMs and images that are deployed on your device from the cloud. The cloud operations will fail if the user doesn't have multifactor authentication enabled. For steps to enable multifactor authentication, see [Enable Azure AD Multi-Factor Authentication](/training/modules/secure-aad-users-with-mfa/4-exercise-mfa).
+> You will need to enable multifactor authentication for the user who manages the VMs and images that are deployed on your device from the cloud. The cloud operations will fail if the user doesn't have multifactor authentication enabled. For steps to enable multifactor authentication, see [Enable Microsoft Entra multifactor authentication](/training/modules/secure-aad-users-with-mfa/4-exercise-mfa).
## VM deployment workflow
Follow these steps to connect to a Windows VM.
- [Deploy a GPU VM](azure-stack-edge-gpu-deploy-gpu-virtual-machine.md) - [Troubleshoot VM deployment](azure-stack-edge-gpu-troubleshoot-virtual-machine-provisioning.md) - [Monitor VM activity on your device](azure-stack-edge-gpu-monitor-virtual-machine-activity.md)-- [Monitor CPU and memory on a VM](azure-stack-edge-gpu-monitor-virtual-machine-metrics.md)
+- [Monitor CPU and memory on a VM](azure-stack-edge-gpu-monitor-virtual-machine-metrics.md)
databox-online Azure Stack Edge Gpu Manage Access Power Connectivity Mode https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-manage-access-power-connectivity-mode.md
When generating the activation key for the Azure Stack Edge Pro device, or perfo
- Creating a share with an associated storage account. - Creating a user who can access the shares on the device.
-You should have a `User` access on the Azure Active Directory tenant as you need to be able to `Read all directory objects`. You can't be a Guest user as they don't have permissions to `Read all directory objects`. If you're a guest, then the operations such as generation of an activation key, creation of a share on your Azure Stack Edge Pro device, creation of a user, configuration of Edge compute role, reset device password will all fail.
+You should have a `User` access on the Microsoft Entra tenant as you need to be able to `Read all directory objects`. You can't be a Guest user as they don't have permissions to `Read all directory objects`. If you're a guest, then the operations such as generation of an activation key, creation of a share on your Azure Stack Edge Pro device, creation of a user, configuration of Edge compute role, reset device password will all fail.
For more information on how to provide access to users to Microsoft Graph API, see [Overview of Microsoft Graph permissions](/graph/permissions-overview).
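Review bot: this article states the prerequisite as `Read all directory objects` on the tenant and links to Microsoft Graph permissions, while the two deploy-prep articles in this same change set describe the same activation-key and share-creation operations as requiring "Azure AD Graph API" access. The prerequisites should name one API consistently; since the added line here already uses the Microsoft Entra tenant wording and the Microsoft Graph link, the deploy-prep bullets are the ones to update.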
databox-online Azure Stack Edge Gpu System Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-gpu-system-requirements.md
For complete information, go to [Firewall and port configuration rules for IoT E
## URL patterns for firewall rules
-Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Azure Stack Edge Pro device and the service depend on other Microsoft applications such as Azure Service Bus, Azure Active Directory Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. These changes require the network administrator to monitor and update firewall rules for your Azure Stack Edge Pro as and when needed.
+Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Azure Stack Edge Pro device and the service depend on other Microsoft applications such as Azure Service Bus, Microsoft Entra Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. These changes require the network administrator to monitor and update firewall rules for your Azure Stack Edge Pro as and when needed.
We recommend that you set your firewall rules for outbound traffic, based on Azure Stack Edge Pro fixed IP addresses, liberally in most cases. However, you can use the information below to set advanced firewall rules that are needed to create secure environments.
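Review bot: same point as the Data Box Gateway system-requirements hunk: "Azure Active Directory Access Control" is a distinct service name, so "Microsoft Entra Access Control" on the added line needs to be verified against the URL table below rather than derived by find-and-replace.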
databox-online Azure Stack Edge Mini R System Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-mini-r-system-requirements.md
For complete information, go to [Firewall and port configuration rules for IoT E
## URL patterns for firewall rules
-Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Azure Stack Edge Mini R device and the service depend on other Microsoft applications such as Azure Service Bus, Azure Active Directory Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. These changes require the network administrator to monitor and update firewall rules for your Azure Stack Edge Mini R as and when needed.
+Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Azure Stack Edge Mini R device and the service depend on other Microsoft applications such as Azure Service Bus, Microsoft Entra Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. These changes require the network administrator to monitor and update firewall rules for your Azure Stack Edge Mini R as and when needed.
We recommend that you set your firewall rules for outbound traffic, based on Azure Stack Edge Mini R fixed IP addresses, liberally in most cases. However, you can use the information below to set advanced firewall rules that are needed to create secure environments.
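Review bot: "Microsoft Entra Access Control" on the added line is a find-and-replace result, not a verified service name; confirm the dependency against the URL table for this device before merging.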
databox-online Azure Stack Edge Pro 2 System Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-pro-2-system-requirements.md
For complete information, go to [Firewall and port configuration rules for IoT E
## URL patterns for firewall rules
-Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Azure Stack Edge Pro 2 device and the service depend on other Microsoft applications such as Azure Service Bus, Azure Active Directory Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. These changes require the network administrator to monitor and update firewall rules for your Azure Stack Edge Pro 2 as and when needed.
+Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Azure Stack Edge Pro 2 device and the service depend on other Microsoft applications such as Azure Service Bus, Microsoft Entra Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. These changes require the network administrator to monitor and update firewall rules for your Azure Stack Edge Pro 2 as and when needed.
We recommend that you set your firewall rules for outbound traffic, based on Azure Stack Edge Pro 2 fixed IP addresses, liberally in most cases. However, you can use the information below to set advanced firewall rules that are needed to create secure environments.
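Review bot: as in the other system-requirements articles, the rename of "Azure Active Directory Access Control" to "Microsoft Entra Access Control" should be checked against the URL table for this device; the original term names a specific service, not the directory.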
databox-online Azure Stack Edge Pro R System Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-pro-r-system-requirements.md
For complete information, go to [Firewall and port configuration rules for IoT E
## URL patterns for firewall rules
-Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Azure Stack Edge Pro R device and the service depend on other Microsoft applications such as Azure Service Bus, Azure Active Directory Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. These changes require the network administrator to monitor and update firewall rules for your Azure Stack Edge Pro R as and when needed.
+Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Azure Stack Edge Pro R device and the service depend on other Microsoft applications such as Azure Service Bus, Microsoft Entra Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. These changes require the network administrator to monitor and update firewall rules for your Azure Stack Edge Pro R as and when needed.
We recommend that you set your firewall rules for outbound traffic, based on Azure Stack Edge Pro R fixed IP addresses, liberally in most cases. However, you can use the information below to set advanced firewall rules that are needed to create secure environments.
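Review bot: the "Microsoft Entra Access Control" rename on the added line needs the same verification as in the other system-requirements articles; if the URL table below no longer lists an Access Control endpoint, drop it from the dependency list instead of renaming it.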
Finally, make sure that you validate your solution on your dataset and quantify
## Next step -- [Deploy your Azure Stack Edge Pro R](azure-stack-edge-pro-r-deploy-prep.md)
+- [Deploy your Azure Stack Edge Pro R](azure-stack-edge-pro-r-deploy-prep.md)
databox-online Azure Stack Edge System Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/azure-stack-edge-system-requirements.md
For complete information, go to [Firewall and port configuration rules for IoT E
## URL patterns for firewall rules
-Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Azure Stack Edge Pro FPGA device and the service depend on other Microsoft applications such as Azure Service Bus, Azure Active Directory Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. These changes require the network administrator to monitor and update firewall rules for your Azure Stack Edge Pro FPGA as and when needed.
+Network administrators can often configure advanced firewall rules based on the URL patterns to filter the inbound and the outbound traffic. Your Azure Stack Edge Pro FPGA device and the service depend on other Microsoft applications such as Azure Service Bus, Microsoft Entra Access Control, storage accounts, and Microsoft Update servers. The URL patterns associated with these applications can be used to configure firewall rules. It is important to understand that the URL patterns associated with these applications can change. These changes require the network administrator to monitor and update firewall rules for your Azure Stack Edge Pro FPGA as and when needed.
We recommend that you set your firewall rules for outbound traffic, based on Azure Stack Edge Pro FPGA fixed IP addresses, liberally in most cases. However, you can use the information below to set advanced firewall rules that are needed to create secure environments.
Finally, make sure that you validate your solution on your dataset and quantify
## Next step -- [Deploy your Azure Stack Edge Pro FPGA](azure-stack-edge-deploy-prep.md)
+- [Deploy your Azure Stack Edge Pro FPGA](azure-stack-edge-deploy-prep.md)
databox-online Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox-online/policy-reference.md
Title: Built-in policy definitions for Azure Stack Edge description: Lists Azure Policy built-in policy definitions for Azure Stack Edge. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
databox Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/databox/policy-reference.md
Title: Built-in policy definitions for Azure Data Box description: Lists Azure Policy built-in policy definitions for Azure Data Box. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
ddos-protection Fundamental Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/fundamental-best-practices.md
Previously updated : 02/08/2023 Last updated : 10/06/2023 # Azure DDoS Protection fundamental best practices
Ensure that security is a priority throughout the entire lifecycle of an applica
To help protect a service running on Microsoft Azure, you should have a good understanding of your application architecture and focus on the [five pillars of software quality](/azure/architecture/guide/pillars). You should know typical traffic volumes, the connectivity model between the application and other applications, and the service endpoints that are exposed to the public internet.
-Ensuring that an application is resilient enough to handle a denial of service that's targeted at the application itself is most important. Security and privacy are built into the Azure platform, beginning with the [Security Development Lifecycle (SDL)](https://www.microsoft.com/sdl/default.aspx). The SDL addresses security at every development phase and ensures that Azure is continually updated to make it even more secure.
+Ensuring that an application is resilient enough to handle a denial of service that's targeted at the application itself is most important. Security and privacy are built into the Azure platform, beginning with the [Security Development Lifecycle (SDL)](https://www.microsoft.com/sdl/default.aspx). The SDL addresses security at every development phase and ensures that Azure is continually updated to make it even more secure. To learn more about maximizing your effectiveness using DDoS Protection, see [Maximizing Effectiveness: Best Practices for Azure DDoS Protection and Application Resilience](https://techcommunity.microsoft.com/t5/azure-network-security-blog/maximizing-effectiveness-best-practices-for-azure-ddos/ba-p/3914324).
++ ## Design for scalability
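Review bot: the sentence added at the end of the second paragraph reads awkwardly, "To learn more about maximizing your effectiveness using DDoS Protection, see [Maximizing Effectiveness: ...]", repeating "effectiveness" twice in one line; suggest "For best practices on getting the most out of DDoS Protection, see [Maximizing Effectiveness: Best Practices for Azure DDoS Protection and Application Resilience](...)". The "++ ## Design for scalability" line also suggests a blank line was added or lost in front of the heading; confirm the heading still renders with its preceding blank line.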
ddos-protection Manage Ddos Protection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/manage-ddos-protection.md
Get started with Azure DDoS Network Protection by using the Azure portal.
-A DDoS protection plan defines a set of virtual networks that have DDoS Network Protection enabled, across subscriptions. You can configure one DDoS protection plan for your organization and link virtual networks from multiple subscriptions under a single Azure AD tenant to the same plan.
+A DDoS protection plan defines a set of virtual networks that have DDoS Network Protection enabled, across subscriptions. You can configure one DDoS protection plan for your organization and link virtual networks from multiple subscriptions under a single Microsoft Entra tenant to the same plan.
In this QuickStart, you create a DDoS protection plan and link it to a virtual network.
In this QuickStart, you create a DDoS protection plan and link it to a virtual n
| Region | Enter **East US**. | 1. In the *Security* pane, select **Enable** on the **Azure DDoS Network Protection** radio.
-1. Select **MyDdosProtectionPlan** from the **DDoS protection plan** pane. The plan you select can be in the same, or different subscription than the virtual network, but both subscriptions must be associated to the same Azure Active Directory tenant.
+1. Select **MyDdosProtectionPlan** from the **DDoS protection plan** pane. The plan you select can be in the same, or different subscription than the virtual network, but both subscriptions must be associated to the same Microsoft Entra tenant.
1. Select **Next**. In the IP address pane, select **Add IPv4 address space** and enter the following values. Then select **Add**. | Setting | Value |
In this QuickStart, you create a DDoS protection plan and link it to a virtual n
1. Create a DDoS protection plan by completing the steps in [Create a DDoS protection plan](#create-a-ddos-protection-plan), if you don't have an existing DDoS protection plan. 1. Enter the name of the virtual network that you want to enable DDoS Network Protection for in the **Search resources, services, and docs box** at the top of the Azure portal. When the name of the virtual network appears in the search results, select it. 1. Select **DDoS protection**, under **Settings**.
-1. Select **Enable**. Under **DDoS protection plan**, select an existing DDoS protection plan, or the plan you created in step 1, and then select **Save**. The plan you select can be in the same, or different subscription than the virtual network, but both subscriptions must be associated to the same Azure Active Directory tenant.
+1. Select **Enable**. Under **DDoS protection plan**, select an existing DDoS protection plan, or the plan you created in step 1, and then select **Save**. The plan you select can be in the same, or different subscription than the virtual network, but both subscriptions must be associated to the same Microsoft Entra tenant.
:::image type="content" source="./media/manage-ddos-protection/ddos-update-virtual-network.gif" alt-text="Gif of enabling DDoS Protection for a virtual network.":::
ddos-protection Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/ddos-protection/policy-reference.md
Previously updated : 09/19/2023 Last updated : 10/10/2023
defender-for-cloud Attack Path Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/attack-path-reference.md
This section lists all of the cloud security graph components (connections and i
| Has tags | Lists the resource tags of the cloud resource | All Azure, AWS, and GCP resources | | Installed software | Lists all software installed on the machine. This insight is applicable only for VMs that have threat and vulnerability management integration with Defender for Cloud enabled and are connected to Defender for Cloud. | Azure virtual machine, AWS EC2 | | Allows public access | Indicates that a public read access is allowed to the resource with no authorization required. [Learn more](concept-data-security-posture-prepare.md#exposed-to-the-internetallows-public-access) | Azure storage account, AWS S3 bucket, GitHub repository, GCP cloud storage bucket |
-| Doesn't have MFA enabled | Indicates that the user account does not have a multi-factor authentication solution enabled | Azure AD User account, IAM user |
-| Is external user | Indicates that the user account is outside the organization's domain | Azure AD User account |
+| Doesn't have MFA enabled | Indicates that the user account does not have a multi-factor authentication solution enabled | Microsoft Entra user account, IAM user |
+| Is external user | Indicates that the user account is outside the organization's domain | Microsoft Entra user account |
| Is managed | Indicates that an identity is managed by the cloud provider | Azure Managed Identity | | Contains common usernames | Indicates that a SQL server has user accounts with common usernames which are prone to brute force attacks. | SQL VM, Arc-Enabled SQL VM | | Can execute code on the host | Indicates that a SQL server allows executing code on the underlying VM using a built-in mechanism such as xp_cmdshell. | SQL VM, Arc-Enabled SQL VM |
This section lists all of the cloud security graph components (connections and i
| Has high severity vulnerabilities | Indicates that a resource has high severity vulnerabilities | Azure VM, AWS EC2, Container image, GCP VM instance | | Vulnerable to remote code execution | Indicates that a resource has vulnerabilities allowing remote code execution | Azure VM, AWS EC2, Container image, GCP VM instance | | Public IP metadata | Lists the metadata of an Public IP | Public IP |
-| Identity metadata | Lists the metadata of an identity | Azure AD Identity |
+| Identity metadata | Lists the metadata of an identity | Microsoft Entra identity |
### Connections | Connection | Description | Source entity types | Destination entity types | |--|--|--|--|
-| Can authenticate as | Indicates that an Azure resource can authenticate to an identity and use its privileges | Azure VM, Azure VMSS, Azure Storage Account, Azure App Services, SQL Servers | Azure AD managed identity |
-| Has permission to | Indicates that an identity has permissions to a resource or a group of resources | Azure AD user account, Managed Identity, IAM user, EC2 instance | All Azure & AWS resources|
+| Can authenticate as | Indicates that an Azure resource can authenticate to an identity and use its privileges | Azure VM, Azure VMSS, Azure Storage Account, Azure App Services, SQL Servers | Microsoft Entra managed identity |
+| Has permission to | Indicates that an identity has permissions to a resource or a group of resources | Microsoft Entra user account, Managed Identity, IAM user, EC2 instance | All Azure & AWS resources|
| Contains | Indicates that the source entity contains the target entity | Azure subscription, Azure resource group, AWS account, Kubernetes namespace, Kubernetes pod, Kubernetes cluster, GitHub owner, Azure DevOps project, Azure DevOps organization, Azure SQL server, RDS Cluster, RDS Instance, GCP project, GCP Folder, GCP Organization | All Azure, AWS, and GCP resources, All Kubernetes entities, All DevOps entities, Azure SQL database, RDS Instance, RDS Instance Database | | Routes traffic to | Indicates that the source entity can route network traffic to the target entity | Public IP, Load Balancer, VNET, Subnet, VPC, Internet Gateway, Kubernetes service, Kubernetes pod| Azure VM, Azure VMSS, AWS EC2, Subnet, Load Balancer, Internet gateway, Kubernetes pod, Kubernetes service, GCP VM instance, GCP instance group | | Is running | Indicates that the source entity is running the target entity as a process | Azure VM, EC2, Kubernetes container | SQL, Arc-Enabled SQL, Hosted MongoDB, Hosted MySQL, Hosted Oracle, Hosted PostgreSQL, Hosted SQL Server, Container image, Kubernetes pod |
-| Member of | Indicates that the source identity is a member of the target identities group | Azure AD group, Azure AD user | Azure AD group |
+| Member of | Indicates that the source identity is a member of the target identities group | Microsoft Entra group, Microsoft Entra user | Microsoft Entra group |
| Maintains | Indicates that the source Kubernetes entity manages the life cycle of the target Kubernetes entity | Kubernetes workload controller, Kubernetes replica set, Kubernetes stateful set, Kubernetes daemon set, Kubernetes jobs, Kubernetes cron job | Kubernetes pod | ## Next steps
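Review bot: the rewritten "Member of" row keeps a pre-existing possessive error, "is a member of the target identities group"; suggest "is a member of the target identity's group". The rename itself is consistent across source and destination columns.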
defender-for-cloud Concept Aws Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/concept-aws-connector.md
The architecture of the authentication process across clouds is as follows:
:::image type="content" source="media/quickstart-onboard-aws/architecture-authentication-across-clouds.png" alt-text="Diagram showing architecture of authentication process across clouds." lightbox="media/quickstart-onboard-aws/architecture-authentication-across-clouds.png":::
-1. Microsoft Defender for Cloud CSPM service acquires an Azure AD token with a validity life time of 1 hour that is signed by the Azure AD using the RS256 algorithm.
+1. Microsoft Defender for Cloud CSPM service acquires a Microsoft Entra token with a validity life time of 1 hour that is signed by the Microsoft Entra ID using the RS256 algorithm.
-1. The Azure AD token is exchanged with AWS short living credentials and Defender for Cloud's CSPM service assumes the CSPM IAM role (assumed with web identity).
+1. The Microsoft Entra token is exchanged with AWS short living credentials and Defender for Cloud's CSPM service assumes the CSPM IAM role (assumed with web identity).
-1. Since the principle of the role is a federated identity as defined in a trust relationship policy, the AWS identity provider validates the Azure AD token against the Azure AD through a process that includes:
+1. Since the principle of the role is a federated identity as defined in a trust relationship policy, the AWS identity provider validates the Microsoft Entra token against the Microsoft Entra ID through a process that includes:
- audience validation - signing of the token
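Review bot: the rename in steps 1 and 3 introduces a stray article, "signed by the Microsoft Entra ID" and "against the Microsoft Entra ID"; Microsoft Entra ID is a product name and takes no article, so these should read "signed by Microsoft Entra ID" and "validates the Microsoft Entra token against Microsoft Entra ID". While these lines are being touched, "the principle of the role" in step 3 should be "the principal of the role", and "validity life time" and "AWS short living credentials" read more naturally as "validity lifetime" and "short-lived AWS credentials".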
The architecture of the authentication process across clouds is as follows:
1. The Microsoft Defender for Cloud CSPM role is assumed only after the validation conditions defined at the trust relationship have been met. The conditions defined for the role level are used for validation within AWS and allows only the Microsoft Defender for Cloud CSPM application (validated audience) access to the specific role (and not any other Microsoft token).
-1. After the Azure AD token validated by the AWS identity provider, the AWS STS exchanges the token with AWS short-living credentials which CSPM service uses to scan the AWS account.
+1. After the Microsoft Entra token validated by the AWS identity provider, the AWS STS exchanges the token with AWS short-living credentials which CSPM service uses to scan the AWS account.
## Native connector plan requirements
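Review bot: the replaced step still lacks a verb, "After the Microsoft Entra token validated by the AWS identity provider"; suggest "After the Microsoft Entra token is validated by the AWS identity provider, AWS STS exchanges it for short-lived AWS credentials, which the CSPM service uses to scan the AWS account." The pre-existing "short-living" should become "short-lived" to match the fix suggested for the previous hunk.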
defender-for-cloud Concept Credential Scanner Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/concept-credential-scanner-rules.md
Azure SQL Connection String
**Sample**: `<add key="ConnectionString" value="server=tcp:server.database.windows.net;database=database;user=user;password=ZYXWVU_2;"`
-Learn more about [SQL database Azure AD authentication configure](/azure/sql-database/sql-database-aad-authentication-configure).
+Learn more about [SQL database Microsoft Entra authentication configure](/azure/sql-database/sql-database-aad-authentication-configure).
### CSCAN-AZURE0030
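Review bot: the rewritten link text "SQL database Microsoft Entra authentication configure" is still word-order scrambled after the rename; since the target is a configuration how-to, suggest "Configure Microsoft Entra authentication for Azure SQL".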
Learn more about [Security claims](../notification-hubs/notification-hubs-push-n
### CSCAN-AZURE0140
-Azure AD Client Access Token
+Microsoft Entra Client Access Token
**Sample**: `Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJS...`
Learn more about [Requesting an access token in Azure Active Directory B2C](../a
### CSCAN-AZURE0150
-Azure AD User Credentials
+Microsoft Entra user Credentials
**Sample**: `username=user@tenant.onmicrosoft.com;password=ZYXWVU$1;`
-Learn more about [Resetting a user's password using Azure Active Directory](../active-directory/fundamentals/active-directory-users-reset-password-azure-portal.md).
+Learn more about [Resetting a user's password using Microsoft Entra ID](../active-directory/fundamentals/active-directory-users-reset-password-azure-portal.md).
### CSCAN-AZURE0151
-Azure AD Client Secret
+Microsoft Entra Client Secret
**Sample**: `"AppId=01234567-abcd-abcd-abcd-abcdef012345;AppSecret="abc7Q~defghijklmnopqrstuvwxyz-_.~0123"` <br> `"AppId=01234567-abcd-abcd-abcd-abcdef012345;AppSecret="abc8Q~defghijklmnopqrstuvwxyz-_.~0123456"`
Client Secret / API Key
**Sample**: `client_secret=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=` <br> `ida:password=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=` <br> `ida:...issuer...Api...abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=` <br> `Namespace...ACS...Issuer...abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=` <br> `IssuerName...IssuerSecret=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDE=` <br> `App_Secret=abcdefghijklmnopqrstuvwxyz0123456789/+ABCDEabcdefghijklmnopqrstuvwxyz0123456789/+ABCDE==`
-Learn more about [The Client ID and Secret](https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/) and [How and why applications are added to Azure AD](../active-directory/develop/how-applications-are-added.md).
+Learn more about [The Client ID and Secret](https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/) and [How and why applications are added to Microsoft Entra ID](../active-directory/develop/how-applications-are-added.md).
### CSCAN-GENERAL0140
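Review bot: capitalization is inconsistent across the renamed rule titles in this hunk: CSCAN-AZURE0140 becomes "Microsoft Entra Client Access Token" and CSCAN-AZURE0151 "Microsoft Entra Client Secret", but CSCAN-AZURE0150 becomes "Microsoft Entra user Credentials", with a lowercase "user" beside a capitalized "Credentials". Pick one form for all three titles, either "Microsoft Entra User Credentials" or sentence case throughout.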
defender-for-cloud Concept Data Security Posture Prepare https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/concept-data-security-posture-prepare.md
The table summarizes support for data-aware posture management.
|What GCP regions are supported? | europe-west1, us-east1, us-west1, us-central1, us-east4, asia-south1, northamerica-northeast1| |Do I need to install an agent? | No, discovery requires no agent installation. | |What's the cost? | The feature is included with the Defender CSPM and Defender for Storage plans, and doesnΓÇÖt incur additional costs except for the respective plan costs. |
-|What permissions do I need to view/edit data sensitivity settings? | You need one of these Azure Active directory roles: Global Administrator, Compliance Administrator, Compliance Data Administrator, Security Administrator, Security Operator.|
-| What permissions do I need to perform onboarding? | You need one of these Azure Active directory roles: Security Admin, Contributor, Owner on the subscription level (where the GCP project/s reside in). For consuming the security findings: Security Reader, Security Admin, Reader, Contributor, Owner on the subscription level (where the GCP project/s reside). |
+|What permissions do I need to view/edit data sensitivity settings? | You need one of these Microsoft Entra roles: Global Administrator, Compliance Administrator, Compliance Data Administrator, Security Administrator, Security Operator.|
+| What permissions do I need to perform onboarding? | You need one of these Microsoft Entra roles: Security Admin, Contributor, Owner on the subscription level (where the GCP project/s reside in). For consuming the security findings: Security Reader, Security Admin, Reader, Contributor, Owner on the subscription level (where the GCP project/s reside). |
## Configuring data sensitivity settings
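Review bot: the second rewritten row labels Security Admin, Contributor, Owner, Reader and Security Reader "on the subscription level" as Microsoft Entra roles, but roles assigned at subscription scope are Azure roles (Azure RBAC), not Microsoft Entra directory roles; only the first row (Global Administrator, Compliance Administrator, and so on) lists Microsoft Entra roles. Suggest "You need one of these Azure roles at the subscription scope: ..." for the onboarding row. Both rows also keep a doubled preposition in the parenthetical, "(where the GCP project/s reside in)"; suggest "(the subscription in which the GCP projects reside)".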
defender-for-cloud Concept Gcp Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/concept-gcp-connector.md
The authentication process works as follows:
:::image type="content" source="media/concept-gcp-connector/authentication-process.png" alt-text="A diagram of the Defender for Cloud GCP connector authentication process." lightbox="media/concept-gcp-connector/authentication-process.png":::
-(1) - Microsoft Defender for Cloud's CSPM service acquires an Azure AD token. The token is signed by Azure AD using the RS256 algorithm and is valid for 1 hour.
+(1) - Microsoft Defender for Cloud's CSPM service acquires a Microsoft Entra token. The token is signed by Microsoft Entra ID using the RS256 algorithm and is valid for 1 hour.
-(2) - The Azure AD token is exchanged with Google's STS token.
+(2) - The Microsoft Entra token is exchanged with Google's STS token.
-(3) - Google STS validates the token with the workload identity provider. The Azure AD token is sent to Google's STS that validates the token with the workload identity provider. Audience validation then occurs and the token is signed. A Google STS token is then returned to Defender for Cloud's CSPM service.
+(3) - Google STS validates the token with the workload identity provider. The Microsoft Entra token is sent to Google's STS that validates the token with the workload identity provider. Audience validation then occurs and the token is signed. A Google STS token is then returned to Defender for Cloud's CSPM service.
(4) - Defender for Cloud's CSPM service uses the Google STS token to impersonate the service account. Defender for Cloud's CSPM receives service account credentials that are used to scan the project.
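Review bot: step (3) says the same thing twice after the rename, "Google STS validates the token with the workload identity provider. The Microsoft Entra token is sent to Google's STS that validates the token with the workload identity provider"; keep one of the two sentences. "Audience validation then occurs and the token is signed" also leaves the signer unnamed, while step (1) already states that the Microsoft Entra token is signed by Microsoft Entra ID; if the intent is that Google STS issues a signed token of its own after validation, say so explicitly, for example "Google STS then issues its own signed token, which is returned to Defender for Cloud's CSPM service".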
defender-for-cloud Continuous Export https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/continuous-export.md
When collecting data into a tenant, you can analyze the data from one central lo
To export data to an Azure Event Hubs or Log Analytics workspace in a different tenant: 1. In the tenant that has the Azure Event Hubs or Log Analytics workspace, [invite a user](../active-directory/external-identities/what-is-b2b.md#easily-invite-guest-users-from-the-azure-portal) from the tenant that hosts the continuous export configuration, or alternatively configure Azure Lighthouse for the source and destination tenant.
-1. If using Azure AD B2B Guest access, ensure that the user accepts the invitation to access the tenant as a guest.
+1. If using Microsoft Entra B2B Guest access, ensure that the user accepts the invitation to access the tenant as a guest.
1. If you're using a Log Analytics Workspace, assign the user in the workspace tenant one of these roles: Owner, Contributor, Log Analytics Contributor, Sentinel Contributor, or Monitoring Contributor. 1. Create and submit the request to the Azure REST API to configure the required resources. You'll need to manage the bearer tokens in both the context of the local (workspace) and the remote (continuous export) tenant.
defender-for-cloud Cross Tenant Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/cross-tenant-management.md
The views and actions are basically the same. Here are some examples:
- **Manage advanced cloud defense features and more**: Manage the various threat protection services, such as [just-in-time (JIT) VM access](just-in-time-access-usage.md), [Adaptive network hardening](adaptive-network-hardening.md), [adaptive application controls](adaptive-application-controls.md), and more. ## Next steps
-This article explains how cross-tenant management works in Defender for Cloud. To discover how Azure Lighthouse can simplify cross-tenant management within an enterprise which uses multiple Azure AD tenants, see [Azure Lighthouse in enterprise scenarios](../lighthouse/concepts/enterprise.md).
+This article explains how cross-tenant management works in Defender for Cloud. To discover how Azure Lighthouse can simplify cross-tenant management within an enterprise which uses multiple Microsoft Entra tenants, see [Azure Lighthouse in enterprise scenarios](../lighthouse/concepts/enterprise.md).
defender-for-cloud Defender For Cloud Glossary https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-cloud-glossary.md
This glossary provides a brief description of important terms and concepts for t
Adaptive application controls are an intelligent and automated solution for defining allowlists of known-safe applications for your machines. See [Adaptive Application Controls](adaptive-application-controls.md).
-### **AAD**
+<a name='aad'></a>
-Azure Active Directory (Azure AD) is a cloud-based identity and access management service. See [Adaptive Application Controls](../active-directory/fundamentals/active-directory-whatis.md).
+### **Microsoft Entra ID**
+
+Microsoft Entra ID is a cloud-based identity and access management service. See [Adaptive Application Controls](../active-directory/fundamentals/active-directory-whatis.md).
### **ACR Tasks**
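Review bot: the renamed glossary entry carries over a copy-paste error from the old text: "See [Adaptive Application Controls](../active-directory/fundamentals/active-directory-whatis.md)" repeats the previous entry's link text while pointing at the Microsoft Entra ID overview; the link text should describe its target, for example "See [What is Microsoft Entra ID?](../active-directory/fundamentals/active-directory-whatis.md)". Moving the entry from "AAD" to "Microsoft Entra ID" also leaves it between "Adaptive application controls" and "ACR Tasks", so it no longer sits in alphabetical order; the `<a name='aad'></a>` anchor keeps old deep links working either way, so the entry can be relocated under "M" without breaking them.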
defender-for-cloud Defender For Key Vault Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-key-vault-introduction.md
If you don't recognize the user or application, or if you think the access shoul
1. Open the key vault's access policy settings. 1. Remove the corresponding security principal, or restrict the operations the security principal can perform. -- If the source of the alert has an Azure Active Directory role in your tenant:
+- If the source of the alert has a Microsoft Entra role in your tenant:
1. Contact your administrator.
- 1. Determine whether there's a need to reduce or revoke Azure Active Directory permissions.
+ 1. Determine whether there's a need to reduce or revoke Microsoft Entra permissions.
### Step 3: Measure the impact When the event has been mitigated, investigate the secrets in your key vault that were affected:
defender-for-cloud Defender For Storage Configure Malware Scan https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/defender-for-storage-configure-malware-scan.md
Here are some response options that you can use to automate your response:
## Block access to unscanned or malicious files using ABAC (attribute-based access control)
-You can block access to malicious and unscanned files with Entra ID (Azure AD) Attribute-based access control (ABAC) authorization. It allows you to set conditional access to blobs based on the scanning results, and allow applications and users to access only scanned files that are clean.
+You can block access to malicious and unscanned files with Microsoft Entra Attribute-based access control (ABAC) authorization. It allows you to set conditional access to blobs based on the scanning results, and allow applications and users to access only scanned files that are clean.
Follow the instructions in the following [video](https://www.microsoft.com/videoplayer/embed/RW193F2) to set it up.
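Review bot: the rewritten sentence capitalizes "Attribute-based" mid-sentence, "Microsoft Entra Attribute-based access control (ABAC)"; the conditions that restrict blob access by scan result are attached to Azure role assignments (Azure attribute-based access control), with Microsoft Entra supplying the identity, so suggest "with Azure attribute-based access control (Azure ABAC) conditions on role assignments for Microsoft Entra identities". The following sentence, "It allows you to set conditional access to blobs", also risks confusion with Microsoft Entra Conditional Access; "access conditions on blobs" would be clearer.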
You can use code or workflow automation to delete or move malicious files to qua
- **Move the malicious file to quarantine** - You can move files to a dedicated storage container or storage account that are considered as ΓÇ£quarantineΓÇ¥. You may want only certain users, such as a security admin or a SOC analyst, to have permission to access this dedicated container or storage account.
- - Using [Azure Active Directory (Azure AD) to control access to blob storage](../storage/blobs/authorize-access-azure-active-directory.md) is considered a best practice. To control access to the dedicated quarantine storage container, you can use [container-level role assignments using Azure AD Role-based access control (RBAC)](../storage/blobs/authorize-access-azure-active-directory.md). Users with storage account-level permissions may still be able to access the ΓÇ£quarantineΓÇ¥ container. You can either edit their permissions to be container-level or choose a different approach and move the malicious file to a dedicated storage account.
- - If you must use other methods, such as [SAS (shared access signatures)](../storage/common/storage-sas-overview.md) tokens on the protected storage account, it's best practice to move malicious files to another storage account (quarantine). Then, it's best only to grant Azure AD permission to access the quarantined storage account.
+ - Using [Microsoft Entra ID to control access to blob storage](../storage/blobs/authorize-access-azure-active-directory.md) is considered a best practice. To control access to the dedicated quarantine storage container, you can use [container-level role assignments using Microsoft Entra role-based access control (RBAC)](../storage/blobs/authorize-access-azure-active-directory.md). Users with storage account-level permissions may still be able to access the ΓÇ£quarantineΓÇ¥ container. You can either edit their permissions to be container-level or choose a different approach and move the malicious file to a dedicated storage account.
+ - If you must use other methods, such as [SAS (shared access signatures)](../storage/common/storage-sas-overview.md) tokens on the protected storage account, it's best practice to move malicious files to another storage account (quarantine). Then, it's best only to grant Microsoft Entra permission to access the quarantined storage account.
### Set up automation
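Review bot: the second bullet's rewritten text, "container-level role assignments using Microsoft Entra role-based access control (RBAC)", names the identity provider where the authorization model is meant; container-scoped role assignments are Azure role assignments (Azure RBAC) granted to Microsoft Entra identities, and the link target is the same authorize-access-azure-active-directory.md page for both bullets, so suggest "container-level Azure role assignments (Azure RBAC) for Microsoft Entra identities". The last sentence of the third bullet, "it's best only to grant Microsoft Entra permission to access the quarantined storage account", is also ambiguous; suggest "it's best to allow access to the quarantine storage account only through Microsoft Entra authorization, without SAS tokens".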
defender-for-cloud Detect Exposed Secrets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/detect-exposed-secrets.md
When credentials are discovered in your code, you can remove them. Instead you c
- Using secret storage such as Azure Key Vault (AKV). -- Updating your authentication methods to take advantage of managed identities (MSI) via Azure Active Directory (AAD).
+- Updating your authentication methods to take advantage of managed identities (MSI) via Microsoft Entra ID.
### Remediate secrets findings using Azure Key Vault
defender-for-cloud Episode Seventeen https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/episode-seventeen.md
Last updated 04/27/2023
## Recommended resources
-Learn more about [Entra Permission Management](other-threat-protections.md#entra-permission-management-formerly-cloudknox)
+Learn more about [Microsoft Entra Permission Management](other-threat-protections.md#entra-permission-management-formerly-cloudknox)
- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa0ZoTml2Qm9kZ2pjRzNMUXFqVUwyNl80YVNtd3xBQ3Jtc0trVm9QM2Z0NlpOeC1KSUE2UEd1cVJ5aHQ0MTN6WjJEYmNlOG9rWC1KZ1ZqaTNmcHdOOHMtWXRLSGhUTVBhQlhhYzlUc2xmTHZtaUpkd1c4LUQzLWt1YmRTbkVQVE5EcTJIM0Foc042SGdQZU5acVRJbw&q=https%3A%2F%2Faka.ms%2FSubscribeMicrosoftSecurity)
Learn more about [Entra Permission Management](other-threat-protections.md#entra
## Next steps > [!div class="nextstepaction"]
-> [New AWS Connector in Microsoft Defender for Cloud](episode-eighteen.md)
+> [New AWS Connector in Microsoft Defender for Cloud](episode-eighteen.md)
defender-for-cloud Export To Siem https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/export-to-siem.md
Before you set up the Azure services for exporting alerts, make sure you have:
- Azure resource group ([Create a resource group](../azure-resource-manager/management/manage-resource-groups-portal.md)) - **Owner** role on the alerts scope (subscription, management group or tenant), or these specific permissions: - Write permissions for event hubs and the Event Hub Policy
- - Create permissions for [Azure AD applications](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app), if you aren't using an existing Azure AD application
+ - Create permissions for [Microsoft Entra applications](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app), if you aren't using an existing Microsoft Entra application
- Assign permissions for policies, if you're using the Azure Policy 'DeployIfNotExist' <!- - if it **has the SecurityCenterFree solution**, you'll need a minimum of read permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/read`
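Review bot: the bullet `- Assign permissions for policies, if you're using the Azure Policy 'DeployIfNotExist'` is followed by `<!- - if it **has the SecurityCenterFree solution** ...`, a malformed HTML comment opener (`<!-` instead of `<!--`) with no closing `-->` in view. The note about needing `Microsoft.OperationsManagement/solutions/read` therefore renders as broken visible text; either restore a proper `<!-- ... -->` comment or promote it to a real bullet, since the minimum read permission on the workspace solution is useful to the reader.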
You can set up your Azure environment to support continuous export using either:
5. Enable continuous export of security alerts to the defined event hub. 6. **If you're streaming alerts to QRadar** - Create a storage account, then copy and save the connection string to the account that youΓÇÖll use in QRadar. 7. **If you're streaming alerts to Splunk**:
- 1. Create an Azure Active Directory (AD) application.
+ 1. Create a Microsoft Entra application.
2. Save the Tenant, App ID, and App password.
- 3. Give permissions to the Azure AD Application to read from the event hub you created before.
+ 3. Give permissions to the Microsoft Entra Application to read from the event hub you created before.
For more detailed instructions, see [Prepare Azure resources for exporting to Splunk and QRadar](export-to-splunk-or-qradar.md).
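Review bot: the renamed sub-steps are inconsistent with each other and with the linked article: step 7.1 says `Create a Microsoft Entra application` (lowercase) while 7.3 says `Microsoft Entra Application`, and 7.2 asks to save the `App password` although the detailed procedure in export-to-splunk-or-qradar.md calls the same credential a client secret. Use `application` and `client secret` in all three so readers can map these steps onto what the portal shows.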
defender-for-cloud Export To Splunk Or Qradar https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/export-to-splunk-or-qradar.md
Last updated 04/04/2022
# Prepare Azure resources for exporting to Splunk and QRadar
-In order to stream Microsoft Defender for Cloud security alerts to IBM QRadar and Splunk, you have to set up resources in Azure, such as Event Hubs and Azure Active Directory (Azure AD). Here are the instructions for configuring these resources in the Azure portal, but you can also configure them using a PowerShell script. Make sure you review [Stream alerts to QRadar and Splunk](export-to-siem.md#stream-alerts-to-qradar-and-splunk) before you configure the Azure resources for exporting alerts to QRadar and Splunk.
+In order to stream Microsoft Defender for Cloud security alerts to IBM QRadar and Splunk, you have to set up resources in Azure, such as Event Hubs and Microsoft Entra ID. Here are the instructions for configuring these resources in the Azure portal, but you can also configure them using a PowerShell script. Make sure you review [Stream alerts to QRadar and Splunk](export-to-siem.md#stream-alerts-to-qradar-and-splunk) before you configure the Azure resources for exporting alerts to QRadar and Splunk.
To configure the Azure resources for QRadar and Splunk in the Azure portal:
To configure the Azure resources for QRadar and Splunk in the Azure portal:
:::image type="content" source="media/export-to-siem/copy-storage-account-key.png" alt-text="Screenshot of copying storage account key." lightbox="media/export-to-siem/copy-storage-account-key.png":::
-## Step 6: **For streaming alerts to Splunk SIEM** - Create an Azure AD application
+<a name='step-6-for-streaming-alerts-to-splunk-siemcreate-an-azure-ad-application'></a>
-1. In the menu search box, search for "Azure Active Directory" and go to Azure Active Directory.
-1. Go to the Azure portal, select **Create a resource**, and select **Azure Active Directory**. If that option isn't shown, search for "active directory".
+## Step 6: **For streaming alerts to Splunk SIEM** - Create a Microsoft Entra application
+
+1. In the menu search box, search for "Microsoft Entra ID" and go to Microsoft Entra ID.
+1. Go to the Azure portal, select **Create a resource**, and select **Microsoft Entra ID**. If that option isn't shown, search for "active directory".
1. In the menu, select **App registrations**. 1. Select **New registration**. 1. Enter a unique name for the application and select **Register**.
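Review bot: after the rename, Step 6 opens with two competing first steps, `1. In the menu search box, search for "Microsoft Entra ID" and go to Microsoft Entra ID.` and `1. Go to the Azure portal, select **Create a resource**, and select **Microsoft Entra ID**`, both numbered 1, and the second still tells the reader to `search for "active directory"` if the option is missing. Keep a single navigation path (the menu search for Microsoft Entra ID, then **App registrations**) and update or drop the old search term so the page does not contradict its own rename.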
To configure the Azure resources for QRadar and Splunk in the Azure portal:
1. After the secret is created, copy the Secret ID and save it for later use together with the Application ID and Directory (tenant) ID.
-## Step 7: **For streaming alerts to Splunk SIEM** - Allow Azure AD to read from the event hub
+<a name='step-7-for-streaming-alerts-to-splunk-siemallow-azure-ad-to-read-from-the-event-hub'></a>
+
+## Step 7: **For streaming alerts to Splunk SIEM** - Allow Microsoft Entra ID to read from the event hub
1. Go to the Event Hubs namespace you created. 1. In the menu, go to **Access control**.
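Review bot: the context line `copy the Secret ID and save it for later use together with the Application ID and Directory (tenant) ID` names the wrong field. When a client secret is created, the portal shows both a Secret ID and a Value; only the Value is the credential Splunk needs, it is displayed once at creation, and it cannot be retrieved afterwards. Change `Secret ID` to the secret value and say it must be copied immediately. The renamed heading `Allow Microsoft Entra ID to read from the event hub` is also imprecise: the role is granted to the application's service principal, not to the directory, so `Allow the application to read from the event hub` would be accurate.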
To configure the Azure resources for QRadar and Splunk in the Azure portal:
1. In the Roles tab, search for **Azure Event Hubs Data Receiver**. 1. Select **Next**. 1. Select **Select Members**.
-1. Search for the Azure AD application you created before and select it.
+1. Search for the Microsoft Entra application you created before and select it.
1. Select **Close**. To continue setting up export of alerts, [install the built-in connectors](export-to-siem.md#step-2-connect-the-event-hub-to-your-preferred-solution-using-the-built-in-connectors) for the SIEM you're using.
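Review bot: this hunk assigns `Azure Event Hubs Data Receiver` on the Event Hubs namespace (the **Access control** page reached in the previous step), which lets the application read every event hub in that namespace rather than only the one carrying Defender for Cloud alerts. For least privilege, scope the assignment to that single event hub and say so in the text, for example `az role assignment create --role "Azure Event Hubs Data Receiver" --assignee <application (client) ID> --scope <resource ID of the alerts event hub>`. The member-picker step `Search for the Microsoft Entra application you created before` is fine as written.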
defender-for-cloud Governance Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/governance-rules.md
The owner is shown as unspecified when the owner wasn't found on the resource, t
:::image type="content" source="media/governance-rules/unspecified owner.png" alt-text="Screenshot showing unspecified owner line." lightbox="media/governance-rules/unspecified owner.png":::
-By default, email notifications are sent to the resource owners weekly to provide a list of the on time and overdue tasks. If an email for the owner's manager is found in the organizational Azure Active Directory (Azure AD), the owner's manager receives a weekly email showing any overdue recommendations by default.
+By default, email notifications are sent to the resource owners weekly to provide a list of the on time and overdue tasks. If an email for the owner's manager is found in the organizational Microsoft Entra ID, the owner's manager receives a weekly email showing any overdue recommendations by default.
:::image type="content" source="./media/governance-rules/add-governance-rules.png" alt-text="Screenshot of fields required to add a governance rule." lightbox="media/governance-rules/add-governance-rules.png":::
You can see the list of owners and recommendations for the selected rules, and t
- Hover over the (i) in the overdue recommendations to see the breakdown of overdue recommendations by severity.
- - If the owner email address is found in the organizational Azure Active Directory (Azure AD), you'll see the full name and picture of the owner.
+ - If the owner email address is found in the organizational Microsoft Entra ID, you'll see the full name and picture of the owner.
1. Select **View recommendations** to go to the list of recommendations associated with the owner.
defender-for-cloud Management Groups Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/management-groups-roles.md
# Organize subscriptions into management groups and assign roles to users
-Manage your organizationΓÇÖs security posture at scale by applying security policies to all Azure subscriptions linked to your Azure Active Directory tenant.
+Manage your organizationΓÇÖs security posture at scale by applying security policies to all Azure subscriptions linked to your Microsoft Entra tenant.
-For visibility into the security posture of all subscriptions linked to an Azure AD tenant, you'll need an Azure role with sufficient read permissions assigned on the root management group.
+For visibility into the security posture of all subscriptions linked to a Microsoft Entra tenant, you'll need an Azure role with sufficient read permissions assigned on the root management group.
## Organize your subscriptions into management groups
For visibility into the security posture of all subscriptions linked to an Azure
Use management groups to efficiently manage access, policies, and reporting on groups of subscriptions, and effectively manage the entire Azure estate by performing actions on the root management group. You can organize subscriptions into management groups and apply your governance policies to the management groups. All subscriptions within a management group automatically inherit the policies applied to the management group.
-Each Azure AD tenant is given a single top-level management group called the root management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This group allows global policies and Azure role assignments to be applied at the directory level.
+Each Microsoft Entra tenant is given a single top-level management group called the root management group. This root management group is built into the hierarchy to have all management groups and subscriptions fold up to it. This group allows global policies and Azure role assignments to be applied at the directory level.
The root management group is created automatically when you do any of the following actions: - In the [Azure portal](https://portal.azure.com), select **Management Groups** . - Create a management group with an API call. - Create a management group with PowerShell. For PowerShell instructions, see [Create management groups for resource and organization management](../governance/management-groups/create-management-group-portal.md).
-Management groups aren't required to onboard Defender for Cloud, but we recommend creating at least one so that the root management group gets created. After the group is created, all subscriptions under your Azure AD tenant will be linked to it.
+Management groups aren't required to onboard Defender for Cloud, but we recommend creating at least one so that the root management group gets created. After the group is created, all subscriptions under your Microsoft Entra tenant will be linked to it.
For a detailed overview of management groups, see the [Organize your resources with Azure management groups](../governance/management-groups/overview.md) article.
Once the Azure roles have been assigned to the users, the tenant administrator s
1. Sign in to the [Azure portal](https://portal.azure.com).
-2. In the navigation list, select **Azure Active Directory** and then select **Properties**.
+2. In the navigation list, select **Microsoft Entra ID** and then select **Properties**.
3. Under **Access management for Azure resources**, set the switch to **No**.
defender-for-cloud Multi Factor Authentication Enforcement https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/multi-factor-authentication-enforcement.md
Title: Security recommendations for multi-factor authentication
-description: Learn how to enforce multi-factor authentication for your Azure subscriptions using Microsoft Defender for Cloud
+ Title: Security recommendations for multifactor authentication
+description: Learn how to enforce multifactor authentication for your Azure subscriptions using Microsoft Defender for Cloud
Last updated 08/22/2023
-# Manage multi-factor authentication (MFA) on your subscriptions
+# Manage multifactor authentication (MFA) on your subscriptions
If you're using passwords only to authenticate your users, you're leaving an attack vector open. Users often use weak passwords or reuse them for multiple services. With [MFA](https://www.microsoft.com/security/business/identity/mfa) enabled, your accounts are more secure, and users can still authenticate to almost any application with single sign-on (SSO).
-There are multiple ways to enable MFA for your Azure Active Directory (Azure AD) users based on the licenses that your organization owns. This page provides the details for each in the context of Microsoft Defender for Cloud.
+There are multiple ways to enable MFA for your Microsoft Entra users based on the licenses that your organization owns. This page provides the details for each in the context of Microsoft Defender for Cloud.
## MFA and Microsoft Defender for Cloud
There are three ways to enable MFA and be compliant with the two recommendations
### Free option - security defaults
-If you're using the free edition of Azure AD, you should use the [security defaults](../active-directory/fundamentals/concept-fundamentals-security-defaults.md) to enable multi-factor authentication on your tenant.
+If you're using the free edition of Microsoft Entra ID, you should use the [security defaults](../active-directory/fundamentals/concept-fundamentals-security-defaults.md) to enable multifactor authentication on your tenant.
### MFA for Microsoft 365 Business, E3, or E5 customers
-Customers with Microsoft 365 can use **Per-user assignment**. In this scenario, Azure AD MFA is either enabled or disabled for all users, for all sign-in events. There's no ability to enable multi-factor authentication for a subset of users, or under certain scenarios, and management is through the Office 365 portal.
+Customers with Microsoft 365 can use **Per-user assignment**. In this scenario, Microsoft Entra multifactor authentication is either enabled or disabled for all users, for all sign-in events. There's no ability to enable multifactor authentication for a subset of users, or under certain scenarios, and management is through the Office 365 portal.
-### MFA for Azure AD Premium customers
+<a name='mfa-for-azure-ad-premium-customers'></a>
-For an improved user experience, upgrade to Azure AD Premium P1 or P2 for **conditional access (CA) policy** options. To configure a CA policy, you need [Azure Active Directory (Azure AD) tenant permissions](../active-directory/roles/permissions-reference.md).
+### MFA for Microsoft Entra ID P1 or P2 customers
+
+For an improved user experience, upgrade to Microsoft Entra ID P1 or P2 for **conditional access (CA) policy** options. To configure a CA policy, you need [Microsoft Entra tenant permissions](../active-directory/roles/permissions-reference.md).
Your CA policy must:
Your CA policy must:
- not exclude the Microsoft Azure Management app ID
-**Azure AD Premium P1** customers can use Azure AD CA to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements. Other licenses that include this functionality: Enterprise Mobility + Security E3, Microsoft 365 F1, and Microsoft 365 E3.
+**Microsoft Entra ID P1** customers can use Microsoft Entra CA to prompt users for multifactor authentication during certain scenarios or events to fit your business requirements. Other licenses that include this functionality: Enterprise Mobility + Security E3, Microsoft 365 F1, and Microsoft 365 E3.
-**Azure AD Premium P2** provides the strongest security features and an improved user experience. This license adds [risk-based conditional access](../active-directory/conditional-access/howto-conditional-access-policy-risk.md) to the Azure AD Premium P1 features. Risk-based CA adapts to your users' patterns and minimizes multi-factor authentication prompts. Other licenses that include this functionality: Enterprise Mobility + Security E5 or Microsoft 365 E5.
+**Microsoft Entra ID P2** provides the strongest security features and an improved user experience. This license adds [risk-based conditional access](../active-directory/conditional-access/howto-conditional-access-policy-risk.md) to the Microsoft Entra ID P1 features. Risk-based CA adapts to your users' patterns and minimizes multifactor authentication prompts. Other licenses that include this functionality: Enterprise Mobility + Security E5 or Microsoft 365 E5.
Learn more in the [Azure Conditional Access documentation](../active-directory/conditional-access/overview.md).
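Review bot: the renamed per-user paragraph carries over a claim that is not right: `Microsoft Entra multifactor authentication is either enabled or disabled for all users, for all sign-in events. There's no ability to enable multifactor authentication for a subset of users`. Per-user MFA is set on individual user accounts, so it can be enabled for a subset; what it cannot do is vary by scenario (app, location, device, risk), which is exactly the gap the Conditional Access section below fills. Suggest `is enabled or disabled per user and, once enabled, applies to all of that user's sign-ins`.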
-## Identify accounts without multi-factor authentication (MFA) enabled
+<a name='identify-accounts-without-multi-factor-authentication-mfa-enabled'></a>
+
+## Identify accounts without multifactor authentication (MFA) enabled
You can view the list of user accounts without MFA enabled from either the Defender for Cloud recommendations details page, or by using the Azure Resource Graph.
To see which accounts don't have MFA enabled, use the following Azure Resource G
## Limitations - Conditional Access feature to enforce MFA on external users/tenants isn't supported yet.-- Conditional Access policy applied to Azure AD roles (such as all global admins, external users, external domain, etc.) isn't supported yet.
+- Conditional Access policy applied to Microsoft Entra roles (such as all global admins, external users, external domain, etc.) isn't supported yet.
- External MFA solutions such as Okta, Ping, Duo, and more aren't supported within the identity MFA recommendations.
defender-for-cloud Onboard Machines With Defender For Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/onboard-machines-with-defender-for-endpoint.md
This tenant-level setting allows you to automatically and natively onboard any n
| - | | | Release state | GA | | Supported operating systems | All [Windows](/microsoft-365/security/defender-endpoint/minimum-requirements#supported-windows-versions) and [Linux](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux#system-requirements) **Server** operating systems supported by Defender for Endpoint |
-| Required roles and permissions | To manage this setting, you need **Subscription Owner** (on the chosen subscription), and **AAD Global Administrator** or **AAD Security Administrator** |
+| Required roles and permissions | To manage this setting, you need **Subscription Owner** (on the chosen subscription), and **Microsoft Entra Global Administrator** or **Microsoft Entra Security Administrator** |
| Environments | On-premises servers <br />Multicloud VMs ΓÇô limited support (see limitations section)| | Supported plans | Defender for Servers P1 <br />Defender for Servers P2 ΓÇô limited features (see limitations section) |
Direct onboarding is a seamless integration between Defender for Endpoint and De
## Enabling direct onboarding
-Enabling direct onboarding is an opt-in setting at the tenant level. It affects both existing and new servers onboarded to Defender for Endpoint in the same Azure AD tenant. Shortly after enabling this setting, your server devices will show under the designated subscription. Alerts, software inventory, and vulnerability data are integrated with Defender for Cloud, in a similar way to how it works with Azure VMs.
+Enabling direct onboarding is an opt-in setting at the tenant level. It affects both existing and new servers onboarded to Defender for Endpoint in the same Microsoft Entra tenant. Shortly after enabling this setting, your server devices will show under the designated subscription. Alerts, software inventory, and vulnerability data are integrated with Defender for Cloud, in a similar way to how it works with Azure VMs.
Before you begin:
defender-for-cloud Other Threat Protections https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/other-threat-protections.md
To defend against DDoS attacks, purchase a license for Azure DDoS Protection and
If you have Azure DDoS Protection enabled, your DDoS alerts are streamed to Defender for Cloud with no other configuration needed. For more information on the alerts generated by DDoS Protection, see [Reference table of alerts](alerts-reference.md#alerts-azureddos).
-## Entra Permission Management (formerly Cloudknox)
+<a name='entra-permission-management-formerly-cloudknox'></a>
-[Microsoft Entra Permissions Management](../active-directory/cloud-infrastructure-entitlement-management/index.yml) is a cloud infrastructure entitlement management (CIEM) solution. Entra Permission Management provides comprehensive visibility and control over permissions for any identity and any resource in Azure, AWS, and GCP.
+## Microsoft Entra Permissions Management (formerly Cloudknox)
+
+[Microsoft Entra Permissions Management](../active-directory/cloud-infrastructure-entitlement-management/index.yml) is a cloud infrastructure entitlement management (CIEM) solution. Microsoft Entra Permission Management provides comprehensive visibility and control over permissions for any identity and any resource in Azure, AWS, and GCP.
As part of the integration, each onboarded Azure subscription, AWS account, and GCP project give you a view of your [Permission Creep Index (PCI)](../active-directory/cloud-infrastructure-entitlement-management/ui-dashboard.md). The PCI is an aggregated metric that periodically evaluates the level of risk associated with the number of unused or excessive permissions across identities and resources. PCI measures how risky identities can potentially be, based on the permissions available to them.
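Review bot: the new heading `## Microsoft Entra Permissions Management (formerly Cloudknox)` and the link text use the plural, but the second sentence of the same added paragraph reverts to `Microsoft Entra Permission Management provides comprehensive visibility...`. Use the plural product name throughout; the added `<a name='entra-permission-management-formerly-cloudknox'>` already keeps incoming links such as the one from episode-seventeen.md working, so only the visible text needs fixing.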
defender-for-cloud Partner Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/partner-integration.md
Select **VIEW** for additional information and options such as:
### Discovered solutions
-Defender for Cloud automatically discovers security solutions running in Azure but not connected to Defender for Cloud and displays the solutions in the **Discovered solutions** section. These solutions include Azure solutions, like [Azure AD Identity Protection](../active-directory/identity-protection/overview-identity-protection.md), and partner solutions.
+Defender for Cloud automatically discovers security solutions running in Azure but not connected to Defender for Cloud and displays the solutions in the **Discovered solutions** section. These solutions include Azure solutions, like [Microsoft Entra ID Protection](../active-directory/identity-protection/overview-identity-protection.md), and partner solutions.
> [!NOTE] > Enable **advanced protections** at the subscription level for the discovered solutions feature. Learn more in [Quickstart: Enable enhanced security features](enable-enhanced-security.md).
defender-for-cloud Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/policy-reference.md
Title: Built-in policy definitions description: Lists Azure Policy built-in policy definitions for Microsoft Defender for Cloud. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
defender-for-cloud Support Matrix Defender For Cloud https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/support-matrix-defender-for-cloud.md
Defender for Cloud provides recommendations, security alerts, and vulnerability
\* These features are currently supported in preview.
-\*\* Azure Active Directory (Azure AD) recommendations are available only for subscriptions with [enhanced security features enabled](enable-enhanced-security.md).
+\*\* Microsoft Entra recommendations are available only for subscriptions with [enhanced security features enabled](enable-enhanced-security.md).
defender-for-cloud Tenant Wide Permissions Management https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/tenant-wide-permissions-management.md
Last updated 01/08/2023
# Grant and request tenant-wide visibility
-A user with the Azure Active Directory (AD) role of **Global Administrator** might have tenant-wide responsibilities, but lack the Azure permissions to view that organization-wide information in Microsoft Defender for Cloud. Permission elevation is required because Azure AD role assignments don't grant access to Azure resources.
+A user with the Microsoft Entra role of **Global Administrator** might have tenant-wide responsibilities, but lack the Azure permissions to view that organization-wide information in Microsoft Defender for Cloud. Permission elevation is required because Microsoft Entra role assignments don't grant access to Azure resources.
## Grant tenant-wide permissions to yourself **To assign yourself tenant-level permissions**:
-1. If your organization manages resource access with [Azure AD Privileged Identity Management (PIM)](../active-directory/privileged-identity-management/pim-configure.md), or any other PIM tool, the global administrator role must be active for the user.
+1. If your organization manages resource access with [Microsoft Entra Privileged Identity Management (PIM)](../active-directory/privileged-identity-management/pim-configure.md), or any other PIM tool, the global administrator role must be active for the user.
1. As a Global Administrator user without an assignment on the root management group of the tenant, open Defender for Cloud's **Overview** page and select the **tenant-wide visibility** link in the banner.
A user with the Azure Active Directory (AD) role of **Global Administrator** mig
1. Sign out of the Azure portal, and then log back in again.
-1. Once you have elevated access, open or refresh Microsoft Defender for Cloud to verify you have visibility into all subscriptions under your Azure AD tenant.
+1. Once you have elevated access, open or refresh Microsoft Defender for Cloud to verify you have visibility into all subscriptions under your Microsoft Entra tenant.
The process of assigning yourself tenant-level permissions, performs many operations automatically for you:
The process of assigning yourself tenant-level permissions, performs many opera
- The elevated permissions are removed.
-For more information of the Azure AD elevation process, see [Elevate access to manage all Azure subscriptions and management groups](../role-based-access-control/elevate-access-global-admin.md).
+For more information of the Microsoft Entra elevation process, see [Elevate access to manage all Azure subscriptions and management groups](../role-based-access-control/elevate-access-global-admin.md).
## Request tenant-wide permissions when yours are insufficient
defender-for-cloud Troubleshooting Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-cloud/troubleshooting-guide.md
GCP connector issues:
- Make sure that the GCP Cloud Shell script completed successfully. - Make sure that GKE clusters are successfully connected to Arc-enabled Kubernetes. - Make sure that Azure Arc endpoints are in the firewall allowlist. The GCP connector makes API calls to these endpoints to fetch the necessary onboarding files.-- If the onboarding of GCP projects failed, make sure you have ΓÇ£compute.regions.listΓÇ¥ permission and Azure AD permission to create the service principle used as part of the onboarding process. Make sure that the GCP resources `WorkloadIdentityPoolId`, `WorkloadIdentityProviderId`, and `ServiceAccountEmail` are created in the GCP project.
+- If the onboarding of GCP projects failed, make sure you have ΓÇ£compute.regions.listΓÇ¥ permission and Microsoft Entra permission to create the service principle used as part of the onboarding process. Make sure that the GCP resources `WorkloadIdentityPoolId`, `WorkloadIdentityProviderId`, and `ServiceAccountEmail` are created in the GCP project.
## Troubleshooting the Log Analytics agent
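Review bot: the renamed bullet carries over a spelling error, `Microsoft Entra permission to create the service principle used as part of the onboarding process`; it should be `service principal`. The same line shows the GCP permission as `ΓÇ£compute.regions.listΓÇ¥`, mis-encoded curly quotes; wrapping it in backticks as `compute.regions.list`, like the `WorkloadIdentityPoolId` identifiers later in the sentence, avoids the encoding problem and marks it as a literal permission name.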
defender-for-iot Plan Corporate Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/best-practices/plan-corporate-monitoring.md
For example:
Understand who in your organization will be using Defender for IoT, and what their use cases are. While your security operations center (SOC) and IT personnel will be the most common users, you may have others in your organization who will need read-access to resources in Azure or on local resources. -- **In Azure**, user assignments are based on their Azure Active Directory and RBAC roles. If you're segmenting your network into multiple sites, decide which permissions you'll want to apply per site.
+- **In Azure**, user assignments are based on their Microsoft Entra ID and RBAC roles. If you're segmenting your network into multiple sites, decide which permissions you'll want to apply per site.
- **OT network sensors** support both local users and Active Directory synchronizations. If you'll be using Active Directory, make sure that you have the access details for the Active Directory server.
defender-for-iot Connect Sensors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/connect-sensors.md
For more information, see [What are virtual machine scale sets?](../../virtual-m
- For the upgrade mode, select **Automatic - instance will start upgrading** - Disable boot diagnostics
- - Clear the settings for **Identity** and **Azure AD**
+ - Clear the settings for **Identity** and **Microsoft Entra ID**
- Select **Overprovisioning** - Select **Enabled automatic OS upgrades**
If you don't configure these settings during deployment, you can also return and
> [!div class="step-by-step"] > [Control the OT traffic monitored by Microsoft Defender for IoT ┬╗](how-to-control-what-traffic-is-monitored.md)-
defender-for-iot Eiot Defender For Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/eiot-defender-for-endpoint.md
Make sure that you have:
|Identity management |Roles required | |||
- |**In Azure Active Directory** | [Global administrator](../../active-directory/roles/permissions-reference.md#global-administrator) for your Microsoft 365 tenant |
+ |**In Microsoft Entra ID** | [Global administrator](../../active-directory/roles/permissions-reference.md#global-administrator) for your Microsoft 365 tenant |
|**In Azure RBAC** | [Security admin](../../role-based-access-control/built-in-roles.md#security-admin), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), or [Owner](../../role-based-access-control/built-in-roles.md#owner) for the Azure subscription that you'll be using for the integration | ## Onboard a Defender for IoT plan
defender-for-iot Send Cloud Data To Partners https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/integrations/send-cloud-data-to-partners.md
Before you start, you'll need the **Microsoft Defender for IoT** data connector
Also check any prerequisites for each of the procedures linked in the steps below.
-## Register an application in Azure Active Directory
+<a name='register-an-application-in-azure-active-directory'></a>
-You'll need Azure Active Directory (Azure AD) defined as a service principal for the [Splunk Add-on for Microsoft Cloud Services](https://splunkbase.splunk.com/app/3110/). To do this, you'll need to create an Azure AD application with specific permissions.
+## Register an application in Microsoft Entra ID
-**To register an Azure AD application and define permissions**:
+You'll need Microsoft Entra ID defined as a service principal for the [Splunk Add-on for Microsoft Cloud Services](https://splunkbase.splunk.com/app/3110/). To do this, you'll need to create a Microsoft Entra application with specific permissions.
-1. In [Azure AD](../../../active-directory/index.yml), register a new application. On the **Certificates & secrets** page, add a new client secret for the service principal.
+**To register a Microsoft Entra application and define permissions**:
+
+1. In [Microsoft Entra ID](../../../active-directory/index.yml), register a new application. On the **Certificates & secrets** page, add a new client secret for the service principal.
For more information, see [Register an application with the Microsoft identity platform](../../../active-directory/develop/quickstart-register-app.md)
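Review bot: the added sentence `You'll need Microsoft Entra ID defined as a service principal for the Splunk Add-on for Microsoft Cloud Services` misstates the relationship: Microsoft Entra ID is the directory, and what the add-on needs is an application registered in it, whose service principal is then granted permissions. The original `Azure AD defined as a service principal` had the same problem, so the rename is the moment to fix it; suggest `You'll need an application registered in Microsoft Entra ID (a service principal) for the Splunk Add-on for Microsoft Cloud Services, with specific permissions`, which also matches the next sentence, `create a Microsoft Entra application with specific permissions`.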
Create an Azure event hub to use as a bridge between Microsoft Sentinel and your
1. In your event hub namespace, select the **Access control (IAM)** page and add a new role assignment.
- Select to use the **Azure Event Hubs Data Receiver** role, and add the Azure AD service principle app that you'd created [earlier](#register-an-application-in-azure-active-directory) as a member.
+ Select to use the **Azure Event Hubs Data Receiver** role, and add the Microsoft Entra service principle app that you'd created [earlier](#register-an-application-in-azure-active-directory) as a member.
For more information, see: [Assign Azure roles using the Azure portal](../../../role-based-access-control/role-assignments-portal.md).
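Review bot: "Microsoft Entra service principle app" on the + line should read "service principal app"; the misspelling is carried over from the - line, and this rename pass is the natural place to fix it. The `[earlier](#register-an-application-in-azure-active-directory)` link target still resolves because the preceding hunk keeps an explicit `<a name='register-an-application-in-azure-active-directory'></a>` anchor above the renamed heading, so no change to the link is needed.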
defender-for-iot Manage Subscriptions Enterprise https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/manage-subscriptions-enterprise.md
Before performing the procedures in this article, make sure that you have:
- The following user roles:
- - **In Azure Active Directory**: [Global administrator](../../active-directory/roles/permissions-reference.md#global-administrator) for your Microsoft 365 tenant
+ - **In Microsoft Entra ID**: [Global administrator](../../active-directory/roles/permissions-reference.md#global-administrator) for your Microsoft 365 tenant
- **In Azure RBAC**: [Security admin](../../role-based-access-control/built-in-roles.md#security-admin), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), or [Owner](../../role-based-access-control/built-in-roles.md#owner) for the Azure subscription that you'll be using for the integration
For more information, see:
- [Create an additional Azure subscription](../../cost-management-billing/manage/create-subscription.md) - [Upgrade your Azure subscription](../../cost-management-billing/manage/upgrade-azure-subscription.md)--
+-
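Review bot: the + line is a bare `-` with no item text, so as shown the rendered "For more information" list would end with an empty bullet. If the intent was to put the two links on separate bullets (as the Track User Activity hunk further down does), the `[Upgrade your Azure subscription](../../cost-management-billing/manage/upgrade-azure-subscription.md)` link should appear on the + line rather than only on the - line.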
defender-for-iot Manage Users Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/manage-users-overview.md
Microsoft Defender for IoT provides tools both in the Azure portal and on-premis
## Azure users for Defender for IoT
-In the Azure portal, users are managed at the subscription level with [Azure Active Directory](../../active-directory/index.yml) and [Azure role-based access control (RBAC)](../../role-based-access-control/overview.md). Azure subscription users can have one or more user roles, which determine the data and actions they can access from the Azure portal, including in Defender for IoT.
+In the Azure portal, users are managed at the subscription level with [Microsoft Entra ID](../../active-directory/index.yml) and [Azure role-based access control (RBAC)](../../role-based-access-control/overview.md). Azure subscription users can have one or more user roles, which determine the data and actions they can access from the Azure portal, including in Defender for IoT.
Use the [portal](../../role-based-access-control/quickstart-assign-role-user-portal.md) or [PowerShell](../../role-based-access-control/tutorial-role-assignments-group-powershell.md) to assign your Azure subscription users with the specific roles they'll need to view data and take action, such as whether they'll be viewing alert or device data, or managing pricing plans and sensors.
defender-for-iot Manage Users Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/manage-users-portal.md
Microsoft Defender for IoT provides tools both in the Azure portal and on-premises for managing user access across Defender for IoT resources.
-In the Azure portal, user management is managed at the *subscription* level with [Azure Active Directory](../../active-directory/index.yml) and [Azure role-based access control (RBAC)](../../role-based-access-control/overview.md). Assign Azure Active Directory users with Azure roles at the subscription level so that they can add or update Defender for IoT pricing plans and access device data, manage sensors, and access device data across Defender for IoT.
+In the Azure portal, user management is managed at the *subscription* level with [Microsoft Entra ID](../../active-directory/index.yml) and [Azure role-based access control (RBAC)](../../role-based-access-control/overview.md). Assign Microsoft Entra users with Azure roles at the subscription level so that they can add or update Defender for IoT pricing plans and access device data, manage sensors, and access device data across Defender for IoT.
For OT network monitoring, Defender for IoT has the extra *site* level, which you can use to add granularity to your user management. For example, assign roles at the site level to apply different permissions for the same users across different sites.
defender-for-iot Track User Activity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/defender-for-iot/organizations/track-user-activity.md
After you've set up your user access for the [Azure portal](manage-users-portal.
## Audit Azure user activity
-Use Azure Active Directory user auditing resources to audit Azure user activity across Defender for IoT. For more information, see:
+Use Microsoft Entra user auditing resources to audit Azure user activity across Defender for IoT. For more information, see:
-- [Audit logs in Azure Active directory](../../active-directory/reports-monitoring/concept-audit-logs.md)-- [Azure AD audit activity reference](../../active-directory/reports-monitoring/reference-audit-activities.md)
+- [Audit logs in Microsoft Entra ID](../../active-directory/reports-monitoring/concept-audit-logs.md)
+- [Microsoft Entra audit activity reference](../../active-directory/reports-monitoring/reference-audit-activities.md)
## Audit user activity on an OT network sensor
deployment-environments How To Authenticate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/how-to-authenticate.md
Last updated 09/07/2023
> Before authenticating, ensure that the user or identity has the appropriate permissions to perform the desired action. For more information, see [configuring project admins](./how-to-configure-project-admin.md) and [configuring environment users](./how-to-configure-deployment-environments-user.md).
-## Using Azure AD authentication for REST APIs
+<a name='using-azure-ad-authentication-for-rest-apis'></a>
-Use the following procedures to authenticate with Azure AD. You can follow along in [Azure Cloud Shell](../../articles/cloud-shell/quickstart.md), on an Azure virtual machine, or on your local machine.
+## Using Microsoft Entra authentication for REST APIs
+
+Use the following procedures to authenticate with Microsoft Entra ID. You can follow along in [Azure Cloud Shell](../../articles/cloud-shell/quickstart.md), on an Azure virtual machine, or on your local machine.
### Sign in to the user's Azure subscription
-Start by authenticating with Azure AD by using the Azure CLI. This step isn't required in Azure Cloud Shell.
+Start by authenticating with Microsoft Entra ID by using the Azure CLI. This step isn't required in Azure Cloud Shell.
```azurecli az login ```
-The command opens a browser window to the Azure AD authentication page. It requires you to give your Azure AD user ID and password.
+The command opens a browser window to the Microsoft Entra authentication page. It requires you to give your Microsoft Entra user ID and password.
Next, set the correct subscription context. If you authenticate from an incorrect subscription or tenant you may receive unexpected 403 Forbidden errors.
az account set --subscription <subscription_id>
```
-### Retrieve the Azure AD access token
+<a name='retrieve-the-azure-ad-access-token'></a>
+
+### Retrieve the Microsoft Entra access token
-Use the Azure CLI to acquire an access token for the Azure AD authenticated user.
+Use the Azure CLI to acquire an access token for the Microsoft Entra authenticated user.
Note that the resource ID is different depending on if you are accessing administrator (control plane) APIs or developer (data plane) APIs. For administrator APIs, use the following command:
For developer APIs, use the following command:
az account get-access-token --resource https://devcenter.azure.com ```
-After authentication is successful, Azure AD returns an access token for current Azure subscription:
+After authentication is successful, Microsoft Entra ID returns an access token for current Azure subscription:
```json {
The token is a Base64 string. The token is valid for at least 5 minutes with the
To access REST APIs, you must set the Authorization header on your request. The header value should be the string `Bearer` followed by a space and the token you received in the previous step. ## Next steps-- Review [Azure Active Directory fundamentals](../../articles/active-directory/fundamentals/whatis.md).
+- Review [Microsoft Entra fundamentals](../../articles/active-directory/fundamentals/whatis.md).
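Review bot: the + line "Microsoft Entra ID returns an access token for current Azure subscription" is missing an article and should read "for the current Azure subscription"; the - line had the same omission. Since the surrounding text says the token is printed to the terminal and then reused verbatim as the `Bearer` value of the Authorization header, this section would also benefit from a sentence reminding readers to treat the token output as a credential (not pasted into tickets, scripts or logs) for at least the 5-minute validity window stated here.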
deployment-environments How To Configure Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/how-to-configure-managed-identity.md
# Configure a managed identity for a dev center
-A [managed identity](../active-directory/managed-identities-azure-resources/overview.md) adds elevated-privileges capabilities and secure authentication to any service that supports Azure Active Directory (Azure AD) authentication. Azure Deployment Environments uses identities to give development teams self-serve deployment capabilities without giving them access to the subscriptions in which Azure resources are created.
+A [managed identity](../active-directory/managed-identities-azure-resources/overview.md) adds elevated-privileges capabilities and secure authentication to any service that supports Microsoft Entra authentication. Azure Deployment Environments uses identities to give development teams self-serve deployment capabilities without giving them access to the subscriptions in which Azure resources are created.
The managed identity that's attached to a dev center should be [assigned the Owner role in the deployment subscriptions](how-to-configure-managed-identity.md#assign-a-subscription-role-assignment-to-the-managed-identity) for each environment type. When an environment deployment is requested, the service grants appropriate permissions to the deployment identities that are set up for the environment type to deploy on behalf of the user. The managed identity that's attached to a dev center also is used to add to a [catalog](how-to-configure-catalog.md) and access [environment definitions](configure-environment-definition.md) in the catalog.
deployment-environments How To Configure Project Environment Types https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/how-to-configure-project-environment-types.md
Add a new project environment type as follows:
|**Deployment subscription**| Select the target subscription in which the environment will be created.| |**Deployment identity** | Select either a system-assigned identity or a user-assigned managed identity that will be used to perform deployments on behalf of the user.| |**Permissions on environment resources** > **Environment Creator Role(s)**| Select the roles that will get access to the environment resources.|
- |**Permissions on environment resources** > **Additional access** | Select the users or Azure Active Directory groups that will be granted specific roles on the environment resources.|
+ |**Permissions on environment resources** > **Additional access** | Select the users or Microsoft Entra groups that will be granted specific roles on the environment resources.|
|**Tags** (optional) | Provide a name and value for tags that will be applied on all resources created as part of the environments.| :::image type="content" source="./media/configure-project-environment-types/add-project-environment-type-page.png" alt-text="Screenshot that shows adding details on the page for adding a project environment type.":::
deployment-environments Quickstart Create And Configure Projects https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/quickstart-create-and-configure-projects.md
To configure a project, add a [project environment type](how-to-configure-projec
|**Deployment subscription**| Select the subscription in which the environment will be created.| |**Deployment identity** | Select either a system-assigned identity or a user-assigned managed identity that's used to perform deployments on behalf of the user.| |**Permissions on environment resources** > **Environment creator role(s)**| Select the roles to give access to the environment resources.|
- |**Permissions on environment resources** > **Additional access** | Select the users or Azure Active Directory groups to assign to specific roles on the environment resources.|
+ |**Permissions on environment resources** > **Additional access** | Select the users or Microsoft Entra groups to assign to specific roles on the environment resources.|
|**Tags** | Enter a tag name and a tag value. These tags are applied on all resources that are created as part of the environment.| :::image type="content" source="./media/quickstart-create-configure-projects/add-project-environment-type-page.png" alt-text="Screenshot that shows adding details in the Add project environment type pane.":::
deployment-environments Tutorial Deploy Environments In Cicd Github https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/deployment-environments/tutorial-deploy-environments-in-cicd-github.md
Create three environments: Dev, Test, and Prod to map to the project's environme
:::image type="content" source="media/tutorial-deploy-environments-in-cicd-github/github-secret.png" alt-text="Screenshot showing the Environment Configure Dev pane, with Add secret highlighted.":::
-1. For **Value**, enter the client ID (`appId`) for the **Dev** Azure AD app you created earlier (saved as the `$DEV_AZURE_CLIENT_ID` environment variable).
+1. For **Value**, enter the client ID (`appId`) for the **Dev** Microsoft Entra app you created earlier (saved as the `$DEV_AZURE_CLIENT_ID` environment variable).
:::image type="content" source="media/tutorial-deploy-environments-in-cicd-github/github-add-secret.png" alt-text="Screenshot of the Add secret box with the name AZURE CLIENT ID, the value set to an ID number, and add secret highlighted.":::
Return to the main environments page by selecting **Environments** in the left s
2. Under **Environment secrets**, select **Add Secret** and enter _AZURE_CLIENT_ID_ for **Name**.
-3. For **Value**, enter the client ID (`appId`) for the **Test** Azure AD app you created earlier (saved as the `$TEST_AZURE_CLIENT_ID` environment variable).
+3. For **Value**, enter the client ID (`appId`) for the **Test** Microsoft Entra app you created earlier (saved as the `$TEST_AZURE_CLIENT_ID` environment variable).
4. Select **Add secret**.
Once more, return to the main environments page by selecting **Environments** in
2. Under **Environment secrets**, select **Add Secret** and enter _AZURE_CLIENT_ID_ for **Name**.
-3. For **Value**, enter the client ID (`appId`) for the **Prod** Azure AD app you created earlier (saved as the `$PROD_AZURE_CLIENT_ID` environment variable).
+3. For **Value**, enter the client ID (`appId`) for the **Prod** Microsoft Entra app you created earlier (saved as the `$PROD_AZURE_CLIENT_ID` environment variable).
4. Select **Add secret**.
devtest-labs Configure Lab Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/configure-lab-identity.md
A common challenge when building cloud applications is how to manage the credentials in your code for authenticating to cloud services. Keeping the credentials secure is an important task. Ideally, the credentials never appear on developer workstations and aren't checked into source control. Azure Key Vault provides a way to securely store credentials, secrets, and other keys, but your code must authenticate to Key Vault to retrieve them.
-The managed identities for Azure resources feature in Azure Active Directory (Azure AD) solve this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code. Learn more about [managed identities on Azure](../active-directory/managed-identities-azure-resources/overview.md).
+The managed identities for Azure resources feature in Microsoft Entra solve this problem. The feature provides Azure services with an automatically managed identity in Microsoft Entra ID. You can use the identity to authenticate to any service that supports Microsoft Entra authentication, including Key Vault, without any credentials in your code. Learn more about [managed identities on Azure](../active-directory/managed-identities-azure-resources/overview.md).
There are two types of managed identities: ## System-assigned managed identity
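Review bot: subject-verb disagreement on the + line: "The managed identities for Azure resources feature in Microsoft Entra solve this problem" should read "solves this problem" (the subject is "feature"). In the same sentence "in Microsoft Entra" should be "in Microsoft Entra ID", matching the product name used in the following sentence and in the rest of this change set.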
-A **system-assigned managed identity** is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that's trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The life cycle of a system-assigned identity is directly tied to the Azure service instance that it's enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.
+A **system-assigned managed identity** is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Microsoft Entra tenant that's trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The life cycle of a system-assigned identity is directly tied to the Azure service instance that it's enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Microsoft Entra ID.
### Scenarios for using labΓÇÖs system assigned identity
This section demonstrates how to configure lab's identity policy.
## User-assigned managed identity
-A user-assigned managed identity is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Azure AD tenant that's trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances. The life cycle of a user-assigned identity is managed separately from the life cycle of the Azure service instances to which it's assigned.
+A user-assigned managed identity is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Microsoft Entra tenant that's trusted by the subscription in use. After the identity is created, the identity can be assigned to one or more Azure service instances. The life cycle of a user-assigned identity is managed separately from the life cycle of the Azure service instances to which it's assigned.
DevTest Labs supports user assigned identities for both virtual machines and Azure Resource Manager based environments. For more information, see the following topics:
DevTest Labs supports user assigned identities for both virtual machines and Azu
## Next steps
-Review [Configure cost management](devtest-lab-configure-cost-management.md)
+Review [Configure cost management](devtest-lab-configure-cost-management.md)
devtest-labs Deliver Proof Concept https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/deliver-proof-concept.md
Common concerns for enterprises that migrate workloads to the cloud include:
For more information about the Azure credits for each MSDN offering, see [Monthly Azure credit for Visual Studio subscribers](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details/).
-### Enroll all users in Azure AD
+<a name='enroll-all-users-in-azure-ad'></a>
-For management, such as adding users or adding lab owners, all lab users must belong to the [Azure Active Directory (Azure AD)](https://azure.microsoft.com/services/active-directory) tenant for the Azure subscription the pilot uses. Many enterprises set up [hybrid identity](../active-directory/hybrid/whatis-hybrid-identity.md) to enable users to use their on-premises identities in the cloud. You don't need a hybrid identity for a DevTest Labs proof of concept.
+### Enroll all users in Microsoft Entra ID
+
+For management, such as adding users or adding lab owners, all lab users must belong to the [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory) tenant for the Azure subscription the pilot uses. Many enterprises set up [hybrid identity](../active-directory/hybrid/whatis-hybrid-identity.md) to enable users to use their on-premises identities in the cloud. You don't need a hybrid identity for a DevTest Labs proof of concept.
## Scope the proof of concept
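Review bot: on the + line, "the [Microsoft Entra ID](...) tenant" is inconsistent with "A Microsoft Entra tenant" used in the Prerequisites bullet of this same file; suggest "the [Microsoft Entra](https://azure.microsoft.com/services/active-directory) tenant" so the term is the same throughout the article.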
An enterprise plans to develop a new Azure DevTest Labs environment for vendors
The proof of concept has the following goals: -- A working end-to-end solution for vendors using Azure AD guest accounts to access an isolated Azure environment.
+- A working end-to-end solution for vendors using Microsoft Entra guest accounts to access an isolated Azure environment.
- A DevTest Labs environment with all the necessary resources for vendors to be productive. - Identification and understanding of any potential blocking issues that affect broader use and adoption. - Good understanding of all code and collateral by the individuals developing the solution.
The proof of concept has the following goals:
The solution has the following requirements: - Vendor teams can use a set of labs in Azure DevTest Labs.-- The vendors have access to the labs via Azure AD and role assignments.
+- The vendors have access to the labs via Microsoft Entra ID and role assignments.
- Vendors have a way to successfully connect to their resources, such as a site-to-site VPN that enables accessing VMs without using public IP addresses. - The labs connect to a network infrastructure that supports the requirements. - DevTest Labs installs the set of software artifacts that vendors need on the VMs.
The solution has the following requirements:
### Prerequisites - A subscription to use for the project-- An Azure AD tenant, and an Azure AD global administrator who can provide Azure AD help and guidance
+- A Microsoft Entra tenant, and a Microsoft Entra Global Administrator who can provide Microsoft Entra ID help and guidance
- Ways for project members to collaborate, such as: - Azure Repos for source code and scripts - Microsoft Teams or SharePoint for documents
The solution has the following requirements:
### Setup tasks - Decide what Azure region to use for the proof of concept.-- Decide whether to join lab VMs to the Azure AD domain, and whether to use Azure Active Directory Domain Services (Azure AD DS) or another method.
+- Decide whether to join lab VMs to the Microsoft Entra domain, and whether to use Microsoft Entra Domain Services or another method.
- Identify the vendors who will use the proof of concept environment. - Determine the required resources for the vendors, such as software available on the VMs. - Decide on the Azure services, other than VMs, that the vendors can use in DevTest Labs.
The solution has the following requirements:
## Next steps - [Scale up a DevTest Labs deployment](devtest-lab-guidance-orchestrate-implementation.md)-- [Orchestrate DevTest Labs implementation](devtest-lab-guidance-orchestrate-implementation.md)
+- [Orchestrate DevTest Labs implementation](devtest-lab-guidance-orchestrate-implementation.md)
devtest-labs Devtest Lab Add Devtest User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/devtest-lab-add-devtest-user.md
To add a member:
[!INCLUDE [updated-for-az](../../includes/updated-for-az.md)]
-You can add a DevTest Labs User to a lab by using the following Azure PowerShell script. The script requires the user to be in the Azure Active Directory (Azure AD). For information about adding an external user to Azure AD as a guest, see [Add a new guest user](../active-directory/fundamentals/add-users-azure-active-directory.md#add-a-new-guest-user). If the user isn't in Azure AD, use the portal procedure instead.
+You can add a DevTest Labs User to a lab by using the following Azure PowerShell script. The script requires the user to be in the Microsoft Entra ID. For information about adding an external user to Microsoft Entra ID as a guest, see [Add a new guest user](../active-directory/fundamentals/add-users-azure-active-directory.md#add-a-new-guest-user). If the user isn't in Microsoft Entra ID, use the portal procedure instead.
In the following script, update the parameter values under the `# Values to change` comment. You can get the `subscriptionId`, `labResourceGroup`, and `labName` values from the lab's main page in the Azure portal.
New-AzRoleAssignment -ObjectId $adObject.Id -RoleDefinitionName 'DevTest Labs Us
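Review bot: "The script requires the user to be in the Microsoft Entra ID." on the + line should drop the article: "to be in Microsoft Entra ID." The - line's "in the Azure Active Directory" carried a definite article that does not transfer to the new product name, and the two later mentions in the same paragraph already use "in Microsoft Entra ID" without it.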
## Next steps - [Customize permissions with custom roles](devtest-lab-grant-user-permissions-to-specific-lab-policies.md)-- [Automate adding lab users](automate-add-lab-user.md)
+- [Automate adding lab users](automate-add-lab-user.md)
devtest-labs Devtest Lab Guidance Governance Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/devtest-lab-guidance-governance-resources.md
Business units and development groups that are associated with the same developm
You may also need to consider geographic boundaries. For example, developers in the north east United States (US) may use a lab provisioned in East US2. And, developers in Dallas, Texas, and Denver, Colorado may be directed to use a resource in US South Central. If there's a collaborative effort with an external third party, they could be assigned to a lab that isn't used by internal developers.
-You may also use a lab for a specific project within Azure DevOps Projects. Then, you apply security through a specified Azure Active Directory group, which allows access to both set of resources. The virtual network assigned to the lab can be another boundary to consolidate users.
+You may also use a lab for a specific project within Azure DevOps Projects. Then, you apply security through a specified Microsoft Entra group, which allows access to both set of resources. The virtual network assigned to the lab can be another boundary to consolidate users.
### Preventing the deletion of resources
The [public artifact repository](https://github.com/Azure/azure-devtestlab/tree/
As part of your organization's overall governance and configuration management strategy, we recommend that you use a centralized repository. When you use multiple repositories, they may become silos of unmanaged software over the time. With a central repository, multiple teams can consume artifacts from this repository for their projects. It enforces standardization, security, ease of management, and eliminates the duplication of efforts. As part of the centralization, the following actions are recommended practices for long-term management and sustainability: -- Associate the Azure Repos with the same Azure Active Directory tenant that the Azure subscription is using for authentication and authorization.-- Create a group named **All DevTest Labs Developers** in Azure Active Directory that is centrally managed. Any developer who contributes to artifact development should be placed in this group.-- The same Azure Active Directory group can be used to provide access to the Azure Repos repository and to the lab.
+- Associate the Azure Repos with the same Microsoft Entra tenant that the Azure subscription is using for authentication and authorization.
+- Create a group named **All DevTest Labs Developers** in Microsoft Entra ID that is centrally managed. Any developer who contributes to artifact development should be placed in this group.
+- The same Microsoft Entra group can be used to provide access to the Azure Repos repository and to the lab.
- In Azure Repos, branching or forking should be used to a separate an in-development repository from the primary production repository. Content is only added to the main branch with a pull request after a proper code review. Once the code reviewer approves the change, a lead developer, who is responsible for maintenance of the main branch, merges the updated code. ### Corporate security policies
Deploy your Resource Manager templates by using the steps in [Use Azure DevTest
This scenario may not be useful if you're using DevTest Labs to host development machines. Use this scenario to build a staging environment that's representative of production.
-The number of virtual machines per lab or per user option only limits the number of machines natively created in the lab itself. This option doesn't limit creation by any environments with Resource Manager templates.
+The number of virtual machines per lab or per user option only limits the number of machines natively created in the lab itself. This option doesn't limit creation by any environments with Resource Manager templates.
devtest-labs Devtest Lab Guidance Scale https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/devtest-lab-guidance-scale.md
The first area of focus when deploying an Azure DevTest Labs solution is to esta
1. Define **initial IP address ranges** that are assigned to the DevTest Labs subscription in Azure. This step requires forecasting the expected usage in number of VMs so that you can provide a large enough block for future expansion. 2. Identify **methods of desired access** into the DevTest Labs (for example, external / internal access). A key point in this step is to determine whether virtual machines have public IP addresses (that is, accessible from the internet directly). 3. Identify and establish **methods of connectivity** with the rest of the Azure cloud environment and on-premises. If the forced routing with Express Route is enabled, itΓÇÖs likely that the virtual machines need appropriate proxy configurations to traverse the corporate firewall.
-4. If VMs are to be **domain joined**, determine whether they join a cloud-based domain (Entra Directory Services for example) or an on-premises domain. For on-premises, determine which organizational unit (OU) within active directory that the virtual machines join. In addition, confirm that users have access to join (or establish a service account that has the ability to create machine records in the domain)
+4. If VMs are to be **domain joined**, determine whether they join a cloud-based domain (Microsoft Entra Directory Services for example) or an on-premises domain. For on-premises, determine which organizational unit (OU) within active directory that the virtual machines join. In addition, confirm that users have access to join (or establish a service account that has the ability to create machine records in the domain)
### Milestone 2: Deploy the pilot lab Once the network topology is in place, the first/pilot lab can be created by taking the following the steps: 1. Create an initial DevTest Labs environment. 2. Determine allowable VM images and sizes for use with lab. Decide whether custom images can be uploaded into Azure for use with DevTest Labs.
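Review bot: "Microsoft Entra Directory Services" on the + line is not the product name; the cloud-based domain service is "Microsoft Entra Domain Services", which is the form used in the deliver-proof-concept and devtest-lab-reference-architecture hunks of this same change set. The sentence also lacks a terminal period after "(... create machine records in the domain)", on both the - and + lines.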
-3. Secure access to the lab by creating initial Azure role-based access control (Azure RBAC) for the lab (lab owners and lab users). We recommend that you use synchronized active directory accounts with Azure Active Directory for identity with DevTest Labs.
+3. Secure access to the lab by creating initial Azure role-based access control (Azure RBAC) for the lab (lab owners and lab users). We recommend that you use synchronized active directory accounts with Microsoft Entra ID for identity with DevTest Labs.
4. Configure DevTest Labs to use policies such as schedules, cost management, claimable VMs, custom images, or formulas. 5. Establish an online repository such as Azure Repos/Git. 6. Decide on the use of public or private repositories or combination of both. Organize JSON Templates for deployments and long-term sustainment.
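Review bot: "synchronized active directory accounts" on the + line should capitalize the proper noun: "synchronized Active Directory accounts with Microsoft Entra ID".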
devtest-labs Devtest Lab Reference Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/devtest-lab-reference-architecture.md
On-premises, a [remote desktop gateway](/windows-server/remote/remote-desktop-se
### Networking components
-In this architecture, [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md) provides identity and access management across all networks. Lab VMs usually have a local administrative account for access. If there's an Azure AD, on-premises, or [Azure AD Domain Services](../active-directory-domain-services/overview.md) domain available, you can join lab VMs to the domain. Users can then use their domain-based identities to connect to the VMs.
+In this architecture, [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) provides identity and access management across all networks. Lab VMs usually have a local administrative account for access. If there's a Microsoft Entra ID, on-premises, or [Microsoft Entra Domain Services](../active-directory-domain-services/overview.md) domain available, you can join lab VMs to the domain. Users can then use their domain-based identities to connect to the VMs.
[Azure networking topology](../networking/fundamentals/networking-overview.md) controls how lab resources access and communicate with on-premises networks and the internet. This architecture shows a common way that enterprises network DevTest Labs. The labs connect with [peered virtual networks](../virtual-network/virtual-network-peering-overview.md) in a [hub-spoke configuration](/azure/architecture/reference-architectures/hybrid-networking/hub-spoke), through the ExpressRoute or site-to-site VPN connection, to the on-premises network.
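Review bot: the rename leaves an ungrammatical list in the changed paragraph; "If there's a Microsoft Entra ID, on-premises, or Microsoft Entra Domain Services domain available" treats Microsoft Entra ID as a kind of domain. Suggest "If an on-premises Active Directory domain or a Microsoft Entra Domain Services domain is available, you can join lab VMs to it", and mention Microsoft Entra ID only in the first sentence, where it correctly describes identity and access management. The unchanged sentence before it ("Lab VMs usually have a local administrative account for access") is the security-relevant one; consider adding that domain join is what allows that shared local administrator account to be disabled.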
devtest-labs Enable Managed Identities Lab Vms https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/enable-managed-identities-lab-vms.md
# Enable user-assigned managed identities on lab virtual machines in Azure DevTest Labs As a lab owner, you can enable user-assigned managed identities on your lab virtual machines (VMs) in Azure DevTest Labs.
-A managed identity can be used to authenticate to any service that supports Azure Active Directory (AD) authentication, including Key Vault, without passing any credentials in the code. For more information on managed identities, see [What is managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md).
+A managed identity can be used to authenticate to any service that supports Microsoft Entra authentication, including Key Vault, without passing any credentials in the code. For more information on managed identities, see [What is managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md).
With this feature, lab users can share Azure resources such as Azure SQL Database in the context of the lab. The authentication to the resource is taken care by the identity itself. Once configured, every existing/newly created lab VM will be enabled with this identity. Lab users can access resources once logged in to their machines.
devtest-labs Image Factory Set Up Devops Lab https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/image-factory-set-up-devops-lab.md
To simplify the command-line parameters, encapsulate the key values that drive t
![Screenshot that shows Build variables.](./media/set-up-devops-lab/configure-build-variables.png) ## Connect to Azure
-The next step is to set up a service principal. A service principal is an identity in Azure Active Directory that enables the DevOps build agent to operate in Azure on the userΓÇÖs behalf. To set it up, start with adding you first Azure PowerShell Build Step.
+The next step is to set up a service principal. A service principal is an identity in Microsoft Entra ID that enables the DevOps build agent to operate in Azure on the userΓÇÖs behalf. To set it up, start with adding you first Azure PowerShell Build Step.
1. Select **Add Task**. 2. Search for **Azure PowerShell**.
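Review bot: the changed sentence keeps two pre-existing defects that should be fixed while the line is touched: "userΓÇÖs" is a mis-encoded apostrophe (should be "user's"), and "start with adding you first Azure PowerShell Build Step" should read "start by adding your first Azure PowerShell build step". Since the paragraph explains that the service principal acts on the user's behalf in Azure, one sentence on scoping it (assign its role on the image factory's resource group rather than at subscription scope) would be useful here.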
devtest-labs Import Virtual Machines From Another Lab https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/import-virtual-machines-from-another-lab.md
When the import finishes, the process shuts down the source VM and starts the ne
There are several requirements and constraints for importing VMs from one lab to another: -- You can import VMs across subscriptions and across regions, but both subscriptions must be associated with the same Azure Active Directory tenant.
+- You can import VMs across subscriptions and across regions, but both subscriptions must be associated with the same Microsoft Entra tenant.
- VMs can't be in a claimable state in the source lab. - You must be the owner of the VM in the source lab, and the owner of the destination lab. - Currently, this feature is supported only through PowerShell and REST API.
devtest-labs Samples Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest-labs/samples-powershell.md
This script uses the following commands:
| Command | Notes | |||
-| [Get-AzADUser](/powershell/module/az.resources/get-azaduser) | Retries the user object from Azure active directory. |
+| [Get-AzADUser](/powershell/module/az.resources/get-azaduser) | Retries the user object from Microsoft Entra ID. |
| [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment) | Assigns the specified role to the specified principal, at the specified scope. | ## Add a marketplace image to a lab
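Review bot: "Retries the user object" in the changed table row is a typo for "Retrieves the user object from Microsoft Entra ID". The table's header separator ("|||") is also malformed and will not render as a table; it needs a "| --- | --- |" row.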
devtest Concepts Security Governance Devtest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest/offer/concepts-security-governance-devtest.md
Important tools within Azure Dev/Test Subscriptions help you create secure acces
- Azure Management Groups - Azure Lighthouse - Credits Monitoring -- Azure Active Directory
+- Microsoft Entra ID
## Azure Management Groups
-When enabling and setting up your Azure Dev/Test Subscriptions, Azure deploys a default resource hierarchy to manage identities and access to resources in a single Azure Active Directory domain. The resource hierarchy allows your organization to set up strong security perimeters for your resources and users.
+When enabling and setting up your Azure Dev/Test Subscriptions, Azure deploys a default resource hierarchy to manage identities and access to resources in a single Microsoft Entra domain. The resource hierarchy allows your organization to set up strong security perimeters for your resources and users.
![A screenshot of the Azure Management Groups](media/concepts-security-governance-devtest/access-management-groups.png "Azure default resource hierarchy.")
This security barrier has two components:
- Identity and access: You may need to segment access to specific resources - Data: Different subscriptions for resources that access personal information
-## Using Azure Active Directory Tenants
+<a name='using-azure-active-directory-tenants'></a>
-[A tenant](../../active-directory/develop/quickstart-create-new-tenant.md) is a dedicated instance of Azure AD that an organization or app developer receives when the organization or app developer creates a relationship with Microsoft like signing up for Azure, Microsoft Intune, or Microsoft 365.
+## Using Microsoft Entra tenants
-Each Azure AD tenant is separate from other Azure AD tenants. Each Azure AD tenant has its own representation of work and school identities, consumer identities (if it's an Azure AD B2C tenant), and app registrations. An app registration inside your tenant can allow authentications from accounts only within your tenant or all tenants.
+[A tenant](../../active-directory/develop/quickstart-create-new-tenant.md) is a dedicated instance of Microsoft Entra ID that an organization or app developer receives when the organization or app developer creates a relationship with Microsoft like signing up for Azure, Microsoft Intune, or Microsoft 365.
+
+Each Microsoft Entra tenant is separate from other Microsoft Entra tenants. Each Microsoft Entra tenant has its own representation of work and school identities, consumer identities (if it's an Azure AD B2C tenant), and app registrations. An app registration inside your tenant can allow authentications from accounts only within your tenant or all tenants.
If you need to further separate your organizationΓÇÖs identity infrastructure beyond management groups within a single tenant, you can also create another tenants with its own resource hierarchy.
-An easy way to do separate resources and users is creating a new Azure AD tenant.
+An easy way to do separate resources and users is creating a new Microsoft Entra tenant.
+
+<a name='create-a-new-azure-ad-tenant'></a>
-### Create a new Azure AD tenant
+### Create a new Microsoft Entra tenant
-If you don't have an Azure AD tenant, or want to create a new one for development, see the [quick start guide](../../active-directory/fundamentals/active-directory-access-create-new-tenant.md) or follow the [directory creation experience](https://portal.azure.com/#create/Microsoft.AzureActiveDirectory). You will have to provide the following info to create your new tenant:
+If you don't have a Microsoft Entra tenant, or want to create a new one for development, see the [quick start guide](../../active-directory/fundamentals/active-directory-access-create-new-tenant.md) or follow the [directory creation experience](https://portal.azure.com/#create/Microsoft.AzureActiveDirectory). You will have to provide the following info to create your new tenant:
- **Organization name** - **Initial domain**ΓÇ»- will be part of /*.onmicrosoft.com. You can customize the domain later. - **Country or region**
- [Learn more about creating and setting up Azure AD tenants](../../active-directory/develop/quickstart-create-new-tenant.md)
+ [Learn more about creating and setting up Microsoft Entra tenants](../../active-directory/develop/quickstart-create-new-tenant.md)
### Using Azure Lighthouse to manage multiple tenants Azure Lighthouse enables cross- and multi-tenant management, allowing for higher automation, scalability, and enhanced governance across resources and tenants. Service providers can deliver managed services using comprehensive and robust management tooling built into the Azure platform. Customers maintain control over who accesses their tenant, which resources they access, and what actions can be taken.
-A common scenario for Azure Lighthouse is managing resources in its customersΓÇÖ Azure Active Directory tenants. However, the capabilities of Azure Lighthouse can also be used to simplify cross-tenant management within an enterprise that uses multiple Azure AD tenants.
+A common scenario for Azure Lighthouse is managing resources in its customersΓÇÖ Microsoft Entra tenants. However, the capabilities of Azure Lighthouse can also be used to simplify cross-tenant management within an enterprise that uses multiple Microsoft Entra tenants.
-For most organizations, management is easier with a single Azure AD tenant. Having all resources within one tenant allows centralization of management tasks by designated users, user groups, or service principals within that tenant.
+For most organizations, management is easier with a single Microsoft Entra tenant. Having all resources within one tenant allows centralization of management tasks by designated users, user groups, or service principals within that tenant.
Where a multi-tenant architecture is required, Azure Lighthouse helps centralize and streamline management operations. By using Azure delegated resource management, users in one managing tenant can perform cross-tenant management functions in a centralized, scalable manner.
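Review bot: the changed sentence "An easy way to do separate resources and users is creating a new Microsoft Entra tenant" should read "An easy way to separate resources and users is to create a new Microsoft Entra tenant"; the unchanged line just above has the same kind of error ("create another tenants with its own resource hierarchy" should be "create another tenant with its own resource hierarchy"). In the management-groups paragraph, "a single Microsoft Entra domain" is better as "a single Microsoft Entra tenant", since the rest of the section and the new anchors talk about tenants and "domain" now reads as a DNS domain. Leaving "Azure AD B2C tenant" unchanged is correct, since that product was not renamed.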
devtest How To Add Users Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest/offer/how-to-add-users-directory.md
# Add users to your Azure credit subscription
-To manage and access subscription resources, you must be a user within the directory. In the subscriptions themselves, the hierarchy is controlled by the Azure Active Directory (Azure AD) tenancies. Azure AD is a lightweight directory protocol (LDAP) that stores account names and passwords.
+To manage and access subscription resources, you must be a user within the directory. In the subscriptions themselves, the hierarchy is controlled by the Microsoft Entra tenancies. Microsoft Entra ID is a lightweight directory protocol (LDAP) that stores account names and passwords.
Before adding users, you need to determine your business hierarchy and what level of access they need within your subscription.
Step 1 is determining whether you need to add a new user to your subscription. H
## Where do I add users and their roles within my subscription?
-Within Azure AD access management is a critical function. [Azure role-based access control](../../role-based-access-control/overview.md) \(Azure RBAC\) is the authorization system that provides fine-grained access management of Azure resources.
+Within Microsoft Entra ID access management is a critical function. [Azure role-based access control](../../role-based-access-control/overview.md) \(Azure RBAC\) is the authorization system that provides fine-grained access management of Azure resources.
Once youΓÇÖve determined you need to add a user, you must understand where you're adding them and what resources they need access to. The set of resources that a user can access is referred to as scope.
However, if you're collaborating with another developer or a colleague, they may
Read through the [Azure RBAC overview](../../role-based-access-control/overview.md) to better understand how Azure RBAC works and the purpose it serves within your subscription.
-How to Add Users or delete users using Azure Active Directory
+How to Add Users or delete users using Microsoft Entra ID
-- [Add or delete users - Azure Active Directory | Microsoft Docs](../../active-directory/fundamentals/add-users-azure-active-directory.md)
+- [Add or delete users - Microsoft Entra ID | Microsoft Docs](../../active-directory/fundamentals/add-users-azure-active-directory.md)
- [Steps to assign an Azure role - Azure RBAC | Microsoft Docs](../../role-based-access-control/role-assignments-steps.md)
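Review bot: the definition in the changed intro paragraph is wrong and the rename carried it over: "Microsoft Entra ID is a lightweight directory protocol (LDAP) that stores account names and passwords" describes neither the service nor LDAP. Microsoft Entra ID is a cloud identity and access management service; it does not expose LDAP (Microsoft Entra Domain Services is the component that provides LDAP to domain-joined workloads), and it does not store cleartext passwords. Suggest reusing the wording already used by the change-directory-tenants article in this set: "Microsoft Entra ID is Microsoft's cloud-based identity and access management service". Minor: "How to Add Users or delete users using Microsoft Entra ID" should be "How to add or delete users using Microsoft Entra ID".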
devtest How To Change Directory Tenants Visual Studio Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest/offer/how-to-change-directory-tenants-visual-studio-azure.md
# Change Directory Tenants with your Azure Subscriptions
-Organizations may have several Azure credit subscriptions. Each subscription an organization sets up is associated with an [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md). (Azure AD)
+Organizations may have several Azure credit subscriptions. Each subscription an organization sets up is associated with an [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md).
-Azure AD is MicrosoftΓÇÖs cloud-based identity and access management service that helps your employees sign in and access internal and external resources.
+Microsoft Entra ID is MicrosoftΓÇÖs cloud-based identity and access management service that helps your employees sign in and access internal and external resources.
You may need to change the Active Directory youΓÇÖre working in or [transfer your subscription to another Active Directory](../../role-based-access-control/transfer-subscription.md).
If the identity youΓÇÖre logged in as is associated with multiple directories, s
Your experience within the portal is highly dependent on the directory associated with the identity you used. To change directory tenants, an Admin will have to add your identity as a user within the target directory.
-## Importance of Changing Your Azure Active Directory Tenant
+<a name='importance-of-changing-your-azure-active-directory-tenant'></a>
+
+## Importance of Changing Your Microsoft Entra tenant
When you set up your Azure Credit Subscription through a Visual Studio license, you can use a work email or a personal email to create your identity.
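Review bot: the changed first paragraph has a wrong article and a dangling object now that the "(Azure AD)" parenthetical is gone: "associated with an [Microsoft Entra ID]" should be "associated with a [Microsoft Entra tenant]". The unchanged sentence two lines down still says "change the Active Directory you're working in or transfer your subscription to another Active Directory"; to match the new heading "Importance of Changing Your Microsoft Entra tenant", it should say "directory" or "Microsoft Entra tenant". "youΓÇÖre" in those unchanged lines is a mis-encoded apostrophe.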
devtest Quickstart Individual Credit https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/devtest/offer/quickstart-individual-credit.md
When accessing your Azure Credit Subscription, you have two ways to sign in and
You have the opportunity to use a personal or corporate email address when signing in. > [!NOTE]
-> The email address you use for sign in dictates what Azure Active Directory (Azure AD) Tenant your subscription is associated with.
+> The email address you use for sign in dictates what Microsoft Entra tenant your subscription is associated with.
## Choose the email address
dms Howto Sql Server To Azure Sql Managed Instance Powershell Online https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dms/howto-sql-server-to-azure-sql-managed-instance-powershell-online.md
To complete these steps, you need:
* To ensure that the credentials used to connect to target SQL Managed Instance has the CONTROL DATABASE permission on the target SQL Managed Instance databases. > [!IMPORTANT]
- > For online migrations, you must already have set up your Azure Active Directory credentials. For more information, see the article [Use the portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md).
+ > For online migrations, you must already have set up your Microsoft Entra credentials. For more information, see the article [Use the portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md).
## Create a resource group
$storageAccountResourceId = "/subscriptions/<subscriptionname>/resourceGroups/<r
```
-### Configure Azure Active Directory App
+<a name='configure-azure-active-directory-app'></a>
-Provide the required details for Azure Active Directory for an online SQL Managed Instance migration:
+### Configure Microsoft Entra App
+
+Provide the required details for Microsoft Entra ID for an online SQL Managed Instance migration:
```powershell # AAD properties
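Review bot: the code comment under the renamed heading still says "# AAD properties"; since the heading and the intro sentence were renamed, the comment should become "# Microsoft Entra ID properties" so the rename is not half done inside the snippet. "Configure Microsoft Entra App" should also be "Configure Microsoft Entra application", matching the link text used in the IMPORTANT note above ("create a Microsoft Entra application and service principal").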
dms Migration Using Azure Data Studio https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dms/migration-using-azure-data-studio.md
description: Learn how to use the Azure SQL Migration extension in Azure Data St
Previously updated : 09/28/2022 Last updated : 10/10/2023
For information about specific migration scenarios and Azure SQL targets, see th
||| SQL Server to Azure SQL Managed Instance| [Online](./tutorial-sql-server-managed-instance-online-ads.md) / [Offline](./tutorial-sql-server-managed-instance-offline-ads.md) SQL Server to SQL Server on an Azure virtual machine|[Online](./tutorial-sql-server-to-virtual-machine-online-ads.md) / [Offline](./tutorial-sql-server-to-virtual-machine-offline-ads.md)
-SQL Server to Azure SQL Database | [Offline](./tutorial-sql-server-azure-sql-database-offline-ads.md)
+SQL Server to Azure SQL Database | [Offline](./tutorial-sql-server-azure-sql-database-offline.md)
> [!IMPORTANT] > If your target is Azure SQL Database, make sure you deploy the database schema before you begin the migration. You can use tools like the [SQL Server dacpac extension](/sql/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/sql/azure-data-studio/extensions/sql-database-project-extension) for Azure Data Studio.
To monitor database migrations in the Azure portal:
- You can't use an existing self-hosted integration runtime that was created in Azure Data Factory for database migrations with Database Migration Service. Initially, create the self-hosted integration runtime by using the Azure SQL Migration extension for Azure Data Studio. You can reuse that self-hosted integration runtime in future database migrations. -- Azure Data Studio currently supports both Azure Active Directory (Azure AD)/Windows authentication and SQL logins for connecting to the source SQL Server instance. For the Azure SQL targets, only SQL logins are supported.
+- Azure Data Studio currently supports both Microsoft Entra ID/Windows authentication and SQL logins for connecting to the source SQL Server instance. For the Azure SQL targets, only SQL logins are supported.
## Pricing
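Review bot: the retargeted link drops the "-ads" suffix (tutorial-sql-server-azure-sql-database-offline.md) and the same change set deletes tutorial-sql-server-azure-sql-database-offline-ads.md; the replacement file is not shown here, so confirm it is added in the same commit or the table row breaks. The changed authentication bullet is otherwise correct, but the constraint it states for Azure SQL targets (only SQL logins are supported) deserves its own sentence rather than being tacked onto the rename, since it decides which credential the migration tooling has to handle.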
dms Quickstart Create Data Migration Service Hybrid Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dms/quickstart-create-data-migration-service-hybrid-portal.md
Register the Microsoft.DataMigration resource provider before you create your fi
You need to create an Azure App registration ID that the on-premises hybrid worker can use to communicate with Azure Database Migration Service in the cloud.
-1. In the Azure portal, select **Azure Active Directory**, select **App registrations**, and then select **New registration**.
+1. In the Azure portal, select **Microsoft Entra ID**, select **App registrations**, and then select **New registration**.
2. Specify a name for the application, and then, under **Supported account types**, select the type of accounts to support to specify who can use the application. ![Azure Database Migration Service hybrid mode register application](media/quickstart-create-data-migration-service-hybrid-portal/dms-register-application.png)
dms Resource Custom Roles Sql Db Managed Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dms/resource-custom-roles-sql-db-managed-instance.md
# Custom roles for SQL Server to Azure SQL Managed Instance online migrations
-Azure Database Migration Service uses an APP ID to interact with Azure Services. The APP ID requires either the Contributor role at the Subscription level (which many Corporate security departments won't allow) or creation of custom roles that grant the specific permissions that Azure Database Migration Service requires. Since there's a limit of 2,000 custom roles in Azure Active Directory, you may want to combine all permissions required specifically by the APP ID into one or two custom roles, and then grant the APP ID the custom role on specific objects or resource groups (vs. at the subscription level). If the number of custom roles isn't a concern, you can split the custom roles by resource type, to create three custom roles in total as described below.
+Azure Database Migration Service uses an APP ID to interact with Azure Services. The APP ID requires either the Contributor role at the Subscription level (which many Corporate security departments won't allow) or creation of custom roles that grant the specific permissions that Azure Database Migration Service requires. Since there's a limit of 2,000 custom roles in Microsoft Entra ID, you may want to combine all permissions required specifically by the APP ID into one or two custom roles, and then grant the APP ID the custom role on specific objects or resource groups (vs. at the subscription level). If the number of custom roles isn't a concern, you can split the custom roles by resource type, to create three custom roles in total as described below.
The AssignableScopes section of the role definition json string allows you to control where the permissions appear in the **Add Role Assignment** UI in the portal. You'll likely want to define the role at the resource group or even resource level to avoid cluttering the UI with extra roles. Note that this doesn't perform the actual role assignment.
We currently recommend creating a minimum of two custom roles for the APP ID, on
> [!NOTE] > The last custom role requirement may eventually be removed, as new SQL Managed Instance code is deployed to Azure.
-**Custom Role for the APP ID**. This role is required for Azure Database Migration Service migration at the *resource* or *resource group* level that hosts the Azure Database Migration Service (for more information about the APP ID, see the article [Use the portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md)).
+**Custom Role for the APP ID**. This role is required for Azure Database Migration Service migration at the *resource* or *resource group* level that hosts the Azure Database Migration Service (for more information about the APP ID, see the article [Use the portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md)).
```json {
After you create these custom roles, you must add role assignments to users and
## Expanded number of roles
-If the number of custom roles in your Azure Active Directory isn't a concern, we recommend you create a total of three roles. You'll still need the ΓÇ£DMS Role - App ID ΓÇô SubΓÇ¥ role, but the ΓÇ£DMS Role - App IDΓÇ¥ role above is split by resource type into two different roles.
+If the number of custom roles in your Microsoft Entra ID isn't a concern, we recommend you create a total of three roles. You'll still need the ΓÇ£DMS Role - App ID ΓÇô SubΓÇ¥ role, but the ΓÇ£DMS Role - App IDΓÇ¥ role above is split by resource type into two different roles.
**Custom role for the APP ID for SQL Managed Instance**
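Review bot: "a limit of 2,000 custom roles in Microsoft Entra ID" in the changed intro paragraph mislabels the limit: it is the Azure RBAC limit on custom role definitions per tenant, not a Microsoft Entra ID directory limit, so "custom roles per Microsoft Entra tenant" is the accurate phrasing. The same applies to "custom roles in your Microsoft Entra ID" in the Expanded number of roles section, where "in your Microsoft Entra tenant" reads correctly. The recommendation itself, scoping the APP ID's custom role to the resource group that hosts the service instead of Contributor at subscription scope, is the right least-privilege guidance and should stay prominent.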
dms Tutorial Login Migration Ads https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dms/tutorial-login-migration-ads.md
description: Learn how to migrate on-premises SQL Server logins (preview) to Azu
Previously updated : 01/31/2023 Last updated : 10/10/2023
Before you begin the tutorial:
> > Nevertheless, the login migration process can be performed at any time, to update the user mapping synchronization for recently migrated databases. -- For Windows accounts, ensure that the target SQL managed instance has Azure Active Directory read access. This option can be configured via the Azure portal by a user with the Global Administrator role. For more information, see [Provision Azure AD admin (SQL Managed Instance)](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).
+- For Windows accounts, ensure that the target SQL managed instance has Microsoft Entra read access. This option can be configured via the Azure portal by a user with the Global Administrator role. For more information, see [Provision Microsoft Entra admin (SQL Managed Instance)](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).
- Domain federation between local Active Directory Domain Services (AD DS) and Azure Active Directory (Azure AD) has to be set up by an administrator. This configuration is required so that the on-premises Windows users can be synced with the company Azure AD. The login migrations process would then be able to create an external login for the corresponding Azure AD user in the target managed instance.
+ Domain federation between local Active Directory Domain Services (AD DS) and Microsoft Entra ID has to be set up by an administrator. This configuration is required so that the on-premises Windows users can be synced with the company Microsoft Entra ID. The login migrations process would then be able to create an external login for the corresponding Microsoft Entra user in the target managed instance.
- In case the domain federation hasn't been set up yet in your Azure Active Directory tenant, the administrator can refer to the following links to get started:
+ In case the domain federation hasn't been set up yet in your Microsoft Entra tenant, the administrator can refer to the following links to get started:
- [Tutorial: Basic Active Directory environment](../active-directory/cloud-sync/tutorial-basic-ad-azure.md)
- - [Tutorial: Integrate a single forest with a single Azure AD tenant](../active-directory/cloud-sync/tutorial-single-forest.md)
- - [Provision Azure AD admin (SQL Managed Instance)](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance)
+ - [Tutorial: Integrate a single forest with a single Microsoft Entra tenant](../active-directory/cloud-sync/tutorial-single-forest.md)
+ - [Provision Microsoft Entra admin (SQL Managed Instance)](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance)
-- Windows account migrations are supported **only for Azure SQL Managed Instance targets**. The Login Migration wizard will show you a prompt, where you have to enter the Azure AD domain name to convert the Windows users to their Azure AD versions.
+- Windows account migrations are supported **only for Azure SQL Managed Instance targets**. The Login Migration wizard will show you a prompt, where you have to enter the Microsoft Entra domain name to convert the Windows users to their Microsoft Entra versions.
- For example, if the Windows user is `contoso\username`, and the Azure AD domain name is `contoso.com`, then the converted Azure AD username will be `username@contoso.com`. For this conversion to happen correctly, the domain federation between the local Active Directory and Azure AD should be set up.
+ For example, if the Windows user is `contoso\username`, and the Microsoft Entra domain name is `contoso.com`, then the converted Microsoft Entra username will be `username@contoso.com`. For this conversion to happen correctly, the domain federation between the local Active Directory and Microsoft Entra ID should be set up.
> [!IMPORTANT] > For large number of logins, we recommend using automation. With PowerShell or Azure CLI you can use the `CSVFilePath` switch, that allows you to pass a CSV file type as a list of logins to be migrated.
To open the Login Migration wizard:
:::image type="content" source="media/tutorial-login-migration-ads/configuration-azure-target-database.png" alt-text="Screenshot that shows Azure SQL Managed Instance connectivity.":::
-1. In **Step 2: Select login(s) to migrate**, select the logins that you wish to migrate from the source SQL server to the Azure SQL target. For Windows accounts, you'll be prompted to enter the associated Azure Active Directory domain name. Then select **Migrate** to start the login migration process.
+1. In **Step 2: Select login(s) to migrate**, select the logins that you wish to migrate from the source SQL server to the Azure SQL target. For Windows accounts, you'll be prompted to enter the associated Microsoft Entra domain name. Then select **Migrate** to start the login migration process.
:::image type="content" source="media/tutorial-login-migration-ads/logins-to-migrate.png" alt-text="Screenshot that shows the source logins details.":::
The migration details page displays the different stages involved in the login m
You can verify by logging into the target Azure SQL using one of the logins migrated, by entering the same password as it had on the source SQL Server instance. -- If you have also migrated Windows accounts, make sure to check the option of **Azure Active Directory - Password** while logging into the target managed instance using the same password that the Windows account had on the source SQL Server.
+- If you have also migrated Windows accounts, make sure to check the option of **Microsoft Entra ID - Password** while logging into the target managed instance using the same password that the Windows account had on the source SQL Server.
- The username should be in the format of `username@contoso.com` (the Azure Active Directory domain name provided in Step 2 of the login migration wizard).
+ The username should be in the format of `username@contoso.com` (the Microsoft Entra domain name provided in Step 2 of the login migration wizard).
## Limitations
The following table describes the current status of the Login migration support
## Next steps - [Migrate databases with Azure SQL Migration extension for Azure Data Studio](./migration-using-azure-data-studio.md)-- [Tutorial: Migrate SQL Server to Azure SQL Database - Offline](./tutorial-sql-server-azure-sql-database-offline-ads.md)
+- [Tutorial: Migrate SQL Server to Azure SQL Database - Offline](./tutorial-sql-server-azure-sql-database-offline.md)
- [Tutorial: Migrate SQL Server to Azure SQL Managed Instance - Online](./tutorial-sql-server-managed-instance-online-ads.md) - [Tutorial: Migrate SQL Server to SQL Server On Azure Virtual Machines - Online](./tutorial-sql-server-to-virtual-machine-online-ads.md)
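Review bot: the `+` line changes only the Azure SQL Database link target, dropping the `-ads` suffix (`./tutorial-sql-server-azure-sql-database-offline.md`), while the two Next steps links on the unchanged line that follows still point at `./tutorial-sql-server-managed-instance-online-ads.md` and `./tutorial-sql-server-to-virtual-machine-online-ads.md`; confirm those two files are not renamed in the same change, otherwise they will break after publish. The sign-in guidance on the other `+` lines (option **Microsoft Entra ID - Password**, username in the form `username@contoso.com` with the Microsoft Entra domain name from Step 2) is consistent with the Entra renaming and needs no further change.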
dms Tutorial Sql Server Azure Sql Database Offline Ads https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dms/tutorial-sql-server-azure-sql-database-offline-ads.md
- Title: "Tutorial: Migrate SQL Server to Azure SQL Database offline in Azure Data Studio"-
-description: Learn how to migrate on-premises SQL Server to Azure SQL Database offline by using Azure Data Studio and Azure Database Migration Service.
-- Previously updated : 06/07/2023---
- - seo-lt-2019
- - sql-migration-content
--
-# Tutorial: Migrate SQL Server to Azure SQL Database offline in Azure Data Studio
-
-You can use Azure Database Migration Service and the Azure SQL Migration extension for Azure Data Studio to migrate databases from an on-premises instance of SQL Server to Azure SQL Database offline and with minimal downtime.
-
-In this tutorial, learn how to migrate the example AdventureWorks2019 database from an on-premises instance of SQL Server to an instance of Azure SQL Database by using the Azure SQL Migration extension for Azure Data Studio. This tutorial uses offline migration mode, which considers an acceptable downtime during the migration process.
-
-In this tutorial, you learn how to:
-> [!div class="checklist"]
->
-> - Open the Migrate to Azure SQL wizard in Azure Data Studio
-> - Run an assessment of your source SQL Server databases
-> - Collect performance data from your source SQL Server instance
-> - Get a recommendation of the Azure SQL Database SKU that will work best for your workload
-> - Deploy your on-premises database schema to Azure SQL Database
-> - Create an instance of Azure Database Migration Service
-> - Start your migration and monitor progress to completion
--
-> [!IMPORTANT]
-> Currently, *online* migrations for Azure SQL Database targets aren't available.
-
-## Prerequisites
-
-Before you begin the tutorial:
--- [Download and install Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio).-- [Install the Azure SQL Migration extension](/sql/azure-data-studio/extensions/azure-sql-migration-extension) from Azure Data Studio Marketplace.-- Have an Azure account that's assigned to one of the following built-in roles:-
- - Contributor for the target instance of Azure SQL Database
- - Reader role for the Azure resource group that contains the target instance of Azure SQL Database
- - Owner or Contributor role for the Azure subscription (required if you create a new instance of Azure Database Migration Service)
-
- As an alternative to using one of these built-in roles, you can [assign a custom role](resource-custom-roles-sql-database-ads.md).
-
- > [!IMPORTANT]
- > An Azure account is required only when you configure the migration steps. An Azure account isn't required for the assessment or to view Azure recommendations in the migration wizard in Azure Data Studio.
--- Create a target instance of [Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart).--- Make sure that the SQL Server login that connects to the source SQL Server instance is a member of the db_datareader role and that the login for the target SQL Server instance is a member of the db_owner role.--- Migrate the database schema from source to target by using the [SQL Server dacpac extension](/sql/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/sql/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio.--- If you're using Azure Database Migration Service for the first time, make sure that the Microsoft.DataMigration [resource provider is registered in your subscription](quickstart-create-data-migration-service-portal.md#register-the-resource-provider).-
-> [!NOTE]
-> Make sure to migrate the database schema from source to target by using the [SQL Server dacpac extension](/sql/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/sql/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio before selecting the list of tables to migrate.
->
-> If no tables exists on the Azure SQL Database target, or no tables are selected before starting the migration. The **Next** button isn't available to select to initiate the migration task.
->
-
-## Open the Migrate to Azure SQL wizard in Azure Data Studio
-
-To open the Migrate to Azure SQL wizard:
-
-1. In Azure Data Studio, go to **Connections**. Select and connect to your on-premises instance of SQL Server. You also can connect to SQL Server on an Azure virtual machine.
-
-1. Right-click the server connection and select **Manage**.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/azure-data-studio-manage-panel.png" alt-text="Screenshot that shows a server connection and the Manage option in Azure Data Studio." lightbox="media/tutorial-sql-server-azure-sql-database-offline-ads/azure-data-studio-manage-panel.png":::
-
-1. In the server menu under **General**, select **Azure SQL Migration**.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/launch-migrate-to-azure-sql-wizard-1.png" alt-text="Screenshot that shows the Azure Data Studio server menu.":::
-
-1. In the Azure SQL Migration dashboard, select **Migrate to Azure SQL** to open the migration wizard.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/launch-migrate-to-azure-sql-wizard-2.png" alt-text="Screenshot that shows the Migrate to Azure SQL wizard.":::
-
-1. On the first page of the wizard, start a new session or resume a previously saved session.
-
-## Run database assessment, collect performance data, and get Azure recommendations
-
-1. In **Step 1: Databases for assessment** in the Migrate to Azure SQL wizard, select the databases you want to assess. Then, select **Next**.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/assessment-database-selection.png" alt-text="Screenshot that shows selecting a database for assessment.":::
-
-1. In **Step 2: Assessment results and recommendations**, complete the following steps:
-
- 1. In **Choose your Azure SQL target**, select **Azure SQL Database**.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/assessment-target-selection.png" alt-text="Screenshot that shows selecting the Azure SQL Database target.":::
-
- 1. Select **View/Select** to view the assessment results.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/assessment.png" alt-text="Screenshot that shows view/select assessment results.":::
-
- 1. In the assessment results, select the database, and then review the assessment report to make sure no issues were found.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/assessment-issues-details.png" alt-text="Screenshot that shows assessment report.":::
-
- 1. Select **Get Azure recommendation** to open the recommendations pane.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/get-azure-recommendation.png" alt-text="Screenshot that shows Azure recommendations.":::
-
- 1. Select **Collect performance data now**. Select a folder on your local computer to store the performance logs, and then select **Start**.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/get-azure-recommendation-zoom.png" alt-text="Screenshot that shows performance data collection.":::
-
- Azure Data Studio collects performance data until you either stop data collection or you close Azure Data Studio.
-
- After 10 minutes, Azure Data Studio indicates that a recommendation is available for Azure SQL Database. After the first recommendation is generated, you can select **Restart data collection** to continue the data collection process and refine the SKU recommendation. An extended assessment is especially helpful if your usage patterns vary over time.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/get-azure-recommendation-collected.png" alt-text="Screenshot that shows performance data collected.":::
-
- 1. In the selected **Azure SQL Database** target, select **View details** to open the detailed SKU recommendation report:
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/get-azure-recommendation-view-details.png" alt-text="Screenshot that shows the View details link for the target database recommendations.":::
-
- 1. In **Review Azure SQL Database Recommendations**, review the recommendation. To save a copy of the recommendation, select **Save recommendation report**.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/azure-sku-recommendation-zoom.png" alt-text="Screenshot that shows SKU recommendation details.":::
-
-1. Select **Close** to close the recommendations pane.
-
-1. Select **Next** to continue your database migration in the wizard.
-
-## Configure migration settings
-
-1. In **Step 3: Azure SQL target** in the Migrate to Azure SQL wizard, complete these steps for your target Azure SQL Database instance:
-
- 1. Select your Azure account, Azure subscription, the Azure region or location, and the resource group that contains the Azure SQL Database deployment.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/configuration-azure-target-account.png" alt-text="Screenshot that shows Azure account details.":::
-
- 1. For **Azure SQL Database Server**, select the target Azure SQL Database server (logical server). Enter a username and password for the target database deployment. Then, select **Connect**. Enter the credentials to verify connectivity to the target database.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/configuration-azure-target-database.png" alt-text="Screenshot that shows Azure SQL Database details.":::
-
- 1. Next, map the source database and the target database for the migration. For **Target database**, select the Azure SQL Database target. Then, select **Next** to move to the next step in the migration wizard.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/configuration-azure-target-map.png" alt-text="Screenshot that shows source and target mapping.":::
-
-1. In **Step 4: Migration mode**, select **Offline migration**, and then select **Next**.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/migration-mode.png" alt-text="Screenshot that shows offline migrations selection.":::
-
-1. In **Step 5: Data source configuration**, complete the following steps:
-
- 1. Under **Source credentials**, enter the source SQL Server credentials.
-
- 1. Under **Select tables**, select the **Edit** pencil icon.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/migration-source-credentials.png" alt-text="Screenshot that shows source SQL Server credentials.":::
-
- 1. In **Select tables for \<database-name\>**, select the tables to migrate to the target. The **Has rows** column indicates whether the target table has rows in the target database. You can select one or more tables. Then, select **Update**.
-
- You can update the list of selected tables anytime before you start the migration.
-
- In the following example, a text filter is applied to select only tables that contain the word **Employee**. Select a list of tables based on your migration needs.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/migration-source-tables.png" alt-text="Screenshot that shows table selection.":::
-
-1. Review your table selections, and then select **Next** to move to the next step in the migration wizard.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/migration-target-tables.png" alt-text="Screenshot that shows selected tables to migrate.":::
-
-> [!NOTE]
-> If no tables are selected or if a username and password aren't entered, the **Next** button isn't available to select.
->
-> Make sure to migrate the database schema from source to target by using the [SQL Server dacpac extension](/sql/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/sql/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio before selecting the list of tables to migrate.
-
-## Create a Database Migration Service instance
-
-In **Step 6: Azure Database Migration Service** in the Migrate to Azure SQL wizard, create a new instance of Azure Database Migration Service or reuse an existing instance that you created earlier.
-
-> [!NOTE]
-> If you previously created a Database Migration Service instance by using the Azure portal, you can't reuse the instance in the migration wizard in Azure Data Studio. You can reuse an instance only if you created the instance by using Azure Data Studio.
-
-### Use an existing instance of Database Migration Service
-
-To use an existing instance of Database Migration Service:
-
-1. In **Resource group**, select the resource group that contains an existing instance of Database Migration Service.
-
-1. In **Azure Database Migration Service**, select an existing instance of Database Migration Service that's in the selected resource group.
-
-1. Select **Next**.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/create-dms.png" alt-text="Screenshot that shows Database Migration Service selection.":::
-
-### Create a new instance of Database Migration Service
-
-To create a new instance of Database Migration Service:
-
-1. In **Resource group**, create a new resource group to contain a new instance of Database Migration Service.
-
-1. Under **Azure Database Migration Service**, select **Create new**.
-
-1. In **Create Azure Database Migration Service**, enter a name for your Database Migration Service instance, and then select **Create**.
-
-1. Under **Set up integration runtime**, complete the following steps:
-
- 1. Select the **Download and install integration runtime** link to open the download link in a web browser. Download the integration runtime, and then install it on a computer that meets the prerequisites to connect to the source SQL Server instance.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/create-dms-integration-runtime-download.png" alt-text="Screenshot that shows the Download and install integration runtime link.":::
-
- When installation is finished, Microsoft Integration Runtime Configuration Manager automatically opens to begin the registration process.
-
- 1. In the **Authentication key** table, copy one of the authentication keys that are provided in the wizard and paste it in Azure Data Studio.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/create-dms-integration-runtime-authentication-key.png" alt-text="Screenshot that highlights the authentication key table in the wizard.":::
-
- If the authentication key is valid, a green check icon appears in Integration Runtime Configuration Manager. A green check indicates that you can continue to **Register**.
-
- After you register the self-hosted integration runtime, close Microsoft Integration Runtime Configuration Manager.
-
- > [!NOTE]
- > For more information about how to use the self-hosted integration runtime, see [Create and configure a self-hosted integration runtime](../data-factory/create-self-hosted-integration-runtime.md).
-
-1. In **Create Azure Database Migration Service** in Azure Data Studio, select **Test connection** to validate that the newly created Database Migration Service instance is connected to the newly registered self-hosted integration runtime.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/create-dms-integration-runtime-connected.png" alt-text="Screenshot that shows IR connectivity test.":::
-
-1. Return to the migration wizard in Azure Data Studio.
-
-## Start the database migration
-
-In **Step 7: Summary** in the Migrate to Azure SQL wizard, review the configuration you created, and then select **Start migration** to start the database migration.
--
-## Monitor the database migration
-
-1. In Azure Data Studio, in the server menu under **General**, select **Azure SQL Migration** to go to the dashboard for your Azure SQL Database migrations.
-
- Under **Database migration status**, you can track migrations that are in progress, completed, and failed (if any), or you can view all database migrations.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard.png" alt-text="Screenshot that shows monitor migration dashboard." lightbox="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard.png":::
-
-1. Select **Database migrations in progress** to view active migrations.
-
- To get more information about a specific migration, select the database name.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard-details.png" alt-text="Screenshot that shows database migration details." lightbox="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard-details.png":::
-
- Database Migration Service returns the latest known migration status each time migration status refreshes. The following table describes possible statuses:
-
- | Status | Description |
- |--|-|
- |Preparing for copy| The service is disabling autostats, triggers, and indexes in the target table. |
- |Copying| Data is being copied from the source database to the target database. |
- |Copy finished| Data copy is finished. The service is waiting on other tables to finish copying to begin the final steps to return tables to their original schema. |
- |Rebuilding indexes| The service is rebuilding indexes on target tables. |
- |Succeeded| All data is copied and the indexes are rebuilt. |
-
-1. Check the migration details page to view the current status for each database.
-
- Here's an example of the AdventureWorks2019 database migration with the status **Creating**:
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard-creating.png" alt-text="Screenshot that shows a creating migration status." lightbox="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard-creating.png":::
-
-1. In the menu bar, select **Refresh** to update the migration status.
-
- After migration status is refreshed, the updated status for the example AdventureWorks2019 database migration is **In progress**:
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard-in-progress.png" alt-text="Screenshot that shows a migration in progress status." lightbox="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-dashboard-in-progress.png":::
-
-1. Select a database name to open the table view. In this view, you see the current status of the migration, the number of tables that currently are in that status, and a detailed status of each table.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-monitoring-panel-in-progress.png" alt-text="Screenshot that shows monitoring table migration." lightbox="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-monitoring-panel-in-progress.png":::
-
- When all table data is migrated to the Azure SQL Database target, Database Migration Service updates the migration status from **In progress** to **Succeeded**.
-
- :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-monitoring-panel-succeeded.png" alt-text="Screenshot that shows succeeded migration." lightbox="media/tutorial-sql-server-azure-sql-database-offline-ads/monitor-migration-monitoring-panel-succeeded.png":::
-
-> [!NOTE]
-> Database Migration Service optimizes migration by skipping tables with no data (0 rows). Tables that don't have data don't appear in the list, even if you select the tables when you create the migration.
-
-You've completed the migration to Azure SQL Database. We encourage you to go through a series of post-migration tasks to ensure that everything functions smoothly and efficiently.
-
-> [!IMPORTANT]
-> Be sure to take advantage of the advanced cloud-based features of Azure SQL Database. The features include [built-in high availability](/azure/azure-sql/database/high-availability-sla), [threat detection](/azure/azure-sql/database/azure-defender-for-sql), and [monitoring and tuning your workload](/azure/azure-sql/database/monitor-tune-overview).
-
-## Limitations
--
-## Next steps
--- Complete a quickstart to [create an Azure SQL Database instance](/azure/azure-sql/database/single-database-create-quickstart).-- Learn more about [Azure SQL Database](/azure/azure-sql/database/sql-database-paas-overview).-- Learn how to [connect apps to Azure SQL Database](/azure/azure-sql/database/connect-query-content-reference-guide).-- To troubleshoot, review [Known issues](known-issues-azure-sql-migration-azure-data-studio.md).
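Review bot: this deletes `tutorial-sql-server-azure-sql-database-offline-ads.md` outright while a replacement is added under `tutorial-sql-server-azure-sql-database-offline.md`; the only inbound-link fix visible in this change is the one in the login-migration tutorial, so a redirect entry for the old path should accompany the deletion, otherwise other articles, bookmarks and search results that still reference the `-ads.md` path will 404. Also the deleted file had an empty `## Limitations` section (heading with no body directly before `## Next steps`); check that the replacement does not carry that empty section forward.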
dms Tutorial Sql Server Azure Sql Database Offline https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dms/tutorial-sql-server-azure-sql-database-offline.md
+
+ Title: "Tutorial: Migrate SQL Server to Azure SQL Database (offline)"
+
+description: Learn how to migrate on-premises SQL Server to Azure SQL Database offline by using Azure Database Migration Service.
+++ Last updated : 10/10/2023+++
+ - seo-lt-2019
+ - sql-migration-content
++
+# Tutorial: Migrate SQL Server to Azure SQL Database (offline)
+
+You can use Azure Database Migration Service via the Azure SQL Migration extension for Azure Data Studio, or the Azure portal, to migrate databases from an on-premises instance of SQL Server to Azure SQL Database (offline).
+
+In this tutorial, learn how to migrate the sample `AdventureWorks2019` database from an on-premises instance of SQL Server to an instance of Azure SQL Database, by using Database Migration Service. This tutorial uses offline migration mode, which considers an acceptable downtime during the migration process.
+
+In this tutorial, you learn how to:
+> [!div class="checklist"]
+> - Open the Migrate to Azure SQL wizard in Azure Data Studio
+> - Run an assessment of your source SQL Server databases
+> - Collect performance data from your source SQL Server instance
+> - Get a recommendation of the Azure SQL Database SKU that will work best for your workload
+> - Deploy your on-premises database schema to Azure SQL Database
+> - Create an instance of Azure Database Migration Service
+> - Start your migration and monitor progress to completion
++
+> [!IMPORTANT]
+> Currently, *online* migrations for Azure SQL Database targets aren't available.
+
+## Migration options
+
+The following section describes how to use Azure Database Migration Service with the Azure SQL Migration extension, or in the Azure portal.
+
+## [Migrate using Azure SQL Migration extension](#tab/azure-data-studio)
+
+### Prerequisites
+
+Before you begin the tutorial:
+
+- [Download and install Azure Data Studio](/sql/azure-data-studio/download-azure-data-studio).
+- [Install the Azure SQL Migration extension](/sql/azure-data-studio/extensions/azure-sql-migration-extension) from Azure Data Studio Marketplace.
+- Have an Azure account that's assigned to one of the following built-in roles:
+
+ - Contributor for the target instance of Azure SQL Database
+ - Reader role for the Azure resource group that contains the target instance of Azure SQL Database
+ - Owner or Contributor role for the Azure subscription (required if you create a new instance of Azure Database Migration Service)
+
+ As an alternative to using one of these built-in roles, you can [assign a custom role](resource-custom-roles-sql-database-ads.md).
+
+ > [!IMPORTANT]
+ > An Azure account is required only when you configure the migration steps. An Azure account isn't required for the assessment or to view Azure recommendations in the migration wizard in Azure Data Studio.
+
+- Create a target instance of [Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart).
+
+- Make sure that the SQL Server login that connects to the source SQL Server instance is a member of the db_datareader role and that the login for the target SQL Server instance is a member of the db_owner role.
+
+- Migrate the database schema from source to target by using the [SQL Server dacpac extension](/sql/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/sql/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio.
+
+- If you're using Database Migration Service for the first time, make sure that the Microsoft.DataMigration [resource provider is registered in your subscription](quickstart-create-data-migration-service-portal.md#register-the-resource-provider).
+
+> [!NOTE]
+> Make sure to migrate the database schema from source to target by using the [SQL Server dacpac extension](/sql/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/sql/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio before selecting the list of tables to migrate.
+>
+> If no tables exist on the Azure SQL Database target, or no tables are selected before starting the migration, the **Next** button isn't available to select to initiate the migration task.
+
+### Open the Migrate to Azure SQL wizard in Azure Data Studio
+
+To open the Migrate to Azure SQL wizard:
+
+1. In Azure Data Studio, go to **Connections**. Select and connect to your on-premises instance of SQL Server. You also can connect to SQL Server on an Azure virtual machine.
+
+1. Right-click the server connection and select **Manage**.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/azure-data-studio-manage-panel.png" alt-text="Screenshot that shows a server connection and the Manage option in Azure Data Studio." lightbox="media/tutorial-sql-server-azure-sql-database-offline/azure-data-studio-manage-panel.png":::
+
+1. In the server menu under **General**, select **Azure SQL Migration**.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/launch-migrate-to-azure-sql-wizard-1.png" alt-text="Screenshot that shows the Azure Data Studio server menu.":::
+
+1. In the Azure SQL Migration dashboard, select **Migrate to Azure SQL** to open the migration wizard.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/launch-migrate-to-azure-sql-wizard-2.png" alt-text="Screenshot that shows the Migrate to Azure SQL wizard.":::
+
+1. On the first page of the wizard, start a new session or resume a previously saved session.
+
+### Run database assessment, collect performance data, and get Azure recommendations
+
+1. In **Step 1: Databases for assessment** in the Migrate to Azure SQL wizard, select the databases you want to assess. Then, select **Next**.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/assessment-database-selection.png" alt-text="Screenshot that shows selecting a database for assessment.":::
+
+1. In **Step 2: Assessment results and recommendations**, complete the following steps:
+
+ 1. In **Choose your Azure SQL target**, select **Azure SQL Database**.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/assessment-target-selection.png" alt-text="Screenshot that shows selecting the Azure SQL Database target.":::
+
+ 1. Select **View/Select** to view the assessment results.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/assessment.png" alt-text="Screenshot that shows view/select assessment results.":::
+
+ 1. In the assessment results, select the database, and then review the assessment report to make sure no issues were found.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/assessment-issues-details.png" alt-text="Screenshot that shows the assessment report.":::
+
+ 1. Select **Get Azure recommendation** to open the recommendations pane.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/get-azure-recommendation.png" alt-text="Screenshot that shows Azure recommendations.":::
+
+ 1. Select **Collect performance data now**. Select a folder on your local computer to store the performance logs, and then select **Start**.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/get-azure-recommendation-zoom.png" alt-text="Screenshot that shows performance data collection.":::
+
+ Azure Data Studio collects performance data until you either stop data collection or you close Azure Data Studio.
+
+ After 10 minutes, Azure Data Studio indicates that a recommendation is available for Azure SQL Database. After the first recommendation is generated, you can select **Restart data collection** to continue the data collection process and refine the SKU recommendation. An extended assessment is especially helpful if your usage patterns vary over time.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/get-azure-recommendation-collected.png" alt-text="Screenshot that shows performance data collected.":::
+
+ 1. In the selected **Azure SQL Database** target, select **View details** to open the detailed SKU recommendation report:
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/get-azure-recommendation-view-details.png" alt-text="Screenshot that shows the View details link for the target database recommendations.":::
+
+ 1. In **Review Azure SQL Database Recommendations**, review the recommendation. To save a copy of the recommendation, select **Save recommendation report**.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/azure-sku-recommendation-zoom.png" alt-text="Screenshot that shows SKU recommendation details.":::
+
+1. Select **Close** to close the recommendations pane.
+
+1. Select **Next** to continue your database migration in the wizard.
+
+### Configure migration settings
+
+1. In **Step 3: Azure SQL target** in the Migrate to Azure SQL wizard, complete these steps for your target Azure SQL Database instance:
+
+ 1. Select your Azure account, Azure subscription, the Azure region or location, and the resource group that contains the Azure SQL Database deployment.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/configuration-azure-target-account.png" alt-text="Screenshot that shows Azure account details.":::
+
+ 1. For **Azure SQL Database Server**, select the target Azure SQL Database server (logical server). Enter a username and password for the target database deployment. Then, select **Connect**. Enter the credentials to verify connectivity to the target database.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/configuration-azure-target-database.png" alt-text="Screenshot that shows Azure SQL Database details.":::
+
+ 1. Next, map the source database and the target database for the migration. For **Target database**, select the Azure SQL Database target. Then, select **Next** to move to the next step in the migration wizard.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/configuration-azure-target-map.png" alt-text="Screenshot that shows source and target mapping.":::
+
+1. In **Step 4: Migration mode**, select **Offline migration**, and then select **Next**.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/migration-mode.png" alt-text="Screenshot that shows offline migrations selection.":::
+
+1. In **Step 5: Data source configuration**, complete the following steps:
+
+ 1. Under **Source credentials**, enter the source SQL Server credentials.
+
+ 1. Under **Select tables**, select the **Edit** pencil icon.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/migration-source-credentials.png" alt-text="Screenshot that shows source SQL Server credentials.":::
+
+ 1. In **Select tables for \<database-name\>**, select the tables to migrate to the target. The **Has rows** column indicates whether the target table has rows in the target database. You can select one or more tables. Then, select **Update**.
+
+ You can update the list of selected tables anytime before you start the migration.
+
+ In the following example, a text filter is applied to select tables that contain the word `Employee`. Select a list of tables based on your migration needs.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/migration-source-tables.png" alt-text="Screenshot that shows the table selection.":::
+
+1. Review your table selections, and then select **Next** to move to the next step in the migration wizard.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/migration-target-tables.png" alt-text="Screenshot that shows selected tables to migrate.":::
+
+> [!NOTE]
+> If no tables are selected or if a username and password aren't entered, the **Next** button isn't available to select.
+>
+> Make sure to migrate the database schema from source to target by using the [SQL Server dacpac extension](/sql/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/sql/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio before selecting the list of tables to migrate.
+
+### Create a Database Migration Service instance
+
+In **Step 6: Azure Database Migration Service** in the Migrate to Azure SQL wizard, create a new instance of Database Migration Service, or reuse an existing instance that you created earlier.
+
+> [!NOTE]
+> If you previously created a Database Migration Service instance by using the Azure portal, you can't reuse the instance in the migration wizard in Azure Data Studio. You can reuse an instance only if you created the instance by using Azure Data Studio.
+
+#### Use an existing instance of Database Migration Service
+
+To use an existing instance of Database Migration Service:
+
+1. In **Resource group**, select the resource group that contains an existing instance of Database Migration Service.
+
+1. In **Azure Database Migration Service**, select an existing instance of Database Migration Service that's in the selected resource group.
+
+1. Select **Next**.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/create-dms.png" alt-text="Screenshot that shows Database Migration Service selection.":::
+
+#### Create a new instance of Database Migration Service
+
+To create a new instance of Database Migration Service:
+
+1. In **Resource group**, create a new resource group to contain a new instance of Database Migration Service.
+
+1. Under **Azure Database Migration Service**, select **Create new**.
+
+1. In **Create Azure Database Migration Service**, enter a name for your Database Migration Service instance, and then select **Create**.
+
+1. Under **Set up integration runtime**, complete the following steps:
+
+ 1. Select the **Download and install integration runtime** link to open the download link in a web browser. Download the integration runtime, and then install it on a computer that meets the prerequisites for connecting to the source SQL Server instance.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/create-dms-integration-runtime-download.png" alt-text="Screenshot that shows the Download and install integration runtime link.":::
+
+ When installation is finished, Microsoft Integration Runtime Configuration Manager automatically opens to begin the registration process.
+
+ 1. In the **Authentication key** table, copy one of the authentication keys that are provided in the wizard and paste it in Azure Data Studio.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/create-dms-integration-runtime-authentication-key.png" alt-text="Screenshot that highlights the authentication key table in the wizard.":::
+
+ If the authentication key is valid, a green check icon appears in Integration Runtime Configuration Manager. A green check indicates that you can continue to **Register**.
+
+ After you register the self-hosted integration runtime, close Microsoft Integration Runtime Configuration Manager.
+
+ > [!NOTE]
+ > For more information about the self-hosted integration runtime, see [Create and configure a self-hosted integration runtime](../data-factory/create-self-hosted-integration-runtime.md).
+
+1. In **Create Azure Database Migration Service** in Azure Data Studio, select **Test connection** to validate that the newly created Database Migration Service instance is connected to the newly registered self-hosted integration runtime.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/create-dms-integration-runtime-connected.png" alt-text="Screenshot that shows IR connectivity test.":::
+
+1. Return to the migration wizard in Azure Data Studio.
+
+### Start the database migration
+
+In **Step 7: Summary** in the Migrate to Azure SQL wizard, review the configuration you created, and then select **Start migration** to start the database migration.
++
+### Monitor the database migration
+
+1. In Azure Data Studio, in the server menu under **General**, select **Azure SQL Migration** to go to the dashboard for your Azure SQL Database migrations.
+
+ Under **Database migration status**, you can track migrations that are in progress, completed, and failed (if any), or you can view all database migrations.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/monitor-migration-dashboard.png" alt-text="Screenshot that shows monitor migration dashboard." lightbox="media/tutorial-sql-server-azure-sql-database-offline/monitor-migration-dashboard.png":::
+
+1. Select **Database migrations in progress** to view active migrations.
+
+ To get more information about a specific migration, select the database name.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/monitor-migration-dashboard-details.png" alt-text="Screenshot that shows database migration details." lightbox="media/tutorial-sql-server-azure-sql-database-offline/monitor-migration-dashboard-details.png":::
+
+ Database Migration Service returns the latest known migration status each time migration status refreshes. The following table describes possible statuses:
+
+ | Status | Description |
+ | | |
+ | Preparing for copy | The service is disabling autostats, triggers, and indexes in the target table. |
+ | Copying | Data is being copied from the source database to the target database. |
+ | Copy finished | Data copy is finished. The service is waiting on other tables to finish copying to begin the final steps to return tables to their original schema. |
+ | Rebuilding indexes | The service is rebuilding indexes on target tables. |
+ | Succeeded | All data is copied and the indexes are rebuilt. |
+
+1. Check the migration details page to view the current status for each database.
+
+ Here's an example of the `AdventureWorks2019` database migration with the status **Creating**:
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/monitor-migration-dashboard-creating.png" alt-text="Screenshot that shows a creating migration status." lightbox="media/tutorial-sql-server-azure-sql-database-offline/monitor-migration-dashboard-creating.png":::
+
+1. In the menu bar, select **Refresh** to update the migration status.
+
+ After migration status is refreshed, the updated status for the example `AdventureWorks2019` database migration is **In progress**:
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/monitor-migration-dashboard-in-progress.png" alt-text="Screenshot that shows a migration in progress status." lightbox="media/tutorial-sql-server-azure-sql-database-offline/monitor-migration-dashboard-in-progress.png":::
+
+1. Select a database name to open the table view. In this view, you see the current status of the migration, the number of tables that currently are in that status, and a detailed status of each table.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/monitor-migration-monitoring-panel-in-progress.png" alt-text="Screenshot that shows monitoring table migration." lightbox="media/tutorial-sql-server-azure-sql-database-offline/monitor-migration-monitoring-panel-in-progress.png":::
+
+ When all table data is migrated to the Azure SQL Database target, Database Migration Service updates the migration status from **In progress** to **Succeeded**.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/monitor-migration-monitoring-panel-succeeded.png" alt-text="Screenshot that shows succeeded migration." lightbox="media/tutorial-sql-server-azure-sql-database-offline/monitor-migration-monitoring-panel-succeeded.png":::
+
+> [!NOTE]
+> Database Migration Service optimizes migration by skipping tables with no data (0 rows). Tables that don't have data don't appear in the list, even if you select the tables when you create the migration.
+
+You've completed the migration to Azure SQL Database. We encourage you to go through a series of post-migration tasks to ensure that everything functions smoothly and efficiently.
+
+> [!IMPORTANT]
+> Be sure to take advantage of the advanced cloud-based features of Azure SQL Database. The features include [built-in high availability](/azure/azure-sql/database/high-availability-sla), [threat detection](/azure/azure-sql/database/azure-defender-for-sql), and [monitoring and tuning your workload](/azure/azure-sql/database/monitor-tune-overview).
+
+## [Migrate using Azure portal](#tab/portal)
+
+### Prerequisites
+
+Before you begin the tutorial:
+
+- Ensure that you can access the [Azure portal](https://portal.azure.com)
+
+- Have an Azure account that's assigned to one of the following built-in roles:
+ - Contributor for the target instance of Azure SQL Database
+ - Reader role for the Azure resource group that contains the target instance of Azure SQL Database
+ - Owner or Contributor role for the Azure subscription (required if you create a new instance of Azure Database Migration Service)
+
+ As an alternative to using one of these built-in roles, you can [assign a custom role](resource-custom-roles-sql-database-ads.md).
+
+- Create a target instance of [Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart).
+
+- Make sure that the SQL Server login that connects to the source SQL Server instance is a member of the **db_datareader** role, and that the login for the target SQL Server instance is a member of the **db_owner** role.
+
+- Migrate the database schema from source to target by using the [SQL Server dacpac extension](/sql/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/sql/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio.
+
+- If you're using Database Migration Service for the first time, make sure that the `Microsoft.DataMigration` [resource provider is registered in your subscription](quickstart-create-data-migration-service-portal.md#register-the-resource-provider).
+
+> [!NOTE]
+> Make sure to migrate the database schema from source to target by using the [SQL Server dacpac extension](/sql/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/sql/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio before selecting the list of tables to migrate.
+>
+> If no tables exists on the Azure SQL Database target, or no tables are selected before starting the migration. The **Next** button isn't available to select to initiate the migration task.
++
+### Start a new migration
+
+1. In **Step 2** to start a new migration using Database Migration Service from Azure portal, under **Azure Database Migration Services**, select an existing instance of Database Migration Service that you want to use, and then select either **New Migration** or **Start migrations**.
+
+1. Under **Select new migration** scenario, choose your source, target server type, migration mode and choose **Select**.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-select-migration.png" alt-text="Screenshot that shows new migration scenario details.":::
+
+1. Now under Azure SQL Database Offline Migration wizard:
+
+ 1. Provide below details to **connect to source SQL server** and select Next:
+
+ - Source server name
+ - Authentication type
+ - User name and password
+ - Connection properties
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-sql-database-connect.png" alt-text="Screenshot that shows source SQL server details." lightbox="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-sql-database-connect.png":::
+
+ 1. On next page, **select databases for migration**. This page might take some time to populate the list of databases from source.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-sql-database-select-database.png" alt-text="Screenshot that shows list of databases from source.":::
+
+ 1. Assuming you have already provisioned the Target based upon the assessment results, provide the target details on **Connect to target Azure SQL Database** page, and select Next:
+
+ - Azure subscription
+ - Azure resource group
+ - Target Azure SQL Database server
+ - Authentication type
+ - User name and password
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-sql-database-connect-target.png" alt-text="Screenshot that shows details for target.":::
+
+ 1. Under **Map source and target databases**, map the databases between source and target.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-sql-database-map-target.png" alt-text="Screenshot that shows list of mapping between source and target.":::
+
+ 1. Before moving to this step, ensure to migrate the schema from source to target for all selected databases. Then, **Select database tables to migrate** for each selected database and select the table/s for which you want to migrate the data".
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-sql-database-select-table.png" alt-text="Screenshot that shows list of tables select source database to migrate data to target." lightbox="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-sql-database-select-table.png":::
+
+ 1. Review all the inputs provided on **Database migration summary** page and select **Start migration** button to start the database migration.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-sql-database-summary.png" alt-text="Screenshot that shows summary of the migration configuration." lightbox="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-sql-database-summary.png":::
+
+ > [!NOTE]
+ > In an offline migration, application downtime starts when the migration starts.
+ >
+ > Make sure to migrate the database schema from source to target by using the [SQL Server dacpac extension](/sql/azure-data-studio/extensions/sql-server-dacpac-extension) or the [SQL Database Projects extension](/sql/azure-data-studio/extensions/sql-database-project-extension) in Azure Data Studio before selecting the list of tables to migrate.
+
+### Monitor the database migration
+
+1. In the Database Migration Service instance overview, select Monitor migrations to view the details of your database migrations.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-overview.png" alt-text="Screenshot that shows monitor migration dashboard." lightbox="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-overview.png":::
+
+1. Under the **Migrations** tab, you can track migrations that are in progress, completed, and failed (if any), or you can view all database migrations. In the menu bar, select **Refresh** to update the migration status.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-monitor-in-progress.png" alt-text="Screenshot that shows database migration details." lightbox="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-monitor-in-progress.png":::
+
+ Database Migration Service returns the latest known migration status each time migration status refreshes. The following table describes possible statuses:
+
+ | Status | Description |
+ | | |
+ | Preparing for copy | The service is disabling autostats, triggers, and indexes in the target table. |
+ | Copying | Data is being copied from the source database to the target database. |
+ | Copy finished | Data copy is finished. The service is waiting on other tables to finish copying to begin the final steps to return tables to their original schema. |
+ | Rebuilding indexes | The service is rebuilding indexes on target tables. |
+ | Succeeded | All data is copied and the indexes are rebuilt. |
+
+1. Under **Source name** , select a database name to open the table view. In this view, you see the current status of the migration, the number of tables that currently are in that status, and a detailed status of each table.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-monitor-copy.png" alt-text="Screenshot that shows a migration status." lightbox="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-monitor-copy.png":::
+
+1. When all table data is migrated to the Azure SQL Database target, Database Migration Service updates the migration status from **In progress** to **Succeeded**.
+
+ :::image type="content" source="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-monitor-succeeded.png" alt-text="Screenshot that shows succeeded migration." lightbox="media/tutorial-sql-server-azure-sql-database-offline/dms-portal-monitor-succeeded.png":::
+
+> [!NOTE]
+> Database Migration Service optimizes migration by skipping tables with no data (0 rows). Tables that don't have data don't appear in the list, even if you select the tables when you create the migration.
+
+You've completed the migration to Azure SQL Database. We encourage you to go through a series of post-migration tasks to ensure that everything functions smoothly and efficiently.
+++
+## Limitations
++
+## Next steps
+
+- [Create an Azure SQL database](/azure/azure-sql/database/single-database-create-quickstart)
+- [Azure SQL Database overview](/azure/azure-sql/database/sql-database-paas-overview)
+- [Connect apps to Azure SQL Database](/azure/azure-sql/database/connect-query-content-reference-guide)
+- [Known issues](known-issues-azure-sql-migration-azure-data-studio.md)
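Review bot: The `## Limitations` heading added near the end of this file is empty (it is followed only by a blank line before `## Next steps`); either fill it in or drop the heading until there is content, since an empty H2 publishes as a dangling section. A few smaller points in the same file: the two migration-status tables use `| | |` as the separator row, which Markdown will not render as a table header, so it needs `| --- | --- |` in both the Azure Data Studio and Azure portal tabs; the portal-tab note "If no tables exists on the Azure SQL Database target, or no tables are selected before starting the migration. The **Next** button isn't available to select to initiate the migration task." is a sentence fragment and should read "If no tables exist on the Azure SQL Database target, or no tables are selected before you start the migration, the **Next** button isn't available to select to initiate the migration task."; the step "select the table/s for which you want to migrate the data"." carries a stray closing quotation mark and should read "select the tables for which you want to migrate the data."; and the prerequisite "the login for the target SQL Server instance is a member of the **db_owner** role" names a SQL Server instance where the target in this tutorial is Azure SQL Database.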
dms Tutorial Sql Server Managed Instance Online https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dms/tutorial-sql-server-managed-instance-online.md
To complete this tutorial, you need to:
* Provide an SMB network share that contains all your database full database backup files and subsequent transaction log backup files, which Azure Database Migration Service can use for database migration. * Ensure that the service account running the source SQL Server instance has write privileges on the network share that you created and that the computer account for the source server has read/write access to the same share. * Make a note of a Windows user (and password) that has full control privilege on the network share that you previously created. Azure Database Migration Service impersonates the user credential to upload the backup files to Azure Storage container for restore operation.
-* Create an Azure Active Directory Application ID that generates the Application ID key that Azure Database Migration Service can use to connect to target Azure SQL Managed Instance and Azure Storage Container. For more information, see the article [Use portal to create an Azure Active Directory application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md).
+* Create a Microsoft Entra Application ID that generates the Application ID key that Azure Database Migration Service can use to connect to target Azure SQL Managed Instance and Azure Storage Container. For more information, see the article [Use portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md).
> [!NOTE] > The Application ID used by the Azure Database Migration Service supports secret (password-based) authentication for service principals. It does not support certificate-based authentication.
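Review bot: In the rewritten bullet, "Create a Microsoft Entra Application ID that generates the Application ID key" leaves "Application ID key" undefined, while the note right below states that only secret (password-based) authentication is supported for service principals and the later step asks for **Application ID** and **Key**. Suggest naming the credential explicitly, e.g. "Create a Microsoft Entra application registration and a client secret (entered in the wizard as **Application ID** and **Key**) that Azure Database Migration Service can use to connect to the target Azure SQL Managed Instance and the Azure Storage container", so readers know which credential to generate, scope and later rotate.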
After an instance of the service is created, locate it within the Azure portal,
1. On the **Select target** screen, specify the **Application ID** and **Key** that the DMS instance can use to connect to the target instance of SQL Managed Instance and the Azure Storage Account.
- For more information, see the article [Use portal to create an Azure Active Directory application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md).
+ For more information, see the article [Use portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md).
2. Select the **Subscription** containing the target instance of SQL Managed Instance, and then choose the target SQL Managed instance.
dms Tutorial Sql Server To Azure Sql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dms/tutorial-sql-server-to-azure-sql.md
description: Learn to migrate from SQL Server to Azure SQL Database offline by u
Previously updated : 02/08/2023 Last updated : 10/10/2023
[!INCLUDE [Azure Database Migration Service (classic) - SQL scenarios retirement announcement](../../includes/deprecation-announcement-dms-classic-sql.md)] > [!NOTE]
-> This tutorial uses an older version of the Azure Database Migration Service. For improved functionality and supportability, consider migrating to Azure SQL Database by using the [Azure SQL migration extension for Azure Data Studio](tutorial-sql-server-azure-sql-database-offline-ads.md).
+> This tutorial uses an older version of the Azure Database Migration Service. For improved functionality and supportability, consider migrating to Azure SQL Database by using the [Azure SQL migration extension for Azure Data Studio](tutorial-sql-server-azure-sql-database-offline.md).
> > To compare features between versions, review [compare versions](dms-overview.md#compare-versions).
To complete this tutorial, you need to:
> > This configuration is necessary because Azure Database Migration Service lacks internet connectivity. >
- >If you donΓÇÖt have site-to-site connectivity between the on-premises network and Azure or if there is limited site-to-site connectivity bandwidth, consider using Azure Database Migration Service in hybrid mode (Preview). Hybrid mode leverages an on-premises migration worker together with an instance of Azure Database Migration Service running in the cloud. To create an instance of Azure Database Migration Service in hybrid mode, see the article [Create an instance of Azure Database Migration Service in hybrid mode using the Azure portal](./quickstart-create-data-migration-service-hybrid-portal.md).
+ >If you don't have site-to-site connectivity between the on-premises network and Azure or if there is limited site-to-site connectivity bandwidth, consider using Azure Database Migration Service in hybrid mode (Preview). Hybrid mode leverages an on-premises migration worker together with an instance of Azure Database Migration Service running in the cloud. To create an instance of Azure Database Migration Service in hybrid mode, see the article [Create an instance of Azure Database Migration Service in hybrid mode using the Azure portal](./quickstart-create-data-migration-service-hybrid-portal.md).
- Ensure that your virtual network Network Security Group outbound security rules don't block the outbound port 443 of ServiceTag for ServiceBus, Storage, and AzureMonitor. For more detail on Azure virtual network NSG traffic filtering, see the article [Filter network traffic with network security groups](../virtual-network/virtual-network-vnet-plan-design-arm.md). - Configure your [Windows Firewall for database engine access](/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access).-- Open your Windows firewall to allow Azure Database Migration Service to access the source SQL Server, which by default is TCP port 1433. If your default instance is listening on some other port, add that to the firewall.-- If you're running multiple named SQL Server instances using dynamic ports, you may wish to enable the SQL Browser Service and allow access to UDP port 1434 through your firewalls so that Azure Database Migration Service can connect to a named instance on your source server.-- When using a firewall appliance in front of your source database(s), you may need to add firewall rules to allow Azure Database Migration Service to access the source database(s) for migration.
+- Open your firewall on Windows to allow Azure Database Migration Service to access the source SQL Server, which by default is TCP port 1433. If your default instance is listening on some other port, add that to the firewall.
+- If you're running multiple named SQL Server instances using dynamic ports, you might wish to enable the SQL Browser Service and allow access to UDP port 1434 through your firewalls so that Azure Database Migration Service can connect to a named instance on your source server.
+- When using a firewall appliance in front of your source database(s), you might need to add firewall rules to allow Azure Database Migration Service to access the source database(s) for migration.
- Create a server-level IP [firewall rule](/azure/azure-sql/database/firewall-configure) for Azure SQL Database to allow Azure Database Migration Service access to the target databases. Provide the subnet range of the virtual network used for Azure Database Migration Service. - Ensure that the credentials used to connect to source SQL Server instance have [CONTROL SERVER](/sql/t-sql/statements/grant-server-permissions-transact-sql) permissions. - Ensure that the credentials used to connect to target Azure SQL Database instance have [CONTROL DATABASE](/sql/t-sql/statements/grant-database-permissions-transact-sql) permission on the target databases.
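Review bot: The rewritten firewall bullets (TCP port 1433 for the default instance, UDP port 1434 if you rely on the SQL Browser Service) tell readers to open the ports but not from where, while the target-side bullet in the same list already scopes its rule to "the subnet range of the virtual network used for Azure Database Migration Service". Suggest the same scoping language on the source-side rules, e.g. "allow inbound TCP 1433 (and UDP 1434 only if you need SQL Browser for named instances) from the Azure Database Migration Service subnet", so the guidance does not read as an unrestricted allow rule on the source SQL Server host or the firewall appliance in front of it.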
dms Tutorial Transparent Data Encryption Migration Ads https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/dms/tutorial-transparent-data-encryption-migration-ads.md
description: Learn how to migrate on-premises SQL Server TDE-enabled databases (
Previously updated : 02/03/2023 Last updated : 10/10/2023
# Tutorial: Migrate TDE-enabled databases (preview) to Azure SQL in Azure Data Studio
-For securing a SQL Server database, you can take precautions like designing a secure system, encrypting confidential assets, and building a firewall. However, physical theft of media like drives or tapes can still compromise the data.
+For securing a SQL Server database, you can take precautions like designing a secure system, encrypting confidential assets, and building a firewall. However, physical theft of media like drives or tapes can still compromise the data.
TDE provides a solution to this problem, with real-time I/O encryption/decryption of data at rest (data and log files) by using a symmetric database encryption key (DEK) secured by a certificate. For more information about migrating TDE certificates manually, see [Move a TDE Protected Database to Another SQL Server](/sql/relational-databases/security/encryption/move-a-tde-protected-database-to-another-sql-server).
-When you migrate a TDE-protected database, the certificate (asymmetric key) used to open the database encryption key (DEK) must also be moved along with the source database. Therefore, you need to recreate the server certificate in the `master` database of the target SQL Server for that instance to access the database files.
+When you migrate a TDE-protected database, the certificate (asymmetric key) used to open the database encryption key (DEK) must also be moved along with the source database. Therefore, you need to recreate the server certificate in the `master` database of the target SQL Server for that instance to access the database files.
You can use the [Azure SQL Migration extension for Azure Data Studio](/sql/azure-data-studio/extensions/azure-sql-migration-extension) to help you migrate TDE-enabled databases (preview) from an on-premises instance of SQL Server to Azure SQL. The TDE-enabled database migration process automates manual tasks such as backing up the database certificate keys (DEK), copying the certificate files from the on-premises SQL Server to the Azure SQL target, and then reconfiguring TDE for the target database again. > [!IMPORTANT]
- > Currently, only Azure SQL Managed Instance targets are supported.
+ > Currently, only Azure SQL Managed Instance targets are supported.
-In this tutorial, you learn how to migrate the example `AdventureWorksTDE` encrypted database from an on-premises instance of SQL Server to an Azure SQL managed instance.
+In this tutorial, you learn how to migrate the example `AdventureWorksTDE` encrypted database from an on-premises instance of SQL Server to an Azure SQL managed instance.
> [!div class="checklist"] >
To open the Migrate to Azure SQL wizard:
> [!IMPORTANT] > The **Info box** section describes the required permissions to export the DEK certificates.
- >
+ >
> You must ensure the SQL Server service account has write access to network share path you will use to backup the DEK certificates. Also, the current user should have administrator privileges on the computer where this network path exists. 1. Enter the **network path**.
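Review bot: The Info box text following this whitespace-only change covers who needs write access to the network share used to back up the DEK certificates, but says nothing about protecting or cleaning up what is exported there; the certificate backup on that share is the key material that unlocks the TDE-protected database files. Suggest adding that the share should be readable only by the SQL Server service account and the administrator running the migration, and that the exported certificate and private key files be deleted from the share once the migration to the managed instance completes. Minor: "backup" in "use to backup the DEK certificates" is a verb here, so "back up".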
To open the Migrate to Azure SQL wizard:
## Configure migration settings
-1. In **Step 3: Azure SQL target** in the Migrate to Azure SQL wizard, complete these steps for your target managed instance:
+In **Step 3: Azure SQL target** in the Migrate to Azure SQL wizard, complete these steps for your target managed instance:
- 1. Select your Azure account, Azure subscription, the Azure region or location, and the resource group that contains the managed instance.
+1. Select your Azure account, Azure subscription, the Azure region or location, and the resource group that contains the managed instance.
:::image type="content" source="media/tutorial-transparent-data-encryption-migration-ads/configuration-azure-target.png" alt-text="Screenshot that shows Azure account details." lightbox="media/tutorial-transparent-data-encryption-migration-ads/configuration-azure-target.png":::
- 1. When you're ready, select **Migrate certificates** to start the TDE certificates migration.
+1. When you're ready, select **Migrate certificates** to start the TDE certificates migration.
## Start and monitor the TDE certificate migration
To open the Migrate to Azure SQL wizard:
1. You can monitor the process for each TDE certificate by selecting **Migrate certificates**.
-1. Select **Next** to continue the migration wizard until you complete the database migration.
+1. Select **Next** to continue the migration wizard until you complete the database migration.
:::image type="content" source="media/tutorial-transparent-data-encryption-migration-ads/database-migration-continue.png" alt-text="Screenshot that shows how to continue the database migration." lightbox="media/tutorial-transparent-data-encryption-migration-ads/database-migration-continue.png":::
To open the Migrate to Azure SQL wizard:
## Post-migration steps Your target managed instance should now have the databases, and their respective certificates migrated. To verify the current status of the recently migrated database, copy and paste the following example into a new query window on Azure Data Studio while connected to your managed instance target. Then, select **Run**.
-
-```sql
+
+```sql
USE master; GO
SELECT db_name(database_id),
FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID('Your database name'); GO
-```
+```
The query returns the information about the database, the encryption status and the pending percent complete. In this case, it's zero because the TDE certificate has been already completed. :::image type="content" source="media/tutorial-transparent-data-encryption-migration-ads/tde-query.png" alt-text="Screenshot that shows the results returned by the TDE query provided in this section.":::
-
-For more information about encryption with SQL Server, see: [Transparent data encryption (TDE).](/sql/relational-databases/security/encryption/transparent-data-encryption)
+
+For more information about encryption with SQL Server, see [Transparent data encryption (TDE)](/sql/relational-databases/security/encryption/transparent-data-encryption).
## Limitations The following table describes the current status of the TDE-enabled database migrations support by Azure SQL target: | Target | Support | Status |
-| - | - |:-:|
+| | | :: |
| Azure SQL Database | No | |
-| Azure SQL Managed Instance | Yes | Preview |
+| Azure SQL Managed Instance | Yes | Preview |
| SQL Server on Azure VM | No | |
-## Next steps
+## Related content
-- [Migrate databases with Azure SQL Migration extension for Azure Data Studio](./migration-using-azure-data-studio.md)-- [Tutorial: Migrate SQL Server to Azure SQL Database - Offline](./tutorial-sql-server-azure-sql-database-offline-ads.md)-- [Tutorial: Migrate SQL Server to Azure SQL Managed Instance - Online](./tutorial-sql-server-managed-instance-online-ads.md)-- [Tutorial: Migrate SQL Server to SQL Server On Azure Virtual Machines - Online](./tutorial-sql-server-to-virtual-machine-online-ads.md)
+- [Migrate databases with Azure SQL Migration extension for Azure Data Studio](migration-using-azure-data-studio.md)
+- [Tutorial: Migrate SQL Server to Azure SQL Database - Offline](tutorial-sql-server-azure-sql-database-offline.md)
+- [Tutorial: Migrate SQL Server to Azure SQL Managed Instance - Online](tutorial-sql-server-managed-instance-online-ads.md)
+- [Tutorial: Migrate SQL Server to SQL Server On Azure Virtual Machines - Online](tutorial-sql-server-to-virtual-machine-online-ads.md)
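Review bot: the `+` link for "Tutorial: Migrate SQL Server to Azure SQL Database - Offline" drops the `-ads` suffix (`tutorial-sql-server-azure-sql-database-offline.md`) while the `-` line and the two sibling `+` links keep it (`tutorial-sql-server-managed-instance-online-ads.md`, `tutorial-sql-server-to-virtual-machine-online-ads.md`); confirm the renamed file exists or the link will break. Two smaller points in the same hunk: the new limitations-table delimiter row reads `| | | :: |`, which is not a valid Markdown delimiter row (the removed `| - | - |:-:|` was), and the verification query's SELECT list ends in a trailing comma (`SELECT db_name(database_id),` directly before `FROM`), so the statement as shown will not parse; the columns the prose refers to (encryption status and percent complete, i.e. `encryption_state, percent_complete` from `sys.dm_database_encryption_keys`) should be listed there.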
energy-data-services How To Generate Refresh Token https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/energy-data-services/how-to-generate-refresh-token.md
In this article, you will learn how to generate a refresh token. The following are the basic steps to use the OAuth 2.0 authorization code grant flow to get a refresh token from the Microsoft identity platform endpoint:
- 1. Register your app with Azure AD.
+ 1. Register your app with Microsoft Entra ID.
2. Get authorization. 3. Get a refresh token.
-## Register your app with Azure AD
+<a name='register-your-app-with-azure-ad'></a>
+
+## Register your app with Microsoft Entra ID
To use the Azure Data Manager for Energy platform endpoint, you must register your app using the [Azure app registration portal](https://go.microsoft.com/fwlink/?linkid=2083908). You can use either a Microsoft account or a work or school account to register an app. To configure an app to use the OAuth 2.0 authorization code grant flow, save the following values when registering the app:
To configure an app to use the OAuth 2.0 authorization code grant flow, save the
- The `Directory (tenant) ID` that will be used in place of `{Tenant ID}` - The `application (client) ID` assigned by the app registration portal, which will be used instead of `client_id`. - A `client (application) secret`, either a password or a public/private key pair (certificate). The client secret isn't required for native apps. This secret will be used instead of `{AppReg Secret}` later.-- A `redirect URI (or reply URL)` for your app to receive responses from Azure AD. If there's no redirect URIs specified, add a platform, select "Web", then add `http://localhost:8080`, and select save.
+- A `redirect URI (or reply URL)` for your app to receive responses from Microsoft Entra ID. If there's no redirect URIs specified, add a platform, select "Web", then add `http://localhost:8080`, and select save.
For steps on how to configure an app in the Azure portal, see [Register your app](../active-directory/develop/quickstart-register-app.md#register-an-application). ## Get authorization
-The first step to getting an access token for many OpenID Connect (OIDC) and OAuth 2.0 flows is to redirect the user to the Microsoft identity platform `/authorize` endpoint. Azure AD will sign the user in and request their consent for the permissions your app requests. In the authorization code grant flow, after consent is obtained, Azure AD will return an `authorization_code` to your app that it can redeem at the Microsoft identity platform `/token` endpoint for an access token.
+The first step to getting an access token for many OpenID Connect (OIDC) and OAuth 2.0 flows is to redirect the user to the Microsoft identity platform `/authorize` endpoint. Microsoft Entra ID will sign the user in and request their consent for the permissions your app requests. In the authorization code grant flow, after consent is obtained, Microsoft Entra ID will return an `authorization_code` to your app that it can redeem at the Microsoft identity platform `/token` endpoint for an access token.
### Authorization request
The following shows an example of an authorization request:
| Parameter | Required? | Description | | | | |
-|`{Tenant ID}`|Required|Name of your Azure AD tenant|
+|`{Tenant ID}`|Required|Name of your Microsoft Entra tenant|
| client_id |Required |The application ID assigned to your app in the [Azure portal](https://portal.azure.com). | | response_type |Required |The response type, which must include `code` for the authorization code flow. You can receive an ID token if you include it in the response type, such as `code+id_token`, and in this case, the scope needs to include `openid`.| | redirect_uri |Required |The redirect URI of your app, where authentication responses are sent and received by your app. It must exactly match one of the redirect URIs that you registered in the portal, except that it must be URL-encoded. |
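Review bot: the `+` row still describes `{Tenant ID}` as "Name of your Microsoft Entra tenant", but the earlier context line in this file says the `Directory (tenant) ID` value is what replaces `{Tenant ID}`; a tenant name and the tenant GUID are different values, and the placeholder's own name points at the GUID. Suggest "ID of your Microsoft Entra tenant (the Directory (tenant) ID recorded during app registration)". Separately, the parameter table's delimiter row (`| | | |`) has no dashes as shown here, so the table will not render.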
Your app uses the authorization code received in the previous step to request an
|Parameter | Description | |||
-|token_type |Indicates the token type value. The only type that Azure AD supports is Bearer. |
+|token_type |Indicates the token type value. The only type that Microsoft Entra ID supports is Bearer. |
|scope |A space separated list of the Microsoft Graph permissions that the access_token is valid for. | |expires_in |How long the access token is valid (in seconds). | |access_token |The requested access token. Your app can use this token to call Microsoft Graph. |
energy-data-services How To Manage Audit Logs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/energy-data-services/how-to-manage-audit-logs.md
The audit logs for Azure Data Manager for Energy service returns the following f
| Data partition ID | String | Data partition ID on which operation is performed. | | Action | String | Action refers to the type of operation that is, whether it's create, delete, update etc.| | ActionID | String | ID associated with operation. |
-| PuID | String | ObjectId of the user in Azure AD|
+| PuID | String | ObjectId of the user in Microsoft Entra ID|
| ResultType | String | Define success or failure of operation | | Operation Description | String | Provides specific details of the response. These details can include tracing information, such as the symptoms, of the result that are used for further analysis. | | RequestId | String | This is the unique ID associated to the request, which triggered the operation on data plane. |
OEPAuditLogs
Learn about Managed Identity: > [!div class="nextstepaction"] > [Managed Identity in Azure Data Manager for Energy](how-to-use-managed-identity.md)--
energy-data-services How To Manage Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/energy-data-services/how-to-manage-users.md
Create an Azure Data Manager for Energy instance using the tutorial at [How to c
You will need to pass parameters for generating the access token, which you'll need to make valid calls to the Entitlements API of your Azure Data Manager for Energy instance. You will also need these parameters for different user management requests to the Entitlements API. Hence Keep the following values handy for these actions. #### Find `tenant-id`
-Navigate to the Azure Active Directory account for your organization. One way to do so is by searching for "Azure Active Directory" in the Azure portal's search bar. Once there, locate `tenant-id` under the basic information section in the *Overview* tab. Copy the `tenant-id` and paste in an editor to be used later.
+Navigate to the Microsoft Entra account for your organization. One way to do so is by searching for "Microsoft Entra ID" in the Azure portal's search bar. Once there, locate `tenant-id` under the basic information section in the *Overview* tab. Copy the `tenant-id` and paste in an editor to be used later.
:::image type="content" source="media/how-to-manage-users/tenant-id.png" alt-text="Screenshot of finding the tenant-id.":::
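Review bot: "Navigate to the Microsoft Entra account for your organization" in the `+` line is not something the portal offers; the page reached by searching "Microsoft Entra ID" is the tenant overview, so "Microsoft Entra ID tenant" (or simply "Microsoft Entra ID", matching the search term in the same sentence) is the accurate wording. Minor: the unchanged sentence just above has "Hence Keep the following values handy" with a stray capital K.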
Copy the `access_token` value from the response. You'll need it to pass as one o
You can manage users' access to your Azure Data Manager for Energy instance or data partitions. As a prerequisite for this step, you need to find the 'object-id' (OID) of the user(s) first. If you are managing an application's access to your instance or data partition, then you must find and use the application ID (or client ID) instead of the OID.
-You'll need to input the `object-id` (OID) of the users (or the application or client ID if managing access for an application) as parameters in the calls to the Entitlements API of your Azure Data Manager for Energy Instance. `object-id` (OID) is the Azure Active Directory User Object ID.
+You'll need to input the `object-id` (OID) of the users (or the application or client ID if managing access for an application) as parameters in the calls to the Entitlements API of your Azure Data Manager for Energy Instance. `object-id` (OID) is the Microsoft Entra user Object ID.
:::image type="content" source="media/how-to-manage-users/profile-object-id.png" alt-text="Screenshot of finding the object-id from the profile.":::
energy-data-services How To Use Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/energy-data-services/how-to-use-managed-identity.md
This article walks you through the five main steps for configuring Azure Functio
## Overview of managed identities
-A managed identity from Azure Active Directory (Azure AD) allows your application to easily access other Azure AD-protected resources. The identity is managed by the Azure platform and doesn't require you to create or rotate any secrets. Any Azure service that wants to access Azure Data Manager for Energy control plane or data plane for any operation can use a managed identity to do so.
+A managed identity from Microsoft Entra ID allows your application to easily access other Microsoft Entra protected resources. The identity is managed by the Azure platform and doesn't require you to create or rotate any secrets. Any Azure service that wants to access Azure Data Manager for Energy control plane or data plane for any operation can use a managed identity to do so.
There are two types of managed identities:
To retrieve the object ID for the user-assigned identity that will access the Az
Retrieve the application ID of the user-assigned identity by using the object ID:
-1. In the Azure portal, go to **Azure Active Directory**.
+1. In the Azure portal, go to **Microsoft Entra ID**.
2. On the left menu, select **Enterprise applications**. 3. In the **Search by application name or object ID** box, enter the object ID. 4. For the application that appears in the results, note the **Application ID** value.
energy-data-services Overview Microsoft Energy Data Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/energy-data-services/overview-microsoft-energy-data-services.md
Azure Data Manager for Energy conforms to the following principles:
Azure Data Manager for Energy is a first-party PaaS (Platform as a Service) offering where Microsoft manages the deployment, monitoring, management, scale, security, updates, and upgrades of the service so that the customers can focus on the value from the platform. Microsoft offers seamless upgrades to the latest OSDU&trade; milestone versions after testing and validation.
-Furthermore, Azure Data Manager for Energy provides security capabilities like encryption for data-in-transit and data-at-rest. The authentication and authorization are provided by Azure Active Directory. Microsoft also assumes the responsibility of providing regular security patches and updates.
+Furthermore, Azure Data Manager for Energy provides security capabilities like encryption for data-in-transit and data-at-rest. The authentication and authorization are provided by Microsoft Entra ID. Microsoft also assumes the responsibility of providing regular security patches and updates.
Azure Data Manager for Energy also supports multiple data partitions for every platform instance. More data partitions can also be created after creating an instance, as needed.
energy-data-services Quickstart Create Microsoft Energy Data Services Instance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/energy-data-services/quickstart-create-microsoft-energy-data-services-instance.md
Azure Data Manager for Energy is a managed "Platform as a service (PaaS)" offeri
| Prerequisite | Details | | | - | Active Azure Subscription | You need the Azure subscription ID in which you want to install Azure Data Manager for Energy. You need to have appropriate permissions to create Azure resources in this subscription.
-Application ID | You need an [application ID](../active-directory/develop/application-model.md) (often referred to as "App ID" or a "client ID"). This application ID is used for authentication to Azure Active Directory and will be associated with your Azure Data Manager for Energy instance. You can [create an application ID](../active-directory/develop/quickstart-register-app.md) by navigating to Active directory and selecting *App registrations* > *New registration*.
+Application ID | You need an [application ID](../active-directory/develop/application-model.md) (often referred to as "App ID" or a "client ID"). This application ID is used for authentication to Microsoft Entra ID and will be associated with your Azure Data Manager for Energy instance. You can [create an application ID](../active-directory/develop/quickstart-register-app.md) by navigating to Active directory and selecting *App registrations* > *New registration*.
Client Secret | Sometimes called an application password, a client secret is a string value that your app can use in place of a certificate to identity itself. You can [create a client secret](../active-directory/develop/quickstart-register-app.md#add-a-client-secret) by selecting *Certificates & secrets* > *Client secrets* > *New client secret*. Record the secret's value for use in your client application code. This secret value is never displayed again after you leave this page. ## Create an Azure Data Manager for Energy instance
-1. Save your **Application (client) ID** and **client secret** from Azure Active Directory to refer to them later in this quickstart.
+1. Save your **Application (client) ID** and **client secret** from Microsoft Entra ID to refer to them later in this quickstart.
1. Sign in to [Microsoft Azure Marketplace](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/MarketplaceOffersBlade/selectedMenuItemId/home)
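Review bot: the rename is incomplete in the `+` Application ID row: it now says authentication is to Microsoft Entra ID, yet the same sentence still directs the reader to create the registration "by navigating to Active directory". Change that to "Microsoft Entra ID" for consistency with the other `+` lines in this file. While here, the unchanged Client Secret row reads "to identity itself", which should be "to identify itself".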
Deleting a Microsoft Energy Data instance also deletes any data that you've inge
1. Sign in to the Azure portal and delete the *resource group* in which these components are installed.
-2. This step is optional. Go to Azure Active Directory and delete the *app registration* that you linked to your Azure Data Manager for Energy instance.
+2. This step is optional. Go to Microsoft Entra ID and delete the *app registration* that you linked to your Azure Data Manager for Energy instance.
Any set locks at the resource group (RG) level must be removed before deleting any resource in the RG. Resources not deleted due to locks are considered active until the resource is successfully deleted.
energy-data-services Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/energy-data-services/release-notes.md
This page is updated with the details about the upcoming release approximately a
## September 2023
-### General Availability Fixed Pricing for Azure Data Manager for Energy
+### Azure Data Manager for Energy in Brazil South Region
Azure Data Manager for Energy is now available in Brazil South Region. Both developer tier and standard tier are available in Brazil South region. You can now select Brazil South as your preferred region when creating Azure Data Manage for Energy resource, using the [Azure portal](https://ms.portal.azure.com/#create/Microsoft.AzureDataManagerforEnergy)".
+### Audit Logs for DDMS
+You can now access Audit Logs for create, read, update and delete events for Petrel Data Services, Seismic DMS, and Wellbore DMS Public APIs. This allows you to trace user actions, compile relevant metadata, and use this to run internal audits. [Learn More](./how-to-manage-audit-logs.md)
## August 2023
energy-data-services Tutorial Csv Ingestion https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/energy-data-services/tutorial-csv-ingestion.md
In this tutorial, you'll learn how to:
| Parameter | Value to use | Example | Where to find these values? | | | |-- |-- |
- | CLIENT_ID | Application (client) ID | 3dbbbcc2-f28f-44b6-a5ab-xxxxxxxxxxxx | App ID or Client_ID used when registering the application with the Microsoft Identity Platform. See [Register an application](../active-directory/develop/quickstart-register-app.md#register-an-application) |
+ | CLIENT_ID | Application (client) ID | 3dbbbcc2-f28f-44b6-a5ab-xxxxxxxxxxxx | App ID or Client_ID used when registering the application with the Microsoft identity platform. See [Register an application](../active-directory/develop/quickstart-register-app.md#register-an-application) |
| CLIENT_SECRET | Client secrets | _fl****************** | Sometimes called an *application password*, a client secret is a string value your app can use in place of a certificate to identity itself. See [Add a client secret](../active-directory/develop/quickstart-register-app.md#add-a-client-secret)|
- | TENANT_ID | Directory (tenant) ID | 72f988bf-86f1-41af-91ab-xxxxxxxxxxxx | Hover over your account name in the Azure portal to get the directory or tenant ID. Alternately, search and select *Azure Active Directory > Properties > Tenant ID* in the Azure portal. |
+ | TENANT_ID | Directory (tenant) ID | 72f988bf-86f1-41af-91ab-xxxxxxxxxxxx | Hover over your account name in the Azure portal to get the directory or tenant ID. Alternately, search and select *Microsoft Entra ID > Properties > Tenant ID* in the Azure portal. |
| SCOPE | Application (client) ID | 3dbbbcc2-f28f-44b6-a5ab-xxxxxxxxxxxx | Same as App ID or Client_ID mentioned above | | refresh_token | Refresh Token value | 0.ATcA01-XWHdJ0ES-qDevC6r........... | Follow the [How to Generate a Refresh Token](how-to-generate-refresh-token.md) to create a refresh token and save it. This refresh token is required later to generate a user token. | | DNS | URI | `<instance>`.energy.Azure.com | Overview page of Azure Data Manager for Energy instance|
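Review bot: the casing fix to "Microsoft identity platform" is right, but two unchanged rows in the same table could be corrected in the same pass: the CLIENT_SECRET row has "identity itself" for "identify itself", and the TENANT_ID row's "Alternately" should be "Alternatively". The identical rows appear again in tutorial-manifest-ingestion.md below and carry the same issues.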
Using the given Postman collection, you could execute the following step to sear
## Next steps Advance to the next tutorial to learn how to do Manifest ingestion > [!div class="nextstepaction"]
-> [Tutorial: Sample steps to perform a manifest-based file ingestion](tutorial-manifest-ingestion.md)
+> [Tutorial: Sample steps to perform a manifest-based file ingestion](tutorial-manifest-ingestion.md)
energy-data-services Tutorial Manifest Ingestion https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/energy-data-services/tutorial-manifest-ingestion.md
Before beginning this tutorial, the following prerequisites must be completed:
| Parameter | Value to use | Example | Where to find these values? | | | |-- |-- |
- | CLIENT_ID | Application (client) ID | 3dbbbcc2-f28f-44b6-a5ab-xxxxxxxxxxxx | App ID or Client_ID used when registering the application with the Microsoft Identity Platform. See [Register an application](../active-directory/develop/quickstart-register-app.md#register-an-application) |
+ | CLIENT_ID | Application (client) ID | 3dbbbcc2-f28f-44b6-a5ab-xxxxxxxxxxxx | App ID or Client_ID used when registering the application with the Microsoft identity platform. See [Register an application](../active-directory/develop/quickstart-register-app.md#register-an-application) |
| CLIENT_SECRET | Client secrets | _fl****************** | Sometimes called an *application password*, a client secret is a string value your app can use in place of a certificate to identity itself. See [Add a client secret](../active-directory/develop/quickstart-register-app.md#add-a-client-secret)|
- | TENANT_ID | Directory (tenant) ID | 72f988bf-86f1-41af-91ab-xxxxxxxxxxxx | Hover over your account name in the Azure portal to get the directory or tenant ID. Alternately, search and select *Azure Active Directory > Properties > Tenant ID* in the Azure portal. |
+ | TENANT_ID | Directory (tenant) ID | 72f988bf-86f1-41af-91ab-xxxxxxxxxxxx | Hover over your account name in the Azure portal to get the directory or tenant ID. Alternately, search and select *Microsoft Entra ID > Properties > Tenant ID* in the Azure portal. |
| SCOPE | Application (client) ID | 3dbbbcc2-f28f-44b6-a5ab-xxxxxxxxxxxx | Same as App ID or Client_ID mentioned above | | refresh_token | Refresh Token value | 0.ATcA01-XWHdJ0ES-qDevC6r........... | Follow the [How to Generate a Refresh Token](how-to-generate-refresh-token.md) to create a refresh token and save it. This refresh token is required later to generate a user token. | | DNS | URI | `<instance>`.energy.Azure.com | Overview page of Azure Data Manager for Energy instance|
Before beginning this tutorial, the following prerequisites must be completed:
## Next steps - [Tutorial: Seismic store sdutil](tutorial-seismic-ddms-sdutil.md) - [OSDU Operator Data Loading Quick Start Guide](https://community.opengroup.org/groups/osdu/platform/data-flow/data-loading/-/wikis/home#osdu-operator-data-loading-quick-start-guide)-
event-grid Add Identity Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/add-identity-roles.md
Assign a system-assigned managed identity by using instructions from the followi
- [System topics](enable-identity-system-topics.md) ## Supported destinations and Azure roles
-After you enable identity for your event grid custom topic or domain, Azure automatically creates an identity in Azure Active Directory. Add this identity to appropriate Azure roles so that the custom topic or domain can forward events to supported destinations. For example, add the identity to the **Azure Event Hubs Data Sender** role for an Azure Event Hubs namespace so that the event grid custom topic can forward events to event hubs in that namespace.
+After you enable identity for your event grid custom topic or domain, Azure automatically creates an identity in Microsoft Entra ID. Add this identity to appropriate Azure roles so that the custom topic or domain can forward events to supported destinations. For example, add the identity to the **Azure Event Hubs Data Sender** role for an Azure Event Hubs namespace so that the event grid custom topic can forward events to event hubs in that namespace.
Currently, Azure event grid supports custom topics or domains configured with a system-assigned managed identity to forward events to the following destinations. This table also gives you the roles that the identity should be in so that the custom topic can forward the events.
event-grid Authenticate With Access Keys Shared Access Signatures https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/authenticate-with-access-keys-shared-access-signatures.md
Last updated 08/10/2021
This article provides information on authenticating clients that publish events to Azure Event Grid topics, domains, partner namespaces using **access key** or **Shared Access Signature (SAS)** token. > [!IMPORTANT]
-> - Authenticating and authorizing users or applications using Azure AD identities provides superior security and ease of use over key-based and shared access signatures (SAS) authentication. With Azure AD, there is no need to store secrets used for authentication in your code and risk potential security vulnerabilities. We strongly recommend you use Azure AD with your Azure Event Grid event publishing applications. For more information, see [Authenticate publishing clients using Azure Active Directory](authenticate-with-active-directory.md).
-> - Azure AD authentication isn't supported for namespace topics.
+> - Authenticating and authorizing users or applications using Microsoft Entra identities provides superior security and ease of use over key-based and shared access signatures (SAS) authentication. With Microsoft Entra ID, there is no need to store secrets used for authentication in your code and risk potential security vulnerabilities. We strongly recommend you use Microsoft Entra ID with your Azure Event Grid event publishing applications. For more information, see [Authenticate publishing clients using Microsoft Entra ID](authenticate-with-active-directory.md).
+> - Microsoft Entra authentication isn't supported for namespace topics.
## Authenticate using access key
event-grid Authenticate With Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/authenticate-with-active-directory.md
Title: Authenticate Event Grid publishing clients using Azure Active Directory
-description: This article describes how to authenticate Azure Event Grid publishing client using Azure Active Directory.
+ Title: Authenticate Event Grid publishing clients using Microsoft Entra ID
+description: This article describes how to authenticate Azure Event Grid publishing client using Microsoft Entra ID.
Last updated 08/17/2023
-# Authentication and authorization with Azure Active Directory
-This article describes how to authenticate Azure Event Grid publishing clients using Azure Active Directory (Azure AD).
+# Authentication and authorization with Microsoft Entra ID
+This article describes how to authenticate Azure Event Grid publishing clients using Microsoft Entra ID.
> [!IMPORTANT]
-> Azure AD authentication isn't supported for namespace topics.
+> Microsoft Entra authentication isn't supported for namespace topics.
## Overview
-The [Microsoft Identity](../active-directory/develop/v2-overview.md) platform provides an integrated authentication and access control management for resources and applications that use Azure Active Directory (Azure AD) as their identity provider. Use the Microsoft Identity platform to provide authentication and authorization support in your applications. It's based on open standards such as OAuth 2.0 and OpenID Connect and offers tools and open-source libraries that support many authentication scenarios. It provides advanced features such as [Conditional Access](../active-directory/conditional-access/overview.md) that allows you to set policies that require multifactor authentication or allow access from specific locations, for example.
+The [Microsoft Identity](../active-directory/develop/v2-overview.md) platform provides an integrated authentication and access control management for resources and applications that use Microsoft Entra ID as their identity provider. Use the Microsoft identity platform to provide authentication and authorization support in your applications. It's based on open standards such as OAuth 2.0 and OpenID Connect and offers tools and open-source libraries that support many authentication scenarios. It provides advanced features such as [Conditional Access](../active-directory/conditional-access/overview.md) that allows you to set policies that require multifactor authentication or allow access from specific locations, for example.
-An advantage that improves your security stance when using Azure AD is that you don't need to store credentials, such as authentication keys, in the code or repositories. Instead, you rely on the acquisition of OAuth 2.0 access tokens from the Microsoft Identity platform that your application presents when authenticating to a protected resource. You can register your event publishing application with Azure AD and obtain a service principal associated with your app that you manage and use. Instead, you can use [Managed Identities](../active-directory/managed-identities-azure-resources/overview.md), either system assigned or user assigned, for an even simpler identity management model as some aspects of the identity lifecycle are managed for you.
+An advantage that improves your security stance when using Microsoft Entra ID is that you don't need to store credentials, such as authentication keys, in the code or repositories. Instead, you rely on the acquisition of OAuth 2.0 access tokens from the Microsoft identity platform that your application presents when authenticating to a protected resource. You can register your event publishing application with Microsoft Entra ID and obtain a service principal associated with your app that you manage and use. Instead, you can use [Managed Identities](../active-directory/managed-identities-azure-resources/overview.md), either system assigned or user assigned, for an even simpler identity management model as some aspects of the identity lifecycle are managed for you.
[Role-based access control (RBAC)](../active-directory/develop/custom-rbac-for-developers.md) allows you to configure authorization in a way that certain security principals (identities for users, groups, or apps) have specific permissions to execute operations over Azure resources. This way, the security principal used by a client application that sends events to Event Grid must have the RBAC role **EventGrid Data Sender** associated with it.
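Review bot: in the `+` overview paragraph, "Instead, you can use [Managed Identities]" follows a sentence that offers app registration as one option, so "Instead" reads as a contradiction; "Alternatively" is the intended sense. Two presentation points in the same hunk: the link text "[Microsoft Identity] platform" and the following "Microsoft identity platform" now disagree within one line, and the front-matter line " Title: ... Azure Active Directory" appears without a `-` marker as shown here, so the old title would survive next to the new `+ Title:` line if the diff were applied as displayed.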
An advantage that improves your security stance when using Azure AD is that you
There are two broad categories of security principals that are applicable when discussing authentication of an Event Grid publishing client: - **Managed identities**. A managed identity can be system assigned, which you enable on an Azure resource and is associated to only that resource, or user assigned, which you explicitly create and name. User assigned managed identities can be associated to more than one resource.-- **Application security principal**. It's a type of security principal that represents an application, which accesses resources protected by Azure AD.
+- **Application security principal**. It's a type of security principal that represents an application, which accesses resources protected by Microsoft Entra ID.
-Regardless of the security principal used, a managed identity or an application security principal, your client uses that identity to authenticate before Azure AD and obtain an [OAuth 2.0 access token](../active-directory/develop/access-tokens.md) that's sent with requests when sending events to Event Grid. That token is cryptographically signed and once Event Grid receives it, the token is validated. For example, the audience (the intended recipient of the token) is confirmed to be Event Grid (`https://eventgrid.azure.net`), among other things. The token contains information about the client identity. Event Grid takes that identity and validates that the client has the role **EventGrid Data Sender** assigned to it. More precisely, Event Grid validates that the identity has the ``Microsoft.EventGrid/events/send/action`` permission in an RBAC role associated to the identity before allowing the event publishing request to complete.
+Regardless of the security principal used, a managed identity or an application security principal, your client uses that identity to authenticate before Microsoft Entra ID and obtain an [OAuth 2.0 access token](../active-directory/develop/access-tokens.md) that's sent with requests when sending events to Event Grid. That token is cryptographically signed and once Event Grid receives it, the token is validated. For example, the audience (the intended recipient of the token) is confirmed to be Event Grid (`https://eventgrid.azure.net`), among other things. The token contains information about the client identity. Event Grid takes that identity and validates that the client has the role **EventGrid Data Sender** assigned to it. More precisely, Event Grid validates that the identity has the ``Microsoft.EventGrid/events/send/action`` permission in an RBAC role associated to the identity before allowing the event publishing request to complete.
If you're using the Event Grid SDK, you don't need to worry about the details on how to implement the acquisition of access tokens and how to include it with every request to Event Grid because the [Event Grid data plane SDKs](#publish-events-using-event-grids-client-sdks) do that for you.
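Review bot: "authenticate before Microsoft Entra ID" in the rewritten "Regardless of the security principal used" line should be "authenticate with Microsoft Entra ID". The rest of the line is consistent with the RBAC paragraph above it: the audience check on `https://eventgrid.azure.net` and the permission check on `Microsoft.EventGrid/events/send/action` are the two things a reader needs to know Event Grid validates.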
-### Client configuration steps to use Azure AD authentication
-Perform the following steps to configure your client to use Azure AD authentication when sending events to a topic, domain, or partner namespace.
+<a name='client-configuration-steps-to-use-azure-ad-authentication'></a>
+
+### Client configuration steps to use Microsoft Entra authentication
+Perform the following steps to configure your client to use Microsoft Entra authentication when sending events to a topic, domain, or partner namespace.
1. Create or use a security principal you want to use to authenticate. You can use a [managed identity](#authenticate-using-a-managed-identity) or an [application security principal](#authenticate-using-a-security-principal-of-a-client-application). 2. [Grant permission to a security principal to publish events](#assign-permission-to-a-security-principal-to-publish-events) by assigning the **EventGrid Data Sender** role to the security principal.
Perform the following steps to configure your client to use Azure AD authenticat
## Authenticate using a managed identity
-Managed identities are identities associated with Azure resources. Managed identities provide an identity that applications use when using Azure resources that support Azure AD authentication. Applications may use the managed identity of the hosting resource like a virtual machine or Azure App service to obtain Azure AD tokens that are presented with the request when publishing events to Event Grid. When the application connects, Event Grid binds the managed entity's context to the client. Once it's associated with a managed identity, your Event Grid publishing client can do all authorized operations. Authorization is granted by associating a managed entity to an Event Grid RBAC role.
+Managed identities are identities associated with Azure resources. Managed identities provide an identity that applications use when using Azure resources that support Microsoft Entra authentication. Applications may use the managed identity of the hosting resource like a virtual machine or Azure App service to obtain Microsoft Entra tokens that are presented with the request when publishing events to Event Grid. When the application connects, Event Grid binds the managed entity's context to the client. Once it's associated with a managed identity, your Event Grid publishing client can do all authorized operations. Authorization is granted by associating a managed entity to an Event Grid RBAC role.
-Managed identity provides Azure services with an automatically managed identity in Azure AD. Contrasting to other authentication methods, you don't need to store and protect access keys or Shared Access Signatures (SAS) in your application code or configuration, either for the identity itself or for the resources you need to access.
+Managed identity provides Azure services with an automatically managed identity in Microsoft Entra ID. Contrasting to other authentication methods, you don't need to store and protect access keys or Shared Access Signatures (SAS) in your application code or configuration, either for the identity itself or for the resources you need to access.
To authenticate your event publishing client using managed identities, first decide on the hosting Azure service for your client application and then enable system assigned or user assigned managed identities on that Azure service instance. For example, you can enable managed identities on a [VM](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md), an [Azure App Service or Azure Functions](../app-service/overview-managed-identity.md?tabs=dotnet).
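Review bot: "managed entity" appears twice in the rewritten "Managed identities are identities associated with Azure resources" line ("binds the managed entity's context to the client" and "associating a managed entity to an Event Grid RBAC role"); both should read "managed identity", the term used everywhere else in the section. Worth fixing while the line is already being rewritten for the rename.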
Once you have a managed identity configured in a hosting service, [assign the pe
## Authenticate using a security principal of a client application
-Besides managed identities, another identity option is to create a security principal for your client application. To that end, you need to register your application with Azure AD. Registering your application is a gesture through which you delegate identity and access management control to Azure AD. Follow the steps in section [Register an application](../active-directory/develop/quickstart-register-app.md#register-an-application) and in section [Add a client secret](../active-directory/develop/quickstart-register-app.md#add-a-client-secret). Make sure to review the [prerequisites](../active-directory/develop/quickstart-register-app.md#prerequisites) before starting.
+Besides managed identities, another identity option is to create a security principal for your client application. To that end, you need to register your application with Microsoft Entra ID. Registering your application is a gesture through which you delegate identity and access management control to Microsoft Entra ID. Follow the steps in section [Register an application](../active-directory/develop/quickstart-register-app.md#register-an-application) and in section [Add a client secret](../active-directory/develop/quickstart-register-app.md#add-a-client-secret). Make sure to review the [prerequisites](../active-directory/develop/quickstart-register-app.md#prerequisites) before starting.
Once you have an application security principal and followed above steps, [assign the permission to publish events to that identity](#assign-permission-to-a-security-principal-to-publish-events).
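Review bot: the rewritten "Besides managed identities" line sends the reader to "Add a client secret", but the section above sells Microsoft Entra ID on the grounds that you don't need to store credentials in code or repositories, and a client secret is exactly such a credential. Add a sentence saying the secret still has to be kept out of source and configuration (for example in Azure Key Vault) and rotated, or point to certificate credentials for the app registration as the stronger option, so the two passages don't read as contradicting each other.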
With RBAC privileges taken care of, you can now [build your client application t
## Publish events using Event Grid's client SDKs
-Use [Event Grid's data plane SDK](https://devblogs.microsoft.com/azure-sdk/event-grid-ga/) to publish events to Event Grid. Event Grid's SDK support all authentication methods, including Azure AD authentication.
+Use [Event Grid's data plane SDK](https://devblogs.microsoft.com/azure-sdk/event-grid-ga/) to publish events to Event Grid. Event Grid's SDK support all authentication methods, including Microsoft Entra authentication.
Here's the sample code that publishes events to Event Grid using the .NET SDK. You can get the topic endpoint on the **Overview** page for your Event Grid topic in the Azure portal. It's in the format: `https://<TOPIC-NAME>.<REGION>-1.eventgrid.azure.net/api/events`.
Following are the prerequisites to authenticate to Event Grid.
- [Azure Identity client library for Python](/python/api/overview/azure/identity-readme) - A topic, domain, or partner namespace created to which your application sends events.
-### Publish events using Azure AD Authentication
+<a name='publish-events-using-azure-ad-authentication'></a>
+
+### Publish events using Microsoft Entra authentication
-To send events to a topic, domain, or partner namespace, you can build the client in the following way. The api version that first provided support for Azure AD authentication is ``2018-01-01``. Use that API version or a more recent version in your application.
+To send events to a topic, domain, or partner namespace, you can build the client in the following way. The api version that first provided support for Microsoft Entra authentication is ``2018-01-01``. Use that API version or a more recent version in your application.
Sample:
For more information, see the following articles:
## Disable key and shared access signature authentication
-Azure AD authentication provides a superior authentication support than that's offered by access key or Shared Access Signature (SAS) token authentication. With Azure AD authentication, the identity is validated against Azure AD identity provider. As a developer, you won't have to handle keys in your code if you use Azure AD authentication. You'll also benefit from all security features built into the Microsoft Identity platform, such as [Conditional Access](../active-directory/conditional-access/overview.md) that can help you improve your application's security stance.
+Microsoft Entra authentication provides a superior authentication support than that's offered by access key or Shared Access Signature (SAS) token authentication. With Microsoft Entra authentication, the identity is validated against Microsoft Entra identity provider. As a developer, you won't have to handle keys in your code if you use Microsoft Entra authentication. You'll also benefit from all security features built into the Microsoft identity platform, such as [Conditional Access](../active-directory/conditional-access/overview.md) that can help you improve your application's security stance.
-Once you decide to use Azure AD authentication, you can disable authentication based on access keys or SAS tokens.
+Once you decide to use Microsoft Entra authentication, you can disable authentication based on access keys or SAS tokens.
> [!NOTE]
-> Acess keys or SAS token authentication is a form of **local authentication**. you'll hear sometimes referring to "local auth" when discussing this category of authentication mechanisms that don't rely on Azure AD. The API parameter used to disable local authentication is called, appropriately so, ``disableLocalAuth``.
+> Acess keys or SAS token authentication is a form of **local authentication**. you'll hear sometimes referring to "local auth" when discussing this category of authentication mechanisms that don't rely on Microsoft Entra ID. The API parameter used to disable local authentication is called, appropriately so, ``disableLocalAuth``.
### Azure portal
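Review bot: the rewritten NOTE line preserves the typo "Acess keys" and the ungrammatical "you'll hear sometimes referring to "local auth""; since the line is being edited anyway, make it "Access keys or SAS token authentication is a form of **local authentication**. You'll sometimes hear "local auth" used for this category of authentication mechanisms that don't rely on Microsoft Entra ID." In the same hunk the context says "Here's the sample code that publishes events to Event Grid using the .NET SDK" while the prerequisite bullet lists the "Azure Identity client library for Python"; one of the two should change so the prerequisites match the sample.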
New-AzResource -ResourceGroupName <ResourceGroupName> -ResourceType Microsoft.Ev
- Learn about [managed identities](../active-directory/managed-identities-azure-resources/overview.md) - Learn about [how to use managed identities for App Service and Azure Functions](../app-service/overview-managed-identity.md?tabs=dotnet) - Learn about [applications and service principals](../active-directory/develop/app-objects-and-service-principals.md)-- Learn about [registering an application with the Microsoft Identity platform](../active-directory/develop/quickstart-register-app.md).
+- Learn about [registering an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).
- Learn about how [authorization](../role-based-access-control/overview.md) (RBAC access control) works. - Learn about Event Grid built-in RBAC roles including its [Event Grid Data Sender](../role-based-access-control/built-in-roles.md#eventgrid-data-sender) role. [Event Grid's roles list](security-authorization.md#built-in-roles). - Learn about [assigning RBAC roles](../role-based-access-control/role-assignments-portal.md?tabs=current) to identities. - Learn about how to define [custom RBAC roles](../role-based-access-control/custom-roles.md).-- Learn about [application and service principal objects in Azure AD](../active-directory/develop/app-objects-and-service-principals.md).-- Learn about [Microsoft Identity Platform access tokens](../active-directory/develop/access-tokens.md).-- Learn about [OAuth 2.0 authentication code flow and Microsoft Identity Platform](../active-directory/develop/v2-oauth2-auth-code-flow.md)
+- Learn about [application and service principal objects in Microsoft Entra ID](../active-directory/develop/app-objects-and-service-principals.md).
+- Learn about [Microsoft identity platform access tokens](../active-directory/develop/access-tokens.md).
+- Learn about [OAuth 2.0 authentication code flow and Microsoft identity platform](../active-directory/develop/v2-oauth2-auth-code-flow.md)
event-grid Authentication Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/authentication-overview.md
Last updated 01/05/2022
# Client authentication when publishing events to Event Grid Authentication for clients publishing events to Event Grid is supported using the following methods: -- Azure Active Directory (Azure AD)
+- Microsoft Entra ID
- Access key or shared access signature (SAS) > [!IMPORTANT]
-> Azure AD authentication isn't supported for namespace topics.
+> Microsoft Entra authentication isn't supported for namespace topics.
-## Authenticate using Azure Active Directory
-Azure AD integration for Event Grid resources provides Azure role-based access control (RBAC) for fine-grained control over a clientΓÇÖs access to resources. You can use Azure RBAC to grant permissions to a security principal, which may be a user, a group, or an application service principal. Azure AD authenticates the security principal and returns an OAuth 2.0 token. The token can be used to authorize a request to access Event Grid resources (topics, domains, or partner namespaces). For detailed information, see [Authenticate and authorize with the Microsoft Identity platform](authenticate-with-active-directory.md).
+<a name='authenticate-using-azure-active-directory'></a>
+
+## Authenticate using Microsoft Entra ID
+Microsoft Entra integration for Event Grid resources provides Azure role-based access control (RBAC) for fine-grained control over a clientΓÇÖs access to resources. You can use Azure RBAC to grant permissions to a security principal, which may be a user, a group, or an application service principal. Microsoft Entra authenticates the security principal and returns an OAuth 2.0 token. The token can be used to authorize a request to access Event Grid resources (topics, domains, or partner namespaces). For detailed information, see [Authenticate and authorize with the Microsoft identity platform](authenticate-with-active-directory.md).
> [!IMPORTANT]
-> Authenticating and authorizing users or applications using Azure AD identities provides superior security and ease of use over key-based and shared access signatures (SAS) authentication. With Azure AD, there is no need to store secrets used for authentication in your code and risk potential security vulnerabilities. We strongly recommend that you use Azure AD with your Azure Event Grid event publishing applications.
+> Authenticating and authorizing users or applications using Microsoft Entra identities provides superior security and ease of use over key-based and shared access signatures (SAS) authentication. With Microsoft Entra ID, there is no need to store secrets used for authentication in your code and risk potential security vulnerabilities. We strongly recommend that you use Microsoft Entra ID with your Azure Event Grid event publishing applications.
> [!NOTE]
-> Azure Event Grid on Kubernetes does not support Azure AD authentication yet.
+> Azure Event Grid on Kubernetes does not support Microsoft Entra authentication yet.
## Authenticate using access keys and shared access signatures You can authenticate clients that publish events to Azure Event Grid topics, domains, partner namespaces using **access key** or **Shared Access Signature (SAS)** token. For more information, see [Using access keys or using Shared Access Signatures (SAS)](authenticate-with-access-keys-shared-access-signatures.md).
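Review bot: "Microsoft Entra authenticates the security principal" in the rewritten "Microsoft Entra integration for Event Grid resources" line uses the brand as a noun; the heading just above it says "Microsoft Entra ID", so "Microsoft Entra ID authenticates the security principal and returns an OAuth 2.0 token" keeps the naming consistent within the hunk.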
event-grid Azure Active Directory Events https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/azure-active-directory-events.md
Title: Azure Active Directory events
-description: This article describes Azure AD event types and provides event samples.
+ Title: Microsoft Entra events
+description: This article describes Microsoft Entra event types and provides event samples.
Last updated 09/19/2023
-# Azure Active Directory events
+# Microsoft Entra events
-This article provides the properties and schema for Azure Active Directory (Azure AD) events, which are published by Microsoft Graph API. For an introduction to event schemas, see [CloudEvents schema](cloud-event-schema.md).
+This article provides the properties and schema for Microsoft Entra events, which are published by Microsoft Graph API. For an introduction to event schemas, see [CloudEvents schema](cloud-event-schema.md).
## Available event types
-These events are triggered when a [User](/graph/api/resources/user) or [Group](/graph/api/resources/group) is created, updated, or deleted in Azure AD or by operating over those resources using Microsoft Graph API.
+These events are triggered when a [User](/graph/api/resources/user) or [Group](/graph/api/resources/group) is created, updated, or deleted in Microsoft Entra ID or by operating over those resources using Microsoft Graph API.
| Event name | Description | | - | -- |
- | **Microsoft.Graph.UserUpdated** | Triggered when a user in Azure AD is created or updated. |
- | **Microsoft.Graph.UserDeleted** | Triggered when a user in Azure AD is permanently deleted. |
- | **Microsoft.Graph.GroupUpdated** | Triggered when a group in Azure AD is created or updated. |
- | **Microsoft.Graph.GroupDeleted** | Triggered when a group in Azure AD is permanently deleted. |
+ | **Microsoft.Graph.UserUpdated** | Triggered when a user in Microsoft Entra ID is created or updated. |
+ | **Microsoft.Graph.UserDeleted** | Triggered when a user in Microsoft Entra ID is permanently deleted. |
+ | **Microsoft.Graph.GroupUpdated** | Triggered when a group in Microsoft Entra ID is created or updated. |
+ | **Microsoft.Graph.GroupDeleted** | Triggered when a group in Microsoft Entra ID is permanently deleted. |
> [!NOTE] > By default, deleting a user or a group is only a soft delete operation, which means that the user or group is marked as deleted but the user or group object still exists. Microsoft Graph sends an updated event when users are soft deleted. To permanently delete a user, navigate to the **Delete users** page in the Azure portal and select **Delete permanently**. Steps to permanently delete a group are similar. ## Example event
-When an event is triggered, the Event Grid service sends data about that event to subscribing destinations. This section contains an example of what that data would look like for each Azure AD event.
+When an event is triggered, the Event Grid service sends data about that event to subscribing destinations. This section contains an example of what that data would look like for each Microsoft Entra event.
### Microsoft.Graph.UserUpdated event
The data object has the following properties:
| `@odata.type` | string | The Graph API change type. | | `@odata.id` | string | The Graph API resource identifier for which the event was raised. | | `id` | string | The resource identifier for which the event was raised. |
-| `organizationId` | string | The Azure AD tenant identifier. |
+| `organizationId` | string | The Microsoft Entra tenant identifier. |
| `eventTime` | string | The time when the resource state changed. | | `sequenceNumber` | string | A sequence number. | | `subscriptionExpirationDateTime` | string | The time in [RFC 3339](https://tools.ietf.org/html/rfc3339) format at which the Graph API subscription expires. | | `subscriptionId` | string | The Graph API subscription identifier. |
-| `tenantId` | string | The Azure AD tenant identifier. |
+| `tenantId` | string | The Microsoft Entra tenant identifier. |
## Next steps * For an introduction to Azure Event Grid's Partner Events, see [Partner Events overview](partner-events-overview.md)
-* For information on how to subscribe to Microsoft Graph API to receive Azure AD events, see [subscribe to Azure Graph API events](subscribe-to-graph-api-events.md).
+* For information on how to subscribe to Microsoft Graph API to receive Microsoft Entra events, see [subscribe to Azure Graph API events](subscribe-to-graph-api-events.md).
* For information about Azure Event Grid event handlers, see [event handlers](event-handlers.md). * For more information about creating an Azure Event Grid subscription, see [create event subscription](subscribe-through-portal.md#create-event-subscriptions) and [Event Grid subscription schema](subscription-creation-schema.md). * For information about how to configure an event subscription to select specific events to be delivered, see [event filtering](event-filtering.md). You may also want to refer to [filter events](how-to-filter-events.md).
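Review bot: the rewritten "For information on how to subscribe to Microsoft Graph API to receive Microsoft Entra events" line still carries the link text "subscribe to Azure Graph API events"; there is no Azure Graph API, and the sentence itself says Microsoft Graph API, so the link text should say "subscribe to Microsoft Graph API events".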
event-grid Communication Services Advanced Messaging Events https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/communication-services-advanced-messaging-events.md
+
+ Title: Azure Communication Services - Advanced Messaging events
+description: This article describes how to use Azure Communication Services as an Event Grid event source for Advanced Messaging Events.
+ Last updated : 09/30/2022++++
+# Azure Communication Services - Advanced Messaging events
+
+This article provides the properties and schema for communication services advanced messaging events. For an introduction to event schemas, see [Azure Event Grid event schema](event-schema.md).
+
+## Event types
+
+Azure Communication Services emits the following Advanced Messaging event types:
+
+| Event type | Description |
+| -- | - |
+| Microsoft.Communication.AdvancedMessageReceived | Published when Communication Service receives a WhatsApp message. |
+| Microsoft.Communication.AdvancedMessageDeliveryStatusUpdated | Published when the WhatsApp sends status of message notification as sent/read/failed. |
+
+## Event responses
+
+When an event is triggered, the Event Grid service sends data about that event to subscribing endpoints.
+
+This section contains an example of what that data would look like for each event.
+
+### Microsoft.Communication.AdvancedMessageReceived event
+
+```json
+[{
+ "id": "fdc64eca-390d-4974-abd6-1a13ccbe3160",
+ "topic": "/subscriptions/{subscription-id}/resourcegroups/{resourcegroup-name}/providers/microsoft.communication/communicationservices/acsxplatmsg-test",
+ "subject": "advancedMessage/sender/{sender@id}/recipient/00000000-0000-0000-0000-000000000000",
+ "data": {
+ "content": "Hello",
+ "channelType": "whatsapp",
+ "from": "{sender@id}",
+ "to": "00000000-0000-0000-0000-000000000000",
+ "receivedTimestamp": "2023-07-06T18:30:19+00:00"
+ },
+ "eventType": "Microsoft.Communication.AdvancedMessageReceived",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2023-07-06T18:30:22.1921716Z"
+}]
+```
+
+### Microsoft.Communication.AdvancedMessageDeliveryStatusUpdated event
+
+```json
+[{
+ "id": "48cd6446-01dd-479f-939c-171c86c46700",
+ "topic": "/subscriptions/{subscription-id}/resourcegroups/{resourcegroup-name}/providers/microsoft.communication/communicationservices/acsxplatmsg-test",
+ "subject": "advancedMessage/00000000-0000-0000-0000-000000000000/status/Failed",
+ "data": {
+ "messageId": "00000000-0000-0000-0000-000000000000",
+ "status": "Sent",
+ "channelType": "whatsapp",
+ "from": "{sender@id}",
+ "to": "{receiver@id}",
+ "receivedTimestamp": "2023-07-06T18:42:28+00:00"
+ },
+ "eventType": "Microsoft.Communication.AdvancedMessageDeliveryStatusUpdated",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2023-07-06T18:42:28.8454662Z"
+}]
+```
+
+```json
+[{
+ "id": "48cd6446-01dd-479f-939c-171c86c46700",
+ "topic": "/subscriptions/{subscription-id}/resourcegroups/{resourcegroup-name}/providers/microsoft.communication/communicationservices/acsxplatmsg-test",
+ "subject": "advancedMessage/00000000-0000-0000-0000-000000000000/status/Failed",
+ "data": {
+ "messageId": "00000000-0000-0000-0000-000000000000",
+ "status": "Failed",
+ "channelType": "whatsapp",
+ "from": "{sender@id}",
+ "to": "{receiver@id}",
+ "receivedTimestamp": "2023-07-06T18:42:28+00:00",
+ "error": {
+ "channelCode": "131026",
+ "channelMessage": "Message Undeliverable."
+ }
+ },
+ "eventType": "Microsoft.Communication.AdvancedMessageDeliveryStatusUpdated",
+ "dataVersion": "1.0",
+ "metadataVersion": "1",
+ "eventTime": "2023-07-06T18:42:28.8454662Z"
+}]
+```
+
+> [!NOTE]
+> Possible values for `Status` are `Sent`, `Delivered`, `Read` and `Failed`.
++
+## Quickstart
+For a quickstart that shows how to subscribe for Advanced Messaging events using web hooks, see [Quickstart: Handle Advanced Messaging events](../communication-services/quickstarts/advanced-messaging/whatsapp/handle-advanced-messaging-events.md).
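Review bot: the event-type table and the samples in the new Advanced Messaging page disagree on the status values. The row for `Microsoft.Communication.AdvancedMessageDeliveryStatusUpdated` says "sent/read/failed" while the NOTE at the end lists `Sent`, `Delivered`, `Read` and `Failed`; add `Delivered` to the table and reword "Published when the WhatsApp sends status of message notification as sent/read/failed." to something like "Published when WhatsApp reports the delivery status of a message (Sent, Delivered, Read or Failed)." In the first `AdvancedMessageDeliveryStatusUpdated` sample, `"subject": "advancedMessage/00000000-0000-0000-0000-000000000000/status/Failed"` is paired with `"status": "Sent"`, so the subject should end in `/status/Sent`, and the two samples should not share `"id": "48cd6446-01dd-479f-939c-171c86c46700"` since they are distinct events. The NOTE refers to `Status` but the property in the samples is lowercase `status`. Finally, the front matter `Last updated : 09/30/2022` predates the 2023-07-06 timestamps in the samples and should be set to the date of this addition.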
event-grid Create Custom Topic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/create-custom-topic.md
On the **Security** page of the **Create Topic** or **Create Event Grid Domain*
1. In the **Select user assigned identity** window, select the subscription that has the user-assigned identity, select the **user-assigned identity**, and then click **Select**. :::image type="content" source="./media/managed-service-identity/create-page-add-user-assigned-identity-link.png" alt-text="Screenshot of the Identity page with user assigned identity option selected." lightbox="./media/managed-service-identity/create-page-add-user-assigned-identity-link.png":::
-1. To disable local authentication, select **Disabled**. When you do it, the topic or domain can't be accessed using accesskey and SAS authentication, but only via Azure AD authentication.
+1. To disable local authentication, select **Disabled**. When you do it, the topic or domain can't be accessed using accesskey and SAS authentication, but only via Microsoft Entra authentication.
:::image type="content" source="./media/authenticate-with-active-directory/create-topic-disable-local-auth.png" alt-text="Screenshot showing the Advanced tab of Create Topic page when you can disable local authentication."::: 1. Select **Advanced** at the bottom of the page to switch to the **Advanced** page.
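Review bot: the rewritten "To disable local authentication" step keeps "accesskey" (should be "access key", the spelling used in the heading "Authenticate using access keys and shared access signatures" elsewhere in this update) and the awkward "When you do it"; "When you do, the topic or domain can't be accessed using access key or SAS authentication, only via Microsoft Entra authentication." reads cleanly.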
event-grid Delivery Properties https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/delivery-properties.md
This section gives you a few examples of using delivery properties.
### Setting the Authorization header with a bearer token (non-normative example)
-Set a value to an Authorization header to identify the request with your Webhook handler. An Authorization header can be set if you aren't [protecting your Webhook with Azure Active Directory](secure-webhook-delivery.md).
+Set a value to an Authorization header to identify the request with your Webhook handler. An Authorization header can be set if you aren't [protecting your Webhook with Microsoft Entra ID](secure-webhook-delivery.md).
| Header name | Header type | Header value | | :-- | :-- | :-- |
event-grid Handler Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/handler-functions.md
We recommend that you use the first approach (Event Grid trigger) as it has the
> [!NOTE] > - When you an Event Grid trigger to add an event subscription using an Azure function, Event Grid fetches the access key for the target function using Event Grid service principal's credentials. The permissions are granted to Event Grid when you register the Event Grid resource provider in their Azure subscription.
-> - If you protect your Azure function with an **Azure Active Directory** application, you'll have to take the generic webhook approach using the HTTP trigger. Use the Azure function endpoint as a webhook URL when adding the subscription.
+> - If you protect your Azure function with an **Microsoft Entra ID** application, you'll have to take the generic webhook approach using the HTTP trigger. Use the Azure function endpoint as a webhook URL when adding the subscription.
## Tutorials
You can use the [`az eventgrid event-subscription create`](/cli/azure/eventgrid/
You can use the [New-AzEventGridSubscription](/powershell/module/az.eventgrid/new-azeventgridsubscription) or [Update-AzEventGridSubscription](/powershell/module/az.eventgrid/update-azeventgridsubscription) cmdlet to configure batch-related settings using the following parameters: `-MaxEventsPerBatch` or `-PreferredBatchSizeInKiloBytes`. > [!NOTE]
-> When you use Event Grid Trigger, the Event Grid service fetches the client secret for the target Azure function, and uses it to deliver events to the Azure function. If you protect your azure function with an Azure Active Directory application, you have to take the generic web hook approach and use the HTTP Trigger.
+> When you use Event Grid Trigger, the Event Grid service fetches the client secret for the target Azure function, and uses it to deliver events to the Azure function. If you protect your azure function with a Microsoft Entra application, you have to take the generic web hook approach and use the HTTP Trigger.
## Next steps See the [Event handlers](event-handlers.md) article for a list of supported event handlers.
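Review bot: "with an **Microsoft Entra ID** application" in the first rewritten NOTE bullet has the wrong article: the rename replaced "Azure Active Directory" but left the "an" that belonged to "Azure". The second rewritten NOTE line in this file gets it right ("a Microsoft Entra application"); use that phrasing in both places. The unchanged context line "When you an Event Grid trigger to add an event subscription" is also missing "use" and could be fixed in the same commit.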
event-grid Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/kubernetes/features.md
Although Event Grid on Kubernetes and Azure Event Grid share many features and t
| [Azure Event Grid trigger for Azure Functions](../../azure-functions/functions-bindings-event-grid-trigger.md) | Γ£ÿ | Γ£ö | | Azure Relay's Hybrid Connections as a destination | Γ£ÿ | Γ£ö | | [Advanced filtering](filter-events.md) | Γ£ö*** | Γ£ö |
-| [Webhook AuthN/AuthZ with Azure AD](../secure-webhook-delivery.md) | Γ£ÿ | Γ£ö |
+| [Webhook AuthN/AuthZ with Microsoft Entra ID](../secure-webhook-delivery.md) | Γ£ÿ | Γ£ö |
| [Event delivery with resource identity](/rest/api/eventgrid/controlplane-preview/event-subscriptions/create-or-update) | Γ£ÿ | Γ£ö | | Same set of data plane SDKs | Γ£ö | Γ£ö | | Same set of management SDKs | Γ£ö | Γ£ö |
event-grid Monitor Push Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/monitor-push-reference.md
The possible values of `Outcome` are `NotFound`, `Aborted`, `TimedOut`, `Generic
| NetworkAccess | String | Allowed values are: <br>- `PublicAccess` - when connecting via public IP<br>- `PrivateAccess` - when connecting via private link | | ClientIpAddress | String | Source IP of incoming requests | | TlsVersion | String | The transport layer security (TLS) version used by the client connection. Possible values are: **1.0**, **1.1** and **1.2** |
-| Authentication/Type | String | The type of secret used for authentication when publishing messages. <br>-`Key` ΓÇô request uses the SAS key<br>- `SASToken` ΓÇô request uses a SAS token generated from SAS key<br>- `AADAccessToken` ΓÇô Azure Active Directory issued JSON Web Token (JWT) token<br>- `Unknown` ΓÇô None of the above authentication types. OPTIONS requests have this authentication type |
+| Authentication/Type | String | The type of secret used for authentication when publishing messages. <br>-`Key` ΓÇô request uses the SAS key<br>- `SASToken` ΓÇô request uses a SAS token generated from SAS key<br>- `AADAccessToken` ΓÇô Microsoft Entra ID issued JSON Web Token (JWT) token<br>- `Unknown` ΓÇô None of the above authentication types. OPTIONS requests have this authentication type |
| Authentication/ObjectId | String | ObjectId of the service principal used when the authentication type is set to `AADAccessToken` | | OperationResult | String | Result of the publish. Possible values are: <br>- Success<br>- Unauthorized<br>- Forbidden<br>- RequestEntityTooLarge<br>- BadRequest<br>- InternalServerError | | TotalOperations | String | These traces aren't emitted for each publish request. An aggregate for each unique combination of above values is emitted every minute |
event-grid Monitor Virtual Machine Changes Logic App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/monitor-virtual-machine-changes-logic-app.md
Now add the Azure Event Grid trigger, which you use to monitor the resource grou
![Screenshot that shows the workflow designer with the selected Azure Event Grid trigger.](./media/monitor-virtual-machine-changes-logic-app/logic-app-trigger.png)
-1. When prompted, sign in to Azure Event Grid with your Azure account credentials. In the **Tenant** list, which shows the Azure Active Directory tenant that's associated with your Azure subscription, check that the correct tenant appears, for example:
+1. When prompted, sign in to Azure Event Grid with your Azure account credentials. In the **Tenant** list, which shows the Microsoft Entra tenant that's associated with your Azure subscription, check that the correct tenant appears, for example:
![Screenshot that shows the workflow designer with the Azure sign-in prompt to connect to Azure Event Grid.](./media/monitor-virtual-machine-changes-logic-app/sign-in.png)
Now add the Azure Event Grid trigger, which you use to monitor the resource grou
> If you're signed in with a personal Microsoft account, such as @outlook.com or @hotmail.com, > the Azure Event Grid trigger might not appear correctly. As a workaround, select > [Connect with Service Principal](../active-directory/develop/howto-create-service-principal-portal.md),
- > or authenticate as a member of the Azure Active Directory that's associated with
+ > or authenticate as a member of the Microsoft Entra that's associated with
> your Azure subscription, for example, *user-name*@emailoutlook.onmicrosoft.com. 1. Now subscribe your logic app to events from the publisher. Provide the details about your event subscription as described in the following table, for example:
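Review bot: the `+` line drops the noun after the product name: "authenticate as a member of the Microsoft Entra that's associated with your Azure subscription" is ungrammatical, because "Microsoft Entra" is a brand rather than something one can be a member of. The original "Azure Active Directory" stood for the directory, so the replacement should be "a member of the Microsoft Entra tenant that's associated with", which is the wording the earlier hunk in this same file already uses ("the Microsoft Entra tenant that's associated with your Azure subscription").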
event-grid Mqtt Client Azure Ad Token And Rbac https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/mqtt-client-azure-ad-token-and-rbac.md
Title: Azure AD JWT authentication and RBAC authorization for clients with Azure AD identity
-description: Describes JWT authentication and RBAC roles to authorize clients with Azure AD identity to publish or subscribe MQTT messages
+ Title: Microsoft Entra JWT authentication and RBAC authorization for clients with Microsoft Entra identity
+description: Describes JWT authentication and RBAC roles to authorize clients with Microsoft Entra identity to publish or subscribe MQTT messages
Last updated 8/11/2023
-# Azure AD JWT authentication and Azure RBAC authorization to publish or subscribe MQTT messages
-You can authenticate MQTT clients with Azure AD JWT to connect to Event Grid namespace. You can use Azure role-based access control (Azure RBAC) to enable MQTT clients, with Azure Active Directory identity, to publish or subscribe access to specific topic spaces.
+# Microsoft Entra JWT authentication and Azure RBAC authorization to publish or subscribe MQTT messages
+You can authenticate MQTT clients with Microsoft Entra JWT to connect to Event Grid namespace. You can use Azure role-based access control (Azure RBAC) to enable MQTT clients, with Microsoft Entra identity, to publish or subscribe access to specific topic spaces.
> [!IMPORTANT] > This feature is supported only when using MQTT v5
You can authenticate MQTT clients with Azure AD JWT to connect to Event Grid nam
- Review the process to [create a custom role](/azure/role-based-access-control/custom-roles-portal)
-## Authentication using Azure AD JWT
-You can use the MQTT v5 CONNECT packet to provide the Azure AD JWT token to authenticate your client, and you can use the MQTT v5 AUTH packet to refresh the token.
+<a name='authentication-using-azure-ad-jwt'></a>
+
+## Authentication using Microsoft Entra JWT
+You can use the MQTT v5 CONNECT packet to provide the Microsoft Entra JWT token to authenticate your client, and you can use the MQTT v5 AUTH packet to refresh the token.
In CONNECT packet, you can provide required values in the following fields:
Authenticate Reason Code with value 25 signifies reauthentication.
> Audience: ΓÇ£audΓÇ¥ claim must be set to "https://eventgrid.azure.net/". ## Authorization to grant access permissions
-A client using Azure AD based JWT authentication needs to be authorized to communicate with the Event Grid namespace. You can create custom roles to enable the client to communicate with Event Grid instances in your resource group, and then assign the roles to the client. You can use following two data actions to provide publish or subscribe permissions, to clients with Azure AD identities, on specific topic spaces.
+A client using Microsoft Entra ID based JWT authentication needs to be authorized to communicate with the Event Grid namespace. You can create custom roles to enable the client to communicate with Event Grid instances in your resource group, and then assign the roles to the client. You can use following two data actions to provide publish or subscribe permissions, to clients with Microsoft Entra identities, on specific topic spaces.
**Topic spaces publish** data action Microsoft.EventGrid/topicSpaces/publish/action
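Review bot: "Microsoft Entra ID based JWT authentication" on the `+` line should be hyphenated as a compound modifier, "Microsoft Entra ID-based JWT authentication". The same sentence keeps the pre-existing "You can use following two data actions", which should read "You can use the following two data actions" now that the line is being rewritten anyway.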
The following are sample role definitions that allow you to publish and subscrib
1. Select **Create** in Review + create tab to create the custom role. 1. Once the custom role is created, you can assign the role to an identity to provide the publish permission on the topic space. You can learn how to assign roles [here](/azure/role-based-access-control/role-assignments-portal).
-## Assign the custom role to your Azure AD identity
+<a name='assign-the-custom-role-to-your-azure-ad-identity'></a>
+
+## Assign the custom role to your Microsoft Entra identity
1. In the Azure portal, navigate to your Event Grid namespace 1. Navigate to the topic space to which you want to authorize access. 1. Go to the Access control (IAM) page of the topic space
The following are sample role definitions that allow you to publish and subscrib
## Next steps - See [Publish and subscribe to MQTT message using Event Grid](mqtt-publish-and-subscribe-portal.md) - To learn more about how Managed Identities work, you can refer to [How managed identities for Azure resources work with Azure virtual machines - Microsoft Entra](/azure/active-directory/managed-identities-azure-resources/how-managed-identities-work-vm) -- To learn more about how to obtain tokens from Azure AD, you can refer to [obtaining Azure AD tokens](/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token)
+- To learn more about how to obtain tokens from Microsoft Entra ID, you can refer to [obtaining Microsoft Entra tokens](/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#get-a-token)
- To learn more about Azure Identity client library, you can refer to [using Azure Identity client library](/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-the-azure-identity-client-library) - To learn more about implementing an interface for credentials that can provide a token, you can refer to [TokenCredential Interface](/java/api/com.azure.core.credential.tokencredential) - To learn more about how to authenticate using Azure Identity, you can refer to [examples](https://github.com/Azure/azure-sdk-for-java/wiki/Azure-Identity-Examples)
event-grid Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/overview.md
Your own service or application publishes events to Event Grid that subscriber a
A multi-tenant SaaS provider or platform can publish their events to Event Grid through a feature called [Partner Events](partner-events-overview.md). You can [subscribe to those events](subscribe-to-partner-events.md) and automate tasks, for example. Events from the following partners are currently available: - [Auth0](auth0-overview.md)-- [Microsoft Graph API](subscribe-to-graph-api-events.md). Through Microsoft Graph API you can get events from [Azure AD](azure-active-directory-events.md), [Microsoft Outlook](outlook-events.md), [Teams](teams-events.md), Conversations, security alerts, and Universal Print.
+- [Microsoft Graph API](subscribe-to-graph-api-events.md). Through Microsoft Graph API you can get events from [Microsoft Entra ID](azure-active-directory-events.md), [Microsoft Outlook](outlook-events.md), [Teams](teams-events.md), Conversations, security alerts, and Universal Print.
- [Tribal Group](subscribe-to-tribal-group-events.md) - [SAP](subscribe-to-sap-events.md)
event-grid Partner Events Graph Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/partner-events-graph-api.md
Last updated 06/09/2022
# Microsoft Graph API events
-Microsoft Graph API provides a unified programmable model that you can use to receive events about state changes of resources in Microsoft Outlook, Teams, SharePoint, Azure Active Directory, Microsoft Conversations, and security alerts. For every resource in the following table, events for create, update and delete state changes are supported.
+Microsoft Graph API provides a unified programmable model that you can use to receive events about state changes of resources in Microsoft Outlook, Teams, SharePoint, Microsoft Entra ID, Microsoft Conversations, and security alerts. For every resource in the following table, events for create, update and delete state changes are supported.
## Graph API event sources |Microsoft event source |Resource(s) | Available event types | |: | : | :-|
-|Azure Active Directory| [User](/graph/api/resources/user), [Group](/graph/api/resources/group) | [Azure AD event types](azure-active-directory-events.md) |
+|Microsoft Entra ID| [User](/graph/api/resources/user), [Group](/graph/api/resources/group) | [Microsoft Entra event types](azure-active-directory-events.md) |
|Microsoft Outlook|[Event](/graph/api/resources/event) (calendar meeting), [Message](/graph/api/resources/message) (email), [Contact](/graph/api/resources/contact) | [Microsoft Outlook event types](outlook-events.md) | |Microsoft Teams|[ChatMessage](/graph/api/resources/callrecords-callrecord), [CallRecord](/graph/api/resources/callrecords-callrecord) (meeting) | [Microsoft Teams event types](teams-events.md) | |Microsoft SharePoint and OneDrive| [DriveItem](/graph/api/resources/driveitem)| |
You create a Microsoft Graph API subscription to enable Graph API events to flow
## Next steps * [Partner Events overview](partner-events-overview.md).
-* [subscribe to partner events](subscribe-to-partner-events.md), which includes instructions on how to subscribe to Microsoft Graph API events.
+* [subscribe to partner events](subscribe-to-partner-events.md), which includes instructions on how to subscribe to Microsoft Graph API events.
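Review bot: the `-` and `+` lines are textually identical here, so this hunk changes only whitespace (trailing spaces or line endings); that is fine as a cleanup but worth confirming it is intentional. While the line is being touched, the bullet could be capitalized to "Subscribe to partner events" to match the preceding "* [Partner Events overview]" bullet.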
event-grid Partner Events Overview For Partners https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/partner-events-overview-for-partners.md
Last updated 04/10/2023
# Partner Events overview for partners - Azure Event Grid
-Event Grid's **Partner Events** allows customers to **subscribe to events** that originate in a registered system using the same mechanism they would use for any other event source on Azure, such as an Azure service. Those registered systems integrate with Event Grid are known as "partners". This feature also enables customers to **send events** to partner systems that support receiving and routing events to customer's solutions/endpoints in their platform. Typically, partners are software-as-a-service (SaaS) or [ERP](https://en.wikipedia.org/wiki/Enterprise_resource_planning) providers, but they might be corporate platforms wishing to make their events available to internal teams. They purposely integrate with Event Grid to realize end-to-end customer use cases that end on Azure (customers subscribe to events sent by partner) or end on a partner system (customers subscribe to Microsoft events sent by Azure Event Grid). Customers bank on Azure Event Grid to send events published by a partner to supported destinations such as webhooks, Azure Functions, Azure Event Hubs, or Azure Service Bus, to name a few. Customers also rely on Azure Event Grid to route events that originate in Microsoft services, such as Azure Storage, Outlook, Teams, or Azure AD, to partner systems where customer's solutions can react to them. With Partner Events, customers can build event-driven solutions across platforms and network boundaries to receive or send events reliably, securely and at a scale.
+Event Grid's **Partner Events** allows customers to **subscribe to events** that originate in a registered system using the same mechanism they would use for any other event source on Azure, such as an Azure service. Those registered systems integrate with Event Grid are known as "partners". This feature also enables customers to **send events** to partner systems that support receiving and routing events to customer's solutions/endpoints in their platform. Typically, partners are software-as-a-service (SaaS) or [ERP](https://en.wikipedia.org/wiki/Enterprise_resource_planning) providers, but they might be corporate platforms wishing to make their events available to internal teams. They purposely integrate with Event Grid to realize end-to-end customer use cases that end on Azure (customers subscribe to events sent by partner) or end on a partner system (customers subscribe to Microsoft events sent by Azure Event Grid). Customers bank on Azure Event Grid to send events published by a partner to supported destinations such as webhooks, Azure Functions, Azure Event Hubs, or Azure Service Bus, to name a few. Customers also rely on Azure Event Grid to route events that originate in Microsoft services, such as Azure Storage, Outlook, Teams, or Microsoft Entra ID, to partner systems where customer's solutions can react to them. With Partner Events, customers can build event-driven solutions across platforms and network boundaries to receive or send events reliably, securely and at a scale.
> [!NOTE] > This is a conceptual article that's required reading before you decide to onboard as a partner to Azure Event Grid. For step-by-step instructions on how to onboard as an Event Grid partner using the Azure portal, see [How to onboard as an Event Grid partner (Azure portal)](onboard-partner.md).
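Review bot: the rewritten paragraph on the `+` line carries two pre-existing grammar slips that are worth fixing in the same edit: "Those registered systems integrate with Event Grid are known as "partners"" needs a relative pronoun ("Those registered systems that integrate with Event Grid are known as..."), and "at a scale" at the end should be "at scale". The Azure AD to Microsoft Entra ID substitution itself is correct.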
event-grid Partner Events Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/partner-events-overview.md
This feature also enables customers to **send events** to partner systems that s
They purposely integrate with Event Grid to realize end-to-end customer use cases that end on Azure (customers subscribe to events sent by partner) or end on a partner system (customers subscribe to Microsoft events sent by Azure Event Grid). Customers bank on Azure Event Grid to send events published by a partner to supported destinations such as webhooks, Azure Functions, Azure Event Hubs, or Azure Service Bus, to name a few.
-Customers also rely on Azure Event Grid to route events that originate in Microsoft services, such as Azure Storage, Outlook, Teams, or Azure AD, to partner systems where customer's solutions can react to them.
+Customers also rely on Azure Event Grid to route events that originate in Microsoft services, such as Azure Storage, Outlook, Teams, or Microsoft Entra ID, to partner systems where customer's solutions can react to them.
With Partner Events, customers can build event-driven solutions across platforms and network boundaries to receive or send events reliably, securely and at a scale.
You may want to use the Partner Events feature if you've one or more of the foll
- You want to subscribe to events that originate in a [partner](#available-partners) system and route them to event handlers on Azure or to any application or service with a public endpoint. - You want to take advantage of the rich set Event Grid's [destinations/event handlers](overview.md#event-handlers) that react to events from partners.-- You want to forward events raised by your custom application on Azure, an Azure service, or a Microsoft service to your application or service hosted by the [partner](#available-partners) system. For example, you may want to send Azure AD, Teams, SharePoint, or Azure Storage events to a partner system on which you're a tenant for processing.
+- You want to forward events raised by your custom application on Azure, an Azure service, or a Microsoft service to your application or service hosted by the [partner](#available-partners) system. For example, you may want to send Microsoft Entra ID, Teams, SharePoint, or Azure Storage events to a partner system on which you're a tenant for processing.
- You need a resilient push delivery mechanism with send-retry support and at-least once semantics. - You want to use [Cloud Events 1.0](https://cloudevents.io/) schema for your events.
You may want to use the Partner Events feature if you've one or more of the foll
A partner must go through an [onboarding process](onboard-partner.md) before a customer can start receiving events from partners. Following is the list of available partners from which you can receive events via Event Grid. ### Microsoft Graph API
-Through Microsoft Graph API, you can get events from a diverse set of Microsoft services such as [Azure AD](azure-active-directory-events.md), [Microsoft Outlook](outlook-events.md), [Teams](teams-events.md), **SharePoint**, and so on. For a complete list of event sources, see [Microsoft Graph API's change notifications documentation](/graph/webhooks#supported-resources).
+Through Microsoft Graph API, you can get events from a diverse set of Microsoft services such as [Microsoft Entra ID](azure-active-directory-events.md), [Microsoft Outlook](outlook-events.md), [Teams](teams-events.md), **SharePoint**, and so on. For a complete list of event sources, see [Microsoft Graph API's change notifications documentation](/graph/webhooks#supported-resources).
### Auth0 [Auth0](https://auth0.com) is a managed authentication platform for businesses to authenticate, authorize, and secure access for applications, devices, and users. You can create an [Auth0 partner topic](auth0-overview.md) to connect your Auth0 and Azure accounts. This integration allows you to react to, log, and monitor Auth0 events in real time. To try it out, see [Integrate Azure Event Grid with Auth0](auth0-how-to.md).
event-grid Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/policy-reference.md
Title: Built-in policy definitions for Azure Event Grid description: Lists Azure Policy built-in policy definitions for Azure Event Grid. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
event-grid Post To Custom Topic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/post-to-custom-topic.md
This article describes how to post an event to a custom topic using an access ke
> [!NOTE]
-> Azure AD authentication provides a superior authentication support than that's offered by access key or Shared Access Signature (SAS) token authentication. With Azure AD authentication, the identity is validated against Azure AD identity provider. As a developer, you won't have to handle keys in your code if you use Azure AD authentication. you'll also benefit from all security features built into the Microsoft Identity platform, such as Conditional Access, that can help you improve your application's security stance. For more information, see [Authenticate publishing clients using Azure Active Directory](authenticate-with-active-directory.md).
+> Microsoft Entra authentication provides a superior authentication support than that's offered by access key or Shared Access Signature (SAS) token authentication. With Microsoft Entra authentication, the identity is validated against Microsoft Entra identity provider. As a developer, you won't have to handle keys in your code if you use Microsoft Entra authentication. you'll also benefit from all security features built into the Microsoft identity platform, such as Conditional Access, that can help you improve your application's security stance. For more information, see [Authenticate publishing clients using Microsoft Entra ID](authenticate-with-active-directory.md).
## Endpoint
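Review bot: two wording issues survive in the `+` line of this note: the sentence "you'll also benefit from all security features..." starts lowercase after a full stop, and "provides a superior authentication support than that's offered by" is not idiomatic. Suggest "Microsoft Entra authentication provides better authentication support than access key or Shared Access Signature (SAS) token authentication" and "You'll also benefit...". The rename and the lowercase "Microsoft identity platform" are consistent with Microsoft's current product naming.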
event-grid Powershell Webhook Secure Delivery Azure Ad App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/scripts/powershell-webhook-secure-delivery-azure-ad-app.md
Title: Azure PowerShell - Secure WebHook delivery with Azure AD Application in Azure Event Grid
-description: Describes how to deliver events to HTTPS endpoints protected by Azure AD Application using Azure Event Grid
+ Title: Azure PowerShell - Secure WebHook delivery with Microsoft Entra Application in Azure Event Grid
+description: Describes how to deliver events to HTTPS endpoints protected by Microsoft Entra Application using Azure Event Grid
ms.devlang: powershell Last updated 10/14/2021
-# Secure WebHook delivery with Azure AD Application in Azure Event Grid
+# Secure WebHook delivery with Microsoft Entra Application in Azure Event Grid
-This script provides the configuration to deliver events to HTTPS endpoints protected by Azure AD Application using Azure Event Grid.
+This script provides the configuration to deliver events to HTTPS endpoints protected by Microsoft Entra Application using Azure Event Grid.
Here are the high level steps from the script: 1. Create a service principal for **Microsoft.EventGrid** if it doesn't already exist.
-1. Create a role named **AzureEventGridSecureWebhookSubscriber** in the **Azure AD app for your Webhook**.
+1. Create a role named **AzureEventGridSecureWebhookSubscriber** in the **Microsoft Entra app for your Webhook**.
1. Create a service principal for the **event subscription writer app** if it doesn't already exist.
-1. Add service principal of event subscription writer Azure AD app to the AzureEventGridSecureWebhookSubscriber role
+1. Add service principal of event subscription writer Microsoft Entra app to the AzureEventGridSecureWebhookSubscriber role
1. Add service principal of Microsoft.EventGrid to the AzureEventGridSecureWebhookSubscriber role as well ## Sample script - stable
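Review bot: the step on the `+` line, "Add service principal of event subscription writer Microsoft Entra app to the AzureEventGridSecureWebhookSubscriber role", lacks articles and a terminal period, unlike the preceding numbered steps; suggest "Add the service principal of the event subscription writer Microsoft Entra app to the AzureEventGridSecureWebhookSubscriber role." for parity with "Create a service principal for the **event subscription writer app** if it doesn't already exist."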
catch {
## Script explanation
-For more details refer to [Secure WebHook delivery with Azure AD in Azure Event Grid](../secure-webhook-delivery.md)
+For more details refer to [Secure WebHook delivery with Microsoft Entra ID in Azure Event Grid](../secure-webhook-delivery.md)
event-grid Powershell Webhook Secure Delivery Azure Ad User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/scripts/powershell-webhook-secure-delivery-azure-ad-user.md
Title: Azure PowerShell - Secure WebHook delivery with Azure AD User in Azure Event Grid
-description: Describes how to deliver events to HTTPS endpoints protected by Azure AD User using Azure Event Grid
+ Title: Azure PowerShell - Secure WebHook delivery with Microsoft Entra user in Azure Event Grid
+description: Describes how to deliver events to HTTPS endpoints protected by Microsoft Entra user using Azure Event Grid
ms.devlang: powershell Last updated 09/29/2021
-# Secure WebHook delivery with Azure AD User in Azure Event Grid
+# Secure WebHook delivery with Microsoft Entra user in Azure Event Grid
-This script provides the configuration to deliver events to HTTPS endpoints protected by Azure AD User using Azure Event Grid.
+This script provides the configuration to deliver events to HTTPS endpoints protected by Microsoft Entra user using Azure Event Grid.
Here are the high level steps from the script: 1. Create a service principal for **Microsoft.EventGrid** if it doesn't already exist.
-1. Create a role named **AzureEventGridSecureWebhookSubscriber** in the **Azure AD app for your Webhook**.
+1. Create a role named **AzureEventGridSecureWebhookSubscriber** in the **Microsoft Entra app for your Webhook**.
1. Add service principal of user who will be creating the subscription to the AzureEventGridSecureWebhookSubscriber role. 1. Add service principal of Microsoft.EventGrid to the AzureEventGridSecureWebhookSubscriber.
catch {
## Script explanation
-For more details refer to [Secure WebHook delivery with Azure AD in Azure Event Grid](../secure-webhook-delivery.md)
+For more details refer to [Secure WebHook delivery with Microsoft Entra ID in Azure Event Grid](../secure-webhook-delivery.md)
event-grid Secure Webhook Delivery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/secure-webhook-delivery.md
Title: Secure WebHook delivery with Azure AD in Azure Event Grid
-description: Describes how to deliver events to HTTPS endpoints protected by Azure Active Directory using Azure Event Grid
+ Title: Secure WebHook delivery with Microsoft Entra ID in Azure Event Grid
+description: Describes how to deliver events to HTTPS endpoints protected by Microsoft Entra ID using Azure Event Grid
Last updated 10/12/2022
-# Deliver events to Azure Active Directory protected endpoints
-This article describes how to use Azure Active Directory (Azure AD) to secure the connection between your **event subscription** and your **webhook endpoint**. It uses the Azure portal for demonstration, however the feature can also be enabled using CLI, PowerShell, or the SDKs.
+# Deliver events to Microsoft Entra protected endpoints
+This article describes how to use Microsoft Entra ID to secure the connection between your **event subscription** and your **webhook endpoint**. It uses the Azure portal for demonstration, however the feature can also be enabled using CLI, PowerShell, or the SDKs.
> [!IMPORTANT]
-> Additional access check has been introduced as part of create or update of event subscription on March 30, 2021 to address a security vulnerability. The subscriber client's service principal needs to be either an owner or have a role assigned on the destination application service principal. Reconfigure your Azure AD Application following the new instructions below.For an overview of Azure AD applications and service principals, see [Microsoft identity platform (v2.0) overview](../active-directory/develop/v2-overview.md).
+> Additional access check has been introduced as part of create or update of event subscription on March 30, 2021 to address a security vulnerability. The subscriber client's service principal needs to be either an owner or have a role assigned on the destination application service principal. Reconfigure your Microsoft Entra Application following the new instructions below.For an overview of Microsoft Entra applications and service principals, see [Microsoft identity platform (v2.0) overview](../active-directory/develop/v2-overview.md).
## Scenarios This article explains how to implement the following two scenarios in detail: -- [Delivering events to a webhook that is in the same Azure AD tenant as the event subscription](#deliver-events-to-a-webhook-in-the-same-azure-ad-tenant). You can use either an Azure AD user or an Azure AD application as the event subscription writer in this scenario. -- [Delivering events to a webhook that is in a different Azure AD tenant from the event subscription](#deliver-events-to-a-webhook-in-a-different-azure-ad-tenant). You can only use an Azure AD application as an event subscription writer in this scenario.
+- [Delivering events to a webhook that is in the same Microsoft Entra tenant as the event subscription](#deliver-events-to-a-webhook-in-the-same-azure-ad-tenant). You can use either a Microsoft Entra user or a Microsoft Entra application as the event subscription writer in this scenario.
+- [Delivering events to a webhook that is in a different Microsoft Entra tenant from the event subscription](#deliver-events-to-a-webhook-in-a-different-azure-ad-tenant). You can only use a Microsoft Entra application as an event subscription writer in this scenario.
In the first scenario, you run all the steps or scripts in a single tenant that has both the event subscription and the webhook. And, in the second scenario, you run some steps in the tenant that has the event subscription and some steps in the tenant that has the webhook.
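Review bot: "below.For an overview" on the `+` line of the IMPORTANT callout is still missing the space after the period; since the line is being rewritten for the rename, insert it ("below. For an overview"). In the Scenarios bullets the link targets keep the old slugs (#deliver-events-to-a-webhook-in-the-same-azure-ad-tenant and #deliver-events-to-a-webhook-in-a-different-azure-ad-tenant) although the headings now say "Microsoft Entra"; that only works because a matching `<a name='...'>` anchor is inserted before each renamed heading, and this excerpt shows the anchor for the same-tenant section only, so confirm the different-tenant section gets its anchor as well.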
-## Deliver events to a Webhook in the same Azure AD tenant
+<a name='deliver-events-to-a-webhook-in-the-same-azure-ad-tenant'></a>
+
+## Deliver events to a Webhook in the same Microsoft Entra tenant
The following diagram depicts how Event Grid events are delivered to a webhook in the same tenant as the event subscription.
The following diagram depicts how Event Grid events are delivered to a webhook i
There are two subsections in this section. Read through both the scenarios or the one that you're interested in. -- [Configure the event subscription by using an Azure AD **user**](#configure-the-event-subscription-by-using-an-azure-ad-user)-- [Configure the event subscription by using an Azure AD **application**](#configure-the-event-subscription-by-using-an-azure-ad-application)
+- [Configure the event subscription by using a Microsoft Entra ID **user**](#configure-the-event-subscription-by-using-an-azure-ad-user)
+- [Configure the event subscription by using a Microsoft Entra ID **application**](#configure-the-event-subscription-by-using-an-azure-ad-application)
+
+<a name='configure-the-event-subscription-by-using-an-azure-ad-user'></a>
-### Configure the event subscription by using an Azure AD user
+### Configure the event subscription by using a Microsoft Entra user
-This section shows how to configure the event subscription by using an Azure AD user.
+This section shows how to configure the event subscription by using a Microsoft Entra user.
-1. Create an Azure AD application for the webhook configured to work with the Microsoft directory (single tenant).
+1. Create a Microsoft Entra application for the webhook configured to work with the Microsoft directory (single tenant).
2. Open the [Azure Shell](https://portal.azure.com/#cloudshell/) in the tenant and select the PowerShell environment.
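Review bot: the two bullets in the `+` lines say "a Microsoft Entra ID **user**" and "a Microsoft Entra ID **application**", while the heading they link to, rewritten in the same hunk, says "a Microsoft Entra user" and the following step says "a Microsoft Entra application"; pick one form, preferably "Microsoft Entra user" / "Microsoft Entra application" to match the headings. As in the Scenarios list above, the link fragments keep the old -azure-ad- slugs; the `<a name='configure-the-event-subscription-by-using-an-azure-ad-user'>` anchor covers the first one, and the application subsection needs the corresponding anchor added before its renamed heading.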
This section shows how to configure the event subscription by using an Azure AD
4. Open the [following script](scripts/powershell-webhook-secure-delivery-azure-ad-user.md) and update the values of **$webhookAppObjectId** and **$eventSubscriptionWriterUserPrincipalName** with your identifiers, then continue to run the script. - Variables:
- - **$webhookAppObjectId**: Azure AD application ID created for the webhook
+ - **$webhookAppObjectId**: Microsoft Entra application ID created for the webhook
- **$eventSubscriptionWriterUserPrincipalName**: Azure user principal name of the user who creates event subscription > [!NOTE]
- > You don't need to modify the value of **$eventGridAppId**. In this script, **AzureEventGridSecureWebhookSubscriber** is set for the **$eventGridRoleName**. Remember, you must be a member of the [Azure AD Application Administrator role](../active-directory/roles/permissions-reference.md#all-roles) or be an owner of the service principal of webhook app in Azure AD to execute this script.
+ > You don't need to modify the value of **$eventGridAppId**. In this script, **AzureEventGridSecureWebhookSubscriber** is set for the **$eventGridRoleName**. Remember, you must be a member of the [Microsoft Entra Application Administrator role](../active-directory/roles/permissions-reference.md#all-roles) or be an owner of the service principal of webhook app in Microsoft Entra ID to execute this script.
If you see the following error message, you need to elevate to the service principal. An extra access check has been introduced as part of create or update of event subscription on March 30, 2021 to address a security vulnerability. The subscriber client's service principal needs to be either an owner or have a role assigned on the destination application service principal.
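Review bot: the variable description "**$webhookAppObjectId**: Microsoft Entra application ID created for the webhook" conflicts with the variable name, which says object ID; the application (client) ID and the object ID of an app registration or its service principal are different GUIDs, and the error text quoted below ("needs to be either an owner or have a role assigned on the destination application service principal") indicates the script targets the service principal. State which ID the script expects and where to read it, otherwise readers paste the client ID and the role assignment in the script fails.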
This section shows how to configure the event subscription by using an Azure AD
![Select endpoint type webhook](./media/secure-webhook-delivery/select-webhook.png) 3. Select the **Additional features** tab at the top of the **Create Event Subscriptions** page. 4. On the **Additional features** tab, do these steps:
- 1. Select **Use AAD authentication**, and configure the tenant ID and application ID:
- 2. Copy the Azure AD tenant ID from the output of the script and enter it in the **AAD Tenant ID** field.
- 3. Copy the Azure AD application ID from the output of the script and enter it in the **AAD Application ID** field. You can use the Azure AD Application ID URI instead of using the application ID. For more information about application ID URI, see [this article](../app-service/configure-authentication-provider-aad.md).
+ 1. Select **Use Microsoft Entra authentication**, and configure the tenant ID and application ID:
+ 2. Copy the Microsoft Entra tenant ID from the output of the script and enter it in the **Microsoft Entra tenant ID** field.
+ 3. Copy the Microsoft Entra application ID from the output of the script and enter it in the **Microsoft Entra Application ID** field. You can use the Microsoft Entra Application ID URI instead of using the application ID. For more information about application ID URI, see [this article](../app-service/configure-authentication-provider-aad.md).
![Secure Webhook action](./media/secure-webhook-delivery/aad-configuration.png)
-### Configure the event subscription by using an Azure AD application
+<a name='configure-the-event-subscription-by-using-an-azure-ad-application'></a>
-This section shows how to configure the event subscription by using an Azure AD application.
+### Configure the event subscription by using a Microsoft Entra application
-1. Create an Azure AD application for the Event Grid subscription writer configured to work with the Microsoft directory (Single tenant).
+This section shows how to configure the event subscription by using a Microsoft Entra application.
-2. Create a secret for the Azure AD application and save the value (you need this value later).
+1. Create a Microsoft Entra application for the Event Grid subscription writer configured to work with the Microsoft directory (Single tenant).
-3. Go to the **Access control (IAM)** page for the Event Grid topic and assign **Event Grid Contributor** role to the Event Grid subscription writer app. This step allows you to have access to the Event Grid resource when you logged-in into Azure with the Azure AD application by using Azure CLI.
+2. Create a secret for the Microsoft Entra application and save the value (you need this value later).
-4. Create an Azure AD application for the webhook configured to work with the Microsoft directory (Single tenant).
+3. Go to the **Access control (IAM)** page for the Event Grid topic and assign **Event Grid Contributor** role to the Event Grid subscription writer app. This step allows you to have access to the Event Grid resource when you logged-in into Azure with the Microsoft Entra application by using Azure CLI.
+
+4. Create a Microsoft Entra application for the webhook configured to work with the Microsoft directory (Single tenant).
5. Open the [Azure Shell](https://portal.azure.com/#cloudshell/) in the tenant and select the PowerShell environment.
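Review bot: the UI label rename in step 4 mixes capitalization ("**Microsoft Entra tenant ID**" vs "**Microsoft Entra Application ID**"), and the screenshot that follows is still `aad-configuration.png`; confirm the image was recaptured with the new labels, or the text and the picture will disagree. Step 3 grants **Event Grid Contributor** to the subscription-writer app so it can "have access to the Event Grid resource when you logged-in into Azure" (should read "when you sign in to Azure"); the writer app only needs to create event subscriptions on the topic, so check whether a built-in role scoped to event subscriptions is sufficient before documenting the broader contributor role.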
This section shows how to configure the event subscription by using an Azure AD
7. Open the [following script](scripts/powershell-webhook-secure-delivery-azure-ad-app.md) and update the values of **$webhookAppObjectId** and **$eventSubscriptionWriterAppId** with your identifiers, then continue to run the script. - Variables:
- - **$webhookAppObjectId**: Azure AD application ID created for the webhook
- - **$eventSubscriptionWriterAppId**: Azure AD application ID for Event Grid subscription writer app.
+ - **$webhookAppObjectId**: Microsoft Entra application ID created for the webhook
+ - **$eventSubscriptionWriterAppId**: Microsoft Entra application ID for Event Grid subscription writer app.
> [!NOTE]
- > You don't need to modify the value of **```$eventGridAppId```**. In this script, **AzureEventGridSecureWebhookSubscriber** as set for the **```$eventGridRoleName```**. Remember, you must be a member of the [Azure AD Application Administrator role](../active-directory/roles/permissions-reference.md#all-roles) or be an owner of the service principal of webhook app in Azure AD to execute this script.
+ > You don't need to modify the value of **```$eventGridAppId```**. In this script, **AzureEventGridSecureWebhookSubscriber** as set for the **```$eventGridRoleName```**. Remember, you must be a member of the [Microsoft Entra Application Administrator role](../active-directory/roles/permissions-reference.md#all-roles) or be an owner of the service principal of webhook app in Microsoft Entra ID to execute this script.
-8. Sign-in as the Event Grid subscription writer Azure AD Application by running the command.
+8. Sign-in as the Event Grid subscription writer Microsoft Entra Application by running the command.
```azurecli PS /home/user>az login --service-principal -u [REPLACE_WITH_EVENT_GRID_SUBSCRIPTION_WRITER_APP_ID] -p [REPLACE_WITH_EVENT_GRID_SUBSCRIPTION_WRITER_APP_SECRET_VALUE] --tenant [REPLACE_WITH_TENANT_ID]
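Review bot: the note in step 7 reads "**AzureEventGridSecureWebhookSubscriber** as set for the **`$eventGridRoleName`**"; the same note earlier in the article says "is set for", so fix the verb here. Step 8 has the reader type the client secret inline (`az login --service-principal -u ... -p [REPLACE_WITH_EVENT_GRID_SUBSCRIPTION_WRITER_APP_SECRET_VALUE] --tenant ...`) inside an `azurecli` fence that carries a `PS /home/user>` prompt; a secret on the command line lands in shell history and is readable by other processes on the host, so show it read from a variable and say that the placeholder is the secret value saved in step 2, and either drop the PowerShell prompt from a block tagged as Azure CLI or tag the block consistently.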
This section shows how to configure the event subscription by using an Azure AD
10. If everything was correctly configured, you can successfully create the webhook subscription in your Event Grid topic. > [!NOTE]
- > At this point, Event Grid is now passing the Azure AD bearer token to the webhook client in every message. You'll need to validate the authorization token in your webhook.
+ > At this point, Event Grid is now passing the Microsoft Entra bearer token to the webhook client in every message. You'll need to validate the authorization token in your webhook.
+
+<a name='deliver-events-to-a-webhook-in-a-different-azure-ad-tenant'></a>
-## Deliver events to a Webhook in a different Azure AD tenant
+## Deliver events to a Webhook in a different Microsoft Entra tenant
-To secure the connection between your event subscription and your webhook endpoint that are in different Azure AD tenants, you need to use an Azure AD **application** as shown in this section. Currently, it's not possible to secure this connection by using an Azure AD **user** in the Azure portal.
+To secure the connection between your event subscription and your webhook endpoint that are in different Microsoft Entra tenants, you need to use a Microsoft Entra ID **application** as shown in this section. Currently, it's not possible to secure this connection by using a Microsoft Entra ID **user** in the Azure portal.
-![Multitenant events with Azure AD and Webhooks](./media/secure-webhook-delivery/multitenant-diagram.png)
+![Multitenant events with Microsoft Entra ID and Webhooks](./media/secure-webhook-delivery/multitenant-diagram.png)
Based on the diagram, follow next steps to configure both tenants.
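Review bot: the note after step 10 says "You'll need to validate the authorization token in your webhook" without saying what a valid token is; this is the step that actually secures the endpoint, so list the checks the webhook must perform (signature against the tenant's signing keys, issuer equal to the tenant, audience equal to the webhook app's application ID or ID URI entered in step 4, token not expired) or link to validation guidance, otherwise a reader who only checks that a bearer header is present is still exposed to the replayed-request flooding that the webhook-event-delivery article describes. Also, "a Microsoft Entra ID **application**" and "a Microsoft Entra ID **user**" in the cross-tenant intro use the "Entra ID" form where the rest of the article says "Microsoft Entra application".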
Based on the diagram, follow next steps to configure both tenants.
Do the following steps in **Tenant A**:
-1. Create an Azure AD application for the Event Grid subscription writer configured to work with any Azure AD directory (Multi-tenant).
+1. Create a Microsoft Entra application for the Event Grid subscription writer configured to work with any Microsoft Entra directory (Multi-tenant).
-2. Create a secret for the Azure AD application, and save the value (you need this value later).
+2. Create a secret for the Microsoft Entra application, and save the value (you need this value later).
-3. Navigate to the **Access control (IAM)** page for the Event Grid topic. Assign the **Event Grid Contributor** role to Azure AD application of the Event Grid subscription writer. This step allows the application to have access to the Event Grid resource when you sign in into Azure with the Azure AD application by using Azure CLI.
+3. Navigate to the **Access control (IAM)** page for the Event Grid topic. Assign the **Event Grid Contributor** role to Microsoft Entra application of the Event Grid subscription writer. This step allows the application to have access to the Event Grid resource when you sign in into Azure with the Microsoft Entra application by using Azure CLI.
### Tenant B Do the following steps in **Tenant B**:
-1. Create an Azure AD Application for the webhook configured to work with the Microsoft directory (single tenant).
+1. Create a Microsoft Entra Application for the webhook configured to work with the Microsoft directory (single tenant).
5. Open the [Azure Shell](https://portal.azure.com/#cloudshell/), and select the PowerShell environment. 6. Modify the **$webhookAadTenantId** value to connect to the **Tenant B**. - Variables:
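Review bot: step 3 in Tenant A repeats the "sign in into Azure" wording; "sign in to Azure" is the form to use. Step 1 makes the subscription-writer app multi-tenant, but nothing visible here says that a service principal for it must exist in Tenant B before the Tenant B script can assign `$eventSubscriptionWriterAppId` a role on the webhook app; if the Tenant B steps omitted from this hunk do not create that service principal, add the prerequisite, or the role assignment in Tenant B fails for a principal that is not yet present.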
Do the following steps in **Tenant B**:
7. Open the [following script](scripts/powershell-webhook-secure-delivery-azure-ad-app.md), and update values of **$webhookAppObjectId** and **$eventSubscriptionWriterAppId** with your identifiers, then continue to run the script. - Variables:
- - **$webhookAppObjectId**: Azure AD application ID created for the webhook
- - **$eventSubscriptionWriterAppId**: Azure AD application ID for Event Grid subscription writer
+ - **$webhookAppObjectId**: Microsoft Entra application ID created for the webhook
+ - **$eventSubscriptionWriterAppId**: Microsoft Entra application ID for Event Grid subscription writer
> [!NOTE]
- > You don't need to modify the value of **```$eventGridAppId```**. In this script, **AzureEventGridSecureWebhookSubscriber** is set for **```$eventGridRoleName```**. Remember, you must be a member of the [Azure AD Application Administrator role](../active-directory/roles/permissions-reference.md#all-roles) or be an owner of the service principal of webhook app in Azure AD to execute this script.
+ > You don't need to modify the value of **```$eventGridAppId```**. In this script, **AzureEventGridSecureWebhookSubscriber** is set for **```$eventGridRoleName```**. Remember, you must be a member of the [Microsoft Entra Application Administrator role](../active-directory/roles/permissions-reference.md#all-roles) or be an owner of the service principal of webhook app in Microsoft Entra ID to execute this script.
If you see the following error message, you need to elevate to the service principal. An extra access check has been introduced as part of create or update of event subscription on March 30, 2021 to address a security vulnerability. The subscriber client's service principal needs to be either an owner or have a role assigned on the destination application service principal.
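Review bot: same problem as in the single-tenant section: `$webhookAppObjectId` is described as "Microsoft Entra application ID created for the webhook" although the name says object ID; say object ID of the webhook app's service principal, and, since this script runs in Tenant B, say explicitly that `$eventSubscriptionWriterAppId` is the application ID of the writer app registered in Tenant A.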
Do the following steps in **Tenant B**:
Back in **Tenant A**, do the following steps:
-1. Open the [Azure Shell](https://portal.azure.com/#cloudshell/), and sign in as the Event Grid subscription writer Azure AD Application by running the command.
+1. Open the [Azure Shell](https://portal.azure.com/#cloudshell/), and sign in as the Event Grid subscription writer Microsoft Entra Application by running the command.
```azurecli PS /home/user>az login --service-principal -u [REPLACE_WITH_APP_ID] -p [REPLACE_WITH_SECRET_VALUE] --tenant [REPLACE_WITH_TENANT_ID]
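Review bot: the `az login` in step 1 uses `--tenant [REPLACE_WITH_TENANT_ID]`, which is ambiguous in a walkthrough with two tenants; the heading says "Back in **Tenant A**" and the writer app and the topic were created there, so name Tenant A in the placeholder, and align the placeholders with the single-tenant section, which uses `REPLACE_WITH_EVENT_GRID_SUBSCRIPTION_WRITER_APP_ID`. The same caution about pasting the secret value on the command line applies here.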
Back in **Tenant A**, do the following steps:
3. If everything was correctly configured, you can successfully create the webhook subscription in your Event Grid topic. > [!NOTE]
- > At this point, Event Grid is now passing the Azure AD Bearer token to the webhook client in every message. You'll need to validate the Authorization token in your webhook.
+ > At this point, Event Grid is now passing the Microsoft Entra Bearer token to the webhook client in every message. You'll need to validate the Authorization token in your webhook.
## Next steps
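Review bot: the closing note capitalizes "Bearer token" and "Authorization token" while the single-tenant section writes "bearer token" and "authorization token"; make them consistent. This note is also the only place the cross-tenant flow mentions validation, so say which tenant's values the webhook checks: the webhook app is registered in Tenant B and `$webhookAadTenantId` was set to Tenant B, so the issuer and audience checks use Tenant B's tenant and application IDs, not Tenant A's.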
event-grid Security Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/security-authentication.md
Azure Event Grid uses different authentication methods to deliver events to even
|--|--|--| Access key | - Event Hubs<br/>- Service Bus<br/>- Storage Queues<br/>- Relay Hybrid Connections<br/>- Azure Functions<br/>- Storage Blobs (Deadletter) | Access keys are fetched using Event Grid service principal's credentials. The permissions are granted to Event Grid when you register the Event Grid resource provider in their Azure subscription. | Managed System Identity <br/>&<br/> Role-based access control | - Event Hubs<br/>- Service Bus<br/>- Storage Queues<br/>- Storage  Blobs (Deadletter) | Enable managed system identity for the topic and add it to the appropriate role on the destination. For details, see [Use system-assigned identities for event delivery](#use-system-assigned-identities-for-event-delivery). |
-|Bearer token authentication with Microsoft Entra ID protected webhook | Webhook | See the [Authenticate event delivery to webhook endpoints](#authenticate-event-delivery-to-webhook-endpoints) section for details. |
+|Bearer token authentication with Microsoft Entra protected webhook | Webhook | See the [Authenticate event delivery to webhook endpoints](#authenticate-event-delivery-to-webhook-endpoints) section for details. |
Client secret as a query parameter | Webhook | See the [Using client secret as a query parameter](#using-client-secret-as-a-query-parameter) section for details. | > [!NOTE]
-> If you protect your Azure function with an Microsoft Entra ID app, you'll have to take the generic webhook approach using the HTTP trigger. Use the Azure function endpoint as a webhook URL when adding the subscription.
+> If you protect your Azure function with a Microsoft Entra app, you'll have to take the generic webhook approach using the HTTP trigger. Use the Azure function endpoint as a webhook URL when adding the subscription.
## Use system-assigned identities for event delivery You can enable a system-assigned managed identity for a topic or domain and use the identity to forward events to supported destinations such as Service Bus queues and topics, event hubs, and storage accounts.
The following sections describe how to authenticate event delivery to webhook en
### Using Microsoft Entra ID
-You can secure the webhook endpoint that's used to receive events from Event Grid by using Microsoft Entra ID. You need to create a Microsoft Entra ID application, create a role and a service principal in your application authorizing Event Grid, and configure the event subscription to use the Microsoft Entra ID application. Learn how to [Configure Microsoft Entra ID with Event Grid](secure-webhook-delivery.md).
+You can secure the webhook endpoint that's used to receive events from Event Grid by using Microsoft Entra ID. You need to create a Microsoft Entra application, create a role and a service principal in your application authorizing Event Grid, and configure the event subscription to use the Microsoft Entra application. Learn how to [Configure Microsoft Entra ID with Event Grid](secure-webhook-delivery.md).
### Using client secret as a query parameter You can also secure your webhook endpoint by adding query parameters to the webhook destination URL specified as part of creating an Event Subscription. Set one of the query parameters to be a client secret such as an [access token](https://en.wikipedia.org/wiki/Access_token) or a shared secret. Event Grid service includes all the query parameters in every event delivery request to the webhook. The webhook service can retrieve and validate the secret. If the client secret is updated, event subscription also needs to be updated. To avoid delivery failures during this secret rotation, make the webhook accept both old and new secrets for a limited duration before updating the event subscription with the new secret.
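Review bot: "Using client secret as a query parameter" is presented as a peer of the bearer-token method with no statement of its weaker properties; a secret carried in the URL query string is recorded in web-server access logs, proxies and tool histories, so this section should say that the Microsoft Entra bearer-token method above is preferred and that the query-parameter secret is only acceptable over TLS to an endpoint whose request logging excludes query strings. The rotation advice (accept old and new secrets for a limited duration before updating the subscription) is good; add that the webhook should compare the secret rather than log it when validation fails.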
event-grid Subscribe To Graph Api Events https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/subscribe-to-graph-api-events.md
This article describes steps to subscribe to events published by Microsoft Graph
|Microsoft event source |Resource(s) | Available event types | |: | : | :-|
-|Azure Active Directory| [User](/graph/api/resources/user), [Group](/graph/api/resources/group) | [Azure AD event types](azure-active-directory-events.md) |
+|Microsoft Entra ID| [User](/graph/api/resources/user), [Group](/graph/api/resources/group) | [Microsoft Entra event types](azure-active-directory-events.md) |
|Microsoft Outlook|[Event](/graph/api/resources/event) (calendar meeting), [Message](/graph/api/resources/message) (email), [Contact](/graph/api/resources/contact) | [Microsoft Outlook event types](outlook-events.md) | |Microsoft Teams|[ChatMessage](/graph/api/resources/callrecords-callrecord), [CallRecord](/graph/api/resources/callrecords-callrecord) (meeting) | [Microsoft Teams event types](teams-events.md) | |Microsoft SharePoint and OneDrive| [DriveItem](/graph/api/resources/driveitem)| |
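Review bot: in the event-source table, the **ChatMessage** entry for Microsoft Teams links to `/graph/api/resources/callrecords-callrecord`, the same target as **CallRecord**; ChatMessage is a different Graph resource and should link to its own resource page. The Microsoft Entra ID row keeps the `azure-active-directory-events.md` link target, which is fine, but link text and file name now disagree, so update this row if that file is renamed.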
This article describes steps to subscribe to events published by Microsoft Graph
## Why should I use Microsoft Graph API as a destination? Besides the ability to subscribe to Microsoft Graph API events via Event Grid, you have [other options](/graph/webhooks#receiving-change-notifications) through which you can receive similar notifications (not events). Consider using Microsoft Graph API to deliver events to Event Grid if you have at least one of the following requirements: -- You're developing an event-driven solution that requires events from Azure Active Directory, Outlook, Teams, etc. to react to resource changes. You require the robust eventing model and publish-subscribe capabilities that Event Grid provides. For an overview of Event Grid, see [Event Grid concepts](concepts.md).
+- You're developing an event-driven solution that requires events from Microsoft Entra ID, Outlook, Teams, etc. to react to resource changes. You require the robust eventing model and publish-subscribe capabilities that Event Grid provides. For an overview of Event Grid, see [Event Grid concepts](concepts.md).
- You want to use Event Grid to route events to multiple destinations using a single Graph API subscription and you want to avoid managing multiple Graph API subscriptions. - You require to route events to different downstream applications, webhooks or Azure services depending on some of the properties in the event. For example, you may want to route event types such as `Microsoft.Graph.UserCreated` and `Microsoft.Graph.UserDeleted` to a specialized application that processes users' onboarding and off-boarding. You may also want to send `Microsoft.Graph.UserUpdated` events to another application that syncs contacts information, for example. You can achieve that using a single Graph API subscription when using Event Grid as a notification destination. For more information, see [event filtering](event-filtering.md) and [event handlers](event-handlers.md). - Interoperability is important to you. You want to forward and handle events in a standard way using CNCF's [CloudEvents](https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/spec.md) specification standard, to which Event Grid fully complies.
See the following articles:
- [Best practices for working with Microsoft Graph API](/graph/best-practices-concept) - [Microsoft Graph API SDKs](/graph/sdks/sdks-overview) - [Microsoft Graph API tutorials](/graph/tutorials), which shows how to use Graph API in different programming languages.This doesn't necessarily include examples for sending events to Event Grid.-
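Review bot: the last bullet runs "different programming languages.This doesn't necessarily include examples ..." with no space after the period, and the line ends in a stray "-" that renders as an empty list item; add the space and remove the dangling hyphen.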
event-grid Webhook Event Delivery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-grid/webhook-event-delivery.md
And, follow one of these steps:
Imagine that you already have the validation implemented in your app because you created your own event subscriptions. Even if a hacker creates an event subscription with your app URL, your correct implementation of the validation request event checks for the `aeg-subscription-name` header in the request to ascertain that it's an event subscription that you recognize.
- Even after that correct handshake implementation, a hacker can flood your app (it already validated the event subscription) by replicating a request that seems to be coming from Event Grid. To prevent that, you must secure your webhook with AAD authentication. For more information, see [Deliver events to Azure Active Directory protected endpoints](secure-webhook-delivery.md).
+ Even after that correct handshake implementation, a hacker can flood your app (it already validated the event subscription) by replicating a request that seems to be coming from Event Grid. To prevent that, you must secure your webhook with Microsoft Entra authentication. For more information, see [Deliver events to Microsoft Entra protected endpoints](secure-webhook-delivery.md).
- Or, you can manually validate the subscription by sending a GET request to the validation URL. The event subscription stays in a pending state until validated. The validation Url uses **port 553**. If your firewall rules block port 553, you need to update rules for a successful manual handshake. In your validation of the subscription validation event, if you identify that it isn't an event subscription for which you're expecting events, you wouldn't return a 200 response or no response at all. Hence, the validation fails.
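Review bot: the manual-validation paragraph says "you wouldn't return a 200 response or no response at all", which reads as the opposite of what is meant; it should say that for a subscription you do not recognize you return a non-2xx response (or no response), so the handshake fails. Related: the `aeg-subscription-name` check in the preceding paragraph relies on a header the caller controls, and the text itself concedes that a replicated request defeats it, so the sentence recommending Microsoft Entra authentication is the actual control and should not read like a secondary option.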
event-hubs Authenticate Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/authenticate-application.md
Title: Authenticate an application to access Azure Event Hubs resources
-description: This article provides information about authenticating an application with Azure Active Directory to access Azure Event Hubs resources
+description: This article provides information about authenticating an application with Microsoft Entra ID to access Azure Event Hubs resources
Last updated 02/08/2023
-# Authenticate an application with Azure Active Directory to access Event Hubs resources
-Microsoft Azure provides integrated access control management for resources and applications based on Azure Active Directory (Azure AD). A key advantage of using Azure AD with Azure Event Hubs is that you don't need to store your credentials in the code anymore. Instead, you can request an OAuth 2.0 access token from the Microsoft Identity platform. The resource name to request a token is `https://eventhubs.azure.net/`, and it's the same for all clouds/tenants (For Kafka clients, the resource to request a token is `https://<namespace>.servicebus.windows.net`). Azure AD authenticates the security principal (a user, group, or service principal) running the application. If the authentication succeeds, Azure AD returns an access token to the application, and the application can then use the access token to authorize request to Azure Event Hubs resources.
+# Authenticate an application with Microsoft Entra ID to access Event Hubs resources
+Microsoft Azure provides integrated access control management for resources and applications based on Microsoft Entra ID. A key advantage of using Microsoft Entra ID with Azure Event Hubs is that you don't need to store your credentials in the code anymore. Instead, you can request an OAuth 2.0 access token from the Microsoft identity platform. The resource name to request a token is `https://eventhubs.azure.net/`, and it's the same for all clouds/tenants (For Kafka clients, the resource to request a token is `https://<namespace>.servicebus.windows.net`). Microsoft Entra authenticates the security principal (a user, group, or service principal) running the application. If the authentication succeeds, Microsoft Entra ID returns an access token to the application, and the application can then use the access token to authorize request to Azure Event Hubs resources.
-When a role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of subscription, the resource group, the Event Hubs namespace, or any resource under it. An Azure AD security can assign roles to a user, a group, an application service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
+When a role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of subscription, the resource group, the Event Hubs namespace, or any resource under it. An Microsoft Entra security can assign roles to a user, a group, an application service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
> [!NOTE] > A role definition is a collection of permissions. Azure role-based access control (Azure RBAC) controls how these permissions are enforced through role assignment. A role assignment consists of three elements: security principal, role definition, and scope. For more information, see [Understanding the different roles](../role-based-access-control/overview.md). ## Built-in roles for Azure Event Hubs
-Azure provides the following Azure built-in roles for authorizing access to Event Hubs data using Azure AD and OAuth:
+Azure provides the following Azure built-in roles for authorizing access to Event Hubs data using Microsoft Entra ID and OAuth:
- [Azure Event Hubs Data Owner](../role-based-access-control/built-in-roles.md#azure-event-hubs-data-owner): Use this role to give complete access to Event Hubs resources. - [Azure Event Hubs Data Sender](../role-based-access-control/built-in-roles.md#azure-event-hubs-data-sender): Use this role to give access to Event Hubs resources.
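Review bot: the rename leaves "An Microsoft Entra security can assign roles to a user, a group, ..." with the wrong article and a missing noun (the original "An Azure AD security" was already broken); "A Microsoft Entra administrator can assign roles ..." or similar is needed. The same paragraph switches between "Microsoft Entra authenticates" and "Microsoft Entra ID returns", so settle on one noun. In the roles list, the **Azure Event Hubs Data Sender** bullet reads "Use this role to give access to Event Hubs resources", which is the Data Owner description minus "complete"; say it grants send-only access so readers do not reach for the owner role by default.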
For Schema Registry built-in roles, see [Schema Registry roles](schema-registry-
## Authenticate from an application
-A key advantage of using Azure AD with Event Hubs is that your credentials no longer need to be stored in your code. Instead, you can request an OAuth 2.0 access token from Microsoft identity platform. Azure AD authenticates the security principal (a user, a group, or service principal) running the application. If authentication succeeds, Azure AD returns the access token to the application, and the application can then use the access token to authorize requests to Azure Event Hubs.
+A key advantage of using Microsoft Entra ID with Event Hubs is that your credentials no longer need to be stored in your code. Instead, you can request an OAuth 2.0 access token from Microsoft identity platform. Microsoft Entra authenticates the security principal (a user, a group, or service principal) running the application. If authentication succeeds, Microsoft Entra ID returns the access token to the application, and the application can then use the access token to authorize requests to Azure Event Hubs.
The following sections show you how to configure your native application or web application for authentication with Microsoft identity platform 2.0. For more information about Microsoft identity platform 2.0, see [Microsoft identity platform (v2.0) overview](../active-directory/develop/v2-overview.md).
-For an overview of the OAuth 2.0 code grant flow, see [Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow](../active-directory/develop/v2-oauth2-auth-code-flow.md).
+For an overview of the OAuth 2.0 code grant flow, see [Authorize access to Microsoft Entra web applications using the OAuth 2.0 code grant flow](../active-directory/develop/v2-oauth2-auth-code-flow.md).
-### Register your application with an Azure AD tenant
-The first step in using Azure AD to authorize Event Hubs resources is registering your client application with an Azure AD tenant from the [Azure portal](https://portal.azure.com/). Follow steps in the [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md) to register an application in Azure AD that represents your application trying to access Event Hubs resources.
+<a name='register-your-application-with-an-azure-ad-tenant'></a>
-When you register your client application, you supply information about the application to AD. Azure AD then provides a client ID (also called an application ID) that you can use to associate your application with Azure AD runtime. To learn more about the client ID, see [Application and service principal objects in Azure Active Directory](../active-directory/develop/app-objects-and-service-principals.md).
+### Register your application with a Microsoft Entra tenant
+The first step in using Microsoft Entra ID to authorize Event Hubs resources is registering your client application with a Microsoft Entra tenant from the [Azure portal](https://portal.azure.com/). Follow steps in the [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md) to register an application in Microsoft Entra ID that represents your application trying to access Event Hubs resources.
+
+When you register your client application, you supply information about the application to AD. Microsoft Entra ID then provides a client ID (also called an application ID) that you can use to associate your application with Microsoft Entra runtime. To learn more about the client ID, see [Application and service principal objects in Microsoft Entra ID](../active-directory/develop/app-objects-and-service-principals.md).
> [!Note]
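Review bot: "you supply information about the application to AD" kept the old abbreviation; it should read "to Microsoft Entra ID" like the sentence that follows it. The `<a name='register-your-application-with-an-azure-ad-tenant'></a>` anchor is placed before the renamed heading, which preserves existing links; keep the blank line that was added after it, because an HTML anchor line immediately followed by a `###` line is treated as one HTML block and the heading stops rendering.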
After you've registered your application, you'll see the **Application (client)
### Create a client secret
-The application needs a client secret to prove its identity when requesting a token. Follow steps from [Add a client secret](../active-directory/develop/quickstart-register-app.md#add-a-client-secret) to create a client secret for your app in Azure AD.
+The application needs a client secret to prove its identity when requesting a token. Follow steps from [Add a client secret](../active-directory/develop/quickstart-register-app.md#add-a-client-secret) to create a client secret for your app in Microsoft Entra ID.
## Assign Azure roles using the Azure portal
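Review bot: "Create a client secret" presents a secret as the only way the application proves its identity; since this article's own related-links list points to authenticating with a managed identity, add one sentence here that a certificate credential or, for code running in Azure, a managed identity avoids storing a secret at all, and that a client secret has an expiry that must be tracked and rotated.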
For scenarios where acquiring tokens is supported, see the [Scenarios](https://a
- [Add Azure role assignments using Azure Resource Manager templates](../role-based-access-control/role-assignments-template.md) See the following related articles:-- [Authenticate a managed identity with Azure Active Directory to access Event Hubs Resources](authenticate-managed-identity.md)
+- [Authenticate a managed identity with Microsoft Entra ID to access Event Hubs Resources](authenticate-managed-identity.md)
- [Authenticate requests to Azure Event Hubs using Shared Access Signatures](authenticate-shared-access-signature.md)-- [Authorize access to Event Hubs resources using Azure Active Directory](authorize-access-azure-active-directory.md)
+- [Authorize access to Event Hubs resources using Microsoft Entra ID](authorize-access-azure-active-directory.md)
- [Authorize access to Event Hubs resources using Shared Access Signatures](authorize-access-shared-access-signature.md)
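Review bot: the rename is incomplete in the paragraph beginning "When you register your client application": it still says "you supply information about the application to AD", which should now be "to Microsoft Entra ID", and "associate your application with Microsoft Entra runtime" needs an article ("with the Microsoft Entra runtime"). Since this article walks the reader through creating a client secret, the "Create a client secret" step is also the natural place for a pointer to the managed-identity article already listed under related articles, which avoids storing a credential with the application at all.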
event-hubs Authenticate Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/authenticate-managed-identity.md
Title: Authentication a managed identity with Azure Active Directory
-description: This article provides information about authenticating a managed identity with Azure Active Directory to access Azure Event Hubs resources
+ Title: Authentication a managed identity with Microsoft Entra ID
+description: This article provides information about authenticating a managed identity with Microsoft Entra ID to access Azure Event Hubs resources
Last updated 02/08/2023
-# Authenticate a managed identity with Azure Active Directory to access Event Hubs Resources
-Azure Event Hubs supports Azure Active Directory (Azure AD) authentication with [managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). Managed identities for Azure resources can authorize access to Event Hubs resources using Azure AD credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Azure AD authentication, you can avoid storing credentials with your applications that run in the cloud. This article shows how to authorize access to an event hub by using a managed identity from an Azure VM.
+# Authenticate a managed identity with Microsoft Entra ID to access Event Hubs Resources
+Azure Event Hubs supports Microsoft Entra authentication with [managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md). Managed identities for Azure resources can authorize access to Event Hubs resources using Microsoft Entra credentials from applications running in Azure Virtual Machines (VMs), Function apps, Virtual Machine Scale Sets, and other services. By using managed identities for Azure resources together with Microsoft Entra authentication, you can avoid storing credentials with your applications that run in the cloud. This article shows how to authorize access to an event hub by using a managed identity from an Azure VM.
## Enable managed identities on a VM Before you use managed identities for Azure resources to access Event Hubs resources from your VM, you must first enable managed identities for Azure Resources on the VM. To learn how to enable managed identities for Azure resources, see one of these articles:
Before you use managed identities for Azure resources to access Event Hubs resou
- [Azure Resource Manager template](../active-directory/managed-identities-azure-resources/qs-configure-template-windows-vm.md) - [Azure Resource Manager client libraries](../active-directory/managed-identities-azure-resources/qs-configure-sdk-windows-vm.md)
-## Grant permissions to a managed identity in Azure AD
-To authorize a request to Event Hubs service from a managed identity in your application, first configure Azure role-based access control (Azure RBAC) settings for that managed identity. Azure Event Hubs defines Azure roles that encompass permissions for sending and reading from Event Hubs. When the Azure role is assigned to a managed identity, the managed identity is granted access to Event Hubs data at the appropriate scope. For more information about assigning Azure roles, see [Authenticate with Azure Active Directory for access to Event Hubs resources](authorize-access-azure-active-directory.md).
+<a name='grant-permissions-to-a-managed-identity-in-azure-ad'></a>
+
+## Grant permissions to a managed identity in Microsoft Entra ID
+To authorize a request to Event Hubs service from a managed identity in your application, first configure Azure role-based access control (Azure RBAC) settings for that managed identity. Azure Event Hubs defines Azure roles that encompass permissions for sending and reading from Event Hubs. When the Azure role is assigned to a managed identity, the managed identity is granted access to Event Hubs data at the appropriate scope. For more information about assigning Azure roles, see [Authenticate with Microsoft Entra ID for access to Event Hubs resources](authorize-access-azure-active-directory.md).
## Use Event Hubs with managed identities To use Event Hubs with managed identities, assign an Event Hubs RBAC role at the appropriate scope to the identity. The procedure in this section uses a simple application that runs under a managed identity and accesses Event Hubs resources.
Once the application is created, follow these steps:
:::image type="content" source="./media/authenticate-managed-identity/identity-web-app.png" alt-text="Screenshot of the Identity page showing the status of system-assigned identity set to ON."::: 4. Select **Yes** on the information message.
- Once you've enabled this setting, a new service identity is created in your Azure Active Directory (Azure AD) and configured into the App Service host.
+ Once you've enabled this setting, a new service identity is created in your Microsoft Entra ID and configured into the App Service host.
Now, assign this service identity to a role in the required scope in your Event Hubs resources.
You can use Apache Kafka applications to send messages to and receive messages f
## Next steps - See the following article to learn about managed identities for Azure resources: [What is managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md) - See the following related articles:
- - [Authenticate requests to Azure Event Hubs from an application using Azure Active Directory](authenticate-application.md)
+ - [Authenticate requests to Azure Event Hubs from an application using Microsoft Entra ID](authenticate-application.md)
- [Authenticate requests to Azure Event Hubs using Shared Access Signatures](authenticate-shared-access-signature.md)
- - [Authorize access to Event Hubs resources using Azure Active Directory](authorize-access-azure-active-directory.md)
+ - [Authorize access to Event Hubs resources using Microsoft Entra ID](authorize-access-azure-active-directory.md)
- [Authorize access to Event Hubs resources using Shared Access Signatures](authorize-access-shared-access-signature.md)
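Review bot: the replacement front-matter title "Authentication a managed identity with Microsoft Entra ID" carries over the original grammatical slip; it should read "Authenticate a managed identity with Microsoft Entra ID" so that it matches the H1 changed a few lines further down. In the step under "Use Event Hubs with managed identities", "a new service identity is created in your Microsoft Entra ID" reads oddly because Microsoft Entra ID is a product name; "created in your Microsoft Entra tenant" says what is meant.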
event-hubs Authenticate Shared Access Signature https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/authenticate-shared-access-signature.md
Shared access signature (SAS) gives you granular control over the type of access
This article covers authenticating the access to Event Hubs resources using SAS. To learn about **authorizing** access to Event Hubs resources using SAS, see [this article](authorize-access-shared-access-signature.md). > [!NOTE]
-> Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the shared access signatures, which can be more easily compromised. While you can continue to use shared access signatures (SAS) to grant fine-grained access to your Event Hubs resources, Azure AD offers similar capabilities without the need to manage SAS tokens or worry about revoking a compromised SAS.
+> Microsoft recommends that you use Microsoft Entra credentials when possible as a security best practice, rather than using the shared access signatures, which can be more easily compromised. While you can continue to use shared access signatures (SAS) to grant fine-grained access to your Event Hubs resources, Microsoft Entra ID offers similar capabilities without the need to manage SAS tokens or worry about revoking a compromised SAS.
>
-> For more information about Azure AD integration in Azure Event Hubs, see [Authorize access to Event Hubs using Azure AD](authorize-access-azure-active-directory.md).
+> For more information about Microsoft Entra integration in Azure Event Hubs, see [Authorize access to Event Hubs using Microsoft Entra ID](authorize-access-azure-active-directory.md).
## Configuring for SAS authentication
For example, to define authorization rules scoped down to only sending/publishin
To authenticate back-end applications that consume from the data generated by Event Hubs producers, Event Hubs token authentication requires its clients to either have the **manage** rights or the **listen** privileges assigned to its Event Hubs namespace or event hub instance or topic. Data is consumed from Event Hubs using consumer groups. While SAS policy gives you granular scope, this scope is defined only at the entity level and not at the consumer level. It means that the privileges defined at the namespace level or the event hub instance or topic level will be applied to the consumer groups of that entity. ## Disabling Local/SAS Key authentication
-For certain organizational security requirements, you may have to disable local/SAS key authentication completely and rely on the Azure Active Directory (Azure AD) based authentication, which is the recommended way to connect with Azure Event Hubs. You can disable local/SAS key authentication at the Event Hubs namespace level using Azure portal or Azure Resource Manager template.
+For certain organizational security requirements, you may have to disable local/SAS key authentication completely and rely on the Microsoft Entra ID based authentication, which is the recommended way to connect with Azure Event Hubs. You can disable local/SAS key authentication at the Event Hubs namespace level using Azure portal or Azure Resource Manager template.
### Disabling Local/SAS Key authentication via the portal You can disable local/SAS key authentication for a given Event Hubs namespace using the Azure portal.
See the following articles:
See the following related articles: -- [Authenticate requests to Azure Event Hubs from an application using Azure Active Directory](authenticate-application.md)-- [Authenticate a managed identity with Azure Active Directory to access Event Hubs Resources](authenticate-managed-identity.md)-- [Authorize access to Event Hubs resources using Azure Active Directory](authorize-access-azure-active-directory.md)
+- [Authenticate requests to Azure Event Hubs from an application using Microsoft Entra ID](authenticate-application.md)
+- [Authenticate a managed identity with Microsoft Entra ID to access Event Hubs Resources](authenticate-managed-identity.md)
+- [Authorize access to Event Hubs resources using Microsoft Entra ID](authorize-access-azure-active-directory.md)
- [Authorize access to Event Hubs resources using Shared Access Signatures](authorize-access-shared-access-signature.md)
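Review bot: in the "Disabling Local/SAS Key authentication" paragraph, "rely on the Microsoft Entra ID based authentication" should drop the article and hyphenate the compound modifier: "rely on Microsoft Entra ID-based authentication". The remaining lines of this hunk are a straight rename and read correctly.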
event-hubs Authorize Access Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/authorize-access-azure-active-directory.md
Title: Authorize access with Azure Active Directory
-description: This article provides information on authorizing access to Event Hubs resources using Azure Active Directory.
+ Title: Authorize access with Microsoft Entra ID
+description: This article provides information on authorizing access to Event Hubs resources using Microsoft Entra ID.
Last updated 10/25/2022
-# Authorize access to Event Hubs resources using Azure Active Directory
-Azure Event Hubs supports using Azure Active Directory (Azure AD) to authorize requests to Event Hubs resources. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, or an application service principal. To learn more about roles and role assignments, see [Understanding the different roles](../role-based-access-control/overview.md).
+# Authorize access to Event Hubs resources using Microsoft Entra ID
+Azure Event Hubs supports using Microsoft Entra ID to authorize requests to Event Hubs resources. With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, or an application service principal. To learn more about roles and role assignments, see [Understanding the different roles](../role-based-access-control/overview.md).
## Overview
-When a security principal (a user, or an application) attempts to access an Event Hubs resource, the request must be authorized. With Azure AD, access to a resource is a two-step process.
+When a security principal (a user, or an application) attempts to access an Event Hubs resource, the request must be authorized. With Microsoft Entra ID, access to a resource is a two-step process.
1. First, the security principalΓÇÖs identity is authenticated, and an OAuth 2.0 token is returned. The resource name to request a token is `https://eventhubs.azure.net/`, and it's the same for all clouds/tenants. For Kafka clients, the resource to request a token is `https://<namespace>.servicebus.windows.net`. 1. Next, the token is passed as part of a request to the Event Hubs service to authorize access to the specified resource.
-The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Function app, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to Event Hubs service, see [Authenticate access to Azure Event Hubs resources with Azure Active Directory and managed identities for Azure Resources](authenticate-managed-identity.md).
+The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Function app, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to Event Hubs service, see [Authenticate access to Azure Event Hubs resources with Microsoft Entra ID and managed identities for Azure Resources](authenticate-managed-identity.md).
The authorization step requires that one or more Azure roles be assigned to the security principal. Azure Event Hubs provides Azure roles that encompass sets of permissions for Event Hubs resources. The roles that are assigned to a security principal determine the permissions that the principal will have. For more information about Azure roles, see [Azure built-in roles for Azure Event Hubs](#azure-built-in-roles-for-azure-event-hubs).
-Native applications and web applications that make requests to Event Hubs can also authorize with Azure AD. To learn how to request an access token and use it to authorize requests for Event Hubs resources, see [Authenticate access to Azure Event Hubs with Azure AD from an application](authenticate-application.md).
+Native applications and web applications that make requests to Event Hubs can also authorize with Microsoft Entra ID. To learn how to request an access token and use it to authorize requests for Event Hubs resources, see [Authenticate access to Azure Event Hubs with Microsoft Entra ID from an application](authenticate-application.md).
## Assign Azure roles for access rights
-Azure Active Directory (Azure AD) authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md). Azure Event Hubs defines a set of Azure built-in roles that encompass common sets of permissions used to access event hub data and you can also define custom roles for accessing the data.
+Microsoft Entra authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md). Azure Event Hubs defines a set of Azure built-in roles that encompass common sets of permissions used to access event hub data and you can also define custom roles for accessing the data.
-When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of subscription, the resource group, the Event Hubs namespace, or any resource under it. An Azure AD security principal may be a user, or an application service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
+When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of subscription, the resource group, the Event Hubs namespace, or any resource under it. A Microsoft Entra security principal may be a user, or an application service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
## Azure built-in roles for Azure Event Hubs
-Azure provides the following Azure built-in roles for authorizing access to Event Hubs data using Azure AD and OAuth:
+Azure provides the following Azure built-in roles for authorizing access to Event Hubs data using Microsoft Entra ID and OAuth:
| Role | Description | | - | -- |
For more information about how built-in roles are defined, see [Understand role
## Next steps-- Learn how to assign an Azure built-in role to a security principal, see [Authenticate access to Event Hubs resources using Azure Active Directory](authenticate-application.md).
+- Learn how to assign an Azure built-in role to a security principal, see [Authenticate access to Event Hubs resources using Microsoft Entra ID](authenticate-application.md).
- Learn [how to create custom roles with Azure RBAC](https://github.com/Azure/azure-event-hubs/tree/master/samples/DotNet/Microsoft.Azure.EventHubs/Rbac/CustomRole).-- Learn [how to use Azure Active Directory with EH](https://github.com/Azure/azure-event-hubs/tree/master/samples/DotNet/Microsoft.Azure.EventHubs/Rbac/AzureEventHubsSDK)
+- Learn [how to use Microsoft Entra ID with EH](https://github.com/Azure/azure-event-hubs/tree/master/samples/DotNet/Microsoft.Azure.EventHubs/Rbac/AzureEventHubsSDK)
See the following related articles: -- [Authenticate requests to Azure Event Hubs from an application using Azure Active Directory](authenticate-application.md)-- [Authenticate a managed identity with Azure Active Directory to access Event Hubs Resources](authenticate-managed-identity.md)
+- [Authenticate requests to Azure Event Hubs from an application using Microsoft Entra ID](authenticate-application.md)
+- [Authenticate a managed identity with Microsoft Entra ID to access Event Hubs Resources](authenticate-managed-identity.md)
- [Authenticate requests to Azure Event Hubs using Shared Access Signatures](authenticate-shared-access-signature.md) - [Authorize access to Event Hubs resources using Shared Access Signatures](authorize-access-shared-access-signature.md)
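Review bot: two link texts in this hunk no longer match the titles of the articles they point to. "Authenticate access to Azure Event Hubs resources with Microsoft Entra ID and managed identities for Azure Resources" links to authenticate-managed-identity.md, whose H1 in this same change set is "Authenticate a managed identity with Microsoft Entra ID to access Event Hubs Resources", and under "Next steps" the text "Authenticate access to Event Hubs resources using Microsoft Entra ID" links to authenticate-application.md, which the related-articles list two lines later calls "Authenticate requests to Azure Event Hubs from an application using Microsoft Entra ID". Using the target titles lets readers tell the two articles apart. Also, "Microsoft Entra authorizes access rights to secured resources" at the start of "Assign Azure roles for access rights" should be "Microsoft Entra ID authorizes" for consistency with the rest of the hunk.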
event-hubs Authorize Access Event Hubs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/authorize-access-event-hubs.md
Every time you publish or consume events from an event hub, your client is tryin
Azure Event Hubs offers the following options for authorizing access to secure resources: -- Azure Active Directory
+- Microsoft Entra ID
- Shared access signature > [!NOTE] > This article applies to both Event Hubs and [Apache Kafka](azure-event-hubs-kafka-overview.md) scenarios.
-## Azure Active Directory
-Azure Active Directory (Azure AD) integration with Event Hubs resources provides Azure role-based access control (Azure RBAC) for fine-grained control over a client's access to resources. You can use Azure RBAC to grant permissions to security principal, which may be a user, a group, or an application service principal. Azure AD authenticates the security principal and returns an OAuth 2.0 token. The token can be used to authorize a request to access an Event Hubs resource.
+<a name='azure-active-directory'></a>
-For more information about authenticating with Azure AD, see the following articles:
+## Microsoft Entra ID
+Microsoft Entra integration with Event Hubs resources provides Azure role-based access control (Azure RBAC) for fine-grained control over a client's access to resources. You can use Azure RBAC to grant permissions to security principal, which may be a user, a group, or an application service principal. Microsoft Entra authenticates the security principal and returns an OAuth 2.0 token. The token can be used to authorize a request to access an Event Hubs resource.
-- [Authenticate requests to Azure Event Hubs using Azure AD](authenticate-application.md)-- [Authorize access to Event Hubs resources using Azure AD](authorize-access-azure-active-directory.md).
+For more information about authenticating with Microsoft Entra ID, see the following articles:
+
+- [Authenticate requests to Azure Event Hubs using Microsoft Entra ID](authenticate-application.md)
+- [Authorize access to Event Hubs resources using Microsoft Entra ID](authorize-access-azure-active-directory.md).
## Shared access signatures Shared access signatures (SAS) for Event Hubs resources provide limited delegated access to Event Hubs resources. Adding constraints on time interval for which the signature is valid or on permissions it grants provides flexibility in managing resources. For more information, see [Authenticate using shared access signatures (SAS)](authenticate-shared-access-signature.md).
-Authorizing users or applications using an OAuth 2.0 token returned by Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there's no need to store the access tokens with your code and risk potential security vulnerabilities. While you can continue to use shared access signatures (SAS) to grant fine-grained access to Event Hubs resources, Azure AD offers similar capabilities without the need to manage SAS tokens or worry about revoking a compromised SAS.
+Authorizing users or applications using an OAuth 2.0 token returned by Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there's no need to store the access tokens with your code and risk potential security vulnerabilities. While you can continue to use shared access signatures (SAS) to grant fine-grained access to Event Hubs resources, Microsoft Entra ID offers similar capabilities without the need to manage SAS tokens or worry about revoking a compromised SAS.
-By default, all Event Hubs resources are secured, and are available only to the account owner. Although you can use any of the authorization strategies outlined above to grant clients access to Event Hubs resources. Microsoft recommends using Azure AD when possible for maximum security and ease of use.
+By default, all Event Hubs resources are secured, and are available only to the account owner. Although you can use any of the authorization strategies outlined above to grant clients access to Event Hubs resources. Microsoft recommends using Microsoft Entra ID when possible for maximum security and ease of use.
For more information about authorization using SAS, see [Authorizing access to Event Hubs resources using Shared Access Signatures](authorize-access-shared-access-signature.md). ## Next steps - Review [Azure RBAC samples](https://github.com/Azure/azure-event-hubs/tree/master/samples/DotNet/Microsoft.Azure.EventHubs/Rbac) published in our GitHub repository. - See the following articles:
- - [Authenticate requests to Azure Event Hubs from an application using Azure Active Directory](authenticate-application.md)
- - [Authenticate a managed identity with Azure Active Directory to access Event Hubs Resources](authenticate-managed-identity.md)
+ - [Authenticate requests to Azure Event Hubs from an application using Microsoft Entra ID](authenticate-application.md)
+ - [Authenticate a managed identity with Microsoft Entra ID to access Event Hubs Resources](authenticate-managed-identity.md)
- [Authenticate requests to Azure Event Hubs using Shared Access Signatures](authenticate-shared-access-signature.md)
- - [Authorize access to Event Hubs resources using Azure Active Directory](authorize-access-azure-active-directory.md)
+ - [Authorize access to Event Hubs resources using Microsoft Entra ID](authorize-access-azure-active-directory.md)
- [Authorize access to Event Hubs resources using Shared Access Signatures](authorize-access-shared-access-signature.md)-
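Review bot: under the new "Microsoft Entra ID" heading, "Microsoft Entra authenticates the security principal" should be "Microsoft Entra ID authenticates", and "grant permissions to security principal" needs an article ("to a security principal"). In the comparison paragraph, "there's no need to store the access tokens with your code" misstates the benefit: the OAuth 2.0 access token is acquired at runtime in either model, and what Microsoft Entra ID removes is the need to keep a long-lived shared access key with the application, which is how the managed-identity article in this same change set puts it ("avoid storing credentials with your applications"). Suggest "there's no need to store a shared access key with your code".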
event-hubs Authorize Access Shared Access Signature https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/authorize-access-shared-access-signature.md
A shared access signature (SAS) provides delegated access to Event Hubs resource
SAS is a claim-based authorization mechanism using simple tokens. When you use SAS, keys are never passed on the wire. Keys are used to cryptographically sign information that can later be verified by the service. SAS can be used similar to a username and password scheme where the client is in immediate possession of an authorization rule name and a matching key. SAS can be used similar to a federated security model, where the client receives a time-limited and signed access token from a security token service without ever coming into possession of the signing key. > [!NOTE]
-> Azure Event Hubs also supports authorizing to Event Hubs resources using Azure Active Directory (Azure AD). Authorizing users or applications using OAuth 2.0 token returned by Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there is no need to store the tokens in your code and risk potential security vulnerabilities.
+> Azure Event Hubs also supports authorizing to Event Hubs resources using Microsoft Entra ID. Authorizing users or applications using OAuth 2.0 token returned by Microsoft Entra ID provides superior security and ease of use over shared access signatures (SAS). With Microsoft Entra ID, there is no need to store the tokens in your code and risk potential security vulnerabilities.
>
-> Microsoft recommends using Azure AD with your Azure Event Hubs applications when possible. For more information, see [Authorize access to Azure Event Hubs resource using Azure Active Directory](authorize-access-azure-active-directory.md).
+> Microsoft recommends using Microsoft Entra ID with your Azure Event Hubs applications when possible. For more information, see [Authorize access to Azure Event Hubs resource using Microsoft Entra ID](authorize-access-azure-active-directory.md).
> [!IMPORTANT] > SAS (Shared Access Signatures) tokens are critical to protect your resources. While providing granularity, SAS grants clients access to your Event Hubs resources. They should not be shared publicly. When sharing, if required for troubleshooting reasons, consider using a reduced version of any log files or deleting the SAS tokens (if present) from the log files, and make sure the screenshots donΓÇÖt contain the SAS information either.
Share access signatures are useful for providing limited permissions to Event Hu
## Next steps See the following related articles: -- [Authenticate requests to Azure Event Hubs from an application using Azure Active Directory](authenticate-application.md)-- [Authenticate a managed identity with Azure Active Directory to access Event Hubs Resources](authenticate-managed-identity.md)
+- [Authenticate requests to Azure Event Hubs from an application using Microsoft Entra ID](authenticate-application.md)
+- [Authenticate a managed identity with Microsoft Entra ID to access Event Hubs Resources](authenticate-managed-identity.md)
- [Authenticate requests to Azure Event Hubs using Shared Access Signatures](authenticate-shared-access-signature.md)-- [Authorize access to Event Hubs resources using Azure Active Directory](authorize-access-azure-active-directory.md)--
+- [Authorize access to Event Hubs resources using Microsoft Entra ID](authorize-access-azure-active-directory.md)
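Review bot: the note in this hunk keeps two pre-existing grammar slips that the rename was a chance to fix: "authorizing to Event Hubs resources" should be "authorizing access to Event Hubs resources", and "using OAuth 2.0 token returned by Microsoft Entra ID" needs an article ("an OAuth 2.0 token"). In the same paragraph, "there is no need to store the tokens in your code" names the wrong artifact; tokens are obtained at runtime, and what is no longer stored in code is the shared access key that signs SAS tokens, as the opening of this article describes. The link text "Authorize access to Azure Event Hubs resource using Microsoft Entra ID" should be "resources" and should match the target article's title, "Authorize access to Event Hubs resources using Microsoft Entra ID".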
event-hubs Azure Event Hubs Kafka Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/azure-event-hubs-kafka-overview.md
Azure Event Hubs provides multiple options to authorize access to your secure re
- Shared access signature (SAS) ### OAuth 2.0
-Event Hubs integrates with Azure Active Directory (Azure AD), which provides an **OAuth 2.0** compliant centralized authorization server. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant fine grained permissions to your client identities. You can use this feature with your Kafka clients by specifying **SASL_SSL** for the protocol and **OAUTHBEARER** for the mechanism. For details about Azure roles and levels for scoping access, see [Authorize access with Azure AD](authorize-access-azure-active-directory.md).
+Event Hubs integrates with Microsoft Entra ID, which provides an **OAuth 2.0** compliant centralized authorization server. With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant fine grained permissions to your client identities. You can use this feature with your Kafka clients by specifying **SASL_SSL** for the protocol and **OAUTHBEARER** for the mechanism. For details about Azure roles and levels for scoping access, see [Authorize access with Microsoft Entra ID](authorize-access-azure-active-directory.md).
```properties bootstrap.servers=NAMESPACENAME.servicebus.windows.net:9093
event-hubs Configure Customer Managed Key https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/configure-customer-managed-key.md
After you enable customer-managed keys, you need to associate the customer manag
## Managed identities There are two types of managed identities that you can assign to an Event Hubs namespace. -- **System-assigned**: You can enable a managed identity directly on an Event Hubs namespace. When you enable a system-assigned managed identity, an identity is created in Azure AD that's tied to the lifecycle of that Event Hubs namespace. So when the namespace is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource (namespace) can use this identity to request tokens from Azure AD.
+- **System-assigned**: You can enable a managed identity directly on an Event Hubs namespace. When you enable a system-assigned managed identity, an identity is created in Microsoft Entra that's tied to the lifecycle of that Event Hubs namespace. So when the namespace is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource (namespace) can use this identity to request tokens from Microsoft Entra ID.
- **User-assigned**: You may also create a managed identity as a standalone Azure resource, which is called user-assigned identity. You can create a user-assigned managed identity and assign it to one or more Event Hubs namespaces. In the case of user-assigned managed identities, the identity is managed separately from the resources that use it. They are not tied to the lifecycle of the namespace. You can explicitly delete a user-assigned identity when you no longer need it. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md).
Setting diagnostic logs for BYOK enabled namespaces gives you the required infor
## Next steps See the following articles: - [Event Hubs overview](event-hubs-about.md)-- [Key Vault overview](../key-vault/general/overview.md)
+- [Key Vault overview](../key-vault/general/overview.md)
event-hubs Connect Event Hub https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/connect-event-hub.md
private static string createToken(string resourceUri, string keyName, string key
} ```
-## Connect using Azure AD application
+<a name='connect-using-azure-ad-application'></a>
-1. Create an Azure AD application.
-1. Assign application's service principal to the appropriate [role-based access control (RBAC) role](authorize-access-azure-active-directory.md#azure-built-in-roles-for-azure-event-hubs) (owner, sender, or receiver). For more information, see [Authorize access with Azure Active Directory](authorize-access-azure-active-directory.md).
+## Connect using Microsoft Entra application
+
+1. Create a Microsoft Entra application.
+1. Assign application's service principal to the appropriate [role-based access control (RBAC) role](authorize-access-azure-active-directory.md#azure-built-in-roles-for-azure-event-hubs) (owner, sender, or receiver). For more information, see [Authorize access with Microsoft Entra ID](authorize-access-azure-active-directory.md).
```csharp var clientSecretCredential = new ClientSecretCredential("TENANTID", "CLIENTID", "CLIENTSECRET");
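Review bot: Grammar in the second numbered step under the renamed heading: "Assign application's service principal" should read "Assign the application's service principal". Keeping the `<a name='connect-using-azure-ad-application'></a>` anchor above the new heading is the right call, since existing links to the old fragment keep resolving. One more check while this section is open: the `ClientSecretCredential("TENANTID", "CLIENTID", "CLIENTSECRET")` snippet that follows uses placeholder literals, and a short sentence telling readers to load these from configuration rather than source would fit here.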
event-hubs Event Hubs About https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-about.md
Last updated 10/09/2023
Azure Event Hubs is a cloud native data streaming service that can stream millions of events per second, with low latency, from any source to any destination. Event Hubs is compatible with Apache Kafka, and it enables you to run existing Kafka workloads without any code changes. Using Event Hubs to ingest and store streaming data, businesses can harness the power of streaming data to gain valuable insights, drive real-time analytics, and respond to events as they happen, enhancing overall efficiency and customer experience.
- :::image type="content" source="./media/event-hubs-about/event-streaming-platform.png" alt-text="Diagram that shows how Azure Event Hubs fits in an event streaming platform.":::
+ Azure Event Hubs is the preferred event ingestion layer of any event streaming solution that you build on top of Azure. It seamlessly integrates with data and analytics services inside and outside Azure to build your complete data streaming pipeline to serve following use cases. - [Real-time analytics with Azure Stream Analytics](./process-data-azure-stream-analytics.md) to generate real-time insights from streaming data. -- Analyze and explore streaming data with Azure Data Explorer.
+- [Analyze and explore streaming data with Azure Data Explorer](/azure/data-explorer/ingest-data-event-hub-overview).
- Create your own cloud native applications, functions, or microservices that run on streaming data from Event Hubs.-- Stream events with schema validation using a built-in schema registry to ensure quality and compatibility of streaming data.
+- [Stream events with schema validation using a built-in schema registry to ensure quality and compatibility of streaming data](schema-registry-overview.md).
+
+## Key capabilities
-## Key capabilities?
### Apache Kafka on Azure Event Hubs
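Review bot: In the added intro paragraph, "to serve following use cases" is missing an article ("to serve the following use cases"). The same hunk drops the event-streaming-platform diagram and replaces it with this text; confirm the image removal is intentional, since its alt text was the only place describing how Event Hubs fits into the wider platform.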
-Azure Event Hubs is a multi-protocol event streaming engine that natively supports AMQP, Apache Kafka and HTTPs protocols. Since it supports Apache Kafka, you bring Kafka workloads to Azure Event Hubs without doing any code change. You don't need to set up, configure, and manage your own Kafka clusters or use some Kafka-as-a-Service offering not native to Azure.
+Azure Event Hubs is a multi-protocol event streaming engine that natively supports AMQP, Apache Kafka, and HTTPs protocols. Since it supports Apache Kafka, you bring Kafka workloads to Azure Event Hubs without doing any code change. You don't need to set up, configure, and manage your own Kafka clusters or use a Kafka-as-a-Service offering that's not native to Azure.
-Event Hubs is built from the ground up as a cloud native broker engine. Hence you can run Kafka workloads with better performance, better cost efficiency and with no operational overhead.
+Event Hubs is built from the ground up as a cloud native broker engine. Hence, you can run Kafka workloads with better performance, better cost efficiency and with no operational overhead.
+
+For more information, see [Azure Event Hubs for Apache Kafka](azure-event-hubs-kafka-overview.md).
### Schema Registry in Azure Event Hubs Azure Schema Registry in Event Hubs provides a centralized repository for managing schemas of events streaming applications. Azure Schema Registry comes free with every Event Hubs namespace, and it integrates seamlessly with your Kafka applications or Event Hubs SDK based applications. :::image type="content" source="./media/event-hubs-about/schema-registry.png" alt-text="Diagram that shows Schema Registry and Azure Event Hubs integration.":::
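Review bot: "HTTPs" in the edited Apache Kafka paragraph should be "HTTPS"; the diff touches this line but keeps the typo. "without doing any code change" would also read better as "without any code changes", matching the wording used in the intro.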
+It ensures data compatibility and consistency across event producers and consumers. Schema Registry enables seamless schema evolution, validation, and governance, and promoting efficient data exchange and interoperability.
+
+Schema Registry seamlessly integrates with your existing Kafka applications and it supports multiple schema formats including Avro and JSON Schemas.
-It ensures data compatibility and consistency across event producers and consumers. Schema Registry enables seamless schema evolution, validation, and governance, and promoting efficient data exchange and interoperability.
-Schema Registry seamlessly integrates with your existing Kafka applications and it supports multiple schema definitions formats including Avro and JSON Schemas.
+For more information, see [Azure Schema Registry in Event Hubs](schema-registry-overview.md).
-### Real-time event stream processing with Azure Stream Analytics
+### Real-time processing of streaming events with Azure Stream Analytics
Event Hubs integrates seamlessly with Azure Stream Analytics to enable real-time stream processing. With the built-in no-code editor, you can effortlessly develop a Stream Analytics job using drag-and-drop functionality, without writing any code. :::image type="content" source="../stream-analytics/media/filter-ingest-data-lake-storage-gen2/filter-data-lake-gen2-card-start.png" alt-text="Diagram that shows Stream Analytics no code editor templates."::: Alternatively, developers can use the SQL-based Stream Analytics query language to perform real-time stream processing and take advantage of a wide range of functions for analyzing streaming data.
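Review bot: The reordered Schema Registry paragraph keeps a grammatical slip: "enables seamless schema evolution, validation, and governance, and promoting efficient data exchange" should be "... and governance, and promotes efficient data exchange ...".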
+For more information, see articles in [the Azure Stream Analytics integration section](../stream-analytics/no-code-build-power-bi-dashboard.md) of the table of contents.
+ ### Exploring streaming data with Azure Data Explorer Azure Data Explorer is a fully managed platform for big data analytics that delivers high performance and allows for the analysis of large volumes of data in near real time. By integrating Event Hubs with Azure Data Explorer, you can easily perform near real-time analytics and exploration of streaming data. :::image type="content" source="./media/event-hubs-about/data-explorer-integration.png" alt-text="Diagram that shows Azure Data explorer query and output.":::
+For more information, see [Ingest data from an event hub into Azure Data Explorer](/azure/data-explorer/ingest-data-event-hub-overview) and articles in the same section.
+
+### Rich ecosystemΓÇô Azure functions, SDKs, and Kafka ecosystem
+Ingest, buffer, store, and process your stream in real time to get actionable insights. Event Hubs uses a partitioned consumer model, enabling multiple applications to process the stream concurrently and letting you control the speed of processing. Azure Event Hubs also integrates with Azure Functions for serverless architectures.
-### Rich ecosystemΓÇô Azure functions, SDKs and Kafka ecosystem
-Ingest, buffer, store, and process your stream in real time to get actionable insights. Event Hubs uses a partitioned consumer model, enabling multiple applications to process the stream concurrently and letting you control the speed of processing. Azure Event Hubs also integrates with Azure Functions for a serverless architecture.
With a broad ecosystem available for the industry-standard AMQP 1.0 protocol and SDKs available in various languages: .NET, Java, Python, JavaScript, you can easily start processing your streams from Event Hubs. All supported client languages provide low-level integration.
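Review bot: The "Rich ecosystem" heading shows "ecosystemΓÇô Azure functions" in both the removed and added lines: the en dash appears mis-decoded (UTF-8 bytes for "–" read as single-byte text) and there is no space before it. Since the line is being edited anyway, confirm the file is saved as UTF-8 and write "Rich ecosystem – Azure Functions, SDKs, and Kafka ecosystem"; "Azure functions" should also be capitalized as the product name "Azure Functions", as it is in the sentence that follows.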
-The ecosystem also provides you with seamless integration Azure Functions, Azure Spring Apps, Kafka Connectors and other data analytics platforms and technologies such as Apache Spark and Apache Flink.
+The ecosystem also provides you with seamless integration Azure Functions, Azure Spring Apps, Kafka Connectors, and other data analytics platforms and technologies such as Apache Spark and Apache Flink.
### Flexible and cost-efficient event streaming You can experience flexible and cost-efficient event streaming through Event Hubs' diverse selection of tiers ΓÇô including Standard, Premium, and Dedicated. These options cater to data streaming needs ranging from a few MB/s to several GB/s, allowing you to choose the perfect match for your requirements. ### Scalable
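Review bot: The edited ecosystem sentence is still missing a preposition: "seamless integration Azure Functions, Azure Spring Apps, ..." should be "seamless integration with Azure Functions, Azure Spring Apps, ...". The tiers paragraph in the following context line shows the same "ΓÇô" dash artifact ("tiers ΓÇô including"), so the encoding check applies to the whole file, not just the heading.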
-With Event Hubs, you can start with data streams in megabytes, and grow to gigabytes or terabytes. The [Autoinflate](event-hubs-auto-inflate.md) feature is one of the many options available to scale the number of throughput units or processing units to meet your usage needs.
+With Event Hubs, you can start with data streams in megabytes, and grow to gigabytes or terabytes. The [Auto inflate](event-hubs-auto-inflate.md) feature is one of the many options available to scale the number of throughput units or processing units to meet your usage needs.
### Capture streaming data for long term retention and batch analytics Capture your data in near-real time in an Azure Blob storage or Azure Data Lake Storage for long-term retention or micro-batch processing. You can achieve this behavior on the same stream you use for deriving real-time analytics. Setting up capture of event data is fast. + ## How it works? Event Hubs provides a unified event streaming platform with time retention buffer, decoupling event producers from event consumers. The producers and consumer applications can perform large scale data ingestion through multiple protocols. The following figure shows the key components of Event Hubs architecture:+ :::image type="content" source="./media/event-hubs-about/components.png" alt-text="Diagram that shows the main components of Event Hubs.":::+ The key functional components of Event Hubs include: -- **Event Hub/Kafka topic**: In Event Hubs, you can organize events into event hubs or Kafka topic. It's an append only distributed log, which can comprise of one or more partitions. -- **Partitions** are used to scale an event hub. They are like lanes in a freeway. If you need more streaming throughput, you need to add more partitions.+ - **Producer applications** can ingest data to an event hub using Event Hubs SDKs or any Kafka producer client. -- **Consumer applications** consume data by seeking through the event log and maintaining consumer offset. Consumers can be based on Kafka consumer clients or Event Hubs SDK as well. -- **Consumer Group** is a logical group of consumer instances that reads data from an event hub/Kafka topic. It enables multiple consumers to read the same streaming data in an event hub independently at their own pace and with their own offsets. - **Namespace** is the management container for one or more event hubs or Kafka topics. The management tasks such as allocating streaming capacity, configuring network security, enabling Geo Disaster recovery etc. 
are handled at the namespace level. -
+- **Event Hub/Kafka topic**: In Event Hubs, you can organize events into an event hub or a Kafka topic. It's an append only distributed log, which can comprise of one or more partitions.
+- **Partitions** are used to scale an event hub. They are like lanes in a freeway. If you need more streaming throughput, you need to add more partitions.
+- **Consumer applications** consume data by seeking through the event log and maintaining consumer offset. Consumers can be Kafka consumer clients or Event Hubs SDK clients.
+- **Consumer Group** is a logical group of consumer instances that reads data from an event hub/Kafka topic. It enables multiple consumers to read the same streaming data in an event hub independently at their own pace and with their own offsets.
## Next steps
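Review bot: Two points in the "How it works" hunk. First, the heading keeps its question mark ("## How it works?") while this same change removes it from "Key capabilities"; make the two consistent. Second, the re-added **Event Hub/Kafka topic** bullet still says "can comprise of one or more partitions"; "comprise" takes a direct object, so write "can comprise one or more partitions" or "consists of one or more partitions". Also, the **Producer applications** and **Namespace** bullets stay in place while the other four are re-added after them, so check that the rendered bullet order still follows the intended event hub, partition, producer, consumer flow.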
event-hubs Event Hubs Capture Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-capture-managed-identity.md
The default authentication method is to use Shared Access Signature(SAS) to acce
With this approach, you can capture data to destinations resources that are in the same subscription only. ## Use Managed Identity
-With [managed identity](../active-directory/managed-identities-azure-resources/overview.md), users can seamlessly capture data to a preferred destination by using Azure Active Directory based authentication and authorization.
+With [managed identity](../active-directory/managed-identities-azure-resources/overview.md), users can seamlessly capture data to a preferred destination by using Microsoft Entra ID based authentication and authorization.
:::image type="content" source="./media/event-hubs-capture-overview/event-hubs-capture-msi.png" alt-text="Image showing capturing of Event Hubs data into Azure Storage or Azure Data Lake Storage using Managed Identity":::
For example, following ARM template can be used to create an event hub with capt
} ] ```-
event-hubs Event Hubs Dotnet Standard Getstarted Send https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-dotnet-standard-getstarted-send.md
In this quickstart, you use Azure Storage as the checkpoint store. Follow these
1. [Create an Azure Storage account](../storage/common/storage-account-create.md?tabs=azure-portal) 2. [Create a blob container](../storage/blobs/storage-quickstart-blobs-portal.md#create-a-container)
-3. Authenticate to the blob container using either Azure AD (passwordless) authentication or a connection string to the namespace.
+3. Authenticate to the blob container using either Microsoft Entra ID (passwordless) authentication or a connection string to the namespace.
[!INCLUDE [storage-checkpoint-store-recommendations](./includes/storage-checkpoint-store-recommendations.md)]
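Review bot: Step 3 of the checkpoint-store list now reads "Authenticate to the blob container using either Microsoft Entra ID (passwordless) authentication or a connection string to the namespace". The two preceding steps create a Storage account and a blob container, so the connection string in question would be the storage account's, not the Event Hubs namespace's; confirm and reword to "a connection string to the storage account" while this line is being touched.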
event-hubs Event Hubs Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-features.md
An Event Hubs namespace is a management container for event hubs (or topics, in
## Event publishers
-Any entity that sends data to an event hub is an *event publisher* (synonymously used with *event producer*). Event publishers can publish events using HTTPS or AMQP 1.0 or the Kafka protocol. Event publishers use Azure Active Directory based authorization with OAuth2-issued JWT tokens or an Event Hub-specific Shared Access Signature (SAS) token to gain publishing access.
+Any entity that sends data to an event hub is an *event publisher* (synonymously used with *event producer*). Event publishers can publish events using HTTPS or AMQP 1.0 or the Kafka protocol. Event publishers use Microsoft Entra ID based authorization with OAuth2-issued JWT tokens or an Event Hub-specific Shared Access Signature (SAS) token to gain publishing access.
### Publishing an event
Event data:
It's your responsibility to manage the offset. ## Application groups
-An application group is a collection of client applications that connect to an Event Hubs namespace sharing a unique identifying condition such as the security context - shared access policy or Azure Active Directory (Azure AD) application ID.
+An application group is a collection of client applications that connect to an Event Hubs namespace sharing a unique identifying condition such as the security context - shared access policy or Microsoft Entra application ID.
Azure Event Hubs enables you to define resource access policies such as throttling policies for a given application group and controls event streaming (publishing or consuming) between client applications and Event Hubs.
event-hubs Event Hubs Geo Dr https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-geo-dr.md
The Geo-Disaster recovery feature ensures that the entire configuration of a nam
> [!IMPORTANT] > - The feature enables instantaneous continuity of operations with the same configuration, but **does not replicate the event data**. Unless the disaster caused the loss of all zones, the event data that is preserved in the primary Event Hub after failover will be recoverable and the historic events can be obtained from there once access is restored. For replicating event data and operating corresponding namespaces in active/active configurations to cope with outages and disasters, don't lean on this Geo-disaster recovery feature set, but follow the [replication guidance](event-hubs-federation-overview.md).
-> - Azure Active Directory (Azure AD) role-based access control (RBAC) assignments to entities in the primary namespace aren't replicated to the secondary namespace. Create role assignments manually in the secondary namespace to secure access to them.
+> - Microsoft Entra role-based access control (RBAC) assignments to entities in the primary namespace aren't replicated to the secondary namespace. Create role assignments manually in the secondary namespace to secure access to them.
## Outages and disasters
Advantage of this approach is that failover can happen at the application layer
> For guidance on geo-disaster recovery of a virtual network, see [Virtual Network - Business Continuity](../virtual-network/virtual-network-disaster-recovery-guidance.md). ## Role-based access control
-Azure Active Directory (Azure AD) role-based access control (RBAC) assignments to entities in the primary namespace aren't replicated to the secondary namespace. Create role assignments manually in the secondary namespace to secure access to them.
+Microsoft Entra role-based access control (RBAC) assignments to entities in the primary namespace aren't replicated to the secondary namespace. Create role assignments manually in the secondary namespace to secure access to them.
## Next steps Review the following samples or reference documentation.
event-hubs Event Hubs Ip Filtering https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-ip-filtering.md
The API version **2021-06-01-preview onwards** also introduces a new property na
For more information about these properties, see [Create or Update Network Rule Set](/rest/api/eventhub/controlplane-preview/namespaces-network-rule-set/create-or-update-network-rule-set) and [Create or Update Private Endpoint Connections](/rest/api/eventhub/controlplane-preview/private-endpoint-connections/create-or-update). > [!NOTE]
-> None of the above settings bypass validation of claims via SAS or Azure AD authentication. The authentication check always runs after the service validates the network checks that are configured by `defaultAction`, `publicNetworkAccess`, `privateEndpointConnections` settings.
+> None of the above settings bypass validation of claims via SAS or Microsoft Entra authentication. The authentication check always runs after the service validates the network checks that are configured by `defaultAction`, `publicNetworkAccess`, `privateEndpointConnections` settings.
### Azure portal
For constraining access to Event Hubs to Azure virtual networks, see the followi
[lnk-deploy]: ../azure-resource-manager/templates/deploy-powershell.md [lnk-vnet]: event-hubs-service-endpoints.md--
event-hubs Event Hubs Management Libraries https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-management-libraries.md
You can use the Azure Event Hubs management libraries to dynamically provision E
## Prerequisites
-To get started using the Event Hubs management libraries, you must authenticate with Azure Active Directory (Azure AD). Azure AD requires that you authenticate as a service principal, which provides access to your Azure resources. For information about creating a service principal, see one of these articles:
+To get started using the Event Hubs management libraries, you must authenticate with Microsoft Entra ID. Microsoft Entra ID requires that you authenticate as a service principal, which provides access to your Azure resources. For information about creating a service principal, see one of these articles:
* [Use the Azure portal to create Active Directory application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md) * [Use Azure PowerShell to create a service principal to access resources](../active-directory/develop/howto-authenticate-service-principal-powershell.md) * [Use Azure CLI to create a service principal to access resources](/cli/azure/create-an-azure-service-principal-azure-cli)
-These tutorials provide you with an `AppId` (Client ID), `TenantId`, and `ClientSecret` (authentication key), all of which are used for authentication by the management libraries. The Azure AD application must be added to the **Azure Event Hubs Data Owner** role at the resource group level.
+These tutorials provide you with an `AppId` (Client ID), `TenantId`, and `ClientSecret` (authentication key), all of which are used for authentication by the management libraries. The Microsoft Entra application must be added to the **Azure Event Hubs Data Owner** role at the resource group level.
## Sample code The pattern to manipulate any Event Hubs resource follows a common protocol:
-1. Obtain a token from Azure AD using the `Microsoft.Identity.Client` library.
+1. Obtain a token from Microsoft Entra ID using the `Microsoft.Identity.Client` library.
1. Create the `EventHubManagementClient` object. 1. Then, use the client object to create an Event Hubs namespace and an event hub.
event-hubs Event Hubs Quickstart Kafka Enabled Event Hubs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-quickstart-kafka-enabled-event-hubs.md
When you create an Event Hubs namespace, the Kafka endpoint for the namespace is
## Send and receive messages with Kafka in Event Hubs ### [Passwordless (Recommended)](#tab/passwordless)
-1. Enable a system-assigned managed identity for the virtual machine. For more information about configuring managed identity on a VM, see [Configure managed identities for Azure resources on a VM using the Azure portal](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#system-assigned-managed-identity). Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.
+1. Enable a system-assigned managed identity for the virtual machine. For more information about configuring managed identity on a VM, see [Configure managed identities for Azure resources on a VM using the Azure portal](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md#system-assigned-managed-identity). Managed identities for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, without having credentials in your code.
:::image type="content" source="./media/event-hubs-quickstart-kafka-enabled-event-hubs/enable-identity-vm.png" alt-text="Screenshot of the Identity tab of a virtual machine page in the Azure portal."::: 1. Using the **Access control** page of the Event Hubs namespace you created, assign **Azure Event Hubs Data Owner** role to the VM's managed identity.
-Azure Event Hubs supports using Azure Active Directory (Azure AD) to authorize requests to Event Hubs resources. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, or an application service principal.
+Azure Event Hubs supports using Microsoft Entra ID to authorize requests to Event Hubs resources. With Microsoft Entra ID, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, or an application service principal.
1. In the Azure portal, navigate to your Event Hubs namespace. Go to "Access Control (IAM)" in the left navigation. 2. Select + Add and select `Add role assignment`.
event-hubs Event Hubs Service Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/event-hubs-service-endpoints.md
The API version **2021-06-01-preview onwards** also introduces a new property na
For more information about these properties, see [Create or Update Network Rule Set](/rest/api/eventhub/controlplane-preview/namespaces-network-rule-set/create-or-update-network-rule-set) and [Create or Update Private Endpoint Connections](/rest/api/eventhub/controlplane-preview/private-endpoint-connections/create-or-update). > [!NOTE]
-> None of the above settings bypass validation of claims via SAS or Azure AD authentication. The authentication check always runs after the service validates the network checks that are configured by `defaultAction`, `publicNetworkAccess`, `privateEndpointConnections` settings.
+> None of the above settings bypass validation of claims via SAS or Microsoft Entra authentication. The authentication check always runs after the service validates the network checks that are configured by `defaultAction`, `publicNetworkAccess`, `privateEndpointConnections` settings.
### Azure portal
event-hubs Monitor Event Hubs Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/monitor-event-hubs-reference.md
Name | Description
`Timestamp` | Aggregation time. `Status` | Status of the activity (success or failure). `Protocol` | Type of the protocol associated with the operation.
-`AuthType` | Type of authentication (Azure Active Directory or SAS Policy).
-`AuthKey` | Azure Active Directory application ID or SAS policy name that's used to authenticate to a resource.
+`AuthType` | Type of authentication (Microsoft Entra ID or SAS Policy).
+`AuthKey` | Microsoft Entra application ID or SAS policy name that's used to authenticate to a resource.
`NetworkType` | Type of the network access: `Public` or `Private`. `ClientIP` | IP address of the client application. `Count` | Total number of operations performed during the aggregated period of 1 minute.
event-hubs Passwordless Migration Event Hubs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/passwordless-migration-event-hubs.md
Title: Migrate applications to use passwordless authentication with Azure Event Hubs
-description: Learn to migrate existing applications away from Shared Key authorization with the account key to instead use Azure AD and Azure RBAC for enhanced security with Azure Event Hubs.
+description: Learn to migrate existing applications away from Shared Key authorization with the account key to instead use Microsoft Entra ID and Azure RBAC for enhanced security with Azure Event Hubs.
Last updated 06/12/2023
After making these code changes, run your application locally. The new configura
## Configure the Azure hosting environment
-Once your application is configured to use passwordless connections and runs locally, the same code can authenticate to Azure services after it's deployed to Azure. The sections that follow explain how to configure a deployed application to connect to Azure Event Hubs using a [managed identity](/azure/active-directory/managed-identities-azure-resources/overview). Managed identities provide an automatically managed identity in Azure Active Directory (Azure AD) for applications to use when connecting to resources that support Azure AD authentication. Learn more about managed identities:
+Once your application is configured to use passwordless connections and runs locally, the same code can authenticate to Azure services after it's deployed to Azure. The sections that follow explain how to configure a deployed application to connect to Azure Event Hubs using a [managed identity](/azure/active-directory/managed-identities-azure-resources/overview). Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Learn more about managed identities:
* [Passwordless Overview](/azure/developer/intro/passwordless-overview) * [Managed identity best practices](/azure/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations)
event-hubs Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/policy-reference.md
Title: Built-in policy definitions for Azure Event Hubs description: Lists Azure Policy built-in policy definitions for Azure Event Hubs. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
event-hubs Resource Governance Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/resource-governance-overview.md
Azure Event Hubs enables you to govern event streaming workloads of client appli
## Application groups
-An application group is a collection of one or more client applications that interact with the Event Hubs data plane. Each application group can be scoped to a single Event Hubs namespace or event hubs (entity) within a namespace and should use a uniquely identifying condition such as the security context - shared access signatures (SAS) or Azure Active Directory (Azure AD) application ID - of the client application.
+An application group is a collection of one or more client applications that interact with the Event Hubs data plane. Each application group can be scoped to a single Event Hubs namespace or event hubs (entity) within a namespace and should use a uniquely identifying condition such as the security context - shared access signatures (SAS) or Microsoft Entra application ID - of the client application.
-Event Hubs currently supports using security contexts for creating application groups. Therefore, each application group must have a unique SAS policy or Azure AD application ID associated with them. If preferred, you can use security context at event hub level to use an application group with a specific event hub within a namespace.
+Event Hubs currently supports using security contexts for creating application groups. Therefore, each application group must have a unique SAS policy or Microsoft Entra application ID associated with them. If preferred, you can use security context at event hub level to use an application group with a specific event hub within a namespace.
Application groups are logical entities that are created at the namespace level. Therefore, client applications interacting with event hubs don't need to be aware of the existence of an application group. Event Hubs can associate any client application to an application group by using the identifying condition.
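Review bot: Number agreement in the edited sentence: "each application group must have a unique SAS policy or Microsoft Entra application ID associated with them" should be "associated with it", since the subject is a single group.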
These are the key attributes of an application group:
| Parameter | Description | | - | -- | | name | Unique name of an application group. |
-| clientAppGroupIdentifier | Associate an application group with a uniquely identifying condition (i.e security context such as SAS policy or Azure AD application ID). |
+| clientAppGroupIdentifier | Associate an application group with a uniquely identifying condition (i.e security context such as SAS policy or Microsoft Entra application ID). |
| policies | List of policies, such as throttling policies that control event streaming between client applications and the Event Hubs namespace| | isEnabled | Determine whether the client applications of an application group can access Event Hubs namespaces or not. |
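Review bot: the rewritten `clientAppGroupIdentifier` row keeps `(i.e security context such as SAS policy or Microsoft Entra application ID)`; since the line is being touched for the rename, make it `(i.e., a security context such as a SAS policy or a Microsoft Entra application ID)`.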
event-hubs Resource Governance With App Groups https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/resource-governance-with-app-groups.md
You can create an application group using the Azure portal by following these st
1. On the **Add application group** page, follow these steps: 1. Specify a **name** for the application group. 1. Confirm that **Enabled** is selected. To have the application group in the disabled state first, clear the **Enabled** option. This flag determines whether the clients of an application group can access Event Hubs or not.
- 1. For **Security context type**, select **Namespace Shared access policy**, **event hub Shared Access Policy** or **AAD application**.Application group supports the selection of SAS key at either namespace or at entity (event hub) level. When you create the application group, you should associate with either a shared access signatures (SAS) or Azure Active Directory(Azure AD) application ID, which is used by client applications.
+ 1. For **Security context type**, select **Namespace Shared access policy**, **event hub Shared Access Policy** or **Microsoft Entra application**.Application group supports the selection of SAS key at either namespace or at entity (event hub) level. When you create the application group, you should associate with either a shared access signatures (SAS) or Microsoft Entra application ID, which is used by client applications.
1. If you selected **Namespace Shared access policy**: 1. For **SAS key name**, select the SAS policy that can be used as a security context for this application group.You can select **Add SAS Policy** to add a new policy and then associate with the application group.
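Review bot: the rewritten **Security context type** step still has no space after the bold term (`**Microsoft Entra application**.Application group supports`) and a number mismatch in `associate with either a shared access signatures (SAS) or Microsoft Entra application ID`; suggest `**Microsoft Entra application**. An application group supports ...` and `associate it with either a shared access signature (SAS) policy or a Microsoft Entra application ID`. The three option names in the same sentence also mix capitalisation (`Namespace Shared access policy`, `event hub Shared Access Policy`) and should match the portal labels exactly.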
You can create an application group using the Azure portal by following these st
:::image type="content" source="./media/resource-governance-with-app-groups/create-application-groups-with-event-hub-shared-access-key.png" alt-text="Screenshot of the Add application group page with event hub Shared access policy option selected.":::
- 1. If you selected **AAD application**:
- 1. For **AAD Application (client) ID**, specify the Azure Active Directory (Azure AD) application or client ID.
+ 1. If you selected **Microsoft Entra application**:
+ 1. For **Microsoft Entra Application (client) ID**, specify the Microsoft Entra application or client ID.
- :::image type="content" source="./media/resource-governance-with-app-groups/add-app-group-active-directory.png" alt-text="Screenshot of the Add application group page with Azure AD option.":::
+ :::image type="content" source="./media/resource-governance-with-app-groups/add-app-group-active-directory.png" alt-text="Screenshot of the Add application group page with Microsoft Entra option.":::
### [Supported Security Context type](#supported-security-context-type)
-Review the auto-generated **Client group ID**, which is the unique ID associated with the application group. The scope of application governance (namespace or entity level) would depend on the access level for the used Azure AD application ID. The following table shows auto generated Client Group ID for different security Context type:
+Review the auto-generated **Client group ID**, which is the unique ID associated with the application group. The scope of application governance (namespace or entity level) would depend on the access level for the used Microsoft Entra application ID. The following table shows auto generated Client Group ID for different security Context type:
| Security Context type | Auto-generated client group ID| | | | | Namespace shared access key | `NamespaceSASKeyName=<NamespaceLevelKeyName>` |
-| Azure AD Application | `AADAppID=<AppID>` |
+| Microsoft Entra Application | `AADAppID=<AppID>` |
| Event Hubs shared access key | `EntitySASKeyName=<EntityLevelKeyName>` | > [!NOTE]
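Review bot: the table row now labelled `Microsoft Entra Application` still maps to the auto-generated identifier `AADAppID=<AppID>`, and nothing tells the reader that the legacy `AADAppID` prefix survives the rename; add a sentence after the table (or in the [!NOTE] that follows) saying the generated client group ID keeps the `AADAppID=` prefix, otherwise someone correlating throttling diagnostics or ARM output with an "Entra" value will not find it.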
Azure Event Hubs supports [Application Metric Logs ](monitor-event-hubs-referenc
6. Once you decide the threshold value, add a new throttling policy inside the application group. ## Publish or consume events
-Once you successfully add throttling policies to the application group, you can test the throttling behavior by either publishing or consuming events using client applications that are part of the `contosoAppGroup` application group. To test, you can use either an [AMQP client](event-hubs-dotnet-standard-getstarted-send.md) or a [Kafka client](event-hubs-quickstart-kafka-enabled-event-hubs.md) application and same SAS policy name or Azure AD application ID that's used to create the application group.
+Once you successfully add throttling policies to the application group, you can test the throttling behavior by either publishing or consuming events using client applications that are part of the `contosoAppGroup` application group. To test, you can use either an [AMQP client](event-hubs-dotnet-standard-getstarted-send.md) or a [Kafka client](event-hubs-quickstart-kafka-enabled-event-hubs.md) application and same SAS policy name or Microsoft Entra application ID that's used to create the application group.
> [!NOTE] > When your client applications are throttled, you should experience a slowness in publishing or consuming data.
event-hubs Schema Registry Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/schema-registry-concepts.md
For limits (for example: number of schema groups in a namespace) of Event Hubs,
## Azure role-based access control To access a schema registry programmatically, follow these steps:
-1. [Register your application in Azure Active Directory (Azure AD)](../active-directory/develop/quickstart-register-app.md)
+1. [Register your application in Microsoft Entra ID](../active-directory/develop/quickstart-register-app.md)
1. Add the security principal of the application to one of the following Azure role-based access control (Azure RBAC) roles at the **namespace** level. | Role | Description |
To access a schema registry programmatically, follow these steps:
| [Schema Registry Reader](../role-based-access-control/built-in-roles.md#schema-registry-reader-preview) | Read and list Schema Registry groups and schemas. | | [Schema Registry Contributor](../role-based-access-control/built-in-roles.md#schema-registry-reader-preview) | Read, write, and delete Schema Registry groups and schemas. |
-For instructions on creating registering an application using the Azure portal, see [Register an app with Azure AD](../active-directory/develop/quickstart-register-app.md). Note down the client ID (application ID), tenant ID, and the secret to use in the code.
+For instructions on creating registering an application using the Azure portal, see [Register an app with Microsoft Entra ID](../active-directory/develop/quickstart-register-app.md). Note down the client ID (application ID), tenant ID, and the secret to use in the code.
## Next steps
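Review bot: `For instructions on creating registering an application` in the rewritten sentence has two verbs; make it `For instructions on registering an application`. In the same hunk, the Schema Registry Contributor row links to `#schema-registry-reader-preview`, the Reader anchor, so the Contributor link lands on the wrong role. The closing `Note down the client ID (application ID), tenant ID, and the secret to use in the code` also presents a client secret embedded in code as the default; point readers at the passwordless or managed identity path where the quickstarts offer one and at a secret store otherwise.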
event-hubs Schema Registry Json Schema Kafka https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/schema-registry-json-schema-kafka.md
Follow instructions from [Create schemas using Schema Registry](create-schema-re
``` ## Register an application to access schema registry
-You can use Azure Active Directory to authorize your Kafka producer and consumer application to access Azure Schema Registry resources. To enable it, you need to register your client application with an Azure AD tenant from the Azure portal.
+You can use Microsoft Entra ID to authorize your Kafka producer and consumer application to access Azure Schema Registry resources. To enable it, you need to register your client application with a Microsoft Entra tenant from the Azure portal.
-To register an Azure Active Directory application named `example-app` see [Register your application with an Azure AD tenant](authenticate-application.md).
+To register a Microsoft Entra application named `example-app` see [Register your application with a Microsoft Entra tenant](authenticate-application.md).
- tenant.id - sets the tenant ID of the application - client.id - sets the client ID of the application
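Review bot: `To register a Microsoft Entra application named `example-app` see [...]` needs a comma before `see`; the identical sentence appears in the schema-registry-kafka-java-send-receive-quickstart hunk further down and should be fixed in both places.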
Add your user account to the **Schema Registry Reader** role at the namespace le
## Update client application configuration of Kafka applications
-You need to update the client configuration of the Kafka producer and consumer applications with the Azure Active directory application details and with the schema registry information.
+You need to update the client configuration of the Kafka producer and consumer applications with the Microsoft Entra application details and with the schema registry information.
To update the Kafka Producer configuration, navigate to *azure-schema-registry-for-kafka/tree/master/java/json/samples/kafka-producer*. 1. Update the configuration of the Kafka application in *src/main/resources/app.properties* by following [Kafka Quickstart guide for Event Hubs](event-hubs-quickstart-kafka-enabled-event-hubs.md).
-1. Update the configuration details for the producer in *src/main/resources/app.properties* using schema registry related configuration and Azure Active directory application that you created in the previous step as follows:
+1. Update the configuration details for the producer in *src/main/resources/app.properties* using schema registry related configuration and Microsoft Entra application that you created in the previous step as follows:
```xml schema.group=contoso-sg
To run the Kafka consumer application, navigate to *azure-schema-registry-for-ka
## Clean up resources Delete the Event Hubs namespace or delete the resource group that contains the namespace. -
event-hubs Schema Registry Kafka Java Send Receive Quickstart https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/schema-registry-kafka-java-send-receive-quickstart.md
Follow instructions from [Create schemas using Schema Registry](create-schema-re
``` ## Register an application to access schema registry
-You can use Azure Active Directory to authorize your Kafka producer and consumer application to access Azure Schema Registry resources by registering your client application with an Azure AD tenant from the Azure portal.
+You can use Microsoft Entra ID to authorize your Kafka producer and consumer application to access Azure Schema Registry resources by registering your client application with a Microsoft Entra tenant from the Azure portal.
-To register an Azure Active Directory application named `example-app` see [Register your application with an Azure AD tenant](authenticate-application.md).
+To register a Microsoft Entra application named `example-app` see [Register your application with a Microsoft Entra tenant](authenticate-application.md).
- tenant.id - sets the tenant ID of the application - client.id - sets the client ID of the application
Add your user account to the **Schema Registry Reader** role at the namespace le
## Update client application configuration of Kafka applications
-You need to update the client configuration of the Kafka producer and consumer applications with the configuration related to Azure Active directory application that we created and the schema registry information.
+You need to update the client configuration of the Kafka producer and consumer applications with the configuration related to Microsoft Entra application that we created and the schema registry information.
To update the Kafka Producer configuration, navigate to *azure-schema-registry-for-kafka/tree/master/java/avro/samples/kafka-producer*. 1. Update the configuration of the Kafka application in *src/main/resources/app.properties* by following [Kafka Quickstart guide for Event Hubs](event-hubs-quickstart-kafka-enabled-event-hubs.md).
-1. Update the configuration details for the producer in *src/main/resources/app.properties* using schema registry related configuration and Azure Active directory application that you created above as follows:
+1. Update the configuration details for the producer in *src/main/resources/app.properties* using schema registry related configuration and Microsoft Entra application that you created above as follows:
```xml schema.group=contoso-sg
event-hubs Send And Receive Events Using Data Generator https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/send-and-receive-events-using-data-generator.md
You could follow the steps below to send events to Azure Event Hubs Data Generat
2. **Select Payload:** You could send custom payload to event hubs using User defined payload or make use of different pre-canned datasets available in data generator. 3. **Select Content-Type:** Based on the type of data youΓÇÖre sending; you could choose the Content-type Option. As of today, Data generator supports sending data in following content-type - JSON, XML, Text and Binary. 4. **Repeat send**:-If you want to send the same payload as multiple events, you can enter the number of repeat events that you wish to send. Repeat Send supports sending up to 100 repetitions.
- 5. **Authentication Type**: Under settings, you can choose from two different authentication type: Shared Access key or Azure Active Directory. Please make sure that you have Azure Event Hubs Data owner permission before using Azure Active Directory.
+ 5. **Authentication Type**: Under settings, you can choose from two different authentication type: Shared Access key or Microsoft Entra ID. Please make sure that you have Azure Event Hubs Data owner permission before using Microsoft Entra ID.
:::image type="content" source="media/send-and-receive-events-using-data-generator/highlighted-data-generator-landing.png" alt-text="Screenshot displaying landing page for data generator.":::
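Review bot: `two different authentication type` should be plural (`types`), and `Azure Event Hubs Data owner permission` refers to an RBAC role, so name it as the built-in role is spelled, `Azure Event Hubs Data Owner`, and say role assignment rather than permission so readers know where to check when the Microsoft Entra ID option fails.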
As soon as you select send, data generator would take care of sending the events
[Send and Receive events using Event Hubs SDKs(AMQP)](/azure/event-hubs/event-hubs-dotnet-standard-getstarted-send?tabs=passwordless%2Croles-azure-portal) [Send and Receive events using Apache Kafka](/azure/event-hubs/event-hubs-quickstart-kafka-enabled-event-hubs?tabs=passwordless)------------------------------------------------
event-hubs Transport Layer Security Enforce Minimum Version https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/transport-layer-security-enforce-minimum-version.md
Role assignments must be scoped to the level of the Event Hubs namespace or high
Be careful to restrict assignment of these roles only to those who require the ability to create an Event Hubs namespace or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see [Best practices for Azure RBAC](../role-based-access-control/best-practices.md). > [!NOTE]
-> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [**Owner**](../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage Event Hubs namespaces. For more information, see [**Azure roles, Azure AD roles, and classic subscription administrator roles**](../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).
+> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [**Owner**](../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage Event Hubs namespaces. For more information, see [**Azure roles, Microsoft Entra roles, and classic subscription administrator roles**](../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).
## Network considerations
event-hubs Troubleshoot Authentication Authorization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/event-hubs/troubleshoot-authentication-authorization.md
Last updated 09/20/2021
# Troubleshoot authentication and authorization issues - Azure Event Hubs The [Troubleshoot connectivity issues](troubleshooting-guide.md) article provides tips for troubleshooting connectivity issues with Azure Event Hubs. This article provides tips and recommendations for troubleshooting authentication and authorization issues with Azure Event Hubs.
-## If you are using Azure Active Directory
-If you are using Azure Active Directory (Azure AD) to authenticate and authorize with Azure Event Hubs, confirm that the identity accessing the event hub is a member of the right **Azure role** at the right **resource scope** (consumer group, event hub, namespace, resource group, or subscription).
+<a name='if-you-are-using-azure-active-directory'></a>
+
+## If you are using Microsoft Entra ID
+If you are using Microsoft Entra ID to authenticate and authorize with Azure Event Hubs, confirm that the identity accessing the event hub is a member of the right **Azure role** at the right **resource scope** (consumer group, event hub, namespace, resource group, or subscription).
### Azure roles - [Azure Event Hubs Data owner](../role-based-access-control/built-in-roles.md#azure-event-hubs-data-owner) for complete access to Event Hubs resources.
For Schema Registry built-in roles, see [Schema Registry roles](schema-registry-
For more information, see the following articles: -- [Authenticate an application with Azure Active Directory to access Event Hubs resources](authenticate-application.md)-- [Authorize access to Event Hubs resources using Azure Active Directory](authorize-access-azure-active-directory.md)
+- [Authenticate an application with Microsoft Entra ID to access Event Hubs resources](authenticate-application.md)
+- [Authorize access to Event Hubs resources using Microsoft Entra ID](authorize-access-azure-active-directory.md)
## If you are using Shared access signatures (SAS) If you are using [SAS](authenticate-shared-access-signature.md), follow these steps:
expressroute Circuit Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/circuit-migration.md
+
+ Title: Migrate to a new ExpressRoute circuit
+description: Learn how to migrate your ExpressRoute circuit from one circuit to another with minimum service interruption.
++++ Last updated : 10/06/2023+++
+# Migrate to a new ExpressRoute circuit
+
+If you want to switch from one ExpressRoute circuit to another, you might want to do it smoothly with minimum service interruption. This document helps you to follow the steps to migrate your production traffic without causing major disruptions or risks. You can use this method whether you're moving to a new or the same peering location.
+
+If you've got your ExpressRoute circuit through a Layer 3 service provider, create the new circuit under your subscription in the Azure portal. Work with your service provider to switch the traffic seamlessly to the new circuit. After the service provider has deprovisioned your old circuit, delete it from the Azure portal.
+
+The rest of the article applies to you if you've got your ExpressRoute circuit through a Layer 2 service provider or ExpressRoute direct ports.
+
+## Steps for seamless ExpressRoute circuit migration
++
+The diagram above illustrates the migration process from an existing ExpressRoute circuit, referred to as Circuit A, to a new ExpressRoute circuit, referred to as Circuit B. Circuit B can be in the same or a different peering location as Circuit A. The migration process consists of the following steps:
+
+1. **Deploy Circuit B in isolation:** While the traffic continues to flow over Circuit A, deploy a new Circuit B without affecting the production environment.
+
+1. **Block the production traffic flow over Circuit B:** Prevent any traffic from using Circuit B until it's fully tested and validated.
+
+1. **Complete and validate end-to-end connectivity of Circuit B:** Ensure that Circuit B can establish and maintain a stable and secure connection with all the required endpoints.
+
+1. **Switch over the traffic:** Redirect the traffic flow from Circuit A to Circuit B and block the traffic flow over Circuit A.
+
+1. **Decommission Circuit A:** Remove Circuit A from the network and release its resources.
+
+## Deploy new circuit in isolation
+
+Follow the steps in [Create a circuit with ExpressRoute](expressroute-howto-circuit-portal-resource-manager.md), to create your new ExpressRoute circuit (Circuit B) in the desired peering location. Then, follow the steps in [Tutorial: Configure peering for ExpressRoute circuit](expressroute-howto-routing-portal-resource-manager.md) to configure the required peering types: private and Microsoft.
+
+To prevent the private peering production traffic from using Circuit B before testing and validating it, don't link virtual network gateway that has production deployment to Circuit B. Similarly to avoid Microsoft peering production traffic from using Circuit B, don't associate a route filter to Circuit B.
+
+## Block the production traffic flow over the newly created circuit
+
+Prevent the route advertisement over the new peering(s) on the CE devices.
+
+For Cisco IOS, you can use a `route-map` and a `prefix-list` to filter the routes advertised over a BGP peering. The following example shows how to create and apply a `route-map` and a `prefix-list` for this purpose:
+
+```
+route-map BLOCK ADVERTISEMENTS deny 10
+ match ip address prefix-list BLOCK-ALL-PREFIXES
+
+ip prefix-list BLOCK-ALL-PREFIXES seq 10 deny 0.0.0.0/0 le 32
+
+router bgp <your_AS_number>
+ neighbor <neighbor_IP_address> route-map BLOCK-ADVERTISEMENTS out
+ neighbor <neighbor_IP_address> route-map BLOCK-ADVERTISEMENTS in
+```
+
+Use export/import policy to filter the routes advertised and received on the new peering(s) on the Junos devices. The following example shows how to configure export/import policy for this purpose:
+
+```
+user@router>show configuration policy-options policy-statement BLOCK-ALL-ROUTES
+
+term reject-all {
+
+ the reject;
+}
+
+protocols {
+ bgp {
+ group <your_group_name> {
+ neighbor <neighbor_IP_address> {
+ export [ BLOCK-ALL-ROUTES ];
+ import [ BLOCK-ALL-ROUTES ];
+ }
+ }
+ }
+}
+```
+## Validate the end-to-end connectivity of the newly created circuit
+
+### Private peering
+
+Follow the steps in [Connect a virtual network to an ExpressRoute circuit](expressroute-howto-linkvnet-portal-resource-manager.md) to link the new circuit to the gateway of a test virtual network and verify your private peering connectivity. After linking virtual networks to the circuit, examine the route table of the private peering of the circuit and verify that the address space of the virtual network is included in the table. The following example shows a route table of the private peering of an ExpressRoute circuit in the Azure Management portal:
++
+The following diagram illustrates a test VM configured in a test virtual network and a test device located on-premises for verifying the connectivity over the ExpressRoute private peering.
++
+Modify the route-map or the policy configuration that you have applied to filter the routes advertised and allow the specific IP address of the test device from on-premises. Similarly, allow the test virtual networkΓÇÖs address space from Azure.
+
+```
+route-map BLOCK ADVERTISEMENTS permit 5
+ match ip address prefix-list PERMIT-ROUTE
+
+route-map BLOCK ADVERTISEMENTS deny 10
+ match ip address prefix-list BLOCK-ALL-PREFIXES
+
+ip prefix-list PERMIT-ROUTE seq 10 permit 10.17.1.0/24
+ip prefix-list PERMIT-ROUTE seq 20 permit 10.1.18.10/32
+
+ip prefix-list BLOCK-ALL-PREFIXES seq 10 deny 0.0.0.0/0 le 32
++
+```
+
+To allow specific IP prefixes for test devices on Junos, configure a prefix-list. Then, configure the BGP import/export policy to allow these prefixes and reject everything else.
+
+```
+user@router>show configuration policy-options policy-statement BLOCK-ADVERTISEMENTS
+
+term PERMIT-ROUTES {
+ from {
+ prefix-list PERMIT-ROUTE;
+ }
+ then accept;
+}
+
+term reject-all {
+ then reject;
+}
+
+user@router>show configuration policy-options prefix-list PERMIT-ROUTE
+
+10.1.18.10/32;
+10.17.1.0/24;
+```
+
+Verify the end-to-end connectivity over the private peering. For example, you can ping the test VM in Azure from your on-premises test device and check the results. For step-by-step detailed validation, see [Verifying ExpressRoute connectivity](expressroute-troubleshooting-expressroute-overview.md).
+
+### Microsoft peering
+
+The verification of your Microsoft peering requires careful planning to avoid any effect on the production traffic. You need to use [distinct prefixes](expressroute-howto-routing-portal-resource-manager.md#to-create-microsoft-peering) for the Microsoft peering of Circuit B that are different from the ones used for Circuit A, to prevent any routing conflicts between the two circuits. You also need to link the Microsoft peering of Circuit B to a separate route filter than the one linked to Circuit A, following the steps in [configuring route filters for Microsoft peering](how-to-routefilter-portal.md). Additionally, you need to ensure that the route filters for both circuits don't have any common routes that are advertised to the on-premises network, to avoid asymmetrical routing between Circuit A and Circuit B. To achieve this, you can either:
+ - select a service or an Azure region for testing Circuit B that isn't used by the production traffic on Circuit A, or
+ - minimize the overlap between the two route filters and permit only more specific test public endpoints received through Circuit B
+
+Once you have linked a route filter, you need to check the routes that are advertised and received over the BGP peering on the CE device. To filter the routes that are advertised and allow only the on-premises prefixes of the Microsoft peering and the specific IP address of the selected Microsoft public endpoints for testing, you need to modify the route-map or the Junos policy configuration that you have applied.
+
+To test the connectivity to Microsoft 365 endpoints, follow the steps in [Implementing ExpressRoute for Microsoft 365 ΓÇô Build your test procedures](/microsoft-365/enterprise/implementing-expressroute#build-your-test-procedures). For Azure public endpoints, you could start with basic connectivity testing such as traceroute from on-premises and verify that the request goes over ExpressRoute endpoints. Beyond ExpressRoute endpoints, ICMP messages are suppressed over Microsoft network. You could also test the connectivity at the application level, in addition to basic ping tests. For instance, if you have an Azure VM with Azure public IP running a web server, you can try accessing the web server public IP from your on-premises network through the ExpressRoute connection. This helps you confirm that more complex traffic, such as HTTP requests, can reach Azure services.
+
+## Switch over the production traffic
+
+### Private peering
+
+1. Disconnect Circuit B from any test virtual network gateways that you have connected it to.
+1. Remove any exceptions that you have made to the Cisco route-maps or Junos policy.
+1. Follow the steps in [Connect a virtual network to an ExpressRoute circuit](expressroute-howto-linkvnet-portal-resource-manager.md) and connect Circuit B to production virtual network gateway(s).
+1. On the CE, make sure that you're ready to advertise all the routes that you're currently advertising over Circuit A, over Circuit B when you remove the route-map or policy applied to Circuit B interfaces on CE. This also includes ensuring that the interfaces of Circuit B are associated with the appropriate VRF or routing-instance, if any.
+1. Remove the route-maps or policy on Circuit B interfaces. Apply the route-maps or policy on Circuit A interfaces to block the route advertisement over Circuit A. This will switch the traffic flow over Circuit B.
+1. Verify the traffic flow over Circuit B. If the verification fails, undo the route-map or firewall association that you did in the previous step and switch the traffic flow back over Circuit A.
+1. If the verification of traffic flow over Circuit B is successful, delete Circuit A.
+
+### Microsoft peering
+
+1. Remove Circuit B from any test Azure route filter that you have linked it to.
+1. Remove any exceptions that you have made to the route-maps or policy.
+1. On CE, make sure that the interface of Circuit B is associated with the appropriate VRF or routing-instance.
+1. Validate and confirm the advertised prefix over the Microsoft peering.
+1. Associate Circuit B Microsoft peering to the Azure route filter that is currently associated to Circuit A.
+1. Remove the route-maps or export/import policy on Circuit B interfaces. Apply the route-maps or export/import policy on Circuit A interfaces to block the route advertisement over Circuit A. This will switch the traffic flow over Circuit B.
+1. Verify the traffic flow over Circuit B. If the verification fails, undo the route-map or policy association that you did in the previous step and switch the traffic flow back over Circuit A.
+1. If the verification of traffic flow over Circuit B is successful, delete Circuit A.
+
+## Next step
+
+For more information about router configuration, see [Router configuration samples to set up and manage routing](expressroute-config-samples-routing.md).
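Review bot: the Cisco example under "Block the production traffic flow over the newly created circuit" defines `route-map BLOCK ADVERTISEMENTS deny 10` (a space, so the name is `BLOCK` and `ADVERTISEMENTS` is a stray token IOS will not parse as intended) while the neighbor statements apply `route-map BLOCK-ADVERTISEMENTS out` and `in`; use the hyphenated name on the route-map line, and fix the same typo in the `permit 5` / `deny 10` route-map under "Private peering". In both Cisco configs, `ip prefix-list BLOCK-ALL-PREFIXES seq 10 deny 0.0.0.0/0 le 32` is a list that permits nothing, so `match ip address prefix-list BLOCK-ALL-PREFIXES` never matches and routes are dropped only by the route-map's implicit deny; either write the list as `permit 0.0.0.0/0 le 32` so the deny clause matches explicitly, or drop clause 10 and state that the implicit deny does the blocking. The first Junos example has `the reject;` where `then reject;` is meant, and its policy-statement is named `BLOCK-ALL-ROUTES` while the later `show configuration` output names it `BLOCK-ADVERTISEMENTS`, even though the text says the reader is modifying the policy already applied; use one name throughout. Under "Switch over the production traffic", private peering step 6 says `undo the route-map or firewall association` while every other step says route-map or policy; make it `policy`. Lastly, the text refers to a diagram above the steps, a portal route-table screenshot and a test-VM diagram, but only blank `+` lines appear at those positions in this hunk (one of them inside the second Cisco fence), so the image includes appear to be missing.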
expressroute Cross Connections Api Development https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/cross-connections-api-development.md
In order to access the expressRouteCrossConnections API, the partner subscriptio
### 3. Set up authentication for Azure Resource Manager REST API calls
-Most Azure services require client code to authenticate with Resource Manager, using valid credentials, prior to calling service APIs. Authentication is coordinated between the various actors by Azure AD and provides the client with an access token as proof of authentication.
+Most Azure services require client code to authenticate with Resource Manager, using valid credentials, prior to calling service APIs. Authentication is coordinated between the various actors by Microsoft Entra ID and provides the client with an access token as proof of authentication.
The authentication process involves two main steps:
Once authentication has been successfully configured, you need to grant Network
2. Navigate to Access Control (IAM) 3. Add Role Assignment 4. Select the Network Contributor Role
-5. Assign Access to Azure AD User, Group, or Service Principal
+5. Assign Access to Microsoft Entra user, group, or service principal
6. Select your client application 7. Save changes
expressroute Expressroute Faqs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-faqs.md
If your ExpressRoute circuit is enabled for Azure Microsoft peering, you can acc
* [Microsoft 365](/microsoft-365/enterprise/azure-expressroute) * Power BI - Available via an Azure Regional Community, see [here](/power-bi/service-admin-where-is-my-tenant-located) for how to find out the region of your Power BI tenant.
-* Azure Active Directory
+* Microsoft Entra ID
* [Azure DevOps](https://blogs.msdn.microsoft.com/devops/2018/10/23/expressroute-for-azure-devops/) (Azure Global Services community) * [Microsoft PSTN services](./using-expressroute-for-microsoft-pstn.md) * Azure Public IP addresses for IaaS (Virtual Machines, Virtual Network Gateways, Load Balancers, etc.)
Yes. You can link up to 10 virtual networks in the same subscription as the circ
For more information, see [sharing an ExpressRoute circuit across multiple subscriptions](expressroute-howto-linkvnet-arm.md).
-### I have multiple Azure subscriptions associated to different Azure Active Directory tenants or Enterprise Agreement enrollments. Can I connect virtual networks that are in separate tenants and enrollments to a single ExpressRoute circuit not in the same tenant or enrollment?
+<a name='i-have-multiple-azure-subscriptions-associated-to-different-azure-active-directory-tenants-or-enterprise-agreement-enrollments-can-i-connect-virtual-networks-that-are-in-separate-tenants-and-enrollments-to-a-single-expressroute-circuit-not-in-the-same-tenant-or-enrollment'></a>
+
+### I have multiple Azure subscriptions associated to different Microsoft Entra tenants or Enterprise Agreement enrollments. Can I connect virtual networks that are in separate tenants and enrollments to a single ExpressRoute circuit not in the same tenant or enrollment?
Yes. ExpressRoute authorizations can span subscription, tenant, and enrollment boundaries with no extra configuration required. Connectivity and bandwidth charges for the dedicated circuit gets applied to the ExpressRoute circuit owner and all virtual networks share the same bandwidth.
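Review bot: the new heading keeps "associated to" where "associated with" is the idiomatic form, and the unchanged answer below it has a subject-verb mismatch ("Connectivity and bandwidth charges ... gets applied" should be "are applied"). Keeping the old heading anchor via the `<a name=...>` line is the right call so that external links to the Azure Active Directory wording keep resolving.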
expressroute Expressroute For Cloud Solution Providers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-for-cloud-solution-providers.md
In the connect-through model, the CSP creates a direct connection between your d
If your customer has other Azure subscriptions not managed by you, they would use the public Internet or their own private connection to connect to those services provisioned under the non-CSP subscription.
-For CSP managing Azure services, it's assumed that the CSP has a previously established customer identity store, which would then be replicated into Azure Active Directory for management of their CSP subscription through Administrate-On-Behalf-Of (AOBO). Key drivers for this scenario include where a given partner or service provider has an established relationship with the customer, the customer is consuming provider services currently or the partner has a desire to provide a combination of provider-hosted and Azure-hosted solutions to provide flexibility and address customer challenges that can't be satisfied by CSP alone. This model is illustrated in the following **figure**.
+For CSP managing Azure services, it's assumed that the CSP has a previously established customer identity store, which would then be replicated into Microsoft Entra ID for management of their CSP subscription through Administrate-On-Behalf-Of (AOBO). Key drivers for this scenario include where a given partner or service provider has an established relationship with the customer, the customer is consuming provider services currently or the partner has a desire to provide a combination of provider-hosted and Azure-hosted solutions to provide flexibility and address customer challenges that can't be satisfied by CSP alone. This model is illustrated in the following **figure**.
![Diagram that shows a detailed scenario for the "Connect-through" model.](./media/expressroute-for-cloud-solution-providers/connect-through-model.png)
In the Connect-To model, the service provider creates a direct connection betwee
> For ExpressRoute the customer would need to create and maintain the ExpressRoute circuit. >
-This connectivity scenario requires that the customer connects directly through a customer network to access CSP-managed Azure subscription, using a direct network connection that is created, owned, and managed either wholly or in part by the customer. For these customers, it's assumed that the provider doesn't currently have a customer identity store established, and the provider would assist the customer in replicating their current identify store into Azure Active Directory for management of their subscription through AOBO. Key drivers for this scenario include where a given partner or service provider has an established relationship with the customer, the customer is consuming provider services currently, or the partner has a desire to provide services that are based solely on Azure-hosted solutions without the need for an existing provider datacenter or infrastructure.
+This connectivity scenario requires that the customer connects directly through a customer network to access CSP-managed Azure subscription, using a direct network connection that is created, owned, and managed either wholly or in part by the customer. For these customers, it's assumed that the provider doesn't currently have a customer identity store established, and the provider would assist the customer in replicating their current identify store into Microsoft Entra ID for management of their subscription through AOBO. Key drivers for this scenario include where a given partner or service provider has an established relationship with the customer, the customer is consuming provider services currently, or the partner has a desire to provide services that are based solely on Azure-hosted solutions without the need for an existing provider datacenter or infrastructure.
![Diagram that shows a detailed scenario for the "Connect-To" model.](./media/expressroute-for-cloud-solution-providers/connect-to-model.png) The choices between these two options are based on your customerΓÇÖs needs and your current need to provide Azure services. The details of these models and the associated role-based access control, networking, and identity design patterns are covered in details in the following links:
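Review bot: the rename carried over a typo in the new line, "replicating their current identify store" should read "identity store", and "to access CSP-managed Azure subscription" is missing an article ("the CSP-managed Azure subscription"). Since the line is being rewritten anyway, fix both in the same change.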
-* **Azure role-based access control (Azure RBAC)** ΓÇô Azure RBAC is based on Azure Active Directory. For more information on Azure RBAC, see [here](../role-based-access-control/role-assignments-portal.md).
+* **Azure role-based access control (Azure RBAC)** ΓÇô Azure RBAC is based on Microsoft Entra ID. For more information on Azure RBAC, see [here](../role-based-access-control/role-assignments-portal.md).
* **Networking** ΓÇô Covers the various articles of networking in Microsoft Azure.
-* **Azure Active Directory (Azure AD)** ΓÇô Azure AD provides the identity management for Microsoft Azure and third-party SaaS applications. For more information about Azure AD, see [here](../active-directory/index.yml).
+* **Microsoft Entra ID** ΓÇô Microsoft Entra ID provides the identity management for Microsoft Azure and third-party SaaS applications. For more information about Microsoft Entra ID, see [here](../active-directory/index.yml).
## Network speeds ExpressRoute supports network speeds from 50 Mb/s to 10 Gb/s. This allows customers to purchase the amount of network bandwidth needed for their unique environment.
expressroute Expressroute Howto Erdirect https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-howto-erdirect.md
You can delete the ExpressRoute Direct resource by running the following command
The following scenario is in public preview:
-ExpressRoute Direct and ExpressRoute circuit(s) in different subscriptions or Azure Active Directory tenants. You'll create an authorization for your ExpressRoute Direct resource, and redeem the authorization to create an ExpressRoute circuit in a different subscription or Azure Active Directory tenant.
+ExpressRoute Direct and ExpressRoute circuit(s) in different subscriptions or Microsoft Entra tenants. You'll create an authorization for your ExpressRoute Direct resource, and redeem the authorization to create an ExpressRoute circuit in a different subscription or Microsoft Entra tenant.
### Enable ExpressRoute Direct and circuits in different subscriptions
ExpressRoute Direct and ExpressRoute circuit(s) in different subscriptions or Az
CircuitResourceUri :on ```
-1. Redeem the authorization to create the ExpressRoute Direct circuit in different subscription or Azure Active Directory tenant with the following command:
+1. Redeem the authorization to create the ExpressRoute Direct circuit in different subscription or Microsoft Entra tenant with the following command:
```powershell Select-AzSubscription -Subscription "<SubscriptionID or SubscriptionName>"
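Review bot: the redeem step in this hunk says "create the ExpressRoute Direct circuit", but what is created is an ExpressRoute circuit on the ExpressRoute Direct port, which is what the preceding sentence ("redeem the authorization to create an ExpressRoute circuit in a different subscription or Microsoft Entra tenant") already says; suggest aligning the wording. The sample output just above (`CircuitResourceUri :on` followed by the closing fence on the same line) also looks truncated and should be checked in the source.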
expressroute Expressroute Routing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/expressroute-routing.md
In addition to the BGP tag for each region, Microsoft also tags prefixes based o
| Skype For Business Online (2) and (3) | 12076:5030 | | CRM Online (4) |12076:5040 | | Azure Global Services (1) | 12076:5050 |
-| Azure Active Directory |12076:5060 |
+| Microsoft Entra ID |12076:5060 |
| Azure Resource Manager |12076:5070 | | Other Office 365 Online services (2) | 12076:5100 | | Microsoft Defender for Identity | 12076:5220 |
In addition to the BGP tag for each region, Microsoft also tags prefixes based o
| Exchange Online |12076:5110 | | SharePoint Online |12076:5120 | | Skype For Business Online |12076:5130 |
-| Azure Active Directory |12076:5160 |
+| Microsoft Entra ID |12076:5160 |
| Other Office 365 Online services |12076:5200 | * *Office 365 communities aren't supported over Microsoft Peering for Microsoft Azure operated by 21Vianet region.*
expressroute How To Custom Route Alert https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/how-to-custom-route-alert.md
Verify that you have met the following criteria before beginning your configurat
When you create an Automation account in the Azure portal, a Run As account is automatically created. This account takes following actions:
-* Creates an Azure Active Directory (Azure AD) application with a self-signed certificate. The Run As account itself has a certificate that needs to be renewed by default every year.
+* Creates a Microsoft Entra application with a self-signed certificate. The Run As account itself has a certificate that needs to be renewed by default every year.
-* Creates a service principal account for the application in Azure AD.
+* Creates a service principal account for the application in Microsoft Entra ID.
* Assigns itself the Contributor role (Azure RBAC) on the Azure Subscription in use. This role manages Azure Resource Manager resources using runbooks.
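Review bot: the hunk documents that the Run As account assigns itself Contributor on the whole subscription, but the runbook in this article only needs to read ExpressRoute route data and raise an alert, so the prerequisites should tell the reader to replace that default with a role assignment scoped to the ExpressRoute resource group (or a custom role with only the required read actions). The new line also notes the self-signed certificate must be renewed yearly without saying where the renewal is done or what happens to the runbook when it lapses; a sentence on that would make the prerequisite actionable.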
A logic app workflow accesses other apps, services, and the platform though conn
:::image type="content" source="./media/custom-route-alert-portal/create-job.png" alt-text="Create job":::
-3. Sign in using a service principal. You can use an existing service principal, or you can create a new one. To create a new service principal, see [How to use the portal to create an Azure AD service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). Select **Connect with Service Principal**.
+3. Sign in using a service principal. You can use an existing service principal, or you can create a new one. To create a new service principal, see [How to use the portal to create a Microsoft Entra service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). Select **Connect with Service Principal**.
:::image type="content" source="./media/custom-route-alert-portal/sign-in.png" alt-text="Screenshot that shows the 'Recurrence' section with the 'Connect with Service Principal' action highlighted.":::
expressroute How To Expressroute Direct Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/expressroute/how-to-expressroute-direct-portal.md
The following steps help you create an ExpressRoute circuit from the ExpressRout
The following scenario is in public preview:
-ExpressRoute Direct and ExpressRoute circuit(s) in a different subscription or Azure Active Directory tenants. You'll create an authorization for your ExpressRoute Direct resource, and redeem the authorization to create an ExpressRoute circuit in a different subscription or Azure Active Directory tenant.
+ExpressRoute Direct and ExpressRoute circuit(s) in a different subscription or Microsoft Entra tenants. You'll create an authorization for your ExpressRoute Direct resource, and redeem the authorization to create an ExpressRoute circuit in a different subscription or Microsoft Entra tenant.
### Enable ExpressRoute Direct and circuits in a different subscription
ExpressRoute Direct and ExpressRoute circuit(s) in a different subscription or A
:::image type="content" source="./media/how-to-expressroute-direct-portal/authorization.png" alt-text="Screenshot of authorizations page.":::
-1. Create a new ExpressRoute circuit in a different subscription or Azure Active Directory tenant.
+1. Create a new ExpressRoute circuit in a different subscription or Microsoft Entra tenant.
1. Select **Direct** as the port type and check the box for **Redeem authorization**. Enter the resource URI of the ExpressRoute Direct resource and enter the authorization key generated in step 2.
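Review bot: number agreement in the new preview line, "in a different subscription or Microsoft Entra tenants" should be "tenant", matching the second sentence of the same line. The final step has the reader paste the authorization key generated in step 2 into a different tenant; since that key is the only thing authorizing circuit creation on the Direct port, the doc should say it is a secret and must be handed to the other tenant over a secure channel, not pasted into a ticket or chat.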
external-attack-surface-management Deploying The Defender Easm Azure Resource https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/external-attack-surface-management/deploying-the-defender-easm-azure-resource.md
# Create a Defender EASM Azure resource
-This article explains how to create a Microsoft Defender External Attack Surface Management (Defender EASM) Azure resource by using the Azure portal.
+This article explains how to create a Microsoft Defender External Attack Surface Management (Defender EASM) Azure resource by using the Azure portal. Users can begin their usage of Defender EASM with a 30-day free trial. Once the trial is nearing expiration, you will be notified via banners and push notifications.
Creating the Defender EASM Azure resource involves two steps:
external-attack-surface-management Understanding Dashboards https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/external-attack-surface-management/understanding-dashboards.md
Microsoft Defender External Attack Surface Management (Defender EASM) offers a s
Defender EASM provides five dashboards: - **Overview**: this dashboard is the default landing page when you access Defender EASM. It provides the key context that can help you familiarize yourself with your attack surface. -- **Attack surface summary**: this dashboard summarizes the key observations derived from your inventory. It provides a high-level overview of your Attack Surface and the asset types that comprise it, and surfaces potential vulnerabilities by severity (high, medium, low). This dashboard also provides key context on the infrastructure that comprises your Attack Surface, providing insight into cloud hosting, sensitive services, SSL certificate and domain expiry, and IP reputation.-- **Security posture**: this dashboard helps organizations understand the maturity and complexity of their security program based on the metadata derived from assets in your Approved inventory. It is comprised of technical and non-technical policies, processes and controls that mitigate risk of external threats. This dashboard provides insight on CVE exposure, domain administration and configuration, hosting and networking, open ports, and SSL certificate configuration.
+- **Attack surface summary**: this dashboard summarizes the key observations derived from your inventory. It provides a high-level overview of your Attack Surface and the asset types that comprise it, and surfaces potential vulnerabilities by severity (high, medium, low). This dashboard also provides key context on the infrastructure that comprises your Attack Surface. This context includes insight into cloud hosting, sensitive services, SSL certificate and domain expiry, and IP reputation.
+- **Security posture**: this dashboard helps organizations understand the maturity and complexity of their security program based on the metadata derived from assets in your Approved inventory. It is comprised of technical and nontechnical policies, processes and controls that mitigate risk of external threats. This dashboard provides insight on CVE exposure, domain administration and configuration, hosting and networking, open ports, and SSL certificate configuration.
- **GDPR compliance**: this dashboard surfaces key areas of compliance risk based on the General Data Protection Regulation (GDPR) requirements for online infrastructure thatΓÇÖs accessible to European nations. This dashboard provides insight on the status of your websites, SSL certificate issues, exposed personal identifiable information (PII), login protocols, and cookie compliance. - **OWASP Top 10**: this dashboard surfaces any assets that are vulnerable according to OWASPΓÇÖs list of the most critical web application security risks. On this dashboard, organizations can quickly identify assets with broken access control, cryptographic failures, injections, insecure designs, security misconfigurations and other critical risks as defined by OWASP.
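Review bot: "It is comprised of technical and nontechnical policies" in the Security posture bullet is the non-standard use of "comprise"; "It consists of" or "It comprises" reads better. The bullet also calls the source "your Approved inventory", while the priorities section of this same article (further down in this change) says "Confirmed Inventory"; pick one term for the approved-asset state and use it throughout.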
To access your Defender EASM dashboards, first navigate to your Defender EASM in
## Downloading chart data
-The data underlying any dashboard chart can be exported to a CSV file. This is useful for those who wish to import Defender EASM data into third party tools, or work off a CSV file when remediating any issues. To download chart data, first select the specific chart segment that contains the data you wish to download. Note that chart exports currently support individual chart segments; to download multiple segments from the same chart, you will need to export each individual segment.
+The data underlying any dashboard chart can be exported to a CSV file. This export is useful for users who wish to import Defender EASM data into third party tools, or work off a CSV file when remediating any issues. To download chart data, first select the specific chart segment that contains the data you wish to download. Chart exports currently support individual chart segments; to download multiple segments from the same chart, you need to export each individual segment.
-Selecting an individual chart segment will open a drilldown view of the data, listing any assets that comprise the segment count. At the top of this page, select **Download CSV report** to begin your export. If you are exporting a small number of assets, this action will directly download the CSV file to your machine. If you are exporting a large number of assets, this action will create a task manager notification where you can track the status of your export.
+Selecting an individual chart segment opens a drilldown view of the data, listing any assets that comprise the segment count. At the top of this page, select **Download CSV report** to begin your export. If you are exporting a small number of assets, this action directly downloads the CSV file to your machine. If you are exporting a large number of assets, this action creates a task manager notification where you can track the status of your export.
Microsoft Excel enforces a character limit of 32,767 characters per cell. Some fields, like the "Last banner" column, may be improperly displayed due to this limitation. If you encounter an issue, try opening the file in another program that supports CSV files.
At the top of this dashboard, Defender EASM provides a list of security prioriti
Insight Priorities are determined by MicrosoftΓÇÖs assessment of the potential impact of each insight. For instance, high severity insights may include vulnerabilities that are new, exploited frequently, particularly damaging, or easily exploited by hackers with a lower skill level. Low severity insights may include use of deprecated technology that is no longer supported, infrastructure that will soon expire, or compliance issues that do not align with security best practices. Each insight contains suggested remediation actions to protect against potential exploits.
-Some insights will be flagged with "Potential" in the title. A "Potential" insight occurs when Defender EASM is unable to confirm that an asset is impacted by a vulnerability. This is common when our scanning system detects the presence of a specific service but cannot detect the version number; for example, some services enable administrators to hide version information. Vulnerabilities are often associated with specific versions of the software, so manual investigation is required to determine whether the asset is impacted. Other vulnerabilities can be remediated by steps that Defender EASM is unable to detect. For instance, users can make recommended changes to service configurations or run backported patches. If an insight is prefaced with "Potential", the system has reason to believe that the asset is impacted by the vulnerability but is unable to confirm it for one of the above listed reasons. To manually investigate, please click the insight name to review remediation guidance that can help you determine whether your assets are impacted.
+Insights that were recently added to the Defender EASM platform are flagged with a "NEW" label on this dashboard. When we add new insights that impact assets in your Confirmed Inventory, the system also delivers a push notification that routes you to a detailed view of this new insight with a list of the impacted assets.
+
+Some insights are flagged with "Potential" in the title. A "Potential" insight occurs when Defender EASM is unable to confirm that an asset is impacted by a vulnerability. This is common when our scanning system detects the presence of a specific service but cannot detect the version number. For example, some services enable administrators to hide version information. Vulnerabilities are often associated with specific versions of the software, so manual investigation is required to determine whether the asset is impacted. Other vulnerabilities can be remediated by steps that Defender EASM is unable to detect. For instance, users can make recommended changes to service configurations or run backported patches. If an insight is prefaced with "Potential", the system has reason to believe that the asset is impacted by the vulnerability but is unable to confirm it for one of the above listed reasons. To manually investigate, click the insight name to review remediation guidance that can help you determine whether your assets are impacted.
![Screenshot of attack surface priorities with clickable options highlighted.](media/Dashboards-2.png)
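Review bot: the new "NEW" paragraph refers to assets in "your Confirmed Inventory", whereas the dashboard descriptions above use "Approved inventory" for the same state; use one term. In the reflowed "Potential" paragraph, "cannot detect the version number. For example, some services enable administrators to hide version information" now splits the cause from its example; "cannot detect the version number, for example because administrators have hidden version information" keeps them together.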
The Observations page features a list of all potential insights in the left-hand
![Screenshot of attack surface drilldown for medium severity priorities.](media/Dashboards-3.png)
-This detailed view for any observation will include the title of the issue, a description, and remediation guidance from the Defender EASM team. In this example, the description explains how expired SSL certificates can lead to critical business functions becoming unavailable, preventing customers or employees from accessing web content and thus damaging your organizationΓÇÖs brand. The Remediation section provides advice on how to swiftly fix the issue; in this example, Microsoft recommends that you review the certificates associated with the impacted host assets, update the coinciding SSL certificate(s), and update your internal procedures to ensure that SSL certificates are updated in a timely manner.
+This detailed view for any observation includes the title of the issue, a description, and remediation guidance from the Defender EASM team. In this example, the description explains how expired SSL certificates can lead to critical business functions becoming unavailable, preventing customers or employees from accessing web content and thus damaging your organizationΓÇÖs brand. The Remediation section provides advice on how to swiftly fix the issue; in this example, Microsoft recommends that you review the certificates associated with the impacted host assets, update the coinciding SSL certificate(s), and update your internal procedures to ensure that SSL certificates are updated in a timely manner.
-Finally, the Asset section lists any entities that have been impacted by this specific security concern. In this example, a user will want to investigate the impacted assets to learn more about the expired SSL Certificate. You can click on any asset name from this list to view the Asset Details page.
+Finally, the Asset section lists any entities that have been impacted by this specific security concern. In this example, a user wants to investigate the impacted assets to learn more about the expired SSL Certificate. You can click on any asset name from this list to view the Asset Details page.
From the Asset Details page, weΓÇÖll then click on the ΓÇ£SSL certificatesΓÇ¥ tab to view more information about the expired certificate. In this example, the listed certificate shows an ΓÇ£ExpiresΓÇ¥ date in the past, indicating that the certificate is currently expired and therefore likely inactive. This section also provides the name of the SSL certificate which you can then send to the appropriate team within your organization for swift remediation.
The following section provides a high-level summary of the composition of your A
![Screenshot of asset details view of same SSL certificate showing expiration highlighted.](media/Dashboards-5.png)
-Each value is clickable, routing users to their inventory list filtered to display only assets of the designated type. From this page, you can click on any asset to view more details, or you can add additional filters to narrow down the list according to your needs.
+Each value is clickable, routing users to their inventory list filtered to display only assets of the designated type. From this page, you can click on any asset to view more details, or you can add more filters to narrow down the list according to your needs.
### Securing the cloud
This section displays sensitive services detected on your Attack Surface that sh
![Screenshot of sensitive services chart.](media/Dashboards-7.png)
-The chart is organized by the name of each service; clicking on any individual bar will return a list of assets that are running that particular service. The chart below is empty, indicating that the organization is not currently running any services that are especially susceptible to attack.
+The chart is organized by the name of each service; clicking on any individual bar returns a list of assets that are running that particular service. The chart below is empty, indicating that the organization is not currently running any services that are especially susceptible to attack.
### SSL and domain expirations
The Security Posture dashboard helps organizations measure the maturity of their
### CVE exposure
-The first chart in the Security Posture dashboard relates to the management of an organizationΓÇÖs website portfolio. Microsoft analyzes website components such as frameworks, server software, and 3rd party plugins and then matches them to a current list of Common Vulnerability Exposures (CVEs) to identify vulnerability risks to your organization. The web components that comprise each website are inspected daily to ensure recency and accuracy.
+The first chart in the Security Posture dashboard relates to the management of an organizationΓÇÖs website portfolio. Microsoft analyzes website components such as frameworks, server software, and third party plugins and then matches them to a current list of Common Vulnerability Exposures (CVEs) to identify vulnerability risks to your organization. The web components that comprise each website are inspected daily to ensure recency and accuracy.
![Screenshot of CVE exposure chart.](media/Dashboards-11.png)
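Review bot: the expansion in the new line is wrong; CVE stands for Common Vulnerabilities and Exposures, not "Common Vulnerability Exposures". Worth fixing while the line is being edited for the "third party" spelling.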
This chart organizes your websites by status code. Options include Active, Inact
### Live sites with cert issues
-This chart displays pages that are actively serving content and present users with a warning that the site is insecure. The user must manually accept the warning to view the content on these pages. This can occur for a variety of reasons; this chart organizes results by the specific reason for easy mitigation. Options include broken certificates, active certificate issues, requires authorization and browser certificate errors.
+This chart displays pages that are actively serving content and present users with a warning that the site is insecure. The user must manually accept the warning to view the content on these pages. This can occur for various reasons; this chart organizes results by the specific reason for easy mitigation. Options include broken certificates, active certificate issues, requires authorization and browser certificate errors.
![Screenshot of SSL certificate posture chart.](media/Dashboards-20.png)
This chart is organized by the detected expiry window, ranging from already expi
### Sites by certificate posture
-This section analysis the signature algorithms that power an SSL certificate. SSL certificates can be secured with a variety of cryptographic algorithms; certain newer algorithms are considered more reputable and secure than older algorithms, so companies are advised to retire older algorithms like SHA-1.
+This section analysis the signature algorithms that power an SSL certificate. SSL certificates can be secured with various cryptographic algorithms; certain newer algorithms are considered more reputable and secure than older algorithms, so companies are advised to retire older algorithms like SHA-1.
Users can click any segment of the pie chart to view a list of assets that comprise the selected value. SHA256 is considered secure, whereas organizations should update any certificates using the SHA1 algorithm.
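Review bot: "This section analysis the signature algorithms" survived the rewrite; it should be "analyzes". The same sentence says certificates "can be secured with various cryptographic algorithms", but SHA-1 is the hash inside the signature algorithm (for example RSA with SHA-1), so "signed with various signature algorithms" is the accurate phrasing. The unchanged line below spells the same algorithms "SHA256" and "SHA1" while the new line uses "SHA-1"; standardize on SHA-1 and SHA-256.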
This chart displays live PII sites by their usage of SSL certificates. By refere
![Screenshot of Live PII sites by certificate posture chart.](media/Dashboards-24.png)
-### Login websites by protcol
+### Login websites by protocol
A login page is a page on a website where a user has the option to enter a username and password to gain access to services hosted on that site. Login pages have specific requirements under GDPR, so Defender EASM references the DOM of all scanned pages to search for code that correlates to a login. For instance, login pages must be secure to be compliant. This first chart displays Login websites by protocol (HTTP or HTTPS) and the second by certificate posture.
A login page is a page on a website where a user has the option to enter a usern
### Cookie posture
-A cookie is information in the form of a very small text file that is placed on the hard drive of the computer running a web browser when browsing a site. Each time a website is visited, the browser sends the cookie back to the server to notify the website of your previous activity. GDPR has specific requirements for obtaining consent to issue a cookie, and different storage regulations for first- versus third-party cookies.
+A cookie is information in the form of a small text file that is placed on the hard drive of the computer running a web browser when browsing a site. Each time a website is visited, the browser sends the cookie back to the server to notify the website of your previous activity. GDPR has specific requirements for obtaining consent to issue a cookie, and different storage regulations for first- versus third-party cookies.
![Screenshot of Cookie posture chart.](media/Dashboards-27.png)
firewall-manager Deploy Trusted Security Partner https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall-manager/deploy-trusted-security-partner.md
To set up tunnels to your virtual hubΓÇÖs VPN Gateway, third-party providers nee
### Create and authorize a service principal
-1. Create Azure Active Directory (AD) service principal: You can skip the redirect URL.
+1. Create Microsoft Entra service principal: You can skip the redirect URL.
- [How to: Use the portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal)
+ [How to: Use the portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal)
2. Add access rights and scope for the service principal.
- [How to: Use the portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal)
+ [How to: Use the portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal)
> [!NOTE] > You can limit access to only your resource group for more granular control. ### Visit partner portal
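Review bot: In the "Create and authorize a service principal" steps above, step 2 ("Add access rights and scope for the service principal") links to the same `#register-an-application-with-azure-ad-and-create-a-service-principal` anchor as step 1, which covers registration rather than role assignment; point step 2 at the part of that article that assigns a role and scope so the reader lands on the right instructions. Since only the link text was renamed here, also confirm the `-with-azure-ad-` anchor still exists in the target page after its own Entra rename. The `[!NOTE]` about limiting access to the resource group is the right least-privilege guidance; naming the minimum role the partner integration needs, instead of the unspecified "access rights", would make it actionable.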
-1. Follow your partner provided instructions to complete the setup. This includes submitting AAD information to detect and connect to the hub, update the egress policies, and check connectivity status and logs.
+1. Follow your partner provided instructions to complete the setup. This includes submitting Microsoft Entra information to detect and connect to the hub, update the egress policies, and check connectivity status and logs.
- [Zscaler: Configure Microsoft Azure Virtual WAN integration](https://help.zscaler.com/zia/configuring-microsoft-azure-virtual-wan-integration). - [Check Point: Configure Microsoft Azure Virtual WAN integration](https://www.checkpoint.com/cloudguard/microsoft-azure-security/wan).
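Review bot: "submitting Microsoft Entra information" is as vague as the "AAD information" it replaces; say what is handed to the partner, namely the tenant ID, application (client) ID and client secret of the service principal created in the previous section. Because that secret is shared with a third party, this step should restate that the principal was scoped to the resource group per the note above, and that the secret should be rotated or the principal removed if the partner integration is decommissioned.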
firewall-manager Rule Hierarchy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall-manager/rule-hierarchy.md
The high-level steps for this example are:
3. Define IT security-specific rules in the base policy. This adds a common set of rules to allow/deny traffic. 4. Create application team policies that inherit the base policy. 5. Define application team-specific rules in the policy. You can also migrate rules from pre-existing firewalls.
-6. Create Azure Active Directory custom roles to provide fine grained access to rule collection group and add roles at a Firewall Policy scope. In the following example, Sales team members can edit rule collection groups for the Sales teams Firewall Policy. The same applies to the Database and Engineering teams.
+6. Create Microsoft Entra custom roles to provide fine grained access to rule collection group and add roles at a Firewall Policy scope. In the following example, Sales team members can edit rule collection groups for the Sales teams Firewall Policy. The same applies to the Database and Engineering teams.
7. Associate the policy to the corresponding firewall. An Azure firewall can have only one assigned policy. This requires each application team to have their own firewall.
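Review bot: "Microsoft Entra custom roles" is the wrong term in step 6. A role that grants edit rights on rule collection groups at Firewall Policy scope is an Azure RBAC custom role assigned on the Azure resource, not a Microsoft Entra custom role, which governs directory objects. The pre-rename text had the same mix-up ("Azure Active Directory custom roles"), so this pass should fix it rather than carry it forward. Minor: "fine grained" should be "fine-grained" and "Sales teams Firewall Policy" should be "Sales team's Firewall Policy".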
Security administrators can use base policy to enforce guardrails and block cert
## Next steps - [Learn more about Azure Firewall policy](policy-overview.md)-- [Learn more about Azure network security](../networking/security/index.yml)
+- [Learn more about Azure network security](../networking/security/index.yml)
firewall Firewall Sftp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall/firewall-sftp.md
This article requires the latest Azure PowerShell modules. Run `Get-Module -List
First, set up some variables to use in the deployment. Replace the values with your own. > [!TIP]
-> You can use Azure Active Directory to find your user principal name.
+> You can use Microsoft Entra ID to find your user principal name.
```azurepowershell $rg = "<resource-group-name>"
firewall Protect Azure Virtual Desktop https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/firewall/protect-azure-virtual-desktop.md
Based on the Azure Virtual Desktop (AVD) [reference article](../virtual-desktop/
> [!NOTE]
-> Some deployments might not need DNS rules. For example, Azure Active Directory Domain controllers forward DNS queries to Azure DNS at 168.63.129.16.
+> Some deployments might not need DNS rules. For example, Microsoft Entra Domain controllers forward DNS queries to Azure DNS at 168.63.129.16.
Azure Virtual Desktop (AVD) official documentation reports the following Network rules as **optional** depending on the usage and scenario:
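Review bot: "Microsoft Entra Domain controllers" is not a product name. Microsoft Entra ID has no domain controllers; the example refers to the managed domain controllers of Microsoft Entra Domain Services (formerly Azure AD DS), which forward DNS queries to Azure DNS at 168.63.129.16. Rename to "Microsoft Entra Domain Services domain controllers" so readers do not look for the feature in Entra ID itself.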
Admins can allow or deny user access to different website categories. Add a rule
## Next steps - Learn more about Azure Virtual Desktop: [What is Azure Virtual Desktop?](../virtual-desktop/overview.md)-
frontdoor Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/domain.md
If your key vault has network access restrictions enabled, you must configure yo
There are two ways you can configure access control on your key vault:
-* Azure Front Door can use a managed identity to access your key vault. You can use this approach when your key vault uses Azure Active Directory (Azure AD) authentication. For more information, see [Use managed identities with Azure Front Door Standard/Premium](managed-identity.md).
+* Azure Front Door can use a managed identity to access your key vault. You can use this approach when your key vault uses Microsoft Entra authentication. For more information, see [Use managed identities with Azure Front Door Standard/Premium](managed-identity.md).
* Alternatively you can grant Azure Front Door's service principal access to your key vault. You can use this approach when you use vault access policies. #### Add your custom certificate to Azure Front Door
frontdoor Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/endpoint.md
The endpoint domain is accessible when you associate it with a route.
When you delete and redeploy an endpoint, you might expect to get the same pseudorandom hash value, and therefore the same endpoint domain name. Front Door enables you to control how the pseudorandom hash values are reused on an endpoint-by-endpoint basis.
-An endpoint's domain can be reused within the same tenant, subscription, or resource group scope level. You can also choose to not allow the reuse of an endpoint domain. By default, Front Door allows reuse of the endpoint domain within the same Azure Active Directory tenant.
+An endpoint's domain can be reused within the same tenant, subscription, or resource group scope level. You can also choose to not allow the reuse of an endpoint domain. By default, Front Door allows reuse of the endpoint domain within the same Microsoft Entra tenant.
You can use Bicep, an Azure Resource Manager template (ARM template), the Azure CLI, or Azure PowerShell to configure the scope level of the endpoint's domain reuse behavior. You can also configure it for all Front Door endpoints in your whole organization by using Azure Policy. The Azure portal uses the scope level you define through the command line once it has been changed.
The following table lists the allowable values for the endpoint's domain reuse b
| Value | Description | |--|--|
-| `TenantReuse` | This is the default value. Endpoints with the same name in the same Azure Active Directory tenant receive the same domain label. |
+| `TenantReuse` | This is the default value. Endpoints with the same name in the same Microsoft Entra tenant receive the same domain label. |
| `SubscriptionReuse` | Endpoints with the same name in the same Azure subscription receive the same domain label. | | `ResourceGroupReuse` | Endpoints with the same name in the same resource group receives the same domain label. | | `NoReuse` | Endpoints always receive a new domain label. |
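Review bot: The `TenantReuse` default needs a security caveat in this section. As the table states, endpoints with the same name anywhere in the same Microsoft Entra tenant receive the same domain label, so once an endpoint is deleted, another subscription or team in that tenant can recreate the name and inherit the old endpoint domain, and any customer CNAME still pointing at that domain will resolve to the new owner's endpoint. Suggest one sentence recommending `SubscriptionReuse`, `ResourceGroupReuse` or `NoReuse` where a tenant is shared across teams, and removing DNS records that reference the endpoint domain before deleting the endpoint.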
frontdoor Front Door Custom Domain Https https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/front-door-custom-domain-https.md
You can use your own certificate to enable the HTTPS feature. This process is do
#### Register Azure Front Door
-Register the service principal for Azure Front Door as an app in your Azure Active Directory (Azure AD) by using Azure PowerShell or the Azure CLI.
+Register the service principal for Azure Front Door as an app in your Microsoft Entra ID by using Azure PowerShell or the Azure CLI.
> [!NOTE]
-> * This action requires at least Application Administrator role permissions in Azure AD. The registration only needs to be performed **once per Azure AD tenant**.
+> * This action requires at least Application Administrator role permissions in Microsoft Entra ID. The registration only needs to be performed **once per Microsoft Entra tenant**.
> * The application ID is assigned by Azure specifically for Azure Front Door (classic). > * Azure Front Door (classic) has a different *Application Id* than Azure Front Door Standard/Premium tier. > * The role assigned is only for the subscription selected unless you define a different scope.
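Review bot: The permission statements for this operation disagree between articles: here it says "at least Application Administrator role permissions", while the Standard/Premium version of the same step (how-to-configure-https-custom-domain.md, also in this change set) says "Global Administrator permissions". Align them on the lower role; creating a service principal for a predefined application ID does not need Global Administrator. Also, "as an app in your Microsoft Entra ID" reads awkwardly after the rename; "in your Microsoft Entra tenant" matches the "once per Microsoft Entra tenant" wording two lines down.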
The following table shows the operation progress that occurs when you disable HT
## Next steps
-To learn how to [set up a geo-filtering policy](front-door-geo-filtering.md) for your Front Door, continue to the next tutorial.
+To learn how to [set up a geo-filtering policy](front-door-geo-filtering.md) for your Front Door, continue to the next tutorial.
frontdoor Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/managed-identity.md
# Use managed identities to access Azure Key Vault certificates
-A managed identity generated by Azure Active Directory (Azure AD) allows your Azure Front Door instance to easily and securely access other Azure AD-protected resources, such as Azure Key Vault. Azure manages the identity resource, so you don't have to create or rotate any secrets. For more information about managed identities, seeΓÇ»[What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md).
+A managed identity generated by Microsoft Entra ID allows your Azure Front Door instance to easily and securely access other Microsoft Entra protected resources, such as Azure Key Vault. Azure manages the identity resource, so you don't have to create or rotate any secrets. For more information about managed identities, seeΓÇ»[What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md).
-Once you enable managed identity for Azure Front Door and grant proper permissions to access your Azure Key Vault, Front Door only uses managed identity to access the certificates. If you don't **add the managed identity permission to your Key Vault**, custom certificate autorotation and adding new certificates fails without permissions to Key Vault. If you disable managed identity, Azure Front Door falls back to using the original configured Azure Active Directory App. This solution isn't recommended and will be retired in the future.
+Once you enable managed identity for Azure Front Door and grant proper permissions to access your Azure Key Vault, Front Door only uses managed identity to access the certificates. If you don't **add the managed identity permission to your Key Vault**, custom certificate autorotation and adding new certificates fails without permissions to Key Vault. If you disable managed identity, Azure Front Door falls back to using the original configured Microsoft Entra App. This solution isn't recommended and will be retired in the future.
You can grant two types of identities to an Azure Front Door profile:
You can grant two types of identities to an Azure Front Door profile:
* A **user-assigned** identity is a standalone Azure resource that can be assigned to your service. The service can have **multiple** user-assigned identities.
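Review bot: "custom certificate autorotation and adding new certificates fails" has a compound subject and should read "fail". In the same paragraph, the fallback behaviour deserves a sharper warning: disabling managed identity silently switches the credential Front Door presents to Key Vault back to the "original configured Microsoft Entra App", and since that path "will be retired in the future", the article should say when, or at least tell readers that Key Vault access logs will show a different principal after the switch.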
-Managed identities are specific to the Azure AD tenant where your Azure subscription is hosted. They don't get updated if a subscription gets moved to a different directory. If a subscription gets moved, you need to recreate and reconfigure the identity.
+Managed identities are specific to the Microsoft Entra tenant where your Azure subscription is hosted. They don't get updated if a subscription gets moved to a different directory. If a subscription gets moved, you need to recreate and reconfigure the identity.
## Prerequisites
Before you can set up managed identity for Azure Front Door, you must have an Az
:::image type="content" source="./media/managed-identity/system-assigned-confirm.png" alt-text="Screenshot of the system assigned managed identity confirmation message.":::
-1. Once the system assigned managed identity has been created and registered with Azure Active Directory, you can use the **Object (principal) ID** to grant Azure Front Door access to your Azure Key Vault.
+1. Once the system assigned managed identity has been created and registered with Microsoft Entra ID, you can use the **Object (principal) ID** to grant Azure Front Door access to your Azure Key Vault.
- :::image type="content" source="./media/managed-identity/system-assigned-created.png" alt-text="Screenshot of the system assigned managed identity registered with Azure Active Directory.":::
+ :::image type="content" source="./media/managed-identity/system-assigned-created.png" alt-text="Screenshot of the system assigned managed identity registered with Microsoft Entra I D.":::
# [User assigned](#tab/user-assigned)
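Review bot: Typo in the added alt text: "Microsoft Entra I D" has a stray space and should be "Microsoft Entra ID".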
frontdoor Migrate Tier https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/migrate-tier.md
Azure Front Door Standard and Premium tier bring the latest cloud delivery netwo
> [!NOTE] > If you're not using your own certificate, enabling managed identities and granting access to the Key Vault is not required. You can skip to the [**Migrate**](#migrate) phase.
-If you're using your own certificate and you'll need to enable managed identity so Azure Front Door can access the certificate in your Azure Key Vault. Managed identity is a feature of Azure Active Directory that allows you to securely connect to other Azure services without having to manage credentials. For more information, see [What are managed identities for Azure resources?](..//active-directory/managed-identities-azure-resources/overview.md)
+If you're using your own certificate and you'll need to enable managed identity so Azure Front Door can access the certificate in your Azure Key Vault. Managed identity is a feature of Microsoft Entra ID that allows you to securely connect to other Azure services without having to manage credentials. For more information, see [What are managed identities for Azure resources?](..//active-directory/managed-identities-azure-resources/overview.md)
1. Select **Enable** and then select either **System assigned** or **User assigned** depending on the type of managed identities you want to use.
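Review bot: "If you're using your own certificate and you'll need to enable managed identity" carries a stray "and" from before the rename; it should read "If you're using your own certificate, you need to enable managed identity so Azure Front Door can access the certificate in your Azure Key Vault." The relative link `..//active-directory/...` also has a doubled slash.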
frontdoor How To Configure Https Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/frontdoor/standard-premium/how-to-configure-https-custom-domain.md
If you already have a certificate, you can upload it to your key vault. Otherwis
#### Register Azure Front Door
-Register the service principal for Azure Front Door as an app in your Azure Active Directory (Azure AD) by using Azure PowerShell or the Azure CLI.
+Register the service principal for Azure Front Door as an app in your Microsoft Entra ID by using Azure PowerShell or the Azure CLI.
> [!NOTE]
-> * This action requires you to have *Global Administrator* permissions in Azure AD. The registration only needs to be performed **once per Azure AD tenant**.
+> * This action requires you to have *Global Administrator* permissions in Microsoft Entra ID. The registration only needs to be performed **once per Microsoft Entra tenant**.
> * The application ID of **205478c0-bd83-4e1b-a9d6-db63a3e1e1c8** and **d4631ece-daab-479b-be77-ccb713491fc0** is predefined by Azure for Front Door Standard and Premium across all Azure tenants and subscriptions. Azure Front Door (Classic) has a different application ID. # [Azure PowerShell](#tab/powershell)
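Review bot: "Global Administrator permissions" contradicts the classic-tier article in this same change set (front-door-custom-domain-https.md), which requires only "at least Application Administrator". Registering the predefined Front Door application IDs as a service principal does not require Global Administrator; document the least-privileged role and keep the two articles consistent. As in the classic article, "as an app in your Microsoft Entra ID" should be "in your Microsoft Entra tenant".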
governance Definition Structure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/concepts/definition-structure.md
Policy:
} ```
-### Effect
-
-Azure Policy supports the following types of effect:
--- **Append**: adds the defined set of fields to the request-- **Audit**: generates a warning event in activity log but doesn't fail the request-- **AuditIfNotExists**: generates a warning event in activity log if a related resource doesn't
- exist
-- **Deny**: generates an event in the activity log and fails the request-- **DeployIfNotExists**: deploys a related resource if it doesn't already exist-- **Disabled**: doesn't evaluate resources for compliance to the policy rule-- **Modify**: adds, updates, or removes the defined set of fields in the request-- **EnforceOPAConstraint** (deprecated): configures the Open Policy Agent admissions controller with
- Gatekeeper v3 for self-managed Kubernetes clusters on Azure
-- **EnforceRegoPolicy** (deprecated): configures the Open Policy Agent admissions controller with
- Gatekeeper v2 in Azure Kubernetes Service
-
-For complete details on each effect, order of evaluation, properties, and examples, see
-[Understanding Azure Policy Effects](effects.md).
- ### Policy functions Functions can be used to introduce additional logic into a policy rule. They are resolved within the [policy rule](#policy-rule) of a policy definition and within [parameter values assigned to policy definitions in an initiative](initiative-definition-structure.md#passing-a-parameter-value-to-a-policy-definition).
array element to a target value. When used with [count](#count) expression, it's
For more information and examples, see [Referencing array resource properties](../how-to/author-policies-for-arrays.md#referencing-array-resource-properties).
+### Effect
+
+Azure Policy supports the following types of effect:
+
+- **Append**: adds the defined set of fields to the request
+- **Audit**: generates a warning event in activity log but doesn't fail the request
+- **AuditIfNotExists**: generates a warning event in activity log if a related resource doesn't
+ exist
+- **Deny**: generates an event in the activity log and fails the request based on requested resource configuration
+- **DenyAction**: generates an event in the activity log and fails the request based on requested action
+- **DeployIfNotExists**: deploys a related resource if it doesn't already exist
+- **Disabled**: doesn't evaluate resources for compliance to the policy rule
+- **Modify**: adds, updates, or removes the defined set of fields in the request
+- **EnforceOPAConstraint** (deprecated): configures the Open Policy Agent admissions controller with
+ Gatekeeper v3 for self-managed Kubernetes clusters on Azure
+- **EnforceRegoPolicy** (deprecated): configures the Open Policy Agent admissions controller with
+ Gatekeeper v2 in Azure Kubernetes Service
+
+For complete details on each effect, order of evaluation, properties, and examples, see
+[Understanding Azure Policy Effects](effects.md).
+ ## Next steps - See the [initiative definition structure](./initiative-definition-structure.md)
governance Built In Initiatives https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/built-in-initiatives.md
Title: List of built-in policy initiatives description: List built-in policy initiatives for Azure Policy. Categories include Regulatory Compliance, Guest Configuration, and more. Previously updated : 09/19/2023 Last updated : 10/10/2023
governance Built In Policies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/governance/policy/samples/built-in-policies.md
Title: List of built-in policy definitions description: List built-in policy definitions for Azure Policy. Categories include Tags, Regulatory Compliance, Key Vault, Kubernetes, Guest Configuration, and more. Previously updated : 09/19/2023 Last updated : 10/10/2023
guides Azure Developer Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/guides/developer/azure-developer-guide.md
Azure provides several ways to use containers in your applications.
It's crucial to not only know who is using your applications, but also to prevent unauthorized access to your resources. Azure provides several ways to authenticate your app clients.
-* **Azure Active Directory (Azure AD)**: The Microsoft multitenant, cloud-based identity and access management service. You can add single-sign on (SSO) to your applications by integrating with Azure AD. You can access directory properties by using the Microsoft Graph API. You can integrate with Azure AD support for the OAuth2.0 authorization framework and Open ID Connect by using native HTTP/REST endpoints and the multiplatform Azure AD authentication libraries.
+* **Microsoft Entra ID**: The Microsoft multitenant, cloud-based identity and access management service. You can add single-sign on (SSO) to your applications by integrating with Microsoft Entra ID. You can access directory properties by using the Microsoft Graph API. You can integrate with Microsoft Entra ID support for the OAuth2.0 authorization framework and OpenID Connect by using native HTTP/REST endpoints and the multiplatform Microsoft Entra authentication libraries.
> **When to use**: When you want to provide an SSO experience, work with Graph-based data, or authenticate domain-based users. >
- > **Get started**: To learn more, see the [Azure Active Directory developer's guide](../../active-directory/develop/v2-overview.md).
+ > **Get started**: To learn more, see the [Microsoft Entra developer's guide](../../active-directory/develop/v2-overview.md).
-* **App Service Authentication**: When you choose App Service to host your app, you also get built-in authentication support for Azure AD, along with social identity providersΓÇöincluding Facebook, Google, Microsoft, and Twitter/X.
+* **App Service Authentication**: When you choose App Service to host your app, you also get built-in authentication support for Microsoft Entra ID, along with social identity providersΓÇöincluding Facebook, Google, Microsoft, and Twitter/X.
- > **When to use**: When you want to enable authentication in an App Service app by using Azure AD, social identity providers, or both.
+ > **When to use**: When you want to enable authentication in an App Service app by using Microsoft Entra ID, social identity providers, or both.
> > **Get started**: To learn more about authentication in App Service, see [Authentication and authorization in Azure App Service](../../app-service/overview-authentication-authorization.md).
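Review bot: Two spelling points in the rewritten Microsoft Entra ID bullet: "OAuth2.0" should be "OAuth 2.0", and "single-sign on (SSO)" should be "single sign-on (SSO)". The change from "Open ID Connect" to "OpenID Connect" is correct.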
As developers, we like to dive right into the code and try to get started as fas
### What is an Azure account?
-To create or work with an Azure subscription, you must have an Azure account. An Azure account is simply an identity in Azure AD or in some other directory, such as a work or school organization, that Azure AD trusts. If you don't belong to such an organization, you can always create a subscription by using your Microsoft Account, which is trusted by Azure AD. To learn more about integrating on-premises Windows Server Active Directory with Azure AD, see [Integrating your on-premises identities with Azure Active Directory](../../active-directory/hybrid/whatis-hybrid-identity.md).
+To create or work with an Azure subscription, you must have an Azure account. An Azure account is simply an identity in Microsoft Entra ID or in some other directory, such as a work or school organization, that Microsoft Entra ID trusts. If you don't belong to such an organization, you can always create a subscription by using your Microsoft Account, which is trusted by Microsoft Entra ID. To learn more about integrating on-premises Windows Server Active Directory with Microsoft Entra ID, see [Integrating your on-premises identities with Microsoft Entra ID](../../active-directory/hybrid/whatis-hybrid-identity.md).
-Every Azure subscription has a trust relationship with an Azure AD instance. This means the subscription delegates the task of authenticating users, services, and devices to that Azure AD instance. Multiple subscriptions can trust the same directory, but a subscription trusts only one directory. To learn more, see [How Azure subscriptions are associated with Azure Active Directory](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md).
+Every Azure subscription has a trust relationship with a Microsoft Entra instance. This means the subscription delegates the task of authenticating users, services, and devices to that Microsoft Entra instance. Multiple subscriptions can trust the same directory, but a subscription trusts only one directory. To learn more, see [How Azure subscriptions are associated with Microsoft Entra ID](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md).
-As well as defining individual Azure account identities, also called *users*, you can define *groups* in Azure AD. Creating user groups is a good way to manage access to resources in a subscription by using role-based access control (RBAC). To learn how to create groups, see [Create a group in Azure Active Directory preview](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). You can also create and manage groups by [using PowerShell](../../active-directory/enterprise-users/groups-settings-v2-cmdlets.md).
+As well as defining individual Azure account identities, also called *users*, you can define *groups* in Microsoft Entra ID. Creating user groups is a good way to manage access to resources in a subscription by using role-based access control (RBAC). To learn how to create groups, see [Create a group in Microsoft Entra ID](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md). You can also create and manage groups by [using PowerShell](../../active-directory/enterprise-users/groups-settings-v2-cmdlets.md).
### Manage your subscriptions
guides Azure Operations Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/guides/operations/azure-operations-guide.md
Services for storing and managing data:
Services for building and operating applications: -- Azure Active Directory (Azure AD)
+- Microsoft Entra ID
- Azure Service Bus for connecting distributed systems
hdinsight-aks Flink Job Orchestration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight-aks/flink/flink-job-orchestration.md
Title: Azure data factory managed airflow - HDInsight on AKS
-description: Learn Flink job orchestration using Azure Data Factory managed airflow
+description: Learn how to perform Flink job orchestration using Azure Data Factory managed airflow
Previously updated : 09/23/2023 Last updated : 10/11/2023
-# Azure data factory managed airflow
+# Flink job orchestration using Azure Data Factory managed airflow
[!INCLUDE [feature-in-preview](../includes/feature-in-preview.md)]
hdinsight Apache Domain Joined Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/apache-domain-joined-architecture.md
The standard Azure HDInsight cluster is a single-user cluster. It's suitable for
Many enterprises have moved toward a model in which IT teams manage clusters, and multiple application teams share clusters. These larger enterprises need multiuser access to each cluster in Azure HDInsight.
-HDInsight relies on a popular identity provider--Active Directory--in a managed way. By integrating HDInsight with [Azure Active Directory Domain Services (Azure AD DS)](../../active-directory-domain-services/overview.md), you can access the clusters by using your domain credentials.
+HDInsight relies on a popular identity provider--Active Directory--in a managed way. By integrating HDInsight with [Microsoft Entra Domain Services](../../active-directory-domain-services/overview.md), you can access the clusters by using your domain credentials.
The virtual machines (VMs) in HDInsight are domain joined to your provided domain. So, all the services running on HDInsight (Apache Ambari, Apache Hive server, Apache Ranger, Apache Spark thrift server, and others) work seamlessly for the authenticated user. Administrators can then create strong authorization policies by using Apache Ranger to provide role-based access control for resources in the cluster. ## Integrate HDInsight with Active Directory
-Open-source Apache Hadoop relies on the Kerberos protocol for authentication and security. Therefore, HDInsight cluster nodes with Enterprise Security Package (ESP) are joined to a domain that's managed by Azure AD DS. Kerberos security is configured for the Hadoop components on the cluster.
+Open-source Apache Hadoop relies on the Kerberos protocol for authentication and security. Therefore, HDInsight cluster nodes with Enterprise Security Package (ESP) are joined to a domain that's managed by Microsoft Entra Domain Services. Kerberos security is configured for the Hadoop components on the cluster.
The following things are created automatically:
The following things are created automatically:
To summarize, you need to set up an environment with: -- An Active Directory domain (managed by Azure AD DS). **The domain name must be 39 characters or less to work with Azure HDInsight.**-- Secure LDAP (LDAPS) enabled in Azure AD DS.-- Proper networking connectivity from the HDInsight virtual network to the Azure AD DS virtual network, if you choose separate virtual networks for them. A VM inside the HDInsight virtual network should have a line of sight to Azure AD DS through virtual network peering. If HDInsight and Azure AD DS are deployed in the same virtual network, the connectivity is automatically provided, and no further action is needed.
+- An Active Directory domain (managed by Microsoft Entra Domain Services). **The domain name must be 39 characters or less to work with Azure HDInsight.**
+- Secure LDAP (LDAPS) enabled in Microsoft Entra Domain Services.
+- Proper networking connectivity from the HDInsight virtual network to the Microsoft Entra Domain Services virtual network, if you choose separate virtual networks for them. A VM inside the HDInsight virtual network should have a line of sight to Microsoft Entra Domain Services through virtual network peering. If HDInsight and Microsoft Entra Domain Services are deployed in the same virtual network, the connectivity is automatically provided, and no further action is needed.
## Set up different domain controllers
-HDInsight currently supports only Azure AD DS as the main domain controller that the cluster uses for Kerberos communication. But other complex Active Directory setups are possible, as long as such a setup leads to enabling Azure AD DS for HDInsight access.
+HDInsight currently supports only Microsoft Entra Domain Services as the main domain controller that the cluster uses for Kerberos communication. But other complex Active Directory setups are possible, as long as such a setup leads to enabling Microsoft Entra Domain Services for HDInsight access.
-### Azure Active Directory Domain Services
+<a name='azure-active-directory-domain-services'></a>
-[Azure AD DS](../../active-directory-domain-services/overview.md) provides a managed domain that's fully compatible with Windows Server Active Directory. Microsoft takes care of managing, patching, and monitoring the domain in a highly available (HA) setup. You can deploy your cluster without worrying about maintaining domain controllers.
+### Microsoft Entra Domain Services
-Users, groups, and passwords are synchronized from Azure AD. The one-way sync from your Azure AD instance to Azure AD DS enables users to sign in to the cluster by using the same corporate credentials.
+[Microsoft Entra Domain Services](../../active-directory-domain-services/overview.md) provides a managed domain that's fully compatible with Windows Server Active Directory. Microsoft takes care of managing, patching, and monitoring the domain in a highly available (HA) setup. You can deploy your cluster without worrying about maintaining domain controllers.
-For more information, see [Configure HDInsight clusters with ESP using Azure AD DS](./apache-domain-joined-configure-using-azure-adds.md).
+Users, groups, and passwords are synchronized from Microsoft Entra ID. The one-way sync from your Microsoft Entra instance to Microsoft Entra Domain Services enables users to sign in to the cluster by using the same corporate credentials.
+
+For more information, see [Configure HDInsight clusters with ESP using Microsoft Entra Domain Services](./apache-domain-joined-configure-using-azure-adds.md).
### On-premises Active Directory or Active Directory on IaaS VMs
-If you have an on-premises Active Directory instance or more complex Active Directory setups for your domain, you can sync those identities to Azure AD by using Azure AD Connect. You can then enable Azure AD DS on that Active Directory tenant.
+If you have an on-premises Active Directory instance or more complex Active Directory setups for your domain, you can sync those identities to Microsoft Entra ID by using Microsoft Entra Connect. You can then enable Microsoft Entra Domain Services on that Active Directory tenant.
-Because Kerberos relies on password hashes, you must [enable password hash sync on Azure AD DS](../../active-directory-domain-services/tutorial-create-instance.md).
+Because Kerberos relies on password hashes, you must [enable password hash sync on Microsoft Entra Domain Services](../../active-directory-domain-services/tutorial-create-instance.md).
-If you're using federation with Active Directory Federation Services (AD FS), you must enable password hash sync. (For a recommended setup, see [this video](https://youtu.be/qQruArbu2Ew).) Password hash sync helps with disaster recovery in case your AD FS infrastructure fails, and it also helps provide leaked-credential protection. For more information, see [Enable password hash sync with Azure AD Connect sync](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md).
+If you're using federation with Active Directory Federation Services (AD FS), you must enable password hash sync. (For a recommended setup, see [this video](https://youtu.be/qQruArbu2Ew).) Password hash sync helps with disaster recovery in case your AD FS infrastructure fails, and it also helps provide leaked-credential protection. For more information, see [Enable password hash sync with Microsoft Entra Connect Sync](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md).
-Using on-premises Active Directory or Active Directory on IaaS VMs alone, without Azure AD and Azure AD DS, isn't a supported configuration for HDInsight clusters with ESP.
+Using on-premises Active Directory or Active Directory on IaaS VMs alone, without Microsoft Entra ID and Microsoft Entra Domain Services, isn't a supported configuration for HDInsight clusters with ESP.
-If federation is being used and password hashes are synced correctly, but you're getting authentication failures, check if cloud password authentication is enabled for the PowerShell service principal. If not, you must set a [Home Realm Discovery (HRD) policy](../../active-directory/manage-apps/configure-authentication-for-federated-users-portal.md) for your Azure AD tenant. To check and set the HRD policy:
+If federation is being used and password hashes are synced correctly, but you're getting authentication failures, check if cloud password authentication is enabled for the PowerShell service principal. If not, you must set a [Home Realm Discovery (HRD) policy](../../active-directory/manage-apps/configure-authentication-for-federated-users-portal.md) for your Microsoft Entra tenant. To check and set the HRD policy:
1. Install the preview [Azure AD PowerShell module](/powershell/azure/active-directory/install-adv2).
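Review bot: The rename misses one instance in the on-premises section: "You can then enable Microsoft Entra Domain Services on that Active Directory tenant" still says "Active Directory tenant", but the tenant the identities were just synced to is the Microsoft Entra tenant, so this should read "on that Microsoft Entra tenant" (an on-premises Active Directory has domains and forests, not tenants). Separately, the unchanged step "Install the preview Azure AD PowerShell module" keeps the old product name; if that is the module's actual name it can stay, otherwise it reads as a missed rename next to the updated HRD policy paragraph.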
hdinsight Apache Domain Joined Configure Using Azure Adds https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/apache-domain-joined-configure-using-azure-adds.md
Title: Configure clusters for Azure Active Directory integration
+ Title: Configure clusters for Microsoft Entra integration
-description: Learn how to set up and configure an HDInsight cluster integrated with Active Directory by using Azure Active Directory Domain Services and the Enterprise Security Package feature.
+description: Learn how to set up and configure an HDInsight cluster integrated with Active Directory by using Microsoft Entra Domain Services and the Enterprise Security Package feature.
Last updated 09/21/2023
-# Configure HDInsight clusters for Azure Active Directory integration with Enterprise Security Package
+# Configure HDInsight clusters for Microsoft Entra integration with Enterprise Security Package
-This article provides a summary and overview of the process of creating and configuring an HDInsight cluster integrated with Azure Active Directory. This integration relies on a HDInsight feature called Enterprise Security Package (ESP), Azure Active Directory Domain Services (Azure AD-DS) and your pre-existing on-premises Active Directory.
+This article provides a summary and overview of the process of creating and configuring an HDInsight cluster integrated with Microsoft Entra ID. This integration relies on a HDInsight feature called Enterprise Security Package (ESP), Microsoft Entra Domain Services and your pre-existing on-premises Active Directory.
For a detailed, step-by-step tutorial on setting up and configuring a domain in Azure and creating an ESP enabled cluster and then syncing on-premises users, see [Create and configure Enterprise Security Package clusters in Azure HDInsight](apache-domain-joined-create-configure-enterprise-security-cluster.md).
Enterprise Security Package (ESP) provides Active Directory integration for Azur
There are a few prerequisites to complete before you can create an ESP-enabled HDInsight cluster: -- An existing on-premises Active Directory and Azure Active Directory.-- Enable Azure AD-DS.-- Check Azure AD-DS health status to ensure synchronization completed.
+- An existing on-premises Active Directory and Microsoft Entra ID.
+- Enable Microsoft Entra Domain Services.
+- Check Microsoft Entra Domain Services health status to ensure synchronization completed.
- Create and authorize a managed identity. - Complete Networking setup for DNS and related issues. Each of these items are discussed in details. For a walkthrough of completing all of these steps, see [Create and configure Enterprise Security Package clusters in Azure HDInsight](apache-domain-joined-create-configure-enterprise-security-cluster.md).
-### Enable Azure AD DS
+<a name='enable-azure-ad-ds'></a>
-Enabling Azure AD DS is a prerequisite before you can create an HDInsight cluster with ESP. For more information, see [Enable Azure Active Directory Domain Services by using the Azure portal](../../active-directory-domain-services/tutorial-create-instance.md).
+### Enable Microsoft Entra Domain Services
-When Azure AD DS is enabled, all users and objects start synchronizing from Azure Active Directory (Azure AD) to Azure AD DS by default. The length of the sync operation depends on the number of objects in Azure AD. The sync might take a few days for hundreds of thousands of objects.
+Enabling Microsoft Entra Domain Services is a prerequisite before you can create an HDInsight cluster with ESP. For more information, see [Enable Microsoft Entra Domain Services by using the Azure portal](../../active-directory-domain-services/tutorial-create-instance.md).
-The domain name that you use with Azure AD DS must be 39 characters or fewer, to work with HDInsight.
+When Microsoft Entra Domain Services is enabled, all users and objects start synchronizing from Microsoft Entra ID to Microsoft Entra Domain Services by default. The length of the sync operation depends on the number of objects in Microsoft Entra ID. The sync might take a few days for hundreds of thousands of objects.
-You can choose to sync only the groups that need access to the HDInsight clusters. This option of syncing only certain groups is called *scoped synchronization*. For instructions, see [Configure scoped synchronization from Azure AD to your managed domain](../../active-directory-domain-services/scoped-synchronization.md).
+The domain name that you use with Microsoft Entra Domain Services must be 39 characters or fewer, to work with HDInsight.
-When you're enabling secure LDAP, put the domain name in the subject name. And the subject alternative name in the certificate. If your domain name is *contoso100.onmicrosoft.com*, ensure the exact name exists in your certificate subject name and subject alternative name. For more information, see [Configure secure LDAP for an Azure AD DS managed domain](../../active-directory-domain-services/tutorial-configure-ldaps.md).
+You can choose to sync only the groups that need access to the HDInsight clusters. This option of syncing only certain groups is called *scoped synchronization*. For instructions, see [Configure scoped synchronization from Microsoft Entra ID to your managed domain](../../active-directory-domain-services/scoped-synchronization.md).
+
+When you're enabling secure LDAP, put the domain name in the subject name. And the subject alternative name in the certificate. If your domain name is *contoso100.onmicrosoft.com*, ensure the exact name exists in your certificate subject name and subject alternative name. For more information, see [Configure secure LDAP for a Microsoft Entra Domain Services managed domain](../../active-directory-domain-services/tutorial-configure-ldaps.md).
The following example creates a self-signed certificate. The domain name *contoso100.onmicrosoft.com* is in both `Subject` (subject name) and `DnsName` (subject alternative name).
New-SelfSignedCertificate -Subject contoso100.onmicrosoft.com `
``` > [!NOTE]
-> Only tenant administrators have the privileges to enable Azure AD DS. If the cluster storage is Azure Data Lake Storage Gen1 or Gen2, you must disable Azure AD Multi-Factor Authentication only for users who will need to access the cluster by using basic Kerberos authentication. If your organization requires Multi-Factor Authentication, try using the [HDInsight ID Broker feature](identity-broker.md).
+> Only tenant administrators have the privileges to enable Microsoft Entra Domain Services. If the cluster storage is Azure Data Lake Storage Gen1 or Gen2, you must disable Microsoft Entra multifactor authentication only for users who will need to access the cluster by using basic Kerberos authentication. If your organization requires multifactor authentication, try using the [HDInsight ID Broker feature](identity-broker.md).
>
-> You can use [trusted IPs](../../active-directory/authentication/howto-mfa-mfasettings.md#trusted-ips) or [Conditional Access](../../active-directory/conditional-access/overview.md) to disable Multi-Factor Authentication for specific users *only* when they're accessing the IP range for the HDInsight cluster's virtual network.
+> You can use [trusted IPs](../../active-directory/authentication/howto-mfa-mfasettings.md#trusted-ips) or [Conditional Access](../../active-directory/conditional-access/overview.md) to disable multifactor authentication for specific users *only* when they're accessing the IP range for the HDInsight cluster's virtual network.
>
-> If the cluster storage is Azure Blob storage, do not disable Multi-Factor Authentication.
+> If the cluster storage is Azure Blob storage, do not disable multifactor authentication.
+
+<a name='check-azure-ad-ds-health-status'></a>
-### Check Azure AD DS health status
+### Check Microsoft Entra Domain Services health status
-View the health status of Azure Active Directory Domain Services by selecting **Health** in the **Manage** category. Make sure the status of Azure AD DS is green (running) and the synchronization is complete.
+View the health status of Microsoft Entra Domain Services by selecting **Health** in the **Manage** category. Make sure the status of Microsoft Entra Domain Services is green (running) and the synchronization is complete.
### Create and authorize a managed identity
Certain domain services operations, such as creating OUs and service principals,
To set up ESP clusters, create a user-assigned managed identity if you don't have one already. See [`Create, list, delete, or assign a role to a user-assigned managed identity by using the Azure portal`](../../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md).
-Next, assign the **HDInsight Domain Services Contributor** role to the managed identity in **Access control** for Azure AD DS. You need Azure AD DS admin privileges to make this role assignment.
+Next, assign the **HDInsight Domain Services Contributor** role to the managed identity in **Access control** for Microsoft Entra Domain Services. You need Microsoft Entra Domain Services admin privileges to make this role assignment.
-Assigning the **HDInsight Domain Services Contributor** role ensures that this identity has proper (`on behalf of`) access to do domain services operations on the Azure AD DS domain. These operations include creating and deleting OUs.
+Assigning the **HDInsight Domain Services Contributor** role ensures that this identity has proper (`on behalf of`) access to do domain services operations on the Microsoft Entra Domain Services domain. These operations include creating and deleting OUs.
-After the managed identity is given the role, the Azure AD DS admin manages who uses it. First, the admin selects the managed identity in the portal. Then selects **Access Control (IAM)** under **Overview**. The admin assigns the **Managed Identity Operator** role to users or groups that want to create ESP clusters.
+After the managed identity is given the role, the Microsoft Entra Domain Services admin manages who uses it. First, the admin selects the managed identity in the portal. Then selects **Access Control (IAM)** under **Overview**. The admin assigns the **Managed Identity Operator** role to users or groups that want to create ESP clusters.
-For example, the Azure AD DS admin can assign this role to the **MarketingTeam** group for the **sjmsi** managed identity. An example is shown in the following image. This assignment ensures the right people in the organization can use the managed identity to create ESP clusters.
+For example, the Microsoft Entra Domain Services admin can assign this role to the **MarketingTeam** group for the **sjmsi** managed identity. An example is shown in the following image. This assignment ensures the right people in the organization can use the managed identity to create ESP clusters.
:::image type="content" source="./media/apache-domain-joined-configure-using-azure-adds/hdinsight-managed-identity-operator-role-assignment.png" alt-text="HDInsight Managed Identity Operator Role Assignment" border="true"::: ### Network configuration > [!NOTE]
-> Azure AD DS must be deployed in an Azure Resource Manager-based virtual network. Classic virtual networks are not supported for Azure AD DS. For more information, see [Enable Azure Active Directory Domain Services by using the Azure portal](../../active-directory-domain-services/tutorial-create-instance-advanced.md#create-and-configure-the-virtual-network).
+> Microsoft Entra Domain Services must be deployed in an Azure Resource Manager-based virtual network. Classic virtual networks are not supported for Microsoft Entra Domain Services. For more information, see [Enable Microsoft Entra Domain Services by using the Azure portal](../../active-directory-domain-services/tutorial-create-instance-advanced.md#create-and-configure-the-virtual-network).
-Enable Azure AD DS. Then a local Domain Name System (DNS) server runs on the Active Directory virtual machines (VMs). Configure your Azure AD DS virtual network to use these custom DNS servers. To locate the right IP addresses, select **Properties** in the **Manage** category and look under **IP ADDRESS ON VIRTUAL NETWORK**.
+Enable Microsoft Entra Domain Services. Then a local Domain Name System (DNS) server runs on the Active Directory virtual machines (VMs). Configure your Microsoft Entra Domain Services virtual network to use these custom DNS servers. To locate the right IP addresses, select **Properties** in the **Manage** category and look under **IP ADDRESS ON VIRTUAL NETWORK**.
:::image type="content" source="./media/apache-domain-joined-configure-using-azure-adds/hdinsight-aadds-dns1.png" alt-text="Locate IP addresses for local DNS servers" border="true":::
-Change the configuration of the DNS servers in the Azure AD DS virtual network. To use these custom IPs, select **DNS servers** in the **Settings** category. Then select the **Custom** option, enter the first IP address in the text box, and select **Save**. Add more IP addresses by using the same steps.
+Change the configuration of the DNS servers in the Microsoft Entra Domain Services virtual network. To use these custom IPs, select **DNS servers** in the **Settings** category. Then select the **Custom** option, enter the first IP address in the text box, and select **Save**. Add more IP addresses by using the same steps.
:::image type="content" source="./media/apache-domain-joined-configure-using-azure-adds/hdinsight-aadds-vnet-configuration.png" alt-text="Updating the virtual network DNS configuration" border="true":::
-It's easier to place both the Azure AD DS instance and the HDInsight cluster in the same Azure virtual network. If you plan to use different virtual networks, you must peer those virtual networks so that the domain controller is visible to HDInsight VMs. For more information, see [Virtual network peering](../../virtual-network/virtual-network-peering-overview.md).
+It's easier to place both the Microsoft Entra Domain Services instance and the HDInsight cluster in the same Azure virtual network. If you plan to use different virtual networks, you must peer those virtual networks so that the domain controller is visible to HDInsight VMs. For more information, see [Virtual network peering](../../virtual-network/virtual-network-peering-overview.md).
-After the virtual networks are peered, configure the HDInsight virtual network to use a custom DNS server. And enter the Azure AD DS private IPs as the DNS server addresses. When both virtual networks use the same DNS servers, your custom domain name resolves to the right IP and it is reachable from HDInsight. For example, if your domain name is `contoso.com`, then after this step, `ping contoso.com` should resolve to the right Azure AD DS IP.
+After the virtual networks are peered, configure the HDInsight virtual network to use a custom DNS server. And enter the Microsoft Entra Domain Services private IPs as the DNS server addresses. When both virtual networks use the same DNS servers, your custom domain name resolves to the right IP and it is reachable from HDInsight. For example, if your domain name is `contoso.com`, then after this step, `ping contoso.com` should resolve to the right Microsoft Entra Domain Services IP.
:::image type="content" source="./media/apache-domain-joined-configure-using-azure-adds/hdinsight-aadds-peered-vnet-configuration.png" alt-text="Configuring custom DNS servers for a peered virtual network" border="true"::: If you're using network security group (NSG) rules in your HDInsight subnet, you should allow the [required IPs](../hdinsight-management-ip-addresses.md) for both inbound and outbound traffic.
-To test your network setup, join a Windows VM to the HDInsight virtual network/subnet and ping the domain name. (It should resolve to an IP.) Run **ldp.exe** to access the Azure AD DS domain. Then join this Windows VM to the domain to confirm that all the required RPC calls succeed between the client and server.
+To test your network setup, join a Windows VM to the HDInsight virtual network/subnet and ping the domain name. (It should resolve to an IP.) Run **ldp.exe** to access the Microsoft Entra Domain Services domain. Then join this Windows VM to the domain to confirm that all the required RPC calls succeed between the client and server.
-Use **nslookup** to confirm network access to your storage account. Or any external database that you might use (for example, external Hive metastore or Ranger DB). Ensure the [required ports](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)#communication-to-domain-controllers) are allowed in the Azure AD DS subnet's NSG rules, if an NSG secures Azure AD DS. If the domain joining of this Windows VM is successful, then you can continue to the next step and create ESP clusters.
+Use **nslookup** to confirm network access to your storage account. Or any external database that you might use (for example, external Hive metastore or Ranger DB). Ensure the [required ports](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)#communication-to-domain-controllers) are allowed in the Microsoft Entra Domain Services subnet's NSG rules, if an NSG secures Microsoft Entra Domain Services. If the domain joining of this Windows VM is successful, then you can continue to the next step and create ESP clusters.
## Create an HDInsight cluster with ESP After you've set up the previous steps correctly, the next step is to create the HDInsight cluster with ESP enabled. When you create an HDInsight cluster, you can enable Enterprise Security Package on the **Security + networking** tab. For an Azure Resource Manager template for deployment, use the portal experience once. Then download the prefilled template on the **Review + create** page for future reuse.
-You can also enable the [HDInsight ID Broker](identity-broker.md) feature during cluster creation. The ID Broker feature lets you sign in to Ambari by using Multi-Factor Authentication and get the required Kerberos tickets without needing password hashes in Azure AD DS.
+You can also enable the [HDInsight ID Broker](identity-broker.md) feature during cluster creation. The ID Broker feature lets you sign in to Ambari by using multifactor authentication and get the required Kerberos tickets without needing password hashes in Microsoft Entra Domain Services.
> [!NOTE] > The first six characters of the ESP cluster names must be unique in your environment. For example, if you have multiple ESP clusters in different virtual networks, choose a naming convention that ensures the first six characters on the cluster names are unique. :::image type="content" source="./media/apache-domain-joined-configure-using-azure-adds/azure-portal-cluster-security-networking-esp.png" alt-text="Domain validation for Azure HDInsight Enterprise Security Package" border="true":::
-After you enable ESP, common misconfigurations related to Azure AD DS are automatically detected and validated. After you fix these errors, you can continue with the next step.
+After you enable ESP, common misconfigurations related to Microsoft Entra Domain Services are automatically detected and validated. After you fix these errors, you can continue with the next step.
:::image type="content" source="./media/apache-domain-joined-configure-using-azure-adds/azure-portal-cluster-security-networking-esp-error.png" alt-text="Azure HDInsight Enterprise Security Package failed domain validation" border="true"::: When you create an HDInsight cluster with ESP, you must supply the following parameters:
-* **Cluster admin user**: Choose an admin for your cluster from your synced Azure AD DS instance. This domain account must be already synced and available in Azure AD DS.
+* **Cluster admin user**: Choose an admin for your cluster from your synced Microsoft Entra Domain Services instance. This domain account must be already synced and available in Microsoft Entra Domain Services.
-* **Cluster access groups**: The security groups whose users you want to sync and have access to the cluster should be available in Azure AD DS. An example is the HiveUsers group. For more information, see [Create a group and add members in Azure Active Directory](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).
+* **Cluster access groups**: The security groups whose users you want to sync and have access to the cluster should be available in Microsoft Entra Domain Services. An example is the HiveUsers group. For more information, see [Create a group and add members in Microsoft Entra ID](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).
* **LDAPS URL**: An example is `ldaps://contoso.com:636`.
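Review bot: The secure LDAP sentence being touched here still has a fragment: "put the domain name in the subject name. And the subject alternative name in the certificate." Since the certificate check is what makes `ldaps://contoso.com:636` trustworthy, state the requirement in one sentence, for example "put the domain name in both the subject name and the subject alternative name of the certificate," which also matches the self-signed example that sets both `Subject` and `DnsName`. Two smaller nits in changed lines: "relies on a HDInsight feature" should be "an HDInsight feature", and "configure the HDInsight virtual network to use a custom DNS server. And enter the Microsoft Entra Domain Services private IPs" would read better as one sentence.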
hdinsight Apache Domain Joined Create Configure Enterprise Security Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/apache-domain-joined-create-configure-enterprise-security-cluster.md
This guide shows how to create an ESP-enabled Azure HDInsight cluster. It also s
The server you create will act as a replacement for your *actual* on-premises environment. You'll use it for the setup and configuration steps. Later you'll repeat the steps in your own environment.
-This guide will also help you create a hybrid identity environment by using password hash sync with Azure Active Directory (Azure AD). The guide complements [Use ESP in HDInsight](apache-domain-joined-architecture.md).
+This guide will also help you create a hybrid identity environment by using password hash sync with Microsoft Entra ID. The guide complements [Use ESP in HDInsight](apache-domain-joined-architecture.md).
Before you use this process in your own environment: * Set up Active Directory and DNS.
-* Enable Azure AD.
-* Sync on-premises user accounts to Azure AD.
+* Enable Microsoft Entra ID.
+* Sync on-premises user accounts to Microsoft Entra ID.
## Create an on-premises environment
In this section, you'll use an Azure Quickstart deployment template to create ne
Leave the remaining default values.
- :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/create-azure-vm-ad-forest.png" alt-text="Template for Create an Azure VM with a new Azure AD Forest" border="true":::
+ :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/create-azure-vm-ad-forest.png" alt-text="Template for Create an Azure VM with a new Microsoft Entra Forest" border="true":::
1. Review the **Terms and Conditions**, and then select **I agree to the terms and conditions stated above**. 1. Select **Purchase**, and monitor the deployment and wait for it to complete. The deployment takes about 30 minutes to complete.
In this section, you'll create the users that will have access to the HDInsight
You've now created your Active Directory environment. You've added two users and a user group that can access the HDInsight cluster.
-The users will be synchronized with Azure AD.
+The users will be synchronized with Microsoft Entra ID.
-### Create an Azure AD directory
+<a name='create-an-azure-ad-directory'></a>
+
+### Create a Microsoft Entra directory
1. Sign in to the Azure portal.
-1. Select **Create a resource** and type `directory`. Select **Azure Active Directory** > **Create**.
+1. Select **Create a resource** and type `directory`. Select **Microsoft Entra ID** > **Create**.
1. Under **Organization name**, enter `HDIFabrikam`. 1. Under **Initial domain name**, enter `HDIFabrikamoutlook`. 1. Select **Create**.
- :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/create-new-directory.png" alt-text="Create an Azure AD directory" border="true":::
+ :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/create-new-directory.png" alt-text="Create a Microsoft Entra directory" border="true":::
### Create a custom domain
-1. From your new **Azure Active Directory**, under **Manage**, select **Custom domain names**.
+1. From your new **Microsoft Entra ID**, under **Manage**, select **Custom domain names**.
1. Select **+ Add custom domain**. 1. Under **Custom domain name**, enter `HDIFabrikam.com`, and then select **Add domain**. 1. Then complete [Add your DNS information to the domain registrar](../../active-directory/fundamentals/add-custom-domain.md#add-your-dns-information-to-the-domain-registrar).
The users will be synchronized with Azure AD.
### Create a group
-1. From your new **Azure Active Directory**, under **Manage**, select **Groups**.
+1. From your new **Microsoft Entra ID**, under **Manage**, select **Groups**.
1. Select **+ New group**. 1. In the **group name** text box, enter `AAD DC Administrators`. 1. Select **Create**.
-## Configure your Azure AD tenant
+<a name='configure-your-azure-ad-tenant'></a>
+
+## Configure your Microsoft Entra tenant
-Now you'll configure your Azure AD tenant so that you can synchronize users and groups from the on-premises Active Directory instance to the cloud.
+Now you'll configure your Microsoft Entra tenant so that you can synchronize users and groups from the on-premises Active Directory instance to the cloud.
Create an Active Directory tenant administrator.
-1. Sign in to the Azure portal and select your Azure AD tenant, **HDIFabrikam**.
+1. Sign in to the Azure portal and select your Microsoft Entra tenant, **HDIFabrikam**.
1. Navigate to **Manage** > **Users** > **New user**.
Create an Active Directory tenant administrator.
1. Select **0 groups selected**. 1. Select **AAD DC Administrators**, and then **Select**.
- :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/azure-ad-add-group-member.png" alt-text="The Azure AD Groups dialog box" border="true":::
+ :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/azure-ad-add-group-member.png" alt-text="The Microsoft Entra groups dialog box" border="true":::
1. Select **User**. 1. Select **Global administrator**, and then **Select**.
- :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/azure-ad-add-role-member.png" alt-text="The Azure AD role dialog box" border="true":::
+ :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/azure-ad-add-role-member.png" alt-text="The Microsoft Entra role dialog box" border="true":::
1. Select **Create**.
-1. Then have the new user sign in to the Azure portal where it will be prompted to change the password. You'll need to do this before configuring Microsoft Azure Active Directory Connect.
+1. Then have the new user sign in to the Azure portal where it will be prompted to change the password. You'll need to do this before configuring Microsoft Entra Connect.
+
+<a name='sync-on-premises-users-to-azure-ad'></a>
-## Sync on-premises users to Azure AD
+## Sync on-premises users to Microsoft Entra ID
-### Configure Microsoft Azure Active Directory Connect
+<a name='configure-microsoft-azure-active-directory-connect'></a>
-1. From the domain controller, download [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594).
+### Configure Microsoft Entra Connect
+
+1. From the domain controller, download [Microsoft Entra Connect](https://www.microsoft.com/download/details.aspx?id=47594).
1. Open the executable file that you downloaded, and agree to the license terms. Select **Continue**. 1. Select **Use express settings**.
-1. On the **Connect to Azure AD** page, enter the username and password of the global administrator for Azure AD. Use the username `fabrikamazureadmin@hdifabrikam.com` that you created when you configured your Active Directory tenant. Then select **Next**.
+1. On the **Connect to Microsoft Entra ID** page, enter the username and password of the global administrator for Microsoft Entra ID. Use the username `fabrikamazureadmin@hdifabrikam.com` that you created when you configured your Active Directory tenant. Then select **Next**.
- :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0058.png" alt-text="Connect to Azure A D" border="true":::
+ :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0058.png" alt-text="Connect to Microsoft Entra ID" border="true":::
1. On the **Connect to Active Directory Domain Services** page, enter the username and password for an enterprise admin account. Use the username `HDIFabrikam\HDIFabrikamAdmin` and its password that you created earlier. Then select **Next**. :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0060.png" alt-text="Connect to A D D S page." border="true":::
-1. On the **Azure AD sign-in configuration** page, select **Next**.
+1. On the **Microsoft Entra sign-in configuration** page, select **Next**.
- :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0062.png" alt-text="Azure AD sign-in configuration page" border="true":::
+ :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0062.png" alt-text="Microsoft Entra sign-in configuration page" border="true":::
1. On the **Ready to configure** page, select **Install**.
Create an Active Directory tenant administrator.
1. On the **Configuration complete** page, select **Exit**. :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0078.png" alt-text="Configuration complete page" border="true":::
-1. After the sync completes, confirm that the users you created on the IaaS directory are synced to Azure AD.
+1. After the sync completes, confirm that the users you created on the IaaS directory are synced to Microsoft Entra ID.
1. Sign in to the Azure portal.
- 1. Select **Azure Active Directory** > **HDIFabrikam** > **Users**.
+ 1. Select **Microsoft Entra ID** > **HDIFabrikam** > **Users**.
### Create a user-assigned managed identity
-Create a user-assigned managed identity that you can use to configure Azure AD Domain Services (Azure AD DS). For more information, see [Create, list, delete, or assign a role to a user-assigned managed identity by using the Azure portal](../../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md).
+Create a user-assigned managed identity that you can use to configure Microsoft Entra Domain Services. For more information, see [Create, list, delete, or assign a role to a user-assigned managed identity by using the Azure portal](../../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md).
1. Sign in to the Azure portal. 1. Select **Create a resource** and type `managed identity`. Select **User Assigned Managed Identity** > **Create**.
Create a user-assigned managed identity that you can use to configure Azure AD D
:::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0082.png" alt-text="Create a new user-assigned managed identity" border="true":::
-### Enable Azure AD DS
+<a name='enable-azure-ad-ds'></a>
+
+### Enable Microsoft Entra Domain Services
-Follow these steps to enable Azure AD DS. For more information, see [Enable Azure AD DS by using the Azure portal](../../active-directory-domain-services/tutorial-create-instance.md).
+Follow these steps to enable Microsoft Entra Domain Services. For more information, see [Enable Microsoft Entra Domain Services by using the Azure portal](../../active-directory-domain-services/tutorial-create-instance.md).
-1. Create a virtual network to host Azure AD DS. Run the following PowerShell code.
+1. Create a virtual network to host Microsoft Entra Domain Services. Run the following PowerShell code.
```powershell # Sign in to your Azure subscription
Follow these steps to enable Azure AD DS. For more information, see [Enable Azur
``` 1. Sign in to the Azure portal.
-1. Select **Create resource**, enter `Domain services`, and select **Azure AD Domain Services** > **Create**.
+1. Select **Create resource**, enter `Domain services`, and select **Microsoft Entra Domain Services** > **Create**.
1. On the **Basics** page:
- 1. Under **Directory name**, select the Azure AD directory you created: **HDIFabrikam**.
+ 1. Under **Directory name**, select the Microsoft Entra directory you created: **HDIFabrikam**.
1. For **DNS domain name**, enter *HDIFabrikam.com*. 1. Select your subscription. 1. Specify the resource group **HDIFabrikam-CentralUS**. For **Location**, select **Central US**.
- :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0084.png" alt-text="Azure AD DS basic details" border="true":::
+ :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0084.png" alt-text="Microsoft Entra Domain Services basic details" border="true":::
1. On the **Network** page, select the network (**HDIFabrikam-VNET**) and the subnet (**AADDS-subnet**) that you created by using the PowerShell script. Or choose **Create new** to create a virtual network now.
Follow these steps to enable Azure AD DS. For more information, see [Enable Azur
1. On the **Administrator group** page, you should see a notification that a group named **AAD DC Administrators** has already been created to administer this group. You can modify the membership of this group if you want to, but in this case you don't need to change it. Select **OK**.
- :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0088.png" alt-text="View the Azure AD administrator group" border="true":::
+ :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0088.png" alt-text="View the Microsoft Entra administrator group" border="true":::
1. On the **Synchronization** page, enable complete synchronization by selecting **All** > **OK**.
- :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0090.png" alt-text="Enable Azure AD DS synchronization" border="true":::
+ :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0090.png" alt-text="Enable Microsoft Entra Domain Services synchronization" border="true":::
+
+1. On the **Summary** page, verify the details for Microsoft Entra Domain Services and select **OK**.
-1. On the **Summary** page, verify the details for Azure AD DS and select **OK**.
+ :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0092.png" alt-text="Enable Microsoft Entra Domain Services" border="true":::
- :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0092.png" alt-text="Enable Azure AD Domain Services" border="true":::
+After you enable Microsoft Entra Domain Services, a local DNS server runs on the Microsoft Entra VMs.
-After you enable Azure AD DS, a local DNS server runs on the Azure AD VMs.
+<a name='configure-your-azure-ad-ds-virtual-network'></a>
-### Configure your Azure AD DS virtual network
+### Configure your Microsoft Entra Domain Services virtual network
-Use the following steps to configure your Azure AD DS virtual network (**HDIFabrikam-AADDSVNET**) to use your custom DNS servers.
+Use the following steps to configure your Microsoft Entra Domain Services virtual network (**HDIFabrikam-AADDSVNET**) to use your custom DNS servers.
1. Locate the IP addresses of your custom DNS servers.
- 1. Select the `HDIFabrikam.com` Azure AD DS resource.
+ 1. Select the `HDIFabrikam.com` Microsoft Entra Domain Services resource.
1. Under **Manage**, select **Properties**. 1. Find the IP addresses under **IP address on virtual network**.
- :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0096.png" alt-text="Locate custom DNS IP addresses for Azure AD DS" border="true":::
+ :::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0096.png" alt-text="Locate custom DNS IP addresses for Microsoft Entra Domain Services" border="true":::
1. Configure **HDIFabrikam-AADDSVNET** to use custom IP addresses 10.0.0.4 and 10.0.0.5.
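Review bot: the rewritten sentence "After you enable Microsoft Entra Domain Services, a local DNS server runs on the Microsoft Entra VMs." replaces "Azure AD VMs" with "Microsoft Entra VMs", which is not a product name; the DNS servers in question are the managed domain's domain controllers, and the rest of this hunk (the heading "Configure your Microsoft Entra Domain Services virtual network" and the alt text "Locate custom DNS IP addresses for Microsoft Entra Domain Services") already calls them Microsoft Entra Domain Services. Suggest "runs on the Microsoft Entra Domain Services domain controllers" so the term is consistent with the surrounding lines.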
Use the following steps to configure your Azure AD DS virtual network (**HDIFabr
1. Select **Save**. 1. Repeat the steps to add the other IP address (*10.0.0.5*).
-In our scenario, we configured Azure AD DS to use IP addresses 10.0.0.4 and 10.0.0.5, setting the same IP address on the Azure AD DS virtual network:
+In our scenario, we configured Microsoft Entra Domain Services to use IP addresses 10.0.0.4 and 10.0.0.5, setting the same IP address on the Microsoft Entra Domain Services virtual network:
:::image type="content" source="./media/apache-domain-joined-create-configure-enterprise-security-cluster/hdinsight-image-0098.png" alt-text="The custom DNS servers page" border="true"::: ## Securing LDAP traffic
-Lightweight Directory Access Protocol (LDAP) is used to read from and write to Azure Active Directory. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate.
+Lightweight Directory Access Protocol (LDAP) is used to read from and write to Microsoft Entra ID. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate.
-For more information about secure LDAP, see [Configure LDAPS for an Azure AD DS managed domain](../../active-directory-domain-services/tutorial-configure-ldaps.md).
+For more information about secure LDAP, see [Configure LDAPS for a Microsoft Entra Domain Services managed domain](../../active-directory-domain-services/tutorial-configure-ldaps.md).
-In this section, you create a self-signed certificate, download the certificate, and configure LDAPS for the **HDIFabrikam** Azure AD DS managed domain.
+In this section, you create a self-signed certificate, download the certificate, and configure LDAPS for the **HDIFabrikam** Microsoft Entra Domain Services managed domain.
The following script creates a certificate for **HDIFabrikam**. The certificate is saved in the *LocalMachine* path.
Verify that the certificate is installed in the computer's **Personal** store:
1. On the **Export File Format** page, leave the default settings, and then select **Next**. 1. On the **Password** page, type a password for the private key. For **Encryption**, select **TripleDES-SHA1**. Then select **Next**. 1. On the **File to Export** page, type the path and the name for the exported certificate file, and then select **Next**. The file name has to have a .pfx extension. This file is configured in the Azure portal to establish a secure connection.
-1. Enable LDAPS for an Azure AD DS managed domain.
+1. Enable LDAPS for a Microsoft Entra Domain Services managed domain.
1. From the Azure portal, select the domain `HDIFabrikam.com`. 1. Under **Manage**, select **Secure LDAP**. 1. On the **Secure LDAP** page, under **Secure LDAP**, select **Enable**.
This step requires the following prerequisites:
$virtualNetwork | Set-AzVirtualNetwork ```
-1. Create a peer relationship between the virtual network that hosts Azure AD DS (`HDIFabrikam-AADDSVNET`) and the virtual network that will host the ESP-enabled HDInsight cluster (`HDIFabrikam-HDIVNet`). Use the following PowerShell code to peer the two virtual networks.
+1. Create a peer relationship between the virtual network that hosts Microsoft Entra Domain Services (`HDIFabrikam-AADDSVNET`) and the virtual network that will host the ESP-enabled HDInsight cluster (`HDIFabrikam-HDIVNet`). Use the following PowerShell code to peer the two virtual networks.
```powershell Add-AzVirtualNetworkPeering -Name 'HDIVNet-AADDSVNet' -RemoteVirtualNetworkId (Get-AzVirtualNetwork -ResourceGroupName 'HDIFabrikam-CentralUS').Id -VirtualNetwork (Get-AzVirtualNetwork -ResourceGroupName 'HDIFabrikam-WestUS')
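Review bot: in "Lightweight Directory Access Protocol (LDAP) is used to read from and write to Microsoft Entra ID." the mechanical rename of "Azure Active Directory" to "Microsoft Entra ID" changes the technical meaning of the sentence: the two lines that follow ("Configure LDAPS for a Microsoft Entra Domain Services managed domain" and "configure LDAPS for the **HDIFabrikam** Microsoft Entra Domain Services managed domain") make clear that LDAPS is being enabled on the managed domain, so the LDAP reads and writes go to that managed domain, not to the cloud directory. Suggest "read from and write to the Microsoft Entra Domain Services managed domain" here so the sentence agrees with the rest of the section.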
hdinsight Apache Domain Joined Run Hbase https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/apache-domain-joined-run-hbase.md
In this tutorial, you learn how to:
> [!NOTE] > Ranger credentials are not the same as Hadoop cluster credentials. To prevent browsers from using cached Hadoop credentials, use a new InPrivate browser window to connect to the Ranger Admin UI.
-2. Sign in using your Azure Active Directory (AD) admin credentials. The Azure AD admin credentials aren't the same as HDInsight cluster credentials or Linux HDInsight node SSH credentials.
+2. Sign in using your Microsoft Entra admin credentials. The Microsoft Entra admin credentials aren't the same as HDInsight cluster credentials or Linux HDInsight node SSH credentials.
## Create domain users
Create a Ranger policy for **sales_user1** and **marketing_user1**.
:::image type="content" source="./media/apache-domain-joined-run-hbase/apache-ranger-hbase-policy-create-sales.png" alt-text="Apache Ranger policy create sales" border="true"::: >[!NOTE]
- >Wait a few moments for Ranger to sync with Azure AD if a domain user is not automatically populated for **Select User**.
+ >Wait a few moments for Ranger to sync with Microsoft Entra ID if a domain user is not automatically populated for **Select User**.
4. Click **Add** to save the policy.
hdinsight Apache Domain Joined Run Kafka https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/apache-domain-joined-run-kafka.md
A [HDInsight Kafka cluster with Enterprise Security Package](./apache-domain-joi
1. From a browser, connect to the Ranger Admin user interface using the URL `https://ClusterName.azurehdinsight.net/Ranger/`. Remember to change `ClusterName` to the name of your Kafka cluster. Ranger credentials are not the same as Hadoop cluster credentials. To prevent browsers from using cached Hadoop credentials, use a new InPrivate browser window to connect to the Ranger Admin UI.
-2. Sign in using your Azure Active Directory (AD) admin credentials. The Azure AD admin credentials aren't the same as HDInsight cluster credentials or Linux HDInsight node SSH credentials.
+2. Sign in using your Microsoft Entra admin credentials. The Microsoft Entra admin credentials aren't the same as HDInsight cluster credentials or Linux HDInsight node SSH credentials.
:::image type="content" source="./media/apache-domain-joined-run-kafka/apache-ranger-admin-login.png" alt-text="HDInsight Apache Ranger Admin UI" border="true":::
Create a Ranger policy for **sales_user** and **marketing_user**.
:::image type="content" source="./media/apache-domain-joined-run-kafka/apache-ranger-admin-create-policy.png" alt-text="Apache Ranger Admin UI Create Policy1" border="true":::
- Wait a few moments for Ranger to sync with Azure AD if a domain user is not automatically populated for **Select User**.
+ Wait a few moments for Ranger to sync with Microsoft Entra ID if a domain user is not automatically populated for **Select User**.
4. Select **Add** to save the policy.
hdinsight Domain Joined Authentication Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/domain-joined-authentication-issues.md
Last updated 04/28/2023
This article describes troubleshooting steps and possible resolutions for issues when interacting with Azure HDInsight clusters.
-On secure clusters backed by Azure Data Lake (Gen1 or Gen2), when domain users sign in to the cluster services through HDI Gateway (like signing in to the Apache Ambari portal), HDI Gateway tries to obtain an OAuth token from Azure Active Directory (Azure AD) first, and then get a Kerberos ticket from Azure AD DS. Authentication can fail in either of these stages. This article is aimed at debugging some of those issues.
+On secure clusters backed by Azure Data Lake (Gen1 or Gen2), when domain users sign in to the cluster services through HDI Gateway (like signing in to the Apache Ambari portal), HDI Gateway tries to obtain an OAuth token from Microsoft Entra first, and then get a Kerberos ticket from Microsoft Entra Domain Services. Authentication can fail in either of these stages. This article is aimed at debugging some of those issues.
When the authentication fails, you gets prompted for credentials. If you cancel this dialog, the error message is printed. Here are some of the common error messages:
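Review bot: "HDI Gateway tries to obtain an OAuth token from Microsoft Entra first, and then get a Kerberos ticket from Microsoft Entra Domain Services." uses bare "Microsoft Entra" as the name of the token issuer, while the other changed lines in this article use "Microsoft Entra ID" for the directory service (for example "enable Microsoft Entra ID to use password hashes"). Suggest "from Microsoft Entra ID first" for consistency. The unchanged context line that follows also has a grammar slip ("you gets prompted") that could be fixed in the same edit.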
Reason: Bad Request, Detailed Response: {"error":"invalid_grant","error_descript
### Cause
-Azure AD error code 50126 means the `AllowCloudPasswordValidation` policy not set by the tenant.
+Microsoft Entra error code 50126 means the `AllowCloudPasswordValidation` policy not set by the tenant.
### Resolution
-The Global Administrator of the Azure AD tenant should enable Azure AD to use password hashes for ADFS backed users. Apply the `AllowCloudPasswordValidationPolicy` as shown in the article [Use Enterprise Security Package in HDInsight](../domain-joined/apache-domain-joined-architecture.md).
+The Global Administrator of the Microsoft Entra tenant should enable Microsoft Entra ID to use password hashes for ADFS backed users. Apply the `AllowCloudPasswordValidationPolicy` as shown in the article [Use Enterprise Security Package in HDInsight](../domain-joined/apache-domain-joined-architecture.md).
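Review bot: "Microsoft Entra error code 50126 means the AllowCloudPasswordValidation policy not set by the tenant." is missing a verb ("is not set" or "hasn't been set"); since the rename already rewrites this line, fix the grammar at the same time. Note also that the Cause line calls the policy AllowCloudPasswordValidation while the Resolution line three lines down calls it AllowCloudPasswordValidationPolicy; pick one name and use it in both places.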
The conditional access policy or MFA is being applied to the user. Since interac
### Resolution
-Use conditional access policy and exempt the HDInsight clusters from MFA as shown in [Configure a HDInsight cluster with Enterprise Security Package by using Azure Active Directory Domain Services](./apache-domain-joined-configure-using-azure-adds.md).
+Use conditional access policy and exempt the HDInsight clusters from MFA as shown in [Configure a HDInsight cluster with Enterprise Security Package by using Microsoft Entra Domain Services](./apache-domain-joined-configure-using-azure-adds.md).
Sign in denied.
### Cause
-To get to this stage, your OAuth authentication isn't an issue, but Kerberos authentication is. If this cluster is backed by ADLS, OAuth sign in has succeeded before Kerberos auth is attempted. On WASB clusters, OAuth sign in isn't attempted. There could be many reasons for Kerberos failure - like password hashes are out of sync, user account locked out in Azure AD DS, and so on. Password hashes sync only when the user changes password. When you create the Azure AD DS instance, it will start syncing passwords that are changed after the creation. It can't retroactively sync passwords that were set before its inception.
+To get to this stage, your OAuth authentication isn't an issue, but Kerberos authentication is. If this cluster is backed by ADLS, OAuth sign in has succeeded before Kerberos auth is attempted. On WASB clusters, OAuth sign in isn't attempted. There could be many reasons for Kerberos failure - like password hashes are out of sync, user account locked out in Microsoft Entra Domain Services, and so on. Password hashes sync only when the user changes password. When you create the Microsoft Entra Domain Services instance, it will start syncing passwords that are changed after the creation. It can't retroactively sync passwords that were set before its inception.
### Resolution
hdinsight Encryption In Transit https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/encryption-in-transit.md
az deployment group create --name HDInsightEnterpriseSecDeployment \
## Next steps * [Overview of enterprise security in Azure HDInsight](hdinsight-security-overview.md)
-* [Synchronize Azure Active Directory users to an HDInsight cluster](../disk-encryption.md).
+* [Synchronize Microsoft Entra users to an HDInsight cluster](../disk-encryption.md).
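Review bot: the link text and target disagree on this line: "* [Synchronize Microsoft Entra users to an HDInsight cluster](../disk-encryption.md)." points at the disk-encryption article, while the identical link text in the general-guidelines change further down in this digest targets ../hdinsight-sync-aad-users-to-cluster.md. The rename touched only the text; since the line is being edited anyway, fix the target too (or change the text to describe the disk encryption article). The trailing period after the link is also inconsistent with the preceding "Next steps" bullet, which has none.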
hdinsight General Guidelines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/general-guidelines.md
Use a new resource group for each cluster so that you can distinguish between cl
* Use firewall to handle outbound access policies. * Use the internal gateway that isn't open to the public internet.
-## Azure Active Directory
+<a name='azure-active-directory'></a>
-[Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md) (Azure AD) is Microsoft's cloud-based identity and access management service.
+## Microsoft Entra ID
+
+[Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) (Microsoft Entra ID) is Microsoft's cloud-based identity and access management service.
### Policies
-* Disable conditional access policy using the IP address based policy. This requires service endpoints to be enabled on the VNETs where the clusters are deployed. If you use an external service for MFA (something other than AAD), the IP address based policy won't work
+* Disable conditional access policy using the IP address based policy. This requires service endpoints to be enabled on the VNETs where the clusters are deployed. If you use an external service for MFA (something other than Microsoft Entra ID), the IP address based policy won't work
-* `AllowCloudPasswordValidation` policy is required for federated users. Since HDInsight uses the username / password directly to get tokens from Azure AD, this policy has to be enabled for all federated users.
+* `AllowCloudPasswordValidation` policy is required for federated users. Since HDInsight uses the username / password directly to get tokens from Microsoft Entra ID, this policy has to be enabled for all federated users.
* Enable service endpoints if you require conditional access bypass using Trusted IPs. ### Groups * Always deploy clusters with a group.
-* Use Azure AD to manage group memberships (easier than trying to manage the individual services in the cluster).
+* Use Microsoft Entra ID to manage group memberships (easier than trying to manage the individual services in the cluster).
### User accounts
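Review bot: the new intro line "[Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) (Microsoft Entra ID) is Microsoft's cloud-based identity and access management service." repeats the name in parentheses right after the link text; the old line used the parenthetical to introduce the abbreviation "Azure AD", which no longer applies. Drop the "(Microsoft Entra ID)". In the same hunk, the first Policies bullet still ends without a period ("...the IP address based policy won't work").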
Use a new resource group for each cluster so that you can distinguish between cl
* Use group-based Ranger policies instead of individual policies. * Have a plan on how to manage users who shouldn't have access to clusters anymore.
-## Azure Active Directory Domain Services
+<a name='azure-active-directory-domain-services'></a>
+
+## Microsoft Entra Domain Services
+
+[Microsoft Entra Domain Services](../../active-directory-domain-services/overview.md) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos / NTLM authentication that is fully compatible with Windows Server Active Directory.
-[Azure Active Directory Domain Services](../../active-directory-domain-services/overview.md) (Azure AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos / NTLM authentication that is fully compatible with Windows Server Active Directory.
+Microsoft Entra Domain Services is required for secure clusters to join a domain.
+HDInsight can't depend on on-premises domain controllers or custom domain controllers, as it introduces too many fault points, credential sharing, DNS permissions, and so on. For more information, see [Microsoft Entra Domain Services FAQs](../../active-directory-domain-services/faqs.yml).
-Azure AD DS is required for secure clusters to join a domain.
-HDInsight can't depend on on-premises domain controllers or custom domain controllers, as it introduces too many fault points, credential sharing, DNS permissions, and so on. For more information, see [Azure AD DS FAQs](../../active-directory-domain-services/faqs.yml).
+<a name='choose-correct-azure-ad-ds-sku'></a>
-### Choose correct Azure AD DS SKU
+### Choose correct Microsoft Entra Domain Services SKU
-When creating your managed domain, [you can choose from different SKUs](/azure/active-directory-domain-services/administration-concepts#azure-ad-ds-skus) that offer varying levels of performance and features. The amount of ESP clusters and other applications that will be using the Azure AD-DS instance for authentication requests determines which SKU is appropriate for your organization. If you notice high CPU on your managed domain or your business requirements change, you can upgrade your SKU.
+When creating your managed domain, [you can choose from different SKUs](/azure/active-directory-domain-services/administration-concepts#azure-ad-ds-skus) that offer varying levels of performance and features. The amount of ESP clusters and other applications that will be using the Microsoft Entra Domain Services instance for authentication requests determines which SKU is appropriate for your organization. If you notice high CPU on your managed domain or your business requirements change, you can upgrade your SKU.
-### Azure AD DS instance
+<a name='azure-ad-ds-instance'></a>
+
+### Microsoft Entra Domain Services instance
* Create the instance with the `.onmicrosoft.com domain`. This way, there wonΓÇÖt be multiple DNS servers serving the domain.
-* Create a self-signed certificate for the LDAPS and upload it to Azure AD DS.
+* Create a self-signed certificate for the LDAPS and upload it to Microsoft Entra Domain Services.
* Use a peered virtual network for deploying clusters (when you have a number of teams deploying HDInsight ESP clusters, this will be helpful). This ensures that you don't need to open up ports (NSGs) on the virtual network with domain controller.
-* Configure the DNS for the virtual network properly (the Azure AD DS domain name should resolve without any hosts file entries).
+* Configure the DNS for the virtual network properly (the Microsoft Entra Domain Services domain name should resolve without any hosts file entries).
* If you're restricting outbound traffic, make sure that you have read through the [firewall support in HDInsight](../hdinsight-restrict-outbound-traffic.md)
-### Consider Azure AD DS replica sets
+<a name='consider-azure-ad-ds-replica-sets'></a>
+
+### Consider Microsoft Entra Domain Services replica sets
-When you create an Azure AD DS managed domain, you define a unique namespace, and two domain controllers (DCs) are then deployed into your selected Azure region. This deployment of DCs is known as a replica set. [Adding additional replica sets](/azure/active-directory-domain-services/tutorial-create-replica-set) will provide resiliency and ensure availability of authentication services, which is critical for Azure HDInsight clusters.
+When you create a Microsoft Entra Domain Services managed domain, you define a unique namespace, and two domain controllers (DCs) are then deployed into your selected Azure region. This deployment of DCs is known as a replica set. [Adding additional replica sets](/azure/active-directory-domain-services/tutorial-create-replica-set) will provide resiliency and ensure availability of authentication services, which is critical for Azure HDInsight clusters.
### Configure scoped user/group synchronization
-When you enable [Azure Active Directory Domain Services (Azure AD DS) for your ESP cluster](/azure/hdinsight/domain-joined/apache-domain-joined-create-configure-enterprise-security-cluster), you can choose to synchronize all users and groups from Azure AD or scoped groups and their members. We recommend that you choose "Scoped" synchronization for the best performance.
+When you enable [Microsoft Entra Domain Services for your ESP cluster](/azure/hdinsight/domain-joined/apache-domain-joined-create-configure-enterprise-security-cluster), you can choose to synchronize all users and groups from Microsoft Entra ID or scoped groups and their members. We recommend that you choose "Scoped" synchronization for the best performance.
+
+[Scoped synchronization](/azure/active-directory-domain-services/scoped-synchronization) can be modified with different group selections or converted to "All" users and groups if needed. You can't change the synchronization type from "All" to "Scoped" unless you delete and recreate the Microsoft Entra Domain Services instance.
-[Scoped synchronization](/azure/active-directory-domain-services/scoped-synchronization) can be modified with different group selections or converted to "All" users and groups if needed. You can't change the synchronization type from "All" to "Scoped" unless you delete and recreate the Azure AD DS instance.
+<a name='properties-synced-from-azure-ad-to-azure-ad-ds'></a>
-### Properties synced from Azure AD to Azure AD DS
+### Properties synced from Microsoft Entra ID to Microsoft Entra Domain Services
-* Azure AD connect syncs from on-premises to Azure AD.
-* Azure AD DS syncs from Azure AD.
+* Microsoft Entra Connect syncs from on-premises to Microsoft Entra ID.
+* Microsoft Entra Domain Services syncs from Microsoft Entra ID.
-Azure AD DS syncs objects from Azure AD periodically. The Azure AD DS blade on the Azure portal displays the sync status. During each stage of sync, unique properties may get into conflict and renamed. Pay attention to the property mapping from Azure AD to Azure AD DS.
+Microsoft Entra Domain Services syncs objects from Microsoft Entra ID periodically. The Microsoft Entra Domain Services blade on the Azure portal displays the sync status. During each stage of sync, unique properties may get into conflict and renamed. Pay attention to the property mapping from Microsoft Entra ID to Microsoft Entra Domain Services.
-For more information, see [Azure AD UserPrincipalName population](../../active-directory/hybrid/plan-connect-userprincipalname.md), and [How Azure AD DS synchronization works](../../active-directory-domain-services/synchronization.md).
+For more information, see [Microsoft Entra UserPrincipalName population](../../active-directory/hybrid/plan-connect-userprincipalname.md), and [How Microsoft Entra Domain Services synchronization works](../../active-directory-domain-services/synchronization.md).
### Password hash sync
-* Passwords are synced differently from other object types. Only non-reversible password hashes are synced in Azure AD and Azure AD DS
-* On-premises to Azure AD has to be enabled through AD Connect
-* Azure AD to Azure AD DS sync is automatic (latencies are under 20 minutes).
+* Passwords are synced differently from other object types. Only non-reversible password hashes are synced in Microsoft Entra ID and Microsoft Entra Domain Services
+* On-premises to Microsoft Entra ID has to be enabled through AD Connect
+* Microsoft Entra ID to Microsoft Entra Domain Services sync is automatic (latencies are under 20 minutes).
* Password hashes are synced only when there's a changed password. When you enable password hash sync, all existing passwords don't get synced automatically as they're stored irreversibly. When you change the password, password hashes get synced. ### Set Ambari LDAP sync to run daily
Most common reasons:
### User Principal Name (UPN) * Please use lowercase for all services - UPNs are not case sensitive in ESP clusters, but
-* The UPN prefix should match both SAMAccountName in Azure AD-DS. Matching with the mail field is not required.
+* The UPN prefix should match both SAMAccountName in Microsoft Entra Domain Services. Matching with the mail field is not required.
### LDAP properties in Ambari configuration
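Review bot: inconsistent product naming within the hunk: the Password hash sync bullet "* On-premises to Microsoft Entra ID has to be enabled through AD Connect" keeps "AD Connect", while the Properties synced section a few lines above renames the same tool to "Microsoft Entra Connect" ("* Microsoft Entra Connect syncs from on-premises to Microsoft Entra ID."). Use "Microsoft Entra Connect" in both places. Two drive-bys while these lines are open: the UPN bullet "* The UPN prefix should match both SAMAccountName in Microsoft Entra Domain Services." has a dangling "both" (it names only one attribute), and the unchanged context line under the instance section shows a mojibake apostrophe ("wonΓÇÖt") in the source, which is worth replacing with a plain apostrophe.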
If your TenantName & DomainName are different, you need to add a SALT value usin
### LDAP certificate renewal
-HDInsight will automatically renew the certificates for the managed identities you use for clusters with the Enterprise Security Package (ESP). However, there is a limitation when different managed identities are used for Azure AD DS and ADLS Gen2 that could cause the renewal process to fail. Follow the 2 recommendations below to ensure we are able to renew your certificates successfully:
+HDInsight will automatically renew the certificates for the managed identities you use for clusters with the Enterprise Security Package (ESP). However, there is a limitation when different managed identities are used for Microsoft Entra Domain Services and ADLS Gen2 that could cause the renewal process to fail. Follow the 2 recommendations below to ensure we are able to renew your certificates successfully:
-- If you use different managed identities for ADLS Gen2 and Azure AD DS clusters, then both of them should have the **Storage blob data Owner** and **HDInsight Domain Services Contributor** roles assigned to them.
+- If you use different managed identities for ADLS Gen2 and Microsoft Entra Domain Services clusters, then both of them should have the **Storage blob data Owner** and **HDInsight Domain Services Contributor** roles assigned to them.
- HDInsight clusters require public IPs for certificate updates and other maintenance so **any policies that deny public IP on the cluster should be removed**. ## Next steps
-* [Enterprise Security Package configurations with Azure Active Directory Domain Services in HDInsight](./apache-domain-joined-configure-using-azure-adds.md)
+* [Enterprise Security Package configurations with Microsoft Entra Domain Services in HDInsight](./apache-domain-joined-configure-using-azure-adds.md)
-* [Synchronize Azure Active Directory users to an HDInsight cluster](../hdinsight-sync-aad-users-to-cluster.md).
+* [Synchronize Microsoft Entra users to an HDInsight cluster](../hdinsight-sync-aad-users-to-cluster.md).
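Review bot: the last recommendation tells readers that "any policies that deny public IP on the cluster should be removed", which is broader than certificate renewal needs; suggest a scoped Azure Policy exemption for the cluster's resource group (or an exclusion on the deny-public-IP assignment) instead of removing the policy for the whole scope. The role in the first bullet should also be cased as the built-in role name, Storage Blob Data Owner, so readers can find it in the portal; "HDInsight Domain Services Contributor" is already written that way.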
hdinsight Hdinsight Security Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/hdinsight-security-overview.md
All clusters deployed in a VNET will also have a private endpoint. The endpoint
### Authentication
-[Enterprise Security Package](apache-domain-joined-architecture.md) from HDInsight provides Active Directory-based authentication, multi-user support, and role-based access control. The Active Directory integration is achieved through the use of [Azure Active Directory Domain Services](../../active-directory-domain-services/overview.md). With these capabilities, you can create an HDInsight cluster joined to an Active Directory domain. Then configure a list of employees from the enterprise who can authenticate to the cluster.
+[Enterprise Security Package](apache-domain-joined-architecture.md) from HDInsight provides Active Directory-based authentication, multi-user support, and role-based access control. The Active Directory integration is achieved through the use of [Microsoft Entra Domain Services](../../active-directory-domain-services/overview.md). With these capabilities, you can create an HDInsight cluster joined to an Active Directory domain. Then configure a list of employees from the enterprise who can authenticate to the cluster.
With this setup, enterprise employees can sign in to the cluster nodes by using their domain credentials. They can also use their domain credentials to authenticate with other approved endpoints. Like Apache Ambari Views, ODBC, JDBC, PowerShell, and REST APIs to interact with the cluster.
The following table provides links to resources for each type of security soluti
| | Ensure that the [Encryption in transit](./encryption-in-transit.md) feature is enabled to use TLS and IPSec for intra-cluster communication. | Customer | | | Configure [customer-managed keys](../../storage/common/customer-managed-keys-configure-key-vault.md) for Azure Storage encryption | Customer | | | Control access to your data by Azure support using [Customer lockbox](../../security/fundamentals/customer-lockbox-overview.md) | Customer |
-| Application and middleware security | Integrate with AAD-DS and [Configure ESP](apache-domain-joined-configure-using-azure-adds.md) or use [HIB for OAuth Authentication](identity-broker.md)| Customer |
+| Application and middleware security | Integrate with Microsoft Entra Domain Services and [Configure ESP](apache-domain-joined-configure-using-azure-adds.md) or use [HIB for OAuth Authentication](identity-broker.md)| Customer |
| | Configure [Apache Ranger Authorization](apache-domain-joined-run-hive.md) policies | Customer | | | Use [Azure Monitor logs](../hdinsight-hadoop-oms-log-analytics-tutorial.md) | Customer | | Operating system security | Create clusters with most recent secure base image | Customer |
hdinsight Identity Broker https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/identity-broker.md
Last updated 06/05/2023
# Azure HDInsight ID Broker (HIB)
-This article describes how to set up and use the Azure HDInsight ID Broker feature. You can use this feature to get modern OAuth authentication to Apache Ambari while having multifactor authentication enforcement without needing legacy password hashes in Azure Active Directory Domain Services (Azure AD DS).
+This article describes how to set up and use the Azure HDInsight ID Broker feature. You can use this feature to get modern OAuth authentication to Apache Ambari while having multifactor authentication enforcement without needing legacy password hashes in Microsoft Entra Domain Services.
## Overview HDInsight ID Broker simplifies complex authentication setups in the following scenarios:
-* Your organization relies on federation to authenticate users for accessing cloud resources. Previously, to use HDInsight Enterprise Security Package clusters, you had to enable password hash sync from your on-premises environment to Azure Active Directory (Azure AD). This requirement might be difficult or undesirable for some organizations.
+* Your organization relies on federation to authenticate users for accessing cloud resources. Previously, to use HDInsight Enterprise Security Package clusters, you had to enable password hash sync from your on-premises environment to Microsoft Entra ID. This requirement might be difficult or undesirable for some organizations.
* Your organization wants to enforce multifactor authentication for web-based or HTTP-based access to Apache Ambari and other cluster resources.
-HDInsight ID Broker provides the authentication infrastructure that enables protocol transition from OAuth (modern) to Kerberos (legacy) without needing to sync password hashes to Azure AD DS. This infrastructure consists of components running on a Windows Server virtual machine (VM) with the HDInsight ID Broker node enabled, along with cluster gateway nodes.
+HDInsight ID Broker provides the authentication infrastructure that enables protocol transition from OAuth (modern) to Kerberos (legacy) without needing to sync password hashes to Microsoft Entra Domain Services. This infrastructure consists of components running on a Windows Server virtual machine (VM) with the HDInsight ID Broker node enabled, along with cluster gateway nodes.
Use the following table to determine the best authentication option based on your organization's needs. |Authentication options |HDInsight configuration | Factors to consider | ||||
-| Fully OAuth | Enterprise Security Package + HDInsight ID Broker | Most secure option. (Multifactor authentication is supported.) Pass hash sync isn't required. No ssh/kinit/keytab access for on-premises accounts, which don't have password hash in Azure AD DS. Cloud-only accounts can still ssh/kinit/keytab. Web-based access to Ambari through OAuth. Requires updating legacy apps (for example, JDBC/ODBC) to support OAuth.|
-| OAuth + Basic Auth | Enterprise Security Package + HDInsight ID Broker | Web-based access to Ambari through OAuth. Legacy apps continue to use basic auth. Multifactor authentication must be disabled for basic auth access. Pass hash sync isn't required. No ssh/kinit/keytab access for on-premises accounts, which don't have password hash in Azure AD DS. Cloud-only accounts can still ssh/kinit. |
-| Fully Basic Auth | Enterprise Security Package | Most similar to on-premises setups. Password hash sync to Azure AD DS is required. On-premises accounts can ssh/kinit or use keytab. Multifactor authentication must be disabled if the backing storage is Azure Data Lake Storage Gen2. |
+| Fully OAuth | Enterprise Security Package + HDInsight ID Broker | Most secure option. (Multifactor authentication is supported.) Pass hash sync isn't required. No ssh/kinit/keytab access for on-premises accounts, which don't have password hash in Microsoft Entra Domain Services. Cloud-only accounts can still ssh/kinit/keytab. Web-based access to Ambari through OAuth. Requires updating legacy apps (for example, JDBC/ODBC) to support OAuth.|
+| OAuth + Basic Auth | Enterprise Security Package + HDInsight ID Broker | Web-based access to Ambari through OAuth. Legacy apps continue to use basic auth. Multifactor authentication must be disabled for basic auth access. Pass hash sync isn't required. No ssh/kinit/keytab access for on-premises accounts, which don't have password hash in Microsoft Entra Domain Services. Cloud-only accounts can still ssh/kinit. |
+| Fully Basic Auth | Enterprise Security Package | Most similar to on-premises setups. Password hash sync to Microsoft Entra Domain Services is required. On-premises accounts can ssh/kinit or use keytab. Multifactor authentication must be disabled if the backing storage is Azure Data Lake Storage Gen2. |
The following diagram shows the modern OAuth-based authentication flow for all users, including federated users, after HDInsight ID Broker is enabled:
In this diagram, the client (that is, a browser or app) needs to acquire the OAu
There still might be many legacy applications that only support basic authentication (that is, username and password). For those scenarios, you can still use HTTP basic authentication to connect to the cluster gateways. In this set up, you must ensure network connectivity from the gateway nodes to the Active Directory Federation Services (AD FS) endpoint to ensure a direct line of sight from gateway nodes.
-The following diagram shows the basic authentication flow for federated users. First, the gateway attempts to complete the authentication by using [ROPC flow](../../active-directory/develop/v2-oauth-ropc.md). In case there's no password hashes synced to Azure AD, it falls back to discovering the AD FS endpoint and completes the authentication by accessing the AD FS endpoint.
+The following diagram shows the basic authentication flow for federated users. First, the gateway attempts to complete the authentication by using [ROPC flow](../../active-directory/develop/v2-oauth-ropc.md). In case there's no password hashes synced to Microsoft Entra ID, it falls back to discovering the AD FS endpoint and completes the authentication by accessing the AD FS endpoint.
:::image type="content" source="media/identity-broker/basic-authentication.png" alt-text="Diagram that shows architecture with basic authentication." border="false":::
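Review bot: the first two table rows abbreviate to "Pass hash sync" while the third says "Password hash sync"; use the full term in all three. More important for the OAuth + Basic Auth row: "Multifactor authentication must be disabled for basic auth access" is a direct consequence of the gateway running the ROPC flow with the user's password, as the paragraph after the diagram explains, so the text should say that the MFA exemption needs to be limited to the accounts that actually require basic auth (for example a Conditional Access policy scoped to those users) rather than read as turning MFA off for the tenant. The paragraph on gateway nodes needing line of sight to AD FS is the natural place to add that.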
To create an Enterprise Security Package cluster with HDInsight ID Broker enable
1. Follow the basic creation steps for an Enterprise Security Package cluster. For more information, see [Create an HDInsight cluster with Enterprise Security Package](apache-domain-joined-configure-using-azure-adds.md#create-an-hdinsight-cluster-with-esp). 1. Select **Enable HDInsight ID Broker**.
-The HDInsight ID Broker feature adds one extra VM to the cluster. This VM is the HDInsight ID Broker node, and it includes server components to support authentication. The HDInsight ID Broker node is domain joined to the Azure AD DS domain.
+The HDInsight ID Broker feature adds one extra VM to the cluster. This VM is the HDInsight ID Broker node, and it includes server components to support authentication. The HDInsight ID Broker node is domain joined to the Microsoft Entra Domain Services domain.
:::image type="content" source="./media/identity-broker/identity-broker-enable.png" alt-text="Diagram that shows option to enable HDInsight ID Broker." border="true":::
To see a complete sample of an ARM template, see the template published [here](h
HDInsight tools are updated to natively support OAuth. Use these tools for modern OAuth-based access to the clusters. The HDInsight [IntelliJ plug-in](../spark/apache-spark-intellij-tool-plugin.md#integrate-with-hdinsight-identity-broker-hib) can be used for Java-based applications, such as Scala. [Spark and Hive Tools for Visual Studio Code](../hdinsight-for-vscode.md) can be used for PySpark and Hive jobs. The tools support both batch and interactive jobs.
-## SSH access without a password hash in Azure AD DS
+<a name='ssh-access-without-a-password-hash-in-azure-ad-ds'></a>
+
+## SSH access without a password hash in Microsoft Entra Domain Services
|SSH options |Factors to consider | ||| | Local VM account (for example, sshuser) | You provided this account at the cluster creation time. There's no Kerberos authentication for this account. |
-| Cloud-only account (for example, alice@contoso.onmicrosoft.com) | The password hash is available in Azure AD DS. Kerberos authentication is possible via SSH Kerberos. |
-| On-premises account (for example, alice@contoso.com) | SSH Kerberos authentication is only possible if a password hash is available in Azure AD DS. Otherwise, this user can't SSH to the cluster. |
+| Cloud-only account (for example, alice@contoso.onmicrosoft.com) | The password hash is available in Microsoft Entra Domain Services. Kerberos authentication is possible via SSH Kerberos. |
+| On-premises account (for example, alice@contoso.com) | SSH Kerberos authentication is only possible if a password hash is available in Microsoft Entra Domain Services. Otherwise, this user can't SSH to the cluster. |
-To SSH to a domain-joined VM or to run the `kinit` command, you must provide a password. SSH Kerberos authentication requires the hash to be available in Azure AD DS. If you want to use SSH for administrative scenarios only, you can create one cloud-only account and use it to SSH to the cluster. Other on-premises users can still use Ambari or HDInsight tools or HTTP basic auth without having the password hash available in Azure AD DS.
+To SSH to a domain-joined VM or to run the `kinit` command, you must provide a password. SSH Kerberos authentication requires the hash to be available in Microsoft Entra Domain Services. If you want to use SSH for administrative scenarios only, you can create one cloud-only account and use it to SSH to the cluster. Other on-premises users can still use Ambari or HDInsight tools or HTTP basic auth without having the password hash available in Microsoft Entra Domain Services.
-If your organization isn't syncing password hashes to Azure AD DS, as a best practice, create one cloud-only user in Azure AD. Then assign it as a cluster admin when you create the cluster, and use that for administration purposes. You can use it to get root access to the VMs via SSH.
+If your organization isn't syncing password hashes to Microsoft Entra Domain Services, as a best practice, create one cloud-only user in Microsoft Entra ID. Then assign it as a cluster admin when you create the cluster, and use that for administration purposes. You can use it to get root access to the VMs via SSH.
To troubleshoot authentication issues, see [this guide](./domain-joined-authentication-issues.md).
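Review bot: the last `+` line says the cloud-only cluster admin account can be used "to get root access to the VMs via SSH", but the ssh-domain-accounts page changed further down in this same commit states that domain users are not in the sudoers group and only the SSH user supplied at cluster creation has root. One of the two statements needs qualifying (for example, that the account named as cluster admin is granted sudo, if that is the case); as written they contradict each other.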
curl -k -v -H "Authorization: Bearer Access_TOKEN" -H "Content-Type: application
For using Beeline and Livy, you can also follow the samples codes provided [here](https://github.com/Azure-Samples/hdinsight-enterprise-security/tree/main/HIB/HIBSamples) to set up your client to use OAuth and connect to the cluster. ## FAQ
-### What app is created by HDInsight in Microsoft Azure Active Directory (Azure AD)?
-For each cluster, a third party application is registered in Microsoft Azure Active Directory (Azure AD) with the cluster uri as the identifierUri (like `https://clustername.azurehdinsight.net`).
+<a name='what-app-is-created-by-hdinsight-in-microsoft-azure-active-directory-azure-ad'></a>
+
+### What app is created by HDInsight in Microsoft Entra ID?
+For each cluster, a third party application is registered in Microsoft Entra ID with the cluster uri as the identifierUri (like `https://clustername.azurehdinsight.net`).
### Why are users prompted for consent before using HIB enabled clusters?
-In Microsoft Azure Active Directory (Azure AD), consent is required for all third party applications before it can authenticate users or access data.
+In Microsoft Entra ID, consent is required for all third party applications before it can authenticate users or access data.
### Can the consent be approved programatically? Microsoft Graph api allows you to automate the consent, see the [API documentation](/graph/api/resources/oauth2permissiongrant)
When the cluster is deleted, HDInsight delete the app, and there's no need to cl
## Next steps
-* [Configure an HDInsight cluster with Enterprise Security Package by using Azure Active Directory Domain Services](apache-domain-joined-configure-using-azure-adds.md)
-* [Synchronize Azure Active Directory users to an HDInsight cluster](../hdinsight-sync-aad-users-to-cluster.md)
+* [Configure an HDInsight cluster with Enterprise Security Package by using Microsoft Entra Domain Services](apache-domain-joined-configure-using-azure-adds.md)
+* [Synchronize Microsoft Entra users to an HDInsight cluster](../hdinsight-sync-aad-users-to-cluster.md)
* [Monitor cluster performance](../hdinsight-key-scenarios-to-monitor.md)
hdinsight Ldap Sync https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/ldap-sync.md
HDInsight Enterprise Security Package (ESP) clusters use Ranger for authorizatio
## General guidelines * Always deploy clusters with one or more groups.
-* If you want to use more groups in the cluster, check whether it makes sense to update the group memberships in Azure Active Directory (Azure AD).
+* If you want to use more groups in the cluster, check whether it makes sense to update the group memberships in Microsoft Entra ID.
* If you want to change the cluster groups, you can change the sync filters by using Ambari.
-* All group membership changes in Azure AD are reflected in the cluster in subsequent syncs. The changes need to be synced to Azure AD Domain Services (Azure AD DS) first, and then to the clusters.
+* All group membership changes in Microsoft Entra ID are reflected in the cluster in subsequent syncs. The changes need to be synced to Microsoft Entra Domain Services first, and then to the clusters.
* HDInsight clusters use Samba/Winbind to project the group memberships on the cluster nodes. * Group members are synced transitively (all the subgroups and their members) to both Ambari and Ranger.
Ranger user sync can happen out of either of the headnodes. The logs are in `/va
## Next steps * [Authentication issues in Azure HDInsight](./domain-joined-authentication-issues.md)
-* [Synchronize Azure AD users to an HDInsight cluster](../hdinsight-sync-aad-users-to-cluster.md)
+* [Synchronize Microsoft Entra users to an HDInsight cluster](../hdinsight-sync-aad-users-to-cluster.md)
hdinsight Ssh Domain Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/domain-joined/ssh-domain-accounts.md
Title: Manage SSH access for domain accounts in Azure HDInsight
-description: Steps to manage SSH access for Azure AD accounts in HDInsight.
+description: Steps to manage SSH access for Microsoft Entra accounts in HDInsight.
Last updated 09/19/2023
# Manage SSH access for domain accounts in Azure HDInsight
-On secure clusters, by default, all domain users in [Azure AD DS](../../active-directory-domain-services/overview.md) are allowed to [SSH](../hdinsight-hadoop-linux-use-ssh-unix.md) into the head and edge nodes. These users are not part of the sudoers group and do not get root access. The SSH user created during cluster creation has root access.
+On secure clusters, by default, all domain users in [Microsoft Entra Domain Services](../../active-directory-domain-services/overview.md) are allowed to [SSH](../hdinsight-hadoop-linux-use-ssh-unix.md) into the head and edge nodes. These users are not part of the sudoers group and do not get root access. The SSH user created during cluster creation has root access.
## Manage access
hdinsight Enterprise Security Package https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/enterprise-security-package.md
Enterprise Security is an optional package that you can add on your HDInsight cl
* Integration with Active Directory for authentication.
- In the past, you created HDInsight clusters with local admin user and local SSH user. The local admin user can access all the files, folders, tables, and columns. With Enterprise Security Package, you enable Azure role-based access control by integrating HDInsight with your Azure Active Directory Domain Services.
+ In the past, you created HDInsight clusters with local admin user and local SSH user. The local admin user can access all the files, folders, tables, and columns. With Enterprise Security Package, you enable Azure role-based access control by integrating HDInsight with your Microsoft Entra Domain Services.
For more information, see:
Enterprise Security is an optional package that you can add on your HDInsight cl
* [Configure domain-joined sandbox environment](./domain-joined/apache-domain-joined-configure-using-azure-adds.md)
- * [Configure Domain-joined HDInsight clusters using Azure Active Directory Domain Services](./domain-joined/apache-domain-joined-configure-using-azure-adds.md)
+ * [Configure Domain-joined HDInsight clusters using Microsoft Entra Domain Services](./domain-joined/apache-domain-joined-configure-using-azure-adds.md)
* Authorization for data
hdinsight Apache Hadoop On Premises Migration Best Practices Security Devops https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hadoop/apache-hadoop-on-premises-migration-best-practices-security-devops.md
ESP is available on the following cluster types: Apache Hadoop, Apache Spark, Ap
Use the following steps to deploy the Domain-joined HDInsight cluster: -- Deploy Azure Active Directory (AAD) by passing the Domain name.-- Deploy Azure Active Directory Domain Services (AAD DS).
+- Deploy Microsoft Entra ID by passing the Domain name.
+- Deploy Microsoft Entra Domain Services.
- Create the required Virtual Network and subnet.-- Deploy a VM in the Virtual Network to manage AAD DS.
+- Deploy a VM in the Virtual Network to manage Microsoft Entra Domain Services.
- Join the VM to the domain. - Install AD and DNS tools.-- Have the AAD DS Administrator create an Organizational Unit (OU).-- Enable LDAPS for AAD DS.-- Create a service account in Azure Active Directory with delegated read & write admin permission to the OU, so that it can. This service account can then join machines to the domain and place machine principals within the OU. It can also create service principals within the OU that you specify during cluster creation.
+- Have the Microsoft Entra Domain Services Administrator create an Organizational Unit (OU).
+- Enable LDAPS for Microsoft Entra Domain Services.
+- Create a service account in Microsoft Entra ID with delegated read & write admin permission to the OU, so that it can. This service account can then join machines to the domain and place machine principals within the OU. It can also create service principals within the OU that you specify during cluster creation.
> [!Note] > The service account does not need to be AD domain admin account.
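Review bot: the `+` line for the service account ends with the unfinished clause "so that it can." and then restarts with "This service account can then join machines..."; merge the two into one sentence ("...delegated read and write permission to the OU so that it can join machines to the domain..."). The Note that follows is the right least-privilege guidance; it would be stronger if it also said the delegation is scoped to that OU only, since the parameter table below has the cluster create the OU with the service account's privileges when it does not exist. Separately, "Deploy Microsoft Entra ID by passing the Domain name" reads oddly after the rename: a tenant is not deployed per cluster, so the step should name what is actually created (the tenant or its custom domain name).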
Use the following steps to deploy the Domain-joined HDInsight cluster:
|Parameter |Description | |||
- |Domain name|The domain name that's associated with Azure AD DS.|
- |Domain user name|The service account in the Azure AD DS DC-managed domain that you created in the previous section, for example: `hdiadmin@contoso.onmicrosoft.com`. This domain user will be the administrator of this HDInsight cluster.|
+ |Domain name|The domain name that's associated with Microsoft Entra Domain Services.|
+ |Domain user name|The service account in the Microsoft Entra Domain Services DC-managed domain that you created in the previous section, for example: `hdiadmin@contoso.onmicrosoft.com`. This domain user will be the administrator of this HDInsight cluster.|
|Domain password|The password of the service account.| |Organizational unit|The distinguished name of the OU that you want to use with the HDInsight cluster, for example: `OU=HDInsightOU,DC=contoso,DC=onmicrosoft,DC=com`. If this OU doesn't exist, the HDInsight cluster tries to create the OU using the privileges of the service account.| |LDAPS URL|for example, `ldaps://contoso.onmicrosoft.com:636`.|
For more information, see the following articles:
- [An introduction to Apache Hadoop security with domain-joined HDInsight clusters](../domain-joined/hdinsight-security-overview.md) - [Plan Azure domain-joined Apache Hadoop clusters in HDInsight](../domain-joined/apache-domain-joined-architecture.md)-- [Configure a domain-joined HDInsight cluster by using Azure Active Directory Domain Services](../domain-joined/apache-domain-joined-configure-using-azure-adds.md)-- [Synchronize Azure Active Directory users to an HDInsight cluster](../hdinsight-sync-aad-users-to-cluster.md)
+- [Configure a domain-joined HDInsight cluster by using Microsoft Entra Domain Services](../domain-joined/apache-domain-joined-configure-using-azure-adds.md)
+- [Synchronize Microsoft Entra users to an HDInsight cluster](../hdinsight-sync-aad-users-to-cluster.md)
- [Configure Apache Hive policies in Domain-joined HDInsight](../domain-joined/apache-domain-joined-run-hive.md) - [Run Apache Oozie in domain-joined HDInsight Hadoop clusters](../domain-joined/hdinsight-use-oozie-domain-joined-clusters.md)
End to end enterprise security can be achieved using the following controls:
- Perimeter level Security can be achieved through Azure Virtual Networks, Network Security Groups, and Gateway service. **Authentication and authorization for data access**
- - Create Domain-joined HDInsight cluster using Azure Active Directory Domain Services. (Enterprise Security Package).
+ - Create Domain-joined HDInsight cluster using Microsoft Entra Domain Services. (Enterprise Security Package).
- Use Ambari to provide role-based access to cluster resources for AD users. - Use Apache Ranger to set access control policies for Hive at the table / column / row level. - SSH access to the cluster can be restricted only to the administrator.
hdinsight Apache Hadoop On Premises Migration Best Practices Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hadoop/apache-hadoop-on-premises-migration-best-practices-storage.md
For more information, see the following articles:
### Azure Data Lake Storage Gen1
-Azure Data Lake Storage Gen1 implements HDFS and POSIX style access control model. It provides first class integration with Azure AD for fine grained access control. There are no limits to the size of data that it can store, or its ability to run massively parallel analytics.
+Azure Data Lake Storage Gen1 implements HDFS and POSIX style access control model. It provides first class integration with Microsoft Entra ID for fine grained access control. There are no limits to the size of data that it can store, or its ability to run massively parallel analytics.
For more information, see the following articles:
hdinsight Apache Hadoop On Premises Migration Motivation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hadoop/apache-hadoop-on-premises-migration-motivation.md
Azure HDInsight is a cloud distribution of Hadoop components. Azure HDInsight ma
- **Global availability** - HDInsight is available in more [regions](https://azure.microsoft.com/regions/services/) than any other big data analytics offering. Azure HDInsight is also available in Azure Government, China, and Germany, which allows you to meet your enterprise needs in key sovereign areas. -- **Secure and compliant** - HDInsight enables you to protect your enterprise data assets with [Azure Virtual Network](../hdinsight-plan-virtual-network-deployment.md), [encryption](../hdinsight-hadoop-create-linux-clusters-with-secure-transfer-storage.md), and integration with [Azure Active Directory](../domain-joined/hdinsight-security-overview.md). HDInsight also meets the most popular industry and government [compliance standards](https://azure.microsoft.com/overview/trusted-cloud).
+- **Secure and compliant** - HDInsight enables you to protect your enterprise data assets with [Azure Virtual Network](../hdinsight-plan-virtual-network-deployment.md), [encryption](../hdinsight-hadoop-create-linux-clusters-with-secure-transfer-storage.md), and integration with [Microsoft Entra ID](../domain-joined/hdinsight-security-overview.md). HDInsight also meets the most popular industry and government [compliance standards](https://azure.microsoft.com/overview/trusted-cloud).
- **Simplified version management** - Azure HDInsight manages the version of Hadoop eco-system components and keeps them up to date. Software updates are usually a complex process for on-premises deployments.
hdinsight Connect Install Beeline https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hadoop/connect-install-beeline.md
Replace `<headnode-FQDN>` with the fully qualified domain name of a cluster head
### To HDInsight Enterprise Security Package (ESP) cluster using Kerberos
-When connecting from a client to an Enterprise Security Package (ESP) cluster joined to Azure Active Directory (AAD)-DS on a machine in same realm of the cluster, you must also specify the domain name `<AAD-Domain>` and the name of a domain user account with permissions to access the cluster `<username>`:
+When connecting from a client to an Enterprise Security Package (ESP) cluster joined to Microsoft Entra Domain Services on a machine in same realm of the cluster, you must also specify the domain name `<AAD-Domain>` and the name of a domain user account with permissions to access the cluster `<username>`:
```bash kinit <username> beeline -u 'jdbc:hive2://<headnode-FQDN>:10001/default;principal=hive/_HOST@<AAD-Domain>;auth-kerberos;transportMode=http' -n <username> ```
-Replace `<username>` with the name of an account on the domain with permissions to access the cluster. Replace `<AAD-DOMAIN>` with the name of the Azure Active Directory (AAD) that the cluster is joined to. Use an uppercase string for the `<AAD-DOMAIN>` value, otherwise the credential won't be found. Check `/etc/krb5.conf` for the realm names if needed.
+Replace `<username>` with the name of an account on the domain with permissions to access the cluster. Replace `<AAD-DOMAIN>` with the name of the Microsoft Entra ID that the cluster is joined to. Use an uppercase string for the `<AAD-DOMAIN>` value, otherwise the credential won't be found. Check `/etc/krb5.conf` for the realm names if needed.
To find the JDBC URL from Ambari:
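Review bot: the `+` line "the name of the Microsoft Entra ID that the cluster is joined to" came out of the mechanical rename and no longer names a thing; the cluster is joined to a Microsoft Entra Domain Services managed domain, and the value wanted is that domain's Kerberos realm, which is why it must be uppercase and can be checked in `/etc/krb5.conf`. The placeholder is also written `<AAD-Domain>` in the command and `<AAD-DOMAIN>` in the prose; pick one. Finally, `auth-kerberos` in the JDBC URL looks like a typo for `auth=kerberos`, the key=value form the neighbouring `transportMode=http` and `principal=` already use; please verify against a working cluster before merging.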
hdinsight Hdinsight Troubleshoot Data Lake Files https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hadoop/hdinsight-troubleshoot-data-lake-files.md
The certificate provided for Service principal access might have expired.
at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext() ```
-1. Any other Azure Active Directory related errors/certificate related errors can be recognized by pinging the gateway url to get the OAuth token.
+1. Any other Microsoft Entra related errors/certificate related errors can be recognized by pinging the gateway url to get the OAuth token.
1. If you are getting following error when attempting to access ADLS from the HDI Cluster. Check if the Certificate has Expired by following the steps mentioned above.
hdinsight Hdinsight Authorize Users To Ambari https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-authorize-users-to-ambari.md
Last updated 06/08/2023
# Authorize users for Apache Ambari Views
-[Enterprise Security Package (ESP) enabled HDInsight clusters](./domain-joined/hdinsight-security-overview.md) provide enterprise-grade capabilities, including Azure Active Directory-based authentication. You can [synchronize new users](hdinsight-sync-aad-users-to-cluster.md) added to Azure AD groups that have been provided access to the cluster, allowing those specific users to perform certain actions. Working with users, groups, and permissions in [Apache Ambari](https://ambari.apache.org/) is supported for both ESP HDInsight clusters and standard HDInsight clusters.
+[Enterprise Security Package (ESP) enabled HDInsight clusters](./domain-joined/hdinsight-security-overview.md) provide enterprise-grade capabilities, including Microsoft Entra ID-based authentication. You can [synchronize new users](hdinsight-sync-aad-users-to-cluster.md) added to Microsoft Entra groups that have been provided access to the cluster, allowing those specific users to perform certain actions. Working with users, groups, and permissions in [Apache Ambari](https://ambari.apache.org/) is supported for both ESP HDInsight clusters and standard HDInsight clusters.
Active Directory users can sign in to the cluster nodes using their domain credentials. They can also use their domain credentials to authenticate cluster interactions with other approved endpoints like [Hue](https://gethue.com/), Ambari Views, ODBC, JDBC, PowerShell, and REST APIs.
The List view provides quick editing capabilities in two categories: Users and G
:::image type="content" source="./media/hdinsight-authorize-users-to-ambari/roles-list-view-users.png" alt-text="Apache Ambari roles list view - users":::
-* The Groups category of the List view displays all groups, and the role assigned to each group. In our example, the list of groups is synchronized from the Azure AD groups specified in the **Access user group** property of the cluster's Domain settings. See [Create a HDInsight cluster with ESP enabled](./domain-joined/apache-domain-joined-configure-using-azure-adds.md#create-an-hdinsight-cluster-with-esp).
+* The Groups category of the List view displays all groups, and the role assigned to each group. In our example, the list of groups is synchronized from the Microsoft Entra groups specified in the **Access user group** property of the cluster's Domain settings. See [Create a HDInsight cluster with ESP enabled](./domain-joined/apache-domain-joined-configure-using-azure-adds.md#create-an-hdinsight-cluster-with-esp).
:::image type="content" source="./media/hdinsight-authorize-users-to-ambari/roles-list-view-groups.png" alt-text="Apache Ambari roles list view - groups":::
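Review bot: the link text in the `+` line keeps "Create a HDInsight cluster with ESP enabled"; since the rename already touches this line, correct the article to "Create an HDInsight cluster with ESP enabled" in the same change.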
The List view provides quick editing capabilities in two categories: Users and G
## Log in to Ambari as a view-only user
-We have assigned our Azure AD domain user "hiveuser1" permissions to Hive and Tez views. When we launch the Ambari Web UI and enter this user's domain credentials (Azure AD user name in e-mail format, and password), the user is redirected to the Ambari Views page. From here, the user can select any accessible view. The user cannot visit any other part of the site, including the dashboard, services, hosts, alerts, or admin pages.
+We have assigned our Microsoft Entra domain user "hiveuser1" permissions to Hive and Tez views. When we launch the Ambari Web UI and enter this user's domain credentials (Microsoft Entra user name in e-mail format, and password), the user is redirected to the Ambari Views page. From here, the user can select any accessible view. The user cannot visit any other part of the site, including the dashboard, services, hosts, alerts, or admin pages.
:::image type="content" source="./media/hdinsight-authorize-users-to-ambari/ambari-user-views-only.png" alt-text="Apache Ambari user with views only"::: ## Log in to Ambari as a cluster user
-We have assigned our Azure AD domain user "hiveuser2" to the *Cluster User* role. This role is able to access the dashboard and all of the menu items. A cluster user has fewer permitted options than an administrator. For example, hiveuser2 can view configurations for each of the services, but cannot edit them.
+We have assigned our Microsoft Entra domain user "hiveuser2" to the *Cluster User* role. This role is able to access the dashboard and all of the menu items. A cluster user has fewer permitted options than an administrator. For example, hiveuser2 can view configurations for each of the services, but cannot edit them.
:::image type="content" source="./media/hdinsight-authorize-users-to-ambari/user-cluster-user-role.png" alt-text="Apache Ambari dashboard display":::
We have assigned our Azure AD domain user "hiveuser2" to the *Cluster User* role
* [Configure Apache Hive policies in HDInsight with ESP](./domain-joined/apache-domain-joined-run-hive.md) * [Manage ESP HDInsight clusters](./domain-joined/apache-domain-joined-manage.md) * [Use the Apache Hive View with Apache Hadoop in HDInsight](hadoop/apache-hadoop-use-hive-ambari-view.md)
-* [Synchronize Azure AD users to the cluster](hdinsight-sync-aad-users-to-cluster.md)
+* [Synchronize Microsoft Entra users to the cluster](hdinsight-sync-aad-users-to-cluster.md)
* [Manage HDInsight clusters by using the Apache Ambari REST API](./hdinsight-hadoop-manage-ambari-rest-api.md)
hdinsight Hdinsight Autoscale Clusters https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-autoscale-clusters.md
Custom Script Actions are mostly used for customizing the nodes (i.e HeadNode /
Don't scale your cluster down to fewer than three nodes. Scaling your cluster to fewer than three nodes can result in it getting stuck in safe mode because of insufficient file replication. For more information, see [getting stuck in safe mode](hdinsight-scaling-best-practices.md#getting-stuck-in-safe-mode).
-### Azure Active Directory Domain Services (Azure AD DS) & Scaling Operations
+<a name='azure-active-directory-domain-services-azure-ad-ds--scaling-operations'></a>
-If you use an HDInsight cluster with Enterprise Security Package (ESP) that is joined to an Azure Active Directory Domain Services (Azure AD DS) managed domain, we recommend throttling load on the Azure AD DS. In complex directory structures [scoped sync](../active-directory-domain-services/scoped-synchronization.md) we recommend avoiding impact to scaling operations.
+### Microsoft Entra Domain Services & Scaling Operations
+
+If you use an HDInsight cluster with Enterprise Security Package (ESP) that is joined to a Microsoft Entra Domain Services managed domain, we recommend throttling load on the Microsoft Entra Domain Services. In complex directory structures [scoped sync](../active-directory-domain-services/scoped-synchronization.md) we recommend avoiding impact to scaling operations.
### Set the Hive configuration Maximum Total Concurrent Queries for the peak usage scenario
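Review bot: the second sentence of the `+` paragraph is still ungrammatical after the rename ("In complex directory structures [scoped sync](...) we recommend avoiding impact to scaling operations"); suggest "In complex directory structures, use [scoped sync](...) to keep scaling operations from being affected." The first sentence also wants an object for "throttling load on": "throttling load on the managed domain".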
hdinsight Hdinsight Business Continuity Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-business-continuity-architecture.md
This article gives a few examples of business continuity architectures you might
## Apache Hive and Interactive Query
-[Hive Replication V2](https://cwiki.apache.org/confluence/display/Hive/HiveReplicationv2Development#HiveReplicationv2Development-REPLSTATUS) is recommended for business continuity in HDInsight Hive and Interactive query clusters. The persistent sections of a standalone Hive cluster that need to be replicated are the Storage Layer and the Hive metastore. Hive clusters in a multi-user scenario with Enterprise Security Package need Azure Active Directory Domain Services and Ranger Metastore.
+[Hive Replication V2](https://cwiki.apache.org/confluence/display/Hive/HiveReplicationv2Development#HiveReplicationv2Development-REPLSTATUS) is recommended for business continuity in HDInsight Hive and Interactive query clusters. The persistent sections of a standalone Hive cluster that need to be replicated are the Storage Layer and the Hive metastore. Hive clusters in a multi-user scenario with Enterprise Security Package need Microsoft Entra Domain Services and Ranger Metastore.
:::image type="content" source="./media/hdinsight-business-continuity-architecture/hive-interactive-query.png" alt-text="Hive and interactive query architecture":::
Disadvantages:
## HDInsight Enterprise Security Package
-This set up is used to enable multi-user functionality in both primary and secondary, as well as [Azure AD DS replica sets](../active-directory-domain-services/tutorial-create-replica-set.md) to ensure that users can authenticate to both clusters. During normal operations, Ranger policies need to be set up in the Secondary to ensure that users are restricted to Read operations. The below architecture explains how an ESP enabled Hive Active Primary ΓÇô Standby Secondary set up might look.
+This set up is used to enable multi-user functionality in both primary and secondary, as well as [Microsoft Entra Domain Services replica sets](../active-directory-domain-services/tutorial-create-replica-set.md) to ensure that users can authenticate to both clusters. During normal operations, Ranger policies need to be set up in the Secondary to ensure that users are restricted to Read operations. The below architecture explains how an ESP enabled Hive Active Primary ΓÇô Standby Secondary set up might look.
Ranger Metastore replication:
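Review bot: the `+` line keeps the mojibake `ΓÇô` (an en dash decoded with the wrong code page) in "Active Primary ΓÇô Standby Secondary"; replace it with a plain hyphen while the line is being edited. "set up" used as a noun ("This set up", "Secondary set up") should be "setup" in both places.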
hdinsight Hdinsight Create Non Interactive Authentication Dotnet Applications https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-create-non-interactive-authentication-dotnet-applications.md
Run your Microsoft .NET Azure HDInsight application either under the application
From your non-interactive .NET application, you need: * Your Azure subscription tenant ID (also called a *directory ID*). See [Get tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
-* The Azure Active Directory (Azure AD) application client ID. See [Create an Azure Active Directory application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) and [Get an application ID](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
-* The Azure AD application secret key. See [Get application authentication key](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
+* The Microsoft Entra application client ID. See [Create a Microsoft Entra application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) and [Get an application ID](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
+* The Microsoft Entra application secret key. See [Get application authentication key](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
## Prerequisites An HDInsight cluster. See the [getting started tutorial](hadoop/apache-hadoop-linux-tutorial-get-started.md).
-## Assign a role to the Azure AD application
+<a name='assign-a-role-to-the-azure-ad-application'></a>
-Assign your Azure AD application a [role](../role-based-access-control/built-in-roles.md), to grant it permissions to perform actions. You can set the scope at the level of the subscription, resource group, or resource. The permissions are inherited to lower levels of scope. For example, adding an application to the Reader role for a resource group means that the application can read the resource group and any resources in it. In this article, you set the scope at the resource group level. For more information, see [Assign Azure roles to manage access to your Azure subscription resources](../role-based-access-control/role-assignments-portal.md).
+## Assign a role to the Microsoft Entra application
-**To add the Owner role to the Azure AD application**
+Assign your Microsoft Entra application a [role](../role-based-access-control/built-in-roles.md), to grant it permissions to perform actions. You can set the scope at the level of the subscription, resource group, or resource. The permissions are inherited to lower levels of scope. For example, adding an application to the Reader role for a resource group means that the application can read the resource group and any resources in it. In this article, you set the scope at the resource group level. For more information, see [Assign Azure roles to manage access to your Azure subscription resources](../role-based-access-control/role-assignments-portal.md).
+
+**To add the Owner role to the Microsoft Entra application**
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Navigate to the resource group that has the HDInsight cluster on which you'll run your Hive query later in this article. If you have a large number of resource groups, you can use the filter to find the one you want. 1. On the resource group menu, select **Access control (IAM)**. 1. Select the **Role assignments** tab to see the current role assignments. 1. At the top of the page, select **+ Add**.
-1. Follow the instructions to add the Owner role to your Azure AD application. After you successfully add the role, the application is listed under the Owner role.
+1. Follow the instructions to add the Owner role to your Microsoft Entra application. After you successfully add the role, the application is listed under the Owner role.
## Develop an HDInsight client application
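Review bot: the renamed heading and step still have the reader grant the application the Owner role at resource-group scope, which is far more than submitting a Hive query needs and lets the service principal manage role assignments on every resource in the group; the paragraph itself explains that permissions are inherited down the scope, so suggest pointing to a narrower role (Contributor, or an HDInsight-specific built-in role) and stating that Owner appears here only for simplicity. Also, "Assign your Microsoft Entra application a role, to grant it permissions" has a stray comma.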
Assign your Azure AD application a [role](../role-based-access-control/built-in-
## Next steps
-* [Create an Azure Active Directory application and service principal in the Azure portal](../active-directory/develop/howto-create-service-principal-portal.md).
+* [Create a Microsoft Entra application and service principal in the Azure portal](../active-directory/develop/howto-create-service-principal-portal.md).
* Learn how to [authenticate a service principal with Azure Resource Manager](../active-directory/develop/howto-authenticate-service-principal-powershell.md). * Learn about [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md).
hdinsight Hdinsight Hadoop Create Linux Clusters Adf https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-hadoop-create-linux-clusters-adf.md
If you don't have an Azure subscription, [create a free account](https://azure.m
* The PowerShell [Az Module](/powershell/azure/install-azure-powershell) installed.
-* An Azure Active Directory service principal. Once you've created the service principal, be sure to retrieve the **application ID** and **authentication key** using the instructions in the linked article. You need these values later in this tutorial. Also, make sure the service principal is a member of the *Contributor* role of the subscription or the resource group in which the cluster is created. For instructions to retrieve the required values and assign the right roles, see [Create an Azure Active Directory service principal](../active-directory/develop/howto-create-service-principal-portal.md).
+* A Microsoft Entra service principal. Once you've created the service principal, be sure to retrieve the **application ID** and **authentication key** using the instructions in the linked article. You need these values later in this tutorial. Also, make sure the service principal is a member of the *Contributor* role of the subscription or the resource group in which the cluster is created. For instructions to retrieve the required values and assign the right roles, see [Create a Microsoft Entra service principal](../active-directory/develop/howto-create-service-principal-portal.md).
## Create preliminary Azure objects
In this section, you author two linked services within your data factory.
| Azure Storage Linked Service | Select `HDIStorageLinkedService`. | | Cluster type | Select **hadoop** | | Time to live | Provide the duration for which you want the HDInsight cluster to be available before being automatically deleted.|
- | Service principal ID | Provide the application ID of the Azure Active Directory service principal you created as part of the prerequisites. |
- | Service principal key | Provide the authentication key for the Azure Active Directory service principal. |
+ | Service principal ID | Provide the application ID of the Microsoft Entra service principal you created as part of the prerequisites. |
+ | Service principal key | Provide the authentication key for the Microsoft Entra service principal. |
| Cluster name prefix | Provide a value that will be prefixed to all the cluster types created by the data factory. | |Subscription |Select your subscription from the drop-down list.| | Select resource group | Select the resource group you created as part of the PowerShell script you used earlier.|
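Review bot: the "Service principal key" row in the `+` lines has the reader paste the authentication key straight into the linked service definition; since the prerequisites step already tells them to retrieve and keep this value, the table would benefit from a sentence recommending that the key be stored in Azure Key Vault and referenced from the linked service rather than embedded in the factory. The context line below it, "a value that will be prefixed", reads better as "a value that is prefixed".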
hdinsight Hdinsight Hadoop Create Linux Clusters Curl Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-hadoop-create-linux-clusters-curl-rest.md
Follow the steps documented in [Get started with Azure CLI](/cli/azure/get-start
In the list, select the subscription that you want to use and note the **Subscription_ID** and __Tenant_ID__ columns. Save these values.
-2. Use the following command to create an application in Azure Active Directory.
+2. Use the following command to create an application in Microsoft Entra ID.
```azurecli az ad app create --display-name "exampleapp" --homepage "https://www.contoso.org" --identifier-uris "https://www.contoso.org/example" --password <Your password> --query 'appId'
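Review bot: the `+` line only renames the directory, while the command beneath it still passes the application secret as `--password <Your password>` on the command line, where it ends up in shell history and process listings; newer Azure CLI releases also no longer accept `--password` on `az ad app create`, the secret being generated with `az ad app credential reset` instead. Suggest updating the command while this step is being edited.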
hdinsight Hdinsight Hadoop Create Linux Clusters Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-hadoop-create-linux-clusters-portal.md
Select **Next: Storage >>** to advance to the next tab.
## Storage > [!WARNING]
-> Starting June 15th, 2020 customers will not be able to create new service principal using HDInsight. See [Create Service Principal and Certificates](../active-directory/develop/howto-create-service-principal-portal.md) using Azure Active Directory.
+> Starting June 15th, 2020 customers will not be able to create new service principal using HDInsight. See [Create Service Principal and Certificates](../active-directory/develop/howto-create-service-principal-portal.md) using Microsoft Entra ID.
:::image type="content" source="./media/hdinsight-hadoop-create-linux-clusters-portal/azure-portal-cluster-storage.png" alt-text="HDInsight create cluster storage":::
From the **Security + networking** tab, provide the following information:
|Property |Description | |||
-|Enterprise security package|Optional: Select the check box to use **Enterprise Security Package**. For more information, see [Configure a HDInsight cluster with Enterprise Security Package by using Azure Active Directory Domain Services](./domain-joined/apache-domain-joined-configure-using-azure-adds.md).|
+|Enterprise security package|Optional: Select the check box to use **Enterprise Security Package**. For more information, see [Configure a HDInsight cluster with Enterprise Security Package by using Microsoft Entra Domain Services](./domain-joined/apache-domain-joined-configure-using-azure-adds.md).|
|TLS|Optional: Select a TLS version from the drop-down list. For more information, see [Transport Layer Security](./transport-layer-security.md).| |Virtual network|Optional: Select an existing virtual network and subnet from the drop-down list. For information, see [Plan a virtual network deployment for Azure HDInsight clusters](hdinsight-plan-virtual-network-deployment.md). The article includes specific configuration requirements for the virtual network.| |Disk encryption settings|Optional: Select the check box to use encryption. For more information, see [Customer-managed key disk encryption](./disk-encryption.md).|
hdinsight Hdinsight Hadoop Development Using Azure Resource Manager https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-hadoop-development-using-azure-resource-manager.md
This section provides pointers to more information on how to perform certain tas
| How to... using the Resource Manager-based HDInsight SDK | Links | | | | | Azure HDInsight SDK for .NET|See [Azure HDInsight SDK for .NET](/dotnet/api/overview/azure/hdinsight) |
-| Authenticate applications interactively using Azure Active Directory with .NET SDK |See [Run Apache Hive queries using .NET SDK](hadoop/apache-hadoop-use-hive-dotnet-sdk.md). The code snippet in this article uses the interactive authentication approach. |
-| Authenticate applications non-interactively using Azure Active Directory with .NET SDK |See [Create non-interactive applications for HDInsight](hdinsight-create-non-interactive-authentication-dotnet-applications.md) |
+| Authenticate applications interactively using Microsoft Entra ID with .NET SDK |See [Run Apache Hive queries using .NET SDK](hadoop/apache-hadoop-use-hive-dotnet-sdk.md). The code snippet in this article uses the interactive authentication approach. |
+| Authenticate applications non-interactively using Microsoft Entra ID with .NET SDK |See [Create non-interactive applications for HDInsight](hdinsight-create-non-interactive-authentication-dotnet-applications.md) |
| Submit an Apache Hive job using .NET SDK |See [Submit Apache Hive jobs](hadoop/apache-hadoop-use-hive-dotnet-sdk.md) | | Submit an Apache Sqoop job using .NET SDK |See [Submit Apache Sqoop jobs](hadoop/apache-hadoop-use-sqoop-dotnet-sdk.md) | | List HDInsight clusters using .NET SDK |See [List HDInsight clusters](hdinsight-administer-use-dotnet-sdk.md#list-clusters) |
hdinsight Hdinsight Hadoop Linux Use Ssh Unix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-hadoop-linux-use-ssh-unix.md
For information on changing the SSH user account password, see the __Change pass
## Authentication domain joined HDInsight
-If you're using a __domain-joined HDInsight cluster__, you must use the `kinit` command after connecting with SSH local user. This command prompts you for a domain user and password, and authenticates your session with the Azure Active Directory domain associated with the cluster.
+If you're using a __domain-joined HDInsight cluster__, you must use the `kinit` command after connecting with SSH local user. This command prompts you for a domain user and password, and authenticates your session with the Microsoft Entra domain associated with the cluster.
You can also enable Kerberos Authentication on each domain joined node (for example, head node, edge node) to ssh using the domain account. To do this edit sshd config file:
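Review bot: "after connecting with SSH local user" in the `+` line needs an article ("with the SSH local user"), and "the Microsoft Entra domain associated with the cluster" is imprecise: `kinit` obtains a Kerberos ticket from the Microsoft Entra Domain Services managed domain the cluster is joined to. The context line that follows, "To do this edit sshd config file:", wants a comma and the file name (`/etc/ssh/sshd_config`).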
hdinsight Hdinsight Hadoop Provision Linux Clusters https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/hdinsight-hadoop-provision-linux-clusters.md
Ambari is used to monitor HDInsight clusters, make configuration changes, and st
### Enterprise security package
-For Hadoop, Spark, HBase, Kafka, and Interactive Query cluster types, you can choose to enable the **Enterprise Security Package**. This package provides option to have a more secure cluster setup by using Apache Ranger and integrating with Azure Active Directory. For more information, see [Overview of enterprise security in Azure HDInsight](./domain-joined/hdinsight-security-overview.md).
+For Hadoop, Spark, HBase, Kafka, and Interactive Query cluster types, you can choose to enable the **Enterprise Security Package**. This package provides option to have a more secure cluster setup by using Apache Ranger and integrating with Microsoft Entra ID. For more information, see [Overview of enterprise security in Azure HDInsight](./domain-joined/hdinsight-security-overview.md).
The Enterprise security package allows you to integrate HDInsight with Active Directory and Apache Ranger. Multiple users can be created using the Enterprise security package.
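Review bot: "This package provides option to have a more secure cluster setup" in the `+` line is missing an article; suggest "This package provides the option of a more secure cluster setup".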
hdinsight Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hdinsight/policy-reference.md
Title: Built-in policy definitions for Azure HDInsight description: Lists Azure Policy built-in policy definitions for Azure HDInsight. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
healthcare-apis Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/azure-api-for-fhir/policy-reference.md
Title: Built-in policy definitions for Azure API for FHIR description: Lists Azure Policy built-in policy definitions for Azure API for FHIR. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/27/2023 Last updated : 10/10/2023
healthcare-apis Api Versioning Dicom Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/dicom/api-versioning-dicom-service.md
Previously updated : 10/13/2022 Last updated : 10/11/2023 # API versioning for DICOM service
-This reference guide provides you with an overview of the API version policies for the DICOM service.
+This reference guide provides you with an overview of the API version policies for the DICOM&reg; service.
## Specifying version of REST API in requests
The version of the REST API must be explicitly specified in the request URL as i
`<service_url>/v<version>/studies`
-> [!NOTE]
-> Routes without a version are not supported.
+Routes without a version aren't supported.
## Supported versions
The OpenAPI Doc for the supported versions can be found at the following url:
`<service_url>/v<version>/api.yaml` ## DICOM Conformance Statement
-All versions of the DICOM APIs will always conform to the DICOMwebΓäó Standard specifications, but different versions may expose different APIs. See the specific version of the conformance statement for details:
+All versions of the DICOM APIs conform to the DICOMwebΓäó Standard specifications, but different versions might expose different APIs. See the specific version of the conformance statement for details:
* [DICOM Conformance Statement v1](dicom-services-conformance-statement.md) * [DICOM Conformance Statement v2](dicom-services-conformance-statement-v2.md)
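Review bot: the `+` line still contains `DICOMwebΓäó`, the trademark sign decoded with the wrong code page; since the same change set writes `DICOM&reg;` as an HTML entity, write `DICOMweb&trade;` here for consistency.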
All versions of the DICOM APIs will always conform to the DICOMwebΓäó Standard s
## Prerelease versions
-An API version with the label "prerelease" indicates that the version isn't ready for production, and it should only be used in testing environments. These endpoints may experience breaking changes without notice.
+An API version with the label "prerelease" indicates that the version isn't ready for production, and it should only be used in testing environments. These endpoints might experience breaking changes without notice.
## How versions are incremented We currently only increment the major version whenever there's a breaking change, which is considered to be not backwards compatible.
-Below are some examples of breaking changes (Major version is incremented):
+Here are some examples of breaking changes (Major version is incremented):
* Renaming or removing endpoints. * Removing parameters or adding mandatory parameters. * Changing status code.
-* Deleting a property in a response, or altering a response type at all, but it's okay to add properties to the response.
+* Deleting a property in a response, or altering a response type at all. It's okay to add properties to the response.
* Changing the type of a property. * Behavior when an API changes such as changes in business logic used to do foo, but it now does bar.
-Non-breaking changes (Version isn't incremented):
+Nonbreaking changes (Version isn't incremented):
* Addition of properties that are nullable or have a default value. * Addition of properties to a response model.
Non-breaking changes (Version isn't incremented):
## Header in response
-ReportApiVersions is turned on, which means we'll return the headers api-supported-versions and api-deprecated-versions when appropriate.
+ReportApiVersions is turned on, which means the system returns the headers api-supported-versions and api-deprecated-versions when appropriate.
-* api-supported-versions will list which versions are supported for the requested API. It's only returned when calling an endpoint annotated with `ApiVersion("<someVersion>")`.
+* api-supported-versions lists which versions are supported for the requested API. It's only returned when calling an endpoint annotated with `ApiVersion("<someVersion>")`.
-* api-deprecated-versions will list which versions have been deprecated for the requested API. It's only returned when calling an endpoint annotated with `ApiVersion("<someVersion>", Deprecated = true)`.
+* api-deprecated-versions lists which versions have been deprecated for the requested API. It's only returned when calling an endpoint annotated with `ApiVersion("<someVersion>", Deprecated = true)`.
Example:
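Review bot: `ReportApiVersions`, `api-supported-versions` and `api-deprecated-versions` in the `+` lines are a code identifier and two header names; format them in backticks as `ApiVersion("<someVersion>")` already is. "the system returns" also reads better as "the service returns".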
Example:
[ ![Screenshot of the API supported and deprecated versions.](media/api-supported-deprecated-versions.png) ](media/api-supported-deprecated-versions.png#lightbox)
-## Next steps
-
-In this article, you learned about the API version policies for the DICOM service. For more information about the DICOM service, see
-
->[!div class="nextstepaction"]
->[Overview of the DICOM service](dicom-services-overview.md)
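Review bot: deleting the "Next steps" section removes this page's link to the DICOM service overview; if the section is going away as part of a template change, confirm the overview remains reachable from the page navigation.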
healthcare-apis Configure Cross Origin Resource Sharing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/dicom/configure-cross-origin-resource-sharing.md
Title: Configure cross-origin resource sharing in DICOM service in Azure Health
description: This article describes how to configure cross-origin resource sharing in DICOM service in Azure Health Data Services Previously updated : 06/14/2022 Last updated : 10/09/2023
-# Configure cross-origin resource sharing in DICOM service in Azure Health Data Services
+# Configure cross-origin resource sharing
-## What is cross-origin resource sharing in DICOM service in Azure Health Data Services?
-
-DICOM service in Azure Health Data Services (hereby called DICOM service) supports [cross-origin resource sharing (CORS)](https://wikipedia.org/wiki/Cross-Origin_Resource_Sharing). CORS allows you to configure settings so that applications from one domain (origin) can access resources from a different domain, known as a cross-domain request.
+The DICOM&reg; service in Azure Health Data Services supports [cross-origin resource sharing (CORS)](https://wikipedia.org/wiki/Cross-Origin_Resource_Sharing). CORS allows you to configure settings so that applications from one domain (origin) can access resources from a different domain, known as a cross-domain request.
CORS is often used in a single-page app that must call a RESTful API to a different domain.
To configure a CORS setting in the DICOM service, specify the following settings
- **Origins (Access-Control-Allow-Origin)**. A list of domains allowed to make cross-origin requests to the DICOM service. Each domain (origin) must be entered in a separate line. You can enter an asterisk (*) to allow calls from any domain, but we don't recommend it because it's a security risk.
+> [!NOTE]
+> You can't specify different settings for different domain origins. All settings (**Headers**, **Methods**, **Max age**, and **Allow credentials**) apply to all origins specified in the Origins setting.
+ - **Headers (Access-Control-Allow-Headers)**. A list of headers that the origin request will contain. To allow all headers, enter an asterisk (*). - **Methods (Access-Control-Allow-Methods)**. The allowed methods (PUT, GET, POST, and so on) in an API call. Choose **Select all** for all methods.
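Review bot: the moved NOTE (the `+` lines) lands between the **Origins** bullet and the **Headers** bullet, splitting the settings list in two; place it after the last setting instead. Since the note says **Allow credentials** applies to every origin, it is also a natural place to restate that enabling it together with an asterisk in **Origins** extends credentialed cross-origin access to any site, which is the risk the Origins bullet warns about.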
To configure a CORS setting in the DICOM service, specify the following settings
:::image type="content" source="media/dicom-cors-settings.png" alt-text="Screenshot of DICOM cross origin resource settings." lightbox="./media/dicom-cors-settings.png":::
-> [!NOTE]
-> You can't specify different settings for different domain origins. All settings (**Headers**, **Methods**, **Max age**, and **Allow credentials**) apply to all origins specified in the Origins setting.
-
-## Next steps
-
-For more information about DICOM service, see
-
-> [!div class="nextstepaction"]
-> [Overview of the DICOM service](./dicom-services-overview.md)
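Review bot: the relocated `> [!NOTE]` block now sits between the `- **Origins**` item and the ` - **Headers**` item, which splits the settings list in two (a blockquote at column 0 ends the list) and leaves a stray leading space before `- **Headers**`; move the note after the last list item or indent it under **Origins**. If the `- **Headers**` and `- **Methods**` items really are on one line in the source as shown, they need a line break between them. The whole `## Next steps` section with the overview link is deleted rather than rewritten as plain links the way the other DICOM articles in this batch do; confirm that is intended. Since the note states that **Allow credentials** applies to every listed origin, it is worth pairing it with the wildcard warning on the **Origins** item, so readers see that `*` plus credentials applies to all origins at once.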
healthcare-apis Deploy Dicom Services In Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/dicom/deploy-dicom-services-in-azure.md
-# Deploy the DICOM service using Azure portal
+# Deploy the DICOM service
-In this quickstart, you'll learn how to deploy DICOM Service using the Azure portal.
+In this quickstart, you'll learn how to deploy the DICOM&reg; service using the Azure portal.
Once deployment is complete, you can use the Azure portal to navigate to the newly created DICOM service to see the details including your service URL. The service URL to access your DICOM service will be: ```https://<workspacename-dicomservicename>.dicom.azurehealthcareapis.com```. Make sure to specify the version as part of the url when making requests. More information can be found in the [API Versioning for DICOM service documentation](api-versioning-dicom-service.md).
-## Prerequisite
+## Prerequisites
-To deploy DICOM service, you must have a workspace created in the Azure portal. For more information about creating a workspace, see **Deploy workspace in the Azure portal**.
+To deploy the DICOM service, you need a workspace created in the Azure portal. For more information, see [Deploy a workspace in the Azure portal](../healthcare-apis-quickstart.md).
## Deploying DICOM service
To deploy DICOM service, you must have a workspace created in the Azure portal.
## Next steps
-In this quickstart, you learned how to deploy DICOM service using the Azure portal. For information about assigning roles for the DICOM service, see
+[Assign roles for the DICOM service](../configure-azure-rbac.md#assign-roles-for-the-dicom-service)
->[!div class="nextstepaction"]
->[Assign roles for the DICOM service](../configure-azure-rbac.md#assign-roles-for-the-dicom-service)
+[Use DICOMweb Standard APIs with DICOM services](dicomweb-standard-apis-with-dicom-services.md)
-For more information about how to use the DICOMweb&trade; Standard APIs with the DICOM service, see
-
->[!div class="nextstepaction"]
->[Using DICOMweb&trade;Standard APIs with DICOM services](dicomweb-standard-apis-with-dicom-services.md)
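Review bot: the new Next steps link text `[Use DICOMweb Standard APIs with DICOM services]` does not match the wording used for the same target elsewhere in this batch (`[Use DICOMweb APIs with the DICOM service]`); align them. The sentence under `## Deploying DICOM service` ("To deploy DICOM service, you must have a workspace created in the Azure portal.") repeats the prerequisite just rewritten above and keeps the old wording without "the"; since the heading and prerequisite lines are being edited, drop or reword that duplicate as well. The service URL sentence still writes "url" in lowercase where the rest of the page uses "URL".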
healthcare-apis Dicom Change Feed Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/dicom/dicom-change-feed-overview.md
Title: Overview of DICOM Change Feed - Azure Health Data Services
-description: In this article, you'll learn the concepts of DICOM Change Feed.
+ Title: Overview of DICOM change feed - Azure Health Data Services
+description: In this article, you'll learn the concepts of DICOM change feed.
Previously updated : 03/01/2022 Last updated : 10/9/2023
-# Change Feed Overview
+# Change feed overview
-The Change Feed provides logs of all the changes that occur in DICOM service. The Change Feed provides ordered, guaranteed, immutable, and read-only logs of these changes. The Change Feed offers the ability to go through the history of DICOM service and acts upon the creates and deletes in the service.
+The change feed provides logs of all the changes that occur in the DICOM&reg; service. The change feed provides ordered, guaranteed, immutable, and read-only logs of these changes. The change feed offers the ability to go through the history of DICOM service and acts upon the creates and deletes in the service.
-Client applications can read these logs at any time in batches of any size. The Change Feed enables you to build efficient and scalable solutions that process change events that occur in your DICOM service.
+Client applications can read these logs at any time in batches of any size. The change feed enables you to build efficient and scalable solutions that process change events that occur in your DICOM service.
-You can process these change events asynchronously, incrementally or in-full. Any number of client applications can independently read the Change Feed, in parallel, and at their own pace.
+You can process these change events asynchronously, incrementally or in-full. Any number of client applications can independently read the change feed, in parallel, and at their own pace.
-As of v2 of the API, the Change Feed can be queried for a particular time window.
+As of v2 of the API, the change feed can be queried for a particular time window.
Make sure to specify the version as part of the URL when making requests. More information can be found in the [API Versioning for DICOM service Documentation](api-versioning-dicom-service.md). ## API Design
-The API exposes two `GET` endpoints for interacting with the Change Feed. A typical flow for consuming the Change Feed is [provided below](#usage).
+The API exposes two `GET` endpoints for interacting with the change feed. A typical flow for consuming the change feed is [provided below](#usage).
Verb | Route | Returns | Description : | :-- | :- | :
-GET | /changefeed | JSON Array | [Read the Change Feed](#change-feed)
-GET | /changefeed/latest | JSON Object | [Read the latest entry in the Change Feed](#latest-change-feed)
+GET | /changefeed | JSON Array | [Read the change feed](#change-feed)
+GET | /changefeed/latest | JSON Object | [Read the latest entry in the change feed](#latest-change-feed)
### Object model
current | This instance is the current version.
replaced | This instance has been replaced by a new version. deleted | This instance has been deleted and is no longer available in the service.
-## Change Feed
+## Change feed
-The Change Feed resource is a collection of events that have occurred within the DICOM server.
+The change feed resource is a collection of events that have occurred within the DICOM server.
### Version 2
offset | long | The exclusive starting sequence number for events |
limit | int | The maximum value of the sequence number relative to the offset. For example, if the offset is 10 and the limit is 5, then the maximum sequence number returned will be 15. | `10` | `1` | `100` | includeMetadata | bool | Indicates whether or not to include the DICOM metadata | `true` | | |
-## Latest Change Feed
-The latest Change Feed resource represents the latest event that has occurred within the DICOM Server.
+## Latest change feed
+The latest change feed resource represents the latest event that has occurred within the DICOM Server.
### Request ```http
includeMetadata | bool | Indicates whether or not to include the metadata | `tru
#### Version 2
-1. An application regularly queries the Change Feed on some time interval
- * For example, if querying every hour, a query for the Change Feed may look like `/changefeed?startTime=2023-05-10T16:00:00Z&endTime=2023-05-10T17:00:00Z`
- * If starting from the beginning, the Change Feed query may omit the `startTime` to read all of the changes up to, but excluding, the `endTime`
+1. An application regularly queries the change feed on some time interval
+ * For example, if querying every hour, a query for the change feed may look like `/changefeed?startTime=2023-05-10T16:00:00Z&endTime=2023-05-10T17:00:00Z`
+ * If starting from the beginning, the change feed query may omit the `startTime` to read all of the changes up to, but excluding, the `endTime`
* E.g. `/changefeed?endTime=2023-05-10T17:00:00Z` 2. Based on the `limit` (if provided), an application continues to query for additional pages of change events if the number of returned events is equal to the `limit` (or default) by updating the offset on each subsequent query * For example, if the `limit` is `100`, and 100 events are returned, then the subsequent query would include `offset=100` to fetch the next "page" of results. The below queries demonstrate the pattern:
includeMetadata | bool | Indicates whether or not to include the metadata | `tru
### Other potential usage patterns
-Change Feed support is well suited for scenarios that process data based on objects that have changed. For example, it can be used to:
+Change feed support is well suited for scenarios that process data based on objects that have changed. For example, it can be used to:
* Build connected application pipelines like ML that react to change events or schedule executions based on created or deleted instance. * Extract business analytics insights and metrics, based on changes that occur to your objects.
-* Poll the Change Feed to create an event source for push notifications.
-
-## Summary
-
-In this article, we reviewed the REST API design of Change Feed and potential usage scenarios. For information on Change Feed, see [Pull changes from Change Feed](pull-dicom-changes-from-change-feed.md).
+* Poll the change feed to create an event source for push notifications.
## Next steps
->[!div class="nextstepaction"]
->[Overview of the DICOM service](dicom-services-overview.md)
+[Pull changes from the change feed](pull-dicom-changes-from-change-feed.md)
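Review bot: the front matter shows the unchanged `Title: Overview of DICOM Change Feed` line beside the added ` Title: Overview of DICOM change feed` line, so the file would carry two title entries unless the old one is removed in a part of the diff not shown here; please confirm. In the rewritten intro, "the ability to go through the history of DICOM service and acts upon the creates and deletes" should read "the history of the DICOM service and act upon" (the subject is "the ability to go through ... and act"). Under `## Latest change feed` the `+` line keeps "DICOM Server" while the `## Change feed` paragraph above uses "DICOM server"; pick one. The context line ending in "## API Design" has the heading fused to the preceding sentence, and that heading is still in title case while the headings being touched here move to sentence case.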
healthcare-apis Dicom Configure Azure Rbac https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/dicom/dicom-configure-azure-rbac.md
+
+ Title: Configure Azure RBAC for the DICOM service - Azure Health Data Services
+description: This article describes how to configure Azure RBAC for the DICOM service
+++ Last updated : 10/09/2023+++
+# Configure Azure RBAC for the DICOM service
+
+In this article, you'll learn how to use [Azure role-based access control (Azure RBAC)](../../role-based-access-control/index.yml) to assign access to the DICOM&reg; service.
+
+## Assign roles
+
+To grant users, service principals, or groups access to the DICOM data plane, select the **Access control (IAM)** blade. Select the **Role assignments** tab, and select **+ Add**.
+
+[ ![Screenshot of DICOM access control.](media/dicom-access-control.png) ](media/dicom-access-control.png#lightbox)
++
+In the **Role** selection, search for one of the built-in roles for the DICOM data plane:
+
+[ ![Screenshot of add RBAC role assignment.](media/rbac-add-role-assignment.png) ](media/rbac-add-role-assignment.png#lightbox)
+
+You can choose between:
+
+* DICOM Data Owner: Full access to DICOM data.
+* DICOM Data Reader: Read and search DICOM data.
+
+If these roles aren't sufficient for your need, you can use PowerShell to create custom roles. For information about creating custom roles, see [Create a custom role using Azure PowerShell](../../role-based-access-control/tutorial-custom-role-powershell.md).
+
+In the **Select** box, search for a user, service principal, or group that you want to assign the role to.
+
+## Caching behavior
+
+The DICOM service will cache decisions for up to five minutes. If you grant a user access to the DICOM service by adding them to the list of allowed object IDs, or you remove them from the list, you should expect it to take up to five minutes for changes in permissions to propagate.
+
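Review bot: the `## Caching behavior` paragraph describes granting access "by adding them to the list of allowed object IDs", but this article configures access through Azure RBAC role assignments (DICOM Data Owner and DICOM Data Reader), not an allowed object ID list; reword it as adding or removing a role assignment so readers know which change is subject to the five-minute propagation delay. Keep the part that says removals are delayed too, since that is the security-relevant half: a principal whose assignment was removed can still reach the data plane for up to five minutes. The `## Assign roles` step says to open the **Access control (IAM)** blade without naming the resource; state that it is the DICOM service instance. The lines `+++ Last updated : 10/09/2023+++` and the stray `++` before "In the **Role** selection" look like run-together front matter and a blank marker; check them in the actual file.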
healthcare-apis Dicom Digital Pathology https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/dicom/dicom-digital-pathology.md
Previously updated : 02/09/2023 Last updated : 10/9/2023
-# Digital pathology using DICOM service
+# Digital pathology using the DICOM service
- ## Overview
+Pathology is a branch of medical science primarily concerning the cause, origin, and nature of disease. It involves the examination of tissues, organs, bodily fluids, and autopsies in order to study and diagnose disease.
-`Pathology` is a branch of medical science primarily concerning the cause, origin, and nature of disease. It involves the examination of tissues, organs, bodily fluids, and autopsies in order to study and diagnose disease.
-Historically biopsies of tissues are stored in glass slides and investigated under microscope. This creates challenges when clinicians and pathologists need to share information for consultations and diagnosis as well as for research.
+Historically, biopsies of tissues are stored in glass slides and investigated under microscope. This creates challenges when clinicians and pathologists need to share information for consultations and diagnosis as well as for research.
Digital imaging is becoming increasingly popular in the field of pathology as a way to support sharing images outside the lab, training AI/ML models, and for long term storage. This transformation is fueled by the commercial availability of instruments for digitizing microscope slides.
-Today, digital pathology scanners generally output imaging into proprietary formats. This complicates sharing and AI/ML model training, blunting many of the advantages of digitization. To ease this transformation, many organizations are beginning to convert [Whole Slide Imaging (WSI)](https://dicom.nema.org/Dicom/DICOMWSI/) digital slides to DICOM-standard format. Once these images are in DICOM format, these images can be stored in commercially available PACS systems, where they can be managed using tools and processes that have been perfected over decades by radiologists.
+Today, digital pathology scanners generally output imaging into proprietary formats. This complicates sharing and AI/ML model training, blunting many of the advantages of digitization. To ease this transformation, many organizations are beginning to convert [Whole Slide Imaging (WSI)](https://dicom.nema.org/Dicom/DICOMWSI/) digital slides to DICOM-standard format. Once these images are in DICOM&reg; format, these images can be stored in commercially available PACS systems, where they can be managed using tools and processes that have been perfected over decades by radiologists.
## DICOM service for digital pathology
-DICOM service supports unique digital pathology requirements like:
+The DICOM service supports unique digital pathology requirements like:
1. Scale and performance needed to upload pathology DICOM instances that are multiple GBs in size. 2. Fast frame access to allow the web viewer to pan and zoom DICOM pathology images smoothly with no lags or blurriness.
-3. A cost effective way to store images long-term post diagnosis for archival and research use.
+3. A cost-effective way to store images long-term post diagnosis for archival and research use.
+
-## End to End reference solution
:::image type="content" source="media/dicom-digital-pathology.png" alt-text="Diagram showing whole-slide imaging digitization and cloud storage." lightbox="media/dicom-digital-pathology.png"::: ### Digitization
curl -X POST \
We have tested supporting **tens of GBs upload in few seconds**.
-### Retrieving
+### Retrieval
Viewers retrieve tiles that are stored as frames in a DICOM instance. Each DICOM instance can contain multiple frames. We recommend using parallel single part GET frame for better performance.
We have tested supporting **download of 60Kb tile in around 60-70ms** from clien
We recommend using any WSI Viewer that can be configured with a DICOMWeb service and OIDC Authentication.
-Sample Open source viewer
+Sample open-source viewer
- [Slim (MGB)](https://github.com/herrmannlab/slim) Follow the [CORS guidelines](configure-cross-origin-resource-sharing.md) if the Viewer directly interacts with the DICOM service
-## Recommended ISVs
+## Find an ISV partner
-Reach out to dicom-support@microsoft.com if you want to work with our partner ISVs that provides E2E solution and support.
+Reach out to dicom-support@microsoft.com if you want to work with our partner ISVs that provide end-to-end solutions and support.
## Next steps
-For more information about DICOM service, see
+[Deploy the DICOM service in Azure](deploy-dicom-services-in-azure.md)
->[!div class="nextstepaction"]
->[Deploy DICOM service to Azure](deploy-dicom-services-in-azure.md)
+[Use DICOMweb APIs with the DICOM service](dicomweb-standard-apis-with-dicom-services.md)
->[!div class="nextstepaction"]
->[Using DICOMweb&trade;Standard APIs with DICOM service](dicomweb-standard-apis-with-dicom-services.md)
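Review bot: deleting `## End to End reference solution` leaves the diagram and the `### Digitization` and `### Retrieval` subsections hanging under `## DICOM service for digital pathology`, and the `:::image` directive appears run together with `### Digitization` on one line; if the H2 is intentionally dropped, give the subsections a home, otherwise keep a sentence-case version of it. Requirement items 1 and 2 are on one line in the list being edited. The context sentence "Follow the [CORS guidelines] ... if the Viewer directly interacts with the DICOM service" lacks a period and capitalizes "Viewer"; worth fixing while the surrounding list is touched. The new Next steps link text "Deploy the DICOM service in Azure" differs from "Deploy the DICOM service to Azure" used for the same target in the extended query tags article.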
healthcare-apis Dicom Extended Query Tags Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/dicom/dicom-extended-query-tags-overview.md
Previously updated : 03/21/2022 Last updated : 10/9/2023 # Extended query tags
-## Overview
-
-By default, the DICOM service supports querying on the DICOM tags specified in the [conformance statement](dicom-services-conformance-statement-v2.md#searchable-attributes). By enabling extended query tags, the list of tags can easily be expanded based on the application's needs.
+By default, the DICOM&reg; service supports querying on the DICOM tags specified in the [conformance statement](dicom-services-conformance-statement-v2.md#searchable-attributes). By enabling extended query tags, the list of tags can easily be expanded based on the application's needs.
Using the APIs listed below, users can index their DICOM studies, series, and instances on both standard and private DICOM tags such that they can be specified in QIDO-RS queries.
This conceptual article provided you with an overview of the Extended Query Tag
## Next steps
-For more information about deploying the DICOM service, see
+[Deploy the DICOM service to Azure](deploy-dicom-services-in-azure.md)
->[!div class="nextstepaction"]
->[Deploy DICOM service to Azure](deploy-dicom-services-in-azure.md)
+[Use DICOMweb APIs with the DICOM service](dicomweb-standard-apis-with-dicom-services.md)
->[!div class="nextstepaction"]
->[Using DICOMweb&trade;Standard APIs with DICOM service](dicomweb-standard-apis-with-dicom-services.md)
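Review bot: the Next steps link `[Deploy the DICOM service to Azure]` uses "to Azure" while the digital pathology article in this batch uses "in Azure" for the same target; pick one wording. The context line `Previously updated : 03/21/2022 Last updated : 10/9/2023 # Extended query tags` shows the H1 fused to the front matter and a `10/9/2023` date format that differs from the `10/09/2023` used in the other articles; check the actual file. The unchanged closing sentence still says "Extended Query Tag" in title case after the body has moved to "extended query tags".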
healthcare-apis Dicom Register Application https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/dicom/dicom-register-application.md
Last updated 09/02/2022
-# Register a client application for the DICOM service in Azure Active Directory
+# Register a client application for the DICOM service
-In this article, you'll learn how to register a client application for the DICOM service. You can find more information on [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md).
+In this article, you'll learn how to register a client application for the DICOM&reg; service. You can find more information on [Register an application with the Microsoft identity platform](../../active-directory/develop/quickstart-register-app.md).
## Register a new application
The following steps are required for the DICOM service. In addition, user access
Your application registration is now complete.
-## Next steps
-
-In this article, you learned how to register a client application for the DICOM service in the Azure AD. Additionally, you learned how to add a secret and API permissions to Azure Health Data Services. For more information about DICOM service, see
-
->[!div class="nextstepaction"]
->[Overview of the DICOM service](dicom-services-overview.md)
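Review bot: the entire `## Next steps` section is deleted with no replacement, whereas the other DICOM articles in this batch convert the `nextstepaction` block into plain links; confirm the intent, and if the page should still end with a pointer, keep at least the link to the DICOM service overview. The deleted summary was also the only sentence that recapped adding a secret and API permissions, which the steps above presumably cover, so make sure that information is not lost from the article.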
healthcare-apis Dicomweb Standard Apis With Dicom Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/healthcare-apis/dicom/dicomweb-standard-apis-with-dicom-services.md
Last updated 10/13/2022
-# Using DICOMweb&trade;Standard APIs with DICOM services
+# Access DICOMweb APIs with the DICOM service
-This tutorial provides an overview of how to use DICOMweb&trade; Standard APIs with the DICOM service.
+The DICOM&reg; service allows you to store, review, search, and delete DICOM objects using a subset of DICOMweb APIs, which are web-based services that follow the DICOM standard. By using these APIs, you can access and manage your organization's DICOM data in the cloud without requiring complex protocols or formats.
-The DICOM service supports a subset of DICOMweb&trade; Standard that includes:
+The supported services are:
-* [Store (STOW-RS)](dicom-services-conformance-statement-v2.md#store-stow-rs)
-* [Retrieve (WADO-RS)](dicom-services-conformance-statement-v2.md#retrieve-wado-rs)
-* [Search (QIDO-RS)](dicom-services-conformance-statement-v2.md#search-qido-rs)
-* [Delete](dicom-services-conformance-statement-v2.md#delete)
+* [Store (STOW-RS)](dicom-services-conformance-statement-v2.md#store-stow-rs): Upload DICOM objects to the server.
+* [Retrieve (WADO-RS)](dicom-services-conformance-statement-v2.md#retrieve-wado-rs): Download DICOM objects from the server.
+* [Search (QIDO-RS)](dicom-services-conformance-statement-v2.md#search-qido-rs): Find DICOM objects on the server based on criteria.
+* [Delete](dicom-services-conformance-statement-v2.md#delete): Remove DICOM objects from the server.
-Additionally, the following non-standard API(s) are supported:
+In addition to the subset of DICOMweb APIs, the DICOM service supports two custom APIs that are unique to Microsoft:
-* [Change Feed](dicom-change-feed-overview.md)
-* [Extended Query Tags](dicom-extended-query-tags-overview.md)
-
-To learn more about our support of DICOM Web Standard APIs, see the [DICOM Conformance Statement](dicom-services-conformance-statement-v2.md) reference document.
+* [Change feed](dicom-change-feed-overview.md): Track changes to DICOM data over time.
+* [Extended query tags](dicom-extended-query-tags-overview.md): Define custom tags for querying DICOM data.
## Prerequisites
-To use DICOMweb&trade; Standard APIs, you must have an instance of DICOM service deployed. If you haven't already deployed an instance of DICOM service, see [Deploy DICOM service using the Azure portal](deploy-dicom-services-in-azure.md).
+- **Deploy an instance of the DICOM service**. For more information, see [Deploy the DICOM service using Azure portal](deploy-dicom-services-in-azure.md).
+
+- **Find your Service URL**. Use Azure portal to navigate to the instance of the DICOM service to find the Service URL. The Service URL to access your DICOM service uses this format: ```https://<workspacename-dicomservicename>.dicom.azurehealthcareapis.com```. Make sure to specify the version as part of the URL when making requests. For more information, see [API versioning for the DICOM service](api-versioning-dicom-service.md).
+
+## Use REST API methods to interact with the DICOM service
+
+The DICOM service provides a web-based interface that follows REST (representational state transfer) principles. The REST API allows different applications or systems to communicate with each other using standard methods like GET, POST, PUT, and DELETE. Use any programming language that supports HTTP requests and responses to interact with the DICOM service.
-Once deployment is complete, you can use the Azure portal to navigate to the newly created DICOM service to see the details including your Service URL. The Service URL to access your DICOM service will be: ```https://<workspacename-dicomservicename>.dicom.azurehealthcareapis.com```. Make sure to specify the version as part of the url when making requests. More information can be found in the [API Versioning for DICOM service Documentation](api-versioning-dicom-service.md).
-## Overview of various methods to use with DICOM service
-Because DICOM service is exposed as a REST API, you can access it using any modern development language. For language-agnostic information on working with the service, see [DICOM Services Conformance Statement](dicom-services-conformance-statement-v2.md).
To see language-specific examples, refer to the examples below. You can view Postman collection examples in several languages including:
This tutorial provided an overview of the APIs supported by DICOM service. Get s
- [Using DICOMWebΓäó Standard APIs with Python](dicomweb-standard-apis-python.md) - [Use DICOMWebΓäó Standard APIs with Postman Example Collection](https://github.com/microsoft/dicom-server/blob/main/docs/resources/Conformance-as-Postman.postman_collection.json)
-### Next Steps
+### Next steps
-For more information, see
+To learn more about our support of DICOM Web Standard APIs, see the [DICOM Conformance Statement](dicom-services-conformance-statement-v2.md) reference document.
->[!div class="nextstepaction"]
->[Overview of the DICOM service](dicom-services-overview.md)
+For language-agnostic information on working with the service, see [DICOM Services Conformance Statement](dicom-services-conformance-statement-v2.md).
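Review bot: the rewritten `### Next steps` links to the same conformance statement twice in a row ("DICOM Conformance Statement" and "DICOM Services Conformance Statement"); keep one sentence, and promote the heading to `## Next steps` to match the other articles in this batch. The unchanged context line listing the examples contains `DICOMWebΓäó`, which is the trademark symbol mis-encoded; fix the encoding in the file rather than leaving it. The prerequisite link text `[Deploy the DICOM service using Azure portal]` should read "using the Azure portal" as in the deploy article, and "Service URL" is capitalized here but "service URL" there.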
hpc-cache Directory Services https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/hpc-cache/directory-services.md
You might need to enable **Extended groups** if your workflow includes NFS stora
After you click the button to enable extended groups, you must choose the source that Azure HPC Cache will use to get user and group credentials.
-* [Active Directory](#configure-active-directory) - Get credentials from an external Active Directory server. You can't use Azure Active Directory for this task.
+* [Active Directory](#configure-active-directory) - Get credentials from an external Active Directory server. You can't use Microsoft Entra ID for this task.
* [Flat file](#configure-file-download) - Download `/etc/group` and `/etc/passwd` files from a network location. * [LDAP](#configure-ldap) - Get credentials from a Lightweight Directory Access Protocol (LDAP)-compatible source.
industrial-iot Tutorial Configure Industrial Iot Components https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/industrial-iot/tutorial-configure-industrial-iot-components.md
Here are some of the more relevant customization settings for the components.
* Secrets: Manage platform settings. * Access policies: Manage which applications and users may access the data in the key vault and which operations (for example, read, write, list, delete) they are allowed to perform on the network, firewall, virtual network, and private endpoints.
-### Azure Active Directory app registrations
+<a name='azure-active-directory-app-registrations'></a>
-* <APP_NAME>-web (authentication): Manage reply URIs, which are the lists of URIs that can be used as landing pages after authentication succeeds. The deployment script might be unable to configure this automatically under certain scenarios, such as lack of Azure Active Directory (Azure AD) administrator rights. You might want to add or modify URIs when you're changing the hostname of the web app (for example, the port number that's used by the localhost for debugging).
+### Microsoft Entra app registrations
+
+* <APP_NAME>-web (authentication): Manage reply URIs, which are the lists of URIs that can be used as landing pages after authentication succeeds. The deployment script might be unable to configure this automatically under certain scenarios, such as lack of Microsoft Entra administrator rights. You might want to add or modify URIs when you're changing the hostname of the web app (for example, the port number that's used by the localhost for debugging).
### Azure App Service
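Review bot: `<APP_NAME>-web` in the `+` bullet is unescaped, so a Markdown renderer will treat `<APP_NAME>` as an HTML tag and drop it; wrap it in backticks as `` `<APP_NAME>-web` ``. Adding `<a name='azure-active-directory-app-registrations'></a>` above the renamed heading is the right way to keep existing deep links to the old heading working.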
industrial-iot Tutorial Deploy Industrial Iot Platform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/industrial-iot/tutorial-deploy-industrial-iot-platform.md
In this tutorial, you learn:
- An Azure subscription must be created - Download [Git](https://git-scm.com/downloads)-- The Microsoft Azure Active Directory (Azure AD) app registrations used for authentication require Global Administrator, Application
+- The Microsoft Entra app registrations used for authentication require Global Administrator, Application
Administrator, or Cloud Application Administrator rights to provide tenant-wide admin consent (see below for further options) - The supported operating systems for deployment are Windows, Linux and Mac - IoT Edge supports Windows 10 IoT Enterprise LTSC and Ubuntu Linux 16.08/18.04 LTS Linux
The deployment script allows to select which set of components to deploy.
- [Key Vault](https://azure.microsoft.com/services/key-vault/) to manage secrets and certificates - [Storage](https://azure.microsoft.com/product-categories/storage/) for Event Hubs checkpointing - Standard dependencies: Minimum +
- - [SignalR Service](https://azure.microsoft.com/services/signalr-service/) used to scale out asynchronous API notifications, Azure AD app registrations,
+ - [SignalR Service](https://azure.microsoft.com/services/signalr-service/) used to scale out asynchronous API notifications, Microsoft Entra app registrations,
- [Device Provisioning Service](../iot-dps/index.yml) used for deploying and provisioning the simulation gateways - [Time Series Insights](https://azure.microsoft.com/services/time-series-insights/) - Workbook, Log Analytics, [Application Insights](https://azure.microsoft.com/services/monitor/) for operations monitoring
The deployment script allows to select which set of components to deploy.
- `app`: Services and UI - `all` (default): App and simulation
-3. The microservices and the UI are web applications that require authentication, this requires three app registrations in the Azure AD. If the required rights are missing, there are two possible solutions:
+3. The microservices and the UI are web applications that require authentication, this requires three app registrations in the Microsoft Entra ID. If the required rights are missing, there are two possible solutions:
- - Ask the Azure AD admin to grant tenant-wide admin consent for the application
- - An Azure AD admin can create the Azure AD applications. The deploy/scripts folder contains the aad-register.ps1 script to perform the Azure AD registration separately from the deployment. The output of the script is a file containing the relevant information to be used as part of deployment and must be passed to the deploy.ps1 script in the same folder using the `-aadConfig` argument.
+ - Ask the Microsoft Entra admin to grant tenant-wide admin consent for the application
+ - A Microsoft Entra admin can create the Microsoft Entra applications. The deploy/scripts folder contains the aad-register.ps1 script to perform the Microsoft Entra registration separately from the deployment. The output of the script is a file containing the relevant information to be used as part of deployment and must be passed to the deploy.ps1 script in the same folder using the `-aadConfig` argument.
```bash cd deploy/scripts ./aad-register.ps1 -Name <application-name> -Output aad.json
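Review bot: in the rewritten step 3, "three app registrations in the Microsoft Entra ID" should drop the article ("in Microsoft Entra ID"), and the comma splice "require authentication, this requires" (pre-existing, but the line is being edited) reads better as two sentences. The second option, having a Microsoft Entra admin run `aad-register.ps1` separately and pass its output to `deploy.ps1` with `-aadConfig`, is the least-privilege path because the person running the deployment then does not need the tenant-wide admin rights listed in the prerequisites; say so explicitly. The fenced block that follows is tagged `bash` but invokes `./aad-register.ps1`, a PowerShell script; tag it `powershell`, or show it being run through `pwsh` if it is meant to be called from a shell.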
industry Get Sensor Data From Sensor Partner https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/industry/agriculture/get-sensor-data-from-sensor-partner.md
Follow the below steps to generate the above information:
2. **If you are on FarmBeats version 1.2.7 or later, skip steps a, b and c, and go to step 3.** You can check FarmBeats version by selecting the **Settings** icon on the top-right corner of the FarmBeats UI.
- a. Go to **Azure Active Directory** > **App Registrations**
+ a. Go to **Microsoft Entra ID** > **App Registrations**
b. Select the **App Registration** that was created as part of your FarmBeats deployment. It will have the same name as your FarmBeats datahub.
Follow the below steps to generate the above information:
cd ```
-6. Run the following command. This connects an authenticated account to use for Azure AD requests
+6. Run the following command. This connects an authenticated account to use for Microsoft Entra ID requests
```azurepowershell-interactive Connect-AzureAD
Follow the below steps to generate the above information:
```
-8. Run the following script. The script asks for the Tenant ID, which can be obtained from **Azure Active Directory** > **Overview** page.
+8. Run the following script. The script asks for the Tenant ID, which can be obtained from **Microsoft Entra ID** > **Overview** page.
```azurepowershell-interactive
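Review bot: the portal navigation in step 2a is renamed to **Microsoft Entra ID** > **App Registrations**, while step 6 keeps `Connect-AzureAD` unchanged; that is correct, since only the product name changed and the cmdlet name did not, but the rewritten step 6 sentence "This connects an authenticated account to use for Microsoft Entra ID requests" is missing its period. Step 8's "from **Microsoft Entra ID** > **Overview** page" needs "the" before "**Overview** page".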
industry Imagery Partner Integration In Azure Farmbeats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/industry/agriculture/imagery-partner-integration-in-azure-farmbeats.md
The APIs contain Swagger technical documentation.
## Authentication
-FarmBeats uses Microsoft Azure [Active Directory](../../app-service/overview-authentication-authorization.md) (Azure AD). Azure App Service provides built-in authentication and authorization support.ΓÇ»
+FarmBeats uses [Microsoft Entra ID](../../app-service/overview-authentication-authorization.md). Azure App Service provides built-in authentication and authorization support.ΓÇ»
-For more information about Azure AD, see [Azure Active Directory](../../app-service/overview-authentication-authorization.md).   
+For more information, see [Microsoft Entra ID](../../app-service/overview-authentication-authorization.md).   
FarmBeats Datahub uses bearer authentication, which needs the following credentials:
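Review bot: in both renamed sentences the link text is now "Microsoft Entra ID" but the target is still `../../app-service/overview-authentication-authorization.md`, the App Service authentication overview; either link the Entra name to Entra documentation or relabel the link as "App Service authentication and authorization". The two sentences are also near duplicates and could be merged into one. The first sentence still ends with a stray non-breaking space (shown here as `ΓÇ»`) carried over from the removed line; trim it while the line is being touched.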
industry Ingest Historical Telemetry Data In Azure Farmbeats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/industry/agriculture/ingest-historical-telemetry-data-in-azure-farmbeats.md
Follow these steps:
2. **If you are on FarmBeats version 1.2.7 or later, skip steps a, b and c, and go to step 3.** You can check FarmBeats version by selecting the **Settings** icon on the top-right corner of the FarmBeats UI.
- a. Go to **Azure Active Directory** > **App Registrations**
+ a. Go to **Microsoft Entra ID** > **App Registrations**
b. Select the **App Registration** that was created as part of your FarmBeats deployment. It will have the same name as your FarmBeats datahub.
Follow these steps:
cd ```
-6. Run the following command. This connects an authenticated account to use for Azure AD requests
+6. Run the following command. This connects an authenticated account to use for Microsoft Entra ID requests
```azurepowershell-interactive Connect-AzureAD
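Review bot: same point as in the sensor-partner article above: the step now says Microsoft Entra ID while the fenced command is still `Connect-AzureAD`; a short clause that the cmdlet name is unchanged avoids confusion.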
Follow these steps:
```
-8. Run the following script. The script asks for the Tenant ID, which can be obtained from **Azure Active Directory** > **Overview** page.
+8. Run the following script. The script asks for the Tenant ID, which can be obtained from **Microsoft Entra ID** > **Overview** page.
```azurepowershell-interactive
industry Install Azure Farmbeats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/industry/agriculture/install-azure-farmbeats.md
You'll need to complete the following steps before you start the actual installa
You'll need the following permissions in the Azure tenant to install Azure FarmBeats: -- Tenant - Azure AD app creator
+- Tenant - Microsoft Entra app creator
- Subscription - Owner - Resource Group in which FarmBeats is being installed - Owner
-The first two permissions are needed for [creating the Azure AD application](#create-an-aad-application) step. If needed, you can get someone with the appropriate permissions to create the Azure AD application.
+The first two permissions are needed for [creating the Microsoft Entra application](#create-an-aad-application) step. If needed, you can get someone with the appropriate permissions to create the Microsoft Entra application.
The person running the FarmBeats install from marketplace needs to be an owner of the Resource Group in which FarmBeats is being installed. For subscription owners, this happens automatically when Resource Group is created. For others, please pre-create the Resource Group and ask the Subscription owner to make you an owner of the Resource Group.
You'll need the Azure subscription ID and the region where you want to install A
Make a note of the **Azure Subscription ID** and the **Azure Region**.
-### Create an AAD application
+<a name='create-an-aad-application'></a>
-Azure FarmBeats require Azure Active Directory application creation and registration. To successfully run the Azure AD creation script, the following permissions are needed:
+### Create a Microsoft Entra application
-- Tenant - Azure AD app creator
+Azure FarmBeats require Microsoft Entra application creation and registration. To successfully run the Microsoft Entra creation script, the following permissions are needed:
+
+- Tenant - Microsoft Entra app creator
- Subscription - Owner Run the following steps in a Cloud Shell instance using the PowerShell environment. First-time users will be prompted to select a subscription and create a storage account. Complete the setup as instructed.
-1. Download the Azure AD app generator script
+1. Download the Microsoft Entra app generator script
```azurepowershell-interactive wget -q https://aka.ms/FarmBeatsAADScript -O ./create_aad_script.ps1
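Review bot: "Azure FarmBeats require Microsoft Entra application creation" should read "requires"; the agreement error is carried over from the removed line, so this is the moment to fix it. Also, step 1 fetches `create_aad_script.ps1` from the short link `https://aka.ms/FarmBeatsAADScript` with `wget -q` and step 3 executes it with tenant app-creation rights; document the script's source repository (or its expected hash) so a reader can verify what was downloaded before running it.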
Run the following steps in a Cloud Shell instance using the PowerShell environme
cd ```
-3. Run the Azure AD script
+3. Run the Microsoft Entra ID script
```azurepowershell-interactive ./create_aad_script.ps1
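Review bot: naming is inconsistent within the section after the rename: step 1 calls it the "Microsoft Entra app generator script", the intro calls it the "Microsoft Entra creation script", and this step calls it the "Microsoft Entra ID script"; pick one term and use it throughout, including step 5 and the install step that links back to this section.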
Run the following steps in a Cloud Shell instance using the PowerShell environme
- **Subscription ID**: This is the ID of the subscription in which you want to install Azure FarmBeats
-5. The Azure AD script takes around 2 minutes to run and outputs values on screen as well as to a json file in the same directory. If you had someone else run the script, ask them to share this output with you.
+5. The Microsoft Entra ID script takes around 2 minutes to run and outputs values on screen as well as to a json file in the same directory. If you had someone else run the script, ask them to share this output with you.
### Create Sentinel account
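Review bot: step 5 says the script writes its values to a JSON file in the same directory and that another person may run it and share the output with you, and the install steps later copy those values into the Microsoft Entra application inputs; the doc should state what the file contains and how it should be shared and disposed of, since its contents are left on disk in Cloud Shell and passed between people before being used at install time.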
Your registration process is complete. Make a note of your **Sentinel Username**
You're now ready to install FarmBeats. Follow the steps below to start the installation:
-1. Sign in to the Azure portal. Select your account in the top-right corner and switch to the Azure AD tenant where you want to install Azure FarmBeats.
+1. Sign in to the Azure portal. Select your account in the top-right corner and switch to the Microsoft Entra tenant where you want to install Azure FarmBeats.
2. Go to Azure Marketplace within the portal and search for **Azure FarmBeats** in the Marketplace.
You're now ready to install FarmBeats. Follow the steps below to start the insta
![Basics Tab](./media/install-azure-farmbeats/create-azure-farmbeats-basics.png)
-6. Copy the individual entries from the output of [Azure AD script](#create-an-aad-application) to the inputs in the Azure AD application section.
+6. Copy the individual entries from the output of [Microsoft Entra ID script](#create-an-aad-application) to the inputs in the Microsoft Entra application section.
7. Enter the [Sentinel account](#create-sentinel-account) user name and password in the Sentinel Account section. Select **Next** to move to the **Review + Create** tab.
To uninstall Azure FarmBeats Data hub or Accelerator, complete the following ste
1. Log in to the Azure portal and **delete the resource groups** in which these components are installed.
-2. Go to Azure Active Directory & **delete the Azure AD application** linked to the Azure FarmBeats installation.
+2. Go to Microsoft Entra ID and **delete the Microsoft Entra application** linked to the Azure FarmBeats installation.
## Next steps
industry Manage Users In Azure Farmbeats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/industry/agriculture/manage-users-in-azure-farmbeats.md
# Manage users
-Azure FarmBeats includes user management for people who are part of your Azure Active Directory (Azure AD) instance. You can add users to your Azure FarmBeats instance to access the APIs, view the generated maps, and access sensor telemetry from the farm.
+Azure FarmBeats includes user management for people who are part of your Microsoft Entra instance. You can add users to your Azure FarmBeats instance to access the APIs, view the generated maps, and access sensor telemetry from the farm.
## Prerequisites
Azure FarmBeats includes user management for people who are part of your Azure A
## Manage Azure FarmBeats users
-Azure FarmBeats uses Azure AD for authentication, access control, and roles. You can add users in the Azure AD tenant as users in Azure FarmBeats.
+Azure FarmBeats uses Microsoft Entra ID for authentication, access control, and roles. You can add users in the Microsoft Entra tenant as users in Azure FarmBeats.
> [!NOTE]
-> If a user is not an Azure AD tenant user, follow the instructions in the **Add Azure AD users** section to complete the setup.
+> If a user is not a Microsoft Entra tenant user, follow the instructions in the **Add Microsoft Entra users** section to complete the setup.
Azure FarmBeats supports two types of user roles:
To remove users from the Azure FarmBeats system:
![Azure FarmBeats confirmation message](./media/create-farms-in-azure-farmbeats/manage-users-2.png)
-## Add Azure AD users
+<a name='add-azure-ad-users'></a>
+
+## Add Microsoft Entra users
> [!NOTE]
-> Azure FarmBeats users need to exist in the Azure AD tenant before you assign them to applications and roles. If a user doesn't exist in the Azure AD tenant, follow the instructions in this section. Skip the instructions, if a user already exists in the Azure AD tenant.
+> Azure FarmBeats users need to exist in the Microsoft Entra tenant before you assign them to applications and roles. If a user doesn't exist in the Microsoft Entra tenant, follow the instructions in this section. Skip the instructions, if a user already exists in the Microsoft Entra tenant.
-Follow the steps to add users to Azure AD:
+Follow the steps to add users to Microsoft Entra ID:
1. Sign in to the [Azure portal](https://portal.azure.com/).
-2. At the top right, select your account, and then switch to the Azure AD tenant that's associated with FarmBeats.
-3. Select **Azure Active Directory** > **Users**.
+2. At the top right, select your account, and then switch to the Microsoft Entra tenant that's associated with FarmBeats.
+3. Select **Microsoft Entra ID** > **Users**.
- A list of Azure AD users is displayed.
+ A list of Microsoft Entra users is displayed.
4. To add a user to the directory, select **New user**. To add an external user, select **New guest user**.
Follow the steps to add users to Azure AD:
5. Select the new user's name, and then complete the required fields for that user. 6. Select **Create**.
-For information about managing Azure AD users, see [Add or delete users in Azure AD](../../active-directory/fundamentals/add-users-azure-active-directory.md).
+For information about managing Microsoft Entra users, see [Add or delete users in Microsoft Entra ID](../../active-directory/fundamentals/add-users-azure-active-directory.md).
## Next steps
-You have successfully added users to your Azure FarmBeats instance. Now, learn how to [create and manage farms](manage-farms-in-azure-farmbeats.md#create-farms).
+You have successfully added users to your Azure FarmBeats instance. Now, learn how to [create and manage farms](manage-farms-in-azure-farmbeats.md#create-farms).
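Review bot: the removed and added lines in this hunk are character-for-character identical in the rendered view, so the change is whitespace only (most likely trailing whitespace); confirm it is intended or drop it from the rename commit to keep the diff focused.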
industry Rest Api In Azure Farmbeats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/industry/agriculture/rest-api-in-azure-farmbeats.md
JSON is a common language-independent data format that provides a simple text re
## Authentication and authorization
-HTTP requests to the REST API are protected with Azure Active Directory (Azure AD).
-To make an authenticated request to the REST APIs, client code requires authentication with valid credentials before you can call the API. Authentication is coordinated between the various actors by Azure AD. It provides your client with an access token as proof of the authentication. The token is then sent in the HTTP Authorization header of REST API requests. To learn more about Azure AD authentication, see [Azure Active Directory](https://portal.azure.com) for developers.
+HTTP requests to the REST API are protected with Microsoft Entra ID.
+To make an authenticated request to the REST APIs, client code requires authentication with valid credentials before you can call the API. Authentication is coordinated between the various actors by Microsoft Entra ID. It provides your client with an access token as proof of the authentication. The token is then sent in the HTTP Authorization header of REST API requests. To learn more about Microsoft Entra authentication, see [Microsoft Entra ID](https://portal.azure.com) for developers.
The access token must be sent in subsequent API requests, in the header section, as:
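Review bot: the "To learn more about Microsoft Entra authentication" sentence links the words "Microsoft Entra ID" to `https://portal.azure.com`, which is the portal sign-in rather than developer documentation; point it at the Entra developer docs instead, the same `../../active-directory/develop/` path used by other articles in this update.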
In this example, when a farm was created, the mandatory field "Name" wasn't spec
} ```
-## Add users or app registrations to Azure Active Directory
+<a name='add-users-or-app-registrations-to-azure-active-directory'></a>
-Azure FarmBeats APIs can be accessed by a user or an app registration in Azure Active Directory. To create an app registration in Azure Active Directory, follow these steps:
+## Add users or app registrations to Microsoft Entra ID
-1. Go to the [Azure portal](https://portal.azure.com), and select **Azure Active Directory** > **App registrations** > **New registration**. Alternatively, you can use an existing account.
+Azure FarmBeats APIs can be accessed by a user or an app registration in Microsoft Entra ID. To create an app registration in Microsoft Entra ID, follow these steps:
+
+1. Go to the [Azure portal](https://portal.azure.com), and select **Microsoft Entra ID** > **App registrations** > **New registration**. Alternatively, you can use an existing account.
2. For a new account, do the following: - Enter a name.
Azure FarmBeats APIs can be accessed by a user or an app registration in Azure A
``` > [!NOTE]
- > For more information on how to add users and Active Directory registration, see [Azure Active Directory](../../active-directory/develop/howto-create-service-principal-portal.md).
+ > For more information on how to add users and Active Directory registration, see [Microsoft Entra ID](../../active-directory/develop/howto-create-service-principal-portal.md).
After you finish the previous steps, your app registration (client) can call the Azure FarmBeats APIs by using an access token via bearer authentication.
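Review bot: the renamed note still says "how to add users and Active Directory registration" and labels a link to `howto-create-service-principal-portal.md` as "Microsoft Entra ID"; finish the rename ("Microsoft Entra app registration") and label the link by its content, for example "create a service principal in the portal", so readers know what the link leads to.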
industry Sensor Partner Integration In Azure Farmbeats https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/industry/agriculture/sensor-partner-integration-in-azure-farmbeats.md
The APIs contain Swagger technical documentation.
**Authentication**
-FarmBeats uses Microsoft Azure Active Directory authentication. Azure App Service provides built-in authentication and authorization support.
+FarmBeats uses Microsoft Entra authentication. Azure App Service provides built-in authentication and authorization support.
-For more information, see [Azure Active Directory](../../app-service/overview-authentication-authorization.md).
+For more information, see [Microsoft Entra ID](../../app-service/overview-authentication-authorization.md).
FarmBeats Datahub uses bearer authentication, which needs the following credentials: - Client ID
iot-dps Concepts Control Access Dps Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-dps/concepts-control-access-dps-azure-ad.md
Title: Access control and security for DPS with Azure AD
+ Title: Access control and security for DPS with Microsoft Entra ID
-description: Control access to Azure IoT Hub Device Provisioning Service (DPS) for back-end apps. Includes information about Azure Active Directory and RBAC.
+description: Control access to Azure IoT Hub Device Provisioning Service (DPS) for back-end apps. Includes information about Microsoft Entra ID and RBAC.
Last updated 02/07/2022
-# Control access to Azure IoT Hub Device Provisioning Service (DPS) by using Azure Active Directory (preview)
+# Control access to Azure IoT Hub Device Provisioning Service (DPS) by using Microsoft Entra ID (preview)
-You can use Azure Active Directory (Azure AD) to authenticate requests to Azure IoT Hub Device Provisioning Service (DPS) APIs, like create device identity and invoke direct method. You can also use Azure role-based access control (Azure RBAC) to authorize those same service APIs. By using these technologies together, you can grant permissions to access Azure IoT Hub Device Provisioning Service (DPS) APIs to an Azure AD security principal. This security principal could be a user, group, or application service principal.
+You can use Microsoft Entra ID to authenticate requests to Azure IoT Hub Device Provisioning Service (DPS) APIs, like create device identity and invoke direct method. You can also use Azure role-based access control (Azure RBAC) to authorize those same service APIs. By using these technologies together, you can grant permissions to access Azure IoT Hub Device Provisioning Service (DPS) APIs to a Microsoft Entra security principal. This security principal could be a user, group, or application service principal.
-Authenticating access by using Azure AD and controlling permissions by using Azure RBAC provides improved security and ease of use over [security tokens](how-to-control-access.md). To minimize potential security issues inherent in security tokens, we recommend that you use Azure AD with your Azure IoT Hub Device Provisioning Service (DPS) whenever possible.
+Authenticating access by using Microsoft Entra ID and controlling permissions by using Azure RBAC provides improved security and ease of use over [security tokens](how-to-control-access.md). To minimize potential security issues inherent in security tokens, we recommend that you use Microsoft Entra ID with your Azure IoT Hub Device Provisioning Service (DPS) whenever possible.
> [!NOTE]
-> Authentication with Azure AD isn't supported for the Azure IoT Hub Device Provisioning Service (DPS) *device APIs* (like register device or device registration status lookup). Use [symmetric keys](concepts-symmetric-key-attestation.md), [X.509](concepts-x509-attestation.md) or [TPM](concepts-tpm-attestation.md) to authenticate devices to Azure IoT Hub Device Provisioning Service (DPS).
+> Authentication with Microsoft Entra ID isn't supported for the Azure IoT Hub Device Provisioning Service (DPS) *device APIs* (like register device or device registration status lookup). Use [symmetric keys](concepts-symmetric-key-attestation.md), [X.509](concepts-x509-attestation.md) or [TPM](concepts-tpm-attestation.md) to authenticate devices to Azure IoT Hub Device Provisioning Service (DPS).
## Authentication and authorization
-When an Azure AD security principal requests access to an Azure IoT Hub Device Provisioning Service (DPS) API, the principal's identity is first *authenticated*. For authentication, the request needs to contain an OAuth 2.0 access token at runtime. The resource name for requesting the token is `https://azure-devices-provisioning.net`. If the application runs in an Azure resource like an Azure VM, Azure Functions app, or Azure App Service app, it can be represented as a [managed identity](../active-directory/managed-identities-azure-resources/how-managed-identities-work-vm.md).
+When a Microsoft Entra security principal requests access to an Azure IoT Hub Device Provisioning Service (DPS) API, the principal's identity is first *authenticated*. For authentication, the request needs to contain an OAuth 2.0 access token at runtime. The resource name for requesting the token is `https://azure-devices-provisioning.net`. If the application runs in an Azure resource like an Azure VM, Azure Functions app, or Azure App Service app, it can be represented as a [managed identity](../active-directory/managed-identities-azure-resources/how-managed-identities-work-vm.md).
-After the Azure AD principal is authenticated, the next step is *authorization*. In this step, Azure IoT Hub Device Provisioning Service (DPS) uses the Azure AD role assignment service to determine what permissions the principal has. If the principal's permissions match the requested resource or API, Azure IoT Hub Device Provisioning Service (DPS) authorizes the request. So this step requires one or more Azure roles to be assigned to the security principal. Azure IoT Hub Device Provisioning Service (DPS) provides some built-in roles that have common groups of permissions.
+After the Microsoft Entra principal is authenticated, the next step is *authorization*. In this step, Azure IoT Hub Device Provisioning Service (DPS) uses the Microsoft Entra role assignment service to determine what permissions the principal has. If the principal's permissions match the requested resource or API, Azure IoT Hub Device Provisioning Service (DPS) authorizes the request. So this step requires one or more Azure roles to be assigned to the security principal. Azure IoT Hub Device Provisioning Service (DPS) provides some built-in roles that have common groups of permissions.
## Manage access to Azure IoT Hub Device Provisioning Service (DPS) by using Azure RBAC role assignment
-With Azure AD and RBAC, Azure IoT Hub Device Provisioning Service (DPS) requires the principal requesting the API to have the appropriate level of permission for authorization. To give the principal the permission, give it a role assignment.
+With Microsoft Entra ID and RBAC, Azure IoT Hub Device Provisioning Service (DPS) requires the principal requesting the API to have the appropriate level of permission for authorization. To give the principal the permission, give it a role assignment.
- If the principal is a user, group, or application service principal, follow the guidance in [Assign Azure roles by using the Azure portal](../role-based-access-control/role-assignments-portal.md). - If the principal is a managed identity, follow the guidance in [Assign a managed identity access to a resource by using the Azure portal](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). To ensure least privilege, always assign the appropriate role at the lowest possible [resource scope](#resource-scope), which is probably the Azure IoT Hub Device Provisioning Service (DPS) scope.
-Azure IoT Hub Device Provisioning Service (DPS) provides the following Azure built-in roles for authorizing access to DPS APIs by using Azure AD and RBAC:
+Azure IoT Hub Device Provisioning Service (DPS) provides the following Azure built-in roles for authorizing access to DPS APIs by using Microsoft Entra ID and RBAC:
| Role | Description | | - | -- |
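Review bot: two points in this hunk. In the opening paragraph the example service APIs "create device identity" and "invoke direct method" are the same examples used in the IoT Hub article further down this update and are IoT Hub operations; confirm they apply to DPS or swap in DPS service-API examples. In the Authentication and authorization paragraph, "uses the Microsoft Entra role assignment service to determine what permissions the principal has" conflicts with the rest of the article, which attributes authorization to Azure RBAC role assignments; say "Azure RBAC role assignments" here.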
The following table describes the permissions available for Azure IoT Hub Device
## Azure IoT extension for Azure CLI
-Most commands against Azure IoT Hub Device Provisioning Service (DPS) support Azure AD authentication. You can control the type of authentication used to run commands by using the `--auth-type` parameter, which accepts `key` or `login` values. The `key` value is the default.
+Most commands against Azure IoT Hub Device Provisioning Service (DPS) support Microsoft Entra authentication. You can control the type of authentication used to run commands by using the `--auth-type` parameter, which accepts `key` or `login` values. The `key` value is the default.
- When `--auth-type` has the `key` value, the CLI automatically discovers a suitable policy when it interacts with Azure IoT Hub Device Provisioning Service (DPS).
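Review bot: this paragraph documents that `--auth-type` defaults to `key` without a recommendation, while the article above recommends Microsoft Entra ID over security tokens; add a sentence recommending `--auth-type login` wherever the principal has a role assignment, so the CLI guidance matches the article's own advice.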
For more information, see the [Azure IoT extension for Azure CLI release page](h
- [Sample](https://github.com/Azure/azure-iot-sdk-java/tree/preview/provisioning/provisioning-service-client-samples) - [ΓÇó Microsoft Azure IoT SDKs for .NET Preview Release](https://aka.ms/IoTDPScsharpSDKRBAC)
-## Azure AD access from the Azure portal
+<a name='azure-ad-access-from-the-azure-portal'></a>
+
+## Microsoft Entra ID access from the Azure portal
>[!NOTE]
->Azure AD access from the Azure portal is currently not available during preview.
+>Microsoft Entra ID access from the Azure portal is currently not available during preview.
## Next steps -- For more information on the advantages of using Azure AD in your application, see [Integrating with Azure Active Directory](../active-directory/develop/how-to-integrate.md).-- For more information on requesting access tokens from Azure AD for users and service principals, see [Authentication scenarios for Azure AD](../active-directory/develop/authentication-vs-authorization.md).
+- For more information on the advantages of using Microsoft Entra ID in your application, see [Integrating with Microsoft Entra ID](../active-directory/develop/how-to-integrate.md).
+- For more information on requesting access tokens from Microsoft Entra ID for users and service principals, see [Authentication scenarios for Microsoft Entra ID](../active-directory/develop/authentication-vs-authorization.md).
iot-dps Concepts Control Access Dps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-dps/concepts-control-access-dps.md
Title: Access control and security for Azure DPS
-description: Overview on controlling access to Azure IoT Hub Device Provisioning Service, links to articles on Azure Active Directory integration and SAS options.
+description: Overview on controlling access to Azure IoT Hub Device Provisioning Service, links to articles on Microsoft Entra integration and SAS options.
This article describes the available options for securing your Azure IoT Hub Dev
There are two different ways for controlling access to DPS: - **Shared access signatures** lets you group permissions and grant them to applications using access keys and signed security tokens. To learn more, see [Control access to DPS with shared access signatures and security tokens](how-to-control-access.md).-- **Azure Active Directory (Azure AD) integration (public preview)** for service APIs. Azure provides identity-based authentication with Azure Active Directory and fine-grained authorization with Azure role-based access control (Azure RBAC). Azure AD and RBAC integration is supported for DPS service APIs only. To learn more, see [Control access to DPS with Azure Active Directory (Public Preview)](concepts-control-access-dps-azure-ad.md).
+- **Microsoft Entra integration (public preview)** for service APIs. Azure provides identity-based authentication with Microsoft Entra ID and fine-grained authorization with Azure role-based access control (Azure RBAC). Microsoft Entra ID and RBAC integration is supported for DPS service APIs only. To learn more, see [Control access to DPS with Microsoft Entra ID (Public Preview)](concepts-control-access-dps-azure-ad.md).
## Next steps - [Control access to DPS with shared access signatures and security tokens](how-to-control-access.md)-- [Control access to DPS with Azure Active Directory (public preview)](concepts-control-access-dps-azure-ad.md)
+- [Control access to DPS with Microsoft Entra ID (public preview)](concepts-control-access-dps-azure-ad.md)
iot-dps Tutorial Automation Github Actions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-dps/tutorial-automation-github-actions.md
Workflows are YAML files that are located in the `.github/workflows/` directory
``` > [!NOTE]
- > This job and others use the parameter `--auth-type login` in some commands to indicate that the operation should use the service principal from the current Azure AD session. The alternative, `--auth-type key` doesn't require the service principal configuration, but is less secure.
+ > This job and others use the parameter `--auth-type login` in some commands to indicate that the operation should use the service principal from the current Microsoft Entra session. The alternative, `--auth-type key` doesn't require the service principal configuration, but is less secure.
For more information about the commands run in this job, see:
iot-hub-device-update Device Update Configuration File https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub-device-update/device-update-configuration-file.md
Title: Understand Device Update for Azure IoT Hub Configuration File
description: Understand Device Update for Azure IoT Hub Configuration File. Previously updated : 08/27/2022 Last updated : 10/11/2023
When installing Debian agent on an IoT Device with a Linux OS, modify the `/etc/
| aduc_manufacturer | Reported by the **AzureDeviceUpdateCore:4.ClientMetadata:4** interface to classify the device for targeting the update deployment. | | aduc_model | Reported by the **AzureDeviceUpdateCore:4.ClientMetadata:4** interface to classify the device for targeting the update deployment. | | iotHubProtocol| Accepted values are `mqtt` or `mqtt/ws` to change the protocol used to connect with IoT hub. Default value is 'mqtt' |
-| compatPropertyNames | These properties are used to check for compatibility of the device to target the update deployment|
-| additionalProperties | Optional field. Additional device reported properties can be set and used for comaptibility checking . Limited to five device properties |
+| compatPropertyNames | These properties are used to check for compatibility of the device to target the update deployment. For all the properties specified to be used for compatabiity, the values must be in lower case only |
+| additionalProperties | Optional field. Additional device reported properties can be set and used for comaptibility checking . Limited to five device properties. These properties should be in lower case only. |
| connectionType | Accepted values are `string` or `AIS`. Use `string` when connecting the device to IoT Hub manually for testing purposes. For production scenarios, use `AIS` when using the IoT Identity Service to connect the device to IoT Hub. For more information, see [understand IoT Identity Service configurations](https://azure.github.io/iot-identity-service/configuration.html). | | connectionData |If connectionType = "string", add your IoT device's device or module connection string here. If connectionType = "AIS", set the connectionData to empty string (`"connectionData": ""`). | | manufacturer | Reported by the Device Update agent as part of the **DeviceInformation** interface. |
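Review bot: the added text has "compatabiity" in the compatPropertyNames row and keeps "comaptibility checking ." (misspelling plus a space before the period) in the additionalProperties row; both should read "compatibility". The lower-case requirement is now stated in two rows in slightly different words; phrase it identically or state it once and reference it.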
When installing Debian agent on an IoT Device with a Linux OS, modify the `/etc/
"do" ], "iotHubProtocol": "mqtt",
- "compatPropertyNames":"manufacturer,model,location,language",
+ "compatPropertyNames":"manufacturer,model,location,language" <The property values must be in lower case only>,
"manufacturer": <Place your device info manufacturer here>, "model": <Place your device info model here>, "agents": [
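Review bot: inserting `<The property values must be in lower case only>` after the closing quote of the `compatPropertyNames` value breaks the JSON example (it is no longer parseable, so it cannot be pasted into the configuration file) and, placed next to the property names, reads as though the names rather than the values must be lower case; move the requirement into the prose above the block (the table row already states it) and keep the JSON valid.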
When installing Debian agent on an IoT Device with a Linux OS, modify the `/etc/
"manufacturer": <Place your device property manufacturer here>, "model": <Place your device property model here>, "additionalDeviceProperties": {
- "location": "USA",
+ "location": "usa",
"environment": "development" } }
iot-hub-device-update Device Update Control Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub-device-update/device-update-control-access.md
The permission can be set from IoT Hub Access Control (IAM). Refer to [Configure
## Authenticate to Device Update REST APIs
-Device Update uses Azure Active Directory (AD) for authentication to its REST APIs. To get started, you need to create and configure a client application.
+Device Update uses Microsoft Entra ID for authentication to its REST APIs. To get started, you need to create and configure a client application.
-### Create client Azure AD app
+<a name='create-client-azure-ad-app'></a>
-To integrate an application or service with Azure AD, first [register a client application with Azure AD](../active-directory/develop/quickstart-register-app.md). Client application setup will vary depending on the authorization flow you'll need (users, applications or managed identities). For example, to call Device Update from:
+### Create client Microsoft Entra app
+
+To integrate an application or service with Microsoft Entra ID, first [register a client application with Microsoft Entra ID](../active-directory/develop/quickstart-register-app.md). Client application setup will vary depending on the authorization flow you'll need (users, applications or managed identities). For example, to call Device Update from:
* Mobile or desktop application, add **Mobile and desktop applications** platform with `https://login.microsoftonline.com/common/oauth2/nativeclient` for the Redirect URI. * Website with implicit sign-on, add **Web** platform and select **Access tokens (used for implicit flows)**.
Get-MsalToken -ClientId $clientId -TenantId $tenantId -Authority $authority -Sco
## Support for managed identities
-Managed identities provide Azure services with an automatically managed identity in Azure AD in a secure manner. This eliminates the needs for developers having to manage credentials by providing an identity. Device Update for IoT Hub supports system-assigned managed identities.
+Managed identities provide Azure services with an automatically managed identity in Microsoft Entra ID in a secure manner. This eliminates the needs for developers having to manage credentials by providing an identity. Device Update for IoT Hub supports system-assigned managed identities.
### System-assigned managed identity
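Review bot: the rename pass leaves the guidance "Website with implicit sign-on, add **Web** platform and select **Access tokens (used for implicit flows)**" untouched; since this section is being revised anyway, flag that the implicit grant is a legacy flow and that authorization code with PKCE is the recommended replacement for browser-based clients, so readers do not take the edit as an endorsement of that setup. Smaller point in the managed identities hunk: "This eliminates the needs for developers having to manage credentials by providing an identity" is carried over unchanged; suggest "This eliminates the need for developers to manage credentials."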
iot-hub Authenticate Authorize Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/authenticate-authorize-azure-ad.md
Title: Control access with Azure Active Directory
+ Title: Control access with Microsoft Entra ID
-description: Understand how Azure IoT Hub uses Azure Active Directory to authenticate identities and authorize access to IoT hubs and devices.
+description: Understand how Azure IoT Hub uses Microsoft Entra ID to authenticate identities and authorize access to IoT hubs and devices.
Last updated 09/01/2023
-# Control access to IoT Hub by using Azure Active Directory
+# Control access to IoT Hub by using Microsoft Entra ID
-You can use Azure Active Directory (Azure AD) to authenticate requests to Azure IoT Hub service APIs, like **create device identity** and **invoke direct method**. You can also use Azure role-based access control (Azure RBAC) to authorize those same service APIs. By using these technologies together, you can grant permissions to access IoT Hub service APIs to an Azure AD security principal. This security principal could be a user, group, or application service principal.
+You can use Microsoft Entra ID to authenticate requests to Azure IoT Hub service APIs, like **create device identity** and **invoke direct method**. You can also use Azure role-based access control (Azure RBAC) to authorize those same service APIs. By using these technologies together, you can grant permissions to access IoT Hub service APIs to a Microsoft Entra security principal. This security principal could be a user, group, or application service principal.
-Authenticating access by using Azure AD and controlling permissions by using Azure RBAC provides improved security and ease of use over security tokens. To minimize potential security issues inherent in security tokens, we recommend that you [enforce Azure AD authentication whenever possible](#enforce-azure-ad-authentication).
+Authenticating access by using Microsoft Entra ID and controlling permissions by using Azure RBAC provides improved security and ease of use over security tokens. To minimize potential security issues inherent in security tokens, we recommend that you [enforce Microsoft Entra authentication whenever possible](#enforce-azure-ad-authentication).
> [!NOTE]
-> Authentication with Azure AD isn't supported for the IoT Hub *device APIs* (like device-to-cloud messages and update reported properties). Use [symmetric keys](authenticate-authorize-sas.md) or [X.509](authenticate-authorize-x509.md) to authenticate devices to IoT Hub.
+> Authentication with Microsoft Entra ID isn't supported for the IoT Hub *device APIs* (like device-to-cloud messages and update reported properties). Use [symmetric keys](authenticate-authorize-sas.md) or [X.509](authenticate-authorize-x509.md) to authenticate devices to IoT Hub.
## Authentication and authorization *Authentication* is the process of proving that you are who you say you are. Authentication verifies the identity of a user or device to IoT Hub. It's sometimes shortened to *AuthN*. *Authorization* is the process of confirming permissions for an authenticated user or device on IoT Hub. It specifies what resources and commands you're allowed to access, and what you can do with those resources and commands. Authorization is sometimes shortened to *AuthZ*.
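Review bot: the in-page link in the intro still targets the old slug, `[enforce Microsoft Entra authentication whenever possible](#enforce-azure-ad-authentication)`, while the heading it points at is renamed to "Enforce Microsoft Entra authentication"; it only keeps resolving because of the `<a name='enforce-azure-ad-authentication'></a>` shim inserted above that heading. Suggest pointing the link at the new heading's slug and keeping the shim for external links only, so the page does not depend on the shim surviving a later edit.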
-When an Azure AD security principal requests access to an IoT Hub service API, the principal's identity is first *authenticated*. For authentication, the request needs to contain an OAuth 2.0 access token at runtime. The resource name for requesting the token is `https://iothubs.azure.net`. If the application runs in an Azure resource like an Azure VM, Azure Functions app, or Azure App Service app, it can be represented as a [managed identity](../active-directory/managed-identities-azure-resources/how-managed-identities-work-vm.md).
+When a Microsoft Entra security principal requests access to an IoT Hub service API, the principal's identity is first *authenticated*. For authentication, the request needs to contain an OAuth 2.0 access token at runtime. The resource name for requesting the token is `https://iothubs.azure.net`. If the application runs in an Azure resource like an Azure VM, Azure Functions app, or Azure App Service app, it can be represented as a [managed identity](../active-directory/managed-identities-azure-resources/how-managed-identities-work-vm.md).
-After the Azure AD principal is authenticated, the next step is *authorization*. In this step, IoT Hub uses the Azure AD role assignment service to determine what permissions the principal has. If the principal's permissions match the requested resource or API, IoT Hub authorizes the request. So this step requires one or more Azure roles to be assigned to the security principal. IoT Hub provides some built-in roles that have common groups of permissions.
+After the Microsoft Entra principal is authenticated, the next step is *authorization*. In this step, IoT Hub uses the Microsoft Entra role assignment service to determine what permissions the principal has. If the principal's permissions match the requested resource or API, IoT Hub authorizes the request. So this step requires one or more Azure roles to be assigned to the security principal. IoT Hub provides some built-in roles that have common groups of permissions.
## Manage access to IoT Hub by using Azure RBAC role assignment
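Review bot: "IoT Hub uses the Microsoft Entra role assignment service to determine what permissions the principal has" misnames the mechanism; the same paragraph goes on to say the step "requires one or more Azure roles to be assigned", and the next section is titled "Manage access to IoT Hub by using Azure RBAC role assignment". These are Azure RBAC role assignments on the IoT Hub resource, not Entra directory role assignments, so suggest "IoT Hub uses Azure RBAC role assignments to determine what permissions the principal has" to stop readers looking for the permission among Entra roles.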
-With Azure AD and RBAC, IoT Hub requires the principal requesting the API to have the appropriate level of permission for authorization. To give the principal the permission, give it a role assignment.
+With Microsoft Entra ID and RBAC, IoT Hub requires the principal requesting the API to have the appropriate level of permission for authorization. To give the principal the permission, give it a role assignment.
- If the principal is a user, group, or application service principal, follow the guidance in [Assign Azure roles by using the Azure portal](../role-based-access-control/role-assignments-portal.md). - If the principal is a managed identity, follow the guidance in [Assign a managed identity access to a resource by using the Azure portal](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). To ensure least privilege, always assign the appropriate role at the lowest possible [resource scope](#resource-scope), which is probably the IoT Hub scope.
-IoT Hub provides the following Azure built-in roles for authorizing access to IoT Hub service APIs by using Azure AD and RBAC:
+IoT Hub provides the following Azure built-in roles for authorizing access to IoT Hub service APIs by using Microsoft Entra ID and RBAC:
| Role | Description | | - | -- |
The following table describes the permissions available for IoT Hub service API
> - Both [Invoke Component Command](/rest/api/iothub/service/digitaltwin/invokecomponentcommand) and [Invoke Root Level Command](/rest/api/iothub/service/digitaltwin/invokerootlevelcommand) require `Microsoft.Devices/IotHubs/directMethods/invoke/action`. > [!NOTE]
-> To get data from IoT Hub by using Azure AD, [set up routing to a separate event hub](iot-hub-devguide-messages-d2c.md#event-hubs-as-a-routing-endpoint). To access the [the built-in Event Hubs compatible endpoint](iot-hub-devguide-messages-read-builtin.md), use the connection string (shared access key) method as before.
+> To get data from IoT Hub by using Microsoft Entra ID, [set up routing to a separate event hub](iot-hub-devguide-messages-d2c.md#event-hubs-as-a-routing-endpoint). To access the [the built-in Event Hubs compatible endpoint](iot-hub-devguide-messages-read-builtin.md), use the connection string (shared access key) method as before.
-## Enforce Azure AD authentication
+<a name='enforce-azure-ad-authentication'></a>
-By default, IoT Hub supports service API access through both Azure AD and [shared access policies and security tokens](authenticate-authorize-sas.md). To minimize potential security vulnerabilities inherent in security tokens, you can disable access with shared access policies.
+## Enforce Microsoft Entra authentication
+
+By default, IoT Hub supports service API access through both Microsoft Entra ID and [shared access policies and security tokens](authenticate-authorize-sas.md). To minimize potential security vulnerabilities inherent in security tokens, you can disable access with shared access policies.
> [!WARNING]
- > By denying connections using shared access policies, all users and services that connect using this method lose access immediately. Notably, since Device Provisioning Service (DPS) only supports linking IoT hubs using shared access policies, all device provisioning flows will fail with "unauthorized" error. Proceed carefully and plan to replace access with Azure AD role based access. **Do not proceed if you use DPS**.
+ > By denying connections using shared access policies, all users and services that connect using this method lose access immediately. Notably, since Device Provisioning Service (DPS) only supports linking IoT hubs using shared access policies, all device provisioning flows will fail with "unauthorized" error. Proceed carefully and plan to replace access with Microsoft Entra role based access. **Do not proceed if you use DPS**.
1. Ensure that your service clients and users have [sufficient access](#manage-access-to-iot-hub-by-using-azure-rbac-role-assignment) to your IoT hub. Follow the [principle of least privilege](../security/fundamentals/identity-management-best-practices.md). 1. In the [Azure portal](https://portal.azure.com), go to your IoT hub.
By default, IoT Hub supports service API access through both Azure AD and [share
1. Under **Connect using shared access policies**, select **Deny**, and review the warning. :::image type="content" source="media/iot-hub-dev-guide-azure-ad-rbac/disable-local-auth.png" alt-text="Screenshot that shows how to turn off IoT Hub shared access policies." border="true":::
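Review bot: the warning under "Enforce Microsoft Entra authentication" names only DPS as a casualty of selecting **Deny**, but the note a few lines above says the built-in Event Hubs compatible endpoint is read with "the connection string (shared access key) method", so any consumer of that endpoint also loses access the moment shared access policies are denied. Suggest listing it beside DPS in the warning, with routing to a separate event hub as the remediation. Minor: "To access the [the built-in Event Hubs compatible endpoint]" keeps a doubled "the".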
-Your IoT Hub service APIs can now be accessed only through Azure AD and RBAC.
+Your IoT Hub service APIs can now be accessed only through Microsoft Entra ID and RBAC.
+
+<a name='azure-ad-access-from-the-azure-portal'></a>
-## Azure AD access from the Azure portal
+## Microsoft Entra ID access from the Azure portal
-You can provide access to IoT Hub from the Azure portal with either shared access policies or Azure AD permissions.
+You can provide access to IoT Hub from the Azure portal with either shared access policies or Microsoft Entra permissions.
-When you try to access IoT Hub from the Azure portal, the Azure portal first checks whether you've been assigned an Azure role with `Microsoft.Devices/iotHubs/listkeys/action`. If you have, the Azure portal uses the keys from shared access policies to access IoT Hub. If not, the Azure portal tries to access data by using your Azure AD account.
+When you try to access IoT Hub from the Azure portal, the Azure portal first checks whether you've been assigned an Azure role with `Microsoft.Devices/iotHubs/listkeys/action`. If you have, the Azure portal uses the keys from shared access policies to access IoT Hub. If not, the Azure portal tries to access data by using your Microsoft Entra account.
-To access IoT Hub from the Azure portal by using your Azure AD account, you need permissions to access IoT Hub data resources (like devices and twins). You also need permissions to go to the IoT Hub resource in the Azure portal. The built-in roles provided by IoT Hub grant access to resources like devices and twin but they don't grant access to the IoT Hub resource. So access to the portal also requires the assignment of an Azure Resource Manager role like [Reader](../role-based-access-control/built-in-roles.md#reader). The reader role is a good choice because it's the most restricted role that lets you navigate the portal. It doesn't include the `Microsoft.Devices/iotHubs/listkeys/action` permission (which provides access to all IoT Hub data resources via shared access policies).
+To access IoT Hub from the Azure portal by using your Microsoft Entra account, you need permissions to access IoT Hub data resources (like devices and twins). You also need permissions to go to the IoT Hub resource in the Azure portal. The built-in roles provided by IoT Hub grant access to resources like devices and twin but they don't grant access to the IoT Hub resource. So access to the portal also requires the assignment of an Azure Resource Manager role like [Reader](../role-based-access-control/built-in-roles.md#reader). The reader role is a good choice because it's the most restricted role that lets you navigate the portal. It doesn't include the `Microsoft.Devices/iotHubs/listkeys/action` permission (which provides access to all IoT Hub data resources via shared access policies).
To ensure an account doesn't have access outside of the assigned permissions, don't include the `Microsoft.Devices/iotHubs/listkeys/action` permission when you create a custom role. For example, to create a custom role that can read device identities but can't create or delete devices, create a custom role that:
To ensure an account doesn't have access outside of the assigned permissions, do
Then, make sure the account doesn't have any other roles that have the `Microsoft.Devices/iotHubs/listkeys/action` permission, like [Owner](../role-based-access-control/built-in-roles.md#owner) or [Contributor](../role-based-access-control/built-in-roles.md#contributor). To allow the account to have resource access and navigate the portal, assign [Reader](../role-based-access-control/built-in-roles.md#reader).
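Review bot: "The built-in roles provided by IoT Hub grant access to resources like devices and twin but they don't grant access to the IoT Hub resource" should read "devices and twins". The surrounding guidance is the right security point to keep prominent: because the portal checks for `Microsoft.Devices/iotHubs/listkeys/action` before falling back to the signed-in Entra account, any Owner or Contributor assignment silently bypasses the data-plane role scoping described here, which is why Reader is the role to recommend for portal navigation.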
-## Azure AD access from Azure CLI
+<a name='azure-ad-access-from-azure-cli'></a>
+
+## Microsoft Entra ID access from Azure CLI
-Most commands against IoT Hub support Azure AD authentication. You can control the type of authentication used to run commands by using the `--auth-type` parameter, which accepts `key` or `login` values. The `key` value is the default.
+Most commands against IoT Hub support Microsoft Entra authentication. You can control the type of authentication used to run commands by using the `--auth-type` parameter, which accepts `key` or `login` values. The `key` value is the default.
- When `--auth-type` has the `key` value, as before, the CLI automatically discovers a suitable policy when it interacts with IoT Hub.
For more information, see the [Azure IoT extension for Azure CLI release page](h
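Review bot: since `key` remains the default for `--auth-type`, the renamed sentence should say explicitly that scripts must pass `--auth-type login` to use Microsoft Entra authentication at all; a reader who selects **Deny** on shared access policies per the section above will otherwise see CLI calls fail, because the default path still "automatically discovers a suitable policy" and connects with a shared access key the hub no longer accepts.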
## Next steps -- For more information on the advantages of using Azure AD in your application, see [Integrating with Azure Active Directory](../active-directory/develop/how-to-integrate.md).-- For more information on requesting access tokens from Azure AD for users and service principals, see [Authentication scenarios for Azure AD](../active-directory/develop/authentication-vs-authorization.md).
+- For more information on the advantages of using Microsoft Entra ID in your application, see [Integrating with Microsoft Entra ID](../active-directory/develop/how-to-integrate.md).
+- For more information on requesting access tokens from Microsoft Entra ID for users and service principals, see [Authentication scenarios for Microsoft Entra ID](../active-directory/develop/authentication-vs-authorization.md).
Use the Device Provisioning Service to [Provision multiple X.509 devices using enrollment groups](../iot-dps/tutorial-custom-hsm-enrollment-group-x509.md).
iot-hub Authenticate Authorize Sas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/authenticate-authorize-sas.md
The result, which grants access to read all device identities in the identity re
For more examples, see [Generate SAS tokens](#generate-sas-tokens).
-For services, SAS tokens only grant permissions at the IoT Hub level. That is, a service authenticating with a token based on the **service** policy will be able to perform all the operations granted by the **ServiceConnect** permission. These operations include receiving device-to-cloud messages, sending cloud-to-device messages, and so on. If you want to grant more granular access to your services, for example, limiting a service to only sending cloud-to-device messages, you can use Azure Active Directory. To learn more, see [Authenticate with Azure AD](authenticate-authorize-azure-ad.md).
+For services, SAS tokens only grant permissions at the IoT Hub level. That is, a service authenticating with a token based on the **service** policy will be able to perform all the operations granted by the **ServiceConnect** permission. These operations include receiving device-to-cloud messages, sending cloud-to-device messages, and so on. If you want to grant more granular access to your services, for example, limiting a service to only sending cloud-to-device messages, you can use Microsoft Entra ID. To learn more, see [Authenticate with Microsoft Entra ID](authenticate-authorize-azure-ad.md).
## Use SAS tokens from devices
iot-hub Authenticate Authorize X509 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/authenticate-authorize-x509.md
The X.509 CA feature enables device authentication to IoT Hub using a certificat
This article describes authentication using **X.509 certificates**. You can use any X.509 certificate to authenticate a device with IoT Hub by uploading either a certificate thumbprint or a certificate authority (CA) to Azure IoT Hub.
-X.509 certificates are used for authentication in IoT Hub, not authorization. Unlike with Azure Active Directory and shared access signatures, you can't customize permissions with X.509 certificates.
+X.509 certificates are used for authentication in IoT Hub, not authorization. Unlike with Microsoft Entra ID and shared access signatures, you can't customize permissions with X.509 certificates.
## Enforce X.509 authentication
Use the Device Provisioning Service to [Provision multiple X.509 devices using e
To learn more about the fields that make up an X.509 certificate, see [X.509 certificates](reference-x509-certificates.md).
-If you have a root CA certificate or subordinate CA certificate and you want to upload it to your IoT hub, you must verify that you own that certificate. For more information, see [Tutorial: Create and upload certificates for testing](tutorial-x509-test-certs.md).
+If you have a root CA certificate or subordinate CA certificate and you want to upload it to your IoT hub, you must verify that you own that certificate. For more information, see [Tutorial: Create and upload certificates for testing](tutorial-x509-test-certs.md).
iot-hub Iot Hub Configure File Upload Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-configure-file-upload-cli.md
The configuration requires the following values:
* **File notification lock duration**: The lock duration for the file notification queue. Set to 60 seconds by default.
-* **Authentication type**: The type of authentication for IoT Hub to use with Azure Storage. This setting determines how your IoT hub authenticates and authorizes with Azure Storage. The default is key-based authentication; however, system-assigned and user-assigned managed identities can also be used. Managed identities provide Azure services with an automatically managed identity in Azure AD in a secure manner. To learn how to configure managed identities on your IoT hub and Azure Storage account, see [IoT Hub support for managed identities](./iot-hub-managed-identity.md). Once configured, you can set one of your managed identities to use for authentication with Azure storage.
+* **Authentication type**: The type of authentication for IoT Hub to use with Azure Storage. This setting determines how your IoT hub authenticates and authorizes with Azure Storage. The default is key-based authentication; however, system-assigned and user-assigned managed identities can also be used. Managed identities provide Azure services with an automatically managed identity in Microsoft Entra ID in a secure manner. To learn how to configure managed identities on your IoT hub and Azure Storage account, see [IoT Hub support for managed identities](./iot-hub-managed-identity.md). Once configured, you can set one of your managed identities to use for authentication with Azure storage.
> [!NOTE] > The authentication type setting configures how your IoT hub authenticates with your Azure Storage account. Devices always authenticate with Azure Storage using the SAS URI that they get from the IoT hub.
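Review bot: the sentence "Managed identities provide Azure services with an automatically managed identity in Microsoft Entra ID in a secure manner" is edited identically in this file, iot-hub-configure-file-upload-powershell.md, iot-hub-configure-file-upload.md, iot-hub-devguide-file-upload.md and iot-hub-managed-identity.md; a shared include would have made this rename a single edit and will keep the copies from drifting next time. Also "in a secure manner" says nothing concrete; the actual benefit over the key-based default in the same bullet is that no storage account key is held in the hub's configuration, which is worth stating.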
iot-hub Iot Hub Configure File Upload Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-configure-file-upload-powershell.md
Set-AzIotHub `
``` > [!NOTE]
-> By default, IoT Hub authenticates with Azure Storage using the account key in the connection string. Authentication using either system-assigned or user-assigned managed identities is also available. Managed identities provide Azure services with an automatically managed identity in Azure AD in a secure manner. To learn more, see [IoT Hub support for managed identities](./iot-hub-managed-identity.md). Currently, there are not parameters on the **Set-AzIotHub** command to set the authentication type. Instead, you can use either the [Azure portal](./iot-hub-configure-file-upload.md) or [Azure CLI](./iot-hub-configure-file-upload-cli.md).
+> By default, IoT Hub authenticates with Azure Storage using the account key in the connection string. Authentication using either system-assigned or user-assigned managed identities is also available. Managed identities provide Azure services with an automatically managed identity in Microsoft Entra ID in a secure manner. To learn more, see [IoT Hub support for managed identities](./iot-hub-managed-identity.md). Currently, there are not parameters on the **Set-AzIotHub** command to set the authentication type. Instead, you can use either the [Azure portal](./iot-hub-configure-file-upload.md) or [Azure CLI](./iot-hub-configure-file-upload-cli.md).
## Next steps * [Upload files from a device overview](iot-hub-devguide-file-upload.md) * [IoT Hub support for managed identities](./iot-hub-managed-identity.md)
-* [File upload how-to guides](./file-upload-dotnet.md)
+* [File upload how-to guides](./file-upload-dotnet.md)
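Review bot: "Currently, there are not parameters on the **Set-AzIotHub** command to set the authentication type" should be "there are no parameters". The final hunk (`* [File upload how-to guides](./file-upload-dotnet.md)`) is a whitespace-only change with identical removed and added text, presumably a trailing newline.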
iot-hub Iot Hub Configure File Upload https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-configure-file-upload.md
To use the [file upload functionality in IoT Hub](iot-hub-devguide-file-upload.m
* **File notification maximum delivery count**: The number of times the IoT Hub attempts to deliver a file upload notification. Set to 10 by default but can be customized to other values using the slider.
- * **Authentication type**: By default, Azure IoT Hub uses key-based authentication to connect and authorize with Azure Storage. You can also configure user-assigned or system-assigned managed identities to authenticate Azure IoT Hub with Azure Storage. Managed identities provide Azure services with an automatically managed identity in Azure AD in a secure manner. To learn how to configure managed identities, see [IoT Hub support for managed identities](./iot-hub-managed-identity.md). After you've configured one or more managed identities on your Azure Storage account and IoT hub, you can select one for authentication with Azure storage with the **System-assigned** or **User-assigned** buttons.
+ * **Authentication type**: By default, Azure IoT Hub uses key-based authentication to connect and authorize with Azure Storage. You can also configure user-assigned or system-assigned managed identities to authenticate Azure IoT Hub with Azure Storage. Managed identities provide Azure services with an automatically managed identity in Microsoft Entra ID in a secure manner. To learn how to configure managed identities, see [IoT Hub support for managed identities](./iot-hub-managed-identity.md). After you've configured one or more managed identities on your Azure Storage account and IoT hub, you can select one for authentication with Azure storage with the **System-assigned** or **User-assigned** buttons.
> [!NOTE] > The authentication type setting configures how your IoT hub authenticates with your Azure Storage account. Devices always authenticate with Azure Storage using the SAS URI that they get from the IoT hub.
iot-hub Iot Hub Devguide File Upload https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-devguide-file-upload.md
IoT Hub imposes throttling limits on the number of file uploads that it can init
You must associate an Azure storage account and blob container with your IoT hub to use file upload features. All file uploads from devices registered with your IoT hub will go to this container. To configure a storage account and blob container on your IoT hub, see [Configure IoT Hub file uploads using the Azure portal](iot-hub-configure-file-upload.md), [Configure IoT Hub file uploads using Azure CLI](iot-hub-configure-file-upload-cli.md), or [Configure IoT Hub file uploads using PowerShell](iot-hub-configure-file-upload-powershell.md). You can also use the IoT Hub management APIs to configure file uploads programmatically.
-If you use the portal, you can create a storage account and container during configuration. Otherwise, to create a storage account, see [Create a storage account](../storage/common/storage-account-create.md) in the Azure storage documentation. Once you have a storage account, you can see how to create a blob container in the [Azure Blob Storage quickstarts](../storage/blobs/storage-quickstart-blobs-portal.md). By default, Azure IoT Hub uses key-based authentication to connect and authorize with Azure Storage. You can also configure user-assigned or system-assigned managed identities to authenticate Azure IoT Hub with Azure Storage. Managed identities provide Azure services with an automatically managed identity in Azure AD in a secure manner. To learn how to configure managed identities, see the [Configure file upload with managed identities](iot-hub-managed-identity.md#configure-file-upload-with-managed-identities) section of [IoT Hub support for managed identities](iot-hub-managed-identity.md).
+If you use the portal, you can create a storage account and container during configuration. Otherwise, to create a storage account, see [Create a storage account](../storage/common/storage-account-create.md) in the Azure storage documentation. Once you have a storage account, you can see how to create a blob container in the [Azure Blob Storage quickstarts](../storage/blobs/storage-quickstart-blobs-portal.md). By default, Azure IoT Hub uses key-based authentication to connect and authorize with Azure Storage. You can also configure user-assigned or system-assigned managed identities to authenticate Azure IoT Hub with Azure Storage. Managed identities provide Azure services with an automatically managed identity in Microsoft Entra ID in a secure manner. To learn how to configure managed identities, see the [Configure file upload with managed identities](iot-hub-managed-identity.md#configure-file-upload-with-managed-identities) section of [IoT Hub support for managed identities](iot-hub-managed-identity.md).
File upload is subject to [Azure Storage's firewall settings](../storage/common/storage-network-security.md). Based on your authentication configuration, you'll need to ensure your devices can communicate with Azure storage.
iot-hub Iot Hub Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/iot-hub-managed-identity.md
# IoT Hub support for managed identities
-Managed identities provide Azure services with an automatically managed identity in Azure AD in a secure manner. This eliminates the need for developers having to manage credentials by providing an identity. There are two types of managed identities: system-assigned and user-assigned. IoT Hub supports both.
+Managed identities provide Azure services with an automatically managed identity in Microsoft Entra ID in a secure manner. This eliminates the need for developers having to manage credentials by providing an identity. There are two types of managed identities: system-assigned and user-assigned. IoT Hub supports both.
In IoT Hub, managed identities can be used for egress connectivity from IoT Hub to other Azure services for features such as [message routing](iot-hub-devguide-messages-d2c.md), [file upload](iot-hub-devguide-file-upload.md), and [bulk device import/export](iot-hub-bulk-identity-mgmt.md). In this article, you learn how to use system-assigned and user-assigned managed identities in your IoT hub for different functionalities.
iot-hub Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot-hub/policy-reference.md
Title: Built-in policy definitions for Azure IoT Hub description: Lists Azure Policy built-in policy definitions for Azure IoT Hub. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
iot Iot Overview Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot/iot-overview-security.md
Microsoft Defender for IoT can automatically monitor some of the recommendations
- **Protect cloud credentials**: An attacker can use the cloud authentication credentials you use to configure and operate your IoT deployment to gain access to and compromise your IoT system. Protect the credentials by changing the password frequently, and don't use these credentials on public machines. -- **Define access controls for your IoT hub**: Understand and define the type of access that each component in your IoT Hub solution needs based on the required functionality. There are two ways you can grant permissions for the service APIs to connect to your IoT hub: [Azure Active Directory](../iot-hub/iot-hub-dev-guide-azure-ad-rbac.md) or [Shared Access signatures](../iot-hub/iot-hub-dev-guide-sas.md).
+- **Define access controls for your IoT hub**: Understand and define the type of access that each component in your IoT Hub solution needs based on the required functionality. There are two ways you can grant permissions for the service APIs to connect to your IoT hub: [Microsoft Entra ID](../iot-hub/iot-hub-dev-guide-azure-ad-rbac.md) or [Shared Access signatures](../iot-hub/iot-hub-dev-guide-sas.md).
- **Define access controls for your IoT Central application**: Understand and define the type of access that you enable for your IoT Central application. To learn more, see:
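Review bot: the renamed link still targets `../iot-hub/iot-hub-dev-guide-azure-ad-rbac.md`, while the article edited in this same change set lives at `articles/iot-hub/authenticate-authorize-azure-ad.md`; likewise `iot-hub-dev-guide-sas.md` versus `authenticate-authorize-sas.md`. Unless redirects exist for the old paths, point both links at the current files. While this bullet is open, "Protect the credentials by changing the password frequently" is worth revisiting: scheduled rotation is not what limits the compromise the bullet describes, whereas the Entra path it links to gives token-based, RBAC-scoped access instead of a long-lived shared secret.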
iot Iot Security Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/iot/iot-security-architecture.md
The following table shows example mitigations to these threats. The values in th
| Component | Threat | Mitigation | Risk | Implementation | | | | | | |
-| Device |S |Assigning identity to the device and authenticating the device |Replacing device or part of the device with some other device. How do you know you're talking to the right device? |Authenticating the device, using Transport Layer Security (TLS) or IPSec. Infrastructure should support using preshared key (PSK) on those devices that can't handle full asymmetric cryptography. Use Azure AD, [OAuth](https://www.rfc-editor.org/pdfrfc/rfc6755.txt.pdf). |
+| Device |S |Assigning identity to the device and authenticating the device |Replacing device or part of the device with some other device. How do you know you're talking to the right device? |Authenticating the device, using Transport Layer Security (TLS) or IPSec. Infrastructure should support using preshared key (PSK) on those devices that can't handle full asymmetric cryptography. Use Microsoft Entra ID, [OAuth](https://www.rfc-editor.org/pdfrfc/rfc6755.txt.pdf). |
|| TRID |Apply tamperproof mechanisms to the device, for example, by making it hard to impossible to extract keys and other cryptographic material from the device. |The risk is if someone is tampering the device (physical interference). How are you sure, that device hasn't been tampered with. |The most effective mitigation is a trusted platform module (TPM). A TPM stores keys in special on-chip circuitry from which the keys can't be read, but can only be used for cryptographic operations that use the key. Memory encryption of the device. Key management for the device. Signing the code. | || E |Having access control of the device. Authorization scheme. |If the device allows for individual actions to be performed based on commands from an outside source, or even compromised sensors, it allows the attack to perform operations not otherwise accessible. |Having authorization scheme for the device. | | Field Gateway |S |Authenticating the Field gateway to Cloud Gateway (such as cert based, PSK, or Claim based.) |If someone can spoof Field Gateway, then it can present itself as any device. |TLS RSA/PSK, IPSec, [RFC 4279](https://tools.ietf.org/html/rfc4279). All the same key storage and attestation concerns of devices in general ΓÇô best case is use TPM. 6LowPAN extension for IPSec to support Wireless Sensor Networks (WSN). |
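Review bot: the OAuth link in the Device/S row (`[OAuth](https://www.rfc-editor.org/pdfrfc/rfc6755.txt.pdf)`) points at RFC 6755, which defines an IETF URN sub-namespace for OAuth, not the OAuth 2.0 authorization framework; the Key Vault authentication page changed in this same update cites RFC 6749 for OAuth2, and this row should cite the same document. While the line is being rewritten, "IPSec" is conventionally written "IPsec" (both occurrences in the table).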
key-vault Quick Create Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/certificates/quick-create-python.md
This quickstart uses the Azure Identity library with Azure CLI or Azure PowerShe
1. In a terminal or command prompt, create a suitable project folder, and then create and activate a Python virtual environment as described on [Use Python virtual environments](/azure/developer/python/configure-local-development-environment?tabs=cmd#use-python-virtual-environments)
-1. Install the Azure Active Directory identity library:
+1. Install the Microsoft Entra identity library:
```terminal pip install azure.identity
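Review bot: the renamed heading turns a package name into a product name. `pip install azure.identity` installs the Azure Identity client library (PyPI package `azure-identity`), which is not called the "Microsoft Entra identity library"; suggest "Install the Azure Identity library:" for the step and the canonical `pip install azure-identity` in the fence.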
Remove-AzResourceGroup -Name myResourceGroup
- [Secure access to a key vault](../general/security-features.md) - [Azure Key Vault developer's guide](../general/developers-guide.md) - [Key Vault security overview](../general/security-features.md)-- [Authenticate with Key Vault](../general/authentication.md)
+- [Authenticate with Key Vault](../general/authentication.md)
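Review bot: in the Next steps list, "Secure access to a key vault" and "Key Vault security overview" both link to `../general/security-features.md`; since this hunk is already rewriting the list, drop one of the two entries or point the first one at a distinct article.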
key-vault About Keys Secrets Certificates https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/about-keys-secrets-certificates.md
Refer to the JOSE specifications for relevant data types for keys, encryption, a
- **signature-value** - output of a signature algorithm, encoded using Base64URL - **base64URL** - a Base64URL [RFC4648] encoded binary value - **boolean** - either true or false -- **Identity** - an identity from Azure Active Directory (Azure AD).
+- **Identity** - an identity from Microsoft Entra ID.
- **IntDate** - a JSON decimal value representing the number of seconds from 1970-01-01T0:0:0Z UTC until the specified UTC date/time. See RFC3339 for details regarding date/times, in general and UTC in particular.
## Objects, identifiers, and versioning
key-vault Access Behind Firewall https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/access-behind-firewall.md
To access a key vault, your key vault client application has to access multiple endpoints for various functionalities:
-* Authentication via Azure Active Directory (Azure AD).
+* Authentication via Microsoft Entra ID.
* Management of Azure Key Vault. This includes creating, reading, updating, deleting, and setting access policies through Azure Resource Manager.
* Accessing and managing objects (keys and secrets) stored in Key Vault itself, going through the Key Vault-specific endpoint (for example, `https://yourvaultname.vault.azure.net`).
All traffic to a key vault for all three functions (authentication, management,
## Authentication
-Key vault client applications will need to access Azure Active Directory endpoints for authentication. The endpoint used depends on the Azure AD tenant configuration, the type of principal (user principal or service principal), and the type of account--for example, a Microsoft account or a work or school account.
+Key vault client applications will need to access Microsoft Entra endpoints for authentication. The endpoint used depends on the Microsoft Entra tenant configuration, the type of principal (user principal or service principal), and the type of account--for example, a Microsoft account or a work or school account.
| Principal type | Endpoint:port |
| --- | --- |
| User using Microsoft account<br> (for example, user@hotmail.com) |**Global:**<br> login.microsoftonline.com:443<br><br> **Microsoft Azure operated by 21Vianet:**<br> login.chinacloudapi.cn:443<br><br>**Azure US Government:**<br> login.microsoftonline.us:443<br><br>**Azure Germany:**<br> login.microsoftonline.de:443<br><br> and <br>login.live.com:443 |
-| User or service principal using a work or school account with Azure AD (for example, user@contoso.com) |**Global:**<br> login.microsoftonline.com:443<br><br> **Microsoft Azure operated by 21Vianet:**<br> login.chinacloudapi.cn:443<br><br>**Azure US Government:**<br> login.microsoftonline.us:443<br><br>**Azure Germany:**<br> login.microsoftonline.de:443 |
+| User or service principal using a work or school account with Microsoft Entra ID (for example, user@contoso.com) |**Global:**<br> login.microsoftonline.com:443<br><br> **Microsoft Azure operated by 21Vianet:**<br> login.chinacloudapi.cn:443<br><br>**Azure US Government:**<br> login.microsoftonline.us:443<br><br>**Azure Germany:**<br> login.microsoftonline.de:443 |
| User or service principal using a work or school account, plus Active Directory Federation Services (AD FS) or other federated endpoint (for example, user@contoso.com) |All endpoints for a work or school account, plus AD FS or other federated endpoints |
-There are other possible complex scenarios. Refer to [Azure Active Directory Authentication Flow](../../active-directory/develop/authentication-vs-authorization.md), [Integrating Applications with Azure Active Directory](../../active-directory/develop/how-to-integrate.md), and [Active Directory Authentication Protocols](/previous-versions/azure/dn151124(v=azure.100)) for additional information.
+There are other possible complex scenarios. Refer to [Microsoft Entra authentication Flow](../../active-directory/develop/authentication-vs-authorization.md), [Integrating Applications with Microsoft Entra ID](../../active-directory/develop/how-to-integrate.md), and [Active Directory Authentication Protocols](/previous-versions/azure/dn151124(v=azure.100)) for additional information.
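Review bot: the link text "Microsoft Entra authentication Flow" mixes cases mid-phrase; make it "Microsoft Entra authentication flow" (sentence case, as used for the other renamed link texts in this update).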
## Key Vault management
The Key Vault service uses other Azure resources like PaaS infrastructure. So it
* [Germany](https://www.microsoft.com/en-us/download/details.aspx?id=57064)
* [China](https://www.microsoft.com/en-us/download/details.aspx?id=57062)
-Authentication and Identity (Azure Active Directory) is a global service and may fail over to other regions or move traffic without notice. In this scenario, all of the IP ranges listed in [Authentication and Identity IP Addresses](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_identity_ip) should be added to the firewall.
+Authentication and Identity (Microsoft Entra ID) is a global service and may fail over to other regions or move traffic without notice. In this scenario, all of the IP ranges listed in [Authentication and Identity IP Addresses](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_identity_ip) should be added to the firewall.
## Next steps
key-vault Assign Access Policy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/assign-access-policy.md
A Key Vault access policy determines whether a given security principal, namely
# [Azure CLI](#tab/azure-cli)
-For more information on creating groups in Azure Active Directory using the Azure CLI, see [az ad group create](/cli/azure/ad/group#az-ad-group-create) and [az ad group member add](/cli/azure/ad/group/member#az-ad-group-member-add).
+For more information on creating groups in Microsoft Entra ID using the Azure CLI, see [az ad group create](/cli/azure/ad/group#az-ad-group-create) and [az ad group member add](/cli/azure/ad/group/member#az-ad-group-member-add).
## Configure the Azure CLI and sign in
You need only include `--secret-permissions`, `--key-permissions`, and `--certif
# [Azure PowerShell](#tab/azure-powershell)
-For more information on creating groups in Azure Active Directory using Azure PowerShell, see [New-AzureADGroup](/powershell/module/azuread/new-azureadgroup) and [Add-AzADGroupMember](/powershell/module/az.resources/add-azadgroupmember).
+For more information on creating groups in Microsoft Entra ID using Azure PowerShell, see [New-AzureADGroup](/powershell/module/azuread/new-azureadgroup) and [Add-AzADGroupMember](/powershell/module/az.resources/add-azadgroupmember).
## Configure PowerShell and sign-in
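Review bot: this tab is "Azure PowerShell", but the hunk still sends readers to `New-AzureADGroup` from the separate `azuread` module while the very next cmdlet, `Add-AzADGroupMember`, comes from `az.resources`. The Az.Resources module also provides `New-AzADGroup`; linking that instead keeps both steps in one module and removes the dependency on the AzureAD module for a single command.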
key-vault Authentication Requests And Responses https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/authentication-requests-and-responses.md
This topic covers specifics for the Azure Key Vault service. For general informa
```
## Authentication
- All requests to Azure Key Vault MUST be authenticated. Azure Key Vault supports Azure Active Directory access tokens that may be obtained using OAuth2 [[RFC6749](https://tools.ietf.org/html/rfc6749)].
+ All requests to Azure Key Vault MUST be authenticated. Azure Key Vault supports Microsoft Entra access tokens that may be obtained using OAuth2 [[RFC6749](https://tools.ietf.org/html/rfc6749)].
- For more information on registering your application and authenticating to use Azure Key Vault, see [Register your client application with Azure AD](/rest/api/azure/index#register-your-client-application-with-azure-ad).
+ For more information on registering your application and authenticating to use Azure Key Vault, see [Register your client application with Microsoft Entra ID](/rest/api/azure/index#register-your-client-application-with-azure-ad).
Access tokens must be sent to the service using the HTTP Authorization header:
key-vault Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/authentication.md
# Authentication in Azure Key Vault
-Authentication with Key Vault works in conjunction with [Azure Active Directory (Azure AD)](../../active-directory/fundamentals/active-directory-whatis.md), which is responsible for authenticating the identity of any given **security principal**.
+Authentication with Key Vault works in conjunction with [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md), which is responsible for authenticating the identity of any given **security principal**.
A security principal is an object that represents a user, group, service, or application that's requesting access to Azure resources. Azure assigns a unique **object ID** to every security principal.
-* A **user** security principal identifies an individual who has a profile in Azure Active Directory.
+* A **user** security principal identifies an individual who has a profile in Microsoft Entra ID.
-* A **group** security principal identifies a set of users created in Azure Active Directory. Any roles or permissions assigned to the group are granted to all of the users within the group.
+* A **group** security principal identifies a set of users created in Microsoft Entra ID. Any roles or permissions assigned to the group are granted to all of the users within the group.
* A **service principal** is a type of security principal that identifies an application or service, which is to say, a piece of code rather than a user or group. A service principal's object ID acts like its username; the service principal's **client secret** acts like its password.
For applications, there are two ways to obtain a service principal:
For more information, see the [Managed identity overview](../../active-directory/managed-identities-azure-resources/overview.md). Also see [Azure services that support managed identity](../../active-directory/managed-identities-azure-resources/services-support-managed-identities.md), which links to articles that describe how to enable managed identity for specific services (such as App Service, Azure Functions, Virtual Machines, etc.).
-* If you cannot use managed identity, you instead **register** the application with your Azure AD tenant, as described on [Quickstart: Register an application with the Azure identity platform](../../active-directory/develop/quickstart-register-app.md). Registration also creates a second application object that identifies the app across all tenants.
+* If you cannot use managed identity, you instead **register** the application with your Microsoft Entra tenant, as described on [Quickstart: Register an application with the Azure identity platform](../../active-directory/develop/quickstart-register-app.md). Registration also creates a second application object that identifies the app across all tenants.
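Review bot: the link text "Quickstart: Register an application with the Azure identity platform" is wrong before and after this change; the target article (`quickstart-register-app.md`) is "Register an application with the Microsoft identity platform". Since the line is being rewritten for the rename anyway, correct the title as well.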
## Configure the Key Vault firewall
For more information, see [Access Azure Key Vault behind a firewall](./access-be
Key Vault authentication occurs as part of every request operation on Key Vault. Once a token is retrieved, it can be reused for subsequent calls. Authentication flow example:
-1. A token requests to authenticate with Azure AD, for example:
+1. A token requests to authenticate with Microsoft Entra ID, for example:
   * An Azure resource such as a virtual machine or App Service application with a managed identity contacts the REST endpoint to get an access token.
   * A user logs into the Azure portal using a username and password.
-1. If authentication with Azure AD is successful, the security principal is granted an OAuth token.
+1. If authentication with Microsoft Entra ID is successful, the security principal is granted an OAuth token.
1. A call to the Key Vault REST API through the Key Vault's endpoint (URI).
Key Vault authentication occurs as part of every request operation on Key Vault.
   * The caller is listed in the firewall by IP address, virtual network, or service endpoint.
   * The caller can reach Key Vault over a configured private link connection.
-1. If the firewall allows the call, Key Vault calls Azure AD to validate the security principalΓÇÖs access token.
+1. If the firewall allows the call, Key Vault calls Microsoft Entra ID to validate the security principalΓÇÖs access token.
1. Key Vault checks if the security principal has the necessary permission for requested operation. If not, Key Vault returns a forbidden response.
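As an added example (not code from the Azure docs or from the Key Vault SDK), the following Python shows the client side of the flow above: it reads the bearer token's claims and checks, before the request ever reaches the Key Vault firewall and permission steps, that the token was issued for the Key Vault data-plane audience, by the tenant the vault is tied to, and has not expired. The sample token is constructed and unsigned; real tokens are signed by Microsoft Entra ID and Key Vault has Entra ID validate them server-side, so this is a preflight check, not a substitute for that validation. The audience value `https://vault.azure.net` is the Key Vault data-plane resource; the tenant IDs are made-up placeholders.

```python
import base64
import json
import time
from typing import Dict, List, Optional

# Resource a Key Vault data-plane token must be issued for (the `aud` claim).
KEY_VAULT_AUDIENCE = "https://vault.azure.net"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT without checking its signature.

    Signature validation is done by Microsoft Entra ID when Key Vault asks it to
    validate the token; this helper only reads the claims for a preflight check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def preflight_token(token: str, vault_tenant_id: str, now: Optional[float] = None) -> List[str]:
    """List the reasons the vault would reject this token; an empty list means it looks usable."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") != KEY_VAULT_AUDIENCE:
        problems.append(f"audience {claims.get('aud')!r} is not {KEY_VAULT_AUDIENCE!r}")
    # A vault is bound to one tenant: a token from another tenant is rejected even
    # if its subject holds a role assignment or access policy entry elsewhere.
    if claims.get("tid") != vault_tenant_id:
        problems.append(f"token tenant {claims.get('tid')!r} is not the vault tenant {vault_tenant_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def authorization_header(token: str, vault_tenant_id: str, now: Optional[float] = None) -> Dict[str, str]:
    """Build the Authorization header for a Key Vault REST call, refusing a token that would fail."""
    problems = preflight_token(token, vault_tenant_id, now)
    if problems:
        raise PermissionError("; ".join(problems))
    return {"Authorization": f"Bearer {token}"}


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED sample JWT for this example only; real tokens are signed by Entra ID."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


if __name__ == "__main__":
    # Constructed placeholder tenant IDs, not real tenants.
    vault_tenant = "11111111-1111-1111-1111-111111111111"
    other_tenant = "22222222-2222-2222-2222-222222222222"
    good = make_sample_token({"aud": KEY_VAULT_AUDIENCE, "tid": vault_tenant, "exp": time.time() + 3600})
    wrong_tenant = make_sample_token({"aud": KEY_VAULT_AUDIENCE, "tid": other_tenant, "exp": time.time() + 3600})
    print(authorization_header(good, vault_tenant)["Authorization"][:24] + "...")
    print(preflight_token(wrong_tenant, vault_tenant))
```

The tenant check is the one that bites after a subscription move: a caller in the new tenant presents a perfectly valid token, but its `tid` no longer matches the tenant the vault was created in, which is why the access policy entries have to be recreated rather than the token fixed.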
key-vault Basic Concepts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/basic-concepts.md
Here are other important terms:
- **Security principal**: An Azure security principal is a security identity that user-created apps, services, and automation tools use to access specific Azure resources. Think of it as a "user identity" (username and password or certificate) with a specific role, and tightly controlled permissions. A security principal should only need to do specific things, unlike a general user identity. It improves security if you grant it only the minimum permission level that it needs to perform its management tasks. A security principal used with an application or service is called a **service principal**. -- [Azure Active Directory (Azure AD)](../../active-directory/fundamentals/active-directory-whatis.md): Azure AD is the Active Directory service for a tenant. Each directory has one or more domains. A directory can have many subscriptions associated with it, but only one tenant.
+- [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md): Microsoft Entra ID is the Active Directory service for a tenant. Each directory has one or more domains. A directory can have many subscriptions associated with it, but only one tenant.
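Review bot: after the rename the definition reads "Microsoft Entra ID is the Active Directory service for a tenant", which describes the product with the name it just dropped and suggests it is an AD domain service. Suggest "Microsoft Entra ID (formerly Azure Active Directory) is the identity service for a tenant", keeping the directory/subscription sentence that follows.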
-- **Azure tenant ID**: A tenant ID is a unique way to identify an Azure AD instance within an Azure subscription.
+- **Azure tenant ID**: A tenant ID is a unique way to identify a Microsoft Entra instance within an Azure subscription.
-- **Managed identities**: Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them. Using a managed identity makes solving this problem simpler by giving Azure services an automatically managed identity in Azure AD. You can use this identity to authenticate to Key Vault or any service that supports Azure AD authentication, without having any credentials in your code. For more information, see the following image and the [overview of managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md).
+- **Managed identities**: Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them. Using a managed identity makes solving this problem simpler by giving Azure services an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to Key Vault or any service that supports Microsoft Entra authentication, without having any credentials in your code. For more information, see the following image and the [overview of managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md).
## Authentication
To do any operations with Key Vault, you first need to authenticate to it. There are three ways to authenticate to Key Vault:
key-vault Common Parameters And Headers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/common-parameters-and-headers.md
-
+ Title: Common parameters and headers description: The parameters and headers common to all operations that you might perform on Key Vault resources.
The following information is common to all operations that you might perform on
- Replace `{resource-group-name}` with the resource group. For more information, see Using Resource groups to manage your Azure resources. - Replace `{vault-name}` with your key vault name in the URI. - Set the Content-Type header to application/json.-- Set the Authorization header to a JSON Web Token that you obtain from Azure Active Directory (Azure AD). For more information, see [Authenticating Azure Resource Manager](authentication-requests-and-responses.md) requests.
+- Set the Authorization header to a JSON Web Token that you obtain from Microsoft Entra ID. For more information, see [Authenticating Azure Resource Manager](authentication-requests-and-responses.md) requests.
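Review bot: the link text "Authenticating Azure Resource Manager requests" points at `authentication-requests-and-responses.md`, which (per the hunk for that article in this same update) describes authenticating to the Key Vault service itself. The operations listed here (`{resource-group-name}`, `{vault-name}`, access-policy management) are Azure Resource Manager calls, so the JSON Web Token has to be requested for the Resource Manager resource rather than for the vault; say that explicitly or link to the Resource Manager REST authentication guidance instead.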
## Common error response
The service will use HTTP status codes to indicate success or failure. In addition, failures contain a response in the following format:
key-vault Developers Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/developers-guide.md
For installation packages and source code, see [Client libraries](client-librari
## Authenticate to Key Vault in code
-Key Vault uses Azure Active Directory (Azure AD) authentication, which requires an Azure AD security principal to grant access. An Azure AD security principal can be a user, an application service principal, a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md), or a group of any of these types.
+Key Vault uses Microsoft Entra authentication, which requires a Microsoft Entra security principal to grant access. A Microsoft Entra security principal can be a user, an application service principal, a [managed identity for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md), or a group of any of these types.
### Authentication best practices
key-vault Logging https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/logging.md
The following table lists the **operationName** values and corresponding REST AP
| operationName | REST API command |
| --- | --- |
-| **Authentication** |Authenticate via Azure Active Directory endpoint |
+| **Authentication** |Authenticate via Microsoft Entra endpoint |
| **VaultGet** |[Get information about a key vault](/rest/api/keyvault/keyvault/vaults) |
| **VaultPut** |[Create or update a key vault](/rest/api/keyvault/keyvault/vaults) |
| **VaultDelete** |[Delete a key vault](/rest/api/keyvault/keyvault/vaults) |
key-vault Manage With Cli2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/manage-with-cli2.md
This article covers how to get started working with Azure Key Vault using the Az
- How to create a hardened container (a vault) in Azure - Adding a key, secret, or certificate to the key vault-- Registering an application with Azure Active Directory
+- Registering an application with Microsoft Entra ID
- Authorizing an application to use a key or secret
- Setting key vault advanced access policies
- Working with Hardware security modules (HSMs)
az keyvault secret list --vault-name "ContosoKeyVault"
az keyvault certificate list --vault-name "ContosoKeyVault"
```
-## Registering an application with Azure Active Directory
+<a name='registering-an-application-with-azure-active-directory'></a>
+
+## Registering an application with Microsoft Entra ID
This step would usually be done by a developer, on a separate computer. It isn't specific to Azure Key Vault but is included here, for awareness. To complete the app registration, your account, the vault, and the application need to be in the same Azure directory.
-Applications that use a key vault must authenticate by using a token from Azure Active Directory. The owner of the application must register it in Azure Active Directory first. At the end of registration, the application owner gets the following values:
+Applications that use a key vault must authenticate by using a token from Microsoft Entra ID. The owner of the application must register it in Microsoft Entra first. At the end of registration, the application owner gets the following values:
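Review bot: within one sentence the hunk uses "Microsoft Entra ID" and then "register it in Microsoft Entra first"; use "Microsoft Entra ID" in both places, matching the rest of the article.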
-- An **Application ID** (also known as the AAD Client ID or appID)
+- An **Application ID** (also known as the Microsoft Entra Client ID or appID)
- An **authentication key** (also known as the shared secret).
-The application must present both these values to Azure Active Directory, to get a token. How an application is configured to get a token will depend on the application. For the [Key Vault sample application](https://www.microsoft.com/download/details.aspx?id=45343), the application owner sets these values in the app.config file.
+The application must present both these values to Microsoft Entra ID, to get a token. How an application is configured to get a token will depend on the application. For the [Key Vault sample application](https://www.microsoft.com/download/details.aspx?id=45343), the application owner sets these values in the app.config file.
-For detailed steps on registering an application with Azure Active Directory you should review the articles titled [Integrating applications with Azure Active Directory](../../active-directory/develop/quickstart-register-app.md), [Use portal to create an Azure Active Directory application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md), and [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli).
+For detailed steps on registering an application with Microsoft Entra ID you should review the articles titled [Integrating applications with Microsoft Entra ID](../../active-directory/develop/quickstart-register-app.md), [Use portal to create a Microsoft Entra application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md), and [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli).
-To register an application in Azure Active Directory:
+To register an application in Microsoft Entra ID:
```azurecli az ad sp create-for-rbac -n "MyApp" --password "hVFkk965BuUv" --role Contributor --scopes /subscriptions/<subscription id>
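Review bot: the registration command under the renamed line still passes `--password "hVFkk965BuUv"` and grants `--role Contributor --scopes /subscriptions/<subscription id>`. Current Azure CLI releases no longer accept `--password` on `az ad sp create-for-rbac` (the client secret is generated and printed), so the sample fails as written, and Contributor on the whole subscription is far more than an application that only needs to use a key vault requires. Remove the literal password, and either scope the role to the vault's resource group or the vault itself, or omit `--role`/`--scopes` and grant the Key Vault permissions in the access policy step that follows.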
key-vault Move Subscription https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/move-subscription.md
> Make sure you understand the impact of this change and follow the guidance in this article carefully before deciding to move key vault to a new subscription.
> If you are using Managed Service Identities (MSI) please read the post-move instructions at the end of the document.
-[Azure Key Vault](overview.md) is automatically tied to the default [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md) tenant ID for the subscription in which it is created. You can find tenant ID associated with your subscription by following this [guide](/azure/active-directory-b2c/tenant-management-read-tenant-name). All access policy entries and roles assignments are also tied to this tenant ID. If you move your Azure subscription from tenant A to tenant B, your existing key vaults will be inaccessible by the service principals (users and applications) in tenant B. To fix this issue, you need to:
+[Azure Key Vault](overview.md) is automatically tied to the default [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) tenant ID for the subscription in which it is created. You can find tenant ID associated with your subscription by following this [guide](/azure/active-directory-b2c/tenant-management-read-tenant-name). All access policy entries and roles assignments are also tied to this tenant ID. If you move your Azure subscription from tenant A to tenant B, your existing key vaults will be inaccessible by the service principals (users and applications) in tenant B. To fix this issue, you need to:
> [!NOTE] > If Key Vault is created through [Azure Lighthouse](../../lighthouse/overview.md), it is tied to managing tenant id instead. Azure Lighthouse is only supported by vault access policy permission model.
* Remove all existing access policy entries.
* Add new access policy entries associated with tenant B.
-For more information about Azure Key Vault and Azure Active Directory, see
+For more information about Azure Key Vault and Microsoft Entra ID, see
- [About Azure Key Vault](overview.md)-- [What is Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md)
+- [What is Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md)
- [How to find tenant ID](/azure/active-directory-b2c/tenant-management-read-tenant-name)
## Limitations
For adding role assignments, see:
### Update managed identities
-If you are transferring entire subscription and using a managed identity for Azure resources, you will need to update it to the new Azure Active Directory tenant as well. For more information on managed identities, [Managed identity overview](../../active-directory/managed-identities-azure-resources/overview.md).
+If you are transferring entire subscription and using a managed identity for Azure resources, you will need to update it to the new Microsoft Entra tenant as well. For more information on managed identities, [Managed identity overview](../../active-directory/managed-identities-azure-resources/overview.md).
-If you are using managed identity, you'll also have to update the identity because the old identity will no longer be in the correct Azure Active Directory tenant. See the following documents to help resolve this issue.
+If you are using managed identity, you'll also have to update the identity because the old identity will no longer be in the correct Microsoft Entra tenant. See the following documents to help resolve this issue.
* [Updating MSI](../../active-directory/managed-identities-azure-resources/known-issues.md#transferring-a-subscription-between-azure-ad-directories)
* [Transfer Subscription to New Directory](../../role-based-access-control/transfer-subscription.md)
key-vault Network Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/network-security.md
This section will cover the different ways that an Azure Key Vault firewall can
### Key Vault Firewall Disabled (Default)
-By default, when you create a new key vault, the Azure Key Vault firewall is disabled. All applications and Azure services can access the key vault and send requests to the key vault. This configuration doesn't mean that any user will be able to perform operations on your key vault. The key vault still restricts access to secrets, keys, and certificates stored in key vault by requiring Azure Active Directory authentication and access policy permissions. To understand key vault authentication in more detail, see [Authentication in Azure Key Vault](authentication.md). For more information, see [Access Azure Key Vault behind a firewall](access-behind-firewall.md).
+By default, when you create a new key vault, the Azure Key Vault firewall is disabled. All applications and Azure services can access the key vault and send requests to the key vault. This configuration doesn't mean that any user will be able to perform operations on your key vault. The key vault still restricts access to secrets, keys, and certificates stored in key vault by requiring Microsoft Entra authentication and access policy permissions. To understand key vault authentication in more detail, see [Authentication in Azure Key Vault](authentication.md). For more information, see [Access Azure Key Vault behind a firewall](access-behind-firewall.md).
### Key Vault Firewall Enabled (Trusted Services Only)
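Review bot: "requiring Microsoft Entra authentication and access policy permissions" covers only the vault access policy model; the other Key Vault articles in this update refer to both access policy entries and role assignments. Suggest "access policy or Azure RBAC permissions" so the firewall-disabled description does not imply that access policies are the only authorization layer.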
key-vault Overview Throttling https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/overview-throttling.md
Key Vault was originally created with the limits specified in [Azure Key Vault s
1. Cache the secrets you retrieve from Azure Key Vault in memory, and reuse from memory whenever possible. Re-read from Azure Key Vault only when the cached copy stops working (e.g. because it got rotated at the source).
1. Key Vault is designed for your own services' secrets. If you are storing your customers' secrets (especially for high-throughput key storage scenarios), consider putting the keys in a database or storage account with encryption, and storing just the primary key in Azure Key Vault.
1. Encrypt, wrap, and verify public-key operations can be performed with no access to Key Vault, which not only reduces risk of throttling, but also improves reliability (as long as you properly cache the public key material).
-1. If you use Key Vault to store credentials for a service, check if that service supports Azure AD Authentication to authenticate directly. This reduces the load on Key Vault, improves reliability and simplifies your code since Key Vault can now use the Azure AD token. Many services have moved to using Azure AD Auth. See the current list at [Services that support managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-managed-identities-for-azure-resources).
+1. If you use Key Vault to store credentials for a service, check if that service supports Microsoft Entra authentication to authenticate directly. This reduces the load on Key Vault, improves reliability and simplifies your code since Key Vault can now use the Microsoft Entra token. Many services have moved to using Microsoft Entra auth. See the current list at [Services that support managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-managed-identities-for-azure-resources).
1. Consider staggering your load/deployment over a longer period of time to stay under the current RPS limits. 1. If your app comprises multiple nodes that need to read the same secret(s), then consider using a fan-out pattern, where one entity reads the secret from Key Vault, and fans out to all nodes. Cache the retrieved secrets only in memory.
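Review bot: the renamed sentence in this hunk, "check if that service supports Microsoft Entra authentication to authenticate directly", is redundant; suggest "check whether that service supports Microsoft Entra authentication, so it can authenticate directly". The same hunk uses "Microsoft Entra authentication" and then "Microsoft Entra auth" two sentences later; use the full form in both places.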
key-vault Overview Vnet Service Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/overview-vnet-service-endpoints.md
The virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network. The endpoints also allow you to restrict access to a list of IPv4 (internet protocol version 4) address ranges. Any user connecting to your key vault from outside those sources is denied access.
-There is one important exception to this restriction. If a user has opted-in to allow trusted Microsoft services, connections from those services are let through the firewall. For example, these services include Office 365 Exchange Online, Office 365 SharePoint Online, Azure compute, Azure Resource Manager, and Azure Backup. Such users still need to present a valid Azure Active Directory token, and must have permissions (configured as access policies) to perform the requested operation. For more information, see [Virtual network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md).
+There is one important exception to this restriction. If a user has opted-in to allow trusted Microsoft services, connections from those services are let through the firewall. For example, these services include Office 365 Exchange Online, Office 365 SharePoint Online, Azure compute, Azure Resource Manager, and Azure Backup. Such users still need to present a valid Microsoft Entra token, and must have permissions (configured as access policies) to perform the requested operation. For more information, see [Virtual network service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md).
## Usage scenarios
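Review bot: the renamed line keeps "(configured as access policies)" as the only authorization model, but this same change set states elsewhere that data-plane authorization may be either an access policy or Azure RBAC, so the parenthetical should read "(configured as access policies or Azure RBAC role assignments)". Minor: "opted-in" used as a verb should be "opted in".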
key-vault Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/overview.md
Your applications can securely access the information they need by using URIs. T
Access to a key vault requires proper authentication and authorization before a caller (user or application) can get access. Authentication establishes the identity of the caller, while authorization determines the operations that they're allowed to perform.
-Authentication is done via Azure Active Directory. Authorization may be done via Azure role-based access control (Azure RBAC) or Key Vault access policy. Azure RBAC can be used for both management of the vaults and access data stored in a vault, while key vault access policy can only be used when attempting to access data stored in a vault.
+Authentication is done via Microsoft Entra ID. Authorization may be done via Azure role-based access control (Azure RBAC) or Key Vault access policy. Azure RBAC can be used for both management of the vaults and access data stored in a vault, while key vault access policy can only be used when attempting to access data stored in a vault.
Azure Key Vaults may be either software-protected or, with the Azure Key Vault Premium tier, hardware-protected by hardware security modules (HSMs). Software-protected keys, secrets, and certificates are safeguarded by Azure, using industry-standard algorithms and key lengths. For situations where you require added assurance, you can import or generate keys in HSMs that never leave the HSM boundary. Azure Key Vault uses nCipher HSMs, which are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated. You can use nCipher tools to move a key from your HSM to Azure Key Vault.
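Review bot: "Azure RBAC can be used for both management of the vaults and access data stored in a vault" is ungrammatical in the renamed line; suggest "both managing vaults and accessing data stored in a vault". The same sentence writes "Key Vault access policy" and then "key vault access policy"; pick one capitalization.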
key-vault Rest Error Codes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/rest-error-codes.md
There is a limited list of "Azure Trusted Services". Azure Web Sites are **not**
You must add the IP address of the Azure Web Site to the Key Vault in order for it to work.
-If due to access policy: find the object ID for the request and ensure that the object ID matches the object to which the user is trying to assign the access policy. There will often be multiple objects in Azure AD, which have the same name, so choosing the correct one is important. By deleting and readding the access policy, it is possible to see if multiple objects exist with the same name.
+If due to access policy: find the object ID for the request and ensure that the object ID matches the object to which the user is trying to assign the access policy. There will often be multiple objects in Microsoft Entra ID, which have the same name, so choosing the correct one is important. By deleting and readding the access policy, it is possible to see if multiple objects exist with the same name.
In addition, most access policies do not require the use of the "Authorized application" as shown in the portal. Authorized applications are used for "on-behalf-of" authentication scenarios, which are rare.
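Review bot: "readding" in the renamed line should be "re-adding". While touching the line, "find the object ID for the request" would be clearer as "find the object ID used in the request", since the check being described is comparing the caller's object ID against the object named in the access policy.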
key-vault Security Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/security-features.md
Azure Private Link Service enables you to access Azure Key Vault and Azure hoste
- The Key Vault front end (data plane) is a multi-tenant server. This means that key vaults from different customers can share the same public IP address. In order to achieve isolation, each HTTP request is authenticated and authorized independently of other requests. - You may identify older versions of TLS to report vulnerabilities but because the public IP address is shared, it is not possible for key vault service team to disable old versions of TLS for individual key vaults at transport level.-- The HTTPS protocol allows the client to participate in TLS negotiation. **Clients can enforce the version of TLS**, and whenever a client does so, the entire connection will use the corresponding level protection. Applications that are communicating with or authenticating against Azure Active Directory might not work as expected if they are NOT able to use TLS 1.2 to communicate.
+- The HTTPS protocol allows the client to participate in TLS negotiation. **Clients can enforce the version of TLS**, and whenever a client does so, the entire connection will use the corresponding level protection. Applications that are communicating with or authenticating against Microsoft Entra ID might not work as expected if they are NOT able to use TLS 1.2 to communicate.
- Despite known vulnerabilities in TLS protocol, there is no known attack that would allow a malicious agent to extract any information from your key vault when the attacker initiates a connection with a TLS version that has vulnerabilities. The attacker would still need to authenticate and authorize itself, and as long as legitimate clients always connect with TLS 1.2 version, there is no way that credentials could have been leaked from vulnerabilities at old TLS versions. > [!NOTE] > For Azure Key Vault, ensure that the application accessing the Keyvault service should be running on a platform that supports TLS 1.2. If the application is dependent on .NET Framework, it should be updated as well. You can also make the registry changes mentioned in [this article](/troubleshoot/azure/active-directory/enable-support-tls-environment) to explicitly enable the use of TLS 1.2 at OS level and for .NET Framework. To meet with compliance obligations and to improve security posture, Key Vault connections via TLS 1.0 & 1.1 are considered a security risk, and any connections using old TLS protocols will be disallowed starting June 2023. You can monitor TLS version used by clients by monitoring Key Vault logs with sample Kusto query [here](monitor-key-vault.md#sample-kusto-queries). > [!WARNING]
-> TLS 1.0 and 1.1 is deprecated by Azure Active Directory and tokens to access key vault may not longer be issued for users or services requesting them with deprecated protocols. This may lead to loss of access to Key vaults. More information on AAD TLS support can be found in [Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment/#why-this-change-is-being-made)
+> TLS 1.0 and 1.1 is deprecated by Microsoft Entra ID and tokens to access key vault may not longer be issued for users or services requesting them with deprecated protocols. This may lead to loss of access to Key vaults. More information on Microsoft Entra TLS support can be found in [Microsoft Entra TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment/#why-this-change-is-being-made)
## Key Vault authentication options
-When you create a key vault in an Azure subscription, it's automatically associated with the Azure AD tenant of the subscription. All callers in both planes must register in this tenant and authenticate to access the key vault. In both cases, applications can access Key Vault in three ways:
+When you create a key vault in an Azure subscription, it's automatically associated with the Microsoft Entra tenant of the subscription. All callers in both planes must register in this tenant and authenticate to access the key vault. In both cases, applications can access Key Vault in three ways:
- **Application-only**: The application represents a service principal or managed identity. This identity is the most common scenario for applications that periodically need to access certificates, keys, or secrets from the key vault. For this scenario to work, the `objectId` of the application must be specified in the access policy and the `applicationId` must _not_ be specified or must be `null`. - **User-only**: The user accesses the key vault from any application registered in the tenant. Examples of this type of access include Azure PowerShell and the Azure portal. For this scenario to work, the `objectId` of the user must be specified in the access policy and the `applicationId` must _not_ be specified or must be `null`. - **Application-plus-user** (sometimes referred as _compound identity_): The user is required to access the key vault from a specific application _and_ the application must use the on-behalf-of authentication (OBO) flow to impersonate the user. For this scenario to work, both `applicationId` and `objectId` must be specified in the access policy. The `applicationId` identifies the required application and the `objectId` identifies the user. Currently, this option isn't available for data plane Azure RBAC.
-In all types of access, the application authenticates with Azure AD. The application uses any [supported authentication method](../../active-directory/develop/authentication-vs-authorization.md) based on the application type. The application acquires a token for a resource in the plane to grant access. The resource is an endpoint in the management or data plane, based on the Azure environment. The application uses the token and sends a REST API request to Key Vault. To learn more, review the [whole authentication flow](../../active-directory/develop/v2-oauth2-auth-code-flow.md).
+In all types of access, the application authenticates with Microsoft Entra ID. The application uses any [supported authentication method](../../active-directory/develop/authentication-vs-authorization.md) based on the application type. The application acquires a token for a resource in the plane to grant access. The resource is an endpoint in the management or data plane, based on the Azure environment. The application uses the token and sends a REST API request to Key Vault. To learn more, review the [whole authentication flow](../../active-directory/develop/v2-oauth2-auth-code-flow.md).
The model of a single mechanism for authentication to both planes has several benefits: - Organizations can control access centrally to all key vaults in their organization. - If a user leaves, they instantly lose access to all key vaults in the organization.-- Organizations can customize authentication by using the options in Azure AD, such as to enable multi-factor authentication for added security.
+- Organizations can customize authentication by using the options in Microsoft Entra ID, such as to enable multi-factor authentication for added security.
For more information, see [Key Vault authentication fundamentals](authentication.md).
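Review bot: the renamed warning line still carries two grammar errors: "TLS 1.0 and 1.1 is deprecated" should be "are deprecated", and "may not longer be issued" should be "may no longer be issued"; "Key vaults" should be "key vaults". The unchanged note just above it still says connections over old TLS versions "will be disallowed starting June 2023", which is in the past relative to this change and should be reworded as already enforced.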
For more information, see [Key Vault authentication fundamentals](authentication
Access to a key vault is controlled through two interfaces: the **management plane** and the **data plane**. The management plane is where you manage Key Vault itself. Operations in this plane include creating and deleting key vaults, retrieving Key Vault properties, and updating access policies. The data plane is where you work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates.
-Both planes use [Azure Active Directory (Azure AD)](../../active-directory/fundamentals/active-directory-whatis.md) for authentication. For authorization, the management plane uses [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) and the data plane uses a [Key Vault access policy](./assign-access-policy-portal.md) and [Azure RBAC for Key Vault data plane operations](./rbac-guide.md).
+Both planes use [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) for authentication. For authorization, the management plane uses [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md) and the data plane uses a [Key Vault access policy](./assign-access-policy-portal.md) and [Azure RBAC for Key Vault data plane operations](./rbac-guide.md).
-To access a key vault in either plane, all callers (users or applications) must have proper authentication and authorization. Authentication establishes the identity of the caller. Authorization determines which operations the caller can execute. Authentication with Key Vault works in conjunction with [Azure Active Directory (Azure AD)](../../active-directory/fundamentals/active-directory-whatis.md), which is responsible for authenticating the identity of any given **security principal**.
+To access a key vault in either plane, all callers (users or applications) must have proper authentication and authorization. Authentication establishes the identity of the caller. Authorization determines which operations the caller can execute. Authentication with Key Vault works in conjunction with [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md), which is responsible for authenticating the identity of any given **security principal**.
A security principal is an object that represents a user, group, service, or application that's requesting access to Azure resources. Azure assigns a unique **object ID** to every security principal. -- A **user** security principal identifies an individual who has a profile in Azure Active Directory.-- A **group** security principal identifies a set of users created in Azure Active Directory. Any roles or permissions assigned to the group are granted to all of the users within the group.
+- A **user** security principal identifies an individual who has a profile in Microsoft Entra ID.
+- A **group** security principal identifies a set of users created in Microsoft Entra ID. Any roles or permissions assigned to the group are granted to all of the users within the group.
- A **service principal** is a type of security principal that identifies an application or service, which is to say, a piece of code rather than a user or group. A service principal's object ID is known as its **client ID** and acts like its username. The service principal's **client secret** or **certificate** acts like its password. Many Azure Services supports assigning [Managed Identity](../../active-directory/managed-identities-azure-resources/overview.md) with automated management of **client ID** and **certificate**. Managed identity is the most secure and recommended option for authenticating within Azure. For more information about authentication to Key Vault, see [Authenticate to Azure Key Vault](authentication.md). ## Conditional access
-Key Vault provides support for Azure Active Directory Conditional Access policies. By using Conditional Access policies, you can apply the right access controls to Key Vault when needed to keep your organization secure and stay out of your user's way when not needed.
+Key Vault provides support for Microsoft Entra Conditional Access policies. By using Conditional Access policies, you can apply the right access controls to Key Vault when needed to keep your organization secure and stay out of your user's way when not needed.
For more information, see [Conditional Access overview](../../active-directory/conditional-access/overview.md)
The following table shows the endpoints for the management and data planes.
### Managing administrative access to Key Vault
-When you create a key vault in a resource group, you manage access by using Azure AD. You grant users or groups the ability to manage the key vaults in a resource group. You can grant access at a specific scope level by assigning the appropriate Azure roles. To grant access to a user to manage key vaults, you assign a predefined `key vault Contributor` role to the user at a specific scope. The following scopes levels can be assigned to an Azure role:
+When you create a key vault in a resource group, you manage access by using Microsoft Entra ID. You grant users or groups the ability to manage the key vaults in a resource group. You can grant access at a specific scope level by assigning the appropriate Azure roles. To grant access to a user to manage key vaults, you assign a predefined `key vault Contributor` role to the user at a specific scope. The following scopes levels can be assigned to an Azure role:
- **Subscription**: An Azure role assigned at the subscription level applies to all resource groups and resources within that subscription. - **Resource group**: An Azure role assigned at the resource group level applies to all resources in that resource group.
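Review bot: "The following scopes levels" in the renamed line should be "The following scope levels" (the parallel Managed HSM paragraph in this change set has it right), and the built-in role is named `Key Vault Contributor`, so the inline code should use that casing rather than `key vault Contributor`.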
key-vault Troubleshooting Access Issues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/troubleshooting-access-issues.md
As you start to scale your service, the number of requests sent to your key vaul
### I'm not able to modify access policy, how can it be enabled?
-The user needs to have sufficient Azure AD permissions to modify access policy. In this case, the user would need to have higher contributor role.
+The user needs to have sufficient Microsoft Entra permissions to modify access policy. In this case, the user would need to have higher contributor role.
### I'm seeing 'Unknown Policy' error. What does that mean?
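Review bot: "sufficient Microsoft Entra permissions to modify access policy" is misleading: editing an access policy is a management-plane operation, which this change set elsewhere says is authorized by Azure RBAC, not by a directory permission. Suggest "sufficient Azure RBAC permissions on the key vault, such as the Contributor role"; that also fixes the missing article in "would need to have higher contributor role".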
If you're creating an on-premises application, doing local development, or other
Give the AD group permissions to your key vault using the Azure CLI `az keyvault set-policy` command, or the Azure PowerShell Set-AzKeyVaultAccessPolicy cmdlet. See [Assign an access policy - CLI](assign-access-policy-cli.md) and [Assign an access policy - PowerShell](assign-access-policy-powershell.md).
-The application also needs at least one Identity and Access Management (IAM) role assigned to the key vault. Otherwise it will not be able to log in and will fail with insufficient rights to access the subscription. Azure AD Groups with Managed Identities may require up to eight hours to refresh tokens and become effective.
+The application also needs at least one Identity and Access Management (IAM) role assigned to the key vault. Otherwise it will not be able to log in and will fail with insufficient rights to access the subscription. Microsoft Entra groups with Managed Identities may require up to eight hours to refresh tokens and become effective.
### How can I redeploy Key Vault with ARM template without deleting existing access policies?
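Review bot: the rename in this hunk leaves the preceding sentence's "Give the AD group permissions" untouched, so the paragraph now says "AD group" and "Microsoft Entra groups" for the same thing; update the first to "Microsoft Entra group". Also, "at least one Identity and Access Management (IAM) role assigned to the key vault" reads as if the role is assigned to the vault itself; suggest "at least one Azure RBAC role assignment scoped to the key vault".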
key-vault Tutorial Net Create Vault Azure Web App https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/general/tutorial-net-create-vault-azure-web-app.md
# Tutorial: Use a managed identity to connect Key Vault to an Azure web app in .NET
-[Azure Key Vault](./overview.md) provides a way to store credentials and other secrets with increased security. But your code needs to authenticate to Key Vault to retrieve them. [Managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md) help to solve this problem by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having to display credentials in your code.
+[Azure Key Vault](./overview.md) provides a way to store credentials and other secrets with increased security. But your code needs to authenticate to Key Vault to retrieve them. [Managed identities for Azure resources](../../active-directory/managed-identities-azure-resources/overview.md) help to solve this problem by giving Azure services an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to any service that supports Microsoft Entra authentication, including Key Vault, without having to display credentials in your code.
In this tutorial, you'll create and deploy Azure web application to [Azure App Service](../../app-service/overview.md). You'll use a managed identity to authenticate your Azure web app with an Azure key vault using [Azure Key Vault secret client library for .NET](/dotnet/api/overview/azure/key-vault) and the [Azure CLI](/cli/azure/get-started-with-azure-cli). The same basic principles apply when you use the development language of your choice, Azure PowerShell, and/or the Azure portal.
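Review bot: "without having to display credentials in your code" in the renamed line is an odd verb choice for the point being made; suggest "without having to store credentials in your code", since the benefit of a managed identity is that no secret is embedded in the application.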
key-vault Javascript Developer Guide Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/keys/javascript-developer-guide-get-started.md
This article shows you how to connect to Azure Key Vault by using the Azure Key
npm install @azure/keyvault-keys ```
-1. If you want to use passwordless connections using Azure AD, install the Azure Identity client library for JavaScript:
+1. If you want to use passwordless connections using Microsoft Entra ID, install the Azure Identity client library for JavaScript:
```bash npm install @azure/identity
This article shows you how to connect to Azure Key Vault by using the Azure Key
## Authorize access and connect to Key Vault
-Azure Active Directory (Azure AD) provides the most secure connection by managing the connection identity ([**managed identity**](../../active-directory/managed-identities-azure-resources/overview.md)). This **passwordless** functionality allows you to develop an application that doesn't require any keys stored in the code.
+Microsoft Entra ID provides the most secure connection by managing the connection identity ([**managed identity**](../../active-directory/managed-identities-azure-resources/overview.md)). This **passwordless** functionality allows you to develop an application that doesn't require any keys stored in the code.
Before programmatically authenticating to Azure to use Azure Key Vault keys, make sure you set up your environment.
key-vault Quick Create Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/keys/quick-create-python.md
This quickstart is using the Azure Identity library with Azure CLI or Azure Powe
1. In a terminal or command prompt, create a suitable project folder, and then create and activate a Python virtual environment as described on [Use Python virtual environments](/azure/developer/python/configure-local-development-environment?tabs=cmd#use-python-virtual-environments).
-1. Install the Azure Active Directory identity library:
+1. Install the Microsoft Entra identity library:
```terminal pip install azure-identity
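Review bot: "Install the Microsoft Entra identity library" mislabels the package: `azure-identity` is the Azure Identity client library, which is what the opening sentence of this quickstart and the matching JavaScript step in this change set call it. Suggest "Install the Azure Identity client library" and leave Microsoft Entra out of the step title.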
Remove-AzResourceGroup -Name myResourceGroup
- [Secure access to a key vault](../general/security-features.md) - [Azure Key Vault developer's guide](../general/developers-guide.md) - [Key Vault security overview](../general/security-features.md)-- [Authenticate with Key Vault](../general/authentication.md)
+- [Authenticate with Key Vault](../general/authentication.md)
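Review bot: the related-links list in this hunk links to ../general/security-features.md twice under two different titles ("Secure access to a key vault" and "Key Vault security overview"); drop one of them or point "Secure access to a key vault" at a different article.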
key-vault Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/access-control.md
On the management plane, you manage the HSM itself. Operations in this plane inc
On the data plane, you work with the data that's stored in a managed HSM. That is, you work with the HSM-backed encryption keys. You can add, delete, modify, and use keys to perform cryptographic operations, manage role assignments to control access to the keys, create a full HSM backup, restore a full backup, and manage the security domain from the data plane interface.
-To access a managed HSM in either plane, all callers must have proper authentication and authorization. *Authentication* establishes the identity of the caller. *Authorization* determines which operations the caller can execute. A caller can be any one of the [security principals](../../role-based-access-control/overview.md#security-principal) that are defined in Azure Active Directory: user, group, service principal, or managed identity.
+To access a managed HSM in either plane, all callers must have proper authentication and authorization. *Authentication* establishes the identity of the caller. *Authorization* determines which operations the caller can execute. A caller can be any one of the [security principals](../../role-based-access-control/overview.md#security-principal) that are defined in Microsoft Entra ID: user, group, service principal, or managed identity.
-Both planes use Azure Active Directory for authentication. For authorization, they use different systems:
+Both planes use Microsoft Entra ID for authentication. For authorization, they use different systems:
- The management plane uses Azure role-based access control (Azure RBAC), an authorization system that's built on Azure Resource Manager. - The data plane uses a managed HSM-level RBAC (Managed HSM local RBAC), an authorization system that's implemented and enforced at the managed HSM level.
The permissions models for both planes use the same syntax, but they're enforced
> [!IMPORTANT] > Granting management plane access to a security principal does *not* grant the security principal data plane access. For example, a security principal with management plane access doesn't automatically have access to keys or data plane role assignments. This isolation is by design, to prevent inadvertent expansion of privileges that affect access to keys that are stored in Managed HSM. >
-> But there's an exception: Members of the Azure Active Directory Global Administrator role can always add users to the Managed HSM Administrator role for recovery purposes, such as when there are no longer any valid Managed HSM Administrator accounts. For more information, see [Azure Active Directory best practices for securing the Global Adminstrator role](../../active-directory/roles/best-practices.md#5-limit-the-number-of-global-administrators-to-less-than-5).
+> But there's an exception: Members of the Microsoft Entra Global Administrator role can always add users to the Managed HSM Administrator role for recovery purposes, such as when there are no longer any valid Managed HSM Administrator accounts. For more information, see [Microsoft Entra ID best practices for securing the Global Adminstrator role](../../active-directory/roles/best-practices.md#5-limit-the-number-of-global-administrators-to-less-than-5).
For example, a subscription administrator (because they have Contributor permissions to all resources in the subscription) can delete a managed HSM in their subscription. But if they don't have data plane access specifically granted through Managed HSM local RBAC, they can't gain access to keys or manage role assignments in the managed HSM to grant themselves or others access to the data plane.
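Review bot: the link text in the renamed exception note still carries the typo "Global Adminstrator"; fix it to "Global Administrator" while touching the line, and match it to the "Microsoft Entra Global Administrator role" wording used earlier in the same sentence.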
-## Azure Active Directory authentication
+<a name='azure-active-directory-authentication'></a>
-When you create a managed HSM in an Azure subscription, the managed HSM is automatically associated with the Azure Active Directory tenant of the subscription. All callers in both planes must be registered in this tenant and authenticate to access the managed HSM.
+## Microsoft Entra authentication
-The application authenticates with Azure Active Directory before calling either plane. The application can use any [supported authentication method](../../active-directory/develop/authentication-vs-authorization.md) depending on the application type. The application acquires a token for a resource in the plane to gain access. The resource is an endpoint in the management plane or data plane, depending on the Azure environment. The application uses the token and sends a REST API request to the managed HSM endpoint. To learn more, review the entire [authentication flow](../../active-directory/develop/v2-oauth2-auth-code-flow.md).
+When you create a managed HSM in an Azure subscription, the managed HSM is automatically associated with the Microsoft Entra tenant of the subscription. All callers in both planes must be registered in this tenant and authenticate to access the managed HSM.
+
+The application authenticates with Microsoft Entra ID before calling either plane. The application can use any [supported authentication method](../../active-directory/develop/authentication-vs-authorization.md) depending on the application type. The application acquires a token for a resource in the plane to gain access. The resource is an endpoint in the management plane or data plane, depending on the Azure environment. The application uses the token and sends a REST API request to the managed HSM endpoint. To learn more, review the entire [authentication flow](../../active-directory/develop/v2-oauth2-auth-code-flow.md).
Using a single authentication mechanism for both planes has several benefits: - Organizations can centrally control access to all managed HSMs in their organization. - If a user leaves the organization, they instantly lose access to all managed HSMs in the organization.-- Organizations can customize authentication by using options in Azure Active Directory, such as to enable multi-factor authentication for added security.
+- Organizations can customize authentication by using options in Microsoft Entra ID, such as to enable multi-factor authentication for added security.
## Resource endpoints
The following table shows the endpoints for the management plane and data plane.
## Management plane and Azure RBAC
-In the management plane, you use Azure RBAC to authorize the operations that a caller can execute. In the Azure RBAC model, each Azure subscription has an instance of Azure Active Directory. You grant access to users, groups, and applications from this directory. Access is granted to manage subscription resources that use the Azure Resource Manager deployment model. To grant access, use the [Azure portal](https://portal.azure.com/), the [Azure CLI](/cli/azure/install-classic-cli), [Azure PowerShell](/powershell/azureps-cmdlets-docs), or [Azure Resource Manager REST APIs](/rest/api/authorization/role-assignments).
+In the management plane, you use Azure RBAC to authorize the operations that a caller can execute. In the Azure RBAC model, each Azure subscription has an instance of Microsoft Entra ID. You grant access to users, groups, and applications from this directory. Access is granted to manage subscription resources that use the Azure Resource Manager deployment model. To grant access, use the [Azure portal](https://portal.azure.com/), the [Azure CLI](/cli/azure/install-classic-cli), [Azure PowerShell](/powershell/azureps-cmdlets-docs), or [Azure Resource Manager REST APIs](/rest/api/authorization/role-assignments).
-You create a key vault in a resource group and manage access by using Azure Active Directory. You grant users or groups the ability to manage the key vaults in a resource group. You grant the access at a specific scope level by assigning appropriate Azure roles. To grant access to a user to manage key vaults, you assign a predefined `key vault Contributor` role to the user at a specific scope. The following scope levels can be assigned to an Azure role:
+You create a key vault in a resource group and manage access by using Microsoft Entra ID. You grant users or groups the ability to manage the key vaults in a resource group. You grant the access at a specific scope level by assigning appropriate Azure roles. To grant access to a user to manage key vaults, you assign a predefined `key vault Contributor` role to the user at a specific scope. The following scope levels can be assigned to an Azure role:
- **Management group**: An Azure role assigned at the subscription level applies to all the subscriptions in that management group. - **Subscription**: An Azure role assigned at the subscription level applies to all resource groups and resources within that subscription.
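Review bot: The **Management group** bullet in the trailing context line says a role "assigned at the subscription level applies to all the subscriptions in that management group"; it should read "assigned at the management group level", since the next bullet already covers the subscription scope. While this paragraph is being touched, the role name in "+You create a key vault ... assign a predefined `key vault Contributor` role" should be written as `Key Vault Contributor`, the built-in role's actual name.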
key-vault Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/best-practices.md
Managed HSM is a cloud service that safeguards cryptographic keys. Because these
To control access to your managed HSM: -- Create an [Azure Active Directory security group](../../active-directory/fundamentals/active-directory-manage-groups.md) for the HSM Administrators (instead of assigning the Administrator role to individuals) to prevent "administration lockout" if an individual account is deleted.
+- Create an [Microsoft Entra security group](../../active-directory/fundamentals/active-directory-manage-groups.md) for the HSM Administrators (instead of assigning the Administrator role to individuals) to prevent "administration lockout" if an individual account is deleted.
- Lock down access to your management groups, subscriptions, resource groups, and managed HSMs. Use Azure role-based access control (Azure RBAC) to control access to your management groups, subscriptions, and resource groups. - Create per-key role assignments by using [Managed HSM local RBAC](access-control.md#data-plane-and-managed-hsm-local-rbac). - To maintain separation of duties, avoid assigning multiple roles to the same principals.
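Review bot: The added line "+- Create an [Microsoft Entra security group]..." needs "a" rather than "an" now that the noun starts with "Microsoft"; the article was right for "Azure" and the mechanical rename left it behind.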
key-vault Managed Hsm Technical Details https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/managed-hsm-technical-details.md
The high-availability properties of Managed HSM pools come from the automaticall
When a new pool is requested, the HFC selects three servers across several racks that have available space on their HSM adapters, and then it starts to create the pool:
-1. The HFC instructs the Node Service agents on each of the three TEEs to launch a new instance of the service code by using a set of parameters. The parameters identify the customer's Azure Active Directory tenant, the internal virtual network IP addresses of all three instances, and some other service configurations. One partition is randomly assigned as primary.
+1. The HFC instructs the Node Service agents on each of the three TEEs to launch a new instance of the service code by using a set of parameters. The parameters identify the customer's Microsoft Entra tenant, the internal virtual network IP addresses of all three instances, and some other service configurations. One partition is randomly assigned as primary.
1. The three instances start. Each instance connects to a partition on its local HSM adapter, and then it zeroizes and initializes the partition by using randomly generated usernames and credentials (to ensure that the partition can't be accessed by a human operator or by another TEE instance). 1. The primary instance creates a partition owner root certificate by using the private key that's generated in the HSM. It establishes ownership of the pool by signing a partition-level certificate for the HSM partition by using this root certificate. The primary also generates a data encryption key, which is used to protect all customer data at rest inside the service. For key material, a double wrapping is used because the HSM also protects the key material itself. 1. Next, this ownership data is synchronized to the two secondary instances. Each secondary contacts the primary by using attested TLS. The primary shares the partition owner root certificate with the private key and the data encryption key. The secondaries now use the partition root certificate to issue a partition certificate to their own HSM partitions. After this is done, you have HSM partitions on three separate servers that are owned by the same partition root certificate.
In the extremely unlikely event that this catastrophe happens, the customer can
### Controlling access to the service
-As described, our service code in the TEE is the only entity that has access to the HSM itself because the necessary credentials aren't given to the customer or to anyone else. Instead, the customer's pool is bound to their Azure Active Directory instance, and this is used for authentication and authorization. At initial provisioning, the customer can choose an initial set of employees to assign the Administrator role for the pool. These individuals, and the employees in the customer's Azure Active Directory tenant Global Administrator role, can set access control policies within the pool. All access control policies are stored by the service in the same database as the masked keys, which are also encrypted. Only the service code in the TEE has access to these access control policies.
+As described, our service code in the TEE is the only entity that has access to the HSM itself because the necessary credentials aren't given to the customer or to anyone else. Instead, the customer's pool is bound to their Microsoft Entra instance, and this is used for authentication and authorization. At initial provisioning, the customer can choose an initial set of employees to assign the Administrator role for the pool. These individuals, and the employees in the customer's Microsoft Entra tenant Global Administrator role, can set access control policies within the pool. All access control policies are stored by the service in the same database as the masked keys, which are also encrypted. Only the service code in the TEE has access to these access control policies.
## Summary
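Review bot: In the added line "+... the customer's pool is bound to their Microsoft Entra instance, and this is used for authentication and authorization", "instance" should be "tenant" for consistency with "the customer's Microsoft Entra tenant Global Administrator role" later in the same line and with the wording used in the earlier hunk of this file ("+... identify the customer's Microsoft Entra tenant").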
key-vault Mhsm Control Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/mhsm-control-data.md
Several layers of technical controls in Managed HSM further protect your key mat
The data plane is where you work with the data that's stored in a managed HSM, which is HSM-backed encryption keys. From the data plane interface, you can add, delete, modify, and use keys to perform cryptographic operations, manage role assignments to control access to the keys, create a full HSM backup, restore a full backup, and manage security domain.
- To access a managed HSM in either plane, all callers must have proper authentication and authorization. *Authentication* establishes the identity of the caller. *Authorization* determines which operations the caller can execute. A caller can be any one of the security principals that are defined in Azure Active Directory: User, group, service principal, or managed identity.
+ To access a managed HSM in either plane, all callers must have proper authentication and authorization. *Authentication* establishes the identity of the caller. *Authorization* determines which operations the caller can execute. A caller can be any one of the security principals that are defined in Microsoft Entra ID: User, group, service principal, or managed identity.
- Both planes use Azure Active Directory for authentication. For authorization, they use different systems:
+ Both planes use Microsoft Entra ID for authentication. For authorization, they use different systems:
- The management plane uses Azure role-based access control (Azure RBAC), an authorization system that's built on Azure Resource Manager. - The data plane uses a managed HSM-level RBAC (Managed HSM local RBAC), an authorization system that's implemented and enforced at the managed HSM level. The local RBAC control model allows designated HSM administrators to have complete control over their HSM pool that even the management group, subscription, or resource group administrators can't override.
key-vault Quick Create Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/quick-create-powershell.md
New-AzResourceGroup -Name "myResourceGroup" -Location "eastus2"
## Get your principal ID
-To create a Managed HSM, you will need your Azure Active Directory principal ID. To obtain your ID, use the Azure PowerShell [Get-AzADUser](/powershell/module/az.resources/get-azaduser) cmdlet, passing your email address to the "UserPrincipalName" parameter:
+To create a Managed HSM, you will need your Microsoft Entra principal ID. To obtain your ID, use the Azure PowerShell [Get-AzADUser](/powershell/module/az.resources/get-azaduser) cmdlet, passing your email address to the "UserPrincipalName" parameter:
```azurepowershell-interactive Get-AzADUser -UserPrincipalName "<your@email.address>"
Use the Azure PowerShell [New-AzKeyVaultManagedHsm](/powershell/module/az.keyvau
- Resource group name: **myResourceGroup**. - The location: **East US 2**.-- Your principal ID: Pass the Azure Active Directory principal ID that you obtained in the last section to the "Administrator" parameter.
+- Your principal ID: Pass the Microsoft Entra principal ID that you obtained in the last section to the "Administrator" parameter.
```azurepowershell-interactive New-AzKeyVaultManagedHsm -Name "your-unique-managed-hsm-name" -ResourceGroupName "myResourceGroup" -Location "eastus2" -Administrator "your-principal-ID" -SoftDeleteRetentionInDays "# of days to retain the managed hsm after softdelete"
key-vault Secure Your Managed Hsm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/managed-hsm/secure-your-managed-hsm.md
To assign management plane roles (Azure RBAC) you can use Azure portal or any of
The Azure CLI snippets in this section are built with the following assumptions: -- The Azure Active Directory administrator has created security groups to represent the three roles: Contoso Security Team, Contoso App DevOps, and Contoso App Auditors. The admin has added users to their respective groups.
+- The Microsoft Entra administrator has created security groups to represent the three roles: Contoso Security Team, Contoso App DevOps, and Contoso App Auditors. The admin has added users to their respective groups.
- All resources are located in the **ContosoAppRG** resource group. - The managed HSM logs are stored in the **contosologstorage** storage account. - The **ContosoMHSM** managed HSM and the **contosologstorage** storage account are in the same Azure location.
key-vault Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/policy-reference.md
Title: Built-in policy definitions for Key Vault description: Lists Azure Policy built-in policy definitions for Key Vault. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
key-vault About Managed Storage Account Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/secrets/about-managed-storage-account-keys.md
# About Azure Key Vault managed storage account keys > [!IMPORTANT]
-> We recommend using Azure Storage integration with Azure Active Directory (Azure AD), Microsoft's cloud-based identity and access management service. Azure AD integration is available for [Azure blobs and queues](../../storage/blobs/authorize-access-azure-active-directory.md), and provides OAuth2 token-based access to Azure Storage (just like Azure Key Vault).
-> Azure AD allows you to authenticate your client application by using an application or user identity, instead of storage account credentials. You can use an [Azure AD managed identity](../../active-directory/managed-identities-azure-resources/index.yml) when you run on Azure. Managed identities remove the need for client authentication and storing credentials in or with your application. Use below solution only when Azure AD authentication is not possible.
+> We recommend using Azure Storage integration with Microsoft Entra ID, Microsoft's cloud-based identity and access management service. Microsoft Entra integration is available for [Azure blobs and queues](../../storage/blobs/authorize-access-azure-active-directory.md), and provides OAuth2 token-based access to Azure Storage (just like Azure Key Vault).
+> Microsoft Entra ID allows you to authenticate your client application by using an application or user identity, instead of storage account credentials. You can use an [Microsoft Entra managed identity](../../active-directory/managed-identities-azure-resources/index.yml) when you run on Azure. Managed identities remove the need for client authentication and storing credentials in or with your application. Use below solution only when Microsoft Entra authentication is not possible.
An Azure storage account uses credentials comprising an account name and a key. The key is auto-generated and serves as a password, rather than an as a cryptographic key. Key Vault manages storage account keys by periodically regenerating them in storage account and provides shared access signature tokens for delegated access to resources in your storage account.
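Review bot: The added line "+> Microsoft Entra ID allows you to authenticate..." keeps "an [Microsoft Entra managed identity]"; change "an" to "a". Its closing sentence "Use below solution only when..." reads better as "Use the solution below only when...", and the unchanged context line that follows the note ("serves as a password, rather than an as a cryptographic key") has a stray "an" worth dropping while the file is open.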
key-vault Javascript Developer Guide Get Started https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/secrets/javascript-developer-guide-get-started.md
This article shows you how to connect to Azure Key Vault by using the Azure Key
npm install @azure/keyvault-secrets ```
-1. If you want to use passwordless connections using Azure AD, install the Azure Identity client library for JavaScript:
+1. If you want to use passwordless connections using Microsoft Entra ID, install the Azure Identity client library for JavaScript:
```bash npm install @azure/identity
This article shows you how to connect to Azure Key Vault by using the Azure Key
## Authorize access and connect to Key Vault
-Azure Active Directory (Azure AD) provides the most secure connection by managing the connection identity ([**managed identity**](../../active-directory/managed-identities-azure-resources/overview.md)). This **passwordless** functionality allows you to develop an application that doesn't require any secrets (keys or connection strings) stored in the code.
+Microsoft Entra ID provides the most secure connection by managing the connection identity ([**managed identity**](../../active-directory/managed-identities-azure-resources/overview.md)). This **passwordless** functionality allows you to develop an application that doesn't require any secrets (keys or connection strings) stored in the code.
Before programmatically authenticating to Azure to use Azure Key Vault secrets, make sure you set up your environment.
key-vault Overview Storage Keys Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/secrets/overview-storage-keys-powershell.md
> Key Vault Managed Storage Account Keys (legacy) is supported as-is with no more updates planned. Only Account SAS are supported with SAS definitions signed storage service version no later than 2018-03-28. > [!IMPORTANT]
-> We recommend using Azure Storage integration with Azure Active Directory (Azure AD), Microsoft's cloud-based identity and access management service. Azure AD integration is available for [Azure blobs and queues](../../storage/blobs/authorize-access-azure-active-directory.md), and provides OAuth2 token-based access to Azure Storage (just like Azure Key Vault).
-> Azure AD allows you to authenticate your client application by using an application or user identity, instead of storage account credentials. You can use an [Azure AD managed identity](../../active-directory/managed-identities-azure-resources/index.yml) when you run on Azure. Managed identities remove the need for client authentication and storing credentials in or with your application. Use this solution only when Azure AD authentication is not possible.
+> We recommend using Azure Storage integration with Microsoft Entra ID, Microsoft's cloud-based identity and access management service. Microsoft Entra integration is available for [Azure blobs and queues](../../storage/blobs/authorize-access-azure-active-directory.md), and provides OAuth2 token-based access to Azure Storage (just like Azure Key Vault).
+> Microsoft Entra ID allows you to authenticate your client application by using an application or user identity, instead of storage account credentials. You can use an [Microsoft Entra managed identity](../../active-directory/managed-identities-azure-resources/index.yml) when you run on Azure. Managed identities remove the need for client authentication and storing credentials in or with your application. Use this solution only when Microsoft Entra authentication is not possible.
An Azure storage account uses credentials comprising an account name and a key. The key is autogenerated and serves as a password, rather than an as a cryptographic key. Key Vault manages storage account keys by periodically regenerating them in storage account and provides shared access signature tokens for delegated access to resources in your storage account.
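Review bot: The added line "+> Microsoft Entra ID allows you to authenticate..." keeps "an [Microsoft Entra managed identity]"; change "an" to "a". The unchanged context line that follows the note ("serves as a password, rather than an as a cryptographic key") carries a stray "an" that could be dropped in the same edit.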
When you use the managed storage account key feature, consider the following poi
## Service principal application ID
-An Azure AD tenant provides each registered application with a [service principal](../../active-directory/develop/developer-glossary.md#service-principal-object). The service principal serves as the application ID, which is used during authorization setup for access to other Azure resources via Azure RBAC.
+A Microsoft Entra tenant provides each registered application with a [service principal](../../active-directory/develop/developer-glossary.md#service-principal-object). The service principal serves as the application ID, which is used during authorization setup for access to other Azure resources via Azure RBAC.
-Key Vault is a Microsoft application that's pre-registered in all Azure AD tenants. Key Vault is registered under the same Application ID in each Azure cloud.
+Key Vault is a Microsoft application that's pre-registered in all Microsoft Entra tenants. Key Vault is registered under the same Application ID in each Azure cloud.
| Tenants | Cloud | Application ID | | | | |
-| Azure AD | Azure Government | `7e7c393b-45d0-48b1-a35e-2905ddf8183c` |
-| Azure AD | Azure public | `cfa8b339-82a2-471a-a3c9-0fc0be7a4093` |
+| Microsoft Entra ID | Azure Government | `7e7c393b-45d0-48b1-a35e-2905ddf8183c` |
+| Microsoft Entra ID | Azure public | `cfa8b339-82a2-471a-a3c9-0fc0be7a4093` |
| Other | Any | `cfa8b339-82a2-471a-a3c9-0fc0be7a4093` | ## Prerequisites
key-vault Overview Storage Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/secrets/overview-storage-keys.md
> Key Vault Managed Storage Account Keys (legacy) is supported as-is with no more updates planned. Only Account SAS are supported with SAS definitions signed storage service version no later than 2018-03-28. > [!IMPORTANT]
-> We recommend using Azure Storage integration with Azure Active Directory (Azure AD), Microsoft's cloud-based identity and access management service. Azure AD integration is available for [Azure blobs, queues, and tables](../../storage/blobs/authorize-access-azure-active-directory.md), and provides OAuth2 token-based access to Azure Storage (just like Azure Key Vault).
-> Azure AD allows you to authenticate your client application by using an application or user identity, instead of storage account credentials. You can use an [Azure AD managed identity](../../active-directory/managed-identities-azure-resources/index.yml) when you run on Azure. Managed identities remove the need for client authentication and storing credentials in or with your application. Use below solution only when Azure AD authentication is not possible.
+> We recommend using Azure Storage integration with Microsoft Entra ID, Microsoft's cloud-based identity and access management service. Microsoft Entra integration is available for [Azure blobs, queues, and tables](../../storage/blobs/authorize-access-azure-active-directory.md), and provides OAuth2 token-based access to Azure Storage (just like Azure Key Vault).
+> Microsoft Entra ID allows you to authenticate your client application by using an application or user identity, instead of storage account credentials. You can use an [Microsoft Entra managed identity](../../active-directory/managed-identities-azure-resources/index.yml) when you run on Azure. Managed identities remove the need for client authentication and storing credentials in or with your application. Use below solution only when Microsoft Entra authentication is not possible.
An Azure storage account uses credentials comprising an account name and a key. The key is auto-generated and serves as a password, rather than an as a cryptographic key. Key Vault manages storage account keys by periodically regenerating them in storage account and provides shared access signature tokens for delegated access to resources in your storage account.
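Review bot: The added line "+> Microsoft Entra ID allows you to authenticate..." keeps "an [Microsoft Entra managed identity]"; change "an" to "a". As in the PowerShell variant of this article, "Use below solution only when..." should be "Use the solution below only when...", and the trailing context line "rather than an as a cryptographic key" has a stray "an".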
When you use the managed storage account key feature, consider the following poi
## Service principal application ID
-An Azure AD tenant provides each registered application with a [service principal](../../active-directory/develop/developer-glossary.md#service-principal-object). The service principal serves as the Application ID, which is used during authorization setup for access to other Azure resources via Azure role-base access control (Azure RBAC).
+A Microsoft Entra tenant provides each registered application with a [service principal](../../active-directory/develop/developer-glossary.md#service-principal-object). The service principal serves as the Application ID, which is used during authorization setup for access to other Azure resources via Azure role-base access control (Azure RBAC).
-Key Vault is a Microsoft application that's pre-registered in all Azure AD tenants. Key Vault is registered under the same Application ID in each Azure cloud.
+Key Vault is a Microsoft application that's pre-registered in all Microsoft Entra tenants. Key Vault is registered under the same Application ID in each Azure cloud.
| Tenants | Cloud | Application ID | | | | |
-| Azure AD | Azure Government | `7e7c393b-45d0-48b1-a35e-2905ddf8183c` |
-| Azure AD | Azure public | `cfa8b339-82a2-471a-a3c9-0fc0be7a4093` |
+| Microsoft Entra ID | Azure Government | `7e7c393b-45d0-48b1-a35e-2905ddf8183c` |
+| Microsoft Entra ID | Azure public | `cfa8b339-82a2-471a-a3c9-0fc0be7a4093` |
| Other | Any | `cfa8b339-82a2-471a-a3c9-0fc0be7a4093` | ## Prerequisites
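Review bot: The added line "+A Microsoft Entra tenant provides each registered application..." carries over the typo "Azure role-base access control"; it should be "Azure role-based access control (Azure RBAC)", matching the expansion used in the best-practices change in this same patch ("Use Azure role-based access control (Azure RBAC)").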
key-vault Quick Create Bicep https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/secrets/quick-create-bicep.md
* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
-* Your Azure AD user object ID is needed by the template to configure permissions. The following procedure gets the object ID (GUID).
+* Your Microsoft Entra user object ID is needed by the template to configure permissions. The following procedure gets the object ID (GUID).
1. Run the following Azure PowerShell or Azure CLI command by select **Try it**, and then paste the script into the shell pane. To paste the script, right-click the shell, and then select **Paste**.
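Review bot: The trailing context line "Run the following Azure PowerShell or Azure CLI command by select **Try it**" should read "by selecting **Try it**"; the same sentence appears in the quick-create-template change further down this patch and could be fixed in both places in one pass.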
Two Azure resources are defined in the Bicep file:
> [!NOTE]
- > Replace **\<vault-name\>** with the name of the key vault. Replace **\<object-id\>** with the object ID of a user, service principal, or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets.
+ > Replace **\<vault-name\>** with the name of the key vault. Replace **\<object-id\>** with the object ID of a user, service principal, or security group in the Microsoft Entra tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets.
When the deployment finishes, you should see a message indicating the deployment succeeded.
key-vault Quick Create Python https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/secrets/quick-create-python.md
This quickstart is using Azure Identity library with Azure CLI or Azure PowerShe
1. In a terminal or command prompt, create a suitable project folder, and then create and activate a Python virtual environment as described on [Use Python virtual environments](/azure/developer/python/configure-local-development-environment#configure-python-virtual-environment).
-1. Install the Azure Active Directory identity library:
+1. Install the Microsoft Entra identity library:
```terminal pip install azure-identity
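Review bot: The added line "+1. Install the Microsoft Entra identity library:" misnames the package: the command that follows is `pip install azure-identity`, which is the Azure Identity client library, and the JavaScript guide in this same patch renames the equivalent step to "install the Azure Identity client library for JavaScript". Suggest "Install the Azure Identity library:" here rather than applying the Entra rename to a library name.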
Remove-AzResourceGroup -Name myResourceGroup
- [Overview of Azure Key Vault](../general/overview.md) - [Azure Key Vault developer's guide](../general/developers-guide.md) - [Key Vault security overview](../general/security-features.md)-- [Authenticate with Key Vault](../general/authentication.md)
+- [Authenticate with Key Vault](../general/authentication.md)
key-vault Quick Create Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/secrets/quick-create-template.md
To complete this article:
* If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
-* Your Azure AD user object ID is needed by the template to configure permissions. The following procedure gets the object ID (GUID).
+* Your Microsoft Entra user object ID is needed by the template to configure permissions. The following procedure gets the object ID (GUID).
1. Run the following Azure PowerShell or Azure CLI command by select **Try it**, and then paste the script into the shell pane. To paste the script, right-click the shell, and then select **Paste**.
More Azure Key Vault template samples can be found in [Azure Quickstart Template
* **Location**: select a location. For example, **Central US**. * **Key Vault Name**: enter a name for the key vault, which must be globally unique within the .vault.azure.net namespace. You need the name in the next section when you validate the deployment. * **Tenant Id**: the template function automatically retrieves your tenant ID. Don't change the default value.
- * **Ad User Id**: enter your Azure AD user object ID that you retrieved from [Prerequisites](#prerequisites).
+ * **Ad User Id**: enter your Microsoft Entra user object ID that you retrieved from [Prerequisites](#prerequisites).
* **Secret Name**: enter a name for the secret that you store in the key vault. For example, **adminpassword**. * **Secret Value**: enter the secret value. If you store a password, it's recommended to use the generated password you created in Prerequisites. * **I agree to the terms and conditions state above**: Select.
key-vault Tutorial Rotation Dual https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/key-vault/secrets/tutorial-rotation-dual.md
The best way to authenticate to Azure services is by using a [managed identity](
This tutorial shows how to automate the periodic rotation of secrets for databases and services that use two sets of authentication credentials. Specifically, this tutorial shows how to rotate Azure Storage account keys stored in Azure Key Vault as secrets. You'll use a function triggered by Azure Event Grid notification. > [!NOTE]
-> For Storage account services, using Azure Active Directory to authorize requests is recommended. For more information, see [Authorize access to blobs using Azure Active Directory](../../storage/blobs/authorize-access-azure-active-directory.md). There are services that require storage account connection strings with access keys. For that scenario, we recommend this solution.
+> For Storage account services, using Microsoft Entra ID to authorize requests is recommended. For more information, see [Authorize access to blobs using Microsoft Entra ID](../../storage/blobs/authorize-access-azure-active-directory.md). There are services that require storage account connection strings with access keys. For that scenario, we recommend this solution.
Here's the rotation solution described in this tutorial:
kubernetes-fleet Architectural Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/kubernetes-fleet/architectural-overview.md
Azure Kubernetes Fleet Manager (Fleet) is meant to solve at-scale and multi-clus
Fleet supports joining the following types of existing AKS clusters as member clusters: * AKS clusters across same or different resource groups within same subscription
-* AKS clusters across different subscriptions of the same Azure AD tenant
+* AKS clusters across different subscriptions of the same Microsoft Entra tenant
* AKS clusters from different regions but within the same tenant During preview, you can join up to 20 AKS clusters as member clusters to the same fleet resource.
kubernetes-fleet Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/kubernetes-fleet/faq.md
During preview, you can join up to 20 AKS clusters as member clusters to the sam
Fleet supports joining the following types of AKS clusters as member clusters: * AKS clusters across same or different resource groups within same subscription
-* AKS clusters across different subscriptions of the same Azure AD tenant
+* AKS clusters across different subscriptions of the same Microsoft Entra tenant
* AKS clusters from different regions but within the same tenant ## Relationship to Azure-Arc enabled Kubernetes
kubernetes-fleet Quickstart Create Fleet And Members https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/kubernetes-fleet/quickstart-create-fleet-and-members.md
Fleet currently supports joining existing AKS clusters as member clusters.
--vnet-subnet-id "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${GROUP}/providers/Microsoft.Network/virtualNetworks/${SECOND_VNET}/subnets/${MEMBER_3_SUBNET}" ```
- We created the third cluster in a different region above to demonstrate that fleet can support joining clusters from different regions. Fleet also supports joining clusters from different subscriptions. The only requirement for AKS clusters being joined to fleet as members is that they all need to be a part of the same Azure AD tenant.
+ We created the third cluster in a different region above to demonstrate that fleet can support joining clusters from different regions. Fleet also supports joining clusters from different subscriptions. The only requirement for AKS clusters being joined to fleet as members is that they all need to be a part of the same Microsoft Entra tenant.
1. Set the following environment variables for members:
lab-services Account Setup Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/account-setup-guide.md
To plan your lab account settings, consider the following questions.
### Who should be the Owners and Contributors of the lab account?
-Your school's IT administrators ordinarily take on the Owner and Contributor roles for a lab account. These roles are responsible for managing the policies that apply to all the labs in the lab account. The person who creates the lab account is automatically an Owner. You can add more Owners and Contributors from the Azure Active Directory (Azure AD) tenant that's associated with your subscription.
+Your school's IT administrators ordinarily take on the Owner and Contributor roles for a lab account. These roles are responsible for managing the policies that apply to all the labs in the lab account. The person who creates the lab account is automatically an Owner. You can add more Owners and Contributors from the Microsoft Entra tenant that's associated with your subscription.
For more information about the lab account Owner and Contributor roles, see the "Manage identity" section of [Azure Lab Services - Administrator guide](./administrator-guide-1.md#manage-identity). [!INCLUDE [Select a tenant](./includes/multi-tenant-support.md)]
-Lab users see only a single list of the VMs that they have access to across Azure AD tenants in Azure Lab Services.
+Lab users see only a single list of the VMs that they have access to across Microsoft Entra tenants in Azure Lab Services.
### Who will be allowed to create labs?
-You may choose to have your IT team or faculty members create labs. To create labs, you then assign these people to the Lab Creator role within the lab account. You ordinarily assign this role from the Azure AD tenant that's associated with your school subscription. Whoever creates a lab is automatically assigned as the Owner of the lab.
+You may choose to have your IT team or faculty members create labs. To create labs, you then assign these people to the Lab Creator role within the lab account. You ordinarily assign this role from the Microsoft Entra tenant that's associated with your school subscription. Whoever creates a lab is automatically assigned as the Owner of the lab.
For more information about the Lab Creator role, see the "Manage identity" section of [Azure Lab Services - Administrator guide](./administrator-guide-1.md#manage-identity). ### Who will be allowed to own and manage labs?
-You can also choose to have IT and faculty members own\manage labs *without* giving them the ability to create labs. In this case, users from your subscription's Azure AD tenant are assigned either the Owner or Contributor for existing labs.
+You can also choose to have IT and faculty members own\manage labs *without* giving them the ability to create labs. In this case, users from your subscription's Microsoft Entra tenant are assigned either the Owner or Contributor for existing labs.
For more information about the lab Owner and Contributor roles, see the "Manage identity" section of [Azure Lab Services - Administrator guide](./administrator-guide-1.md#manage-identity).
lab-services Add Lab Creator https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/add-lab-creator.md
This article describes how to add users as lab creators to a lab account or lab
- To add lab creators to a lab plan, your Azure account needs to have the [Owner](./concept-lab-services-role-based-access-control.md#owner-role) Azure RBAC role assigned on the resource group. Learn more about the [Azure Lab Services built-in roles](./concept-lab-services-role-based-access-control.md).
-## Add Azure AD user account to Lab Creator role
+<a name='add-azure-ad-user-account-to-lab-creator-role'></a>
+
+## Add Microsoft Entra user account to Lab Creator role
[!INCLUDE [Add Lab Creator role](./includes/lab-services-add-lab-creator.md)]
If you're using a lab account, assign the Lab Creator role on the lab account.
## Add a guest user as a lab creator
-If you need to add an external user as a lab creator, you need to add the external user as a guest account in the Azure Active Directory that is linked to your Azure subscription.
+If you need to add an external user as a lab creator, you need to add the external user as a guest account in the Microsoft Entra ID that is linked to your Azure subscription.
The following types of email accounts can be used:
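Review bot: the rewritten sentence on the `+` line, "add the external user as a guest account in the Microsoft Entra ID that is linked to your Azure subscription", treats "Microsoft Entra ID" as a countable noun, which it is not (it is the service name). The rest of this change already uses "the Microsoft Entra tenant that's associated with your subscription" (account-setup-guide above); suggest the same wording here: "as a guest user in the Microsoft Entra tenant that's linked to your Azure subscription".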
The following types of email accounts can be used:
To add a guest user as a lab creator:
-1. Follow these steps to [add guest users to Azure Active Directory](/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal).
+1. Follow these steps to [add guest users to Microsoft Entra ID](/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal).
- If using an email account that's provided by your universityΓÇÖs Azure AD, you don't have to add them as a guest account.
+ If using an email account that's provided by your universityΓÇÖs Microsoft Entra ID, you don't have to add them as a guest account.
-1. Follow these steps to [assign the Lab Creator role to the Azure AD user account](#add-azure-ad-user-account-to-lab-creator-role).
+1. Follow these steps to [assign the Lab Creator role to the Microsoft Entra user account](#add-azure-ad-user-account-to-lab-creator-role).
> [!IMPORTANT]
-> Only lab creators need an account in Azure AD connected to the Azure subscription. For account requirements for lab users see [Access a lab in Azure Lab Services](./how-to-access-lab-virtual-machine.md).
+> Only lab creators need an account in Microsoft Entra connected to the Azure subscription. For account requirements for lab users see [Access a lab in Azure Lab Services](./how-to-access-lab-virtual-machine.md).
## Next steps
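Review bot: inconsistent product naming in the `> [!IMPORTANT]` line: "an account in Microsoft Entra connected to the Azure subscription" drops the "ID", while every other `+` line in this file writes "Microsoft Entra ID" or "Microsoft Entra tenant". Suggest "an account in the Microsoft Entra tenant connected to the Azure subscription" so the note matches the sentence it restates two hunks above.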
lab-services Administrator Guide 1 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/administrator-guide-1.md
Your university might have one or more Azure subscriptions. You use subscription
The relationship between a lab account and its subscription is important because: - Billing is reported through the subscription that contains the lab account.-- You can grant users in the subscription's Azure Active Directory (Azure AD) tenant access to Azure Lab Services. You can add a user as a lab account Owner or Contributor, or as a Lab Creator or lab Owner.
+- You can grant users in the subscription's Microsoft Entra tenant access to Azure Lab Services. You can add a user as a lab account Owner or Contributor, or as a Lab Creator or lab Owner.
Labs and their virtual machines (VMs) are managed and hosted for you within a subscription that's owned by Azure Lab Services.
lab-services Administrator Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/administrator-guide.md
Your university might have one or more Azure subscriptions. You use subscription
The relationship between a lab plan and its subscription is important because: - Billing is reported through the subscription that contains the lab plan.-- You can grant users in the subscription's Azure Active Directory (Azure AD) tenant the ability to manage Azure Lab Services lab plans and labs. You can add someone as a lab plan owner, lab plan contributor, lab creator, or lab owner. For more information about built-in RBAC roles, see [Manage identity](#rbac-roles).
+- You can grant users in the subscription's Microsoft Entra tenant the ability to manage Azure Lab Services lab plans and labs. You can add someone as a lab plan owner, lab plan contributor, lab creator, or lab owner. For more information about built-in RBAC roles, see [Manage identity](#rbac-roles).
Labs virtual machines (VMs) are managed and hosted for you within a subscription that is owned by Azure Lab Services.
For information on VM sizes and their cost, see the [Azure Lab Services Pricing]
## RBAC roles
-Azure Lab Services provides built-in Azure role-based access control (Azure RBAC) for common management scenarios in Azure Lab Services. An individual who has a profile in Azure Active Directory can assign these Azure roles to users, groups, service principals, or managed identities to grant or deny access to resources and operations on Azure Lab Services resources. This article describes the different built-in roles that Azure Lab Services supports.
+Azure Lab Services provides built-in Azure role-based access control (Azure RBAC) for common management scenarios in Azure Lab Services. An individual who has a profile in Microsoft Entra ID can assign these Azure roles to users, groups, service principals, or managed identities to grant or deny access to resources and operations on Azure Lab Services resources. This article describes the different built-in roles that Azure Lab Services supports.
Learn more about [Azure role-based access control in Azure Lab Services](./concept-lab-services-role-based-access-control.md).
To obtain lab VMs with unique SID, create a lab without a template VM. You must
If you plan to use an endpoint management tool or similar software, we recommend that you don't use template VMs for your labs.
-## Azure AD register/join, Hybrid Azure AD join, or AD domain join
-To make labs easy to set up and manage, Azure Lab Services is designed with *no* requirement to register/join lab VMs to either Active Directory (AD) or Azure Active Directory (Azure AD). As a result, Azure Lab Services *doesnΓÇÖt* currently offer built-in support to register/join lab VMs. Although it's possible to Azure AD register/join, Hybrid Azure AD join, or AD domain join lab VMs using other mechanisms, we do *not* recommend that you attempt to register/join lab VMs to either AD or Azure AD due to product limitations.
+<a name='azure-ad-registerjoin-hybrid-azure-ad-join-or-ad-domain-join'></a>
+
+## Microsoft Entra register/join, Microsoft Entra hybrid join, or AD domain join
+To make labs easy to set up and manage, Azure Lab Services is designed with *no* requirement to register/join lab VMs to either Active Directory (AD) or Microsoft Entra ID. As a result, Azure Lab Services *doesnΓÇÖt* currently offer built-in support to register/join lab VMs. Although it's possible to Microsoft Entra register/join, Microsoft Entra hybrid join, or AD domain join lab VMs using other mechanisms, we do *not* recommend that you attempt to register/join lab VMs to either Active Directory or Microsoft Entra ID due to product limitations.
## Pricing
For more information about setting up and managing labs, see:
- [Configure a lab plan](lab-plan-setup-guide.md) - [Configure a lab](setup-guide.md)-- [Manage costs for labs](cost-management-guide.md)
+- [Manage costs for labs](cost-management-guide.md)
lab-services Classroom Labs Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/classroom-labs-scenarios.md
Labs meet the following requirements for conducting training in any virtual envi
Azure Lab Services uses Azure Role-Based Access (Azure RBAC) to manage access to Azure Lab Services. For more information, see the [Azure Lab Services built-in roles](./administrator-guide.md#rbac-roles). Using Azure RBAC lets you clearly separate roles and responsibilities for creating and managing labs across different teams and people in your organization.
-Depending on your organizational structure, responsibilities, and skill level, there might be different options to map these permissions to your organizational roles or personas, such as administrators, or educators. The scenarios and diagrams also include students to show where they fit in the process, although they don't require Azure AD permissions.
+Depending on your organizational structure, responsibilities, and skill level, there might be different options to map these permissions to your organizational roles or personas, such as administrators, or educators. The scenarios and diagrams also include students to show where they fit in the process, although they don't require Microsoft Entra permissions.
The following sections give different examples of assigning permissions across an organization. Azure Lab Services enables you to flexibly assign permissions beyond these typical scenarios to match your organizational setup.
Get started as an educator with the [Tutorial: set up a lab for classroom traini
:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario1.png" alt-text="Diagram that shows lab creation steps where admins create the lab plan and educators create the lab.":::
-The following table shows the corresponding mapping of organization roles to Azure AD roles:
+The following table shows the corresponding mapping of organization roles to Microsoft Entra roles:
-| Org. role | Azure AD role | Description |
+| Org. role | Microsoft Entra role | Description |
| | | | | Administrator | - Subscription Owner<br/>- Subscription Contributor | Create lab plan in Azure portal. | | Educator | Lab Creator | Create and manage the labs they created. | | | Lab Contributor | Optionally, assign to an educator to create and manage all labs (when assigned at the resource group level). | | | Lab Assistant | Optionally, assign to other educators to help support lab students by allowing reimage/start/stop/connect lab VMs. |
-| Student | | Students don't need an Azure AD role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration or students are automatically granted access, for example when using [Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). |
+| Student | | Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration or students are automatically granted access, for example when using [Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). |
| Others | Lab Services Reader | Optionally, provide access to see all lab plans and labs without permission to modify. | ### Scenario 2: The IT department owns the entire lab creation process
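Review bot: the column header rename "Azure AD role" to "Microsoft Entra role" makes the table wrong rather than just up to date. Every role listed in this column (Subscription Owner, Subscription Contributor, Lab Creator, Lab Contributor, Lab Assistant, Lab Services Reader) is an Azure RBAC role scoped to a subscription, resource group or lab, and the paragraph introducing these tables says exactly that ("Azure Lab Services uses Azure Role-Based Access (Azure RBAC)"). "Microsoft Entra roles" are directory roles such as Global Administrator, which is a different and far more privileged thing; an administrator following this table could end up granting a directory role where a resource-scoped RBAC assignment was meant. Suggest "Azure RBAC role" for the header, "Students don't need an Azure RBAC role" in the Student row, and the same fix in the Scenario 2 and Scenario 3 tables below, which repeat the identical change.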
Get started as an educator and [add students to a lab](./how-to-manage-lab-users
:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario2.png" alt-text="Diagram that shows lab creation steps where admins own the entire process.":::
-The following table shows the corresponding mapping of organization roles to Azure AD roles:
+The following table shows the corresponding mapping of organization roles to Microsoft Entra roles:
-| Org. role | Azure AD role | Description |
+| Org. role | Microsoft Entra role | Description |
| | | | | Administrator | - Subscription Owner<br/>- Subscription Contributor | Create lab plan in Azure portal. | | Educator | - Lab Assistant | Optionally, assign to other educators to help support lab students by allowing reimage/start/stop/connect lab VMs. |
-| Student | | Students don't need an Azure AD role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration or students are automatically granted access, for example when using [Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). |
+| Student | | Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration or students are automatically granted access, for example when using [Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). |
| Others | Lab Services Reader | Optionally, provide access to see all lab plans and labs without permission to modify. | ### Scenario 3: The educator owns the entire lab creation process
Get started as an administrator with the [Quickstart: create and connect to a la
:::image type="content" source="./media/classroom-labs-scenarios/lab-services-process-education-roles-scenario3.png" alt-text="Diagram that shows lab creation steps where educators own the entire process.":::
-The following table shows the corresponding mapping of organization roles to Azure AD roles:
+The following table shows the corresponding mapping of organization roles to Microsoft Entra roles:
-| Org. role | Azure AD role | Description |
+| Org. role | Microsoft Entra role | Description |
| | | | | Educator | - Subscription Owner<br/>- Subscription Contributor | Create lab plan in Azure portal. As an Owner, you can also fully manage all labs. | | | Lab Assistant | Optionally, assign to other educators to help support lab students by allowing reimage/start/stop/connect lab VMs. |
-| Student | | Students don't need an Azure AD role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration or students are automatically granted access, for example when using [Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). |
+| Student | | Students don't need a Microsoft Entra role. Educators [grant students access](./how-to-manage-lab-users.md) in the lab configuration or students are automatically granted access, for example when using [Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams) or [Canvas](./how-to-manage-labs-within-canvas.md#manage-lab-user-lists-in-canvas). |
| Others | Lab Services Reader | Optionally, provide access to see all lab plans and labs without permission to modify. | ## Next steps
lab-services Concept Lab Accounts Versus Lab Plans https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/concept-lab-accounts-versus-lab-plans.md
By using lab plans, you can unlock several new capabilities:
**[Updates to lab owner experience](how-to-manage-labs.md)**. Choose to skip the template creation process when creating a new lab if you already have an image ready to use. In addition, you can add a non-admin user to lab VMs.
-**[Updates to lab user experience](how-to-manage-vm-pool.md#redeploy-lab-vms)**. In addition to reimaging their lab VM, lab users can now also redeploy their lab VM without losing the data inside the lab VM. In addition, the lab registration experience is simplified when you use labs in Teams, Canvas, or with Azure AD groups. In these cases, Azure Lab Services *automatically* assigns a lab VM to a lab user.
+**[Updates to lab user experience](how-to-manage-vm-pool.md#redeploy-lab-vms)**. In addition to reimaging their lab VM, lab users can now also redeploy their lab VM without losing the data inside the lab VM. In addition, the lab registration experience is simplified when you use labs in Teams, Canvas, or with Microsoft Entra groups. In these cases, Azure Lab Services *automatically* assigns a lab VM to a lab user.
**SDKs**. Azure Lab Services is now integrated with the [Az PowerShell module](/powershell/azure/release-notes-azureps) and supports Azure Resource Manager (ARM) templates. Also, you can use either the [.NET SDK](/dotnet/api/overview/azure/labservices) or [Python SDK](https://pypi.org/project/azure-mgmt-labservices/).
lab-services Concept Lab Services Role Based Access Control https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/concept-lab-services-role-based-access-control.md
Last updated 04/20/2023
# Azure role-based access control in Azure Lab Services
-Azure Lab Services provides built-in Azure role-based access control (Azure RBAC) for common management scenarios in Azure Lab Services. An individual who has a profile in Azure Active Directory can assign these Azure roles to users, groups, service principals, or managed identities to grant or deny access to resources and operations on Azure Lab Services resources. This article describes the different built-in roles that Azure Lab Services supports.
+Azure Lab Services provides built-in Azure role-based access control (Azure RBAC) for common management scenarios in Azure Lab Services. An individual who has a profile in Microsoft Entra ID can assign these Azure roles to users, groups, service principals, or managed identities to grant or deny access to resources and operations on Azure Lab Services resources. This article describes the different built-in roles that Azure Lab Services supports.
Azure role-based access control (RBAC) is an authorization system built on [Azure Resource Manager](/azure/azure-resource-manager/management/overview) that provides fine-grained access management of Azure resources.
lab-services Concept Lab Services Supported Networking Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/concept-lab-services-supported-networking-scenarios.md
The following table lists common networking scenarios and topologies and their s
| Use a connection broker, such as Parsec, for high-framerate gaming scenarios | Not recommended | This scenario isnΓÇÖt directly supported with Azure Lab Services and would run into the same challenges as accessing lab VMs by private IP address. | | *Cyber field* scenario, consisting of a set of vulnerable VMs on the network for lab users to discover and hack into (ethical hacking) | Yes | This scenario works with advanced networking for lab plans. Learn about the [ethical hacking class type](./class-type-ethical-hacking.md). | | Enable using Azure Bastion for lab VMs | No | Azure Bastion isn't supported in Azure Lab Services. |
-| Set up line-of-sight to domain controller | Not recommended | Line-of-sight from a lab to a domain controller is required to Hybrid Azure AD join or AD domain join VMs; however, we currently do *not* recommend that lab VMs be Azure AD joined/registered, Hybrid Azure AD joined, or AD domain joined due to product limitations. |
+| Set up line-of-sight to domain controller | Not recommended | Line-of-sight from a lab to a domain controller is required to Microsoft Entra hybrid join or AD domain join VMs; however, we currently do *not* recommend that lab VMs be Microsoft Entra joined/registered, Microsoft Entra hybrid joined, or AD domain joined due to product limitations. |
## Next steps
lab-services How To Access Lab Virtual Machine https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/how-to-access-lab-virtual-machine.md
After the registration finishes, confirm that you see the lab virtual machine in
Azure Lab Services supports different email account types when registering for a lab: -- An organizational email account that's provided by your Azure Active Directory instance.
+- An organizational email account that's provided by your Microsoft Entra instance.
- A Microsoft-domain email account, such as *outlook.com*, *hotmail.com*, *msn.com*, or *live.com*. - A non-Microsoft email account, such as one provided by Yahoo! or Google. You need to link your account with a Microsoft account.
lab-services How To Attach Detach Shared Image Gallery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/how-to-attach-detach-shared-image-gallery.md
Saving images to a compute gallery and replicating those images incurs extra cos
| [Owner](/azure/role-based-access-control/built-in-roles#owner) | Azure compute gallery | If you attach an existing compute gallery. | | [Owner](/azure/role-based-access-control/built-in-roles#owner) | Resource group | If you create a new compute gallery. | -- If your Azure account is a guest user in Azure Active Directory, your Azure account needs to have the [Directory Readers](/azure/active-directory/roles/permissions-reference#directory-readers) role to attach an existing compute gallery.
+- If your Azure account is a guest user in Microsoft Entra ID, your Azure account needs to have the [Directory Readers](/azure/active-directory/roles/permissions-reference#directory-readers) role to attach an existing compute gallery.
Learn how to [assign an Azure role in Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/role-assignments-steps#step-5-assign-role).
To learn how to save a template image to the compute gallery or use an image fro
To explore other options for bringing custom images to compute gallery outside of the context of a lab, see [Recommended approaches for creating custom images](approaches-for-custom-image-creation.md).
-For more information about compute galleries in general, see [compute gallery](../virtual-machines/shared-image-galleries.md).
+For more information about compute galleries in general, see [compute gallery](../virtual-machines/shared-image-galleries.md).
lab-services How To Configure Canvas For Lab Plans https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/how-to-configure-canvas-for-lab-plans.md
If you've already configured your course to use Azure Lab Services, learn how yo
- Your Canvas account needs [Admin permissions](https://community.canvaslms.com/t5/Canvas-Basics-Guide/What-is-the-Admin-role/ta-p/78) to add the Azure Lab Services app to Canvas. -- To link lab plans, your Azure account needs the following permissions. Learn how to [assign Azure Active Directory roles to users](/azure/active-directory/roles/manage-roles-portal).
+- To link lab plans, your Azure account needs the following permissions. Learn how to [assign Microsoft Entra roles to users](/azure/active-directory/roles/manage-roles-portal).
- Reader role on the Azure subscription. - Contributor role on the resource group that contains your lab plan. - Write access to the lab plan.
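Review bot: the link text "assign Microsoft Entra roles to users" (and its target `/azure/active-directory/roles/manage-roles-portal`) points at directory-role assignment, but the permissions the bullet list then enumerates (Reader on the subscription, Contributor on the resource group, write access to the lab plan) are Azure RBAC assignments on Azure resources. The rename preserved a pre-existing mismatch; the right target is the Azure RBAC role-assignment procedure this same change already links elsewhere (`/azure/role-based-access-control/role-assignments-steps#step-5-assign-role` in how-to-attach-detach-shared-image-gallery). Suggest "Learn how to [assign an Azure role in Azure RBAC](...)".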
lab-services How To Manage Lab Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/how-to-manage-lab-users.md
This article describes how to manage lab users in Azure Lab Services. Learn how
Azure Lab Services supports different options for managing the list of lab users: - Add users manually to the lab by specifying their email address. Optionally, you can upload a CSV file with email addresses.-- Synchronize the list of users with an Azure Active Directory (Azure AD) group.
+- Synchronize the list of users with a Microsoft Entra group.
- Integrate with Microsoft Teams or Canvas and synchronize the user list with the team (Teams) or course (Canvas) membership. When you add users to a lab based on their email address, lab users will first need to register for the lab by using a lab registration link. This registration process is a one-time operation. After a lab users registers for the lab, they can access their lab in the Azure Lab Services website.
-When you use Teams, Canvas, or an Azure AD group, Azure Lab Services automatically grants users access to the lab and assigns a lab VM based on their membership in Microsoft or Canvas. In this case, you don't have to specify the lab user list, and users don't have to register for the lab.
+When you use Teams, Canvas, or a Microsoft Entra group, Azure Lab Services automatically grants users access to the lab and assigns a lab VM based on their membership in Microsoft or Canvas. In this case, you don't have to specify the lab user list, and users don't have to register for the lab.
By default, access to a lab is restricted. Only users that are in the list of lab users can register for a lab, and get access to the lab virtual machine (VM). You can disable restricted access for a lab, which lets any user register for a lab if they have the registration link.
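Review bot: the `+` line now lists three membership sources ("Teams, Canvas, or a Microsoft Entra group") but the second half of the sentence still says access is assigned "based on their membership in Microsoft or Canvas", which names only two and "Microsoft" on its own is not a product. Suggest "based on their membership in the team, course, or group" so the sentence covers the Microsoft Entra group case it just introduced.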
You can add lab users manually by providing their email address in the lab confi
Azure Lab Services supports different email account types when registering for a lab: -- An organizational email account that's provided by your Azure Active Directory instance.
+- An organizational email account that's provided by your Microsoft Entra instance.
- A Microsoft-domain email account, such as *outlook.com*, *hotmail.com*, *msn.com*, or *live.com*. - A non-Microsoft email account, such as one provided by Yahoo! or Google. You need to link your account with a Microsoft account. - A GitHub account. You need to link your account with a Microsoft account.
To view the list of lab users that have already registered for the lab by using
> [!NOTE] > If you [republish a lab](how-to-create-manage-template.md#publish-the-template-vm) or [Reimage VMs](how-to-manage-vm-pool.md#reimage-lab-vms), the users remain registered for the labs' VMs. However, the contents of the VMs will be deleted and the VMs will be recreated with the template VM's image.
-# [Azure AD group](#tab/aad)
+# [Microsoft Entra group](#tab/aad)
-You can manage the lab user list by synchronizing the lab with an Azure AD group. When you use an Azure AD group, you don't have to manually add or delete users in the lab settings. Add or remove users in Teams or Canvas to assign or remove access for a user to a lab VM.
+You can manage the lab user list by synchronizing the lab with a Microsoft Entra group. When you use a Microsoft Entra group, you don't have to manually add or delete users in the lab settings. Add or remove users in Teams or Canvas to assign or remove access for a user to a lab VM.
-You can create an Azure AD group within your organization's Azure AD to manage access to organizational resources and cloud-based apps. To learn more, see [Azure AD groups](../active-directory/fundamentals/active-directory-manage-groups.md). If your organization uses Microsoft Office 365 or Azure services, your organization already has admins who manage your Azure Active Directory.
+You can create a Microsoft Entra group within your organization's Microsoft Entra ID to manage access to organizational resources and cloud-based apps. To learn more, see [Microsoft Entra groups](../active-directory/fundamentals/active-directory-manage-groups.md). If your organization uses Microsoft Office 365 or Azure services, your organization already has admins who manage your Microsoft Entra ID.
Lab users don't have to register for their lab and a lab VM is automatically assigned. Lab users can [access the lab directly from the Azure Lab Services website](./how-to-access-lab-virtual-machine.md).
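Review bot: the last sentence of the rewritten paragraph, "Add or remove users in Teams or Canvas to assign or remove access for a user to a lab VM", is inside the Microsoft Entra group tab (`#tab/aad`) and contradicts the two sentences before it, which say the lab user list is synchronized with the Microsoft Entra group. For this tab it should read "Add or remove users in the Microsoft Entra group to assign or remove access"; Teams and Canvas have their own tabs.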
-### Synchronize the lab user list with Azure AD group
+<a name='synchronize-the-lab-user-list-with-azure-ad-group'></a>
-When you sync a lab with an Azure AD group, Azure Lab Services pulls all users inside the Azure AD group into the lab as lab users. Only people in the Azure AD group have access to the lab. The user list automatically refreshes every 24 hours to match the latest membership of the Azure AD group. You can also manually synchronize the list of lab users at any time.
+### Synchronize the lab user list with Microsoft Entra group
-The option to synchronize the list of lab users with an Azure AD group is only available if you haven't added users to the lab manually or through a CSV import yet. Make sure there are no users in the lab user list.
+When you sync a lab with a Microsoft Entra group, Azure Lab Services pulls all users inside the Microsoft Entra group into the lab as lab users. Only people in the Microsoft Entra group have access to the lab. The user list automatically refreshes every 24 hours to match the latest membership of the Microsoft Entra group. You can also manually synchronize the list of lab users at any time.
-To sync a lab with an existing Azure AD group:
+The option to synchronize the list of lab users with a Microsoft Entra group is only available if you haven't added users to the lab manually or through a CSV import yet. Make sure there are no users in the lab user list.
+
+To sync a lab with an existing Microsoft Entra group:
1. Sign in to the [Azure Lab Services website](https://labs.azure.com/).
To sync a lab with an existing Azure AD group:
1. In the left pane, select **Users**, and then select **Sync from group**.
- :::image type="content" source="./media/how-to-manage-lab-users/add-users-sync-group.png" alt-text="Screenshot that shows how to add users by syncing from an Azure AD group.":::
+ :::image type="content" source="./media/how-to-manage-lab-users/add-users-sync-group.png" alt-text="Screenshot that shows how to add users by syncing from a Microsoft Entra group.":::
+
+1. Select the Microsoft Entra group you want to sync users with from the list of groups.
-1. Select the Azure AD group you want to sync users with from the list of groups.
+ If you don't see any Microsoft Entra groups in the list, this could be because of the following reasons:
- If you don't see any Azure AD groups in the list, this could be because of the following reasons:
+ - You're a guest user in Microsoft Entra ID (usually if you're outside the organization that owns the Microsoft Entra ID), and you're not allowed to search for groups inside the Microsoft Entra ID. In this case, you can't add a Microsoft Entra group to the lab.
+ - Microsoft Entra groups you created through Microsoft Teams don't show up in this list. You can add the Azure Lab Services app inside Microsoft Teams to create and manage labs directly from within Microsoft Teams. Learn more about [managing a labΓÇÖs user list from within Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams).
- - You're a guest user in Azure Active Directory (usually if you're outside the organization that owns the Azure AD), and you're not allowed to search for groups inside the Azure AD. In this case, you can't add an Azure AD group to the lab.
- - Azure AD groups you created through Microsoft Teams don't show up in this list. You can add the Azure Lab Services app inside Microsoft Teams to create and manage labs directly from within Microsoft Teams. Learn more about [managing a labΓÇÖs user list from within Teams](./how-to-manage-labs-within-teams.md#manage-lab-user-lists-in-teams).
+1. Select **Add** to sync the lab users with the Microsoft Entra group.
-1. Select **Add** to sync the lab users with the Azure AD group.
+ Azure Lab Services automatically pulls the list of users from Microsoft Entra ID, and refreshes the list every 24 hours.
- Azure Lab Services automatically pulls the list of users from Azure AD, and refreshes the list every 24 hours.
+ Optionally, you can select **Sync** in the **Users** tab to manually synchronize to the latest changes in the Microsoft Entra group.
- Optionally, you can select **Sync** in the **Users** tab to manually synchronize to the latest changes in the Azure AD group.
+<a name='automatic-vm-management-based-on-azure-ad-group'></a>
-### Automatic VM management based on Azure AD group
+### Automatic VM management based on Microsoft Entra group
-When you synchronize a lab with an Azure AD group, Azure Lab Services automatically manages the number of lab VMs based on the number of users in the Azure AD group.
+When you synchronize a lab with a Microsoft Entra group, Azure Lab Services automatically manages the number of lab VMs based on the number of users in the Microsoft Entra group.
-When a user is added to the Azure AD group, Azure Lab Services automatically adds a lab VM for that user. When a user is no longer a member of the Azure AD group, the lab VM for that user is automatically deleted from the lab.
+When a user is added to the Microsoft Entra group, Azure Lab Services automatically adds a lab VM for that user. When a user is no longer a member of the Microsoft Entra group, the lab VM for that user is automatically deleted from the lab.
-You can't manually add or remove lab users, or update the lab capacity when synchronizing with an Azure AD group.
+You can't manually add or remove lab users, or update the lab capacity when synchronizing with a Microsoft Entra group.
# [Teams](#tab/teams)
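Review bot: In the guest-user bullet, the rename yields "outside the organization that owns the Microsoft Entra ID" and "search for groups inside the Microsoft Entra ID", where the old "Azure AD" referred to the directory instance; "Microsoft Entra ID" is the product name and reads oddly as something an organization owns or searches inside, so write "the Microsoft Entra tenant" and "inside the tenant" there. While the Teams bullet is being touched, also check the apostrophe in "labΓÇÖs user list": as rendered here it is a mis-encoded curly quote, so confirm the committed file stores a plain apostrophe and is saved as UTF-8.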
lab-services How To Manage Vm Pool https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/how-to-manage-vm-pool.md
Learn how you can manage the pool of lab virtual machines (VMs) in Azure Lab Ser
The lab virtual machine pool represents the set of lab VMs that are available for lab users to connect to. The lab VM creation starts when you publish a lab template, or when you update the lab capacity.
-When you synchronize the lab user list with an Azure AD group, or create a lab in Teams or Canvas, Azure Lab Services manages the lab VM pool automatically based on membership.
+When you synchronize the lab user list with a Microsoft Entra group, or create a lab in Teams or Canvas, Azure Lab Services manages the lab VM pool automatically based on membership.
## Prerequisites
A lab VM can be in one of the following states:
## Change lab capacity
-When you synchronize the lab user list with an Azure AD group, or create a lab in Teams or Canvas, Azure Lab Services manages the lab VM pool automatically based on membership. When you add or remove a user, the lab capacity increases or decreases accordingly. Lab users are also automatically registered and assigned to their lab VM.
+When you synchronize the lab user list with a Microsoft Entra group, or create a lab in Teams or Canvas, Azure Lab Services manages the lab VM pool automatically based on membership. When you add or remove a user, the lab capacity increases or decreases accordingly. Lab users are also automatically registered and assigned to their lab VM.
If you manage the lab user list manually, you can modify the lab capacity to modify the number of lab VMs that are available for lab users.
lab-services Lab Plan Setup Guide https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/lab-plan-setup-guide.md
To plan your lab plan settings, consider the following questions.
### Who should be the Owners and Contributors of the lab plan?
-Your school's IT administrators ordinarily take on the Owner and Contributor roles for a lab plan. These roles are responsible for managing the policies that apply to all the labs in the lab plan. The person who creates the lab plan is automatically an Owner. You can add additional Owners and Contributors from the Azure Active Directory (Azure AD) tenant that's associated with your subscription.
+Your school's IT administrators ordinarily take on the Owner and Contributor roles for a lab plan. These roles are responsible for managing the policies that apply to all the labs in the lab plan. The person who creates the lab plan is automatically an Owner. You can add additional Owners and Contributors from the Microsoft Entra tenant that's associated with your subscription.
For more information about the lab plan Owner and Contributor roles, see [RBAC roles](./concept-lab-services-role-based-access-control.md). [!INCLUDE [Select a tenant](./includes/multi-tenant-support.md)]
-Lab users see only a single list of the VMs that they have access to across Azure AD tenants in Azure Lab Services.
+Lab users see only a single list of the VMs that they have access to across Microsoft Entra tenants in Azure Lab Services.
### Who will be allowed to create labs?
-You may choose to have your IT team or faculty members create labs. To create labs, you then assign these people to the Lab Creator role within the lab plan. You ordinarily assign this role from the Azure AD tenant that's associated with your school subscription. Whoever creates a lab is automatically assigned as the Owner of the lab.
+You may choose to have your IT team or faculty members create labs. To create labs, you then assign these people to the Lab Creator role within the lab plan. You ordinarily assign this role from the Microsoft Entra tenant that's associated with your school subscription. Whoever creates a lab is automatically assigned as the Owner of the lab.
For more information about the Lab Creator role, see [RBAC roles](./concept-lab-services-role-based-access-control.md). ### Who will be allowed to own and manage labs?
-You can also choose to have IT and faculty members own\manage labs *without* giving them the ability to create labs. In this case, users from your subscription's Azure AD tenant are assigned either the Owner or Contributor for existing labs.
+You can also choose to have IT and faculty members own\manage labs *without* giving them the ability to create labs. In this case, users from your subscription's Microsoft Entra tenant are assigned either the Owner or Contributor for existing labs.
For more information about the lab Owner and Contributor roles, see [RBAC roles](./concept-lab-services-role-based-access-control.md).
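Review bot: "own\manage labs" in the rewritten sentence under "Who will be allowed to own and manage labs?" uses a backslash where a slash (or simply "own and manage") is meant; since the line is already being changed for the Entra rename, fix it in the same commit.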
lab-services Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/policy-reference.md
Title: Built-in policy definitions for Lab Services description: Lists Azure Policy built-in policy definitions for Azure Lab Services. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
lab-services Quick Create Connect Lab https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/quick-create-connect-lab.md
After you complete this quickstart, you'll have a lab that you can connect to an
A lab contains the configuration and settings for creating lab VMs. All lab VMs within a lab are identical. You use the Azure Lab Services website to create a lab in the lab plan. > [!NOTE]
-> To create a lab, your Azure account needs the Lab Creator Azure Active Directory (Azure AD) role. As the owner of the lab plan, you can automatically create labs and you don't need the Lab Creator role.
+> To create a lab, your Azure account needs the Lab Creator Microsoft Entra role. As the owner of the lab plan, you can automatically create labs and you don't need the Lab Creator role.
Follow these steps to add a lab to the lab plan you created earlier:
You can now explore and experiment within the lab virtual machine.
You've successfully created a lab virtual machine for experimenting inside the VM. You created a lab plan in the Azure portal and added a lab from the Azure Lab Services website. You then published the lab to create the lab VM, and connect to it with remote desktop.
-Azure Lab Services supports different Azure AD roles to delegate specific tasks and responsibilities to different people in your organization. In the next tutorial, you learn how to set up a lab for classroom teaching, where you assign permissions to lab creators and invite lab users to connect to the lab VMs.
+Azure Lab Services supports different Microsoft Entra roles to delegate specific tasks and responsibilities to different people in your organization. In the next tutorial, you learn how to set up a lab for classroom teaching, where you assign permissions to lab creators and invite lab users to connect to the lab VMs.
> [!div class="nextstepaction"] > [Tutorial: Create a lab for classroom training](./tutorial-setup-lab.md)
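Review bot: "the Lab Creator Microsoft Entra role" in the note and "different Microsoft Entra roles" in the closing paragraph carry over a pre-existing inaccuracy: Lab Creator, Owner and Contributor are Azure RBAC roles scoped to the lab plan or lab (the setup guide in this same change links them as RBAC roles), not Microsoft Entra directory roles. Suggest "the Lab Creator Azure role" and "different Azure roles"; the distinction matters because the two role systems are assigned in different places, and a reader following the Entra wording would look in the wrong admin surface.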
lab-services Tutorial Connect Lab Virtual Machine https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/tutorial-connect-lab-virtual-machine.md
Last updated 06/29/2023
# Tutorial: Register and access a lab in the Azure Lab Services website
-Azure Lab Services supports inviting lab users based on their email address, by syncing with an Azure Active Directory group, or by integrating with Teams or Canvas. In this tutorial, you learn how to register for a lab with your email address, view the lab in the Azure Lab Services website, and connect to the lab virtual machine with a remote desktop client or SSH.
+Azure Lab Services supports inviting lab users based on their email address, by syncing with a Microsoft Entra group, or by integrating with Teams or Canvas. In this tutorial, you learn how to register for a lab with your email address, view the lab in the Azure Lab Services website, and connect to the lab virtual machine with a remote desktop client or SSH.
:::image type="content" source="./media/tutorial-connect-vm-in-classroom-lab/lab-services-process-register-access-lab.png" alt-text="Diagram that shows the steps involved in registering and accessing a lab from the Azure Lab Services website.":::
lab-services Tutorial Setup Lab Teams Canvas https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/tutorial-setup-lab-teams-canvas.md
In the next step, you use the Azure Lab Services app to create a lab.
1. Sign into Canvas, and select your course.
- If you're authenticated in Canvas as an educator, you'll see a sign in screen before you can use the Azure Lab Services app. Sign in here with an Azure AD account or Microsoft account that was added as a lab creator.
+ If you're authenticated in Canvas as an educator, you'll see a sign in screen before you can use the Azure Lab Services app. Sign in here with a Microsoft Entra account or Microsoft account that was added as a lab creator.
1. Select **Azure Lab Services** from the course navigation menu.
lab-services Tutorial Setup Lab https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lab-services/tutorial-setup-lab.md
Azure Lab Services supports multiple ways to add users to a lab:
- Manually by entering an email address - Upload a CSV file with student information-- Sync the lab with an Azure Active Directory group
+- Sync the lab with a Microsoft Entra group
In this quickstart, you manually add the users by providing their email address. Follow these steps to add the users:
lighthouse Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/concepts/architecture.md
# Azure Lighthouse architecture
-Azure Lighthouse helps service providers simplify customer engagement and onboarding experiences, while managing delegated resources at scale with agility and precision. Authorized users, groups, and service principals can work directly in the context of a customer subscription without having an account in that customer's Azure Active Directory (Azure AD) tenant or being a co-owner of the customer's tenant. The mechanism used to support this access is called Azure delegated resource management.
+Azure Lighthouse helps service providers simplify customer engagement and onboarding experiences, while managing delegated resources at scale with agility and precision. Authorized users, groups, and service principals can work directly in the context of a customer subscription without having an account in that customer's Microsoft Entra tenant or being a co-owner of the customer's tenant. The mechanism used to support this access is called Azure delegated resource management.
:::image type="content" source="../media/delegation.jpg" alt-text="Diagram illustrating Azure delegated resource management."::: > [!TIP]
-> Azure Lighthouse can also be used [within an enterprise which has multiple Azure AD tenants of its own](enterprise.md) to simplify cross-tenant management.
+> Azure Lighthouse can also be used [within an enterprise which has multiple Microsoft Entra tenants of its own](enterprise.md) to simplify cross-tenant management.
This topic discusses the relationship between tenants in Azure Lighthouse, and the resources created in the customer's tenant that enable that relationship.
lighthouse Cross Tenant Management Experience https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/concepts/cross-tenant-management-experience.md
# Cross-tenant management experiences
-As a service provider, you can use [Azure Lighthouse](../overview.md) to manage your customers' Azure resources from within your own Azure Active Directory (Azure AD) tenant. Many common tasks and services can be performed across these managed tenants.
+As a service provider, you can use [Azure Lighthouse](../overview.md) to manage your customers' Azure resources from within your own Microsoft Entra tenant. Many common tasks and services can be performed across these managed tenants.
> [!TIP]
-> Azure Lighthouse can also be used [within an enterprise which has multiple Azure AD tenants of its own](enterprise.md) to simplify cross-tenant administration.
+> Azure Lighthouse can also be used [within an enterprise which has multiple Microsoft Entra tenants of its own](enterprise.md) to simplify cross-tenant administration.
## Understanding tenants and delegation
-An Azure AD tenant is a representation of an organization. It's a dedicated instance of Azure AD that an organization receives when they create a relationship with Microsoft by signing up for Azure, Microsoft 365, or other services. Each Azure AD tenant is distinct and separate from other Azure AD tenants, and has its own tenant ID (a GUID). For more information, see [What is Azure Active Directory?](../../active-directory/fundamentals/active-directory-whatis.md)
+A Microsoft Entra tenant is a representation of an organization. It's a dedicated instance of Microsoft Entra ID that an organization receives when they create a relationship with Microsoft by signing up for Azure, Microsoft 365, or other services. Each Microsoft Entra tenant is distinct and separate from other Microsoft Entra tenants, and has its own tenant ID (a GUID). For more information, see [What is Microsoft Entra ID?](../../active-directory/fundamentals/active-directory-whatis.md)
Typically, in order to manage Azure resources for a customer, service providers must sign in to the Azure portal using an account associated with that customer's tenant. In this scenario, an administrator in the customer's tenant must create and manage user accounts for the service provider.
Most Azure tasks and services can be used with delegated resources across manage
- Use boot diagnostics to troubleshoot Azure VMs - Access VMs with serial console - Integrate VMs with Azure Key Vault for passwords, secrets, or cryptographic keys for disk encryption by using [managed identity through policy](https://github.com/Azure/Azure-Lighthouse-samples/tree/master/templates/create-keyvault-secret), ensuring that secrets are stored in a Key Vault in the managed tenants-- Note that you can't use Azure Active Directory for remote login to VMs
+- Note that you can't use Microsoft Entra ID for remote login to VMs
[Microsoft Defender for Cloud](../../security-center/index.yml):
lighthouse Enterprise https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/concepts/enterprise.md
Title: Azure Lighthouse in enterprise scenarios
-description: The capabilities of Azure Lighthouse can be used to simplify cross-tenant management within an enterprise which uses multiple Azure AD tenants.
+description: The capabilities of Azure Lighthouse can be used to simplify cross-tenant management within an enterprise which uses multiple Microsoft Entra tenants.
Last updated 05/10/2023 # Azure Lighthouse in enterprise scenarios
-A common scenario for [Azure Lighthouse](../overview.md) involves a service provider that manages resources in in its customers' Azure Active Directory (Azure AD) tenants. The capabilities of Azure Lighthouse can also be used to simplify cross-tenant management within an enterprise that uses multiple Azure AD tenants.
+A common scenario for [Azure Lighthouse](../overview.md) involves a service provider that manages resources in in its customers' Microsoft Entra tenants. The capabilities of Azure Lighthouse can also be used to simplify cross-tenant management within an enterprise that uses multiple Microsoft Entra tenants.
## Single vs. multiple tenants
-For most organizations, management is easier with a single Azure AD tenant. Having all resources within one tenant allows centralization of management tasks by designated users, user groups, or service principals within that tenant. We recommend using one tenant for your organization whenever possible.
+For most organizations, management is easier with a single Microsoft Entra tenant. Having all resources within one tenant allows centralization of management tasks by designated users, user groups, or service principals within that tenant. We recommend using one tenant for your organization whenever possible.
-Some organizations may need to use multiple Azure AD tenants. This might be a temporary situation, as when acquisitions have taken place and a long-term tenant consolidation strategy hasn't been defined yet. Other times, organizations may need to maintain multiple tenants on an ongoing basis due to wholly independent subsidiaries, geographical or legal requirements, or other considerations.
+Some organizations may need to use multiple Microsoft Entra tenants. This might be a temporary situation, as when acquisitions have taken place and a long-term tenant consolidation strategy hasn't been defined yet. Other times, organizations may need to maintain multiple tenants on an ongoing basis due to wholly independent subsidiaries, geographical or legal requirements, or other considerations.
In cases where a [multitenant architecture](/azure/architecture/guide/multitenant/overview) is required, Azure Lighthouse can help centralize and streamline management operations. By using Azure Lighthouse, users in one managing tenant can perform [cross-tenant management functions](cross-tenant-management-experience.md) in a centralized, scalable manner.
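Review bot: The rewritten opening sentence keeps the doubled word in "manages resources in in its customers' Microsoft Entra tenants"; drop one "in" while the line is being changed.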
lighthouse Isv Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/concepts/isv-scenarios.md
# Azure Lighthouse in ISV scenarios
-A typical scenario for [Azure Lighthouse](../overview.md) involves a service provider that manages resources in its customers' Azure Active Directory (Azure AD) tenants. However, the capabilities of Azure Lighthouse can also be used by Independent Software Vendors (ISVs) using SaaS-based offerings with their customers. Azure Lighthouse can be especially useful for ISVs who are offering managed services or support that require access to the subscription scope.
+A typical scenario for [Azure Lighthouse](../overview.md) involves a service provider that manages resources in its customers' Microsoft Entra tenants. However, the capabilities of Azure Lighthouse can also be used by Independent Software Vendors (ISVs) using SaaS-based offerings with their customers. Azure Lighthouse can be especially useful for ISVs who are offering managed services or support that require access to the subscription scope.
## Managed Service offers in Azure Marketplace
An additional scenario is where the ISV hosts resources in a subscription in the
In this scenario, users in the customerΓÇÖs tenant are essentially granted access as a "managing tenant", even though the customer is not managing the ISV's resources. Because they are accessing the ISV's tenant directly, itΓÇÖs important to grant only the minimum permissions necessary, so that customers can't inadvertently make changes to the solution or other ISV resources.
-To enable this architecture, the ISV needs to obtain the object ID for a user group in the customer's Azure AD tenant, along with their tenant ID. The ISV then builds an ARM template granting this user group the appropriate permissions, and [deploys it on the ISV's subscription](../how-to/onboard-customer.md) that contains the resources that the customer will access.
+To enable this architecture, the ISV needs to obtain the object ID for a user group in the customer's Microsoft Entra tenant, along with their tenant ID. The ISV then builds an ARM template granting this user group the appropriate permissions, and [deploys it on the ISV's subscription](../how-to/onboard-customer.md) that contains the resources that the customer will access.
## Next steps
lighthouse Managed Services Offers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/concepts/managed-services-offers.md
This article describes the **Managed Service** offer type in [Azure Marketplace]
Managed Service offers streamline the process of onboarding customers to Azure Lighthouse. When a customer purchases an offer in Azure Marketplace, they'll be able to specify which subscriptions and/or resource groups should be onboarded.
-For each offer, you define the access that users in your organization will have to work on resources in the customer tenant. This is done through a manifest that specifies the Azure Active Directory (Azure AD) users, groups, and service principals that will have access to customer resources, along with [roles that define their level of access](tenants-users-roles.md#role-support-for-azure-lighthouse).
+For each offer, you define the access that users in your organization will have to work on resources in the customer tenant. This is done through a manifest that specifies the Microsoft Entra users, groups, and service principals that will have access to customer resources, along with [roles that define their level of access](tenants-users-roles.md#role-support-for-azure-lighthouse).
> [!NOTE] > Managed Service offers may not be available in Azure Government and other national clouds.
lighthouse Recommended Security Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/concepts/recommended-security-practices.md
When using [Azure Lighthouse](../overview.md), it's important to consider securi
> [!TIP] > These recommendations also apply to [enterprises managing multiple tenants](enterprise.md) with Azure Lighthouse.
-## Require Azure AD Multi-Factor Authentication
+<a name='require-azure-ad-multi-factor-authentication'></a>
-[Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md) (also known as two-step verification) helps prevent attackers from gaining access to an account by requiring multiple authentication steps. You should require Azure AD Multi-Factor Authentication for all users in your managing tenant, including users who will have access to delegated customer resources.
+## Require Microsoft Entra multifactor authentication
-We recommend that you ask your customers to implement Azure AD Multi-Factor Authentication in their tenants as well.
+[Microsoft Entra multifactor authentication](../../active-directory/authentication/concept-mfa-howitworks.md) (also known as two-step verification) helps prevent attackers from gaining access to an account by requiring multiple authentication steps. You should require Microsoft Entra multifactor authentication for all users in your managing tenant, including users who will have access to delegated customer resources.
+
+We recommend that you ask your customers to implement Microsoft Entra multifactor authentication in their tenants as well.
## Assign permissions to groups, using the principle of least privilege
-To make management easier, use Azure Active Directory (Azure AD) groups for each role required to manage your customers' resources. This lets you add or remove individual users to the group as needed, rather than assigning permissions directly to each user.
+To make management easier, use Microsoft Entra groups for each role required to manage your customers' resources. This lets you add or remove individual users to the group as needed, rather than assigning permissions directly to each user.
> [!IMPORTANT]
-> In order to add permissions for an Azure AD group, the **Group type** must be set to **Security**. This option is selected when the group is created. For more information, see [Create a basic group and add members using Azure Active Directory](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).
+> In order to add permissions for a Microsoft Entra group, the **Group type** must be set to **Security**. This option is selected when the group is created. For more information, see [Create a basic group and add members using Microsoft Entra ID](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).
When creating your permission structure, be sure to follow the principle of least privilege so that users only have the permissions needed to complete their job, helping to reduce the chance of inadvertent errors.
Keep in mind that when you [onboard customers through a public managed service
## Next steps - Review the [security baseline information](/security/benchmark/azure/baselines/lighthouse-security-baseline) to understand how guidance from the Microsoft cloud security benchmark applies to Azure Lighthouse.-- [Deploy Azure AD Multi-Factor Authentication](../../active-directory/authentication/howto-mfa-getstarted.md).
+- [Deploy Microsoft Entra multifactor authentication](../../active-directory/authentication/howto-mfa-getstarted.md).
- Learn about [cross-tenant management experiences](cross-tenant-management-experience.md).
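Review bot: The MFA section, as renamed, still requires Microsoft Entra multifactor authentication "for all users in your managing tenant, including users who will have access to delegated customer resources", but the manifest described in the Managed Service offers change above can also grant delegated access to service principals, which MFA does not cover. A sentence on how those non-user identities in an authorization should be protected would close the gap; otherwise "all users" reads as complete coverage of the managing tenant's delegated access.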
lighthouse Tenants Users Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/concepts/tenants-users-roles.md
Title: Tenants, users, and roles in Azure Lighthouse scenarios
-description: Understand how Azure Active Directory tenants, users, and roles can be used in Azure Lighthouse scenarios.
+description: Understand how Microsoft Entra tenants, users, and roles can be used in Azure Lighthouse scenarios.
Last updated 05/04/2023 # Tenants, users, and roles in Azure Lighthouse scenarios
-Before onboarding customers for [Azure Lighthouse](../overview.md), it's important to understand how Azure Active Directory (Azure AD) tenants, users, and roles work, and how they can be used in Azure Lighthouse scenarios.
+Before onboarding customers for [Azure Lighthouse](../overview.md), it's important to understand how Microsoft Entra tenants, users, and roles work, and how they can be used in Azure Lighthouse scenarios.
-A *tenant* is a dedicated and trusted instance of Azure AD. Typically, each tenant represents a single organization. Azure Lighthouse enables [logical projection](architecture.md#logical-projection) of resources from one tenant to another tenant. This allows users in the managing tenant (such as one belonging to a service provider) to access delegated resources in a customer's tenant, or lets [enterprises with multiple tenants centralize their management operations](enterprise.md).
+A *tenant* is a dedicated and trusted instance of Microsoft Entra ID. Typically, each tenant represents a single organization. Azure Lighthouse enables [logical projection](architecture.md#logical-projection) of resources from one tenant to another tenant. This allows users in the managing tenant (such as one belonging to a service provider) to access delegated resources in a customer's tenant, or lets [enterprises with multiple tenants centralize their management operations](enterprise.md).
In order to achieve this logical projection, a subscription (or one or more resource groups within a subscription) in the customer tenant must be *onboarded* to Azure Lighthouse. This onboarding process can be done either [through Azure Resource Manager templates](../how-to/onboard-customer.md) or by [publishing a public or private offer to Azure Marketplace](../how-to/publish-managed-services-offers.md).
-With either onboarding method, you'll need to define *authorizations*. Each authorization includes a **principalId** (an Azure AD user, group, or service principal in the managing tenant) combined with a built-in role that defines the specific permissions that will be granted for the delegated resources.
+With either onboarding method, you'll need to define *authorizations*. Each authorization includes a **principalId** (a Microsoft Entra user, group, or service principal in the managing tenant) combined with a built-in role that defines the specific permissions that will be granted for the delegated resources.
> [!NOTE]
-> Unless explicitly specified, references to a "user" in the Azure Lighthouse documentation can apply to an Azure AD user, group, or service principal in an authorization.
+> Unless explicitly specified, references to a "user" in the Azure Lighthouse documentation can apply to a Microsoft Entra user, group, or service principal in an authorization.
## Best practices for defining users and roles When creating your authorizations, we recommend the following best practices: -- In most cases, you'll want to assign permissions to an Azure AD user group or service principal, rather than to a series of individual user accounts. This lets you add or remove access for individual users through your tenant's Azure AD, rather than having to [update the delegation](../how-to/update-delegation.md) every time your individual access requirements change.
+- In most cases, you'll want to assign permissions to a Microsoft Entra user group or service principal, rather than to a series of individual user accounts. This lets you add or remove access for individual users through your tenant's Microsoft Entra ID, rather than having to [update the delegation](../how-to/update-delegation.md) every time your individual access requirements change.
- Follow the principle of least privilege so that users only have the permissions needed to complete their job, helping to reduce the chance of inadvertent errors. For more information, see [Recommended security practices](../concepts/recommended-security-practices.md). - Include an authorization with the [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) so that you can [remove access to the delegation](../how-to/remove-delegation.md) later if needed. If this role isn't assigned, access to delegated resources can only be removed by a user in the customer's tenant. - Be sure that any user who needs to [view the My customers page in the Azure portal](../how-to/view-manage-customers.md) has the [Reader](../../role-based-access-control/built-in-roles.md#reader) role (or another built-in role that includes Reader access). > [!IMPORTANT]
-> In order to add permissions for an Azure AD group, the **Group type** must be set to **Security**. This option is selected when the group is created. For more information, see [Create a basic group and add members using Azure Active Directory](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).
+> In order to add permissions for a Microsoft Entra group, the **Group type** must be set to **Security**. This option is selected when the group is created. For more information, see [Create a basic group and add members using Microsoft Entra ID](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).
## Role support for Azure Lighthouse
In some cases, a role that was previously supported with Azure Lighthouse may be
As soon as a new applicable built-in role is added to Azure, it can be assigned when [onboarding a customer using Azure Resource Manager templates](../how-to/onboard-customer.md). There may be a delay before the newly added role becomes available in Partner Center when [publishing a managed service offer](../how-to/publish-managed-services-offers.md). Similarly, if a role becomes unavailable, you may still see it in Partner Center for a while; however, you won't be able to publish new offers using such roles.
-## Transferring delegated subscriptions between Azure AD tenants
+<a name='transferring-delegated-subscriptions-between-azure-ad-tenants'></a>
-If a subscription is [transferred to another Azure AD tenant account](../../cost-management-billing/manage/billing-subscription-transfer.md#transfer-a-subscription-to-another-azure-ad-tenant-account), the [registration definition and registration assignment resources](architecture.md#delegation-resources-created-in-the-customer-tenant) created through the [Azure Lighthouse onboarding process](../how-to/onboard-customer.md) are preserved. This means that access granted through Azure Lighthouse to managing tenants remains in effect for that subscription (or for delegated resource groups within that subscription).
+## Transferring delegated subscriptions between Microsoft Entra tenants
-The only exception is if the subscription is transferred to an Azure AD tenant to which it had been previously delegated. In this case, the delegation resources for that tenant are removed and the access granted through Azure Lighthouse no longer applies, since the subscription now belongs directly to that tenant (rather than being delegated to it through Azure Lighthouse). However, if that subscription was also delegated to other managing tenants, those other managing tenants will retain the same access to the subscription.
+If a subscription is [transferred to another Microsoft Entra tenant account](../../cost-management-billing/manage/billing-subscription-transfer.md#transfer-a-subscription-to-another-azure-ad-tenant-account), the [registration definition and registration assignment resources](architecture.md#delegation-resources-created-in-the-customer-tenant) created through the [Azure Lighthouse onboarding process](../how-to/onboard-customer.md) are preserved. This means that access granted through Azure Lighthouse to managing tenants remains in effect for that subscription (or for delegated resource groups within that subscription).
+
+The only exception is if the subscription is transferred to a Microsoft Entra tenant to which it had been previously delegated. In this case, the delegation resources for that tenant are removed and the access granted through Azure Lighthouse no longer applies, since the subscription now belongs directly to that tenant (rather than being delegated to it through Azure Lighthouse). However, if that subscription was also delegated to other managing tenants, those other managing tenants will retain the same access to the subscription.
## Next steps - Learn about [recommended security practices for Azure Lighthouse](recommended-security-practices.md).-- Onboard your customers to Azure Lighthouse, either by [using Azure Resource Manager templates](../how-to/onboard-customer.md) or by [publishing a private or public managed services offer to Azure Marketplace](../how-to/publish-managed-services-offers.md).
+- Onboard your customers to Azure Lighthouse, either by [using Azure Resource Manager templates](../how-to/onboard-customer.md) or by [publishing a private or public managed services offer to Azure Marketplace](../how-to/publish-managed-services-offers.md).
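Review bot: In the transferred-subscription paragraph the link fragment `#transfer-a-subscription-to-another-azure-ad-tenant-account` still carries the old "azure-ad" slug while the heading right above it is renamed; confirm that the billing article keeps (or adds) that anchor, otherwise the link will land at the top of the page once its own heading is renamed. Keeping the old heading reachable through `<a name='transferring-delegated-subscriptions-between-azure-ad-tenants'></a>` before the new "Transferring delegated subscriptions between Microsoft Entra tenants" heading is the right approach for inbound links, and the same treatment should be given to any renamed heading that other articles link to by fragment.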
lighthouse Create Eligible Authorizations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/how-to/create-eligible-authorizations.md
# Create eligible authorizations
-When onboarding customers to Azure Lighthouse, you create authorizations to grant specified Azure built-in roles to users in your managing tenant. You can also create eligible authorizations that use [Azure Active Directory (Azure AD) Privileged Identity Management (PIM)](../../active-directory/privileged-identity-management/pim-configure.md) to let users in your managing tenant temporarily elevate their role. This lets you grant additional permissions on a just-in-time basis so that users only have those permissions for a set duration.
+When onboarding customers to Azure Lighthouse, you create authorizations to grant specified Azure built-in roles to users in your managing tenant. You can also create eligible authorizations that use [Microsoft Entra Privileged Identity Management (PIM)](../../active-directory/privileged-identity-management/pim-configure.md) to let users in your managing tenant temporarily elevate their role. This lets you grant additional permissions on a just-in-time basis so that users only have those permissions for a set duration.
Creating eligible authorizations lets you minimize the number of permanent assignments of users to privileged roles, helping to reduce security risks related to privileged access by users in your tenant.
This topic explains how eligible authorizations work and how to create them when
## License requirements
-Creating eligible authorizations requires an Enterprise Mobility + Security E5 (EMS E5) or Azure AD Premium P2 license. To find the right license for your requirements, see [Comparing generally available features of the Free, Basic, and Premium editions](https://azure.microsoft.com/pricing/details/active-directory/).
+Creating eligible authorizations requires an Enterprise Mobility + Security E5 (EMS E5) or Microsoft Entra ID P2 license. To find the right license for your requirements, see [Comparing generally available features of the Free, Basic, and Premium editions](https://azure.microsoft.com/pricing/details/active-directory/).
-The EMS E5 or Azure AD Premium P2 license must be held by the managing tenant, not the customer tenant.
+The EMS E5 or Microsoft Entra ID P2 license must be held by the managing tenant, not the customer tenant.
Any extra costs associated with an eligible role will apply only during the period of time in which the user elevates their access to that role.
You can create an eligible authorization when onboarding customers with Azure Re
### User
-For each eligible authorization, you provide the Principal ID for either an individual user or an Azure AD group in the managing tenant. Along with the Principal ID, you must provide a display name of your choice for each authorization.
+For each eligible authorization, you provide the Principal ID for either an individual user or a Microsoft Entra group in the managing tenant. Along with the Principal ID, you must provide a display name of your choice for each authorization.
If a group is provided in an eligible authorization, any member of that group will be able to elevate their own individual access to that role, per the access policy.
The role can be any Azure built-in role that is [supported for Azure delegated r
### Access policy
-The access policy defines the multi-factor authentication requirements, the length of time a user will be activated in the role before it expires, and whether approvers are required.
+The access policy defines the multifactor authentication requirements, the length of time a user will be activated in the role before it expires, and whether approvers are required.
-#### Multi-factor authentication
+<a name='multi-factor-authentication'></a>
-Specify whether or not to require [Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md) in order for an eligible role to be activated.
+#### Multifactor authentication
+
+Specify whether or not to require [Microsoft Entra multifactor authentication](../../active-directory/authentication/concept-mfa-howitworks.md) in order for an eligible role to be activated.
#### Maximum duration
If you donΓÇÖt include any approvers, the user will be able to activate the elig
To onboard your customer to Azure Lighthouse, you can publish Managed Services offers to Azure Marketplace. When [creating your offers in Partner Center](publish-managed-services-offers.md), you can now specify whether the **Access type** for each [Authorization](../../marketplace/create-managed-service-offer-plans.md#authorizations) should be **Active** or **Eligible**.
-When you select **Eligible**, the user in your authorization will be able to activate the role according to the access policy you configure. You must set a maximum duration between 30 minutes and 8 hours, and specify whether you'll require multi-factor authentication. You can also add up to 10 approvers if you choose to use them, providing a display name and a principal ID for each one.
+When you select **Eligible**, the user in your authorization will be able to activate the role according to the access policy you configure. You must set a maximum duration between 30 minutes and 8 hours, and specify whether you'll require multifactor authentication. You can also add up to 10 approvers if you choose to use them, providing a display name and a principal ID for each one.
Be sure to review the details in the [Eligible authorization elements](#eligible-authorization-elements) section when configuring your eligible authorizations in Partner Center.
This template also includes the `managedbyTenantApprovers` element, which adds a
Each entry within the `eligibleAuthorizations` parameter contains [three elements](#eligible-authorization-elements) that define an eligible authorization: `principalId`, `roleDefinitionId`, and `justInTimeAccessPolicy`.
-`principalId` specifies the ID for the Azure AD user or group to which this eligible authorization will apply.
+`principalId` specifies the ID for the Microsoft Entra user or group to which this eligible authorization will apply.
`roleDefinitionId` contains the role definition ID for an [Azure built-in role](../../role-based-access-control/built-in-roles.md) that the user will be eligible to use on a just-in-time basis. If you include multiple eligible authorizations that use the same `roleDefinitionId`, they all must have identical settings for `justInTimeAccessPolicy`. `justInTimeAccessPolicy` specifies three elements: -- `multiFactorAuthProvider` can either be set to **Azure**, which will require authentication using Azure AD Multi-Factor Authentication, or to **None** if no multi-factor authentication will be required.
+- `multiFactorAuthProvider` can either be set to **Azure**, which will require authentication using Microsoft Entra multifactor authentication, or to **None** if no multifactor authentication will be required.
- `maximumActivationDuration` sets the total length of time for which the user will have the eligible role. This value must use the ISO 8601 duration format. The minimum value is PT30M (30 minutes) and the maximum value is PT8H (8 hours). For simplicity, we recommend using values in half-hour increments only (for example, PT6H for 6 hours or PT6H30M for 6.5 hours). - `managedByTenantApprovers` is optional. If you include it, it must contain one or more combinations of a principalId and a principalIdDisplayName who will be required to approve any activation of the eligible role.
For more information about these elements, see the [Eligible authorization eleme
After you onboard a customer to Azure Lighthouse, any eligible roles you included will be available to the specified user (or to users in any specified groups).
-Each user can elevate their access at any time by visiting the **My customers** page in the Azure portal, selecting a delegation, and then selecting **Manage eligible roles**. After that, they can follow the [steps to activate the role](../../active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles.md) in Azure AD Privileged Identity Management.
+Each user can elevate their access at any time by visiting the **My customers** page in the Azure portal, selecting a delegation, and then selecting **Manage eligible roles**. After that, they can follow the [steps to activate the role](../../active-directory/privileged-identity-management/pim-resource-roles-activate-your-roles.md) in Microsoft Entra Privileged Identity Management.
:::image type="content" source="../media/manage-eligible-roles.png" alt-text="Screenshot showing the Manage eligible roles button in the Azure portal.":::
Once the eligible role has been activated, the user will have that role for the
- Learn how to [onboard customers to Azure Lighthouse using ARM templates](onboard-customer.md). - Learn how to [onboard customers using Managed Services offers](publish-managed-services-offers.md).-- Learn more about [Azure AD Privileged Identity Management](../../active-directory/privileged-identity-management/pim-configure.md).
+- Learn more about [Microsoft Entra Privileged Identity Management](../../active-directory/privileged-identity-management/pim-configure.md).
- Learn more about [tenants, users, and roles in Azure Lighthouse](../concepts/tenants-users-roles.md).
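Review bot: In the license requirements paragraph the product is now "Microsoft Entra ID P2" but the link text still reads "Comparing generally available features of the Free, Basic, and Premium editions", so the edition naming in the link no longer matches the sentence it sits in; update the link text (and verify the pricing page title) in the same pass. The `multiFactorAuthProvider` bullet correctly changes only the product name in the description and keeps the literal template values **Azure** and **None** untouched, since those are the accepted values of the `justInTimeAccessPolicy` element rather than display text. The `<a name='multi-factor-authentication'></a>` anchor preserved ahead of the renamed "#### Multifactor authentication" heading keeps existing deep links working.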
lighthouse Deploy Policy Remediation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/how-to/deploy-policy-remediation.md
## Create a user who can assign roles to a managed identity in the customer tenant
-When you [onboard a customer to Azure Lighthouse](onboard-customer.md), you define authorizations that grant access to delegated resources in the customer tenant. Each authorization specifies a **principalId** that corresponds to an Azure AD user, group, or service principal in the managing tenant, and a **roleDefinitionId** that corresponds to the [Azure built-in role](../../role-based-access-control/built-in-roles.md) that will be granted.
+When you [onboard a customer to Azure Lighthouse](onboard-customer.md), you define authorizations that grant access to delegated resources in the customer tenant. Each authorization specifies a **principalId** that corresponds to a Microsoft Entra user, group, or service principal in the managing tenant, and a **roleDefinitionId** that corresponds to the [Azure built-in role](../../role-based-access-control/built-in-roles.md) that will be granted.
To allow a **principalId** to assign roles to a managed identity in the customer tenant, you must set its **roleDefinitionId** to **User Access Administrator**. While this role is not generally supported for Azure Lighthouse, it can be used in this specific scenario. Granting this role to this **principalId** allows it to assign specific built-in roles to managed identities. These roles are defined in the **delegatedRoleDefinitionIds** property, and can include any [supported Azure built-in role](../concepts/tenants-users-roles.md#role-support-for-azure-lighthouse) except for User Access Administrator or Owner.
lighthouse Manage Hybrid Infrastructure Arc https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/how-to/manage-hybrid-infrastructure-arc.md
# Manage hybrid infrastructure at scale with Azure Arc
-[Azure Lighthouse](../overview.md) can help service providers use Azure Arc to manage customers' hybrid environments, with visibility across all managed Azure Active Directory (Azure AD) tenants.
+[Azure Lighthouse](../overview.md) can help service providers use Azure Arc to manage customers' hybrid environments, with visibility across all managed Microsoft Entra tenants.
[Azure Arc](../../azure-arc/overview.md) helps simplify complex and distributed environments across on-premises, edge and multicloud, enabling deployment of Azure services anywhere and extending Azure management to any infrastructure.
lighthouse Manage Sentinel Workspaces https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/how-to/manage-sentinel-workspaces.md
# Manage Microsoft Sentinel workspaces at scale
-[Azure Lighthouse](../overview.md) allows service providers to perform operations at scale across several Azure Active Directory (Azure AD) tenants at once, making management tasks more efficient.
+[Azure Lighthouse](../overview.md) allows service providers to perform operations at scale across several Microsoft Entra tenants at once, making management tasks more efficient.
[Microsoft Sentinel](../../sentinel/overview.md) delivers security analytics and threat intelligence, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. With Azure Lighthouse, you can manage multiple Microsoft Sentinel workspaces across tenants at scale. This enables scenarios such as running queries across multiple workspaces, or creating workbooks to visualize and monitor data from your connected data sources to gain insights. IP such as queries and playbooks remain in your managing tenant, but can be used to perform security management in the customer tenants.
This topic provides an overview of how Azure Lighthouse lets you use Microsoft S
## Architectural considerations
-For a managed security service provider (MSSP) who wants to build a Security-as-a-Service offering using Microsoft Sentinel, a single security operations center (SOC) may be needed to centrally monitor, manage, and configure multiple Microsoft Sentinel workspaces deployed within individual customer tenants. Similarly, enterprises with multiple Azure AD tenants may want to centrally manage multiple Microsoft Sentinel workspaces deployed across their tenants.
+For a managed security service provider (MSSP) who wants to build a Security-as-a-Service offering using Microsoft Sentinel, a single security operations center (SOC) may be needed to centrally monitor, manage, and configure multiple Microsoft Sentinel workspaces deployed within individual customer tenants. Similarly, enterprises with multiple Microsoft Entra tenants may want to centrally manage multiple Microsoft Sentinel workspaces deployed across their tenants.
This model of centralized management has the following advantages:
This model of centralized management has the following advantages:
- Ensures data isolation, since data for multiple customers isn't stored in the same workspace. - Prevents data exfiltration from the managed tenants, helping to ensure data compliance. - Related costs are charged to each managed tenant, rather than to the managing tenant.-- Data from all data sources and data connectors that are integrated with Microsoft Sentinel (such as Azure AD Activity Logs, Office 365 logs, or Microsoft Threat Protection alerts) will remain within each customer tenant.
+- Data from all data sources and data connectors that are integrated with Microsoft Sentinel (such as Microsoft Entra Activity Logs, Office 365 logs, or Microsoft Threat Protection alerts) will remain within each customer tenant.
- Reduces network latency. - Easy to add or remove new subsidiaries or customers. - Able to use a multi-workspace view when working through Azure Lighthouse.
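Review bot: The data-connector examples in the advantages list are only partially updated: "Azure AD Activity Logs" becomes "Microsoft Entra Activity Logs", but "Office 365 logs" and "Microsoft Threat Protection alerts" on the same line keep names this pass did not touch; if the intent is to modernize product names, update the whole parenthetical at once so the list is internally consistent. Separately, the context shows "This model of centralized management has the following advantages:" twice in a row, which is worth checking in the source for a duplicated line.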
lighthouse Migration At Scale https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/how-to/migration-at-scale.md
# Manage Azure Migrate projects at scale with Azure Lighthouse
-This topic provides an overview of how [Azure Lighthouse](../overview.md) can help you use [Azure Migrate](../../migrate/migrate-services-overview.md) in a scalable way across multiple Azure Active Directory (Azure AD) tenants.
+This topic provides an overview of how [Azure Lighthouse](../overview.md) can help you use [Azure Migrate](../../migrate/migrate-services-overview.md) in a scalable way across multiple Microsoft Entra tenants.
Azure Lighthouse allows service providers to perform operations at scale across several tenants at once, making management tasks more efficient.
For more information, see [Link your partner ID to track your impact on delegate
## Next steps - Learn more about [Azure Migrate](../../migrate/migrate-services-overview.md).-- Learn about other [cross-tenant management experiences](../concepts/cross-tenant-management-experience.md) supported by Azure Lighthouse.
+- Learn about other [cross-tenant management experiences](../concepts/cross-tenant-management-experience.md) supported by Azure Lighthouse.
lighthouse Onboard Customer https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/how-to/onboard-customer.md
ms.devlang: azurecli
# Onboard a customer to Azure Lighthouse
-This article explains how you, as a service provider, can onboard a customer to Azure Lighthouse. When you do so, delegated resources (subscriptions and/or resource groups) in the customer's Azure Active Directory (Azure AD) tenant can be managed by users in your tenant through [Azure delegated resource management](../concepts/architecture.md).
+This article explains how you, as a service provider, can onboard a customer to Azure Lighthouse. When you do so, delegated resources (subscriptions and/or resource groups) in the customer's Microsoft Entra tenant can be managed by users in your tenant through [Azure delegated resource management](../concepts/architecture.md).
> [!TIP] > Though we refer to service providers and customers in this topic, [enterprises managing multiple tenants](../concepts/enterprise.md) can use the same process to set up Azure Lighthouse and consolidate their management experience.
If you [create your template in the Azure portal](#create-your-template-in-the-a
## Define roles and permissions
-As a service provider, you may want to perform multiple tasks for a single customer, requiring different access for different scopes. You can define as many authorizations as you need in order to assign the appropriate [Azure built-in roles](../../role-based-access-control/built-in-roles.md). Each authorization includes a `principalId` which refers to an Azure AD user, group, or service principal in the managing tenant.
+As a service provider, you may want to perform multiple tasks for a single customer, requiring different access for different scopes. You can define as many authorizations as you need in order to assign the appropriate [Azure built-in roles](../../role-based-access-control/built-in-roles.md). Each authorization includes a `principalId` which refers to a Microsoft Entra user, group, or service principal in the managing tenant.
> [!NOTE]
-> Unless explicitly specified, references to a "user" in the Azure Lighthouse documentation can apply to an Azure AD user, group, or service principal in an authorization.
+> Unless explicitly specified, references to a "user" in the Azure Lighthouse documentation can apply to a Microsoft Entra user, group, or service principal in an authorization.
To define authorizations in your template, you must include the ID values for each user, user group, or service principal in the managing tenant to which you want to grant access. You'll also need to include the role definition ID for each [built-in role](../../role-based-access-control/built-in-roles.md) you want to assign. When you [create your template in the Azure portal](#create-your-template-in-the-azure-portal), you can select the user account and role, and these ID values will be added automatically. If you are [creating a template manually](#create-your-template-manually), you can [retrieve user IDs by using the Azure portal, Azure PowerShell, or Azure CLI](../../role-based-access-control/role-assignments-template.md#get-object-ids) from within the managing tenant. > [!TIP] > We recommend assigning the [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) when onboarding a customer, so that users in your tenant can [remove access to the delegation](remove-delegation.md) later if needed. If this role is not assigned, delegated resources can only be removed by a user in the customer's tenant.
-Whenever possible, we recommend using Azure AD user groups for each assignment whenever possible, rather than individual users. This gives you the flexibility to add or remove individual users to the group that has access, so that you don't have to repeat the onboarding process to make user changes. You can also assign roles to a service principal, which can be useful for automation scenarios.
+Whenever possible, we recommend using Microsoft Entra user groups for each assignment whenever possible, rather than individual users. This gives you the flexibility to add or remove individual users to the group that has access, so that you don't have to repeat the onboarding process to make user changes. You can also assign roles to a service principal, which can be useful for automation scenarios.
> [!IMPORTANT]
-> In order to add permissions for an Azure AD group, the **Group type** must be set to **Security**. This option is selected when the group is created. For more information, see [Create a basic group and add members using Azure Active Directory](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).
+> In order to add permissions for a Microsoft Entra group, the **Group type** must be set to **Security**. This option is selected when the group is created. For more information, see [Create a basic group and add members using Microsoft Entra ID](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).
When defining your authorizations, be sure to follow the principle of least privilege so that users only have the permissions needed to complete their job. For information about supported roles and best practices, see [Tenants, users, and roles in Azure Lighthouse scenarios](../concepts/tenants-users-roles.md).
You can create this template in the Azure portal, or by manually modifying the t
To create your template in the Azure portal, go to **My customers** and then select **Create ARM Template** from the overview page.
-On the **Create ARM Template offer** Page, provide your **Name** and an optional **Description**. These values will be used for the `mspOfferName` and `mspOfferDescription` in your template, and they may be visible to your customer. The `managedByTenantId` value will be provided automatically, based on the Azure AD tenant to which you are logged in.
+On the **Create ARM Template offer** Page, provide your **Name** and an optional **Description**. These values will be used for the `mspOfferName` and `mspOfferDescription` in your template, and they may be visible to your customer. The `managedByTenantId` value will be provided automatically, based on the Microsoft Entra tenant to which you are logged in.
Next, select either **Subscription** or **Resource group**, depending on the customer scope you want to onboard. If you select **Resource group**, you'll need to provide the name of the resource group to onboard. You can select the **+** icon to add additional resource groups in the same subscription if needed. (To onboard additional resource groups in a different subscription, you must create and deploy a separate template for that subscription.)
After a few minutes, you should see a notification that the deployment has compl
## Confirm successful onboarding
-When a customer subscription has successfully been onboarded to Azure Lighthouse, users in the service provider's tenant will be able to see the subscription and its resources (if they have been granted access to it through the process above, either individually or as a member of an Azure AD group with the appropriate permissions). To confirm this, check to make sure the subscription appears in one of the following ways.
+When a customer subscription has successfully been onboarded to Azure Lighthouse, users in the service provider's tenant will be able to see the subscription and its resources (if they have been granted access to it through the process above, either individually or as a member of a Microsoft Entra group with the appropriate permissions). To confirm this, check to make sure the subscription appears in one of the following ways.
### Confirm in the Azure portal
If you are unable to successfully onboard your customer, or if your users have t
- The **Microsoft.ManagedServices** resource provider must be registered for the delegated subscription. This should happen automatically during the deployment but if not, you can [register it manually](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider). - Authorizations must not include any users with the [Owner](../../role-based-access-control/built-in-roles.md#owner) role, any roles with [DataActions](../../role-based-access-control/role-definitions.md#dataactions), or any roles that include [restricted actions](../concepts/tenants-users-roles.md#role-support-for-azure-lighthouse). - Groups must be created with [**Group type**](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md#group-types) set to **Security** and not **Microsoft 365**.-- If access was granted to a group, check to make sure the user is a member of that group. If they aren't, you can [add them to the group using Azure AD](../../active-directory/fundamentals/active-directory-groups-members-azure-portal.md), without having to perform another deployment. Note that [group owners](../../active-directory/fundamentals/active-directory-accessmanagement-managing-group-owners.md) are not necessarily members of the groups they manage, and may need to be added in order to have access.
+- If access was granted to a group, check to make sure the user is a member of that group. If they aren't, you can [add them to the group using Microsoft Entra ID](../../active-directory/fundamentals/active-directory-groups-members-azure-portal.md), without having to perform another deployment. Note that [group owners](../../active-directory/fundamentals/active-directory-accessmanagement-managing-group-owners.md) are not necessarily members of the groups they manage, and may need to be added in order to have access.
- There may be an additional delay before access is enabled for [nested groups](../..//active-directory/fundamentals/active-directory-groups-membership-azure-portal.md). - The [Azure built-in roles](../../role-based-access-control/built-in-roles.md) that you include in authorizations must not include any deprecated roles. If an Azure built-in role becomes deprecated, any users who were onboarded with that role will lose access, and you won't be able to onboard additional delegations. To fix this, update your template to use only supported built-in roles, then perform a new deployment.
lighthouse Publish Managed Services Offers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/how-to/publish-managed-services-offers.md
To learn about the general publishing process, review the [commercial marketplac
Once a customer adds your offer, they will be able to delegate one or more subscriptions or resource groups, which will then be [onboarded to Azure Lighthouse](#the-customer-onboarding-process). > [!IMPORTANT]
-> Each plan in a Managed Service offer includes a **Manifest Details** section, where you define the Azure Active Directory (Azure AD) entities in your tenant that will have access to the delegated resource groups and/or subscriptions for customers who purchase that plan. It's important to be aware that any group (or user or service principal) that you include will have the same permissions for every customer who purchases the plan. To assign different groups to work with each customer, you can publish a separate [private plan](/partner-center/marketplace/private-plans) that is exclusive to each customer. These private plans are not supported with subscriptions established through a reseller of the Cloud Solution Provider (CSP) program.
+> Each plan in a Managed Service offer includes a **Manifest Details** section, where you define the Microsoft Entra entities in your tenant that will have access to the delegated resource groups and/or subscriptions for customers who purchase that plan. It's important to be aware that any group (or user or service principal) that you include will have the same permissions for every customer who purchases the plan. To assign different groups to work with each customer, you can publish a separate [private plan](/partner-center/marketplace/private-plans) that is exclusive to each customer. These private plans are not supported with subscriptions established through a reseller of the Cloud Solution Provider (CSP) program.
## Publish your offer
If you publish an updated version of your offer, the customer can [review the ch
- Learn about the [commercial marketplace](/partner-center/marketplace/overview). - [Link your partner ID](partner-earned-credit.md) to track your impact across customer engagements. - Learn about [cross-tenant management experiences](../concepts/cross-tenant-management-experience.md).-- [View and manage customers](view-manage-customers.md) by going to **My customers** in the Azure portal.
+- [View and manage customers](view-manage-customers.md) by going to **My customers** in the Azure portal.
lighthouse View Manage Customers https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/how-to/view-manage-customers.md
Service providers using [Azure Lighthouse](../overview.md) can use the **My cust
To access the **My customers** page in the Azure portal, enter "My customers" in the search box near the top of the Azure portal. You can also select **All services**, then search for **Azure Lighthouse**, or search for "Azure Lighthouse". From the Azure Lighthouse page, select **Manage your customers**.
-Keep in mind that the top **Customers** section of the **My customers** page only shows info about customers who have delegated subscriptions or resource groups to your Azure Active Directory (Azure AD) tenant through Azure Lighthouse. If you work with other customers (such as through the [Cloud Solution Provider (CSP) program](/partner-center/csp-overview)), you won't see info about those customers in the **Customers** section unless you [onboarded their resources to Azure Lighthouse](onboard-customer.md). However, you may see details about certain CSP customers in the [Cloud Solution Provider (Preview) section](#cloud-solution-provider-preview) lower on the page.
+Keep in mind that the top **Customers** section of the **My customers** page only shows info about customers who have delegated subscriptions or resource groups to your Microsoft Entra tenant through Azure Lighthouse. If you work with other customers (such as through the [Cloud Solution Provider (CSP) program](/partner-center/csp-overview)), you won't see info about those customers in the **Customers** section unless you [onboarded their resources to Azure Lighthouse](onboard-customer.md). However, you may see details about certain CSP customers in the [Cloud Solution Provider (Preview) section](#cloud-solution-provider-preview) lower on the page.
> [!NOTE] > Your customers can view info about service providers by navigating to **Service providers** in the Azure portal. For more info, see [View and manage service providers](view-manage-service-providers.md).
lighthouse View Service Provider Activity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/how-to/view-service-provider-activity.md
# Monitor service provider activity
-Customers who have delegated subscriptions to service providers through [Azure Lighthouse](../overview.md) can [view Azure Activity log](../../azure-monitor/essentials/activity-log.md) data to see all actions taken. This data provides full visibility for actions that service providers take on delegated customer resources. The activity log also shows operations from users within the customer's own Azure Active Directory (Azure AD) tenant.
+Customers who have delegated subscriptions to service providers through [Azure Lighthouse](../overview.md) can [view Azure Activity log](../../azure-monitor/essentials/activity-log.md) data to see all actions taken. This data provides full visibility for actions that service providers take on delegated customer resources. The activity log also shows operations from users within the customer's own Microsoft Entra tenant.
## View activity log data
lighthouse Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/lighthouse/samples/policy-reference.md
Title: Built-in policy definitions for Azure Lighthouse description: Lists Azure Policy built-in policy definitions for Azure Lighthouse. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
load-balancer Gateway Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/gateway-overview.md
For pricing, see [Load Balancer pricing](https://azure.microsoft.com/pricing/det
* Gateway Load Balancer doesn't work with the Global Load Balancer tier. * Cross-tenant chaining isn't supported through the Azure portal.
-* Gateway Load Balancer doesn't currently support IPv6
## Next steps
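Review bot: Deleting the "Gateway Load Balancer doesn't currently support IPv6" bullet at the end of the limitations list leaves the page silent on IPv6 instead of stating the new status. If IPv6 is now supported, say so explicitly alongside the remaining limitations (or in the supported scenarios); if it is supported only in some configurations, keep a qualified limitation. Readers who remember the old bullet otherwise can't tell whether the limitation was lifted or the line was dropped by mistake.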
load-balancer Load Balancer Basic Upgrade Guidance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/load-balancer-basic-upgrade-guidance.md
Use these PowerShell scripts to help with upgrading from Basic to Standard SKU:
## Upgrade manually > [!NOTE]
-> Although manually upgrading your Basic Load Balancer to a Standard Load Balancer using the Portal is an option, we recommend using the [**automated script option**](./load-balancer-multiple-ip-powershell.md) above, due to the number of steps and complexity of the migration. The automation ensures a consistent migration and minimizes downtime to load balanced applications.
+> Although manually upgrading your Basic Load Balancer to a Standard Load Balancer using the Portal is an option, we recommend using the [**automated script option**](./upgrade-basic-standard-with-powershell.md) above, due to the number of steps and complexity of the migration. The automation ensures a consistent migration and minimizes downtime to load balanced applications.
When manually migrating from a Basic to Standard SKU Load Balancer, there are a couple key considerations to keep in mind:
load-balancer Upgrade Basic Standard With Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-balancer/upgrade-basic-standard-with-powershell.md
PS C:\> Install-Module -Name AzureBasicLoadBalancerUpgrade -Scope CurrentUser -R
## Use the module
-1. Use `Connect-AzAccount` to connect to the required Azure AD tenant and Azure subscription
+1. Use `Connect-AzAccount` to connect to the required Microsoft Entra tenant and Azure subscription
```powershell PS C:\> Connect-AzAccount -Tenant <TenantId> -Subscription <SubscriptionId>
load-testing How To Assign Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-testing/how-to-assign-roles.md
You can remove the access permission for a user who isn't managing the Azure loa
You can also configure role-based access to a load testing resource using the following [Azure PowerShell cmdlets](/azure/role-based-access-control/role-assignments-powershell):
-* [Get-AzRoleDefinition](/powershell/module/Az.Resources/Get-AzRoleDefinition) lists all Azure roles that are available in Azure Active Directory. You can use this cmdlet with the Name parameter to list all the actions that a specific role can perform.
+* [Get-AzRoleDefinition](/powershell/module/Az.Resources/Get-AzRoleDefinition) lists all Azure roles that are available in Microsoft Entra ID. You can use this cmdlet with the Name parameter to list all the actions that a specific role can perform.
```azurepowershell-interactive Get-AzRoleDefinition -Name 'Load Test Contributor'
load-testing How To Configure Load Test Cicd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-testing/how-to-configure-load-test-cicd.md
To run a load test in your CI/CD workflow, you need to grant permission to the C
### Create a service connection in Azure Pipelines
-In Azure Pipelines, you create a *service connection* in your Azure DevOps project to access resources in your Azure subscription. When you create the service connection, Azure DevOps creates an Azure Active Directory service principal object.
+In Azure Pipelines, you create a *service connection* in your Azure DevOps project to access resources in your Azure subscription. When you create the service connection, Azure DevOps creates a Microsoft Entra service principal object.
1. Sign in to your Azure DevOps organization (`https://dev.azure.com/<your-organization>`), and select your project.
You can now use the service connection in your Azure Pipelines workflow definiti
# [GitHub Actions](#tab/github)
-To access your Azure Load Testing resource from the GitHub Actions workflow, you first create an Azure Active Directory [service principal](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). This service principal represents your GitHub Actions workflow in Azure Active Directory.
+To access your Azure Load Testing resource from the GitHub Actions workflow, you first create a Microsoft Entra [service principal](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). This service principal represents your GitHub Actions workflow in Microsoft Entra ID.
Next, you grant permissions to the service principal to create and run a load test with your Azure Load Testing resource.
load-testing How To Use A Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-testing/how-to-use-a-managed-identity.md
This article shows how to create a managed identity for Azure Load Testing. You can use a managed identity to authenticate with and read secrets from Azure Key Vault.
-A managed identity from Azure Active Directory (Azure AD) allows your load testing resource to easily access other Azure AD-protected resources, such as Azure Key Vault. The identity is managed by the Azure platform and doesn't require you to manage or rotate any secrets. For more information about managed identities in Azure AD, see [Managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/overview).
+A managed identity from Microsoft Entra ID allows your load testing resource to easily access other Microsoft Entra protected resources, such as Azure Key Vault. The identity is managed by the Azure platform and doesn't require you to manage or rotate any secrets. For more information about managed identities in Microsoft Entra ID, see [Managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/overview).
Azure Load Testing supports two types of identities:
After the resource creation finishes, the following properties are configured fo
} ```
-The `tenantId` property identifies which Azure AD tenant the managed identity belongs to. The `principalId` is a unique identifier for the resource's new identity. Within Azure AD, the service principal has the same name as the Azure load testing resource.
+The `tenantId` property identifies which Microsoft Entra tenant the managed identity belongs to. The `principalId` is a unique identifier for the resource's new identity. Within Microsoft Entra ID, the service principal has the same name as the Azure load testing resource.
You can now [grant your load testing resource access to your Azure key vault](#grant-access-to-your-azure-key-vault).
You can now [grant your load testing resource access to your Azure key vault](#g
## Assign a user-assigned identity to a load testing resource
-Before you can add a user-assigned managed identity to an Azure load testing resource, you must first create this identity in Azure AD. Then, you can assign the identity by using its resource identifier.
+Before you can add a user-assigned managed identity to an Azure load testing resource, you must first create this identity in Microsoft Entra ID. Then, you can assign the identity by using its resource identifier.
You can add multiple user-assigned managed identities to your resource. For example, if you need to access multiple Azure resources, you can grant different permissions to each of these identities.
You can create an Azure load testing resource by using an ARM template and the r
} ```
- The `principalId` is a unique identifier for the identity that's used for Azure AD administration. The `clientId` is a unique identifier for the resource's new identity that's used for specifying which identity to use during runtime calls.
+ The `principalId` is a unique identifier for the identity that's used for Microsoft Entra administration. The `clientId` is a unique identifier for the resource's new identity that's used for specifying which identity to use during runtime calls.
You can now [grant your load testing resource access to your Azure key vault](#grant-access-to-your-azure-key-vault).
load-testing Quickstart Add Load Test Cicd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-testing/quickstart-add-load-test-cicd.md
If you want to automate your load test with GitHub Actions, learn how to [manual
- An Azure DevOps organization and project. If you don't have an Azure DevOps organization, you can [create one for free](/azure/devops/pipelines/get-started/pipelines-sign-up?view=azure-devops&preserve-view=true). -- Your Azure DevOps organization is connected to Azure Active Directory in your subscription. Learn how you can [connect your organization to Azure Active Directory](/azure/devops/organizations/accounts/connect-organization-to-azure-ad).
+- Your Azure DevOps organization is connected to Microsoft Entra ID in your subscription. Learn how you can [connect your organization to Microsoft Entra ID](/azure/devops/organizations/accounts/connect-organization-to-azure-ad).
- A load testing resource, which contains a test. Create a [URL-based load test](./quickstart-create-and-run-load-test.md) or [use an existing JMeter script](./how-to-create-and-run-load-test-with-jmeter-script.md) to create a load test.
In this section, you'll create a CI/CD pipeline in Azure Pipelines to run an exi
:::image type="content" source="media/how-to-set-up-cicd-pipeline-from-portal/set-up-cicd-pipeline.png" alt-text="Screenshot that shows the settings to be configured to set up a CI/CD pipeline." lightbox="media/how-to-set-up-cicd-pipeline-from-portal/set-up-cicd-pipeline.png"::: > [!IMPORTANT]
- > If you're getting an error creating a PAT token, or you don't see any repositories, make sure to [connect your Azure DevOps organization to Azure Active Directory (Azure AD)](/azure/devops/organizations/accounts/connect-organization-to-azure-ad). Make sure the directory in Azure DevOps matches the directory you're using for Azure Load Testing. After connecting to Azure AD, close and reopen your browser window.
+ > If you're getting an error creating a PAT token, or you don't see any repositories, make sure to [connect your Azure DevOps organization to Microsoft Entra ID](/azure/devops/organizations/accounts/connect-organization-to-azure-ad). Make sure the directory in Azure DevOps matches the directory you're using for Azure Load Testing. After connecting to Microsoft Entra ID, close and reopen your browser window.
1. Select **Create Pipeline** to start creating the pipeline definition.
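Review bot: "PAT token" in the rewritten IMPORTANT callout is redundant, since PAT already stands for personal access token; "an error creating a PAT" or "an error creating a personal access token" reads cleaner. The identical callout in the tutorial-identify-performance-regression-with-cicd change further down carries the same wording, so fix both together.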
load-testing Tutorial Identify Performance Regression With Cicd https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/load-testing/tutorial-identify-performance-regression-with-cicd.md
Now that you have load testing resource and a load test for the sample applicati
:::image type="content" source="media/tutorial-identify-performance-regression-with-cicd/set-up-cicd-pipeline.png" alt-text="Screenshot that shows the settings to be configured to set up a CI/CD pipeline." lightbox="media/tutorial-identify-performance-regression-with-cicd/set-up-cicd-pipeline.png"::: > [!IMPORTANT]
- > If you're getting an error creating a PAT token, or you don't see any repositories, make sure to [connect your Azure DevOps organization to Azure Active Directory (Azure AD)](/azure/devops/organizations/accounts/connect-organization-to-azure-ad). Make sure the directory in Azure DevOps matches the directory you're using for Azure Load Testing. After connecting to Azure AD, close and reopen your browser window.
+ > If you're getting an error creating a PAT token, or you don't see any repositories, make sure to [connect your Azure DevOps organization to Microsoft Entra ID](/azure/devops/organizations/accounts/connect-organization-to-azure-ad). Make sure the directory in Azure DevOps matches the directory you're using for Azure Load Testing. After connecting to Microsoft Entra ID, close and reopen your browser window.
1. Select **Create Pipeline** to start creating the pipeline definition.
logic-apps Create Maps Data Transformation Visual Studio Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/create-maps-data-transformation-visual-studio-code.md
ms.suite: integration Previously updated : 04/17/2023 Last updated : 10/10/2023 # As a developer, I want to transform data in Azure Logic Apps by creating a map between schemas with Visual Studio Code.
This how-to guide shows how to create a blank data map, choose your source and t
1. [Create a local folder, a local Standard logic app project, and a stateful or stateless workflow](create-single-tenant-workflows-visual-studio-code.md#create-project). During workflow creation, select **Open in current window**.
- After you create your logic app project, in your project's root folder, open the **local.settings.json** file, and add the following values:
-
- - `"FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated"`
-
- - `"AzureWebJobsFeatureFlags": "EnableMultiLanguageWorker"`
- - Sample input data if you want to test the map and check that the transformation works as you expect. ## Create a data map
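Review bot: Dropping the local.settings.json step removes both `"FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated"` and `"AzureWebJobsFeatureFlags": "EnableMultiLanguageWorker"` without telling the reader why they are no longer needed, so anyone working from an older project or an older extension build can't tell whether these values are still required. A single sentence after the project-creation step stating that multi-language support is now enabled automatically, or a link to the app settings reference, would close that gap.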
logic-apps Create Run Custom Code Functions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/create-run-custom-code-functions.md
ms.suite: integration
Previously updated : 08/07/2023 Last updated : 10/10/2023 # Customer intent: As a logic app workflow developer, I want to write and run my own .NET Framework code to perform custom integration tasks.
After you finish writing your code, compile to make sure that no build errors ex
1. Confirm that the following items exist in your logic app project:
- - In your workspace, expand the folowing folders: **LogicApp** > **lib\custom** > **net472**. Confirm that the subfolder named **net472** contains the multiple assembly (DLL) files required to run your code, including a file named **<*function-name*>.dll**.
+ - In your workspace, expand the following folders: **LogicApp** > **lib\custom** > **net472**. Confirm that the subfolder named **net472** contains the multiple assembly (DLL) files required to run your code, including a file named **<*function-name*>.dll**.
- - In your workspace, expand the folowing folders: **LogicApp** > **lib\custom** > **<*function-name*>**. Confirm that the subfolder named **<*function-name*>** contains a **function.json** file, which includes the metadata about the function code that you wrote. The workflow designer uses this file to determine the necessary inputs and outputs when calling your code.
+ - In your workspace, expand the following folders: **LogicApp** > **lib\custom** > **<*function-name*>**. Confirm that the subfolder named **<*function-name*>** contains a **function.json** file, which includes the metadata about the function code that you wrote. The workflow designer uses this file to determine the necessary inputs and outputs when calling your code.
The following example shows sample generated assemblies and other files in the logic app project:
logic-apps Create Single Tenant Workflows Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/create-single-tenant-workflows-azure-portal.md
ms.suite: integration Previously updated : 09/20/2023 Last updated : 10/10/2023 # Customer intent: As a developer, I want to create my first example Standard logic app workflow that runs in single-tenant Azure Logic Apps using the Azure portal.
logic-apps Create Single Tenant Workflows Visual Studio Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/create-single-tenant-workflows-visual-studio-code.md
ms.suite: integration Previously updated : 07/21/2023 Last updated : 10/10/2023 # Customer intent: As a logic apps developer, I want to create a Standard logic app workflow that runs in single-tenant Azure Logic Apps using Visual Studio Code.
Before you can create your logic app, create a local project so that you can man
[!INCLUDE [Visual Studio Code - logic app project structure](../../includes/logic-apps-single-tenant-project-structure-visual-studio-code.md)]
-<a name="enable-built-in-connector-authoring"></a>
-
-## Enable built-in connector authoring
+<a name="convert-project-nuget"></a>
-You can create your own built-in connectors for any service you need by using the [single-tenant Azure Logic Apps extensibility framework](https://techcommunity.microsoft.com/t5/integrations-on-azure/azure-logic-apps-running-anywhere-built-in-connector/ba-p/1921272). Similar to built-in connectors such as Azure Service Bus and SQL Server, these connectors provide higher throughput, low latency, local connectivity, and run natively in the same process as the single-tenant Azure Logic Apps runtime.
+## Convert your project to NuGet package-based (.NET)
-The authoring capability is currently available only in Visual Studio Code, but isn't enabled by default. To create these connectors, you need to first convert your project from extension bundle-based (Node.js) to NuGet package-based (.NET).
+By default, Visual Studio Code creates a logic app project that is extension bundle-based (Node.js), not NuGet package-based (.NET). If you require a logic app project that is NuGet package-based (.NET), for example, to enable built-in connector authoring, you must convert your project from extension bundle-based (Node.js) to NuGet package-based (.NET).
> [!IMPORTANT]
+>
> This action is a one-way operation that you can't undo. 1. In the Explorer pane, at your project's root, move your mouse pointer over any blank area below all the other files and folders, open the shortcut menu, and select **Convert to NuGet-based Logic App project**.
The authoring capability is currently available only in Visual Studio Code, but
1. When the prompt appears, confirm the project conversion.
-1. To continue, review and follow the steps in the article, [Azure Logic Apps Running Anywhere - Built-in connector extensibility](https://techcommunity.microsoft.com/t5/integrations-on-azure/azure-logic-apps-running-anywhere-built-in-connector/ba-p/1921272).
+<a name="enable-built-in-connector-authoring"></a>
+
+## Enable built-in connector authoring
+
+You can create your own built-in connectors for any service you need by using the [single-tenant Azure Logic Apps extensibility framework](https://techcommunity.microsoft.com/t5/integrations-on-azure/azure-logic-apps-running-anywhere-built-in-connector/ba-p/1921272). Similar to built-in connectors such as Azure Service Bus and SQL Server, these connectors provide higher throughput, low latency, local connectivity, and run natively in the same process as the single-tenant Azure Logic Apps runtime.
+
+The authoring capability is currently available only in Visual Studio Code, but isn't enabled by default. To create these connectors, follow these steps:
+
+1. If you haven't already, [convert your project from extension bundle-based (Node.js) to NuGet package-based (.NET)](#convert-project-nuget).
+
+1. Review and follow the steps in the article, [Azure Logic Apps Running Anywhere - Built-in connector extensibility](https://techcommunity.microsoft.com/t5/integrations-on-azure/azure-logic-apps-running-anywhere-built-in-connector/ba-p/1921272).
<a name="add-custom-artifacts"></a>
To add schemas to your project, in your project hierarchy, expand **Artifacts**
:::image type="content" source="media/create-single-tenant-workflows-visual-studio-code/schema-upload-visual-studio-code.png" alt-text="Screenshot shows Visual Studio Code project hierarchy with Artifacts and Schemas folders expanded." lightbox="media/create-single-tenant-workflows-visual-studio-code/schema-upload-visual-studio-code.png":::
-### Add assemblies to your project
-
-A Standard logic app can currently use or reference the following assembly types:
--- Client/SDK assembly (.NET Framework)-- Client/SDK assembly (Java)-- Custom assembly (.NET Framework) -
-You can upload these assemblies to your project in Visual Studio Code, similar how you upload them in the Azure portal through your logic app resource menu under **Artifacts** > **Assemblies**.
--
-The following section provides more information about each assembly type and where exactly to put them in your project.
+<a name="add-assembly"></a>
-- Client/SDK assembly (.NET Framework):
+### Add assemblies to your project
- This assembly section provides storage and deployment of client and custom SDK for .NET Framework. For example, the [SAP built-in connector](/azure/logic-apps/connectors/built-in/reference/sap/) uses this assembly section to load the SAP NCo non-redistributable DLL files. You can add these assemblies in the following folder: **\lib\builtinOperationSdks\net472**
-
-- Client/SDK assembly (Java)
+A Standard logic app can use or reference specific kinds of assemblies, which you can upload to your project in Visual Studio Code. However, you must add them to specific folders in your project. The following table provides more information about each assembly type and where exactly to put them in your project.
- This assembly section provides storage and deployment of custom SDK for Java. For example, the [JDBC built-in connector](/azure/logic-apps/connectors/built-in/reference/jdbc/) uses these JAR files to find JDBC drivers for custom relational databases (RDBs). You can add these assemblies in the following folder: **\lib\builtinOperationSdks\JAR**
-
-- Custom assembly (.NET Framework)
-
- This assembly section provides storage and deployment of custom DLLs. For example, the **Transform XML** operation uses these assemblies for the custom transformation functions that are required during XML transformation. You can add these assemblies in the following folder: **\lib\custom\net472**
+| Assembly type | Description |
+||-|
+| **Client/SDK Assembly (.NET Framework)** | This assembly type provides storage and deployment of client and custom SDK for the .NET Framework. For example, the SAP built-in connector uses these assemblies to load the SAP NCo non-redistributable DLL files. <br><br>Make sure that you add these assemblies to the following folder: **\lib\builtinOperationSdks\net472** |
+| **Client/SDK Assembly (Java)** | This assembly type provides storage and deployment of custom SDK for Java. For example, the [JDBC built-in connector](/azure/logic-apps/connectors/built-in/reference/jdbc/) uses these JAR files to find JDBC drivers for custom relational databases (RDBs). <br><br>Make sure to add these assemblies to the following folder: **\lib\builtinOperationSdks\JAR** |
+| **Custom Assembly (.NET Framework)** | This assembly type provides storage and deployment of custom DLLs. For example, the [**Transform XML** operation](logic-apps-enterprise-integration-transform.md) uses these assemblies for the custom transformation functions that are required during XML transformation. <br><br>Make sure to add these assemblies to the following folder: **\lib\custom\net472** |
The following image shows where to put each assembly type in your project: :::image type="content" source="media/create-single-tenant-workflows-visual-studio-code/assembly-upload-visual-studio-code.png" alt-text="Screenshot shows Visual Studio Code, logic app project, and where to upload assemblies." lightbox="media/create-single-tenant-workflows-visual-studio-code/assembly-upload-visual-studio-code.png":::
+For more information about uploading assemblies to your logic app resource in the Azure portal, see [Add referenced assemblies](logic-apps-enterprise-integration-maps.md?tabs=standard#add-assembly).
+ ### Migrate NuGet-based projects to use "lib\\*" assemblies > [!IMPORTANT]
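Review bot: In the new assembly table, the **Client/SDK Assembly (.NET Framework)** row mentions "the SAP built-in connector" as plain text, whereas the removed bullet linked it to `/azure/logic-apps/connectors/built-in/reference/sap/` and the other two rows keep their links (JDBC built-in connector, **Transform XML** operation). Restore the SAP link so all three rows are consistent and the reader can reach the connector's reference page from the table.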
To locally run webhook-based triggers and actions in Visual Studio Code, you nee
} ```
- > [!NOTE]
- >
- > If your project is NuGet package-based (.NET), not extension bundle-based (Node.js),
- > `"FUNCTIONS_WORKER_RUNTIME"` is set to `"dotnet"`. To use the **Transform XML** action
- > [with XSLT maps that call .NET Framework assemblies](#add-assemblies-to-your-project),
- > to [create maps for data transformation](create-maps-data-transformation-visual-studio-code.md),
- > or to [create and run .NET code from Standard workflows](create-run-custom-code-functions.md),
- > you must set `"FUNCTIONS_WORKER_RUNTIME"` to `"dotnet-isolated"`. To use **Inline Code Operations**,
- > you must set`"FUNCTIONS_WORKER_RUNTIME"` to `"node"`.
- The first time when you start a local debugging session or run the workflow without debugging, the Azure Logic Apps runtime registers the workflow with the service endpoint and subscribes to that endpoint for notifying the webhook operations. The next time that your workflow runs, the runtime won't register or resubscribe because the subscription registration already exists in local storage. When you stop the debugging session for a workflow run that uses locally run webhook-based triggers or actions, the existing subscription registrations aren't deleted. To unregister, you have to manually remove or delete the subscription registrations.
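Review bot: Removing the NOTE leaves this section with no guidance on which `FUNCTIONS_WORKER_RUNTIME` value a NuGet package-based (.NET) project needs, while the removed text told readers to switch between `dotnet`, `dotnet-isolated` and `node` depending on the scenario (Transform XML with .NET Framework assemblies, data maps, custom .NET code, Inline Code Operations). If the setting is now irrelevant because multi-language support is enabled automatically, replace the note with one sentence saying so and linking to the app settings reference, so that readers whose existing local.settings.json still carries `"dotnet"` know they don't have to change it.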
logic-apps Edit App Settings Host Settings https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/edit-app-settings-host-settings.md
ms.suite: integration Previously updated : 07/10/2023 Last updated : 10/10/2023
App settings in Azure Logic Apps work similarly to app settings in Azure Functio
| Setting | Default value | Description | |||-|
-| `AzureWebJobsStorage` | None | Sets the connection string for an Azure storage account. |
+| `AzureWebJobsStorage` | None | Sets the connection string for an Azure storage account. For more information, see [AzureWebJobsStorage](../azure-functions/functions-app-settings.md#azurewebjobsstorage) |
+| `FUNCTIONS_WORKER_RUNTIME` | `node` | Sets the language worker runtime to use with your logic app resource and workflows. However, this setting is no longer necessary due to automatically enabled multi-language support. <br><br>For more information, see [FUNCTIONS_WORKER_RUNTIME](../azure-functions/functions-app-settings.md#functions_worker_runtime). |
| `ServiceProviders.Sftp.FileUploadBufferTimeForTrigger` | `00:00:20` <br>(20 seconds) | Sets the buffer time to ignore files that have a last modified timestamp that's greater than the current time. This setting is useful when large file writes take a long time and avoids fetching data for a partially written file. | | `ServiceProviders.Sftp.OperationTimeout` | `00:02:00` <br>(2 min) | Sets the time to wait before timing out on any operation. | | `ServiceProviders.Sftp.ServerAliveInterval` | `00:30:00` <br>(30 min) | Send a "keep alive" message to keep the SSH connection active if no data exchange with the server happens during the specified period. For more information, see the [ServerAliveInterval setting](https://man.openbsd.org/ssh_config.5#ServerAliveInterval). |
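Review bot: the sentence added to the `AzureWebJobsStorage` row ("For more information, see [AzureWebJobsStorage](...)") has no trailing period, unlike the new `FUNCTIONS_WORKER_RUNTIME` row and the rest of the table. In the `FUNCTIONS_WORKER_RUNTIME` row, the default is given as `node` and the setting is described as no longer necessary; say whether a value that is still explicitly set (for example `dotnet` or `dotnet-isolated` in an older project) is ignored or still honored, since that is the question a reader with an existing project will have.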
To add, update, or delete app settings, select and review the following sections
### [Azure portal](#tab/azure-portal)
-To review the app settings for your single-tenant based logic app in the Azure portal, follow these steps:
+##### View app settings in the portal
1. In the [Azure portal](https://portal.azure.com/) search box, find and open your logic app.
-1. On your logic app menu, under **Settings**, select **Configuration**.
+1. On your logic app menu, under **Settings**, select **Environment variables**.
-1. On the **Configuration** page, on the **Application settings** tab, review the app settings for your logic app.
+1. On the **Environment variables** page, on the **App settings** tab, review the app settings for your logic app.
For more information about these settings, review the [reference guide for available app settings - local.settings.json](#reference-local-settings-json).
-1. To view all values, select **Show Values**. Or, to view a single value, select that value.
+1. To view all values, select **Show Values**. Or, to view a single value, in the **Value** column, next to the value, select the "eye".
-To add a setting, follow these steps:
-
-1. On the **Application settings** tab, under **Application settings**, select **New application setting**.
+##### Add an app setting in the portal
-1. For **Name**, enter the *key* or name for your new setting.
+1. On the **App settings** tab, at the bottom of the list, in the **Name** column, enter the *key* or name for your new setting.
1. For **Value**, enter the value for your new setting.
-1. When you're ready to create your new *key-value* pair, select **OK**.
+1. When you're ready to create your new *key-value* pair, select **Apply**.
+ :::image type="content" source="./media/edit-app-settings-host-settings/portal-app-settings-values.png" alt-text="Screenshot shows Azure portal with app settings page and values for a Standard logic app resource." lightbox="./media/edit-app-settings-host-settings/portal-app-settings-values.png":::
### [Visual Studio Code](#tab/visual-studio-code)
-To review the app settings for your logic app in Visual Studio Code, follow these steps:
+##### View app settings in Visual Studio Code
1. In your logic app project, at the root project level, find and open the **local.settings.json** file.
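Review bot: step 2 of the new "Add an app setting in the portal" procedure still reads "For **Value**, enter the value for your new setting" while the rewritten step 1 says "in the **Name** column, enter the *key*"; make step 2 parallel ("In the **Value** column, enter the value..."). Two style points: the new `#####` headings sit directly under the `###` tab headings, skipping H4, which Markdown linters flag; and "select the "eye"" would read better as "select the eye icon".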
To review the app settings for your logic app in Visual Studio Code, follow thes
For more information about these settings, review the [reference guide for available app settings - local.settings.json](#reference-local-settings-json).
-To add an app setting, follow these steps:
+##### Add an app setting in Visual Studio Code
1. In the **local.settings.json** file, find the `Values` object.
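Review bot: same heading-level skip as in the Azure portal tab: `##### View app settings in Visual Studio Code` and `##### Add an app setting in Visual Studio Code` sit directly under the `###` tab heading. If H5 is the intended level for sub-procedures inside tabs, keep it, but use the same level in both tabs and anywhere else the article nests steps under a tab.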
logic-apps Logic Apps Add Run Inline Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-add-run-inline-code.md
Title: Run code snippets in workflows
description: Run code snippets in workflows using Inline Code operations in Azure Logic Apps. ms.suite: integration-+ Previously updated : 08/07/2023 Last updated : 10/10/2023
The following diagram shows the highlights from example workflow:
* Standard: [Create example Standard logic app workflows](create-single-tenant-workflows-azure-portal.md)
-* Based on whether your logic app is Consumption or Standard, review the following requirements:
+* Based on whether you have a Consumption or Standard logic app workflow, review the following requirements:
- * Consumption: Requires [Node.js version 8.11.10](https://nodejs.org/en/download/releases/) and a [link to an integration account](logic-apps-enterprise-integration-create-integration-account.md), empty or otherwise, from your logic app resource.
+ * Consumption workflow
- > [!IMPORTANT]
- >
- > Make sure that you use an integration account that's appropriate for your use case or scenario.
- >
- > For example, [Free-tier](logic-apps-pricing.md#integration-accounts) integration accounts are meant only
- > for exploratory scenarios and workloads, not production scenarios, are limited in usage and throughput,
- > and aren't supported by a service-level agreement (SLA).
- >
- > Other integration account tiers incur costs, but include SLA support, offer more throughput, and have higher limits.
- > Learn more about [integration account tiers](logic-apps-pricing.md#integration-accounts),
- > [limits](logic-apps-limits-and-config.md#integration-account-limits), and
- > [pricing](https://azure.microsoft.com/pricing/details/logic-apps/).
+ * [Node.js version 8.11.10](https://nodejs.org/en/download/releases/)
- * Standard: Requires [Node.js versions 16.x.x](https://nodejs.org/en/download/releases/), but no integration account.
+ * [Link to an integration account](logic-apps-enterprise-integration-create-integration-account.md), empty or otherwise, from your logic app resource.
+
+ > [!IMPORTANT]
+ >
+ > Make sure that you use an integration account that's appropriate for your use case or scenario.
+ >
+ > For example, [Free-tier](logic-apps-pricing.md#integration-accounts) integration accounts are meant only
+ > for exploratory scenarios and workloads, not production scenarios, are limited in usage and throughput,
+ > and aren't supported by a service-level agreement (SLA).
+ >
+ > Other integration account tiers incur costs, but include SLA support, offer more throughput, and have higher limits.
+ > Learn more about [integration account tiers](logic-apps-pricing.md#integration-accounts),
+ > [limits](logic-apps-limits-and-config.md#integration-account-limits), and
+ > [pricing](https://azure.microsoft.com/pricing/details/logic-apps/).
+
+ * Standard workflow
+
+ * [Node.js versions 16.x.x](https://nodejs.org/en/download/releases/)
+
+ * No integration account required.
## Add the Execute JavaScript Code action
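Review bot: in the restructured prerequisites, the sub-items end inconsistently: "No integration account required." ends with a period while the two Node.js items and the "Consumption workflow" / "Standard workflow" labels don't; pick one style. Also confirm that "Node.js version 8.11.10" is still the version the Consumption **Execute JavaScript Code** action runs on, since the restructure carries that value over unchanged and it is the one readers will act on.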
logic-apps Logic Apps Enterprise Integration Maps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-enterprise-integration-maps.md
ms.suite: integration Previously updated : 04/25/2023 Last updated : 10/04/2023 # Add maps for transformations in workflows with Azure Logic Apps
Workflow actions such as **Transform XML** and **Liquid** require a map to perfo
For example, suppose you regularly receive B2B orders or invoices from a customer who uses the YearMonthDay date format (YYYYMMDD). However, your organization uses the MonthDayYear date format (MMDDYYYY). You can define and use a map that transforms the YYYYMMDD format to the MMDDYYYY format before storing the order or invoice details in your customer activity database.
-This article shows how to add a map to your integration account. If you're working with a Standard logic app workflow, you can also add a map directly to your logic app resource.
+This how-to guide shows how to add a map to your integration account. If you're working with a Standard logic app workflow, you can also add a map directly to your logic app resource.
## Prerequisites * An Azure account and subscription. If you don't have a subscription yet, [sign up for a free Azure account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-* The map that you want to add. To create maps, you can use the following tools:
+* The map that you want to add. To create maps, you can use any of the following tools:
* Visual Studio Code and the Data Mapper extension. To call the maps created with Data Mapper from your workflow, you must use the **Data Mapper Operations** action named **Transform using Data Mapper XSLT**, not the **XML Operations** action named **Transform XML**. For more information, see [Create maps for data transformation with Visual Studio Code](create-maps-data-transformation-visual-studio-code.md).
This article shows how to add a map to your integration account. If you're worki
So, if you don't have or need an integration account, you can use the upload option. Otherwise, you can use the linking option. Either way, you can use these artifacts across all child workflows within the same logic app resource.
+* Consumption and Standard workflows support XSLT maps that reference external assemblies, which enable directly calling custom .NET code from XSLT maps. To support this capability, Consumption workflows also have the following requirements:
+
+ * You need a 64-bit assembly. The transform service runs a 64-bit process, so 32-bit assemblies aren't supported. If you have the source code for a 32-bit assembly, recompile the code into a 64-bit assembly. If you don't have the source code, but you obtained the binary from a third-party provider, get the 64-bit version from that provider. For example, some vendors provide assemblies in packages that have both 32-bit and 64-bit versions. If you have the option, use the 64-bit version instead.
+
+ * You have to upload *both the assembly and the map* in a specific order to your integration account. Make sure you [*upload your assembly first*](#add-assembly), and then upload the map that references the assembly.
+
+ * If your assembly or map is [2 MB or smaller](#smaller-map), you can add your assembly and map to your integration account *directly* from the Azure portal.
+
+ * If your assembly is bigger than 2 MB but not bigger than the [size limit for assemblies](logic-apps-limits-and-config.md#artifact-capacity-limits), you'll need an Azure storage account and blob container where you can upload your assembly. Later, you can provide that container's location when you add the assembly to your integration account. For this task, the following table describes the items you need:
+
+ | Item | Description |
+ ||-|
+ | [Azure storage account](../storage/common/storage-account-overview.md) | In this account, create an Azure blob container for your assembly. Learn [how to create a storage account](../storage/common/storage-account-create.md). |
+ | Blob container | In this container, you can upload your assembly. You also need this container's content URI location when you add the assembly to your integration account. Learn how to [create a blob container](../storage/blobs/storage-quickstart-blobs-portal.md). |
+ | [Azure Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md) | This tool helps you more easily manage storage accounts and blob containers. To use Storage Explorer, either [download and install Azure Storage Explorer](https://www.storageexplorer.com/). Then, connect Storage Explorer to your storage account by following the steps in [Get started with Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md). To learn more, see [Quickstart: Create a blob in object storage with Azure Storage Explorer](../storage/blobs/quickstart-storage-explorer.md). <br><br>Or, in the Azure portal, select your storage account. From your storage account menu, select **Storage Explorer**. |
+
+ To add larger maps, you can use the [Azure Logic Apps REST API - Maps](/rest/api/logic/maps/createorupdate). For Standard workflows, the Azure Logic Apps REST API is currently unavailable.
+ ## Limitations * Limits apply to the number of artifacts, such as maps, per integration account. For more information, review [Limits and configuration information for Azure Logic Apps](logic-apps-limits-and-config.md#integration-account-limits).
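Review bot: the new prerequisites bullet says both Consumption and Standard workflows support assembly references but then lists requirements for Consumption only, and the last added paragraph ("To add larger maps, you can use the Azure Logic Apps REST API - Maps... For Standard workflows, the Azure Logic Apps REST API is currently unavailable") sits inside that Consumption-only list although it makes a statement about Standard; move it out of the list or reword it. In the Storage Explorer row, "either [download and install Azure Storage Explorer]... Then, connect" has no "or" until the sentence after the `<br><br>`; restructure as "Either download and install ... and connect ..., or in the Azure portal ...". Also, the last added line fuses "## Limitations" with the first bullet; if that is the source and not just the diff rendering, add a line break.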
This article shows how to add a map to your integration account. If you're worki
* Standard workflows
- * Supports references to external assemblies from maps, which enable direct calls from XSLT maps to custom .NET code. To configure support for external assemblies, see [.NET Framework assembly support for XSLT transformations added to Azure Logic Apps (Standard)](https://techcommunity.microsoft.com/t5/integrations-on-azure-blog/net-framework-assembly-support-added-to-azure-logic-apps/ba-p/3669120).
-
- * Supports XSLT 1.0, 2.0, and 3.0.
+ * Support XSLT 1.0, 2.0, and 3.0.
* No limits apply to map file sizes.
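Review bot: with the "Supports references to external assemblies" item gone from the Standard list, the Limitations section no longer says anything about assembly support for Standard workflows, and the TechCommunity link that was removed here was this section's only pointer to that information; add a cross-reference to the new prerequisites bullet. The verb change from "Supports XSLT 1.0, 2.0, and 3.0" to "Support XSLT 1.0, 2.0, and 3.0" should match whatever form the sibling items in the Consumption list use, so the two lists stay parallel.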
This article shows how to add a map to your integration account. If you're worki
* Create [Standard logic app workflows](logic-apps-overview.md#resource-environment-differences), which run in single-tenant Azure Logic Apps and offer dedicated and flexible options for compute and memory resources.
- * Supports references to external assemblies from maps, which enable direct calls from XSLT maps to custom .NET code with the following requirements:
-
- * You need a 64-bit assembly. The transform service runs a 64-bit process, so 32-bit assemblies aren't supported. If you have the source code for a 32-bit assembly, recompile the code into a 64-bit assembly. If you don't have the source code, but you obtained the binary from a third-party provider, get the 64-bit version from that provider. For example, some vendors provide assemblies in packages that have both 32-bit and 64-bit versions. If you have the option, use the 64-bit version instead.
-
- * You have to upload *both the assembly and the map* in a specific order to your integration account. Make sure you [*upload your assembly first*](#add-assembly), and then upload the map that references the assembly.
-
- * If your assembly or map is [2 MB or smaller](#smaller-map), you can add your assembly and map to your integration account *directly* from the Azure portal.
-
- * If your assembly is bigger than 2 MB but not bigger than the [size limit for assemblies](logic-apps-limits-and-config.md#artifact-capacity-limits), you'll need an Azure storage account and blob container where you can upload your assembly. Later, you can provide that container's location when you add the assembly to your integration account. For this task, the following table describes the items you need:
-
- | Item | Description |
- ||-|
- | [Azure storage account](../storage/common/storage-account-overview.md) | In this account, create an Azure blob container for your assembly. Learn [how to create a storage account](../storage/common/storage-account-create.md). |
- | Blob container | In this container, you can upload your assembly. You also need this container's content URI location when you add the assembly to your integration account. Learn how to [create a blob container](../storage/blobs/storage-quickstart-blobs-portal.md). |
- | [Azure Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md) | This tool helps you more easily manage storage accounts and blob containers. To use Storage Explorer, either [download and install Azure Storage Explorer](https://www.storageexplorer.com/). Then, connect Storage Explorer to your storage account by following the steps in [Get started with Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md). To learn more, see [Quickstart: Create a blob in object storage with Azure Storage Explorer](../storage/blobs/quickstart-storage-explorer.md). <br><br>Or, in the Azure portal, select your storage account. From your storage account menu, select **Storage Explorer**. |
-
- To add larger maps, you can use the [Azure Logic Apps REST API - Maps](/rest/api/logic/maps/createorupdate). For Standard workflows, the Azure Logic Apps REST API is currently unavailable.
- <a name="create-maps"></a> ## Create maps
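Review bot: the last removed line shows `<a name="create-maps"></a> ## Create maps` being deleted together with the preceding blank line; if that is not just an artifact of how the diff is rendered, the `create-maps` anchor and the "Create maps" heading must stay, because in-page and external links to `#create-maps` would break. The rest of this block moves unchanged into the prerequisites, which reads fine.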
The following example shows a map that references an assembly named `XslUtilitie
### [Consumption](#tab/consumption)
-A Consumption logic app resource supports referencing external assemblies from maps, which enable direct calls from XSLT maps to custom .NET code.
+A Consumption logic app resource supports referencing external assemblies from maps, which enable directly calling custom .NET code from XSLT maps.
-1. In the [Azure portal](https://portal.azure.com), sign in with your Azure account credentials.
-
-1. In the main Azure search box, enter `integration accounts`, and select **Integration accounts**.
+1. In the [Azure portal](https://portal.azure.com) search box, enter **integration accounts**, and select **Integration accounts**.
1. Select the integration account where you want to add your assembly.
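Review bot: "supports referencing external assemblies from maps, which enable directly calling custom .NET code" has a subject-verb mismatch: the subject of the relative clause is "referencing", so "enables". The same phrasing is reused in the Standard tab below and in the Transform XML article in this update, so fix it in all three places. Collapsing the sign-in step into the search step is fine.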
After your assembly finishes uploading, the assembly appears in the **Assemblies
### [Standard](#tab/standard)
-A Standard logic app resource supports referencing external assemblies from maps, which enable direct calls from XSLT maps to custom .NET code. To configure this support, see [.NET Framework assembly support for XSLT transformations added to Azure Logic Apps (Standard)](https://techcommunity.microsoft.com/t5/integrations-on-azure-blog/net-framework-assembly-support-added-to-azure-logic-apps/ba-p/3669120).
+A Standard logic app resource supports referencing external assemblies from maps, which enable directly calling custom .NET code from XSLT maps. For more information about this capability, see [Create and run .NET Framework code from Standard workflows](create-run-custom-code-functions.md).
+
+1. In the [Azure portal](https://portal.azure.com) search box, find and open your logic app resource.
+
+1. On the logic app menu, under **Artifacts**, select **Assemblies**.
+
+1. On the **Assemblies** page toolbar, select **Add**. On the **Add Assembly** pane, under **Assembly Type**, select the following type for your assembly, based on your scenario:
+
+ | Assembly type | Description |
+ ||-|
+ | **Client/SDK Assembly (.NET Framework)** | This assembly type provides storage and deployment of client and custom SDK for the .NET Framework. For example, the [SAP built-in connector](/azure/logic-apps/connectors/built-in/reference/sap/) uses these assemblies to load the SAP NCo non-redistributable DLL files. |
+ | **Client/SDK Assembly (Java)** | This assembly type provides storage and deployment of custom SDK for Java. For example, the [JDBC built-in connector](/azure/logic-apps/connectors/built-in/reference/jdbc/) uses these JAR files to find JDBC drivers for custom relational databases (RDBs). |
+ | **Custom Assembly (.NET Framework)** | This assembly type provides storage and deployment of custom DLLs. For example, the [**Transform XML** operation](logic-apps-enterprise-integration-transform.md) uses these assemblies for the custom transformation functions that are required during XML transformation. |
+
+1. Now, either drag-and-drop your assemblies to the **Upload Files** area, or browse to and select your assemblies.
+
+1. When you're done, select **Upload Files**.
+
+ Your selected assemblies now appear on your logic app's **Assemblies** page.
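Review bot: step 3 says "select the following type for your assembly, based on your scenario" but three types follow; reword as "select the assembly type that matches your scenario:". "drag-and-drop" used as a verb should be "drag and drop". Since this article is about maps, a sentence after the table noting that **Custom Assembly (.NET Framework)** is the row that applies to assemblies referenced by **Transform XML** maps (as the table's own description says) would save readers from picking a Client/SDK type by mistake.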
logic-apps Logic Apps Enterprise Integration Transform https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-enterprise-integration-transform.md
Previously updated : 04/25/2023 Last updated : 10/04/2023 # Transform XML in workflows with Azure Logic Apps
If you're new to logic apps, review [What is Azure Logic Apps](logic-apps-overvi
## Advanced capabilities
-### Reference assembly or custom code from maps
+### Reference assemblies or call custom code from maps
-The **Transform XML** action supports maps that reference an external assembly. For more information, review [Add XSLT maps for workflows in Azure Logic Apps](logic-apps-enterprise-integration-maps.md#add-assembly).
+The **Transform XML** action supports referencing external assemblies from maps, which enable directly calling custom .NET code from XSLT maps. For more information, see [Add XSLT maps for workflows in Azure Logic Apps](logic-apps-enterprise-integration-maps.md).
### Byte order mark
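Review bot: the new link drops the `#add-assembly` anchor from the target even though that anchor still exists (the maps article's own prerequisites link to it), so readers now land at the top of a long article instead of at the assembly steps; keep the anchor. Also "supports referencing external assemblies from maps, which enable directly calling" should be "which enables", as the subject of the clause is "referencing".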
logic-apps Logic Apps Limits And Config https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/logic-apps-limits-and-config.md
ms.suite: integration Previously updated : 09/14/2023 Last updated : 10/09/2023 # Limits and configuration reference for Azure Logic Apps
The following table lists the values for a single workflow definition:
| Runtime endpoint - Concurrent inbound calls | ~1,000 calls | None | You can reduce the number of concurrent requests or reduce the duration as necessary. | | Runtime endpoint - Read calls per 5 min | 60,000 read calls | None | This limit applies to calls that get the raw inputs and outputs from a workflow's run history. You can distribute the workload across more than one workflow as necessary. | | Runtime endpoint - Invoke calls per 5 min | 45,000 invoke calls | None | You can distribute workload across more than one workflow as necessary. |
-| Content throughput per 5 min | 600 MB | None | You can distribute workload across more than one workflow as necessary. |
+| Content throughput per 5 min | 6 GB | None | For example, suppose the backend has 100 workers. Each worker has a limit of 60 MB, which is the result from dividing 6 GB by 100 workers. You can distribute workload across more than one workflow as necessary. |
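Review bot: this raises the documented content-throughput limit tenfold (600 MB to 6 GB per 5 minutes). The worked example (6 GB divided by 100 workers is 60 MB per worker) is arithmetically consistent, but a change of this size to a published limit should be confirmed with the service team before merging. The unit style also differs from the Request trigger table further down, which states its limit in KB and bytes; consider one convention for both rows.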
<a name="run-high-throughput-mode"></a>
By default, the HTTP action and APIConnection actions follow the [standard async
<a name="content-storage-size-limits"></a>
-### Request trigger size limits
+### Request trigger and webhook trigger size limits
| Name | Multi-tenant | Single-tenant | Notes | ||--||-|
-| Request trigger (inbound) - Content size limit per 5-minute rolling interval per workflow | 3,145,728 KB | None | This limit applies only to the content size for inbound requests received by the Request trigger. <br><br>For example, suppose the backend has 100 workers. Each worker has a limit of 31,457,280 bytes, which is the result from dividing 3,145,728,000 bytes by 100 workers. To avoid experiencing premature throttling, use a new HTTP client for each request, which helps evenly distribute the calls across all nodes. |
+| Request trigger (inbound) and webhook-based triggers - Content size limit per 5-minute rolling interval per workflow | 3,145,728 KB | None | This limit applies only to the content size for inbound requests received by the Request trigger or any webhook trigger. <br><br>For example, suppose the backend has 100 workers. Each worker has a limit of 31,457,280 bytes, which is the result from dividing 3,145,728,000 bytes by 100 workers. To avoid experiencing premature throttling for the Request trigger, use a new HTTP client for each request, which helps evenly distribute the calls across all nodes. For a webhook trigger, you might have to use multiple workflows, which splits the load and avoids throttling. |
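Review bot: the worked example carried over into this row doesn't match the stated limit. 3,145,728 KB is 3 x 1024 x 1024 KB, that is 3,221,225,472 bytes, but the text divides 3,145,728,000 bytes among 100 workers (treating 1 KB as 1,000 bytes) to get 31,457,280 bytes each. Either state the limit in bytes as 3,145,728,000 or give roughly 32,212,254 bytes per worker. The webhook addition itself reads fine; the "use multiple workflows" advice could say explicitly that the limit is per workflow, which is why splitting helps.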
<a name="message-size-limits"></a>
logic-apps Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/logic-apps/policy-reference.md
Title: Built-in policy definitions for Azure Logic Apps description: Lists Azure Policy built-in policy definitions for Azure Logic Apps. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023 ms.suite: integration
machine-learning How To Manage Inputs Outputs Pipeline https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-manage-inputs-outputs-pipeline.md
At the pipeline level, inputs and outputs are useful for submitting pipeline job
### Types of Inputs and Outputs
-Inputs could be either of below types:
+The following types are supported as **outputs** of a component or a pipeline.
+
+- Data types. Check [data types in Azure Machine Learning](./concept-data.md#data-types) to learn more about data types.
+ - `uri_file`
+ - `uri_folder`
+ - `mltable`
+
+- Model types.
+ - `mlflow_model`
+ - `custom_model`
+
+Using data or model output essentially serializing the outputs and save them as files in a storage location. In subsequent steps, this storage location can be mounted, downloaded, or uploaded to the compute target filesystem, enabling the next step to access the files during job execution.
+This process requires the component's source code serializing the desired output object - usually stored in memory - into files. For instance, you could serialize a pandas dataframe as a CSV file. Note that Azure Machine Learning doesn't define any standardized methods for object serialization. As a user, you have the flexibility to choose your preferred method to serialize objects into files. Following that, in the downstream component, you can independently deserialize and read these files. Here are a few examples for your reference:
+
+- In the *nyc_taxi_data_regression* example, the [prep component](https://github.com/Azure/azureml-examples/blob/main/cli/jobs/pipelines-with-components/nyc_taxi_data_regression/prep.yml) has an`uri_folder` type output. In the component source code, it reads the csv files from input folder, processes the files and writes processed CSV files to the output folder.
+- In the *nyc_taxi_data_regression* example, the [train component](https://github.com/Azure/azureml-examples/blob/main/cli/jobs/pipelines-with-components/nyc_taxi_data_regression/train.yml) has a `mlflow_model` type output. In the component source code, it saves the trained model using `mlflow.sklearn.save_model` method.
- - Data asset types: `uri_file`, `uri_folder`, `mltable`.
- - Model asset types: `mlflow_model`, `custom_model`
-Outputs need to be asset types.
+In addition to above data or model types, pipeline or component **inputs** can also be following primitive types.
+ - `string`
+ - `number`
+ - `integer`
+ - `boolean`
+In the *nyc_taxi_data_regression* example, [train component](https://github.com/Azure/azureml-examples/blob/main/cli/jobs/pipelines-with-components/nyc_taxi_data_regression/train.yml) has a `number` input named `test_split_ratio`.
+
+> [!NOTE]
+>Primitive types output is not supported.
+
### Path and mode for data inputs/outputs For data asset input/output, you must specify a `path` parameter that points to the data location. This table shows the different data locations that Azure Machine Learning pipeline supports, and also shows path parameter examples:
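Review bot: several added sentences need grammar fixes: "Using data or model output essentially serializing the outputs and save them as files" should read "Using a data or model output essentially means serializing the outputs and saving them as files"; "requires the component's source code serializing the desired output object" should be "requires the component's source code to serialize the desired output object"; "has an`uri_folder` type output" needs a space and should be "has a `uri_folder` type output", while "has a `mlflow_model` type output" should be "an `mlflow_model`"; "In addition to above data or model types, ... can also be following primitive types" should be "In addition to the above data and model types, ... can also be the following primitive types"; and the note "Primitive types output is not supported" should be "Primitive types aren't supported as outputs". On content: the section is titled "Types of Inputs and Outputs" but the new opening sentence covers only outputs, and the removed "Inputs could be either of below types" isn't replaced by an explicit statement that inputs accept the same data and model types; the "In addition to" sentence only implies it, so say it outright.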
For data asset input/output, you must specify a `path` parameter that points to
> [!NOTE] > For input/output on storage, we highly suggest to use Azure Machine Learning datastore path instead of direct Azure Storage path. Datastore path are supported across various job types in pipeline.
-For data input/output, you can choose from various modes (download or mount) to define how the data is accessed in the compute target.
-This table shows the possible modes for different type/mode/input/output combinations. To learn more, see [data asset modes](./how-to-read-write-data-v2.md#modes).
+For data input/output, you can choose from various modes (download, mount or upload) to define how the data is accessed in the compute target.
+This table shows the possible modes for different type/mode/input/output combinations.
Type | Input/Output | `upload` | `download` | `ro_mount` | `rw_mount` | `direct` | `eval_download` | `eval_mount` | | :: | :: | :: | :: | :: | :: | ::
Type | Input/Output | `upload` | `download` | `ro_mount` | `rw_mount` | `direct`
`uri_file` | Output | Γ£ô | | | Γ£ô | | | `mltable` | Output | Γ£ô | | | Γ£ô | Γ£ô | |
+> [!NOTE]
+> In most cases, we suggest to use `ro_mount` or `rw_mount` mode. To learn more about mode, see [data asset modes](./how-to-read-write-data-v2.md#modes).
++ ### Visual representation in Azure Machine Learning studio The following screenshots provide an example of how inputs and outputs are displayed in a pipeline job in Azure Machine Learning studio. This particular job, named `nyc-taxi-data-regression`, can be found in [azureml-example.](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/pipelines-with-components/nyc_taxi_data_regression)
-In the pipeline job page of studio, the asset type inputs/output of a component is shown as a small circle in the corresponding component, known as the Input/Output port. These ports represent the data flow in a pipeline.
+In the pipeline job page of studio, the data/model type inputs/output of a component is shown as a small circle in the corresponding component, known as the Input/Output port. These ports represent the data flow in a pipeline.
The pipeline level output is displayed as a purple box for easy identification.
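Review bot: "download, mount or upload" needs the serial comma used elsewhere in the article ("download, mount, or upload"); "we suggest to use `ro_mount` or `rw_mount` mode" should be "we suggest using `ro_mount` or `rw_mount` mode"; "To learn more about mode" should be "modes"; and "the data/model type inputs/output of a component is shown" should be "inputs/outputs ... are shown". Separately, the check marks in the mode table's context lines appear here as "Γ£ô", which is what a UTF-8 ✓ looks like when decoded as a legacy code page; verify the source file is saved as UTF-8 so they render correctly.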
machine-learning How To Submit Spark Jobs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-submit-spark-jobs.md
To troubleshoot a Spark job, you can access the logs generated for that job in A
> To troubleshoot Spark jobs created during interactive data wrangling in a notebook session, select **Job details** near the top right corner of the notebook UI. A Spark jobs from an interactive notebook session is created under the experiment name **notebook-runs**. ## Improving serverless Spark session start-up time while using session-level Conda packages
-A serverless Spark session [*cold start* with session-level Conda packages](./apache-spark-azure-ml-concepts.md#inactivity-periods-and-tear-down-mechanism) may take 10 to 15 minutes. You can improve the Spark session *cold start* time by setting configuration variable `spark.hadoop.aml.enable_cache` to true. A session *cold start* with session level Conda packages typically takes 10 to 15 minutes when the session starts for the first time. However, subsequent session *cold starts* typically take three to five minutes.
+A serverless Spark session [*cold start* with session-level Conda packages](./apache-spark-azure-ml-concepts.md#inactivity-periods-and-tear-down-mechanism) may take 10 to 15 minutes. You can improve the Spark session *cold start* time by setting configuration variable `spark.hadoop.aml.enable_cache` to true. Declaring this configuration variable is optional. To ensure that the configuration variable was set successfully, check status of the latest job in the experiment `cachejobmamangement`. A successful job indicates that the cache was created successfully. A session *cold start* with session level Conda packages typically takes 10 to 15 minutes when the session starts for the first time. However, subsequent session *cold starts* typically take three to five minutes.
# [CLI](#tab/cli) [!INCLUDE [cli v2](includes/machine-learning-cli-v2.md)]
Define configuration variable `spark.hadoop.aml.enable_cache` in the **Configure
## Next steps - [Code samples for Spark jobs using Azure Machine Learning CLI](https://github.com/Azure/azureml-examples/tree/main/cli/jobs/spark)-- [Code samples for Spark jobs using Azure Machine Learning Python SDK](https://github.com/Azure/azureml-examples/tree/main/sdk/python/jobs/spark)
+- [Code samples for Spark jobs using Azure Machine Learning Python SDK](https://github.com/Azure/azureml-examples/tree/main/sdk/python/jobs/spark)
machine-learning How To Troubleshoot Kubernetes Compute https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-troubleshoot-kubernetes-compute.md
You can check the following items to troubleshoot the issue:
> [!TIP] > More troubleshoot guide of common errors when creating/updating the Kubernetes online endpoints and deployments, you can find in [How to troubleshoot online endpoints](how-to-troubleshoot-online-endpoints.md).
+### Identity error
+
+#### ERROR: RefreshExtensionIdentityNotSet
+
+This error occurs when the extension is installed but the extension identity is not correctly assigned. You can try to re-install the extension to fix it.
+
+> Please notice this error is only for managed clusters
+++++ ### How to check sslCertPemFile and sslKeyPemFile is correct? Use the commands below to run a baseline check for your cert and key. This is to allow for any known errors to be surfaced. Expect the second command to return "RSA key ok" without prompting you for password.
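Review bot: The added caveat `> Please notice this error is only for managed clusters` should use the admonition style the article already uses (`> [!NOTE]`, as with the `> [!TIP]` above) and say which cluster types count as managed, since "managed clusters" on its own is ambiguous to a reader running the extension on Arc-connected or AKS clusters; it also needs a terminal period. The run of five empty added lines before `### How to check sslCertPemFile and sslKeyPemFile is correct?` should be trimmed to one blank line, and that heading would read better as "are correct".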
machine-learning How To Use Pipelines Prompt Flow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/how-to-use-pipelines-prompt-flow.md
Azure Machine Learning offers notebook tutorials for several use cases with prom
**Test Data Generation and Auto Prompt**
-[Use vector indexes to build a retrieval augmented generation model](https://github.com/Azure/azureml-examples/blob/main/sdk/python/generative-ai/rag/notebooks/mlindex_with_testgen_autoprompt.ipynb) and to evaluate prompt flow on a test dataset.
+[Use vector indexes to build a retrieval augmented generation model](https://github.com/Azure/azureml-examples/blob/main/sdk/python/generative-ai/rag/notebooks/mlindex_with_testgen.ipynb) and to evaluate prompt flow on a test dataset.
**Create a FAISS based Vector Index**
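Review bot: The link target drops `_autoprompt` (`mlindex_with_testgen.ipynb`), but the heading two lines above still says **Test Data Generation and Auto Prompt**; either update the heading or confirm the renamed notebook still covers the auto prompt step, otherwise readers are promised content the notebook no longer has.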
machine-learning Interactive Data Wrangling With Apache Spark Azure Ml https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/interactive-data-wrangling-with-apache-spark-azure-ml.md
The session configuration changes persist and become available to another notebo
> [!TIP] >
-> If you use session-level Conda packages, you can [improve](./how-to-submit-spark-jobs.md#improving-serverless-spark-session-start-up-time-while-using-session-level-conda-packages) the Spark session *cold start* time if you set the configuration variable `spark.hadoop.aml.enable_cache` to true.
+> If you use session-level Conda packages, you can [improve](./how-to-submit-spark-jobs.md#improving-serverless-spark-session-start-up-time-while-using-session-level-conda-packages) the Spark session *cold start* time if you set the configuration variable `spark.hadoop.aml.enable_cache` to true. A session cold start with session level Conda packages typically takes 10 to 15 minutes when the session starts for the first time. However, subsequent session cold starts with the configuration variable set to true typically take three to five minutes.
### Import and wrangle data from Azure Data Lake Storage (ADLS) Gen 2
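Review bot: Style only: the two added sentences write "session level" and "cold start" without the hyphen and italics used in the first sentence of the same tip (`session-level`, `*cold start*`); make them consistent so the tip reads as one voice.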
df.to_csv(output_path, index_col="PassengerId")
- [Code samples for interactive data wrangling with Apache Spark in Azure Machine Learning](https://github.com/Azure/azureml-examples/tree/main/sdk/python/data-wrangling) - [Optimize Apache Spark jobs in Azure Synapse Analytics](../synapse-analytics/spark/apache-spark-performance.md) - [What are Azure Machine Learning pipelines?](./concept-ml-pipelines.md)-- [Submit Spark jobs in Azure Machine Learning](./how-to-submit-spark-jobs.md)
+- [Submit Spark jobs in Azure Machine Learning](./how-to-submit-spark-jobs.md)
machine-learning Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/policy-reference.md
Title: Built-in policy definitions for Azure Machine Learning description: Lists Azure Policy built-in policy definitions for Azure Machine Learning. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
machine-learning How To Deploy To Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/prompt-flow/how-to-deploy-to-code.md
model: azureml:basic-chat-model:1
# You can also specify model files path inline # path: examples/flows/chat/basic-chat environment:
- image: mcr.microsoft.com/azureml/promptflow/promptflow-runtime:20230831.v1
+ image: mcr.microsoft.com/azureml/promptflow/promptflow-runtime:latest
# inference config is used to build a serving container for online deployments inference_config: liveness_route:
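Review bot: Changing `image:` from the pinned `promptflow-runtime:20230831.v1` to `promptflow-runtime:latest` makes the sample deployment non-reproducible: every new deployment pulls whatever `latest` resolves to at that moment, so a tutorial that worked one day can break or change behaviour the next without any change to the YAML, and a mutable tag cannot be audited against an approved image. Keep a pinned tag (or an immutable `@sha256:` digest) in the sample and, if the intent is to steer readers to the current runtime, add a sentence telling them where to find the current version, so the reader controls when the image changes.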
model: azureml:basic-chat-model:1
# You can also specify model files path inline # path: examples/flows/chat/basic-chat environment:
- image: mcr.microsoft.com/azureml/promptflow/promptflow-runtime:20230831.v1
+ image: mcr.microsoft.com/azureml/promptflow/promptflow-runtime:latest
# inference config is used to build a serving container for online deployments inference_config: liveness_route:
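Review bot: Same concern as the previous hunk: this second deployment YAML also moves from the pinned `20230831.v1` tag to `latest` and should stay pinned for the same reproducibility and auditability reasons.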
machine-learning Tutorial Enable Materialization Backfill Data https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/tutorial-enable-materialization-backfill-data.md
You can create a new notebook and execute the instructions in this tutorial step
1. Upload the *conda.yml* file that you [uploaded in the first tutorial](./tutorial-get-started-with-feature-store.md#prepare-the-notebook-environment). 1. Increase the session time-out (idle time) to avoid frequent prerequisite reruns.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=start-spark-session)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=start-spark-session)]
### Set up the root directory for the samples
-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=root-dir)]
+[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=root-dir)]
1. Set up the CLI.
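Review bot: These two includes now point at `3. Enable recurrent materialization and run batch inference.ipynb`, a notebook whose title does not match this article (enable materialization and backfill data), while the later hunks in the same file point at `2. Enable materialization and backfill feature data.ipynb` on the `azureml-examples-temp-fix` branch. The `start-spark-session` and `root-dir` cells will therefore render from a different tutorial's notebook than the rest of the page; either all includes in this article should reference the same notebook, or this pair was changed by mistake.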
You can create a new notebook and execute the instructions in this tutorial step
1. Install the Azure Machine Learning extension.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=install-ml-ext-cli)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=install-ml-ext-cli)]
1. Authenticate.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=auth-cli)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=auth-cli)]
1. Set the default subscription.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=set-default-subs-cli)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_and_cli/2. Enable materialization and backfill feature data.ipynb?name=set-default-subs-cli)]
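Review bot: Referencing a branch named `azureml-examples-temp-fix` from published docs is fragile: temporary branches get deleted once the fix lands, and every include that names it (this hunk and the remaining `temp-fix` hunks in this file) then fails to render. If main cannot be used yet, say so in the PR and track the switch back to `azureml-examples-main` (or a pinned commit) as follow-up work.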
You can create a new notebook and execute the instructions in this tutorial step
This is the current workspace. You'll run the tutorial notebook from this workspace.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=init-ws-crud-client)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=init-ws-crud-client)]
1. Initialize the feature store properties. Be sure to update the `featurestore_name` and `featurestore_location` values to reflect what you created in the first tutorial.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=init-fs-crud-client)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=init-fs-crud-client)]
1. Initialize the feature store core SDK client.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=init-fs-core-sdk)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=init-fs-core-sdk)]
1. Set up the offline materialization store.
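Review bot: As with the first hunk in this file, the `init-ws-crud-client`, `init-fs-crud-client` and `init-fs-core-sdk` cells now come from notebook 3 (recurrent materialization) on `main`, while the CLI steps just above and the offline-store steps below come from notebook 2 on `temp-fix`; mixing two notebooks on two branches for one walkthrough risks the cells disagreeing on variable names, so confirm this is intended.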
You can create a new notebook and execute the instructions in this tutorial step
You can optionally override the default settings.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=setup-utility-fns)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=setup-utility-fns)]
# [Azure CLI](#tab/cli)
You can create a new notebook and execute the instructions in this tutorial step
The materialization store uses these values. You can optionally override the default settings.
-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=set-offline-store-params)]
+[!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=set-offline-store-params)]
1. Create storage containers.
The materialization store uses these values. You can optionally override the def
# [Python SDK](#tab/python)
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=create-new-storage)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=create-new-storage)]
# [Azure CLI](#tab/cli)
The materialization store uses these values. You can optionally override the def
# [Python SDK](#tab/python)
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=use-existing-storage)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=use-existing-storage)]
# [Azure CLI](#tab/cli)
The materialization store uses these values. You can optionally override the def
### Set the UAI values
-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=set-uai-params)]
+[!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=set-uai-params)]
### Set up a UAI The first option is to create a new managed identity.
-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=create-new-uai)]
+[!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=create-new-uai)]
The second option is to reuse an existing managed identity.
-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=use-existing-uai)]
+[!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=use-existing-uai)]
### Retrieve UAI properties
The next CLI commands assign the first two roles to the UAI. In this example, th
# [Python SDK](#tab/python)
-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=grant-rbac-to-uai)]
+[!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=grant-rbac-to-uai)]
# [Azure CLI](#tab/cli)
Obtain your Azure AD object ID value from the Azure portal, as described in [Fin
To learn more about access control, see [Manage access control for managed feature store](./how-to-setup-access-control-feature-store.md).
-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=grant-rbac-to-user-identity)]
+[!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=grant-rbac-to-user-identity)]
The following steps grant the Storage Blob Data Reader role access to your user account:
The following steps grant the Storage Blob Data Reader role access to your user
# [Python SDK](#tab/python)
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=enable-offline-store)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=enable-offline-store)]
# [Azure CLI](#tab/cli)
The following steps grant the Storage Blob Data Reader role access to your user
# [Python SDK](#tab/python)
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=enable-offline-mat-txns-fset)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=enable-offline-mat-txns-fset)]
# [Azure CLI](#tab/cli)
The following steps grant the Storage Blob Data Reader role access to your user
# [Python SDK](#tab/python)
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=dump-txn-fset-yaml)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=dump-txn-fset-yaml)]
# [Azure CLI](#tab/cli)
The following steps grant the Storage Blob Data Reader role access to your user
> [!NOTE] > You might need to determine a backfill data window. The window must match the window of your training data. For example, to use two years of data for training, you need to retrieve features for the same window. This means you should backfill for a two-year window.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=backfill-txns-fset)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=backfill-txns-fset)]
Next, print sample data from the feature set. The output information shows that the data was retrieved from the materialization store. The `get_offline_features()` method retrieved the training and inference data. It also uses the materialization store by default.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=sample-txns-fset-data)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/2. Enable materialization and backfill feature data.ipynb?name=sample-txns-fset-data)]
## Clean up
machine-learning Tutorial Enable Recurrent Materialization Run Batch Inference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/tutorial-enable-recurrent-materialization-run-batch-inference.md
Before you proceed with the following procedures, be sure to complete the first,
1. Start the Spark session.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable recurrent materialization and run batch inference.ipynb?name=start-spark-session)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=start-spark-session)]
1. Set up the root directory for the samples.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable recurrent materialization and run batch inference.ipynb?name=root-dir)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=root-dir)]
### [Python SDK](#tab/python)
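Review bot: The renumbering here (notebook `4.` becomes `3.`) is applied consistently across the file, but note that `3. Enable recurrent materialization and run batch inference.ipynb` is now also the notebook that the backfill-data article above includes for its `start-spark-session` and `root-dir` cells; if that cross-article sharing is intentional it is worth a comment in the PR, otherwise that article needs fixing.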
Before you proceed with the following procedures, be sure to complete the first,
The tutorial notebook runs from this current workspace.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable recurrent materialization and run batch inference.ipynb?name=init-ws-crud-client)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=init-ws-crud-client)]
1. Initialize the feature store variables. Be sure to update the `featurestore_name` value, to reflect what you created in the first tutorial.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable recurrent materialization and run batch inference.ipynb?name=init-fs-crud-client)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=init-fs-crud-client)]
1. Initialize the feature store SDK client.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable recurrent materialization and run batch inference.ipynb?name=init-fs-core-sdk)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=init-fs-core-sdk)]
## Enable recurrent materialization on the transactions feature set
To handle inference of the model in production, you might want to set up recurre
As explained in earlier tutorials, after data is materialized (backfill or recurrent materialization), feature retrieval uses the materialized data by default.
-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable recurrent materialization and run batch inference.ipynb?name=enable-recurrent-mat-txns-fset)]
+[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=enable-recurrent-mat-txns-fset)]
## (Optional) Save the YAML file for the feature set asset
You use the updated settings to save the YAML file.
### [Python SDK](#tab/python)
-[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable recurrent materialization and run batch inference.ipynb?name=dump-txn-fset-with-mat-yaml)]
+[!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=dump-txn-fset-with-mat-yaml)]
### [Azure CLI](#tab/cli)
The batch inference has these steps:
> [!NOTE] > You use a job for batch inference in this example. You can also use batch endpoints in Azure Machine Learning.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable recurrent materialization and run batch inference.ipynb?name=run-batch-inf-pipeline)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=run-batch-inf-pipeline)]
### Inspect the output data for batch inference
In the pipeline view:
In the batch inference pipeline (*/project/fraud_mode/pipelines/batch_inference_pipeline.yaml*) outputs, because you didn't provide `name` or `version` values for `outputs` of `inference_step`, the system created an untracked data asset with a GUID as the name value and `1` as the version value. In this cell, you derive and then display the data path from the asset.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/4. Enable recurrent materialization and run batch inference.ipynb?name=inspect-batch-inf-output-data)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Enable recurrent materialization and run batch inference.ipynb?name=inspect-batch-inf-output-data)]
## Clean up
machine-learning Tutorial Experiment Train Models Using Features https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/tutorial-experiment-train-models-using-features.md
Before you proceed with the following procedures, be sure to complete the first
1. Start the Spark session.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=start-spark-session)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=start-spark-session)]
1. Set up the root directory for the samples.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=root-dir)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=root-dir)]
### [Python SDK](#tab/python)
Before you proceed with the following procedures, be sure to complete the first
This is the current workspace, and the tutorial notebook runs in this resource.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=init-ws-crud-client)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=init-ws-crud-client)]
1. Initialize the feature store variables. Be sure to update the `featurestore_name` and `featurestore_location` values to reflect what you created in the first tutorial.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=init-fs-crud-client)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=init-fs-crud-client)]
1. Initialize the feature store consumption client.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=init-fs-core-sdk)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=init-fs-core-sdk)]
1. Create a compute cluster named `cpu-cluster` in the project workspace. You'll need this compute cluster when you run the training/batch inference jobs.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=create-compute-cluster)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=create-compute-cluster)]
## Create the account feature set locally
You don't need to connect to a feature store. In this procedure, you create the
> [!NOTE] > This notebook uses sample data hosted in a publicly accessible blob container. Only a `wasbs` driver can read it in Spark. When you create feature sets by using your own source data, host those feature sets in an Azure Data Lake Storage Gen2 account, and use an `abfss` driver in the data path.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=explore-accts-fset-src-data)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=explore-accts-fset-src-data)]
1. Create the `accounts` feature set specification locally, from these precomputed features. You don't need any transformation code here, because you reference precomputed features.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=create-accts-fset-spec)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=create-accts-fset-spec)]
1. Export as a feature set specification.
You don't need to connect to a feature store. In this procedure, you create the
You don't need any transformation code here, because you reference precomputed features.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=dump-accts-fset-spec)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=dump-accts-fset-spec)]
## Locally experiment with unregistered features
As you develop features, you might want to locally test and validate them before
1. Select features for the model.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=select-unreg-features-for-model)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=select-unreg-features-for-model)]
1. Locally generate training data. This step generates training data for illustrative purposes. As an option, you can locally train models here. Later steps in this tutorial explain how to train a model in the cloud.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=gen-training-data-locally)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=gen-training-data-locally)]
1. Register the `accounts` feature set with the feature store. After you locally experiment with feature definitions, and they seem reasonable, you can register a feature set asset definition with the feature store.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=reg-accts-fset)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=reg-accts-fset)]
1. Get the registered feature set and test it.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=sample-accts-fset-data)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=sample-accts-fset-data)]
## Run a training experiment
In the following steps, you select a list of features, run a training pipeline,
1. Optionally, discover features from the SDK.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=discover-features-from-sdk)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=discover-features-from-sdk)]
1. Select features for the model, and export the model as a feature retrieval specification.
In the following steps, you select a list of features, run a training pipeline,
1. Select features for the model.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=select-reg-features)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=select-reg-features)]
1. Export selected features as a feature retrieval specification.
In the following steps, you select a list of features, run a training pipeline,
Use of the feature retrieval specification and the built-in feature retrieval component is optional. You can directly use the `get_offline_features()` API, as shown earlier. The name of the specification should be *feature_retrieval_spec.yaml* when it's packaged with the model. This way, the system can recognize it.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=export-as-frspec)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=export-as-frspec)]
## Train in the cloud with pipelines, and register the model
In this procedure, you manually trigger the training pipeline. In a production s
> [!NOTE] > In the second tutorial, you ran a backfill job to materialize data for the `transactions` feature set. The feature retrieval step reads feature values from the offline store for this feature set. The behavior is the same, even if you use the `get_offline_features()` API.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/3. Experiment and train models using features.ipynb?name=run-training-pipeline)]
+ [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/2. Experiment and train models using features.ipynb?name=run-training-pipeline)]
1. Inspect the training pipeline and the model.
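Review bot: The renumbering (notebook `3.` becomes `2.`) is consistent within the hunks, but the unchanged `[!NOTE]` above still says "In the second tutorial, you ran a backfill job to materialize data for the `transactions` feature set"; now that this article maps to notebook 2, that ordinal reference to the backfill tutorial may no longer match the sequence readers follow and should be checked.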
machine-learning Tutorial Online Materialization Inference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/machine-learning/tutorial-online-materialization-inference.md
To prepare the notebook environment for development:
1. This code cell starts the Spark session. It needs about 10 minutes to install all dependencies and start the Spark session.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=start-spark-session)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=start-spark-session)]
1. Set up the root directory for the samples
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=root-dir)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=root-dir)]
1. Initialize the `MLClient` for the project workspace, where the tutorial notebook runs. The `MLClient` is used for the create, read, update, and delete (CRUD) operations.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=init-prj-ws-client)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=init-prj-ws-client)]
1. Initialize the `MLClient` for the feature store workspace, for the create, read, update, and delete (CRUD) operations on the feature store workspace.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=init-fs-ws-client)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=init-fs-ws-client)]
> [!NOTE] > A **feature store workspace** supports feature reuse across projects. A **project workspace** - the current workspace in use - leverages features from a specific feature store, to train and inference models. Many project workspaces can share and reuse the same feature store workspace. 1. As mentioned earlier, this tutorial uses the Python feature store core SDK (`azureml-featurestore`). This initialized SDK client is used for create, read, update, and delete (CRUD) operations, on feature stores, feature sets, and feature store entities.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=init-fs-core-sdk)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=init-fs-core-sdk)]
## Prepare Azure Cache for Redis
This tutorial uses Azure Cache for Redis as the online materialization store. Yo
1. Set values for the Azure Cache for Redis resource, to use as online materialization store. In this code cell, define the name of the Azure Cache for Redis resource to create or reuse. You can override other default settings.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=redis-settings)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=redis-settings)]
1. You can create a new Redis instance. You would select the Redis Cache tier (basic, standard, premium, or enterprise). Choose an SKU family available for the cache tier you select. For more information about tiers and cache performance, see [this resource](../azure-cache-for-redis/cache-best-practices-performance.md). For more information about SKU tiers and Azure cache families, see [this resource](https://azure.microsoft.com/pricing/details/cache/). Execute this code cell to create an Azure Cache for Redis with premium tier, SKU family `P`, and cache capacity 2. It may take from five to 10 minutes to prepare the Redis instance.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=provision-redis)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=provision-redis)]
1. Optionally, this code cell reuses an existing Redis instance with the previously defined name.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=reuse-redis)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=reuse-redis)]
1. Retrieve the user-assigned managed identity (UAI) that the feature store used for materialization. This code cell retrieves the principal ID, client ID, and ARM ID property values for the UAI used by the feature store for data materialization.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=retrieve-uai)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=retrieve-uai)]
1. Grant the `Contributor` role to the UAI on the Azure Cache for Redis. This role is required to write data into Redis during materialization. This code cell grants the `Contributor` role to the UAI on the Azure Cache for Redis.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=uai-redis-rbac)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=uai-redis-rbac)]
## Attach online materialization store to the feature store The feature store needs the Azure Cache for Redis as an attached resource, for use as the online materialization store. This code cell handles that step.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=attach-online-store)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=attach-online-store)]
## Materialize the `accounts` feature set data to online store
The feature store needs the Azure Cache for Redis as an attached resource, for u
Earlier in this tutorial series, you did **not** materialize the accounts feature set because it had precomputed features, and only batch inference scenarios used it. This code cell enables online materialization so that the features become available in the online store, with low latency access. For consistency, it also enables offline materialization. Enabling offline materialization is optional.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=enable-accounts-material)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=enable-accounts-material)]
### Backfill the `account` feature set The `begin_backfill` function backfills data to all the materialization stores enabled for this feature set. Here offline and online materialization are both enabled. This code cell backfills the data to both online and offline materialization stores.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=start-accounts-backfill)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=start-accounts-backfill)]
This code cell tracks completion of the backfill job. With the Azure Cache for Redis premium tier provisioned earlier, this step may take approximately 10 minutes to complete.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=track-accounts-backfill)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=track-accounts-backfill)]
## Materialize `transactions` feature set data to the online store
Earlier in this tutorial series, you materialized `transactions` feature set dat
1. This code cell enables the `transactions` feature set online materialization.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=enable-transact-material)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=enable-transact-material)]
1. This code cell backfills the data to both the online and offline materialization store, to ensure that both stores have the latest data. The recurrent materialization job, which you set up in tutorial 2 of this series, now materializes data to both online and offline materialization stores.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=start-transact-material)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=start-transact-material)]
This code cell tracks completion of the backfill job. Using the premium tier Azure Cache for Redis provisioned earlier, this step may take approximately five minutes to complete.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=track-transact-material)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=track-transact-material)]
## Test locally
Now, use your development environment to look up features from the online materi
This code cell parses the list of features from the existing feature retrieval specification.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=parse-feat-list)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=parse-feat-list)]
This code retrieves feature values from the online materialization store.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=init-online-lookup)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=init-online-lookup)]
Prepare some observation data for testing, and use that data to look up features from the online materialization store. During the online look-up, the keys (`accountID`) defined in the observation sample data might not exist in the Redis (due to `TTL`). In this case:
Prepare some observation data for testing, and use that data to look up features
1. Open the console for the Redis instance, and check for existing keys with the `KEYS *` command. 1. Replace the `accountID` values in the sample observation data with the existing keys.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=online-feat-loockup)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=online-feat-loockup)]
These steps looked up features from the online store. In the next step, you'll test online features using an Azure Machine Learning managed online endpoint.
Visit [this resource](./how-to-deploy-online-endpoints.md?tabs=azure-cli) to lea
This code cell defines the `fraud-model` managed online endpoint.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=define-endpoint)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=define-endpoint)]
This code cell creates the managed online endpoint defined in the previous code cell.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=create-endpoint)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=create-endpoint)]
### Grant required RBAC permissions
Here, you grant required RBAC permissions to the managed online endpoint on the
This code cell retrieves the managed identity of the managed online endpoint:
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=get-endpoint-identity)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=get-endpoint-identity)]
#### Grant the `Contributor` role to the online endpoint managed identity on the Azure Cache for Redis This code cell grants the `Contributor` role to the online endpoint managed identity on the Redis instance. This RBAC permission is needed to materialize data into the Redis online store.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=endpoint-redis-rbac)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=endpoint-redis-rbac)]
#### Grant `AzureML Data Scientist` role to the online endpoint managed identity on the feature store This code cell grants the `AzureML Data Scientist` role to the online endpoint managed identity on the feature store. This RBAC permission is required for successful deployment of the model to the online endpoint.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=endpoint-fs-rbac)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=endpoint-fs-rbac)]
#### Deploy the model to the online endpoint
Review the scoring script `project/fraud_model/online_inference/src/scoring.py`.
Next, execute this code cell to create a managed online deployment definition for model deployment.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=define-online-deployment)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=define-online-deployment)]
Deploy the model to online endpoint with this code cell. The deployment may need four to five minutes.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=begin-online-deployment)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=begin-online-deployment)]
### Test online deployment with mock data Execute this code cell to test the online deployment with the mock data. You should see `0` or `1` as the output of this cell.
- [!notebook-python[] (~/azureml-examples-main/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=test-online-deployment)]
+ [!notebook-python[] (~/azureml-examples-temp-fix/sdk/python/featurestore_sample/notebooks/sdk_only/5. Enable online store and run online inference.ipynb?name=test-online-deployment)]
## Next steps
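Review bot: every `[!notebook-python[]` include in this article now points at `~/azureml-examples-temp-fix/...` instead of `~/azureml-examples-main/...`, and a branch named `temp-fix` reads as short-lived, so once it is merged or deleted every code cell in this tutorial stops rendering. If the hotfix on that branch is needed now, please open a follow-up to move the includes back to `azureml-examples-main` as soon as the fix lands there, or state in the PR description why the notebooks cannot come from `main`.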
managed-instance-apache-cassandra Configure Hybrid Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/configure-hybrid-cluster.md
This quickstart demonstrates how to use the Azure CLI commands to configure a hy
> - Azure KeyVault > - Azure Virtual Machine Scale Sets > - Azure Monitoring
- > - Azure Active Directory
+ > - Microsoft Entra ID
> - Azure Security 1. Now we will apply some special permissions to the VNet and subnet which Cassandra Managed Instance requires, using Azure CLI. Use the `az role assignment create` command, replacing `<subscriptionID>`, `<resourceGroupName>`, and `<vnetName>` with the appropriate values:
managed-instance-apache-cassandra Create Cluster Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/create-cluster-cli.md
This quickstart demonstrates how to use the Azure CLI commands to create a clust
> - Azure KeyVault > - Azure Virtual Machine Scale Sets > - Azure Monitoring
- > - Azure Active Directory
+ > - Microsoft Entra ID
> - Azure Security 1. Apply some special permissions to the Virtual Network, which are required by the managed instance. Use the `az role assignment create` command, replacing `<subscriptionID>`, `<resourceGroupName>`, and `<vnetName>` with the appropriate values:
managed-instance-apache-cassandra Create Cluster Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/create-cluster-portal.md
If you don't have an Azure subscription, create a [free account](https://azure.m
> - Azure KeyVault > - Azure Virtual Machine Scale Sets > - Azure Monitoring
- > - Azure Active Directory
+ > - Microsoft Entra ID
> - Azure Security 1. Next select the **Data center** tab.
managed-instance-apache-cassandra Ldap https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/ldap.md
In this section, we'll walk through creating a simple LDAP server on a Virtual M
## Next steps
-* [LDAP authentication with Azure Active Directory](../active-directory/fundamentals/auth-ldap.md)
+* [LDAP authentication with Microsoft Entra ID](../active-directory/fundamentals/auth-ldap.md)
* [Manage Azure Managed Instance for Apache Cassandra resources using Azure CLI](manage-resources-cli.md)
-* [Deploy a Managed Apache Spark Cluster with Azure Databricks](deploy-cluster-databricks.md)
+* [Deploy a Managed Apache Spark Cluster with Azure Databricks](deploy-cluster-databricks.md)
managed-instance-apache-cassandra Management Operations https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/management-operations.md
Azure Managed Instance for Apache Cassandra provides automated deployment and sc
* Node health monitoring consists of: * Actively monitoring each node's membership in the Cassandra ring.
- * Auto-detecting, and auto-mitigating infrastructure issues like virtual machine, network, storage, Linux, and support software failures.
+ * Autodetecting, and automitigating infrastructure issues like virtual machine, network, storage, Linux, and support software failures.
* Pro-actively monitoring CPU, disk, quorum loss, and other resource issues. * Automatically bringing up failed nodes where possible, and manually bringing up nodes in response to auto-generated warnings.
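Review bot: `Autodetecting, and automitigating` in the `+` line keeps the stray comma from the original and introduces `automitigating`, which readers will not recognise as a word; suggest `Autodetecting and mitigating infrastructure issues like ...` (or keep the hyphenated `auto-mitigating` if the prefix must stay). The next bullet still reads `Pro-actively`, so whichever spelling convention is chosen should be applied to both bullets in the same pass.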
Our support benefits include:
- Single point of contact for Cassandra infrastructure issues - no need to raise support cases with IaaS teams (disk, compute, networking) separately. - Pro-active advise via email on performance bottle necks, sizing, and other resource constraint issues.-- 24x7 support coverage, including auto-generated incidents for any severe outage issues.
+- 24x7 support coverage, including autogenerated incidents for any severe outage issues.
- Community approved patch support (see [Patching](#patching)). - In-house Java JDK/JVM engineering team support. - Linux Operating System support with software supply chain security.
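Review bot: the context line immediately before the changed bullet carries two typos worth fixing while this list is being touched: `Pro-active advise via email` should be `Proactive advice via email`, and `bottle necks` should be `bottlenecks`. The `+` line itself (`autogenerated incidents`) is fine.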
Our support benefits include:
## Backup and restore
-Snapshot backups are enabled by default and taken every 24 hours. Backups are stored in an internal Azure Blob Storage account and are retained for up to 2 days (48 hours). There's no cost for the initial 2 backups. Additional backups are charged, see [pricing](https://azure.microsoft.com/pricing/details/managed-instance-apache-cassandra/). To change the backup interval or retention period, you can edit the policy in the portal:
+Snapshot backups are enabled by default and taken every 24 hours. Backups are stored in an internal Azure Blob Storage account and are retained for up to 2 days (48 hours). There's no cost for the initial 2 backups. Extra backups are charged, see [pricing](https://azure.microsoft.com/pricing/details/managed-instance-apache-cassandra/). To change the backup interval or retention period, you can edit the policy in the portal:
:::image type="content" source="./media/resilient-applications/backup.png" alt-text="Screenshot of backup schedule configuration page." lightbox="./media/resilient-applications/backup.png" border="true":::
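Review bot: the `+` line keeps a comma splice from the original: `Extra backups are charged, see [pricing](...)`. Suggest `Extra backups are charged; see [pricing](...)` or `Extra backups are charged (see [pricing](...))`.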
To restore from an existing backup, file a [support request](https://portal.azur
1. If restore of the whole cluster is not required, provide the keyspace and table (if applicable) that needs to be restored. 1. Advise whether you want the backup to be restored in the existing cluster, or in a new cluster. 1. If you want to restore to a new cluster, you need to create the new cluster first. Ensure that the target cluster matches the source cluster in terms of the number of data centers, and that corresponding data center has the same number of nodes. You can also decide whether to keep the credentials (username/password) in the new target cluster, or allow restore to override username/password with what was originally created.
-1. You can also decide whether to keep `system_auth` keyspace in the new target cluster or allow the restore to overwrite it with data from the backup. The `system_auth` keyspace in Cassandra contains authorization and internal authentication data, including roles, role permissions, and passwords. Note that our default restore process will overwrite the `system_auth` keyspace.
+1. You can also decide whether to keep `system_auth` keyspace in the new target cluster or allow the restore to overwrite it with data from the backup. The `system_auth` keyspace in Cassandra contains authorization and internal authentication data, including roles, role permissions, and passwords. Note that our default restore process overwrites the `system_auth` keyspace.
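Review bot: the `+` line is missing an article in `whether to keep `system_auth` keyspace in the new target cluster`; suggest `whether to keep the `system_auth` keyspace`. The tense change from `will overwrite` to `overwrites` is fine.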
> [!NOTE]
-> The time it takes to respond to a request to restore from backup will depend both on the severity of support case you raise, and the amount of data to be restored. For example, if you raise a Sev-A support case, the SLA for response to the ticket is 15 minutes. However, we do not provide an SLA for time to complete the restore, as this is very dependent on the volume of data being restored.
+> The time it takes to respond to a request to restore from backup will depend both on the severity of support case you raise (and it's corresponding SLA for response time), and the amount of data to be restored. However, we do not provide an SLA for time to complete the restore, as this is very dependent on the volume of data being restored.
> [!WARNING] > Backups are intended for accidental deletion scenarios, and are not geo-redundant. They are therefore not recommended for use as a disaster recovery (DR) strategy in case of a total regional outage. To safeguard against region-wide outages, we recommend a multi-region deployment. Take a look at our [quickstart for multi-region deployments](create-multi-region-cluster.md).
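Review bot: the `+` line introduces a grammar error: `(and it's corresponding SLA for response time)` should be `(and its corresponding SLA for response time)`. The rewrite also drops the concrete `Sev-A ... 15 minutes` example from the `-` line; if that figure was removed deliberately because it goes stale, consider pointing readers to where the per-severity response SLA is documented so the sentence still gives them somewhere to look.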
managed-instance-apache-cassandra Network Rules https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/managed-instance-apache-cassandra/network-rules.md
If you're using Azure Firewall to restrict outbound access, we highly recommend
| AzureKeyVault | HTTPS | 443 | Required for secure communication between the nodes and Azure Key Vault. Certificates and keys are used to secure communication inside the cluster.| | EventHub | HTTPS | 443 | Required to forward logs to Azure | | AzureMonitor | HTTPS | 443 | Required to forward metrics to Azure |
-| AzureActiveDirectory| HTTPS | 443 | Required for Azure Active Directory authentication.|
+| AzureActiveDirectory| HTTPS | 443 | Required for Microsoft Entra authentication.|
| AzureResourceManager| HTTPS | 443 | Required to gather information about and manage Cassandra nodes (for example, reboot)| | AzureFrontDoor.Firstparty| HTTPS | 443 | Required for logging operations.| | GuestAndHybridManagement | HTTPS | 443 | Required to gather information about and manage Cassandra nodes (for example, reboot) |
The required network rules and IP address dependencies are:
|management.azure.com:443</br> Or</br> [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - Azure Virtual Machine Scale Sets/Azure Management API | HTTPS | 443 | Required to gather information about and manage Cassandra nodes (for example, reboot)| |\*.servicebus.windows.net:443</br> Or</br> [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - Azure EventHub | HTTPS | 443 | Required to forward logs to Azure| |jarvis-west.dc.ad.msft.net:443</br> Or</br> [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - Azure Monitor | HTTPS | 443 | Required to forward metrics Azure |
-|login.microsoftonline.com:443</br> Or</br> [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - Azure AD | HTTPS | 443 | Required for Azure Active Directory authentication.|
+|login.microsoftonline.com:443</br> Or</br> [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - Microsoft Entra ID | HTTPS | 443 | Required for Microsoft Entra authentication.|
| packages.microsoft.com | HTTPS | 443 | Required for updates to Azure security scanner definition and signatures | | azure.microsoft.com | HTTPS | 443 | Required to get information about virtual machine scale sets | | \<region\>-dsms.dsms.core.windows.net | HTTPS | 443 | Certificate for logging |
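Review bot: the `+` line renames the link text to `[ServiceTag](...) - Microsoft Entra ID`, but the service tag itself, as the row in the table above still shows, is named `AzureActiveDirectory`, and readers following the service-tags link need the tag name rather than the product name. Suggest keeping `AzureActiveDirectory` as the link text for the tag and using `Microsoft Entra authentication` only in the description column, as the earlier row already does.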
mariadb Concepts Data Access Security Vnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mariadb/concepts-data-access-security-vnet.md
You have the option of using [Azure role-based access control (Azure RBAC)][rbac
> [!NOTE] > In some cases the Azure Database for MariaDB and the VNet-subnet are in different subscriptions. In these cases you must ensure the following configurations:
-> - Both subscriptions must be in the same Azure Active Directory tenant.
+> - Both subscriptions must be in the same Microsoft Entra tenant.
> - The user has the required permissions to initiate operations, such as enabling service endpoints and adding a VNet-subnet to the given Server. > - Make sure that both the subscription have the **Microsoft.Sql** and **Microsoft.DBforMariaDB** resource provider registered. For more information refer [resource-manager-registration][resource-manager-portal]
mariadb Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mariadb/policy-reference.md
Previously updated : 09/19/2023 Last updated : 10/10/2023 # Azure Policy built-in definitions for Azure Database for MariaDB
migrate Concepts Migration Webapps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/concepts-migration-webapps.md
Support | Details
- [Security recommendations](../app-service/security-recommendations.md). - [Networking features](../app-service/networking-features.md). - [Monitor App Service with Azure Monitor](../app-service/monitor-app-service.md).
- - [Configure Azure AD authentication](../app-service/configure-authentication-provider-aad.md).
+ - [Configure Microsoft Entra authentication](../app-service/configure-authentication-provider-aad.md).
- [Review best practices](../app-service/deploy-best-practices.md) for deploying to Azure App service.
migrate How To Set Up Appliance Vmware https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/how-to-set-up-appliance-vmware.md
ms. Previously updated : 01/31/2023 Last updated : 10/11/2023
Before you deploy the OVA file, verify that the file is secure:
``` C:\>CertUtil -HashFile C:\Users\Administrator\Desktop\MicrosoftAzureMigration.ova SHA256 ```
+
+1. Verify the latest appliance versions and hash values:
+
+ - For the Azure public cloud:
+
+ **Algorithm** | **Download** | **SHA256**
+ | |
+ VMware (11.9 GB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191954) | 06256F9C6FB3F011152D861DA43FFA1C5C8FF966931D5CE00F1F252D3A2F4723
-1. Verify the latest hash value by comparing the outcome of above command to the value documented [here](./tutorial-discover-vmware.md#verify-security).
+ - For Azure Government:
+
+ **Algorithm** | **Download** | **SHA256**
+ | |
+ VMware (85.8 MB) | [Latest version](https://go.microsoft.com/fwlink/?linkid=2191847) | 7EF01AE30F7BB8F4486EDC1688481DB656FB8ECA7B9EF6363B4DAB1CFCFDA141
#### Create the appliance server
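Review bot: the two added tables will not render as three-column Markdown tables: the separator row is `| |`, which needs a dash cell per column (`--- | --- | ---`), and the first column header is **Algorithm** while the only data cell is `VMware (11.9 GB)`, so either the header should name the appliance or scenario, or `SHA256` should be the cell value under **Algorithm**. Two things to confirm before merging: the public-cloud download is listed at 11.9 GB and the Azure Government one at 85.8 MB, a two-orders-of-magnitude gap for what looks like the same OVA; and the removed `-` line used to point at the single documented hash in `tutorial-discover-vmware.md#verify-security`, so inlining the hashes here means two places must now be updated on every appliance release. Keep that cross-link, or add a note that the values must stay in sync.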
migrate Migrate Appliance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/migrate-appliance.md
The Azure Migrate appliance needs connectivity to the internet.
**URL** | **Details** | | *.portal.azure.com | Navigate to the Azure portal.
-*.windows.net <br> *.msftauth.net <br> *.msauth.net <br> *.microsoft.com <br> *.live.com <br> *.office.com <br> *.microsoftonline.com <br> *.microsoftonline-p.com <br> *.microsoftazuread-sso.com | Used for access control and identity management by Azure Active Directory
+*.windows.net <br> *.msftauth.net <br> *.msauth.net <br> *.microsoft.com <br> *.live.com <br> *.office.com <br> *.microsoftonline.com <br> *.microsoftonline-p.com <br> *.microsoftazuread-sso.com | Used for access control and identity management by Microsoft Entra ID
management.azure.com | Used for resource deployments and management operations *.services.visualstudio.com | Upload appliance logs used for internal monitoring. *.vault.azure.net | Manage secrets in the Azure Key Vault.<br> Note: Ensure servers to replicate have access to this.
download.microsoft.com/download | Allow downloads from Microsoft download center
| | *.portal.azure.us | Navigate to the Azure portal. graph.windows.net <br> graph.microsoftazure.us | Sign in to your Azure subscription.
-login.microsoftonline.us | Used for access control and identity management by Azure Active Directory.
+login.microsoftonline.us | Used for access control and identity management by Microsoft Entra ID.
management.usgovcloudapi.net | Used for resource deployments and management operations. *.services.visualstudio.com | Upload appliance logs used for internal monitoring. *.vault.usgovcloudapi.net | Manage secrets in the Azure Key Vault.
The appliance needs access to the following URLs (directly or via proxy) over an
**URL** | **Details** | | *.portal.azure.com | Navigate to the Azure portal.
-*.windows.net <br> *.msftauth.net <br> *.msauth.net <br> *.microsoft.com <br> *.live.com <br> *.office.com <br> *.microsoftonline.com <br> *.microsoftonline-p.com <br> *.microsoftazuread-sso.com | Used for access control and identity management by Azure Active Directory
+*.windows.net <br> *.msftauth.net <br> *.msauth.net <br> *.microsoft.com <br> *.live.com <br> *.office.com <br> *.microsoftonline.com <br> *.microsoftonline-p.com <br> *.microsoftazuread-sso.com | Used for access control and identity management by Microsoft Entra ID
management.azure.com | Used for resource deployments and management operations *.services.visualstudio.com (optional) | Upload appliance logs used for internal monitoring. aka.ms/* (optional) | Allow access to these links; used to download and install the latest updates for appliance services.
download.microsoft.com/download | Allow downloads from Microsoft download center
| | *.portal.azure.us | Navigate to the Azure portal. graph.windows.net | Sign in to your Azure subscription.
-login.microsoftonline.us | Used for access control and identity management by Azure Active Directory.
+login.microsoftonline.us | Used for access control and identity management by Microsoft Entra ID.
management.usgovcloudapi.net | Used for resource deployments and management operations. *.services.visualstudio.com (optional)| Upload appliance logs used for internal monitoring. aka.ms/* (optional)| Allow access to these links; used to download and install the latest updates for appliance services.
download.microsoft.com/download | Allow downloads from Microsoft download center
| | *.portal.azure.cn | Navigate to the Azure portal. graph.chinacloudapi.cn | Sign in to your Azure subscription.
-login.microsoftonline.cn | Used for access control and identity management by Azure Active Directory.
+login.microsoftonline.cn | Used for access control and identity management by Microsoft Entra ID.
management.chinacloudapi.cn | Used for resource deployments and management operations *.services.visualstudio.com | Upload appliance logs used for internal monitoring. *.vault.chinacloudapi.cn | Manage secrets in the Azure Key Vault.
download.microsoft.com/download | Allow downloads from Microsoft download center
| | *.portal.azure.cn | Navigate to the Azure portal. graph.chinacloudapi.cn | Sign in to your Azure subscription.
-login.microsoftonline.cn | Used for access control and identity management by Azure Active Directory.
+login.microsoftonline.cn | Used for access control and identity management by Microsoft Entra ID.
management.chinacloudapi.cn | Used for resource deployments and management operations *.services.visualstudio.com | Upload appliance logs used for internal monitoring. *.vault.chinacloudapi.cn | Manage secrets in the Azure Key Vault.
migrate Migrate Replication Appliance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/migrate-replication-appliance.md
The replication appliance needs access to these URLs in the Azure public cloud.
`https://management.azure.com` | Used for replication management operations and coordination. `*.services.visualstudio.com` | (Optional) Used for logging purposes. `time.windows.com` | Used to check time synchronization between system and global time.
-`https://login.microsoftonline.com` <br> `https://login.live.com` <br> `https://graph.windows.net` <br> `https://login.windows.net` <br> `https://www.live.com` <br> `https://www.microsoft.com` | Appliance setup needs access to these URLs. They're used for access control and identity management by Azure Active Directory.
+`https://login.microsoftonline.com` <br> `https://login.live.com` <br> `https://graph.windows.net` <br> `https://login.windows.net` <br> `https://www.live.com` <br> `https://www.microsoft.com` | Appliance setup needs access to these URLs. They're used for access control and identity management by Microsoft Entra ID.
`https://dev.mysql.com/get/Downloads/MySQLInstaller/mysql-installer-community-5.7.20.0.msi` | To complete MySQL download. In a few regions, the download might be redirected to the CDN URL. Ensure that the CDN URL is also allowed if needed. ## Azure Government URL access
The replication appliance needs access to these URLs in Azure Government.
`https://management.usgovcloudapi.net` | Used for replication management operations and coordination `*.services.visualstudio.com` | (Optional) Used for logging purposes. `time.nist.gov` | Used to check time synchronization between system and global time.
-`https://login.microsoftonline.com` <br> `https://login.live.com` <br> `https://graph.windows.net` <br> `https://login.windows.net` <br> `https://www.live.com` <br> `https://www.microsoft.com` | Appliance setup with OVA needs access to these URLs. They're used for access control and identity management by Azure Active Directory.
+`https://login.microsoftonline.com` <br> `https://login.live.com` <br> `https://graph.windows.net` <br> `https://login.windows.net` <br> `https://www.live.com` <br> `https://www.microsoft.com` | Appliance setup with OVA needs access to these URLs. They're used for access control and identity management by Microsoft Entra ID.
`https://dev.mysql.com/get/Downloads/MySQLInstaller/mysql-installer-community-5.7.20.0.msi` | To complete MySQL download. In a few regions, the download might be redirected to the CDN URL. Ensure that the CDN URL is also allowed if needed. >[!Note]
The replication appliance needs access to these URLs in Azure Government.
> If your Migrate project has private endpoint connectivity, you will need access to the following URLs over and above private link access: > - `*.blob.core.windows.com` - To access the storage account that stores replicated data. This is optional and is not required if the storage account has a private endpoint attached. > - `https://management.azure.com` for replication management operations and coordination.
->- `https://login.microsoftonline.com` <br>`https://login.windows.net` <br> `https://www.live.com` and <br> `https://www.microsoft.com` for access control and identity management by Azure Active Directory
+>- `https://login.microsoftonline.com` <br>`https://login.windows.net` <br> `https://www.live.com` and <br> `https://www.microsoft.com` for access control and identity management by Microsoft Entra ID
## Microsoft Azure operated by 21Vianet (Microsoft Azure operated by 21Vianet) URL access
The replication appliance needs access to these URLs.
`https://management.chinacloudapi.cn` | Used for replication management operations and coordination. `*.services.visualstudio.com` | (Optional) Used for logging purposes. `time.windows.cn` | Used to check time synchronization between system and global time.
-`https://login.microsoftonline.cn` <br/> `https://secure.aadcdn.microsoftonline-p.cn` <br/> `https://login.live.com` <br/> `https://graph.chinacloudapi.cn` <br/> `https://login.chinacloudapi.cn` <br/> `https://www.live.com` <br/> `https://www.microsoft.com` | Appliance setup with OVA needs access to these URLs. They're used for access control and identity management by Azure Active Directory.
+`https://login.microsoftonline.cn` <br/> `https://secure.aadcdn.microsoftonline-p.cn` <br/> `https://login.live.com` <br/> `https://graph.chinacloudapi.cn` <br/> `https://login.chinacloudapi.cn` <br/> `https://www.live.com` <br/> `https://www.microsoft.com` | Appliance setup with OVA needs access to these URLs. They're used for access control and identity management by Microsoft Entra ID.
`https://dev.mysql.com/get/Downloads/MySQLInstaller/mysql-installer-community-5.7.20.0.msi` | To complete MySQL download. In a few regions, the download might be redirected to the CDN URL. Ensure that the CDN URL is also allowed if needed. ## Port access
migrate Migrate Support Matrix Physical Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/migrate-support-matrix-physical-migration.md
ms. Previously updated : 07/11/2023 Last updated : 10/11/2023
migrate Migrate Support Matrix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/migrate-support-matrix.md
For Azure Migrate to work with Azure you need these permissions before you start
**Task** | **Permissions** | **Details** | | Create a project | Your Azure account needs permissions to create a project. | Set up for [VMware](./tutorial-discover-vmware.md#prepare-an-azure-user-account), [Hyper-V](./tutorial-discover-hyper-v.md#prepare-an-azure-user-account), or [physical servers](./tutorial-discover-physical.md#prepare-an-azure-user-account).
-Register the Azure Migrate appliance| Azure Migrate uses a lightweight [Azure Migrate appliance](migrate-appliance.md) to discover and assess servers with Azure Migrate: Discovery and assessment, and to run [agentless migration](server-migrate-overview.md) of VMware VMs with the Migration and modernization tool. This appliance discovers servers, and sends metadata and performance data to Azure Migrate.<br><br> During registration, register providers (Microsoft.OffAzure, Microsoft.Migrate, and Microsoft.KeyVault) are registered with the subscription chosen in the appliance, so that the subscription works with the resource provider. To register, you need Contributor or Owner access on the subscription.<br><br> **VMware**-During onboarding, Azure Migrate creates two Azure Active Directory (Azure AD) apps. The first app communicates between the appliance agents and the Azure Migrate service. The app doesn't have permissions to make Azure resource management calls or have Azure RBAC access for resources. The second app accesses an Azure Key Vault created in the user subscription for agentless VMware migration only. In agentless migration, Azure Migrate creates a Key Vault to manage access keys to the replication storage account in your subscription. It has Azure RBAC access on the Azure Key Vault (in the customer tenant) when discovery is initiated from the appliance.<br><br> **Hyper-V**-During onboarding. Azure Migrate creates one Azure AD app. The app communicates between the appliance agents and the Azure Migrate service. The app doesn't have permissions to make Azure resource management calls or have Azure RBAC access for resources. | Set up for [VMware](./tutorial-discover-vmware.md#prepare-an-azure-user-account), [Hyper-V](./tutorial-discover-hyper-v.md#prepare-an-azure-user-account), or [physical servers](./tutorial-discover-physical.md#prepare-an-azure-user-account).
+Register the Azure Migrate appliance| Azure Migrate uses a lightweight [Azure Migrate appliance](migrate-appliance.md) to discover and assess servers with Azure Migrate: Discovery and assessment, and to run [agentless migration](server-migrate-overview.md) of VMware VMs with the Migration and modernization tool. This appliance discovers servers, and sends metadata and performance data to Azure Migrate.<br><br> During registration, register providers (Microsoft.OffAzure, Microsoft.Migrate, and Microsoft.KeyVault) are registered with the subscription chosen in the appliance, so that the subscription works with the resource provider. To register, you need Contributor or Owner access on the subscription.<br><br> **VMware**-During onboarding, Azure Migrate creates two Microsoft Entra apps. The first app communicates between the appliance agents and the Azure Migrate service. The app doesn't have permissions to make Azure resource management calls or have Azure RBAC access for resources. The second app accesses an Azure Key Vault created in the user subscription for agentless VMware migration only. In agentless migration, Azure Migrate creates a Key Vault to manage access keys to the replication storage account in your subscription. It has Azure RBAC access on the Azure Key Vault (in the customer tenant) when discovery is initiated from the appliance.<br><br> **Hyper-V**-During onboarding. Azure Migrate creates one Microsoft Entra app. The app communicates between the appliance agents and the Azure Migrate service. The app doesn't have permissions to make Azure resource management calls or have Azure RBAC access for resources. | Set up for [VMware](./tutorial-discover-vmware.md#prepare-an-azure-user-account), [Hyper-V](./tutorial-discover-hyper-v.md#prepare-an-azure-user-account), or [physical servers](./tutorial-discover-physical.md#prepare-an-azure-user-account).
Create a key vault for VMware agentless migration | To migrate VMware VMs with agentless Migration and modernization, Azure Migrate creates a Key Vault to manage access keys to the replication storage account in your subscription. To create the vault, you set permissions (Owner, or Contributor and User Access Administrator) on the resource group where the project resides. | [Set up](./tutorial-discover-vmware.md#prepare-an-azure-user-account) permissions. ## Supported geographies
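Review bot: the rewritten **Register the Azure Migrate appliance** row carries over two wording defects from the line it replaces: "During registration, register providers (Microsoft.OffAzure, Microsoft.Migrate, and Microsoft.KeyVault) are registered with the subscription" and "**Hyper-V**-During onboarding. Azure Migrate creates one Microsoft Entra app", where the period splits one sentence in two. Since the whole line is being replaced anyway, change these to "During registration, the resource providers (Microsoft.OffAzure, Microsoft.Migrate, and Microsoft.KeyVault) are registered with the subscription" and "**Hyper-V** - During onboarding, Azure Migrate creates one Microsoft Entra app.", matching the "**VMware** - During onboarding, ..." construction used earlier in the same cell.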
migrate Onboard To Azure Arc With Azure Migrate https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/onboard-to-azure-arc-with-azure-migrate.md
Once the vCenter Server discovery has been completed, software inventory (discov
3. In the **Region** drop-down list, select the Azure region to store the servers' metadata.
-4. Provide the **Azure Active Directory service principal** details for onboarding at scale. Review this article to [create a service principal using the Azure portal or Azure PowerShell.](../azure-arc/servers/onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale) <br/>
+4. Provide the **Microsoft Entra service principal** details for onboarding at scale. Review this article to [create a service principal using the Azure portal or Azure PowerShell.](../azure-arc/servers/onboard-service-principal.md#create-a-service-principal-for-onboarding-at-scale) <br/>
The following inputs are required:
- - **Directory (tenant) ID** - The [unique identifier (GUID)](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application) that represents your dedicated instance of Azure AD.
+ - **Directory (tenant) ID** - The [unique identifier (GUID)](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application) that represents your dedicated instance of Microsoft Entra ID.
- **Application (client) ID** - The [unique identifier (GUID)](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application) that represents the application ID of the service principal. - **Service principal secret (application secret)** - The [client secret](../active-directory/develop/howto-create-service-principal-portal.md#option-3-create-a-new-client-secret) for password-based authentication.
migrate Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/policy-reference.md
Title: Built-in policy definitions for Azure Migrate description: Lists Azure Policy built-in policy definitions for Azure Migrate. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
migrate Prepare Isv Movere https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/prepare-isv-movere.md
If you've added an [ISV tool](migrate-services-overview.md#isv-integration) or Movere to an Azure Migrate project, there are a few steps to follow before you link the tool and send data to Azure Migrate.
-## Check Azure AD permissions
+<a name='check-azure-ad-permissions'></a>
+
+## Check Microsoft Entra permissions
Your Azure user account needs these permissions: -- Permission to register an Azure Active Directory (Azure AD) app with your Azure tenant-- Permission to allocate a role to the Azure AD app at the subscription level
+- Permission to register a Microsoft Entra app with your Azure tenant
+- Permission to allocate a role to the Microsoft Entra app at the subscription level
+
+<a name='set-permissions-to-register-an-azure-ad-app'></a>
-### Set permissions to register an Azure AD app
+### Set permissions to register a Microsoft Entra app
-1. In Azure AD, check the role for your account.
-2. If you have the user role, select **User settings** on the left and verify whether users can register applications. If it's set to **Yes**, any users in the Azure AD tenant can register an app. If it's set to **No**, then only admin users can register apps.
+1. In Microsoft Entra ID, check the role for your account.
+2. If you have the user role, select **User settings** on the left and verify whether users can register applications. If it's set to **Yes**, any users in the Microsoft Entra tenant can register an app. If it's set to **No**, then only admin users can register apps.
3. If you don't have permissions, an admin user can provide your user account with the [Application Administrator](../active-directory/roles/permissions-reference.md#application-administrator) role, so that you can register the app. 4. After the tool is linked to Azure Migrate, the admin can remove the role from your account.
-### Set permissions to assign a role to an Azure AD app
+<a name='set-permissions-to-assign-a-role-to-an-azure-ad-app'></a>
+
+### Set permissions to assign a role to a Microsoft Entra app
-In your Azure subscription, your account needs **Microsoft.Authorization/*/Write** access to assign a role to an Azure AD app.
+In your Azure subscription, your account needs **Microsoft.Authorization/*/Write** access to assign a role to a Microsoft Entra app.
1. In the Azure portal, open **Subscriptions**. 2. Select the relevant subscription. If you don't see it, select the **global subscriptions filter**.
For ISV tools and Azure Database Migration Assistant, allow access to the public
| *.portal.azure.com | Navigate to the Azure portal. *.windows.net<br/> *.msftauth.net<br/> *.msauth.net <br/> *.microsoft.com<br/> *.live.com | Sign in to your Azure subscription.
-*.microsoftonline.com<br/> *.microsoftonline-p.com | Create Azure Active Directory (AD) apps for the appliance to communicate with Azure Migrate.
+*.microsoftonline.com<br/> *.microsoftonline-p.com | Create Microsoft Entra apps for the appliance to communicate with Azure Migrate.
management.azure.com | Make Azure Resource Manager calls to the Azure Migrate Project. *.servicebus.windows.net | Communication between the appliance and EventHub for sending the messages.
migrate Replicate Using Expressroute https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/replicate-using-expressroute.md
Even with replication data going over the Microsoft peered circuit, you still ne
- Regional BGP community for the source Azure region (Azure Migrate Project region) - Regional BGP community for the target Azure region (region for migration)-- BGP community for Azure Active Directory (12076:5060)
+- BGP community for Microsoft Entra ID (12076:5060)
Learn more about [route filters](../expressroute/how-to-routefilter-portal.md) and the list of [BGP communities for ExpressRoute](../expressroute/expressroute-routing.md#bgp).
migrate Server Migrate Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/server-migrate-overview.md
Use these selected comparisons to help you decide which method to use. You can a
**Setting** | **Agentless** | **Agent-based** | |
-**Azure permissions** | You need permissions to create an Azure Migrate project, and to register Azure AD apps created when you deploy the Azure Migrate appliance. | You need Contributor permissions on the Azure subscription.
+**Azure permissions** | You need permissions to create an Azure Migrate project, and to register Microsoft Entra apps created when you deploy the Azure Migrate appliance. | You need Contributor permissions on the Azure subscription.
**Replication** | You can simultaneously replicate a maximum of 500 VMs across multiple vCenter Servers (discovered from one appliance) using a scale-out appliance. In the portal, you can select up to 10 machines at once for replication. To replicate more machines, add in batches of 10.| Replication capacity increases by scaling the replication appliance. **Appliance deployment** | The [Azure Migrate appliance](migrate-appliance.md) is deployed on-premises. | The [Azure Migrate Replication appliance](migrate-replication-appliance.md) is deployed on-premises. **Site Recovery compatibility** | Compatible. | You can't replicate with the Migration and modernization tool if you've set up replication for a machine using Site Recovery.
After reviewing the limitations, understanding the steps involved in deploying e
## Next steps [Migrate VMware VMs](tutorial-migrate-vmware.md) with agentless migration.---
migrate Troubleshoot Appliance Diagnostic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/troubleshoot-appliance-diagnostic.md
You can run **Diagnose and solve** at any time from the appliance configuration
||VDDK check | Checks if the required VDDK files have been downloaded and copied at the required location on the appliance server. **Service health checks** |Operational status |Checks if the agents on the appliance are in running state. <br>*If not, appliance will auto-resolve by restarting the agents.* ||Service endpoint connectivity |Checks if the agents can communicate to their respective services on Azure either directly or via proxy.
-**Azure-specific checks** |Azure Active Directory App availability* | Checks if the Azure Active Directory App created during the appliance registration is available and is accessible from the appliance.
+**Azure-specific checks** |Microsoft Entra App availability* | Checks if the Microsoft Entra App created during the appliance registration is available and is accessible from the appliance.
||Migrate project availability* | Checks if the Migrate project to which the appliance has been registered still exists and is accessible from the appliance. ||Essential resources availability*| Checks if the Migrate resources created during appliance registration still exist and are accessible from the appliance. **Appliance-specific checks** | Key Vault certificate availability* | Checks if the certificate downloaded from Key Vault during appliance registration is still available on the appliance server. <br> *If not, appliance will auto-resolve by downloading the certificate again, provided the Key Vault is available and accessible*.
If you're getting any issues with the appliance during its configuration or seei
1. You can follow the remediation steps on the report to solve an issue. If you're unable to resolve the issue, it's recommended that you attach the diagnostics report while creating a Microsoft support case so that it helps expedite the resolution. ## Next steps
-If you're getting issues not covered under **Diagnose and solve**, you can go to [troubleshoot the Azure Migrate appliance](./troubleshoot-appliance.md) to find the remediation steps.
+If you're getting issues not covered under **Diagnose and solve**, you can go to [troubleshoot the Azure Migrate appliance](./troubleshoot-appliance.md) to find the remediation steps.
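Review bot: the removed and added lines in this hunk are textually identical ("If you're getting issues not covered under **Diagnose and solve**, ..."), so the change is whitespace-only (trailing whitespace or line ending). Confirm it is intentional rather than an editor artifact, and drop it if not, so the commit stays limited to the terminology rename.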
migrate Troubleshoot Appliance https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/troubleshoot-appliance.md
You have two options:
- To complete the registration of the appliance, use the same Azure user account that generated the Azure Migrate project key on the portal. - You can also assign the required roles and [permissions](./tutorial-discover-vmware.md#prepare-an-azure-user-account) to the other Azure user account being used for appliance registration.
-## "Azure Active Directory (AAD) operation failed with status Forbidden" error occurs during appliance registration
+<a name='azure-active-directory-aad-operation-failed-with-status-forbidden-error-occurs-during-appliance-registration'></a>
-You're unable to complete registration because of insufficient Azure Active Directory privileges and get the error "Azure Active Directory (AAD) operation failed with status Forbidden."
+## "Microsoft Entra operation failed with status Forbidden" error occurs during appliance registration
+
+You're unable to complete registration because of insufficient Microsoft Entra ID privileges and get the error "Microsoft Entra operation failed with status Forbidden."
### Remediation
-Ensure that you have the [required permissions](./tutorial-discover-vmware.md#prepare-an-azure-user-account) to create and manage Azure Active Directory applications in Azure. You should have the **Application Developer** role *or* the user role with **User can register applications** allowed at the tenant level.
+Ensure that you have the [required permissions](./tutorial-discover-vmware.md#prepare-an-azure-user-account) to create and manage Microsoft Entra applications in Azure. You should have the **Application Developer** role *or* the user role with **User can register applications** allowed at the tenant level.
## "Forbidden to access Key Vault" error occurs during appliance registration
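Review bot: the quoted error text in the new heading and body has been renamed along with the product name ("Microsoft Entra operation failed with status Forbidden"), but the removed lines show the string the appliance actually reports as "Azure Active Directory (AAD) operation failed with status Forbidden". Unless the appliance itself now emits the new wording, keep the literal error message as the software prints it and apply the rename only to the surrounding prose; otherwise a user searching this page for the error they see on screen will not find it. The added `<a name='azure-active-directory-aad-operation-failed-with-status-forbidden-error-occurs-during-appliance-registration'>` anchor correctly preserves the old URL fragment.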
migrate Troubleshoot Changed Block Tracking Replication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/troubleshoot-changed-block-tracking-replication.md
This error typically occurs because the User Access Policy for the Key Vault doe
When the portal creates the key vault, it also adds a user access policy granting the currently logged in user permissions to configure storage accounts to be Key Vault managed. This can fail for two reasons: -- The logged in user is a remote principal on the customer's Azure tenant (CSP subscription - and the logged in user is the partner admin). The work-around in this case is to delete the key vault, sign out from the portal, and then sign in with a user account from the customer's tenant (not a remote principal) and retry the operation. The CSP partner will typically have a user account in the customers Azure Active Directory tenant that they can use. If not, they can create a new user account for themselves in the customers Azure Active Directory tenant, sign in to the portal as the new user, and then retry the replicate operation. The account used must have either Owner or Contributor+User Access Administrator permissions granted to the account on the resource group (Migrate project resource group).
+- The logged in user is a remote principal on the customer's Azure tenant (CSP subscription - and the logged in user is the partner admin). The work-around in this case is to delete the key vault, sign out from the portal, and then sign in with a user account from the customer's tenant (not a remote principal) and retry the operation. The CSP partner will typically have a user account in the customers Microsoft Entra tenant that they can use. If not, they can create a new user account for themselves in the customers Microsoft Entra tenant, sign in to the portal as the new user, and then retry the replicate operation. The account used must have either Owner or Contributor+User Access Administrator permissions granted to the account on the resource group (Migrate project resource group).
- The other case where this may happen is when one user (user1) attempted to set up replication initially and encountered a failure, but the key vault has already been created (and user access policy appropriately assigned to this user). Now at a later point a different user (user2) tries to set up replication, but the Configure Managed Storage Account or Generate SAS definition operation fails as there's no user access policy corresponding to user2 in the key vault.
migrate Troubleshoot Network Connectivity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/troubleshoot-network-connectivity.md
In addition to the URLs above, the appliance needs access to the following URLs
| **Other public cloud URLs <br> (Public endpoint URLs)** | **Details** | | | | |*.portal.azure.com | Navigate to the Azure portal
-|*.windows.net <br/> *.msftauth.net <br/> *.msauth.net <br/> *.microsoft.com <br/> *.live.com <br/> *.office.com <br/> *.microsoftonline.com <br/> *.microsoftonline-p.com <br/> | Used for access control and identity management by Azure Active Directory
+|*.windows.net <br/> *.msftauth.net <br/> *.msauth.net <br/> *.microsoft.com <br/> *.live.com <br/> *.office.com <br/> *.microsoftonline.com <br/> *.microsoftonline-p.com <br/> | Used for access control and identity management by Microsoft Entra ID
|management.azure.com | For triggering Azure Resource Manager deployments |*.services.visualstudio.com (optional) | Upload appliance logs used for internal monitoring. |aka.ms/* (optional) | Allow access to *also know as* links; used to download and install the latest updates for appliance services
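Review bot: the trailing context line of this hunk carries the typo "*also know as*" (should be "*also known as*") in the aka.ms/* row; since the adjacent identity row is being edited here, fix the typo in the same change.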
migrate Troubleshoot Project https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/troubleshoot-project.md
If you try to create a project and encounter a deployment error:
- Try to create the project again in case it's a transient error. In **Deployments**, click on **Re-deploy** to try again. - Check you have Contributor or Owner permissions in the subscription. - If you're deploying in a newly added geography, wait a short time and try again.-- If you receive the error, "Requests must contain user identity headers", this might indicate that you don't have access to the Azure Active Directory (Azure AD) tenant of the organization. In this case:
- - When you're added to an Azure AD tenant for the first time, you receive an email invitation to join the tenant.
+- If you receive the error, "Requests must contain user identity headers", this might indicate that you don't have access to the Microsoft Entra tenant of the organization. In this case:
+ - When you're added to a Microsoft Entra tenant for the first time, you receive an email invitation to join the tenant.
- Accept the invitation to be added to the tenant. - If you can't see the email, contact a user with access to the tenant, and ask them to [resend the invitation](../active-directory/external-identities/add-users-administrator.md#resend-invitations-to-guest-users) to you. - After receiving the invitation email, open it and select the link to accept the invitation. Then, sign out of the Azure portal and sign in again. (refreshing the browser won't work.) You can then start creating the migration project.
Make sure you have the right project selected. In the Azure Migrate hub > **Serv
## Next steps
-Add [assessment](how-to-assess.md) or [migration](how-to-migrate.md) tools to Azure Migrate projects.
+Add [assessment](how-to-assess.md) or [migration](how-to-migrate.md) tools to Azure Migrate projects.
migrate Troubleshoot Webapps Migration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/troubleshoot-webapps-migration.md
UnableToConnectToServer | Connecting to the remote server failed. | Check error
- [Security recommendations](../app-service/security-recommendations.md). - [Networking features](../app-service/networking-features.md). - [Monitor App Service with Azure Monitor](../app-service/monitor-app-service.md).
- - [Configure Azure AD authentication](../app-service/configure-authentication-provider-aad.md).
-- [Review best practices](../app-service/deploy-best-practices.md) for deploying to Azure App service.
+ - [Configure Microsoft Entra authentication](../app-service/configure-authentication-provider-aad.md).
+- [Review best practices](../app-service/deploy-best-practices.md) for deploying to Azure App service.
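Review bot: the **Configure Microsoft Entra authentication** item is indented by one leading space in both the removed and the added version, while its sibling items ("- [Security recommendations]", "- [Review best practices]") start at column one, so it may render as a continuation line or nested item rather than a list entry; align it with the others while the line is being edited. The removed and added "Review best practices" lines are textually identical, so that part of the hunk is a whitespace-only change and can be dropped if it was not intended.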
migrate Tutorial App Containerization Aspnet App Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-app-containerization-aspnet-app-service.md
If you don't have an Azure subscription, create a [free account](https://azure.m
After your subscription is set up, you'll need an Azure user account with: - Owner permissions on the Azure subscription.-- Permissions to register Azure Active Directory apps.
+- Permissions to register Microsoft Entra apps.
If you just created a free Azure account, you're the owner of your subscription. If you're not the subscription owner, work with the owner to assign the permissions as follows:
If you just created a free Azure account, you're the owner of your subscription.
![Screenshot that shows the Add role assignment page.](./media/tutorial-discover-vmware/assign-role.png)
- Your Azure account also needs permissions to register Azure Active Directory apps.
-8. In the Azure portal, go to **Azure Active Directory** > **Users** > **User Settings**.
-9. In **User settings**, verify that Azure AD users can register applications. (This option is set to **Yes** by default.)
+ Your Azure account also needs permissions to register Microsoft Entra apps.
+8. In the Azure portal, go to **Microsoft Entra ID** > **Users** > **User Settings**.
+9. In **User settings**, verify that Microsoft Entra users can register applications. (This option is set to **Yes** by default.)
![Screenshot that shows the User settings page.](./media/tutorial-discover-vmware/register-apps.png)
-10. If the **App registrations** option is set to **No**, ask the tenant/global admin to assign the required permission. Alternatively, the tenant/global admin can assign the Application developer role to an account to allow the registration of Azure Active Directory apps. For more information, see [Assign roles to users](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).
+10. If the **App registrations** option is set to **No**, ask the tenant/global admin to assign the required permission. Alternatively, the tenant/global admin can assign the Application developer role to an account to allow the registration of Microsoft Entra apps. For more information, see [Assign roles to users](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).
## Download and install the Azure Migrate App Containerization tool
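Review bot: step 10 leads with the vague "ask the tenant/global admin to assign the required permission" and only afterwards names the concrete, least-privilege fix, the Application developer role. Reverse the order, link the role to its reference entry (`../active-directory/roles/permissions-reference.md#application-developer`) as the discover-* tutorials in this same change do instead of the generic assign-roles article, and state explicitly that the tenant-wide "Users can register applications" setting should stay at **No** when an administrator has turned it off; the fix for one blocked account is the per-user role, not flipping the tenant setting back to **Yes**.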
migrate Tutorial App Containerization Aspnet Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-app-containerization-aspnet-kubernetes.md
If you don't have an Azure subscription, create a [free account](https://azure.m
Once your subscription is set up, you need an Azure user account with: - Owner permissions on the Azure subscription.-- Permissions to register Azure Active Directory apps.
+- Permissions to register Microsoft Entra apps.
If you just created a free Azure account, you're the owner of your subscription. If you're not the subscription owner, work with the owner to assign the permissions as follows:
If you just created a free Azure account, you're the owner of your subscription.
![Screenshot of add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
-1. Your Azure account also needs **permissions to register Azure Active Directory apps.**
+1. Your Azure account also needs **permissions to register Microsoft Entra apps.**
-1. In Azure portal, navigate to **Azure Active Directory** > **Users** > **User Settings**.
+1. In Azure portal, navigate to **Microsoft Entra ID** > **Users** > **User Settings**.
-1. In **User settings**, verify that Azure AD users can register applications (set to **Yes** by default).
+1. In **User settings**, verify that Microsoft Entra users can register applications (set to **Yes** by default).
![Screenshot of verification in User Settings if users can register Active Directory apps.](./media/tutorial-discover-vmware/register-apps.png)
-1. In case the 'App registrations' settings is set to 'No', request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the **Application Developer** role to an account to allow the registration of Azure Active Directory App. [Learn more](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).
+1. In case the 'App registrations' settings is set to 'No', request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the **Application Developer** role to an account to allow the registration of Microsoft Entra App. [Learn more](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).
## Download and install Azure Migrate: App Containerization tool
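Review bot: the rewritten last step still carries the wording defects of the old line: "the 'App registrations' settings is set to 'No'" (singular/plural mismatch), "Alternately" where "Alternatively" is meant, and "Microsoft Entra App" capitalised differently from "Microsoft Entra apps" two bullets earlier in the same file. Since the rename touches this line anyway, fix the grammar in the same hunk rather than leaving it for a second pass.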
To troubleshoot any issues with the tool, you can look at the log files on the W
- Containerizing ASP.NET web apps and deploying them on Windows containers on App Service. [Learn more](./tutorial-app-containerization-aspnet-app-service.md). - Containerizing Java web apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on AKS. [Learn more](./tutorial-app-containerization-java-kubernetes.md).-- Containerizing Java web apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on App Service. [Learn more](./tutorial-app-containerization-java-app-service.md).
+- Containerizing Java web apps on Apache Tomcat (on Linux servers) and deploying them on Linux containers on App Service. [Learn more](./tutorial-app-containerization-java-app-service.md).
migrate Tutorial App Containerization Java App Service https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-app-containerization-java-app-service.md
If you don't have an Azure subscription, create a [free account](https://azure.m
Once your subscription is set up, you'll need an Azure user account with: - Owner permissions on the Azure subscription.-- Permissions to register Azure Active Directory apps.
+- Permissions to register Microsoft Entra apps.
If you just created a free Azure account, you're the owner of your subscription. If you're not the subscription owner, work with the owner to assign the permissions as follows:
If you just created a free Azure account, you're the owner of your subscription.
![Opens the Add Role assignment page to assign a role to the account.](./media/tutorial-discover-vmware/assign-role.png)
- Your Azure account also needs **permissions to register Azure Active Directory apps.**
-8. In the Azure portal, navigate to **Azure Active Directory** > **Users** > **User Settings**.
-9. In **User settings**, verify if Azure AD users can register applications (set to **Yes** by default).
+ Your Azure account also needs **permissions to register Microsoft Entra apps.**
+8. In the Azure portal, navigate to **Microsoft Entra ID** > **Users** > **User Settings**.
+9. In **User settings**, verify if Microsoft Entra users can register applications (set to **Yes** by default).
![Verify in User Settings that users can register Active Directory apps.](./media/tutorial-discover-vmware/register-apps.png)
-10. In case the 'App registrations' setting is set to 'No', request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the **Application Developer** role to an account to allow the registration of Azure Active Directory App. [Learn more](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).
+10. In case the 'App registrations' setting is set to 'No', request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the **Application Developer** role to an account to allow the registration of Microsoft Entra App. [Learn more](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).
## Download and install Azure Migrate: App Containerization tool
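Review bot: the rename skipped the screenshot alt text, which still reads "Verify in User Settings that users can register Active Directory apps." (the same alt text appears in the aspnet-kubernetes, java-kubernetes and discover-import hunks of this change). Alt text is what screen-reader users get, so update it together with the surrounding prose, and check whether the `register-apps.png` image itself still shows the old "Azure Active Directory" blade name.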
migrate Tutorial App Containerization Java Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-app-containerization-java-kubernetes.md
If you don't have an Azure subscription, create a [free account](https://azure.m
Once your subscription is set up, you'll need an Azure user account with: - Owner permissions on the Azure subscription-- Permissions to register Azure Active Directory apps
+- Permissions to register Microsoft Entra apps
If you just created a free Azure account, you're the owner of your subscription. If you're not the subscription owner, work with the owner to assign the permissions as follows:
If you just created a free Azure account, you're the owner of your subscription.
![Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
-1. Your Azure account also needs **permissions to register Azure Active Directory apps.**
+1. Your Azure account also needs **permissions to register Microsoft Entra apps.**
-1. In Azure portal, navigate to **Azure Active Directory** > **Users** > **User Settings**.
+1. In Azure portal, navigate to **Microsoft Entra ID** > **Users** > **User Settings**.
-1. In **User settings**, verify that Azure AD users can register applications (set to **Yes** by default).
+1. In **User settings**, verify that Microsoft Entra users can register applications (set to **Yes** by default).
![Verify in User Settings that users can register Active Directory apps.](./media/tutorial-discover-vmware/register-apps.png)
-1. In case the 'App registrations' settings is set to 'No', request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the **Application Developer** role to an account to allow the registration of Azure Active Directory App. [Learn more](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).
+1. In case the 'App registrations' settings is set to 'No', request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the **Application Developer** role to an account to allow the registration of Microsoft Entra App. [Learn more](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md).
## Download and install Azure Migrate: App Containerization tool
migrate Tutorial Discover Aws https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-aws.md
Before you start this tutorial, check you have these prerequisites in place.
To create a project and register the Azure Migrate appliance, you need an account with: * Contributor or Owner permissions on an Azure subscription.
-* Permissions to register Azure Active Directory apps.
+* Permissions to register Microsoft Entra apps.
If you just created a free Azure account, you're the owner of your subscription. If you're not the subscription owner, work with the owner to assign the permissions as follows:
If you just created a free Azure account, you're the owner of your subscription.
![Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
-1. To register the appliance, your Azure account needs **permissions to register Azure Active Directory apps.**
+1. To register the appliance, your Azure account needs **permissions to register Microsoft Entra apps.**
-1. In the portal, go to **Azure Active Directory** > **Users**.
+1. In the portal, go to **Microsoft Entra ID** > **Users**.
-1. Request the tenant or global admin to assign the [Application Developer role](../active-directory/roles/permissions-reference.md#application-developer) to the account to allow Azure AD app registration by users. [Learn more](../active-directory/roles/manage-roles-portal.md#assign-a-role).
+1. Request the tenant or global admin to assign the [Application Developer role](../active-directory/roles/permissions-reference.md#application-developer) to the account to allow Microsoft Entra app registration by users. [Learn more](../active-directory/roles/manage-roles-portal.md#assign-a-role).
## Prepare AWS instances
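Review bot: the step "In the portal, go to **Microsoft Entra ID** > **Users**" is addressed to the reader, but the very next step has the reader ask a tenant or global admin to assign the Application Developer role, so for a non-admin the navigation leads nowhere. Either drop the navigation step or reword both steps as instructions for the administrator (open the user, **Assigned roles**, add **Application Developer**), and name which role can make that assignment; "tenant or global admin" is not a Microsoft Entra role name.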
migrate Tutorial Discover Gcp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-gcp.md
Before you start this tutorial, check you have these prerequisites in place.
To create a project and register the Azure Migrate appliance, you need an account with: * Contributor or Owner permissions on an Azure subscription.
-* Permissions to register Azure Active Directory apps.
+* Permissions to register Microsoft Entra apps.
If you just created a free Azure account, you're the owner of your subscription. If you're not the subscription owner, work with the owner to assign the permissions as follows:
If you just created a free Azure account, you're the owner of your subscription.
![Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
-1. To register the appliance, your Azure account needs **permissions to register Azure Active Directory apps**.
+1. To register the appliance, your Azure account needs **permissions to register Microsoft Entra apps**.
-1. In the portal, go to **Azure Active Directory** > **Users**.
+1. In the portal, go to **Microsoft Entra ID** > **Users**.
-1. Request the tenant or global admin to assign the [Application Developer role](../active-directory/roles/permissions-reference.md#application-developer) to the account to allow Azure AD app registration by users. [Learn more](../active-directory/roles/manage-roles-portal.md#assign-a-role).
+1. Request the tenant or global admin to assign the [Application Developer role](../active-directory/roles/permissions-reference.md#application-developer) to the account to allow Microsoft Entra app registration by users. [Learn more](../active-directory/roles/manage-roles-portal.md#assign-a-role).
## Prepare GCP instances
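Review bot: this prerequisite block (Contributor/Owner, permission to register Microsoft Entra apps, the three role-assignment steps) is byte-for-byte the same as the one in tutorial-discover-aws.md, tutorial-discover-hyper-v.md, tutorial-discover-physical.md and tutorial-discover-vmware.md, and this commit has to patch all five copies. Move it to a shared include under `../../includes/` (the same place the `add-role-assignment-page.png` image already lives) so the next terminology or role change is made once.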
migrate Tutorial Discover Hyper V https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-hyper-v.md
Before you start this tutorial, check you have these prerequisites in place.
To create a project and register the Azure Migrate appliance, you need an account with: - Contributor or Owner permissions on an Azure subscription.-- Permissions to register Azure Active Directory apps.
+- Permissions to register Microsoft Entra apps.
If you just created a free Azure account, you're the owner of your subscription. If you're not the subscription owner, work with the owner to assign the permissions as follows:
If you just created a free Azure account, you're the owner of your subscription.
![Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
-1. To register the appliance, your Azure account needs **permissions to register Azure Active Directory apps.**
+1. To register the appliance, your Azure account needs **permissions to register Microsoft Entra apps.**
-1. In the portal, go to **Azure Active Directory** > **Users**.
+1. In the portal, go to **Microsoft Entra ID** > **Users**.
-1. Request the tenant or global admin to assign the [Application Developer role](../active-directory/roles/permissions-reference.md#application-developer) to the account to allow Azure AD app registration by users. [Learn more](../active-directory/roles/manage-roles-portal.md#assign-a-role).
+1. Request the tenant or global admin to assign the [Application Developer role](../active-directory/roles/permissions-reference.md#application-developer) to the account to allow Microsoft Entra app registration by users. [Learn more](../active-directory/roles/manage-roles-portal.md#assign-a-role).
## Prepare Hyper-V hosts
migrate Tutorial Discover Import https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-import.md
If you don't have an Azure subscription, create a [free account](https://azure.m
To create an Azure Migrate project, you need an account with: - Contributor or Owner permissions on an Azure subscription.-- Permissions to register Azure Active Directory apps.
+- Permissions to register Microsoft Entra apps.
If you just created a free Azure account, you're the owner of your subscription. If you're not the subscription owner, work with the owner to assign the permissions as follows:
If you just created a free Azure account, you're the owner of your subscription.
1. In the portal, search for users, and under **Services**, select **Users**.
-1. In **User settings**, verify that Azure AD users can register applications (set to **Yes** by default).
+1. In **User settings**, verify that Microsoft Entra users can register applications (set to **Yes** by default).
![Verify in User Settings that users can register Active Directory apps](./media/tutorial-discover-import/register-apps.png)
migrate Tutorial Discover Physical https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-physical.md
Before you start this tutorial, ensure you have these prerequisites in place.
To create a project and register the Azure Migrate appliance, you need an account with: - Contributor or Owner permissions on an Azure subscription.-- Permissions to register Azure Active Directory apps.
+- Permissions to register Microsoft Entra apps.
If you just created a free Azure account, you're the owner of your subscription. If you're not the subscription owner, work with the owner to assign the permissions as follows:
If you just created a free Azure account, you're the owner of your subscription.
![Add role assignment page in Azure portal.](../../includes/role-based-access-control/media/add-role-assignment-page.png)
-1. To register the appliance, your Azure account needs **permissions to register Azure Active Directory apps.**
+1. To register the appliance, your Azure account needs **permissions to register Microsoft Entra apps.**
-1. In the portal, go to **Azure Active Directory** > **Users**.
+1. In the portal, go to **Microsoft Entra ID** > **Users**.
-1. Request the tenant or global admin to assign the [Application Developer role](../active-directory/roles/permissions-reference.md#application-developer) to the account to allow Azure AD app registration by users. [Learn more](../active-directory/roles/manage-roles-portal.md#assign-a-role).
+1. Request the tenant or global admin to assign the [Application Developer role](../active-directory/roles/permissions-reference.md#application-developer) to the account to allow Microsoft Entra app registration by users. [Learn more](../active-directory/roles/manage-roles-portal.md#assign-a-role).
## Prepare Windows server
migrate Tutorial Discover Vmware https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-discover-vmware.md
ms. Previously updated : 09/15/2023 Last updated : 10/11/2023 #Customer intent: As an VMware admin, I want to discover my on-premises servers running in a VMware environment.
Requirement | Details
To create a project and register the Azure Migrate appliance, you must have an Azure account that has these permissions: - Contributor or Owner permissions in the Azure subscription.-- Permissions to register Azure Active Directory (Azure AD) apps.
+- Permissions to register Microsoft Entra apps.
- Owner or Contributor and User Access Administrator permissions at subscription level to create an instance of Azure Key Vault, which is used during agentless server migration. If you created a free Azure account, by default, you're the owner of the Azure subscription. If you're not the subscription owner, work with the owner to assign permissions.
To set Contributor or Owner permissions in the Azure subscription:
:::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Add role assignment page in Azure portal.":::
-To give the account the required permissions to register Azure AD apps:
+To give the account the required permissions to register Microsoft Entra apps:
-1. In the portal, go to **Azure Active Directory** > **Users**.
+1. In the portal, go to **Microsoft Entra ID** > **Users**.
-1. Request the tenant or global admin to assign the [Application Developer role](../active-directory/roles/permissions-reference.md#application-developer) to the account to allow Azure AD app registration by users. [Learn more](../active-directory/roles/manage-roles-portal.md#assign-a-role).
+1. Request the tenant or global admin to assign the [Application Developer role](../active-directory/roles/permissions-reference.md#application-developer) to the account to allow Microsoft Entra app registration by users. [Learn more](../active-directory/roles/manage-roles-portal.md#assign-a-role).
## Prepare VMware
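Review bot: the context line "Owner or Contributor and User Access Administrator permissions at subscription level to create an instance of Azure Key Vault" asks for the ability to assign any RBAC role to any principal across the whole subscription in order to set up one vault. Recommend scoping User Access Administrator to the resource group that will hold the Key Vault, or granting it just-in-time for the duration of the setup, and saying what it is needed for (presumably the role assignments on the vault) so readers can verify the grant is no longer needed afterwards.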
-On vCenter Server, check that your account has permissions to create a VM by using a VMware Open Virtualization Appliance (OVA) virtual machine (VM) installation file. You must have these permissions when you deploy the Azure Migrate appliance as a VMware VM by using an OVA file.
+On vCenter Server, check that your account has [permissions](migrate-support-matrix-vmware-migration.md#vmware-vsphere-requirements-agentless) to create a VM by using a VMware Open Virtualization Appliance (OVA) virtual machine (VM) installation file. You must have these [permissions](migrate-support-matrix-vmware-migration.md#vmware-vsphere-requirements-agentless) when you deploy the Azure Migrate appliance as a VMware VM by using an OVA file.
-Azure Migrate must have a vCenter Server read-only account to discover and assess servers running in your VMware environment. If you also want to run discovery of installed applications and agentless dependency analysis, the account must have permissions enabled in VMware for VM guest operations.
+Azure Migrate must have a vCenter Server read-only account to discover and assess servers running in your VMware environment. If you also want to run discovery of installed applications and agentless dependency analysis, the account must have [permissions](migrate-support-matrix-vmware-migration.md#vmware-vsphere-requirements-agentless) enabled in VMware for VM guest operations.
### Create an account to access vCenter Server
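Review bot: both new links point at the agentless migration requirements anchor (`migrate-support-matrix-vmware-migration.md#vmware-vsphere-requirements-agentless`), but the second paragraph is about the read-only account used for discovery and assessment plus the VM guest-operations privileges for dependency analysis. If the discovery permission set is smaller than the migration set, this link will steer readers into over-privileging the vCenter account; point it at the discovery requirements instead. The first paragraph also links the same anchor twice in one sentence; one link is enough.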
migrate Tutorial Migrate Vmware Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-migrate-vmware-agent.md
Assign the Virtual Machine Contributor role to the account, so that you have per
- Write to an Azure managed disk.
-### Assign permissions to register the Replication Appliance in Azure AD
+<a name='assign-permissions-to-register-the-replication-appliance-in-azure-ad'></a>
-If you are following the least privilege principle, assign the **Application Developer** Azure AD role to the user registering the Replication Appliance. Follow the [Assign administrator and non-administrator roles to users with Azure Active Directory](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md) guide to do so.
+### Assign permissions to register the Replication Appliance in Microsoft Entra ID
+
+If you are following the least privilege principle, assign the **Application Developer** Microsoft Entra role to the user registering the Replication Appliance. Follow the [Assign administrator and non-administrator roles to users with Microsoft Entra ID](../active-directory/fundamentals/active-directory-users-assign-role-azure-portal.md) guide to do so.
> [!IMPORTANT]
-> If the user registering the Replication Appliance is an Azure AD Global administrator, that user already has the required permissions.
+> If the user registering the Replication Appliance is a Microsoft Entra Global Administrator, that user already has the required permissions.
### Set up an Azure network
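Review bot: the IMPORTANT callout ("If the user registering the Replication Appliance is a Microsoft Entra Global Administrator, that user already has the required permissions") reads as an invitation to register a one-off appliance with a Global Administrator account, which undercuts the least-privilege sentence immediately above it. Reword to say that Application Developer is sufficient and that a Global Administrator should not be used for this task. The `<a name='...-in-azure-ad'>` anchor that preserves old deep links to the renamed heading is a good touch and should be kept.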
After downloading the OVF template, you import it into VMware vSphere to create
3. After the installation finishes, sign in to the VM as the administrator, using the admin password. The first time you sign in, the replication appliance setup tool (Azure Site Recovery Configuration Tool) starts within a few seconds. 5. Enter a name to use for registering the appliance with the Migration and modernization tool. Select **Next**. 6. The tool checks that the VM can connect to Azure. After the connection is established, select **Sign in** to sign in to your Azure subscription.
-7. Wait for the tool to finish registering an Azure AD app to identify the appliance. The appliance reboots.
+7. Wait for the tool to finish registering a Microsoft Entra app to identify the appliance. The appliance reboots.
1. Sign in to the machine again. In a few seconds, the Configuration Server Management Wizard starts automatically. ### Register the replication appliance
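Review bot: the procedure numbering in this hunk runs 3, 5, 6, 7, 1, so the renamed step 7 sits in a broken list; renumber while touching the line. Step 7 also creates a credentialed app registration ("registering a Microsoft Entra app to identify the appliance") without telling the reader how to find it afterwards; name the registration the tool creates so it can be inventoried, its credential rotated, and the registration removed when the appliance is decommissioned.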
migrate Tutorial Modernize Asp Net Appservice Code https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/migrate/tutorial-modernize-asp-net-appservice-code.md
Once you have successfully completed migration, you may explore the following st
- [Security recommendations](../app-service/security-recommendations.md). - [Networking features](../app-service/networking-features.md). - [Monitor App Service with Azure Monitor](../app-service/monitor-app-service.md).-- [Configure Azure AD authentication](../app-service/configure-authentication-provider-aad.md).
+- [Configure Microsoft Entra authentication](../app-service/configure-authentication-provider-aad.md).
## Next steps - Investigate the [cloud migration journey](/azure/architecture/cloud-adoption/getting-started/migrate) in the Azure Cloud Adoption Framework.-- [Review best practices](../app-service/deploy-best-practices.md) for deploying to Azure App service.
+- [Review best practices](../app-service/deploy-best-practices.md) for deploying to Azure App service.
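Review bot: the second `-`/`+` pair in this hunk differs only in leading whitespace, and the retained text writes the product name as "Azure App service" where the rest of the page uses "App Service". If the line is being touched anyway, correct the capitalisation; otherwise leave it out of the rename diff.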
modeling-simulation-workbench Concept Chamber https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/modeling-simulation-workbench/concept-chamber.md
In Azure Modeling and Simulation Workbench, a chamber is defined as a group of c
Chambers create a secure and isolated environment by adding private IP access and removing internet access. Public domain access is restricted to authorized networks over encrypted sessions enabled by the connector component. A [connector](./concept-connector.md) exists per chamber that supports the protocols established through VPN, Azure Express Route, or allowlisted Public IP addresses.
-Only provisioned users can access the chamber environment. User provisioning is done at the chamber component using IAM [(Access Control)](/azure/role-based-access-control/role-assignments-portal). This enables Cross team and/or cross-organization individuals to collaborate on the same projects through the chambers. Multifactor authentication (MFA) enabled through Azure AD is recommended to enhance your organization's security.
+Only provisioned users can access the chamber environment. User provisioning is done at the chamber component using IAM [(Access Control)](/azure/role-based-access-control/role-assignments-portal). This enables Cross team and/or cross-organization individuals to collaborate on the same projects through the chambers. Multifactor authentication (MFA) enabled through Microsoft Entra ID is recommended to enhance your organization's security.
## Chamber storage
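Review bot: for an environment whose whole purpose is isolating customer IP, "Multifactor authentication (MFA) enabled through Microsoft Entra ID is recommended" is too soft; it reads as something individual users may opt into. State that MFA should be enforced for all chamber users, for example through a Conditional Access policy scoped to the workbench application, so that a single unenrolled account cannot bypass it. Minor: "Cross team" should be lower case "cross-team", matching "cross-organization" in the same sentence.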
modeling-simulation-workbench Concept Workbench https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/modeling-simulation-workbench/concept-workbench.md
The Azure virtual network enables over-provisioned network resources with high b
- [Azure VPN](/azure/vpn-gateway/vpn-gateway-about-vpngateways) - A VPN gateway is a specific type of virtual network gateway, sending encrypted traffic between an Azure virtual network and an on-premises network over the public network. -- Remote desktop service - As robust security is mandatory to protect IP within and outside chambers, remote desktop access needs to be secured, with custom restrictions on data transfer through the sessions. Customer IT admins can enable multifactor authentication through [Azure Active Directory](/azure/active-directory/) and provision role assignments to Modeling and Simulation Workbench users.
+- Remote desktop service - As robust security is mandatory to protect IP within and outside chambers, remote desktop access needs to be secured, with custom restrictions on data transfer through the sessions. Customer IT admins can enable multifactor authentication through [Microsoft Entra ID](/azure/active-directory/) and provision role assignments to Modeling and Simulation Workbench users.
## Next steps
modeling-simulation-workbench How To Guide Set Up Networking https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/modeling-simulation-workbench/how-to-guide-set-up-networking.md
Follow these steps to get redirect URIs:
Follow these steps to add redirect URIs:
-1. In the Azure portal, in **Azure Active Directory** > **App registrations**, select the application that you created in your Microsoft Entra ID instance.
+1. In the Azure portal, in **Microsoft Entra ID** > **App registrations**, select the application that you created in your Microsoft Entra instance.
1. Under **Manage**, select **Authentication**.
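Review bot: "the application that you created in your Microsoft Entra instance" should be "tenant", the term the rest of this change uses. Because the steps that follow add redirect URIs, the section should also say that each URI must be the exact HTTPS address of the workbench endpoint that will receive the sign-in response; anything broader than necessary hands the authorization response to whoever controls the extra location.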
modeling-simulation-workbench Modeling Simulation Workbench Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/modeling-simulation-workbench/modeling-simulation-workbench-overview.md
The Azure Modeling and Simulation Workbench is a secure, on-demand service that
## Isolated chambers
-The Modeling and Simulation [Workbench](./concept-workbench.md) can be created with one or more isolated chambers, where access can be provided to a group of users to work with complete privacy. These isolated chambers allow intellectual property (IP) owners to operate within a private environment to retain full control of their IP and limit who can access it. RBAC [(Role Based Access Control)](/azure/role-based-access-control/overview) allows only provisioned [Chamber](./concept-chamber.md) Users and Chamber Admins to have access to the chamber, through multi-factor authentication using [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) services. Once in the chamber, users have access to all the resources within that specific isolated Chamber environment, including private storage and workload VMs.
+The Modeling and Simulation [Workbench](./concept-workbench.md) can be created with one or more isolated chambers, where access can be provided to a group of users to work with complete privacy. These isolated chambers allow intellectual property (IP) owners to operate within a private environment to retain full control of their IP and limit who can access it. RBAC [(Role Based Access Control)](/azure/role-based-access-control/overview) allows only provisioned [Chamber](./concept-chamber.md) Users and Chamber Admins to have access to the chamber, through multi-factor authentication using [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/) services. Once in the chamber, users have access to all the resources within that specific isolated Chamber environment, including private storage and workload VMs.
## Compute capabilities
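Review bot: the renamed link text "Microsoft Entra ID" still points at the marketing page `https://azure.microsoft.com/services/active-directory/`, while every other hunk in this change links to the docs path `/azure/active-directory/`. Use the docs link here too; the marketing URL will be the next thing to change under the rename.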
modeling-simulation-workbench Quickstart Create Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/modeling-simulation-workbench/quickstart-create-portal.md
Get started with Azure Modeling and Simulation Workbench (preview) by using the
- The Azure account must have permission to manage resource providers and to manage resources for the subscription. The permission is included in the Contributor and Owner roles. -- The Azure account must have permission to manage applications in Azure Active Directory (Azure AD). The following Azure AD roles include the required permissions:
+- The Azure account must have permission to manage applications in Microsoft Entra ID. The following Microsoft Entra roles include the required permissions:
- [Application administrator](/azure/active-directory/roles/permissions-reference#application-administrator) - [Application developer](/azure/active-directory/roles/permissions-reference#application-developer) - [Cloud application administrator](/azure/active-directory/roles/permissions-reference#cloud-application-administrator) -- An Azure AD tenant.
+- A Microsoft Entra tenant.
## Sign in to Azure portal
Open your web browser and go to the [Azure portal](https://portal.azure.com/). E
> > To allow your application to continue sooner than waiting for all regions to complete, don't block the creation of resources for a resource provider in the registering state.
-## Create an application in Azure Active Directory
+<a name='create-an-application-in-azure-active-directory'></a>
-To create an application in Azure Active Directory, you first register the application and add a client secret. Then you create a Key Vault, set up Key Vault role assignments, and add client secrets to the Key Vault.
+## Create an application in Microsoft Entra ID
+
+To create an application in Microsoft Entra ID, you first register the application and add a client secret. Then you create a Key Vault, set up Key Vault role assignments, and add client secrets to the Key Vault.
### Register an application
Follow these steps to create the app registration:
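Review bot: inconsistent spacing after the compatibility anchor: in this hunk `<a name='create-an-application-in-azure-active-directory'></a>` is followed directly by the renamed `## Create an application in Microsoft Entra ID` heading, while the redirect-URIs hunk later in this file inserts a blank `+` line between anchor and heading. Pick one form for both so the two bookmarks are added the same way.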
1. If you have access to multiple tenants, use the Directories + subscriptions** filter :::image type="content" source="/azure/active-directory/develop/media/common/portal-directory-subscription-filter.png" alt-text="Showing filter icon."::: in the top menu to switch to the tenant in which you want to register the application.
-1. Search for and select **Azure Active Directory**.
+1. Search for and select **Microsoft Entra ID**.
1. Under **Manage**, select **App registrations** > **New registration**.
Follow these steps to create the app registration:
### Add a client secret
-Creating a client secret allows the Azure Modeling and Simulation Workbench to redirect Azure AD sign-in requests directly to your organization's Azure Active Directory, as the only identity provider. This integration provides a single sign-on experience for your design team. The secret's lifetime should last the workbench's lifetime. However, if the secret does expire, your design team loses access to the chamber. To address an expired secret, you need to create a new secret and update the Azure Modeling and Simulation Workbench with the new values.
+Creating a client secret allows the Azure Modeling and Simulation Workbench to redirect Microsoft Entra sign-in requests directly to your organization's Microsoft Entra ID, as the only identity provider. This integration provides a single sign-on experience for your design team. The secret's lifetime should last the workbench's lifetime. However, if the secret does expire, your design team loses access to the chamber. To address an expired secret, you need to create a new secret and update the Azure Modeling and Simulation Workbench with the new values.
1. In **App registrations**, select your application *QuickstartModSimWorkbenchApp*. 1. Select **Certificates & secrets** > **Client secrets** > **New client secret**.
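Review bot: the renamed sentence now reads redundantly: "redirect Microsoft Entra sign-in requests directly to your organization's Microsoft Entra ID". Suggest "redirect sign-in requests to your organization's Microsoft Entra tenant as the only identity provider", which keeps the meaning and drops the doubled product name.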
To create an Azure Modeling and Simulation Workbench, you first fill out the Azu
1. Leave the **Assign access to** default **User, group, or service principal**. Select **+ Select members**. In the **Select members** blade on the left side of the screen, search for your security principal by entering a string or scrolling through the list. Select your security principal. Select **Select** to save the selections. > [!NOTE]
- > Chamber Admins and Chamber Users *MUST* have an alias set within their Azure AD profile email field, or they can't log into the environment.
+ > Chamber Admins and Chamber Users *MUST* have an alias set within their Microsoft Entra profile email field, or they can't log into the environment.
:::image type="content" source="./media/quickstart-create-portal/chamber-iam-04.png" alt-text="Screenshot of the Add role assignment page showing where you select the security principal.":::
To create an Azure Modeling and Simulation Workbench, you first fill out the Azu
1. Repeat steps 3-6 to assign the **Chamber User** role to other users who need to work on the chamber.
-## Add redirect URIs for the application in Azure Active Directory
+<a name='add-redirect-uris-for-the-application-in-azure-active-directory'></a>
+
+## Add redirect URIs for the application in Microsoft Entra ID
A *redirect URI* is the location where the Microsoft identity platform redirects a user's client and sends security tokens after authentication.
Follow these steps to get redirect URIs:
Follow these steps to add redirect URIs:
-1. In the Azure portal, in **Azure Active Directory** > **App registrations**, select your application created in **Register an application** step.
+1. In the Azure portal, in **Microsoft Entra ID** > **App registrations**, select your application created in **Register an application** step.
1. Under **Manage**, select **Authentication**.
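Review bot: missing article in the renamed step: "select your application created in **Register an application** step" should read "select the application you created in the **Register an application** step".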
Follow these steps to add redirect URIs:
1. On the **Configure Web** pane, paste the **Dashboard reply URL** you documented in the previous step in the Redirect URI field. Then select **Configure**.
- :::image type="content" source="./media/quickstart-create-portal/update-aad-app-02.png" alt-text="Screenshot of the Azure AD app Authentication page showing where you configure web authentication.":::
+ :::image type="content" source="./media/quickstart-create-portal/update-aad-app-02.png" alt-text="Screenshot of the Microsoft Entra app Authentication page showing where you configure web authentication.":::
1. Under **Platform configurations** > **Web** > **Redirect URIs**, select **Add URI**. 1. Paste the **Authentication reply URL** you documented in the previous step. Then select **Save**.
- :::image type="content" source="./media/quickstart-create-portal/update-aad-app-03.png" alt-text="Screenshot of the Azure AD app Authentication page showing where you set the second Redirect URI.":::
+ :::image type="content" source="./media/quickstart-create-portal/update-aad-app-03.png" alt-text="Screenshot of the Microsoft Entra app Authentication page showing where you set the second Redirect URI.":::
## Connect to chamber with remote desktop
modeling-simulation-workbench Resources Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/modeling-simulation-workbench/resources-troubleshoot.md
A *not authorized error* while accessing the remote desktop dashboard URL indica
#### Failing for all users -- Review the [Create an application in Azure Active Directory](./quickstart-create-portal.md#create-an-application-in-azure-active-directory) article to verify your application registration is set up correctly.-- Review the [Update the application in Azure Active Directory](./quickstart-create-portal.md#add-redirect-uris-for-the-application-in-azure-active-directory) article to confirm your chamber connector's redirect URIs are set up correctly.
+- Review the [Create an application in Microsoft Entra ID](./quickstart-create-portal.md#create-an-application-in-azure-active-directory) article to verify your application registration is set up correctly.
+- Review the [Update the application in Microsoft Entra ID](./quickstart-create-portal.md#add-redirect-uris-for-the-application-in-azure-active-directory) article to confirm your chamber connector's redirect URIs are set up correctly.
- Review the application registration secrets for Modeling and Simulation Workbench and check to see if your application client secret has expired. Complete the following steps if it's expired. 1. Generate a new secret and make note of the client secret value. 1. Update your Key Vault app secret value with the newly generated client **secret value.**
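Review bot: the two link fragments `#create-an-application-in-azure-active-directory` and `#add-redirect-uris-for-the-application-in-azure-active-directory` deliberately keep the old slugs; that only stays valid because the quickstart hunks above add matching `<a name=...>` anchors in front of the renamed headings. Keep both files in the same change so the troubleshooting links never point at a heading that no longer exists.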
A *not authorized error* while accessing the remote desktop dashboard URL indica
- Make note of the network setup so you can properly configure the new connector with appropriate allowlist IPs or subnet value. - For the new connector, ensure you register your chamber connector's redirect URIs. - A new Remote Desktop URL is also provided to access the chamber workloads.
- 1. The connector creation picks up the new secret and enables the Azure AD single sign-on experience. All Chamber Admins and Chamber Users that are provisioned at the chamber level automatically have access via this new connector.
+ 1. The connector creation picks up the new secret and enables the Microsoft Entra single sign-on experience. All Chamber Admins and Chamber Users that are provisioned at the chamber level automatically have access via this new connector.
#### Failing for some users 1. Ensure the user is provisioned as a Chamber User or a Chamber Admin on the **chamber** resource. They should be set up as an IAM role directly for that chamber, not as a parent resource with inherited permission.
-1. Ensure the user has a valid email set for their Azure AD profile, and that their Azure AD alias matches their email alias. For example, an Azure AD sign in alias of _jane.doe_ must also have an email alias of _jane.doe_. Jane Doe can't sign in to Azure AD with jadoe or any other variation.
+1. Ensure the user has a valid email set for their Microsoft Entra profile, and that their Microsoft Entra alias matches their email alias. For example, a Microsoft Entra sign-in alias of _jane.doe_ must also have an email alias of _jane.doe_. Jane Doe can't sign in to Microsoft Entra ID with jadoe or any other variation.
1. Validate your /mount/sharehome folder has available space. The /mount/sharedhome directory is set up to store user keys to establish a secure connection. Don't store uploaded tarballs/binaries in this folder or install tools and use disk capacity, as it may create system connection errors causing an outage. Use /mount/chamberstorages/\<storage name\> directory instead for all your data storage and tool installation needs. 1. Validate your folder permission settings are correct within your chamber. User provisioning may not work properly if the folder permission settings aren't correct. You can check folder permissions in a terminal session using the *ls -al* command for each /mount/sharedhome/\<useralias\>/.ssh folder, results should match below expectations:
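Review bot: the unchanged context line that follows the renamed step mixes `/mount/sharehome` and `/mount/sharedhome`; the first is almost certainly a typo for the directory named everywhere else in the step and is worth fixing while this file is open. In the same line, "results should match below expectations" should read "the results should match the expectations below".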
A *not authorized error* while accessing the remote desktop dashboard URL indica
1. Then add the user's role assignment back at chamber level. 1. Wait 5 minutes. 1. Advise user to sign in again.
-1. If user still can't sign in, they should clear the browser cache and attempt a new sign into the desktop dashboard URL, or try it with a different browser. When the cache is properly cleared or a sign in to new browser is attempted, your organization's sign-in Azure AD prompt displays. OAuth credentials are cached and sometimes a fresh sign in can resolve issues with cached credentials.
+1. If user still can't sign in, they should clear the browser cache and attempt a new sign into the desktop dashboard URL, or try it with a different browser. When the cache is properly cleared or a sign in to new browser is attempted, your organization's sign-in Microsoft Entra prompt displays. OAuth credentials are cached and sometimes a fresh sign in can resolve issues with cached credentials.
### License error
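Review bot: grammar in the renamed step: "attempt a new sign into the desktop dashboard URL" should be "attempt a new sign-in to the desktop dashboard URL", and "a sign in to new browser is attempted" should be "a sign-in from a new browser is attempted". The hyphenated form "sign-in" is already used in "your organization's sign-in Microsoft Entra prompt" in the same sentence.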
mysql Concepts Azure Ad Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/concepts-azure-ad-authentication.md
Title: Active Directory authentication - Azure Database for MySQL - Flexible Server
-description: Learn about the concepts of Azure Active Directory for authentication with Azure Database for MySQL - Flexible Server.
+description: Learn about the concepts of Microsoft Entra ID for authentication with Azure Database for MySQL - Flexible Server.
[!INCLUDE[applies-to-mysql-flexible-server](../includes/applies-to-mysql-flexible-server.md)]
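Review bot: the `Title:` metadata still says "Active Directory authentication - Azure Database for MySQL - Flexible Server" while the description directly below it was renamed to "Microsoft Entra ID"; update the title to "Microsoft Entra authentication" so the page title and description agree.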
-Microsoft Azure Active Directory (Azure AD) authentication is a mechanism of connecting to Azure Database for MySQL - Flexible Server using identities defined in Azure AD. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, simplifying permission management.
+Microsoft Entra authentication is a mechanism of connecting to Azure Database for MySQL - Flexible Server using identities defined in Microsoft Entra ID. With Microsoft Entra authentication, you can manage database user identities and other Microsoft services in a central location, simplifying permission management.
## Benefits - Authentication of users across Azure Services in a uniform way - Management of password policies and password rotation in a single place-- Multiple forms of authentication supported by Azure Active Directory, which can eliminate the need to store passwords-- Customers can manage database permissions using external (Azure AD) groups.-- Azure AD authentication uses MySQL database users to authenticate identities at the database level
+- Multiple forms of authentication supported by Microsoft Entra ID, which can eliminate the need to store passwords
+- Customers can manage database permissions using external (Microsoft Entra ID) groups.
+- Microsoft Entra authentication uses MySQL database users to authenticate identities at the database level
- Support of token-based authentication for applications connecting to Azure Database for MySQL flexible server
-## Use the steps below to configure and use Azure AD authentication
+<a name='use-the-steps-below-to-configure-and-use-azure-ad-authentication'></a>
-1. Select your preferred authentication method for accessing the flexible server. By default, the authentication selected is set to MySQL authentication only. Select Azure Active Directory authentication only or MySQL and Azure Active Directory authentication to enable Azure AD authentication.
-1. Select the user managed identity (UMI) with the following privileges to configure Azure AD authentication:
- - [User.Read.All](/graph/permissions-reference#user-permissions): Allows access to Azure AD user information.
- - [GroupMember.Read.All](/graph/permissions-reference#group-permissions): Allows access to Azure AD group information.
- - [Application.Read.ALL](/graph/permissions-reference#application-resource-permissions): Allows access to Azure AD service principal (application) information.
+## Use the steps below to configure and use Microsoft Entra authentication
-1. Add Azure AD Admin. It can be Azure AD Users or Groups, which has access to a flexible server.
-1. Create database users in your database mapped to Azure AD identities.
-1. Connect to your database by retrieving a token for an Azure AD identity and logging in.
+1. Select your preferred authentication method for accessing the flexible server. By default, the authentication selected is set to MySQL authentication only. Select Microsoft Entra authentication only or MySQL and Microsoft Entra authentication to enable Microsoft Entra authentication.
+1. Select the user managed identity (UMI) with the following privileges to configure Microsoft Entra authentication:
+ - [User.Read.All](/graph/permissions-reference#user-permissions): Allows access to Microsoft Entra user information.
+ - [GroupMember.Read.All](/graph/permissions-reference#group-permissions): Allows access to Microsoft Entra group information.
+ - [Application.Read.ALL](/graph/permissions-reference#application-resource-permissions): Allows access to Microsoft Entra service principal (application) information.
+
+1. Add Microsoft Entra Admin. It can be Microsoft Entra users or Groups, which has access to a flexible server.
+1. Create database users in your database mapped to Microsoft Entra identities.
+1. Connect to your database by retrieving a token for a Microsoft Entra identity and logging in.
> [!NOTE]
-> For detailed, step-by-step instructions about how to configure Azure AD authentication with Azure Database for MySQL - Flexible Server, see [Learn how to set up Azure Active Directory authentication for Azure Database for MySQL - Flexible Server](how-to-azure-ad.md)
+> For detailed, step-by-step instructions about how to configure Microsoft Entra authentication with Azure Database for MySQL - Flexible Server, see [Learn how to set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server](how-to-azure-ad.md)
## Architecture
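Review bot: grammar and casing in the renamed step list: "It can be Microsoft Entra users or Groups, which has access to a flexible server" should read "It can be a Microsoft Entra user or group that has access to the flexible server". Also `Application.Read.ALL` is cased differently from the neighbouring `User.Read.All` and `GroupMember.Read.All`; the same casing appears again in the Permissions section below, so fix both occurrences together.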
-User-managed identities are required for Azure Active Directory authentication. When a User-Assigned Identity is linked to the flexible server, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity. When the managed identity is deleted, the corresponding service principal is automatically removed.
+User-managed identities are required for Microsoft Entra authentication. When a User-Assigned Identity is linked to the flexible server, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity. When the managed identity is deleted, the corresponding service principal is automatically removed.
-The service then uses the managed identity to request access tokens for services that support Azure AD authentication. Azure Database currently supports only a User-assigned Managed Identity (UMI) for Azure Database for MySQL - Flexible Server. For more information, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) in Azure.
+The service then uses the managed identity to request access tokens for services that support Microsoft Entra authentication. Azure Database currently supports only a User-assigned Managed Identity (UMI) for Azure Database for MySQL - Flexible Server. For more information, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) in Azure.
-The following high-level diagram summarizes how authentication works using Azure AD authentication with Azure Database for MySQL. The arrows indicate communication pathways.
+The following high-level diagram summarizes how authentication works using Microsoft Entra authentication with Azure Database for MySQL. The arrows indicate communication pathways.
1. Your application can request a token from the Azure Instance Metadata Service identity endpoint.
-1. When you use the client ID and certificate, a call is made to Azure AD to request an access token.
-1. A JSON Web Token (JWT) access token is returned by Azure AD. Your application sends the access token on a call to your flexible server.
-1. The flexible server validates the token with Azure AD.
+1. When you use the client ID and certificate, a call is made to Microsoft Entra ID to request an access token.
+1. A JSON Web Token (JWT) access token is returned by Microsoft Entra ID. Your application sends the access token on a call to your flexible server.
+1. The flexible server validates the token with Microsoft Entra ID.
## Administrator structure
-There are two Administrator accounts for the MySQL server when using Azure AD authentication: the original MySQL administrator and the Azure AD administrator.
+There are two Administrator accounts for the MySQL server when using Microsoft Entra authentication: the original MySQL administrator and the Microsoft Entra administrator.
-Only the administrator based on an Azure AD account can create the first Azure AD contained database user in a user database. The Azure AD administrator sign-in can be an Azure AD user or an Azure AD group. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the flexible server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in the Flexible server. Only one Azure AD administrator (a user or group) can be configured at a time.
+Only the administrator based on a Microsoft Entra account can create the first Microsoft Entra ID contained database user in a user database. The Microsoft Entra administrator sign-in can be a Microsoft Entra user or a Microsoft Entra group. When the administrator is a group account, it can be used by any group member, enabling multiple Microsoft Entra administrators for the flexible server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Microsoft Entra ID without changing the users or permissions in the Flexible server. Only one Microsoft Entra administrator (a user or group) can be configured at a time.
Methods of authentication for accessing the flexible server include: - MySQL authentication only - This is the default option. Only the native MySQL authentication with a MySQL sign-in and password can be used to access the flexible server.-- Only Azure AD authentication - MySQL native authentication is disabled, and users are able to authenticate using only their Azure AD user and token. To enable this mode, the server parameter **aad_auth_only** is set to _**ON**_.
+- Only Microsoft Entra authentication - MySQL native authentication is disabled, and users are able to authenticate using only their Microsoft Entra user and token. To enable this mode, the server parameter **aad_auth_only** is set to _**ON**_.
-- Authentication with MySQL and Azure AD - Both native MySQL authentication and Azure AD authentication are supported. To enable this mode, the server parameter **aad_auth_only** is set to _**OFF**_.
+- Authentication with MySQL and Microsoft Entra ID - Both native MySQL authentication and Microsoft Entra authentication are supported. To enable this mode, the server parameter **aad_auth_only** is set to _**OFF**_.
## Permissions
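Review bot: awkward phrase in the renamed paragraph: "the first Microsoft Entra ID contained database user" should be "the first Microsoft Entra contained database user", matching the attributive "Microsoft Entra administrator" and "Microsoft Entra group" used in the same sentence. "Flexible server" is also capitalized inconsistently with "flexible server" elsewhere in this hunk.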
The following permissions are required to allow the UMI to read from the Microso
> [!IMPORTANT] > Only a [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator) or [Privileged Role Administrator](../../active-directory/roles/permissions-reference.md#privileged-role-administrator) can grant these permissions. -- [User.Read.All](/graph/permissions-reference#user-permissions): Allows access to Azure AD user information.-- [GroupMember.Read.All](/graph/permissions-reference#group-permissions): Allows access to Azure AD group information.-- [Application.Read.ALL](/graph/permissions-reference#application-resource-permissions): Allows access to Azure AD service principal (application) information.
+- [User.Read.All](/graph/permissions-reference#user-permissions): Allows access to Microsoft Entra user information.
+- [GroupMember.Read.All](/graph/permissions-reference#group-permissions): Allows access to Microsoft Entra group information.
+- [Application.Read.ALL](/graph/permissions-reference#application-resource-permissions): Allows access to Microsoft Entra service principal (application) information.
For guidance about how to grant and use the permissions, refer to [Overview of Microsoft Graph permissions](/graph/permissions-overview)
After you grant the permissions to the UMI, they're enabled for all servers crea
## Token Validation
-Azure AD authentication in Azure Database for MySQL - Flexible Server ensures that the user exists in the MySQL server and checks the token's validity by validating the token's contents. The following token validation steps are performed:
+Microsoft Entra authentication in Azure Database for MySQL - Flexible Server ensures that the user exists in the MySQL server and checks the token's validity by validating the token's contents. The following token validation steps are performed:
-- Token is signed by Azure AD and hasn't been tampered.-- Token was issued by Azure AD for the tenant associated with the server.
+- Token is signed by Microsoft Entra ID and hasn't been tampered.
+- Token was issued by Microsoft Entra ID for the tenant associated with the server.
- Token hasn't expired. - Token is for the flexible server resource (and not another Azure resource).
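Review bot: "Token is signed by Microsoft Entra ID and hasn't been tampered" needs "tampered with". The introductory sentence only says these validation steps "are performed"; since these four bullets are what a reader relies on to judge the trust boundary, state the outcome as well, for example that a token failing any one of the checks is rejected and the connection is refused.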
-## Connect using Azure AD identities
+<a name='connect-using-azure-ad-identities'></a>
+
+## Connect using Microsoft Entra identities
-Azure Active Directory authentication supports the following methods of connecting to a database using Azure AD identities:
+Microsoft Entra authentication supports the following methods of connecting to a database using Microsoft Entra identities:
-- Azure Active Directory Password-- Azure Active Directory Integrated-- Azure Active Directory Universal with MFA
+- Microsoft Entra Password
+- Microsoft Entra integrated
+- Microsoft Entra Universal with MFA
- Using Active Directory Application certificates or client secrets - Managed Identity Once you authenticate against the Active Directory, you retrieve a token. This token is your password for logging in. > [!NOTE]
-> That management operation, such as adding new users, is only supported for Azure AD user roles.
+> That management operation, such as adding new users, is only supported for Microsoft Entra user roles.
> [!NOTE]
-> For more information on how to connect with an Active Directory token, see [Configure and sign in with Azure AD for Azure Database for MySQL - Flexible Server](how-to-azure-ad.md).
+> For more information on how to connect with an Active Directory token, see [Configure and sign in with Microsoft Entra ID for Azure Database for MySQL - Flexible Server](how-to-azure-ad.md).
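Review bot: the bullet list capitalizes inconsistently after the rename: "Microsoft Entra Password", "Microsoft Entra integrated", "Microsoft Entra Universal with MFA". The unchanged lines in this hunk still say "Active Directory Application certificates", "authenticate against the Active Directory" and "connect with an Active Directory token", which now reads as if a different product were meant; rename those too unless they are intentionally left. The note "That management operation, such as adding new users, is only supported for Microsoft Entra user roles" is ungrammatical; suggest "Management operations, such as adding new users, are only supported for Microsoft Entra user roles".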
## Other considerations -- You can only configure one Azure AD administrator per flexible server at any time.
+- You can only configure one Microsoft Entra administrator per flexible server at any time.
-- Only an Azure AD administrator for MySQL can initially connect to the flexible server using an Azure Active Directory account. The Active Directory administrator can configure subsequent Azure AD database users or an Azure AD group. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the flexible server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in the flexible server.
+- Only a Microsoft Entra administrator for MySQL can initially connect to the flexible server using a Microsoft Entra account. The Active Directory administrator can configure subsequent Microsoft Entra database users or a Microsoft Entra group. When the administrator is a group account, it can be used by any group member, enabling multiple Microsoft Entra administrators for the flexible server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Microsoft Entra ID without changing the users or permissions in the flexible server.
-- If a user is deleted from Azure AD, that user can no longer authenticate with Azure AD. Therefore, acquiring an access token for that user is no longer possible. Although the matching user is still in the database, connecting to the server with that user isn't possible.
+- If a user is deleted from Microsoft Entra ID, that user can no longer authenticate with Microsoft Entra ID. Therefore, acquiring an access token for that user is no longer possible. Although the matching user is still in the database, connecting to the server with that user isn't possible.
> [!NOTE]
-> Log in with the deleted Azure AD user can still be done until the token expires (up to 60 minutes from token issuing). If you remove the user from Azure Database for MySQL, this access is revoked immediately.
+> Log in with the deleted Microsoft Entra user can still be done until the token expires (up to 60 minutes from token issuing). If you remove the user from Azure Database for MySQL, this access is revoked immediately.
-- If the Azure AD admin is removed from the server, the server is no longer associated with an Azure AD tenant, and therefore all Azure AD logins are disabled for the server. Adding a new Azure AD admin from the same tenant re-enables Azure AD logins.
+- If the Microsoft Entra admin is removed from the server, the server is no longer associated with a Microsoft Entra tenant, and therefore all Microsoft Entra logins are disabled for the server. Adding a new Microsoft Entra admin from the same tenant re-enables Microsoft Entra logins.
-- A flexible server matches access tokens to the Azure Database for MySQL users using the user's unique Azure AD user ID instead of the username. This means that if an Azure AD user is deleted in Azure AD and a new user is created with the same name, the flexible server considers that a different user. Therefore, if a user is deleted from Azure AD and then a new user with the same name is added, the new user isn't able to connect with the existing user.
+- A flexible server matches access tokens to the Azure Database for MySQL users using the user's unique Microsoft Entra user ID instead of the username. This means that if a Microsoft Entra user is deleted in Microsoft Entra ID and a new user is created with the same name, the flexible server considers that a different user. Therefore, if a user is deleted from Microsoft Entra ID and then a new user with the same name is added, the new user isn't able to connect with the existing user.
> [!NOTE]
-> The subscriptions of a flexible server with Azure AD authentication enabled can't be transferred to another tenant or directory.
+> The subscriptions of a flexible server with Microsoft Entra authentication enabled can't be transferred to another tenant or directory.
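Review bot: incomplete rename inside the `+` line: "The Active Directory administrator can configure subsequent Microsoft Entra database users" should say "The Microsoft Entra administrator", as in the sentence before it. In the note further down, "Log in with the deleted Microsoft Entra user can still be done until the token expires" reads better as "A deleted Microsoft Entra user can still sign in until the token expires (up to 60 minutes from issue)"; that revocation gap is the security-relevant point of the note and deserves the clearer wording.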
## Next steps -- To learn how to configure Azure AD with Azure Database for MySQL, see [Set up Azure Active Directory authentication for Azure Database for MySQL - Flexible Server](how-to-azure-ad.md)--
+- To learn how to configure Microsoft Entra ID with Azure Database for MySQL, see [Set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server](how-to-azure-ad.md)
mysql Concepts Customer Managed Key https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/concepts-customer-managed-key.md
Data encryption with customer-managed keys for Azure Database for MySQL - Flexib
- ## How does data encryption with a customer-managed key work?
-Managed identities in Azure Active Directory (Azure AD) provide Azure services an alternative to storing credentials in the code by provisioning an automatically assigned identity that can be used to authenticate to any service supporting Azure AD authentication, such as Azure Key Vault (AKV). Azure Database for MySQL - Flexible Server currently supports only User-assigned Managed Identity (UMI). For more information, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) in Azure.
+Managed identities in Microsoft Entra ID provide Azure services an alternative to storing credentials in the code by provisioning an automatically assigned identity that can be used to authenticate to any service supporting Microsoft Entra authentication, such as Azure Key Vault (AKV). Azure Database for MySQL - Flexible Server currently supports only User-assigned Managed Identity (UMI). For more information, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) in Azure.
To configure the CMK for an Azure Database for MySQL flexible server, you need to link the UMI to the server and specify the Azure Key vault and key to use.
After logging is enabled, auditors can use Azure Monitor to review Key Vault aud
Before you attempt to configure Key Vault, be sure to address the following requirements. -- The Key Vault and Azure Database for MySQL - Flexible Server must belong to the same Azure Active Directory (Azure AD) tenant. Cross-tenant Key Vault and flexible server interactions need to be supported. You'll need to reconfigure data encryption if you move Key Vault resources after performing the configuration.
+- The Key Vault and Azure Database for MySQL - Flexible Server must belong to the same Microsoft Entra tenant. Cross-tenant Key Vault and flexible server interactions need to be supported. You'll need to reconfigure data encryption if you move Key Vault resources after performing the configuration.
- The Key Vault and Azure Database for MySQL - Flexible Server must reside in the same region. - Enable the [soft-delete](../../key-vault/general/soft-delete-overview.md) feature on the key vault with a retention period set to 90 days to protect from data loss should an accidental key (or Key Vault) deletion occur. The recover and purge actions have their own permissions in a Key Vault access policy. The soft-delete feature is off by default, but you can enable it through the Azure portal or by using PowerShell or the Azure CLI. - Enable the [Purge Protection](../../key-vault/general/soft-delete-overview.md#purge-protection) feature on the key vault and set the retention period to 90 days. When purge protection is on, a vault or an object in the deleted state can't be purged until the retention period has passed. You can enable this feature using PowerShell or the Azure CLI, and only after you've enabled soft-delete.
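Review bot: the first bullet contradicts itself: "Cross-tenant Key Vault and flexible server interactions need to be supported" sits right after the requirement that the vault and the server belong to the same Microsoft Entra tenant, and the next sentence tells the reader to reconfigure encryption after moving Key Vault resources. The intended statement is evidently that cross-tenant interactions are not supported, so the renamed line should read "Cross-tenant Key Vault and flexible server interactions aren't supported."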
It might happen that someone with sufficient access rights to Key Vault accident
- Deleting the key - Deleting the key vault - Changing the key vault's firewall rules-- Deleting the user managed identity used for encryption on the flexible server with a customer managed key in Azure AD
+- Deleting the user managed identity used for encryption on the flexible server with a customer managed key in Microsoft Entra ID
## Monitor the customer-managed key in Key Vault
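Review bot: the renamed bullet "Deleting the user managed identity used for encryption on the flexible server with a customer managed key in Microsoft Entra ID" leaves "in Microsoft Entra ID" dangling after "customer managed key", which reads as if the key lived in Entra ID; the identity does, the key lives in Key Vault. Suggest "Deleting, in Microsoft Entra ID, the user-assigned managed identity (UMI) used for encryption on the flexible server with a customer managed key", which also matches the "User-assigned Managed Identity (UMI)" term introduced at the top of this article instead of the looser "user managed identity".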
mysql Concepts Data Out Replication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/concepts-data-out-replication.md
The main scenarios to consider about using Data-out replication are:
## Limitations and considerations
-### Azure AD isn't supported
+<a name='azure-ad-isnt-supported'></a>
-Data-out replication isn't supported on Azure Database for MySQL - Flexible Server, which has Azure authentication configured. Any Azure AD transaction (Azure AD user create/update) on the source server will break data-out replication.
+### Microsoft Entra ID isn't supported
+
+Data-out replication isn't supported on Azure Database for MySQL - Flexible Server, which has Azure authentication configured. Any Microsoft Entra transaction (Microsoft Entra user create/update) on the source server will break data-out replication.
> [!TIP] > Use guidance published here - MySQL :: MySQL Replication :: 2.7.3 Skipping Transactions to skip past an event or events by issuing a CHANGE MASTER TO statement to move the source's binary log position forward. Restart replication posts the action.
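Review bot: the rename in the "+" paragraph is incomplete: "which has Azure authentication configured" still uses the old, truncated product name while the rest of the same sentence now says "Microsoft Entra transaction"; make it "which has Microsoft Entra authentication configured". In the TIP that follows, the MySQL manual reference ("MySQL :: MySQL Replication :: 2.7.3 Skipping Transactions") is plain text with no link target, and "Restart replication posts the action" is presumably meant as "Restart replication after the action".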
mysql Connect Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/connect-java.md
This topic demonstrates creating a sample application that uses Java and [JDBC](
JDBC is the standard Java API to connect to traditional relational databases.
-In this article, we'll include two authentication methods: Azure Active Directory (Azure AD) authentication and MySQL authentication. The **Passwordless** tab shows the Azure AD authentication and the **Password** tab shows the MySQL authentication.
+In this article, we'll include two authentication methods: Microsoft Entra authentication and MySQL authentication. The **Passwordless** tab shows the Microsoft Entra authentication and the **Password** tab shows the MySQL authentication.
-Azure AD authentication is a mechanism for connecting to Azure Database for MySQL using identities defined in Azure AD. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.
+Microsoft Entra authentication is a mechanism for connecting to Azure Database for MySQL using identities defined in Microsoft Entra ID. With Microsoft Entra authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.
MySQL authentication uses accounts stored in MySQL. If you choose to use passwords as credentials for the accounts, these credentials will be stored in the `user` table. Because these passwords are stored in MySQL, you'll need to manage the rotation of the passwords by yourself.
az identity create \
> [!IMPORTANT] > After creating the user-assigned identity, ask your *Global Administrator* or *Privileged Role Administrator* to grant the following permissions for this identity: `User.Read.All`, `GroupMember.Read.All`, and `Application.Read.ALL`. For more information, see the [Permissions](./concepts-azure-ad-authentication.md#permissions) section of [Active Directory authentication](./concepts-azure-ad-authentication.md).
-Run the following command to assign the identity to MySQL server for creating Azure AD admin:
+Run the following command to assign the identity to MySQL server for creating Microsoft Entra admin:
```azurecli-interactive az mysql flexible-server identity assign \
az mysql flexible-server identity assign \
--identity $AZ_USER_IDENTITY_NAME ```
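Review bot: the link at the end of the IMPORTANT callout still reads "[Active Directory authentication](./concepts-azure-ad-authentication.md)" while the "+" line directly below switches to "Microsoft Entra admin"; rename the link text to "Microsoft Entra authentication" (the file path can stay, as elsewhere in this change set). The same callout spells the Graph permission "Application.Read.ALL"; the Microsoft Graph permission is "Application.Read.All", with the same casing as "User.Read.All" and "GroupMember.Read.All" on that line.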
-Run the following command to set the Azure AD admin user:
+Run the following command to set the Microsoft Entra admin user:
```azurecli-interactive az mysql flexible-server ad-admin create \
az mysql flexible-server ad-admin create \
``` > [!IMPORTANT]
-> When setting the administrator, a new user is added to the Azure Database for MySQL server with full administrator permissions. Only one Azure AD admin can be created per MySQL server and selection of another one will overwrite the existing Azure AD admin configured for the server.
+> When setting the administrator, a new user is added to the Azure Database for MySQL server with full administrator permissions. Only one Microsoft Entra admin can be created per MySQL server and selection of another one will overwrite the existing Microsoft Entra admin configured for the server.
This command creates a small MySQL server and sets the Active Directory admin to the signed-in user.
FLUSH privileges;
EOF ```
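Review bot: the context sentence after the ad-admin create block, "This command creates a small MySQL server and sets the Active Directory admin to the signed-in user", keeps the old name that the "+" lines above and below replace; it should say "Microsoft Entra admin". The IMPORTANT callout's point that selecting another admin overwrites the existing one deserves to stay close to the command, since a second ad-admin create replaces the first principal rather than adding one.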
-Then, use the following command to run the SQL script to create the Azure AD non-admin user:
+Then, use the following command to run the SQL script to create the Microsoft Entra non-admin user:
```bash mysql -h $AZ_DATABASE_NAME.mysql.database.azure.com --user $CURRENT_USERNAME --enable-cleartext-plugin --password=$(az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken) < create_ad_user.sql
FLUSH PRIVILEGES;
EOF ```
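Review bot: in the mysql command under this "+" line the access token is passed as "--password=$(az account get-access-token ...)" on the command line, so it is visible in the shell history and, while the command runs, to other users of the host via process listings; the article should at least say so, and could suggest exporting the token into MYSQL_PWD or using a mysql_config_editor login path instead. The "--enable-cleartext-plugin" option is there because the token has to reach the server unhashed (the how-to-azure-ad article further down spells this out), so a one-line reminder that this is only acceptable over an encrypted connection would help readers who copy the command elsewhere.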
-Then, use the following command to run the SQL script to create the Azure AD non-admin user:
+Then, use the following command to run the SQL script to create the Microsoft Entra non-admin user:
```bash mysql -h $AZ_DATABASE_NAME.mysql.database.azure.com --user $AZ_MYSQL_ADMIN_USERNAME --enable-cleartext-plugin --password=$AZ_MYSQL_ADMIN_PASSWORD < create_user.sql
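Review bot: the wording in this "+" line, "run the SQL script to create the Microsoft Entra non-admin user", does not match the command beneath it, which authenticates with $AZ_MYSQL_ADMIN_USERNAME and $AZ_MYSQL_ADMIN_PASSWORD and runs create_user.sql rather than the create_ad_user.sql used in the previous hunk; this appears to be the MySQL-authentication (Password) variant, so the sentence should probably read "create the non-admin user" without "Microsoft Entra".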
mysql How To Azure Ad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/how-to-azure-ad.md
Title: Set up Azure Active Directory authentication for Azure Database for MySQL - Flexible Server
-description: Learn how to set up Azure Active Directory authentication for Azure Database for MySQL - Flexible Server
+ Title: Set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server
+description: Learn how to set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server
-# Set up Azure Active Directory authentication for Azure Database for MySQL - Flexible Server
+# Set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server
[!INCLUDE[applies-to-mysql-flexible-server](../includes/applies-to-mysql-flexible-server.md)]
-This tutorial shows you how to set up Azure Active Directory authentication for Azure Database for MySQL - Flexible Server.
+This tutorial shows you how to set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server.
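Review bot: the added "+ Title:" line carries a leading space before the key, unlike the "description:" line that follows it; if this is the article's YAML front matter, that indentation changes the document structure and will fail the build, so drop the space so the key starts in column one.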
In this tutorial, you learn how to: -- Configure the Azure AD Admin-- Connect to Azure Database for MySQL - Flexible Server using Azure AD
+- Configure the Microsoft Entra Admin
+- Connect to Azure Database for MySQL - Flexible Server using Microsoft Entra ID
## Prerequisites
In this tutorial, you learn how to:
- Install or upgrade Azure CLI to the latest version. See [Install Azure CLI](/cli/azure/install-azure-cli).
-## Configure the Azure AD Admin
+<a name='configure-the-azure-ad-admin'></a>
-To create an Azure AD Admin user, follow the following steps.
+## Configure the Microsoft Entra Admin
-- In the Azure portal, select the instance of Azure Database for MySQL - Flexible Server that you want to enable for Azure AD.
+To create a Microsoft Entra Admin user, follow the following steps.
+
+- In the Azure portal, select the instance of Azure Database for MySQL - Flexible Server that you want to enable for Microsoft Entra ID.
- Under the Security pane, select **Authentication**: - There are three types of authentication available: - **MySQL authentication only** ΓÇô By default, MySQL uses the built-in mysql_native_password authentication plugin, which performs authentication using the native password hashing method
- - **Azure Active Directory authentication only** ΓÇô Only allows authentication with an Azure AD account. Disables mysql_native_password authentication and turns _ON_ the server parameter aad_auth_only
+ - **Microsoft Entra authentication only** ΓÇô Only allows authentication with a Microsoft Entra account. Disables mysql_native_password authentication and turns _ON_ the server parameter aad_auth_only
- - **MySQL and Azure Active Directory authentication** ΓÇô Allows authentication using a native MySQL password or an Azure AD account. Turns _OFF_ the server parameter aad_auth_only
+ - **MySQL and Microsoft Entra authentication** ΓÇô Allows authentication using a native MySQL password or a Microsoft Entra account. Turns _OFF_ the server parameter aad_auth_only
- **Select Identity** ΓÇô Select/Add User assigned managed identity. The following permissions are required to allow the UMI to read from Microsoft Graph as the server identity. Alternatively, give the UMI the [Directory Readers](../../active-directory/roles/permissions-reference.md#directory-readers) role.
- - [User.Read.All](/graph/permissions-reference#user-permissions): Allows access to Azure AD user information.
- - [GroupMember.Read.All](/graph/permissions-reference#group-permissions): Allows access to Azure AD group information.
- - [Application.Read.ALL](/graph/permissions-reference#application-resource-permissions): Allows access to Azure AD service principal (application) information.
+ - [User.Read.All](/graph/permissions-reference#user-permissions): Allows access to Microsoft Entra user information.
+ - [GroupMember.Read.All](/graph/permissions-reference#group-permissions): Allows access to Microsoft Entra group information.
+ - [Application.Read.ALL](/graph/permissions-reference#application-resource-permissions): Allows access to Microsoft Entra service principal (application) information.
> [!IMPORTANT] > Only a [Global Administrator](../../active-directory/roles/permissions-reference.md#global-administrator) or [Privileged Role Administrator](../../active-directory/roles/permissions-reference.md#privileged-role-administrator) can grant these permissions. -- Select a valid Azure AD user or an Azure AD group in the customer tenant to be **Azure AD administrator**. Once Azure AD authentication support has been enabled, Azure AD Admins can be added as security principals with permission to add Azure AD Users to the MySQL server.
+- Select a valid Microsoft Entra user or a Microsoft Entra group in the customer tenant to be **Microsoft Entra administrator**. Once Microsoft Entra authentication support has been enabled, Microsoft Entra Admins can be added as security principals with permission to add Microsoft Entra users to the MySQL server.
> [!NOTE]
- > Only one Azure AD admin can be created per MySQL server, and selecting another overwrites the existing Azure AD admin configured for the server.
+ > Only one Microsoft Entra admin can be created per MySQL server, and selecting another overwrites the existing Microsoft Entra admin configured for the server.
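Review bot: the added lines for "Microsoft Entra authentication only" and "MySQL and Microsoft Entra authentication" carry the mojibake "ΓÇô" where an en dash or plain hyphen belongs; since these lines are being rewritten anyway, replace the bad bytes with "-" so the encoding problem is not re-committed. In the same hunk, the renamed permission line still spells "Application.Read.ALL"; the Microsoft Graph permission is "Application.Read.All", consistent with "User.Read.All" and "GroupMember.Read.All" two lines up. Finally, "follow the following steps" reads awkwardly; "follow these steps" is enough.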
### Grant permissions to User assigned managed identity
In the final steps of the script, if you have more UMIs with similar names, you
### Check permissions for user-assigned managed identity
-To check permissions for a UMI, go to the [Azure portal](https://portal.azure.com). In the **Azure Active Directory** resource, go to **Enterprise applications**. Select **All Applications** for **Application type**, and search for the UMI that was created.
+To check permissions for a UMI, go to the [Azure portal](https://portal.azure.com). In the **Microsoft Entra ID** resource, go to **Enterprise applications**. Select **All Applications** for **Application type**, and search for the UMI that was created.
Select the UMI, and go to the **Permissions** settings under **Security**. After you grant the permissions to the UMI, they're enabled for all servers created with the UMI assigned as a server identity.
-## Connect to Azure Database for MySQL - Flexible Server using Azure AD
+<a name='connect-to-azure-database-for-mysqlflexible-server-using-azure-ad'></a>
+
+## Connect to Azure Database for MySQL - Flexible Server using Microsoft Entra ID
-### 1 - Authenticate with Azure AD
+<a name='1authenticate-with-azure-ad'></a>
-Start by authenticating with Azure AD using the Azure CLI tool.
+### 1 - Authenticate with Microsoft Entra ID
+
+Start by authenticating with Microsoft Entra ID using the Azure CLI tool.
_(This step isn't required in Azure Cloud Shell.)_ - Sign in to Azure account using [az login](/cli/azure/reference-index#az-login) command. Note the ID property, which refers to the Subscription ID for your Azure account:
_(This step isn't required in Azure Cloud Shell.)_
az login ```
-The command launches a browser window to the Azure AD authentication page. It requires you to give your Azure AD user ID and password.
+The command launches a browser window to the Microsoft Entra authentication page. It requires you to give your Microsoft Entra user ID and password.
- If you have multiple subscriptions, choose the appropriate subscription using the az account set command:
The command launches a browser window to the Azure AD authentication page. It re
az account set --subscription \<subscription id\> ```
-### 2 - Retrieve Azure AD access token
+<a name='2retrieve-azure-ad-access-token'></a>
+
+### 2 - Retrieve Microsoft Entra access token
-Invoke the Azure CLI tool to acquire an access token for the Azure AD authenticated user from step 1 to access Azure Database for MySQL - Flexible Server.
+Invoke the Azure CLI tool to acquire an access token for the Microsoft Entra authenticated user from step 1 to access Azure Database for MySQL - Flexible Server.
- Example (for Public Cloud):
Invoke the Azure CLI tool to acquire an access token for the Azure AD authentica
$accessToken.Token | out-file C:\temp\MySQLAccessToken.txt ```
-After authentication is successful, Azure AD returns an access token:
+After authentication is successful, Microsoft Entra ID returns an access token:
```json {
mysql -h mydb.mysql.database.azure.com \
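Review bot: the "+" line says Microsoft Entra ID "returns an access token" but never says what the token is, while the PowerShell example just above writes it to C:\temp\MySQLAccessToken.txt with out-file. That token is a bearer credential that grants the same database access as the signed-in user for as long as it is valid, so the article should tell readers to keep the file readable only by themselves and to delete it once the Workbench connection is saved, rather than leaving it in a world-readable temp directory.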
- Launch MySQL Workbench and Select the Database option, then select **Connect to database**. - In the hostname field, enter the MySQL FQDN for example, mysql.database.azure.com.-- In the username field, enter the MySQL Azure Active Directory administrator name. For example, user@tenant.onmicrosoft.com.
+- In the username field, enter the MySQL Microsoft Entra administrator name. For example, user@tenant.onmicrosoft.com.
- In the password field, select **Store in Vault** and paste in the access token from the file for example, C:\temp\MySQLAccessToken.txt. - Select the advanced tab and ensure that you check **Enable Cleartext Authentication Plugin**. - Select OK to connect to the database. ## Important considerations when connecting -- `user@tenant.onmicrosoft.com` is the name of the Azure AD user or group you're trying to connect as-- Make sure to use the exact way the Azure AD user or group name is spelled-- Azure AD user and group names are case sensitive
+- `user@tenant.onmicrosoft.com` is the name of the Microsoft Entra user or group you're trying to connect as
+- Make sure to use the exact way the Microsoft Entra user or group name is spelled
+- Microsoft Entra user and group names are case sensitive
- When connecting as a group, use only the group name (for example, `GroupName`) - If the name contains spaces, use `\` before each space to escape it > [!NOTE] > The ΓÇ£enable-cleartext-pluginΓÇ¥ setting ΓÇô you need to use a similar configuration with other clients to make sure the token gets sent to the server without being hashed.
-You're now authenticated to your MySQL flexible server using Azure AD authentication.
+You're now authenticated to your MySQL flexible server using Microsoft Entra authentication.
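Review bot: the NOTE at the end of the considerations list ("The ΓÇ£enable-cleartext-pluginΓÇ¥ setting ΓÇô ...") is mojibake for curly quotes and an en dash; fix the encoding while this region is edited. Its explanation, that the setting makes the client send the token "without being hashed", is also the reason this is only safe on an encrypted connection: the cleartext plugin sends the token as-is, so a sentence stating that the connection must use TLS belongs next to the Workbench step "Enable Cleartext Authentication Plugin".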
-## Other Azure AD admin commands
+<a name='other-azure-ad-admin-commands'></a>
+
+## Other Microsoft Entra admin commands
- Manage server Active Directory administrator
You're now authenticated to your MySQL flexible server using Azure AD authentica
az mysql flexible-server ad-admin wait -g testgroup -s testsvr ΓÇôdeleted ```
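Review bot: the command "az mysql flexible-server ad-admin wait -g testgroup -s testsvr ΓÇôdeleted" has its option prefix corrupted: "ΓÇô" is a mis-encoded en dash, so a reader copying the line passes a Unicode dash that the CLI rejects; it should be "--deleted". The list item above, "Manage server Active Directory administrator", also keeps the old name that the heading on the "+" line renames.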
-## Create Azure AD users in Azure Database for MySQL
+<a name='create-azure-ad-users-in-azure-database-for-mysql'></a>
+
+## Create Microsoft Entra users in Azure Database for MySQL
-To add an Azure AD user to your Azure Database for MySQL database, perform the following steps after connecting:
+To add a Microsoft Entra user to your Azure Database for MySQL database, perform the following steps after connecting:
-1. First ensure that the Azure AD user `<user>@yourtenant.onmicrosoft.com` is a valid user in Azure AD tenant.
-1. Sign in to your Azure Database for MySQL instance as the Azure AD Admin user.
+1. First ensure that the Microsoft Entra user `<user>@yourtenant.onmicrosoft.com` is a valid user in Microsoft Entra tenant.
+1. Sign in to your Azure Database for MySQL instance as the Microsoft Entra Admin user.
1. Create user `<user>@yourtenant.onmicrosoft.com` in Azure Database for MySQL. _Example:_
CREATE AADUSER 'userWithLongName@yourtenant.onmicrosoft.com' as 'userDefinedShor
``` > [!NOTE] > 1. MySQL ignores leading and trailing spaces, so the user name should not have any leading or trailing spaces.
-> 2. Authenticating a user through Azure AD does not give the user any permissions to access objects within the Azure Database for MySQL database. You must grant the user the required permissions manually.
+> 2. Authenticating a user through Microsoft Entra ID does not give the user any permissions to access objects within the Azure Database for MySQL database. You must grant the user the required permissions manually.
+
+<a name='create-azure-ad-groups-in-azure-database-for-mysql'></a>
-## Create Azure AD groups in Azure Database for MySQL
+## Create Microsoft Entra groups in Azure Database for MySQL
-To enable an Azure AD group for access to your database, use the exact mechanism as for users, but instead specify the group name:
+To enable a Microsoft Entra group for access to your database, use the exact mechanism as for users, but instead specify the group name:
_Example:_
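Review bot: the added step "is a valid user in Microsoft Entra tenant" drops the article; write "in the Microsoft Entra tenant". The SQL keyword in the example, CREATE AADUSER, is server syntax and must not be renamed along with the prose, so it is correct that this hunk leaves it untouched; a short remark saying so would stop a later search-and-replace pass from breaking the statement. The second NOTE item, that authenticating through Microsoft Entra ID grants no object permissions and that GRANTs must be issued explicitly, is the least-privilege point of this section and should stay directly above the example.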
Most drivers are supported; however, make sure to use the settings for sending t
## Next steps -- Review the concepts for [Azure Active Directory authentication with Azure Database for MySQL - Flexible Server](concepts-azure-ad-authentication.md)
+- Review the concepts for [Microsoft Entra authentication with Azure Database for MySQL - Flexible Server](concepts-azure-ad-authentication.md)
mysql How To Networking Private Link Azure Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/how-to-networking-private-link-azure-cli.md
az network private-endpoint-connection delete --id {PrivateEndpointConnectionID}
- Learn how to [configure private link for Azure Database for MySQL flexible server from the [Azure portal](how-to-networking-private-link-portal.md). - Learn how to [manage connectivity](concepts-networking.md) to your Azure Database for MySQL flexible Server. - Learn how to [add another layer of encryption to your Azure Database for MySQL flexible server using [Customer Managed Keys](concepts-customer-managed-key.md).-- Learn how to configure and use [Azure AD authentication](concepts-azure-ad-authentication.md) on your Azure Database for MySQL flexible server.--
+- Learn how to configure and use [Microsoft Entra authentication](concepts-azure-ad-authentication.md) on your Azure Database for MySQL flexible server.
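Review bot: the context bullets above this "+" line have unbalanced link markup: "[configure private link for Azure Database for MySQL flexible server from the [Azure portal](how-to-networking-private-link-portal.md)" and "[add another layer of encryption ... using [Customer Managed Keys](concepts-customer-managed-key.md)" each open an outer "[" that is never closed, so the rendered page shows a stray bracket; move the closing "]" and the target onto the outer text, for example "[configure private link for Azure Database for MySQL flexible server from the Azure portal](how-to-networking-private-link-portal.md)". The same lists, with the same problem, appear in the deny-public-access and portal articles further down, and "flexible Server" should be "flexible server" in all three.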
mysql How To Networking Private Link Deny Public Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/how-to-networking-private-link-deny-public-access.md
This article describes how you can configure an Azure Database for MySQL flexibl
- Learn how to [configure private link for Azure Database for MySQL flexible server from the [Azure portal](how-to-networking-private-link-portal.md). - Learn how to [manage connectivity](concepts-networking.md) to your Azure Database for MySQL flexible Server. - Learn how to [add another layer of encryption to your Azure Database for MySQL flexible server using [Customer Managed Keys](concepts-customer-managed-key.md).-- Learn how to configure and use [Azure AD authentication](concepts-azure-ad-authentication.md) on your Azure Database for MySQL flexible server.-
+- Learn how to configure and use [Microsoft Entra authentication](concepts-azure-ad-authentication.md) on your Azure Database for MySQL flexible server.
mysql How To Networking Private Link Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/how-to-networking-private-link-portal.md
In this section, you learn how to add a private endpoint to the MySQL flexible s
- Learn how to configure private link for Azure Database for MySQL flexible server from [Azure CLI](how-to-networking-private-link-azure-cli.md). - Learn how to [manage connectivity](concepts-networking.md) to your Azure Database for MySQL flexible Server. - Learn how to [add another layer of encryption to your Azure Database for MySQL flexible server using [Customer Managed Keys](concepts-customer-managed-key.md).-- Learn how to configure and use [Azure AD authentication](concepts-azure-ad-authentication.md) on your Azure Database for MySQL flexible server.
+- Learn how to configure and use [Microsoft Entra authentication](concepts-azure-ad-authentication.md) on your Azure Database for MySQL flexible server.
mysql Tutorial Add Mysql Connection In Key Vault https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/tutorial-add-mysql-connection-in-key-vault.md
namespace KeyVaultDemo
``` ### [Java](#tab/java)
-In this Java code, we use the [Azure SDK for Java](https://github.com/Azure/azure-sdk-for-java) to interact with Azure Key Vault. We first define the Key Vault URL and the name of the secret (connection string) we want to retrieve. Then, we create a SecretClient object using the SecretClientBuilder class. We set the Key Vault URL and provide the DefaultAzureCredential to authenticate with Azure AD. The DefaultAzureCredential automatically authenticates using the available credentials, such as environment variables, managed identities, or Visual Studio Code authentication.
+In this Java code, we use the [Azure SDK for Java](https://github.com/Azure/azure-sdk-for-java) to interact with Azure Key Vault. We first define the Key Vault URL and the name of the secret (connection string) we want to retrieve. Then, we create a SecretClient object using the SecretClientBuilder class. We set the Key Vault URL and provide the DefaultAzureCredential to authenticate with Microsoft Entra ID. The DefaultAzureCredential automatically authenticates using the available credentials, such as environment variables, managed identities, or Visual Studio Code authentication.
Next, we use the _getSecret_ method on the **SecretClient** to retrieve the secret. The method returns a **KeyVaultSecret** object, from which we can obtain the secret value using the _getValue_ method. Finally, we print the retrieved connection string to the console. Make sure to replace the _keyVaultUrl_ and _secretName_ variables with your own Key Vault URL and secret name. Next, we create a new **SecretClient** object and pass in the Key Vault URI and the credential object. We can then call the GetSecretAsync method on the client object, passing in the name of the secret we want to retrieve.
public class KeyVaultDemo {
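Review bot: the Java tab's second paragraph ends with a sentence that belongs to the .NET tab: "Next, we create a new SecretClient object and pass in the Key Vault URI and the credential object. We can then call the GetSecretAsync method on the client object" describes the C# client (GetSecretAsync), not the Java getSecret call explained immediately before it, and repeats the SecretClient construction already covered in the "+" paragraph; drop it from this tab.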
``` ### [PHP](#tab/php)
-In this PHP code, we first require the necessary autoload file and import the required classes from the [Azure SDK for PHP](https://github.com/Azure/azure-sdk-for-php). We define the _$keyVaultUrl_ variable with the URL of your Azure Key Vault and _$secretName_ variable with the name of the secret (connection string) you want to retrieve. Next, we create a **DefaultAzureCredential** object to authenticate with Azure AD, which automatically picks up the available credentials from your environment.
+In this PHP code, we first require the necessary autoload file and import the required classes from the [Azure SDK for PHP](https://github.com/Azure/azure-sdk-for-php). We define the _$keyVaultUrl_ variable with the URL of your Azure Key Vault and _$secretName_ variable with the name of the secret (connection string) you want to retrieve. Next, we create a **DefaultAzureCredential** object to authenticate with Microsoft Entra ID, which automatically picks up the available credentials from your environment.
We then create a **SecretClient** object, passing the Key Vault URL and the credential object to authenticate with the Key Vault. The _getSecret_ method on the **SecretClient** can retrieve the secret by passing the _$secretName_. The method returns a KeyVaultSecret object, from which we can obtain the secret value using the getValue method. Finally, we print the retrieved connection string to the console. Make sure to have the necessary Azure SDK packages installed and the autoload file included properly in your PHP project.
echo 'Connection string retrieved: ' . $connString;
``` ### [Python](#tab/python)
-In this Python code, we first import the necessary modules from the [Azure SDK for Python](https://github.com/Azure/azure-sdk-for-python). We define the _key_vault_url_ variable with the URL of your Azure Key Vault and _secret_name_ variable with the name of the secret (connection string) you want to retrieve. Next, we create a **DefaultAzureCredential** object to authenticate with Azure AD. The **DefaultAzureCredential** automatically authenticates using the available credentials, such as environment variables, managed identities, or Visual Studio Code authentication.
+In this Python code, we first import the necessary modules from the [Azure SDK for Python](https://github.com/Azure/azure-sdk-for-python). We define the _key_vault_url_ variable with the URL of your Azure Key Vault and _secret_name_ variable with the name of the secret (connection string) you want to retrieve. Next, we create a **DefaultAzureCredential** object to authenticate with Microsoft Entra ID. The **DefaultAzureCredential** automatically authenticates using the available credentials, such as environment variables, managed identities, or Visual Studio Code authentication.
Then, we create a **SecretClient** object, passing the Key Vault URL and the credential object to authenticate with the Key Vault. The _get_secret_ method on the **SecretClient** can retrieve the secret by passing the secret_name. The method returns a **KeyVaultSecret** object, from which we can obtain the secret value using the value property. Finally, we print the retrieved connection string to the console. Make sure to replace the _key_vault_url_ and _secret_name_ variables with your own Key Vault URL and secret name.
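Review bot: all three tabs (Java, PHP, Python) end with "we print the retrieved connection string to the console"; the connection string is the very secret Key Vault is protecting, and printing it to stdout puts it into terminal scrollback and any captured build or container logs. The samples would teach the right habit if they used the value to open the connection, or printed only a success message, with a sentence noting that secrets fetched from Key Vault should not be logged.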
mysql Tutorial Deploy Springboot On Aks Vnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/tutorial-deploy-springboot-on-aks-vnet.md
az group delete --name rg-mysqlaksdemo
``` > [!NOTE]
-> When you delete the cluster, the Azure Active Directory service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion](../../aks/kubernetes-service-principal.md#other-considerations). If you used a managed identity, the identity is managed by the platform and does not require removal.
+> When you delete the cluster, the Microsoft Entra service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion](../../aks/kubernetes-service-principal.md#other-considerations). If you used a managed identity, the identity is managed by the platform and does not require removal.
## Next steps
mysql Tutorial Deploy Wordpress On Aks https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/flexible-server/tutorial-deploy-wordpress-on-aks.md
az group delete --name wordpress-project --yes --no-wait
``` > [!NOTE]
-> When you delete the cluster, the Azure Active Directory service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion](../../aks/kubernetes-service-principal.md#other-considerations). If you used a managed identity, the identity is managed by the platform and does not require removal.
+> When you delete the cluster, the Microsoft Entra service principal used by the AKS cluster is not removed. For steps on how to remove the service principal, see [AKS service principal considerations and deletion](../../aks/kubernetes-service-principal.md#other-considerations). If you used a managed identity, the identity is managed by the platform and does not require removal.
## Next steps
mysql 13 Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/migrate/mysql-on-premises-azure-db/13-security.md
Moving to a cloud-based service doesnΓÇÖt mean the entire internet has access to
## Authentication
-Azure Database for MySQL supports the basic authentication mechanisms for MySQL user connectivity, but also supports [integration with Azure Active Directory](../../concepts-azure-ad-authentication.md). This security integration works by issuing tokens that act like passwords during the MySQL login process. [Configuring Active Directory integration](../../howto-configure-sign-in-azure-ad-authentication.md) is incredibly simple to do and supports not only users, but AAD groups as well.
+Azure Database for MySQL supports the basic authentication mechanisms for MySQL user connectivity, but also supports [integration with Microsoft Entra ID](../../concepts-azure-ad-authentication.md). This security integration works by issuing tokens that act like passwords during the MySQL login process. [Configuring Active Directory integration](../../howto-configure-sign-in-azure-ad-authentication.md) is incredibly simple to do and supports not only users, but Microsoft Entra groups as well.
This tight integration allows administrators and applications to take advantage of the enhanced security features of [Azure Identity Protection](../../../active-directory/identity-protection/overview-identity-protection.md) to surface any identity issues.
Review a set of potential [security baseline](/azure/mysql/security-baseline) ta
## Security checklist
- - Use Azure AD authentication where possible.
+ - Use Microsoft Entra authentication where possible.
- Enable Advanced Thread Protection.
Review a set of potential [security baseline](/azure/mysql/security-baseline) ta
## Next steps > [!div class="nextstepaction"]
-> [Summary](./14-summary.md)
+> [Summary](./14-summary.md)
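Review bot: the checklist item "Enable Advanced Thread Protection" in the context above is a typo for "Advanced Threat Protection"; fix it while this file is being touched. In the "+" paragraph under Authentication, the link text "[Configuring Active Directory integration](...)" keeps the old name that the sentence before it renames, and "incredibly simple to do" is promotional; "straightforward" fits the documentation tone.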
mysql Select Right Deployment Type https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/select-right-deployment-type.md
The main differences between these options are listed in the following table:
| Network Connectivity | - Public endpoints with server firewall.<br />- Private access with Private Link support. | - Public endpoints with server firewall.<br />- Private access with Virtual Network integration. | - Public endpoints with server firewall.<br />- Private access with Private Link support. | | SSL/TLS | Enabled by default with support for TLS v1.2, 1.1 and 1.0 | Enabled by default with support for TLS v1.2, 1.1 and 1.0 | Supported with TLS v1.2, 1.1 and 1.0 | | Data Encryption at rest | Supported with customer-managed keys (BYOK) | Supported with service managed keys | Not Supported |
-| Azure AD Authentication | Supported | Supported | Not Supported |
+| Microsoft Entra authentication | Supported | Supported | Not Supported |
| Microsoft Defender for Cloud support | Yes | No | No | | Server Audit | Supported | Supported | User Managed | | [**Patching & Maintenance**](flexible-server/concepts-maintenance.md) | | |
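Review bot: the new row label "Microsoft Entra authentication" uses lowercase "authentication" while the neighbouring row labels in this table are title case ("Network Connectivity", "Data Encryption at rest", "Server Audit"); if the lowercase form is the product naming convention, keep it, otherwise match the table. Separately, the SSL/TLS row still documents TLS 1.1 and 1.0 as supported in all three columns; since those versions are deprecated, a short pointer to configuring the server for TLS 1.2 as the minimum would help readers choosing a deployment type on security grounds.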
mysql Concepts Azure Ad Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/single-server/concepts-azure-ad-authentication.md
Title: Active Directory authentication - Azure Database for MySQL
-description: Learn about the concepts of Azure Active Directory for authentication with Azure Database for MySQL
+description: Learn about the concepts of Microsoft Entra ID for authentication with Azure Database for MySQL
Last updated 06/20/2022
-# Use Azure Active Directory for authenticating with MySQL
+# Use Microsoft Entra ID for authenticating with MySQL
[!INCLUDE[applies-to-mysql-single-server](../includes/applies-to-mysql-single-server.md)] [!INCLUDE[azure-database-for-mysql-single-server-deprecation](../includes/azure-database-for-mysql-single-server-deprecation.md)]
-Microsoft Azure Active Directory (Azure AD) authentication is a mechanism of connecting to Azure Database for MySQL using identities defined in Azure AD.
-With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.
+Microsoft Entra authentication is a mechanism of connecting to Azure Database for MySQL using identities defined in Microsoft Entra ID.
+With Microsoft Entra authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.
-Benefits of using Azure AD include:
+Benefits of using Microsoft Entra ID include:
- Authentication of users across Azure Services in a uniform way - Management of password policies and password rotation in a single place-- Multiple forms of authentication supported by Azure Active Directory, which can eliminate the need to store passwords-- Customers can manage database permissions using external (Azure AD) groups.-- Azure AD authentication uses MySQL database users to authenticate identities at the database level
+- Multiple forms of authentication supported by Microsoft Entra ID, which can eliminate the need to store passwords
+- Customers can manage database permissions using external (Microsoft Entra ID) groups.
+- Microsoft Entra authentication uses MySQL database users to authenticate identities at the database level
- Support of token-based authentication for applications connecting to Azure Database for MySQL
-To configure and use Azure Active Directory authentication, use the following process:
+To configure and use Microsoft Entra authentication, use the following process:
-1. Create and populate Azure Active Directory with user identities as needed.
+1. Create and populate Microsoft Entra ID with user identities as needed.
2. Optionally associate or change the Active Directory currently associated with your Azure subscription.
-3. Create an Azure AD administrator for the Azure Database for MySQL server.
-4. Create database users in your database mapped to Azure AD identities.
-5. Connect to your database by retrieving a token for an Azure AD identity and logging in.
+3. Create a Microsoft Entra administrator for the Azure Database for MySQL server.
+4. Create database users in your database mapped to Microsoft Entra identities.
+5. Connect to your database by retrieving a token for a Microsoft Entra identity and logging in.
> [!NOTE]
-> To learn how to create and populate Azure AD, and then configure Azure AD with Azure Database for MySQL, see [Configure and sign in with Azure AD for Azure Database for MySQL](how-to-configure-sign-in-azure-ad-authentication.md).
+> To learn how to create and populate Microsoft Entra ID, and then configure Microsoft Entra ID with Azure Database for MySQL, see [Configure and sign in with Microsoft Entra ID for Azure Database for MySQL](how-to-configure-sign-in-azure-ad-authentication.md).
## Architecture
-The following high-level diagram summarizes how authentication works using Azure AD authentication with Azure Database for MySQL. The arrows indicate communication pathways.
+The following high-level diagram summarizes how authentication works using Microsoft Entra authentication with Azure Database for MySQL. The arrows indicate communication pathways.
![authentication flow][1] ## Administrator structure
-When using Azure AD authentication, there are two Administrator accounts for the MySQL server; the original MySQL administrator and the Azure AD administrator. Only the administrator based on an Azure AD account can create the first Azure AD contained database user in a user database. The Azure AD administrator login can be an Azure AD user or an Azure AD group. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the MySQL server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in the MySQL server. Only one Azure AD administrator (a user or group) can be configured at any time.
+When using Microsoft Entra authentication, there are two Administrator accounts for the MySQL server; the original MySQL administrator and the Microsoft Entra administrator. Only the administrator based on a Microsoft Entra account can create the first Microsoft Entra ID contained database user in a user database. The Microsoft Entra administrator login can be a Microsoft Entra user or a Microsoft Entra group. When the administrator is a group account, it can be used by any group member, enabling multiple Microsoft Entra administrators for the MySQL server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Microsoft Entra ID without changing the users or permissions in the MySQL server. Only one Microsoft Entra administrator (a user or group) can be configured at any time.
![admin structure][2] ## Permissions
-To create new users that can authenticate with Azure AD, you must be the designated Azure AD administrator. This user is assigned by configuring the Azure AD Administrator account for a specific Azure Database for MySQL server.
+To create new users that can authenticate with Microsoft Entra ID, you must be the designated Microsoft Entra administrator. This user is assigned by configuring the Microsoft Entra Administrator account for a specific Azure Database for MySQL server.
-To create a new Azure AD database user, you must connect as the Azure AD administrator. This is demonstrated in [Configure and Login with Azure AD for Azure Database for MySQL](how-to-configure-sign-in-azure-ad-authentication.md).
+To create a new Microsoft Entra database user, you must connect as the Microsoft Entra administrator. This is demonstrated in [Configure and Login with Microsoft Entra ID for Azure Database for MySQL](how-to-configure-sign-in-azure-ad-authentication.md).
-Any Azure AD authentication is only possible if the Azure AD admin was created for Azure Database for MySQL. If the Azure Active Directory admin was removed from the server, existing Azure Active Directory users created previously can no longer connect to the database using their Azure Active Directory credentials.
+Any Microsoft Entra authentication is only possible if the Microsoft Entra admin was created for Azure Database for MySQL. If the Microsoft Entra admin was removed from the server, existing Microsoft Entra users created previously can no longer connect to the database using their Microsoft Entra credentials.
-## Connecting using Azure AD identities
+<a name='connecting-using-azure-ad-identities'></a>
-Azure Active Directory authentication supports the following methods of connecting to a database using Azure AD identities:
+## Connecting using Microsoft Entra identities
-- Azure Active Directory Password-- Azure Active Directory Integrated-- Azure Active Directory Universal with MFA
+Microsoft Entra authentication supports the following methods of connecting to a database using Microsoft Entra identities:
+
+- Microsoft Entra Password
+- Microsoft Entra integrated
+- Microsoft Entra Universal with MFA
- Using Active Directory Application certificates or client secrets - [Managed Identity](how-to-connect-with-managed-identity.md) Once you have authenticated against the Active Directory, you then retrieve a token. This token is your password for logging in.
-Please note that management operations, such as adding new users, are only supported for Azure AD user roles at this point.
+Please note that management operations, such as adding new users, are only supported for Microsoft Entra user roles at this point.
> [!NOTE]
-> For more details on how to connect with an Active Directory token, see [Configure and sign in with Azure AD for Azure Database for MySQL](how-to-configure-sign-in-azure-ad-authentication.md).
+> For more details on how to connect with an Active Directory token, see [Configure and sign in with Microsoft Entra ID for Azure Database for MySQL](how-to-configure-sign-in-azure-ad-authentication.md).
## Additional considerations -- Azure Active Directory authentication is only available for MySQL 5.7 and newer.-- Only one Azure AD administrator can be configured for a Azure Database for MySQL server at any time.-- Only an Azure AD administrator for MySQL can initially connect to the Azure Database for MySQL using an Azure Active Directory account. The Active Directory administrator can configure subsequent Azure AD database users.-- If a user is deleted from Azure AD, that user will no longer be able to authenticate with Azure AD, and therefore it will no longer be possible to acquire an access token for that user. In this case, although the matching user will still be in the database, it will not be possible to connect to the server with that user.
+- Microsoft Entra authentication is only available for MySQL 5.7 and newer.
+- Only one Microsoft Entra administrator can be configured for a Azure Database for MySQL server at any time.
+- Only a Microsoft Entra administrator for MySQL can initially connect to the Azure Database for MySQL using a Microsoft Entra account. The Active Directory administrator can configure subsequent Microsoft Entra database users.
+- If a user is deleted from Microsoft Entra ID, that user will no longer be able to authenticate with Microsoft Entra ID, and therefore it will no longer be possible to acquire an access token for that user. In this case, although the matching user will still be in the database, it will not be possible to connect to the server with that user.
> [!NOTE]
-> Login with the deleted Azure AD user can still be done till the token expires (up to 60 minutes from token issuing). If you also remove the user from Azure Database for MySQL this access will be revoked immediately.
-- If the Azure AD admin is removed from the server, the server will no longer be associated with an Azure AD tenant, and therefore all Azure AD logins will be disabled for the server. Adding a new Azure AD admin from the same tenant will re-enable Azure AD logins.-- Azure Database for MySQL matches access tokens to the Azure Database for MySQL user using the userΓÇÖs unique Azure AD user ID, as opposed to using the username. This means that if an Azure AD user is deleted in Azure AD and a new user created with the same name, Azure Database for MySQL considers that a different user. Therefore, if a user is deleted from Azure AD and then a new user with the same name added, the new user will not be able to connect with the existing user.
+> Login with the deleted Microsoft Entra user can still be done till the token expires (up to 60 minutes from token issuing). If you also remove the user from Azure Database for MySQL this access will be revoked immediately.
+- If the Microsoft Entra admin is removed from the server, the server will no longer be associated with a Microsoft Entra tenant, and therefore all Microsoft Entra logins will be disabled for the server. Adding a new Microsoft Entra admin from the same tenant will re-enable Microsoft Entra logins.
+- Azure Database for MySQL matches access tokens to the Azure Database for MySQL user using the userΓÇÖs unique Microsoft Entra user ID, as opposed to using the username. This means that if a Microsoft Entra user is deleted in Microsoft Entra ID and a new user created with the same name, Azure Database for MySQL considers that a different user. Therefore, if a user is deleted from Microsoft Entra ID and then a new user with the same name added, the new user will not be able to connect with the existing user.
> [!NOTE]
-> The subscriptions of an Azure MySQL with Azure AD authentication enabled cannot be transferred to another tenant or directory.
+> The subscriptions of an Azure MySQL with Microsoft Entra authentication enabled cannot be transferred to another tenant or directory.
## Next steps -- To learn how to create and populate Azure AD, and then configure Azure AD with Azure Database for MySQL, see [Configure and sign in with Azure AD for Azure Database for MySQL](how-to-configure-sign-in-azure-ad-authentication.md).
+- To learn how to create and populate Microsoft Entra ID, and then configure Microsoft Entra ID with Azure Database for MySQL, see [Configure and sign in with Microsoft Entra ID for Azure Database for MySQL](how-to-configure-sign-in-azure-ad-authentication.md).
- For an overview of logins, and database users for Azure Database for MySQL, see [Create users in Azure Database for MySQL](how-to-create-users.md). <!--Image references-->
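Review bot: the front matter line "Title: Active Directory authentication - Azure Database for MySQL" is left unchanged while the description directly below it is renamed, so the page title and description now disagree; rename the title too. Other occurrences of the old name survive in context lines of the same file: step 2 ("associate or change the Active Directory currently associated with your Azure subscription"), the connection-methods line ("Using Active Directory Application certificates", "authenticated against the Active Directory"), the note ("connect with an Active Directory token") and the additional considerations ("The Active Directory administrator can configure subsequent Microsoft Entra database users"). Wording in the added lines: "can create the first Microsoft Entra ID contained database user" should read "Microsoft Entra contained database user" to match the adjectival form used elsewhere; "for a Azure Database for MySQL server" carries over an article error ("an Azure"); the new three-item list "Microsoft Entra Password", "Microsoft Entra integrated", "Microsoft Entra Universal with MFA" mixes capitalization; and "the userΓÇÖs unique Microsoft Entra user ID" contains a mis-encoded apostrophe if that sequence is in the file and not only in this rendering.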
mysql Concepts Data Access And Security Vnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/single-server/concepts-data-access-and-security-vnet.md
You have the option of using [Azure role-based access control (Azure RBAC)][rbac
> [!NOTE] > In some cases the Azure Database for MySQL and the VNet-subnet are in different subscriptions. In these cases you must ensure the following configurations:
-> - Both subscriptions must be in the same Azure Active Directory tenant.
+> - Both subscriptions must be in the same Microsoft Entra tenant.
> - The user has the required permissions to initiate operations, such as enabling service endpoints and adding a VNet-subnet to the given Server. > - Make sure that both the subscription have the **Microsoft.Sql** and **Microsoft.DBforMySQL** resource provider registered. For more information refer [resource-manager-registration][resource-manager-portal]
For articles on creating VNet rules, see:
[expressroute-indexmd-744v]: ../../expressroute/index.yml
-[resource-manager-portal]: ../../azure-resource-manager/management/resource-providers-and-types.md
+[resource-manager-portal]: ../../azure-resource-manager/management/resource-providers-and-types.md
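Review bot: the final `-`/`+` pair for "[resource-manager-portal]: ../../azure-resource-manager/management/resource-providers-and-types.md" is identical as shown, so it is a whitespace or end-of-file newline change; confirm it is intended. The note's context lines also carry two grammar slips worth fixing alongside the rename: "Make sure that both the subscription have the **Microsoft.Sql** and **Microsoft.DBforMySQL** resource provider registered" should be "both subscriptions have ... resource providers registered", and "For more information refer [resource-manager-registration]" needs "refer to".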
mysql Concepts Data Encryption Mysql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/single-server/concepts-data-encryption-mysql.md
When the server is configured to use the customer-managed key stored in the key
The following are requirements for configuring Key Vault:
-* Key Vault and Azure Database for MySQL must belong to the same Azure Active Directory (Azure AD) tenant. Cross-tenant Key Vault and server interactions aren't supported. Moving Key Vault resource afterwards requires you to reconfigure the data encryption.
+* Key Vault and Azure Database for MySQL must belong to the same Microsoft Entra tenant. Cross-tenant Key Vault and server interactions aren't supported. Moving Key Vault resource afterwards requires you to reconfigure the data encryption.
* Enable the [soft-delete](../../key-vault/general/soft-delete-overview.md) feature on the key vault with retention period set to **90 days**, to protect from data loss if an accidental key (or Key Vault) deletion happens. Soft-deleted resources are retained for 90 days by default, unless the retention period is explicitly set to <=90 days. The recover and purge actions have their own permissions associated in a Key Vault access policy. The soft-delete feature is off by default, but you can enable it through PowerShell or the Azure CLI (note that you can't enable it through the Azure portal). * Enable the [Purge Protection](../../key-vault/general/soft-delete-overview.md#purge-protection) feature on the key vault with retention period set to **90 days**. Purge protection can only be enabled once soft-delete is enabled. It can be turned on via Azure CLI or PowerShell. When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed. * Grant the Azure Database for MySQL access to the key vault with the get, wrapKey, and unwrapKey permissions by using its unique managed identity. In the Azure portal, the unique 'Service' identity is automatically created when data encryption is enabled on the MySQL. See [Configure data encryption for MySQL](how-to-data-encryption-portal.md) for detailed, step-by-step instructions when you're using the Azure portal.
It might happen that someone with sufficient access rights to Key Vault accident
* Deleting the key. * Deleting the key vault. * Changing the key vault's firewall rules.
-* Deleting the managed identity of the server in Azure AD.
+* Deleting the managed identity of the server in Microsoft Entra ID.
## Monitor the customer-managed key in Key Vault
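Review bot: the renamed line "Key Vault and Azure Database for MySQL must belong to the same Microsoft Entra tenant" is correct, but the sentence that follows in the same line, "Moving Key Vault resource afterwards requires you to reconfigure the data encryption", is missing its article and reads better as "Moving the Key Vault resource afterwards requires you to reconfigure data encryption". Since this requirement is exactly what the later bullet "Deleting the managed identity of the server in Microsoft Entra ID" depends on, consider cross-referencing the two so readers see that the identity, the tenant and the vault access policy must all stay aligned.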
mysql Connect Java https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/single-server/connect-java.md
This article demonstrates creating a sample application that uses Java and [JDBC
JDBC is the standard Java API to connect to traditional relational databases.
-In this article, we'll include two authentication methods: Azure Active Directory (Azure AD) authentication and MySQL authentication. The **Passwordless** tab shows the Azure AD authentication and the **Password** tab shows the MySQL authentication.
+In this article, we'll include two authentication methods: Microsoft Entra authentication and MySQL authentication. The **Passwordless** tab shows the Microsoft Entra authentication and the **Password** tab shows the MySQL authentication.
-Azure AD authentication is a mechanism for connecting to Azure Database for MySQL using identities defined in Azure AD. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.
+Microsoft Entra authentication is a mechanism for connecting to Azure Database for MySQL using identities defined in Microsoft Entra ID. With Microsoft Entra authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.
MySQL authentication uses accounts stored in MySQL. If you choose to use passwords as credentials for the accounts, these credentials will be stored in the `user` table. Because these passwords are stored in MySQL, you'll need to manage the rotation of the passwords by yourself.
az mysql server create \
--output tsv ```
-Next, run the following command to set the Azure AD admin user:
+Next, run the following command to set the Microsoft Entra admin user:
```azurecli-interactive az mysql server ad-admin create \
az mysql server ad-admin create \
``` > [!IMPORTANT]
-> When setting the administrator, a new user is added to the Azure Database for MySQL server with full administrator permissions. You can only create one Azure AD admin per MySQL server. Selection of another user will overwrite the existing Azure AD admin configured for the server.
+> When setting the administrator, a new user is added to the Azure Database for MySQL server with full administrator permissions. You can only create one Microsoft Entra admin per MySQL server. Selection of another user will overwrite the existing Microsoft Entra admin configured for the server.
This command creates a small MySQL server and sets the Active Directory admin to the signed-in user.
FLUSH privileges;
EOF ```
-Then, use the following command to run the SQL script to create the Azure AD non-admin user:
+Then, use the following command to run the SQL script to create the Microsoft Entra non-admin user:
```bash mysql -h $AZ_DATABASE_SERVER_NAME.mysql.database.azure.com --user $CURRENT_USERNAME@$AZ_DATABASE_SERVER_NAME --enable-cleartext-plugin --password=$(az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken) < create_ad_user.sql
FLUSH PRIVILEGES;
EOF ```
-Then, use the following command to run the SQL script to create the Azure AD non-admin user:
+Then, use the following command to run the SQL script to create the Microsoft Entra non-admin user:
```bash mysql -h $AZ_DATABASE_SERVER_NAME.mysql.database.azure.com --user $AZ_MYSQL_ADMIN_USERNAME@$AZ_DATABASE_SERVER_NAME --enable-cleartext-plugin --password=$AZ_MYSQL_ADMIN_PASSWORD < create_user.sql
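Review bot: the context line "This command creates a small MySQL server and sets the Active Directory admin to the signed-in user" still uses the old name and sits directly after the renamed `az mysql server ad-admin create` instructions; rename it in this change. In the added line "The **Passwordless** tab shows the Microsoft Entra authentication", drop "the" before "Microsoft Entra authentication" to match the rest of the paragraph. One caveat a reader would benefit from next to the shown command, which passes the token via `--password=$(az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken)`: a credential supplied on the command line is visible to other local users in the process list and is written to shell history, so a short note recommending the interactive password prompt or a protected option file for anything beyond a throwaway test would be in order.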
mysql How To Configure Sign In Azure Ad Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/single-server/how-to-configure-sign-in-azure-ad-authentication.md
Title: Use Azure Active Directory - Azure Database for MySQL
-description: Learn about how to set up Azure Active Directory (Azure AD) for authentication with Azure Database for MySQL
+ Title: Use Microsoft Entra ID - Azure Database for MySQL
+description: Learn about how to set up Microsoft Entra ID for authentication with Azure Database for MySQL
Last updated 06/20/2022
-# Use Azure Active Directory for authentication with MySQL
+# Use Microsoft Entra ID for authentication with MySQL
[!INCLUDE[applies-to-mysql-single-server](../includes/applies-to-mysql-single-server.md)] [!INCLUDE[azure-database-for-mysql-single-server-deprecation](../includes/azure-database-for-mysql-single-server-deprecation.md)]
-This article will walk you through the steps how to configure Azure Active Directory access with Azure Database for MySQL, and how to connect using an Azure AD token.
+This article will walk you through the steps how to configure Microsoft Entra ID access with Azure Database for MySQL, and how to connect using a Microsoft Entra token.
> [!IMPORTANT]
-> Azure Active Directory authentication is only available for MySQL 5.7 and newer.
+> Microsoft Entra authentication is only available for MySQL 5.7 and newer.
-## Setting the Azure AD Admin user
+<a name='setting-the-azure-ad-admin-user'></a>
-Only an Azure AD Admin user can create/enable users for Azure AD-based authentication. To create an Azure AD Admin user, please follow the following steps
+## Setting the Microsoft Entra Admin user
-1. In the Azure portal, select the instance of Azure Database for MySQL that you want to enable for Azure AD.
+Only a Microsoft Entra Admin user can create/enable users for Microsoft Entra ID-based authentication. To create a Microsoft Entra Admin user, please follow the following steps
+
+1. In the Azure portal, select the instance of Azure Database for MySQL that you want to enable for Microsoft Entra ID.
2. Under Settings, select Active Directory Admin:
-![set azure ad administrator][2]
+![set Microsoft Entra administrator][2]
-3. Select a valid Azure AD user in the customer tenant to be Azure AD administrator.
+3. Select a valid Microsoft Entra user in the customer tenant to be Microsoft Entra administrator.
> [!IMPORTANT] > When setting the administrator, a new user is added to the Azure Database for MySQL server with full administrator permissions.
-Only one Azure AD admin can be created per MySQL server and selection of another one will overwrite the existing Azure AD admin configured for the server.
+Only one Microsoft Entra admin can be created per MySQL server and selection of another one will overwrite the existing Microsoft Entra admin configured for the server.
After configuring the administrator, you can now sign in:
-## Connecting to Azure Database for MySQL using Azure AD
+<a name='connecting-to-azure-database-for-mysql-using-azure-ad'></a>
+
+## Connecting to Azure Database for MySQL using Microsoft Entra ID
-The following high-level diagram summarizes the workflow of using Azure AD authentication with Azure Database for MySQL:
+The following high-level diagram summarizes the workflow of using Microsoft Entra authentication with Azure Database for MySQL:
![authentication flow][1]
-WeΓÇÖve designed the Azure AD integration to work with common MySQL tools like the mysql CLI, which are not Azure AD aware and only support specifying username and password when connecting to MySQL. We pass the Azure AD token as the password as shown in the picture above.
+WeΓÇÖve designed the Microsoft Entra integration to work with common MySQL tools like the mysql CLI, which are not Microsoft Entra aware and only support specifying username and password when connecting to MySQL. We pass the Microsoft Entra token as the password as shown in the picture above.
We currently have tested the following clients:
We currently have tested the following clients:
We have also tested most common application drivers, you can see details at the end of this page.
-These are the steps that a user/application will need to do authenticate with Azure AD described below:
+These are the steps that a user/application will need to do authenticate with Microsoft Entra ID described below:
### Prerequisites You can follow along in Azure Cloud Shell, an Azure VM, or on your local machine. Make sure you have the [Azure CLI installed](/cli/azure/install-azure-cli).
-### Step 1: Authenticate with Azure AD
+<a name='step-1-authenticate-with-azure-ad'></a>
+
+### Step 1: Authenticate with Microsoft Entra ID
-Start by authenticating with Azure AD using the Azure CLI tool. This step is not required in Azure Cloud Shell.
+Start by authenticating with Microsoft Entra ID using the Azure CLI tool. This step is not required in Azure Cloud Shell.
``` az login ```
-The command will launch a browser window to the Azure AD authentication page. It requires you to give your Azure AD user ID and the password.
+The command will launch a browser window to the Microsoft Entra authentication page. It requires you to give your Microsoft Entra user ID and the password.
-### Step 2: Retrieve Azure AD access token
+<a name='step-2-retrieve-azure-ad-access-token'></a>
-Invoke the Azure CLI tool to acquire an access token for the Azure AD authenticated user from step 1 to access Azure Database for MySQL.
+### Step 2: Retrieve Microsoft Entra access token
+
+Invoke the Azure CLI tool to acquire an access token for the Microsoft Entra authenticated user from step 1 to access Azure Database for MySQL.
Example (for Public Cloud):
$accessToken.Token | out-file C:\temp\MySQLAccessToken.txt
```
-After authentication is successful, Azure AD will return an access token:
+After authentication is successful, Microsoft Entra ID will return an access token:
```json {
mysql -h mydb.mysql.database.azure.com \
#### Using MySQL Workbench * Launch MySQL Workbench and Click the Database option, then click "Connect to database" * In the hostname field, enter the MySQL FQDN eg. mydb.mysql.database.azure.com
-* In the username field, enter the MySQL Azure Active Directory administrator name and append this with MySQL server name, not the FQDN e.g. user@tenant.onmicrosoft.com@mydb
+* In the username field, enter the MySQL Microsoft Entra administrator name and append this with MySQL server name, not the FQDN e.g. user@tenant.onmicrosoft.com@mydb
* In the password field, click "Store in Vault" and paste in the access token from file e.g. C:\temp\MySQLAccessToken.txt * Click the advanced tab and ensure that you check "Enable Cleartext Authentication Plugin" * Click OK to connect to the database #### Important considerations when connecting:
-* `user@tenant.onmicrosoft.com` is the name of the Azure AD user or group you are trying to connect as
-* Always append the server name after the Azure AD user/group name (e.g. `@mydb`)
-* Make sure to use the exact way the Azure AD user or group name is spelled
-* Azure AD user and group names are case sensitive
+* `user@tenant.onmicrosoft.com` is the name of the Microsoft Entra user or group you are trying to connect as
+* Always append the server name after the Microsoft Entra user/group name (e.g. `@mydb`)
+* Make sure to use the exact way the Microsoft Entra user or group name is spelled
+* Microsoft Entra user and group names are case sensitive
* When connecting as a group, use only the group name (e.g. `GroupName@mydb`) * If the name contains spaces, use `\` before each space to escape it Note the ΓÇ£enable-cleartext-pluginΓÇ¥ setting ΓÇô you need to use a similar configuration with other clients to make sure the token gets sent to the server without being hashed.
-You are now authenticated to your MySQL server using Azure AD authentication.
+You are now authenticated to your MySQL server using Microsoft Entra authentication.
+
+<a name='creating-azure-ad-users-in-azure-database-for-mysql'></a>
-## Creating Azure AD users in Azure Database for MySQL
+## Creating Microsoft Entra users in Azure Database for MySQL
-To add an Azure AD user to your Azure Database for MySQL database, perform the following steps after connecting (see later section on how to connect):
+To add a Microsoft Entra user to your Azure Database for MySQL database, perform the following steps after connecting (see later section on how to connect):
-1. First ensure that the Azure AD user `<user>@yourtenant.onmicrosoft.com` is a valid user in Azure AD tenant.
-2. Sign in to your Azure Database for MySQL instance as the Azure AD Admin user.
+1. First ensure that the Microsoft Entra user `<user>@yourtenant.onmicrosoft.com` is a valid user in Microsoft Entra tenant.
+2. Sign in to your Azure Database for MySQL instance as the Microsoft Entra Admin user.
3. Create user `<user>@yourtenant.onmicrosoft.com` in Azure Database for MySQL. **Example:**
CREATE AADUSER 'userWithLongName@yourtenant.onmicrosoft.com' as 'userDefinedShor
``` > [!NOTE] > 1. MySQL ignores leading and trailing spaces so user name should not have any leading or trailing spaces.
-> 2. Authenticating a user through Azure AD does not give the user any permissions to access objects within the Azure Database for MySQL database. You must grant the user the required permissions manually.
+> 2. Authenticating a user through Microsoft Entra ID does not give the user any permissions to access objects within the Azure Database for MySQL database. You must grant the user the required permissions manually.
+
+<a name='creating-azure-ad-groups-in-azure-database-for-mysql'></a>
-## Creating Azure AD groups in Azure Database for MySQL
+## Creating Microsoft Entra groups in Azure Database for MySQL
-To enable an Azure AD group for access to your database, use the same mechanism as for users, but instead specify the group name:
+To enable a Microsoft Entra group for access to your database, use the same mechanism as for users, but instead specify the group name:
**Example:**
When logging in, members of the group will use their personal access tokens, but
## Token Validation
-Azure AD authentication in Azure Database for MySQL ensures that the user exists in the MySQL server, and it checks the validity of the token by validating the contents of the token. The following token validation steps are performed:
+Microsoft Entra authentication in Azure Database for MySQL ensures that the user exists in the MySQL server, and it checks the validity of the token by validating the contents of the token. The following token validation steps are performed:
-- Token is signed by Azure AD and has not been tampered with-- Token was issued by Azure AD for the tenant associated with the server
+- Token is signed by Microsoft Entra ID and has not been tampered with
+- Token was issued by Microsoft Entra ID for the tenant associated with the server
- Token has not expired - Token is for the Azure Database for MySQL resource (and not another Azure resource)
Most drivers are supported, however make sure to use the settings for sending th
## Next steps
-* Review the overall concepts for [Azure Active Directory authentication with Azure Database for MySQL](concepts-azure-ad-authentication.md)
+* Review the overall concepts for [Microsoft Entra authentication with Azure Database for MySQL](concepts-azure-ad-authentication.md)
<!--Image references-->
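Review bot: the renamed step 1 drops the article, "is a valid user in Microsoft Entra tenant"; it should read "in the Microsoft Entra tenant". While touching the note below the `CREATE AADUSER` example, item 2 says the user gets no permissions until they are granted manually, but the page never shows the statement that does it; a short `GRANT` scoped to the specific database and privileges the user needs (rather than `ALL PRIVILEGES ON *.*`) would make the least-privilege point actionable instead of leaving readers to guess.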
mysql How To Connect With Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/single-server/how-to-connect-with-managed-identity.md
Last updated 05/03/2023
[!INCLUDE[azure-database-for-mysql-single-server-deprecation](../includes/azure-database-for-mysql-single-server-deprecation.md)]
-This article shows you how to use a user-assigned identity for an Azure Virtual Machine (VM) to access an Azure Database for MySQL server. Managed Service Identities are automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication, without needing to insert credentials into your code.
+This article shows you how to use a user-assigned identity for an Azure Virtual Machine (VM) to access an Azure Database for MySQL server. Managed Service Identities are automatically managed by Azure and enable you to authenticate to services that support Microsoft Entra authentication, without needing to insert credentials into your code.
You learn how to:
You learn how to:
- If you're not familiar with the managed identities for Azure resources feature, see this [overview](../../../articles/active-directory/managed-identities-azure-resources/overview.md). If you don't have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before you continue. - To do the required resource creation and role management, your account needs "Owner" permissions at the appropriate scope (your subscription or resource group). If you need assistance with role assignment, see [Assign Azure roles to manage access to your Azure subscription resources](../../../articles/role-based-access-control/role-assignments-portal.md). - You need an Azure VM (for example running Ubuntu Linux) that you'd like to use for access your database using Managed Identity-- You need an Azure Database for MySQL database server that has [Azure AD authentication](how-to-configure-sign-in-azure-ad-authentication.md) configured
+- You need an Azure Database for MySQL database server that has [Microsoft Entra authentication](how-to-configure-sign-in-azure-ad-authentication.md) configured
- To follow the C# example, first complete the guide how to [Connect using C#](connect-csharp.md) ## Creating a user-assigned managed identity for your VM
echo $CLIENT_ID
## Creating a MySQL user for your Managed Identity
-Now, connect as the Azure AD administrator user to your MySQL database, and run the following SQL statements:
+Now, connect as the Microsoft Entra administrator user to your MySQL database, and run the following SQL statements:
```sql SET aad_auth_validate_oids_in_tenant = OFF;
You are now connected to the database you've configured earlier.
## Connecting using Managed Identity in C#
-This section shows how to get an access token using the VM's user-assigned managed identity and use it to call Azure Database for MySQL. Azure Database for MySQL natively supports Azure AD authentication, so it can directly accept access tokens obtained using managed identities for Azure resources. When creating a connection to MySQL, you pass the access token in the password field.
+This section shows how to get an access token using the VM's user-assigned managed identity and use it to call Azure Database for MySQL. Azure Database for MySQL natively supports Microsoft Entra authentication, so it can directly accept access tokens obtained using managed identities for Azure resources. When creating a connection to MySQL, you pass the access token in the password field.
Here's a .NET code example of opening a connection to MySQL using an access token. This code must run on the VM to access the VM's user-assigned managed identity's endpoint. .NET Framework 4.6 or higher or .NET Core 2.2 or higher is required to use the access token method. Replace the values of HOST, USER, DATABASE, and CLIENT_ID.
MySQL version: 5.7.27
## Next steps -- Review the overall concepts for [Azure Active Directory authentication with Azure Database for MySQL](concepts-azure-ad-authentication.md)
+- Review the overall concepts for [Microsoft Entra authentication with Azure Database for MySQL](concepts-azure-ad-authentication.md)
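Review bot: `SET aad_auth_validate_oids_in_tenant = OFF;`, the first statement after the renamed intro, turns off a server-side validation check with no explanation of what the server stops validating, why the managed identity user cannot be created with it ON, or whether to set it back to ON once the user exists; add a sentence on each so readers do not leave the relaxed setting in place. The rename also skipped "Managed Service Identities" in the intro, which is the retired name for managed identities for Azure resources (the overview link in the prerequisites already uses the current name).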
mysql Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/single-server/policy-reference.md
Previously updated : 09/19/2023 Last updated : 10/10/2023 # Azure Policy built-in definitions for Azure Database for MySQL
mysql Single Server Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/mysql/single-server/single-server-overview.md
Single Server uses the FIPS 140-2 validated cryptographic module for storage enc
The service allows private access to the servers using [private link](concepts-data-access-security-private-link.md) and offers threat protection through the optional [Microsoft Defender for open-source relational databases](../../defender-for-cloud/defender-for-databases-introduction.md) plan. Microsoft Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.
-In addition to native authentication, Single Server supports [Azure Active Directory](../../active-directory/fundamentals/active-directory-whatis.md) authentication. Azure AD authentication is a mechanism of connecting to the MySQL servers using identities defined and managed in Azure AD. With Azure AD authentication, you can manage database user identities and other Azure services in a central location, which simplifies and centralizes access control.
+In addition to native authentication, Single Server supports [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) authentication. Microsoft Entra authentication is a mechanism of connecting to the MySQL servers using identities defined and managed in Microsoft Entra ID. With Microsoft Entra authentication, you can manage database user identities and other Azure services in a central location, which simplifies and centralizes access control.
[Audit logging](concepts-audit-logs.md) is available to track all database level activity.
Now that you've read an introduction to Azure Database for MySQL - Single Server
- [Ruby](./connect-ruby.md) - [PHP](./connect-php.md) - [.NET (C#)](./connect-csharp.md)
- - [Go](./connect-go.md)
+ - [Go](./connect-go.md)
nat-gateway Nat Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/nat-gateway/nat-overview.md
Virtual appliance UDR / VPN Gateway / ExpressRoute >> NAT gateway >> Instance-le
## Pricing and SLA
-For Azure NAT Gateway pricing, see [NAT gateway pricing](https://azure.microsoft.com/pricing/details/virtual-network/#pricing).
+For Azure NAT Gateway pricing, see [NAT gateway pricing](https://azure.microsoft.com/pricing/details/azure-nat-gateway/).
For information on the SLA, see [SLA for Azure NAT Gateway](https://azure.microsoft.com/support/legal/sla/virtual-network-nat/v1_0/).
networking Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/networking/policy-reference.md
Title: Built-in policy definitions for Azure networking services description: Lists Azure Policy built-in policy definitions for Azure networking services. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
open-datasets Dataset Taxi Yellow https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/open-datasets/dataset-taxi-yellow.md
azure_storage_sas_token = r""
container_name = "nyctlc" folder_name = "yellow"
-from azure.storage.blob import BlockBlobServicefrom azure.storage.blob import BlobServiceClient, BlobClient, ContainerClient
+from azure.storage.blob import BlobServiceClient, BlobClient, ContainerClient
if azure_storage_account_name is None or azure_storage_sas_token is None: raise Exception(
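Review bot: dropping the fused `from azure.storage.blob import BlockBlobService` is right, since the line as written was two statements run together, but check that nothing later in the cell still instantiates `BlockBlobService`; the surviving import only brings in `BlobServiceClient`, `BlobClient` and `ContainerClient`, so any leftover call to the legacy class would now fail with a `NameError` rather than an import error.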
partner-solutions Manage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/elastic/manage.md
Title: Manage Elastic Cloud (Elasticsearch) - An Azure Native ISV Service description: This article describes management of Elastic Cloud (Elasticsearch) on the Azure portal. How to configure diagnostic settings and delete the resource. - Previously updated : 05/22/2023 Last updated : 10/06/2023 - # Manage Elastic Cloud (Elasticsearch) - An Azure Native ISV Service
To associate an already existing traffic filter to the current deployment, you s
If a traffic filter is no longer needed, unlink it from deployment and then delete it.
+## Connected Elastic resources
+
+To access all Elastic resources and deployments you have created using the Azure or Elastic portal experience, go to the **Connected Elastic resources** tab in any of your Azure Elastic resources.
++
+You can easily manage the corresponding Elastic deployments or Azure resources using the links, provided you have owner or contributor rights to those deployments and resources.
+ ## Delete Elastic resource When you no longer need your Elastic resource, delete the resource in the Azure portal.
When the Elastic resource is deleted, logs are no longer sent to Elastic. All bi
> [Azure portal](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Elastic%2Fmonitors) > [!div class="nextstepaction"]
- > [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/elastic.ec-azure-pp?tab=Overview)
+ > [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/elastic.ec-azure-pp?tab=Overview)
partner-solutions Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/partner-solutions/elastic/troubleshoot.md
Title: Troubleshooting Elastic Cloud (Elasticsearch) - An Azure Native ISV Service description: This article provides information about troubleshooting Elastic integration with Azure- Previously updated : 06/01/2023 Last updated : 10/06/2023 - # Troubleshooting Elastic Cloud (Elasticsearch) - An Azure Native ISV Service
Only users who have *Owner* or *Contributor* access on the Azure subscription ca
To contact support about the Elastic integration with Azure, select the **New Support request** in the left pane. Select **Open an Elastic Support ticket**. In the Elastic site, open a support request. +
+## Suggest a feature
+
+To suggest a new feature for the Elastic integration with Azure, select the **Suggest a feature** link at the top of the resource overview page.
++
+This link takes you to the **Developer community forum** where you can suggest a new feature. You can also view, upvote, or comment on feature suggestions from other customers.
## Next steps
In the Elastic site, open a support request.
> [Azure portal](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Elastic%2Fmonitors) > [!div class="nextstepaction"]
- > [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/elastic.ec-azure-pp?tab=Overview)
+ > [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/elastic.ec-azure-pp?tab=Overview)
playwright-testing How To Manage Workspace Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/playwright-testing/how-to-manage-workspace-access.md
You can revoke a user's access to a Microsoft Playwright Testing workspace using
For more information about how to remove role assignments, see [Remove Azure role assignments](/azure/role-based-access-control/role-assignments-remove).
-## (Optional) Use Azure AD security groups to manage workspace access
+<a name='optional-use-azure-ad-security-groups-to-manage-workspace-access'></a>
-Instead of granting or revoking access to individual users, you can manage access for groups of users using Azure AD security groups. This approach has the following benefits:
+## (Optional) Use Microsoft Entra security groups to manage workspace access
+
+Instead of granting or revoking access to individual users, you can manage access for groups of users using Microsoft Entra security groups. This approach has the following benefits:
- Avoid the need for granting team or project leaders the Owner role on the workspace. You can grant them access only to the security group to let them manage access to the workspace. - You can organize, manage and revoke users' permissions on a workspace and other resources as a group, without having to manage permissions on a user-by-user basis.-- Using Azure AD groups helps you to avoid reaching the [subscription limit](/azure/role-based-access-control/troubleshooting#limits) on role assignments.
+- Using Microsoft Entra groups helps you to avoid reaching the [subscription limit](/azure/role-based-access-control/troubleshooting#limits) on role assignments.
-To use Azure AD security groups:
+To use Microsoft Entra security groups:
1. [Create a security group](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal).
To use Azure AD security groups:
## Create a custom role for restricted tenants
-If you're using Azure Active Directory [tenant restrictions](/azure/active-directory/external-identities/tenant-restrictions-v2) and users with temporary access, you can create a custom role in Azure RBAC to manage permissions and grant access to run tests.
+If you're using Microsoft Entra [tenant restrictions](/azure/active-directory/external-identities/tenant-restrictions-v2) and users with temporary access, you can create a custom role in Azure RBAC to manage permissions and grant access to run tests.
Perform the following steps to manage permissions with a custom role:
Here are a few things to be aware of while you use Azure role-based access contr
- When you create a resource in Azure, such as a workspace, you are not automatically the owner of the resource. Your role is inherited from the highest scope role that you're authorized against in that subscription. As an example, if you're a Contributor for the subscription, you have the permissions to create a Microsoft Playwright Testing workspace. However, you would be assigned the Contributor role against that workspace, and not the Owner role. -- When there are two role assignments to the same Azure Active Directory user with conflicting sections of Actions/NotActions, your operations listed in NotActions from one role might not take effect if they're also listed as Actions in another role. To learn more about how Azure parses role assignments, read [How Azure RBAC determines if a user has access to a resource](/azure/role-based-access-control/overview#how-azure-rbac-determines-if-a-user-has-access-to-a-resource).
+- When there are two role assignments to the same Microsoft Entra user with conflicting sections of Actions/NotActions, your operations listed in NotActions from one role might not take effect if they're also listed as Actions in another role. To learn more about how Azure parses role assignments, read [How Azure RBAC determines if a user has access to a resource](/azure/role-based-access-control/overview#how-azure-rbac-determines-if-a-user-has-access-to-a-resource).
- It can sometimes take up to 1 hour for your new role assignments to take effect over cached permissions.
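Review bot: the first benefit bullet under the renamed heading, "grant them access only to the security group to let them manage access to the workspace", is ambiguous about what access is being granted; it means making the team or project leader an owner of the security group so they can add and remove members, and it should say so, because group ownership is what lets them control who reaches the workspace without holding Owner on the workspace itself.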
playwright-testing Troubleshoot Unable Sign Into Playwright Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/playwright-testing/troubleshoot-unable-sign-into-playwright-portal.md
Follow these steps to enable the Microsoft Playwright Testing service principal:
1. Open an elevated Windows PowerShell command prompt (run Windows PowerShell as an administrator).
-1. Install the Microsoft Azure Active Directory Module for Windows PowerShell by running the following cmdlet:
+1. Install the Microsoft Azure Active Directory module for Windows PowerShell by running the following cmdlet:
```powershell Install-Module MSOnline ```
-1. Connect to Azure AD for your Microsoft 365 subscription by running the following cmdlet:
+1. Connect to Microsoft Entra ID for your Microsoft 365 subscription by running the following cmdlet:
```powershell Connect-MsolService
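Review bot: the prose now says "Connect to Microsoft Entra ID", but the procedure itself still installs `MSOnline` and runs `Connect-MsolService`, and the step above keeps the old "Microsoft Azure Active Directory module" name, so the rename is only skin deep. MSOnline is the legacy module that Microsoft has announced for retirement in favour of the Microsoft Graph PowerShell SDK; either keep the module's real name in both steps so readers can find what they are installing, or move the procedure to `Connect-MgGraph` and the Microsoft Graph PowerShell equivalents for enabling the service principal.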
postgresql Howto Restore Different Subscription Resource Group Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/flexible-server/howto-restore-different-subscription-resource-group-api.md
+
+ Title: Cross subscription and cross resource group restore - Azure REST API in Azure Database for PostgreSQL - Flexible Server
+description: This article describes how to restore to a different Subscription or resource group server in Azure Database for PostgreSQL - Flexible Server using Azure REST API.
++++++ Last updated : 10/04/2023++
+# Cross subscription and cross resource group restore in Azure Database for PostgreSQL Flexible Server using Azure REST API
+
+In this article, you learn how to restore a flexible server to a different subscription or resource group using the REST API [Azure REST API](/rest/api/azure/). To learn more about backup and restore see the [overview](concepts-backup-restore.md).
+
+## Prerequisites
+An [Azure Database for PostgreSQL server](quickstart-create-server-portal.md) to be the primary server.
+
+### Restore to a different Subscription or Resource group
+
+ 1. Browse to the PostgreSQL [Create Server REST API Page](/rest/api/postgresql/flexibleserver/servers/create) and select the **Try It** tab highlighted in green. Sign in with your Azure account.
+
+2. Provide the **resourceGroupName**(Target Resource group name), **serverName** (Target server name), **subscriptionId** (Target subscription) properties. Please use the latest api-version that is available. For this example we're using 2023-06-01-preview.
+
+ ![Screenshot showing the REST API Try It page.](./media/how-to-restore-server-portal/geo-restore-different-subscription-or-resource-group-api.png)
+++
+3. Go to **Request Body** section and paste the following replacing the "location" (e.g. CentralUS, EastUS etc.), "pointInTimeUTC", and ))"SourceServerResourceID", For "pointInTimeUTC", specify a timestamp value to which you want to restore. Finally, you can use createMode as **PointInTimeRestore** for performing regular restore and **GeoRestore** for restoring geo-redundant backups.
+
+ **GeoRestore**
+
+```json
+ {
+ "location": "NorthEurope",
+ "properties":
+ {
+ "pointInTimeUTC": "2023-10-03T16:05:02Z",
+ "SourceServerResourceID": "/subscriptions/fffffffff-ffff-ffff-fffffffffff/resourceGroups/source-resourcegroupname-rg/providers/Microsoft.DBforPostgreSQL/flexibleServers/SourceServer-Name",
+ "createMode": "GeoRestore"
+ }
+}
+```
+**Point In Time Restore**
+
+```json
+ {
+ "location": "EastUS",
+ "properties":
+ {
+ "pointInTimeUTC": "2023-06-15T16:05:02Z",
+ "createMode": "PointInTimeRestore",
+ "sourceServerResourceId": "/subscriptions/ffffffff-ffff-ffff-ffff-ffffffffffff/resourceGroups/SourceResourceGroup-Name/providers/Microsoft.DBforPostgreSQL/flexibleServers/SourceServer-Name"
+ }
+ }
+```
++
+4. If you see Response Code 201 or 202, the restore request is successfully submitted.
+
+ The server creation can take time depending on the database size and compute resources provisioned on the original server. The restore status can be monitored from Activity log by filtering for
+ - **Subscription** = Your Subscription
+ - **Resource Type** = Azure Database for PostgreSQL Flexible servers (Microsoft.DBforPostgreSQL/flexibleServers)
+ - **Operation** = Update PostgreSQL Server Create
++
+## Common Errors
+
+ - If you utilize the incorrect API version, you might experience restore failures or timeouts. Please use 2023-06-01-preview API to avoid such issues.
+ - To avoid potential DNS errors, it's recommended to use a different name when initiating the restore process, as some restore operations might fail with the same name.
+
+## Next steps
+
+- Learn about [business continuity](./concepts-business-continuity.md).
+- Learn about [zone-redundant high availability](./concepts-high-availability.md).
+- Learn about [backup and recovery](./concepts-backup-restore.md).
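Review bot: step 3 is garbled at `and ))"SourceServerResourceID", For "pointInTimeUTC"`; the stray `))` and the comma splice should go, and the property name should be written consistently, since the GeoRestore body uses `SourceServerResourceID` while the PointInTimeRestore body uses `sourceServerResourceId`. Pick one spelling for both bodies and the prose (the camelCase form matches the other properties in the body, such as `pointInTimeUTC` and `createMode`). The GeoRestore example's subscription placeholder `fffffffff-ffff-ffff-fffffffffff` is not GUID-shaped (9-4-4-11 groups); use the same `ffffffff-ffff-ffff-ffff-ffffffffffff` placeholder as the PointInTimeRestore example so readers do not copy a malformed ID. Step 2 tells readers to use the latest api-version, but Common Errors says restores fail or time out unless `2023-06-01-preview` is used; state one rule, and if a specific version is required say so in step 2 rather than only under errors. Finally, "Operation = Update PostgreSQL Server Create" in the Activity log filter reads like two operation names run together; give the exact operation string the log shows.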
postgresql Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/postgresql/single-server/policy-reference.md
Previously updated : 09/19/2023 Last updated : 10/10/2023 # Azure Policy built-in definitions for Azure Database for PostgreSQL
private-5g-core Azure Stack Edge Disconnects https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/azure-stack-edge-disconnects.md
The following functions aren't supported while disconnected:
### Monitoring and troubleshooting during disconnects
-While disconnected, you can't enable local monitoring authentication or sign in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md) using Azure Active Directory. However, you can access both distributed tracing and packet core dashboards via local access if enabled.
+While disconnected, you can't enable local monitoring authentication or sign in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md) using Microsoft Entra ID. However, you can access both distributed tracing and packet core dashboards via local access if enabled.
New [Azure Monitor platform metrics](monitor-private-5g-core-with-platform-metrics.md) won't be collected while in disconnected mode. Once the disconnect ends, Azure Monitor will automatically resume gathering metrics about the packet core instance.
Once reconnected, you can continue to manage your deployment:
- [Create a site using the Azure portal](create-a-site.md) - [Modify the packet core instance in a site](modify-packet-core.md) - [Provision new SIMs for Azure Private 5G Core - Azure portal](provision-sims-azure-portal.md)-- [Provision new SIMs for Azure Private 5G Core - ARM template](provision-sims-arm-template.md)
+- [Provision new SIMs for Azure Private 5G Core - ARM template](provision-sims-arm-template.md)
private-5g-core Collect Required Information For A Site https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/collect-required-information-for-a-site.md
If you want to configure diagnostics package gathering during site creation, see
## Choose the authentication method for local monitoring tools
-Azure Private 5G Core provides dashboards for monitoring your deployment and a web GUI for collecting detailed signal traces. You can access these tools using [Azure Active Directory (Azure AD)](../active-directory/authentication/overview-authentication.md) or a local username and password. We recommend setting up Azure AD authentication to improve security in your deployment.
+Azure Private 5G Core provides dashboards for monitoring your deployment and a web GUI for collecting detailed signal traces. You can access these tools using [Microsoft Entra ID](../active-directory/authentication/overview-authentication.md) or a local username and password. We recommend setting up Microsoft Entra authentication to improve security in your deployment.
-If you want to access your local monitoring tools using Azure AD, after creating a site you'll need to follow the steps in [Enable Azure Active Directory (Azure AD) for local monitoring tools](enable-azure-active-directory.md).
+If you want to access your local monitoring tools using Microsoft Entra ID, after creating a site you'll need to follow the steps in [Enable Microsoft Entra ID for local monitoring tools](enable-azure-active-directory.md).
If you want to access your local monitoring tools using local usernames and passwords, you don't need to set any additional configuration. After deploying the site, set up your username and password by following [Access the distributed tracing web GUI](distributed-tracing.md#access-the-distributed-tracing-web-gui) and [Access the packet core dashboards](packet-core-dashboards.md#access-the-packet-core-dashboards). You'll be able to change the authentication method later by following [Modify the local access configuration in a site](modify-local-access-configuration.md). > [!NOTE]
-> While in [disconnected mode](disconnected-mode.md), you won't be able to change the local monitoring authentication method or sign in using Azure AD. If you expect to need access to your local monitoring tools while the ASE is disconnected, consider using the local username and password authentication method instead.
+> While in [disconnected mode](disconnected-mode.md), you won't be able to change the local monitoring authentication method or sign in using Microsoft Entra ID. If you expect to need access to your local monitoring tools while the ASE is disconnected, consider using the local username and password authentication method instead.
## Collect local monitoring values
If you want to provide a custom HTTPS certificate at site creation, follow the s
Use the information you've collected to create the site: - [Create a site - Azure portal](create-a-site.md)-- [Create a site - ARM template](create-site-arm-template.md)
+- [Create a site - ARM template](create-site-arm-template.md)
private-5g-core Commission Cluster https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/commission-cluster.md
If you're running other VMs on your Azure Stack Edge, we recommend that you stop
1. For the **Node size**, select **Standard_F16s_HPN**. 1. Ensure the **Arc enabled Kubernetes** checkbox is selected.
-1. Select the **Change** link and enter the Azure AD application Object Id (OID) for the custom location which you obtained from [Retrieve the Object ID (OID)](complete-private-mobile-network-prerequisites.md#retrieve-the-object-id-oid).
+1. Select the **Change** link and enter the Microsoft Entra application Object Id (OID) for the custom location which you obtained from [Retrieve the Object ID (OID)](complete-private-mobile-network-prerequisites.md#retrieve-the-object-id-oid).
:::image type="content" source="media/commission-cluster/commission-cluster-configure-kubernetes.png" alt-text="Screenshot of Configure Arc enabled Kubernetes pane, showing where to enter the custom location OID."::: 1. The Arc enabled Kubernetes service is automatically created in the same resource group as your **Azure Stack Edge** resource. If your Azure Stack Edge resource group is not in a region that supports Azure Private 5G Core, you must change the region. 1. Click **Configure** to apply the configuration.
-1. Check the **Region** and **Azure AD application Object Id (OID)** fields show the appropriate values, and then click **Create**.
+1. Check the **Region** and **Microsoft Entra application Object Id (OID)** fields show the appropriate values, and then click **Create**.
1. Work through the prompts to set up the service. The creation of the Kubernetes cluster takes about 20 minutes. During creation, there may be a critical alarm displayed on the **Azure Stack Edge** resource. This alarm is expected and should disappear after a few minutes.
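Review bot: the bold **Microsoft Entra application Object Id (OID)** in the last step is presented as a portal field label; if the Azure Stack Edge blade still labels that field "Azure AD application Object Id (OID)", the renamed text will no longer match what the reader sees on screen. Check the UI string before renaming bolded field names, or phrase it as "the application Object Id (OID) field" so the instruction survives either label.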
private-5g-core Create A Site https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/create-a-site.md
If you decided not to configure diagnostics packet collection or use a user assi
## Next steps
-If you decided to set up Azure AD for local monitoring access, follow the steps in [Enable Azure Active Directory (Azure AD) for local monitoring tools](enable-azure-active-directory.md).
+If you decided to set up Microsoft Entra ID for local monitoring access, follow the steps in [Enable Microsoft Entra ID for local monitoring tools](enable-azure-active-directory.md).
If you haven't already done so, you should now design the policy control configuration for your private mobile network. This allows you to customize how your packet core instances apply quality of service (QoS) characteristics to traffic. You can also block or limit certain flows. See [Policy control](policy-control.md) to learn more about designing the policy control configuration for your private mobile network.
private-5g-core Create Additional Packet Core https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/create-additional-packet-core.md
If you decided not to configure diagnostics packet collection or use a user assi
## Next steps
-If you decided to set up Azure AD for local monitoring access, follow the steps in [Enable Azure Active Directory (Azure AD) for local monitoring tools](enable-azure-active-directory.md).
+If you decided to set up Microsoft Entra ID for local monitoring access, follow the steps in [Enable Microsoft Entra ID for local monitoring tools](enable-azure-active-directory.md).
If you haven't already done so, you should now design the policy control configuration for your private mobile network. This allows you to customize how your packet core instances apply quality of service (QoS) characteristics to traffic. You can also block or limit certain flows. See [Policy control](policy-control.md) to learn more about designing the policy control configuration for your private mobile network.
private-5g-core Create Site Arm Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/create-site-arm-template.md
Four Azure resources are defined in the template.
## Next steps
-If you decided to set up Azure AD for local monitoring access, follow the steps in [Modify the local access configuration in a site](modify-local-access-configuration.md) and [Enable Azure Active Directory (Azure AD) for local monitoring tools](enable-azure-active-directory.md).
+If you decided to set up Microsoft Entra ID for local monitoring access, follow the steps in [Modify the local access configuration in a site](modify-local-access-configuration.md) and [Enable Microsoft Entra ID for local monitoring tools](enable-azure-active-directory.md).
If you haven't already done so, you should now design the policy control configuration for your private mobile network. This allows you to customize how your packet core instances apply quality of service (QoS) characteristics to traffic. You can also block or limit certain flows. See [Policy control](policy-control.md) to learn more about designing the policy control configuration for your private mobile network.
private-5g-core Delete Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/delete-resources.md
All data will be lost when deleting your deployment. Back up any information you
1. Refer to [Collect the required information for your SIMs](provision-sims-azure-portal.md#collect-the-required-information-for-your-sims) to take a backup of all the information you'll need to recreate your SIMs. 1. Depending on your authentication method when signing in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md):
- - If you use Azure AD, save a copy of the Kubernetes Secret Object YAML file you created in [Create Kubernetes Secret Objects](enable-azure-active-directory.md#create-kubernetes-secret-objects).
+ - If you use Microsoft Entra ID, save a copy of the Kubernetes Secret Object YAML file you created in [Create Kubernetes Secret Objects](enable-azure-active-directory.md#create-kubernetes-secret-objects).
- If you use local usernames and passwords and want to keep using the same credentials, save a copy of the current passwords to a secure location. 1. If you want to retain any traces, [export and save](distributed-tracing-share-traces.md#export-trace-from-the-distributed-tracing-web-gui) them securely before continuing.
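Review bot: the two backup bullets in this step handle the credential types inconsistently: the local-password bullet says to save the passwords "to a secure location", while the Microsoft Entra ID bullet only says to "save a copy" of the Kubernetes Secret Object YAML file. That file holds the sign-in configuration values in Base64, which is reversible encoding rather than encryption, so it needs the same handling; suggest "...save a copy of the Kubernetes Secret Object YAML file you created in [Create Kubernetes Secret Objects](...) to a secure location." The same pair of bullets is repeated in modify-packet-core.md, region-move-private-mobile-network-resources.md and reinstall-packet-core.md in this batch, so the wording should be aligned there as well.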
Once you have created a new deployment, complete the following steps to restore
1. Depending on your authentication method when signing in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md):
- - If you use Azure AD, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects).
+ - If you use Microsoft Entra ID, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects).
- If you use local usernames and passwords, follow [Access the distributed tracing web GUI](distributed-tracing.md#access-the-distributed-tracing-web-gui) and [Access the packet core dashboards](packet-core-dashboards.md#access-the-packet-core-dashboards) to restore access to your local monitoring tools.
-1. If you backed up any packet core dashboards, follow [Importing a dashboard](https://grafana.com/docs/grafana/v6.1/reference/export_import/#importing-a-dashboard) in the Grafana documentation to restore them.
+1. If you backed up any packet core dashboards, follow [Importing a dashboard](https://grafana.com/docs/grafana/v6.1/reference/export_import/#importing-a-dashboard) in the Grafana documentation to restore them.
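Review bot: the removed and added lines for the "Importing a dashboard" step are textually identical, so this hunk is a whitespace-only change (trailing space or line-ending difference). If that is not intentional, drop it so the commit stays limited to the Azure AD to Microsoft Entra ID rename.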
private-5g-core Distributed Tracing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/distributed-tracing.md
Azure Private 5G Core offers a *distributed tracing web GUI*, which you can use
> [!TIP] > When signing in, if you see a warning in your browser that the connection isn't secure, you may be using a self-signed certificate to attest access to your local monitoring tools. We recommend following [Modify the local access configuration in a site](modify-local-access-configuration.md) to configure a custom HTTPS certificate signed by a globally known and trusted certificate authority.
-### Azure Active Directory
+<a name='azure-active-directory'></a>
-To sign in to the distributed tracing web GUI if you enabled Azure Active Directory authentication:
+### Microsoft Entra ID
+
+To sign in to the distributed tracing web GUI if you enabled Microsoft Entra authentication:
1. In your browser, enter https://*\<local monitoring domain\>*/sas, where *\<local monitoring domain\>* is the domain name for your local monitoring tools that you set up in [Configure domain system name (DNS) for local monitoring IP](enable-azure-active-directory.md#configure-domain-system-name-dns-for-local-monitoring-ip). 1. Follow the prompts to sign in with your account credentials.
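Review bot: the unchanged step links to the heading "Configure domain system name (DNS) for local monitoring IP"; DNS stands for Domain Name System, so the heading text, this link text, and the matching link in packet-core-dashboards.md should read "domain name system (DNS)". Because the heading doubles as the anchor `#configure-domain-system-name-dns-for-local-monitoring-ip`, renaming it changes the fragment, so either update every reference in the same commit or keep the old fragment with an `<a name=...>` anchor, as this hunk already does for `azure-active-directory`.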
To view help information, select the **Options** symbol in the upper-right corne
## Next steps - [Learn how to export, upload and share your traces for diagnostics](distributed-tracing-share-traces.md)-- [Learn more about how you can monitor your deployment using the packet core dashboards](packet-core-dashboards.md)
+- [Learn more about how you can monitor your deployment using the packet core dashboards](packet-core-dashboards.md)
private-5g-core Enable Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/enable-azure-active-directory.md
Title: Enable Azure Active Directory (Azure AD) for local monitoring tools
+ Title: Enable Microsoft Entra ID for local monitoring tools
-description: Complete the prerequisite tasks for enabling Azure Active Directory to access Azure Private 5G Core's local monitoring tools.
+description: Complete the prerequisite tasks for enabling Microsoft Entra ID to access Azure Private 5G Core's local monitoring tools.
Last updated 12/29/2022
-# Enable Azure Active Directory (Azure AD) for local monitoring tools
+# Enable Microsoft Entra ID for local monitoring tools
-Azure Private 5G Core provides the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md) tools for monitoring your deployment at the edge. You can access these tools using [Azure Active Directory (Azure AD)](../active-directory/authentication/overview-authentication.md) or a local username and password. We recommend setting up Azure AD authentication to improve security in your deployment.
+Azure Private 5G Core provides the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md) tools for monitoring your deployment at the edge. You can access these tools using [Microsoft Entra ID](../active-directory/authentication/overview-authentication.md) or a local username and password. We recommend setting up Microsoft Entra authentication to improve security in your deployment.
-In this how-to guide, you'll carry out the steps you need to complete after deploying or configuring a site that uses Azure AD to authenticate access to your local monitoring tools. You don't need to follow this if you decided to use local usernames and passwords to access the distributed tracing and packet core dashboards.
+In this how-to guide, you'll carry out the steps you need to complete after deploying or configuring a site that uses Microsoft Entra ID to authenticate access to your local monitoring tools. You don't need to follow this if you decided to use local usernames and passwords to access the distributed tracing and packet core dashboards.
> [!CAUTION]
-> Azure AD for local monitoring tools is not supported when a web proxy is enabled on the Azure Stack Edge device on which Azure Private 5G Core is running. If you have configured a firewall that blocks traffic not transmitted via the web proxy, then enabling Azure AD will cause the Azure Private 5G Core installation to fail.
+> Microsoft Entra ID for local monitoring tools is not supported when a web proxy is enabled on the Azure Stack Edge device on which Azure Private 5G Core is running. If you have configured a firewall that blocks traffic not transmitted via the web proxy, then enabling Microsoft Entra ID will cause the Azure Private 5G Core installation to fail.
## Prerequisites - You must have completed the steps in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md) and [Collect the required information for a site](collect-required-information-for-a-site.md).-- You must have deployed a site with Azure Active Directory set as the authentication type.
+- You must have deployed a site with Microsoft Entra ID set as the authentication type.
- Identify the IP address for accessing the local monitoring tools that you set up in [Management network](complete-private-mobile-network-prerequisites.md#management-network).-- Ensure you can sign in to the Azure portal using an account with access to the active subscription you used to create your private mobile network. This account must have permission to manage applications in Azure AD. [Azure AD built-in roles](../active-directory/roles/permissions-reference.md) that have the required permissions include, for example, Application administrator, Application developer, and Cloud application administrator. If you do not have this access, contact your tenant Azure AD administrator so they can confirm your user has been assigned the correct role by following [Assign user roles with Azure Active Directory](/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
+- Ensure you can sign in to the Azure portal using an account with access to the active subscription you used to create your private mobile network. This account must have permission to manage applications in Microsoft Entra ID. [Microsoft Entra built-in roles](../active-directory/roles/permissions-reference.md) that have the required permissions include, for example, Application administrator, Application developer, and Cloud application administrator. If you do not have this access, contact your tenant Microsoft Entra administrator so they can confirm your user has been assigned the correct role by following [Assign user roles with Microsoft Entra ID](/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
- Ensure your local machine has core kubectl access to the Azure Arc-enabled Kubernetes cluster. This requires a core kubeconfig file, which you can obtain by following [Core namespace access](set-up-kubectl-access.md#core-namespace-access). ## Configure domain system name (DNS) for local monitoring IP
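Review bot: "Last updated 12/29/2022" is carried over unchanged even though this commit rewrites the title, description, H1 and several body paragraphs of enable-azure-active-directory.md; bump the date so readers can tell that the Microsoft Entra ID wording reflects the current state of the article.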
In the authoritative DNS server for the DNS zone you want to create the DNS reco
## Register application
-You'll now register a new local monitoring application with Azure AD to establish a trust relationship with the Microsoft identity platform.
+You'll now register a new local monitoring application with Microsoft Entra ID to establish a trust relationship with the Microsoft identity platform.
If your deployment contains multiple sites, you can use the same two redirect URIs for all sites, or create different URI pairs for each site. You can configure a maximum of two redirect URIs per site. If you've already registered an application for your deployment and you want to use the same URIs across your sites, you can skip this step.
If your deployment contains multiple sites, you can use the same two redirect UR
|Value | How to collect | Kubernetes secret parameter name ||||
- | **Tenant ID** | In the Azure portal, search for Azure Active Directory. You can find the **Tenant ID** field in the Overview page. | `tenant_id` |
+ | **Tenant ID** | In the Azure portal, search for Microsoft Entra ID. You can find the **Tenant ID** field in the Overview page. | `tenant_id` |
| **Application (client) ID** | Navigate to the new local monitoring app registration you just created. You can find the **Application (client) ID** field in the Overview page, under the **Essentials** heading. | `client_id` | | **Authorization URL** | In the local monitoring app registration Overview page, select **Endpoints**. Copy the contents of the **OAuth 2.0 authorization endpoint (v2)** field. <br /><br /> **Note:** <br />If the string contains `organizations`, replace `organizations` with the Tenant ID value. For example, <br />`https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize`<br /> becomes <br />`https://login.microsoftonline.com/72f998bf-86f1-31af-91ab-2d7cd001db56/oauth2/v2.0/authorize`. | `auth_url` | | **Token URL** | In the local monitoring app registration Overview page, select **Endpoints**. Copy the contents of the **OAuth 2.0 token endpoint (v2)** field. <br /><br /> **Note:** <br />If the string contains `organizations`, replace `organizations` with the Tenant ID value. For example, <br />`https://login.microsoftonline.com/organizations/oauth2/v2.0/token`<br /> becomes <br />`https://login.microsoftonline.com/72f998bf-86f1-31af-91ab-2d7cd001db56/oauth2/v2.0/token`. | `token_url` |
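Review bot: the Authorization URL and Token URL rows tell the reader to replace `organizations` with the tenant ID but not why, which makes the substitution easy to skip. Suggest adding one sentence to the Note: `organizations` is the multi-tenant endpoint, so using the tenant-specific URL is what restricts local monitoring sign-in to accounts from your own Microsoft Entra tenant.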
If your deployment contains multiple sites, you can use the same two redirect UR
## Create Kubernetes Secret Objects
-To support Azure AD on Azure Private 5G Core applications, you'll need a YAML file containing Kubernetes secrets.
+To support Microsoft Entra ID on Azure Private 5G Core applications, you'll need a YAML file containing Kubernetes secrets.
1. Convert each of the values you collected in [Collect the information for Kubernetes Secret Objects](#collect-the-information-for-kubernetes-secret-objects) into Base64 format. For example, you can run the following command in an Azure Cloud Shell **Bash** window:
To support Azure AD on Azure Private 5G Core applications, you'll need a YAML fi
## Apply Kubernetes Secret Objects
-You'll need to apply your Kubernetes Secret Objects if you're enabling Azure AD for a site, after a packet core outage, or after updating the Kubernetes Secret Object YAML file.
+You'll need to apply your Kubernetes Secret Objects if you're enabling Microsoft Entra ID for a site, after a packet core outage, or after updating the Kubernetes Secret Object YAML file.
1. Sign in to [Azure Cloud Shell](../cloud-shell/overview.md) and select **PowerShell**. If this is your first time accessing your cluster via Azure Cloud Shell, follow [Access your cluster](../azure-arc/kubernetes/cluster-connect.md?tabs=azure-cli) to configure kubectl access. 1. Apply the Secret Object for both distributed tracing and the packet core dashboards, specifying the core kubeconfig filename.
You'll need to apply your Kubernetes Secret Objects if you're enabling Azure AD
## Verify access
-Follow [Access the distributed tracing web GUI](distributed-tracing.md#access-the-distributed-tracing-web-gui) and [Access the packet core dashboards](packet-core-dashboards.md#access-the-packet-core-dashboards) to check if you can access your local monitoring tools using Azure AD.
+Follow [Access the distributed tracing web GUI](distributed-tracing.md#access-the-distributed-tracing-web-gui) and [Access the packet core dashboards](packet-core-dashboards.md#access-the-packet-core-dashboards) to check if you can access your local monitoring tools using Microsoft Entra ID.
## Update Kubernetes Secret Objects
Follow this step if you need to update your existing Kubernetes Secret Objects;
If you haven't already done so, you should now design the policy control configuration for your private mobile network. This allows you to customize how your packet core instances apply quality of service (QoS) characteristics to traffic. You can also block or limit certain flows. -- [Learn more about designing the policy control configuration for your private mobile network](policy-control.md)
+- [Learn more about designing the policy control configuration for your private mobile network](policy-control.md)
private-5g-core Modify Local Access Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/modify-local-access-configuration.md
# Modify the local access configuration in a site
-You can use [Azure Active Directory (Azure AD)](../active-directory/authentication/overview-authentication.md) or a local username and password to authenticate access to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md). Additionally, you can use a self-signed certificate or provide your own to attest access to your local diagnostics tools.
+You can use [Microsoft Entra ID](../active-directory/authentication/overview-authentication.md) or a local username and password to authenticate access to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md). Additionally, you can use a self-signed certificate or provide your own to attest access to your local diagnostics tools.
-To improve security in your deployment, we recommend setting up Azure AD authentication over local usernames and passwords, as well as providing a certificate signed by a globally known and trusted certificate authority (CA).
+To improve security in your deployment, we recommend setting up Microsoft Entra authentication over local usernames and passwords, as well as providing a certificate signed by a globally known and trusted certificate authority (CA).
In this how-to guide, you'll learn how to use the Azure portal to change the authentication method and the certificate used for securing access to a site's local monitoring tools.
In this step, you'll navigate to the **Packet Core Control Plane** resource repr
Follow this step if you changed the authentication type for local monitoring access.
-If you switched from local usernames and passwords to Azure AD, follow the steps in [Enable Azure Active Directory (Azure AD) for local monitoring tools](enable-azure-active-directory.md).
+If you switched from local usernames and passwords to Microsoft Entra ID, follow the steps in [Enable Microsoft Entra ID for local monitoring tools](enable-azure-active-directory.md).
-If you switched from Azure AD to local usernames and passwords:
+If you switched from Microsoft Entra ID to local usernames and passwords:
1. Sign in to [Azure Cloud Shell](../cloud-shell/overview.md) and select **PowerShell**. If this is your first time accessing your cluster via Azure Cloud Shell, follow [Access your cluster](../azure-arc/kubernetes/cluster-connect.md?tabs=azure-cli) to configure kubectl access. 1. Delete the Kubernetes Secret Objects:
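Review bot: the procedure for switching from Microsoft Entra ID to local usernames and passwords only deletes the Kubernetes Secret Objects; the local monitoring app registration created in "Register application" (with its redirect URIs and credentials) is left in place without comment. Add a sentence telling the reader to either remove that app registration or keep it deliberately if they expect to switch back, so an unused credential is not left behind after the change.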
If you switched from Azure AD to local usernames and passwords:
## Next steps - [Learn more about the distributed tracing web GUI](distributed-tracing.md)-- [Learn more about the packet core dashboards](packet-core-dashboards.md)
+- [Learn more about the packet core dashboards](packet-core-dashboards.md)
private-5g-core Modify Packet Core https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/modify-packet-core.md
If you want to modify a packet core instance's local access configuration, follo
- If you want to make changes to the attached data networks, refer to [Collect data network values](collect-required-information-for-a-site.md#collect-data-network-values) to collect the new values and make sure they're in the correct format. - Ensure you can sign in to the Azure portal using an account with access to the active subscription you used to create your private mobile network. This account must have the built-in Contributor or Owner role at the subscription scope.-- If you use Azure Active Directory (Azure AD) to authenticate access to your local monitoring tools and you're making a change that requires a packet core reinstall, ensure your local machine has core kubectl access to the Azure Arc-enabled Kubernetes cluster. This requires a core kubeconfig file, which you can obtain by following [Core namespace access](set-up-kubectl-access.md#core-namespace-access).
+- If you use Microsoft Entra ID to authenticate access to your local monitoring tools and you're making a change that requires a packet core reinstall, ensure your local machine has core kubectl access to the Azure Arc-enabled Kubernetes cluster. This requires a core kubeconfig file, which you can obtain by following [Core namespace access](set-up-kubectl-access.md#core-namespace-access).
## Plan a maintenance window
If you're making any of these changes to a healthy packet core instance, we reco
The following list contains the data that will be lost over a packet core reinstall. If you're making a change that requires a reinstall, back up any information you'd like to preserve; after the reinstall, you can use this information to reconfigure your packet core instance. If your packet core instance is in **Uninstalled**, **Uninstalling** or **Failed** state, or if you're connecting an ASE device for the first time, you can skip this step and proceed to [Select the packet core instance to modify](#select-the-packet-core-instance-to-modify). 1. Depending on your authentication method when signing in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md):
- - If you use Azure AD, save a copy of the Kubernetes Secret Object YAML file you created in [Create Kubernetes Secret Objects](enable-azure-active-directory.md#create-kubernetes-secret-objects).
+ - If you use Microsoft Entra ID, save a copy of the Kubernetes Secret Object YAML file you created in [Create Kubernetes Secret Objects](enable-azure-active-directory.md#create-kubernetes-secret-objects).
- If you use local usernames and passwords and want to keep using the same credentials, save a copy of the current passwords to a secure location. 1. All traces are deleted during upgrade and cannot be retrieved. If you want to retain any traces, [export and save](distributed-tracing-share-traces.md#export-trace-from-the-distributed-tracing-web-gui) them securely before continuing. 1. Any customizations made to the packet core dashboards won't be carried over the reinstall. Refer to [Exporting a dashboard](https://grafana.com/docs/grafana/v6.1/reference/export_import/#exporting-a-dashboard) in the Grafana documentation to save a backed-up copy of your dashboards.
If you made changes that triggered a packet core reinstall, reconfigure your dep
1. Depending on your authentication method when signing in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md):
- - If you use Azure AD, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects).
+ - If you use Microsoft Entra ID, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects).
- If you use local usernames and passwords, follow [Access the distributed tracing web GUI](distributed-tracing.md#access-the-distributed-tracing-web-gui) and [Access the packet core dashboards](packet-core-dashboards.md#access-the-packet-core-dashboards) to restore access to your local monitoring tools. 1. If you backed up any packet core dashboards, follow [Importing a dashboard](https://grafana.com/docs/grafana/v6.1/reference/export_import/#importing-a-dashboard) in the Grafana documentation to restore them.
private-5g-core Packet Core Dashboards https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/packet-core-dashboards.md
The packet core dashboards are powered by *Grafana*, an open-source, metric anal
> [!TIP] > When signing in, if you see a warning in your browser that the connection isn't secure, you may be using a self-signed certificate to attest access to your local monitoring tools. We recommend following [Modify the local access configuration in a site](modify-local-access-configuration.md) to configure a custom HTTPS certificate signed by a globally known and trusted certificate authority.
-### Azure Active Directory
+<a name='azure-active-directory'></a>
-To sign in to the packet core dashboards if you enabled Azure Active Directory authentication:
+### Microsoft Entra ID
+
+To sign in to the packet core dashboards if you enabled Microsoft Entra authentication:
1. In your browser, enter https://*\<local monitoring domain\>*/grafana, where *\<local monitoring domain\>* is the domain name for your local monitoring tools that you set up in [Configure domain system name (DNS) for local monitoring IP](enable-azure-active-directory.md#configure-domain-system-name-dns-for-local-monitoring-ip). 1. Follow the prompts to sign in with your account credentials.
private-5g-core Private Mobile Network Design Requirements https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/private-mobile-network-design-requirements.md
Building enterprise networks using automation and other programmatic techniques
We recommend adopting a programmatic, *infrastructure as code* approach to your deployments. You can use templates or the Azure REST API to build your deployment using parameters as inputs with values that you have collected during the design phase of the project. You should save provisioning information such as SIM data, switch/router configuration, and network policies in machine-readable format so that, in the event of a failure, you can reapply the configuration in the same way as you originally did. Another best practice to recover from failure is to deploy a spare Azure Stack Edge server to minimize recovery time if the first unit fails; you can then use your saved templates and inputs to quickly recreate the deployment. For more information on deploying a network using templates, refer to [Quickstart: Deploy a private mobile network and site - ARM template](deploy-private-mobile-network-with-site-arm-template.md).
-You must also consider how you integrate other Azure products and services with the private enterprise network. These products include [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) and [role-based access control (RBAC)](../role-based-access-control/overview.md), where you must consider how tenants, subscriptions and resource permissions will align with the business model that exists between you and the enterprise, and as your own approach to customer system management. For example, you might use [Azure Blueprints](../governance/blueprints/overview.md) to set up the subscriptions and resource group model that works best for your organization.
+You must also consider how you integrate other Azure products and services with the private enterprise network. These products include [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md) and [role-based access control (RBAC)](../role-based-access-control/overview.md), where you must consider how tenants, subscriptions and resource permissions will align with the business model that exists between you and the enterprise, and as your own approach to customer system management. For example, you might use [Azure Blueprints](../governance/blueprints/overview.md) to set up the subscriptions and resource group model that works best for your organization.
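Review bot: in the rewritten paragraph, "the business model that exists between you and the enterprise, and as your own approach to customer system management" is ungrammatical; suggest "as well as your own approach to customer system management".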
## Next steps
private-5g-core Region Move Private Mobile Network Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/region-move-private-mobile-network-resources.md
You might move your resources to another region for a number of reasons. For exa
- Ensure Azure Private 5G Core supports the region to which you want to move your resources. Refer to [Products available by region](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=private-5g-core). - Verify pricing and charges associated with the target region to which you want to move your resources. - Choose a name for your new resource group in the target region. This must be different to the source region's resource group name.-- If you use Azure Active Directory (Azure AD) to authenticate access to your local monitoring tools, ensure your local machine has core kubectl access to the Azure Arc-enabled Kubernetes cluster. This requires a core kubeconfig file, which you can obtain by following [Core namespace access](set-up-kubectl-access.md#core-namespace-access).
+- If you use Microsoft Entra ID to authenticate access to your local monitoring tools, ensure your local machine has core kubectl access to the Azure Arc-enabled Kubernetes cluster. This requires a core kubeconfig file, which you can obtain by following [Core namespace access](set-up-kubectl-access.md#core-namespace-access).
## Back up deployment information
The following list contains the data that will be lost over the region move. Bac
1. For security reasons, your SIM configuration won't be carried over a region move. Refer to [Collect the required information for your SIMs](provision-sims-azure-portal.md#collect-the-required-information-for-your-sims) to take a backup of all the information you'll need to recreate your SIMs. 1. Depending on your authentication method when signing in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md):
- - If you use Azure AD, save a copy of the Kubernetes Secret Object YAML file you created in [Create Kubernetes Secret Objects](enable-azure-active-directory.md#create-kubernetes-secret-objects).
+ - If you use Microsoft Entra ID, save a copy of the Kubernetes Secret Object YAML file you created in [Create Kubernetes Secret Objects](enable-azure-active-directory.md#create-kubernetes-secret-objects).
- If you use local usernames and passwords and want to keep using the same credentials, save a copy of the current passwords to a secure location. 1. All traces are deleted during upgrade and cannot be retrieved. If you want to retain any traces, [export and save](distributed-tracing-share-traces.md#export-trace-from-the-distributed-tracing-web-gui) them securely before continuing.
Configure your deployment in the new region using the information you gathered i
1. Depending on your authentication method when signing in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md):
- - If you use Azure AD, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects).
+ - If you use Microsoft Entra ID, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects).
- If you use local usernames and passwords, follow [Access the distributed tracing web GUI](distributed-tracing.md#access-the-distributed-tracing-web-gui) and [Access the packet core dashboards](packet-core-dashboards.md#access-the-packet-core-dashboards) to restore access to your local monitoring tools. 1. If you backed up any packet core dashboards, follow [Importing a dashboard](https://grafana.com/docs/grafana/v6.1/reference/export_import/#importing-a-dashboard) in the Grafana documentation to restore them.
Use [Azure Monitor](monitor-private-5g-core-with-platform-metrics.md) or the [pa
## Next steps - If you no longer require a deployment in the source region, [delete the original resource group](../azure-resource-manager/management/manage-resource-groups-portal.md).-- Learn more about [reliability in Azure Private 5G Core](reliability-private-5g-core.md).
+- Learn more about [reliability in Azure Private 5G Core](reliability-private-5g-core.md).
private-5g-core Reinstall Packet Core https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/reinstall-packet-core.md
Reinstalling the packet core deletes the packet core instance and redeploys it w
- Ensure you can sign in to the Azure portal using an account with access to the active subscription you used to create your private mobile network. This account must have the built-in Contributor or Owner role at the subscription scope. - If your packet core instance is still handling requests from your UEs, we recommend performing the reinstall during a maintenance window to minimize the impact on your service. You should allow up to two hours for the reinstall process to complete.-- If you use Azure Active Directory (Azure AD) to authenticate access to your local monitoring tools, ensure your local machine has core kubectl access to the Azure Arc-enabled Kubernetes cluster. This requires a core kubeconfig file, which you can obtain by following [Core namespace access](set-up-kubectl-access.md#core-namespace-access).
+- If you use Microsoft Entra ID to authenticate access to your local monitoring tools, ensure your local machine has core kubectl access to the Azure Arc-enabled Kubernetes cluster. This requires a core kubeconfig file, which you can obtain by following [Core namespace access](set-up-kubectl-access.md#core-namespace-access).
## View the packet core instance's installation status
Follow this step to check the packet core instance's installation status and to
The following list contains the data that will be lost over a packet core reinstall. Back up any information you'd like to preserve; after the reinstall, you can use this information to reconfigure your packet core instance. 1. Depending on your authentication method when signing in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md):
- - If you use Azure AD, save a copy of the Kubernetes Secret Object YAML file you created in [Create Kubernetes Secret Objects](enable-azure-active-directory.md#create-kubernetes-secret-objects).
+ - If you use Microsoft Entra ID, save a copy of the Kubernetes Secret Object YAML file you created in [Create Kubernetes Secret Objects](enable-azure-active-directory.md#create-kubernetes-secret-objects).
- If you use local usernames and passwords and want to keep using the same credentials, save a copy of the current passwords to a secure location.  1. All traces are deleted during upgrade and cannot be retrieved. If you want to retain any traces, [export and save](distributed-tracing-share-traces.md#export-trace-from-the-distributed-tracing-web-gui) them securely before continuing. 1. Any customizations made to the packet core dashboards won't be carried over the reinstall. Refer to [Exporting a dashboard](https://grafana.com/docs/grafana/v6.1/reference/export_import/#exporting-a-dashboard) in the Grafana documentation to save a backed-up copy of your dashboards.
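Review bot: the unchanged context right after this rename still reads "All traces are deleted during upgrade and cannot be retrieved", but this is the reinstall article (the same list item in the two upgrade articles correctly says "upgrade"). Since this hunk already touches the backup list, change it to "deleted during reinstall" so readers of the reinstall procedure don't wonder whether the data-loss warning applies to them.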
Reconfigure your deployment using the information you gathered in [Back up deplo
1. Depending on your authentication method when signing in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md):
- - If you use Azure AD, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects).
+ - If you use Microsoft Entra ID, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects).
- If you use local usernames and passwords, follow [Access the distributed tracing web GUI](distributed-tracing.md#access-the-distributed-tracing-web-gui) and [Access the packet core dashboards](packet-core-dashboards.md#access-the-packet-core-dashboards) to restore access to your local monitoring tools. 1. If you backed up any packet core dashboards, follow [Importing a dashboard](https://grafana.com/docs/grafana/v6.1/reference/export_import/#importing-a-dashboard) in the Grafana documentation to restore them.
private-5g-core Security https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/security.md
For more information on how to generate a Key Vault certificate, see [Certificat
### Access authentication
-You can use [Azure Active Directory (Azure AD)](../active-directory/authentication/overview-authentication.md) or a local username and password to access the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md).
+You can use [Microsoft Entra ID](../active-directory/authentication/overview-authentication.md) or a local username and password to access the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md).
-Azure AD allows you to natively authenticate using passwordless methods to simplify the sign-in experience and reduce the risk of attacks. Therefore, to improve security in your deployment, we recommend setting up Azure AD authentication over local usernames and passwords.
+Microsoft Entra ID allows you to natively authenticate using passwordless methods to simplify the sign-in experience and reduce the risk of attacks. Therefore, to improve security in your deployment, we recommend setting up Microsoft Entra authentication over local usernames and passwords.
-If you decide to set up Azure AD for local monitoring access, after deploying a mobile network site, you'll need to follow the steps in [Enable Azure Active Directory (Azure AD) for local monitoring tools](enable-azure-active-directory.md).
+If you decide to set up Microsoft Entra ID for local monitoring access, after deploying a mobile network site, you'll need to follow the steps in [Enable Microsoft Entra ID for local monitoring tools](enable-azure-active-directory.md).
See [Choose the authentication method for local monitoring tools](collect-required-information-for-a-site.md#choose-the-authentication-method-for-local-monitoring-tools) for additional information on configuring local monitoring access authentication. ## Next steps -- [Deploy a private mobile network - Azure portal](how-to-guide-deploy-a-private-mobile-network-azure-portal.md)
+- [Deploy a private mobile network - Azure portal](how-to-guide-deploy-a-private-mobile-network-azure-portal.md)
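Review bot: the final `-`/`+` pair under "Next steps" is identical on both sides ("- [Deploy a private mobile network - Azure portal](how-to-guide-deploy-a-private-mobile-network-azure-portal.md)"), so it is a whitespace-only change; either drop it or keep the trailing-whitespace cleanup in a separate commit so the Entra ID rename diff stays easy to audit. The substantive lines are fine: the recommendation to prefer Microsoft Entra authentication over local usernames and passwords is preserved, and the "Microsoft Entra ID" / "Microsoft Entra authentication" wording follows the product naming.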
private-5g-core Set Up Kubectl Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/set-up-kubectl-access.md
# Set up kubectl access
-This how-to guide explains how to obtain the necessary *kubeconfig* files as needed for other procedures. The read-only file is sufficient to view cluster configuration. The core namespace file is needed for operations such as modifying local or Azure Active Directory authentication, or for gathering packet capture.
+This how-to guide explains how to obtain the necessary *kubeconfig* files as needed for other procedures. The read-only file is sufficient to view cluster configuration. The core namespace file is needed for operations such as modifying local or Microsoft Entra authentication, or for gathering packet capture.
## Read-only access
The downloaded file is called *config.json*. This file has permission to describ
## Core namespace access
-The Azure Private 5G Core deployment uses the *core* namespace. For operations such as modifying local or Azure Active Directory authentication, or for gathering packet capture, you need a *kubeconfig* file with full access to the *core* namespace. To download this file set up a minishell session and run the necessary commands as directed in this section.
+The Azure Private 5G Core deployment uses the *core* namespace. For operations such as modifying local or Microsoft Entra authentication, or for gathering packet capture, you need a *kubeconfig* file with full access to the *core* namespace. To download this file set up a minishell session and run the necessary commands as directed in this section.
You only need to perform this procedure once. If you've done this procedure before you can use the previously saved *kubeconfig* file.
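Review bot: missing comma in the `+` line: "To download this file, set up a minishell session and run the necessary commands as directed in this section." Separately, this section describes a kubeconfig with full access to the *core* namespace and then tells readers they can reuse a previously saved copy, so it should add one sentence saying to keep the file in a protected location and treat it as a credential, the same way the article treats the Kubernetes Secret Object YAML elsewhere.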
For more information, see [Configure cluster access via Kubernetes RBAC](../data
## Next steps - Save the *kubeconfig* file so it's available to use if you need it in the future.-- If you need the *kubeconfig* file as part of completing a different procedure (such as to set up Azure Active Directory authentication), return to that procedure and continue.
+- If you need the *kubeconfig* file as part of completing a different procedure (such as to set up Microsoft Entra authentication), return to that procedure and continue.
private-5g-core Upgrade Packet Core Arm Template https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/upgrade-packet-core-arm-template.md
If your environment meets the prerequisites, you're familiar with using ARM temp
- You must have a running packet core. Use Azure monitor platform metrics or the packet core dashboards to confirm your packet core instance is operating normally. - Ensure you can sign in to the Azure portal using an account with access to the active subscription you used to create your private mobile network. This account must have the built-in Contributor or Owner role at the subscription scope. - Identify the name of the site that hosts the packet core instance you want to upgrade.-- If you use Azure Active Directory (Azure AD) to authenticate access to your local monitoring tools, ensure your local machine has core kubectl access to the Azure Arc-enabled Kubernetes cluster. This requires a core kubeconfig file, which you can obtain by following [Core namespace access](set-up-kubectl-access.md#core-namespace-access).
+- If you use Microsoft Entra ID to authenticate access to your local monitoring tools, ensure your local machine has core kubectl access to the Azure Arc-enabled Kubernetes cluster. This requires a core kubeconfig file, which you can obtain by following [Core namespace access](set-up-kubectl-access.md#core-namespace-access).
## Review the template
In addition, consider the following points for pre- and post-upgrade steps you m
The following list contains the data that will be lost over a packet core upgrade. Back up any information you'd like to preserve; after the upgrade, you can use this information to reconfigure your packet core instance. 1. Depending on your authentication method when signing in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md):
- - If you use Azure AD, save a copy of the Kubernetes Secret Object YAML file you created in [Create Kubernetes Secret Objects](enable-azure-active-directory.md#create-kubernetes-secret-objects).
+ - If you use Microsoft Entra ID, save a copy of the Kubernetes Secret Object YAML file you created in [Create Kubernetes Secret Objects](enable-azure-active-directory.md#create-kubernetes-secret-objects).
- If you use local usernames and passwords and want to keep using the same credentials, save a copy of the current passwords to a secure location.  1. All traces are deleted during upgrade and cannot be retrieved. If you want to retain any traces, [export and save](distributed-tracing-share-traces.md#export-trace-from-the-distributed-tracing-web-gui) them securely before continuing. 1. Any customizations made to the packet core dashboards won't be carried over the upgrade. Refer to [Exporting a dashboard](https://grafana.com/docs/grafana/v6.1/reference/export_import/#exporting-a-dashboard) in the Grafana documentation to save a backed-up copy of your dashboards.
Reconfigure your deployment using the information you gathered in [Back up deplo
1. Depending on your authentication method when signing in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md):
- - If you use Azure AD, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects).
+ - If you use Microsoft Entra ID, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects).
- If you use local usernames and passwords, follow [Access the distributed tracing web GUI](distributed-tracing.md#access-the-distributed-tracing-web-gui) and [Access the packet core dashboards](packet-core-dashboards.md#access-the-packet-core-dashboards) to restore access to your local monitoring tools. 1. If you backed up any packet core dashboards, follow [Importing a dashboard](https://grafana.com/docs/grafana/v6.1/reference/export_import/#importing-a-dashboard) in the Grafana documentation to restore them.
private-5g-core Upgrade Packet Core Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-5g-core/upgrade-packet-core-azure-portal.md
If your deployment contains multiple sites, we recommend upgrading the packet co
- You must have a running packet core. Use Azure monitor platform metrics or the packet core dashboards to confirm your packet core instance is operating normally. - Ensure you can sign in to the Azure portal using an account with access to the active subscription you used to create your private mobile network. This account must have the built-in Contributor or Owner role at the subscription scope.-- If you use Azure Active Directory (Azure AD) to authenticate access to your local monitoring tools, ensure your local machine has core kubectl access to the Azure Arc-enabled Kubernetes cluster. This requires a core kubeconfig file, which you can obtain by following [Core namespace access](set-up-kubectl-access.md#core-namespace-access).
+- If you use Microsoft Entra ID to authenticate access to your local monitoring tools, ensure your local machine has core kubectl access to the Azure Arc-enabled Kubernetes cluster. This requires a core kubeconfig file, which you can obtain by following [Core namespace access](set-up-kubectl-access.md#core-namespace-access).
## View the current packet core version
In addition, consider the following points for pre- and post-upgrade steps you m
The following list contains the data that will be lost over a packet core upgrade. Back up any information you'd like to preserve; after the upgrade, you can use this information to reconfigure your packet core instance. 1. Depending on your authentication method when signing in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md):
- - If you use Azure AD, save a copy of the Kubernetes Secret Object YAML file you created in [Create Kubernetes Secret Objects](enable-azure-active-directory.md#create-kubernetes-secret-objects).
+ - If you use Microsoft Entra ID, save a copy of the Kubernetes Secret Object YAML file you created in [Create Kubernetes Secret Objects](enable-azure-active-directory.md#create-kubernetes-secret-objects).
- If you use local usernames and passwords and want to keep using the same credentials, save a copy of the current passwords to a secure location. 1. All traces are deleted during upgrade and cannot be retrieved. If you want to retain any traces, [export and save](distributed-tracing-share-traces.md#export-trace-from-the-distributed-tracing-web-gui) them securely before continuing. 1. Any customizations made to the packet core dashboards won't be carried over the upgrade. Refer to [Exporting a dashboard](https://grafana.com/docs/grafana/v6.1/reference/export_import/#exporting-a-dashboard) in the Grafana documentation to save a backed-up copy of your dashboards.
Reconfigure your deployment using the information you gathered in [Back up deplo
1. Depending on your authentication method when signing in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md):
- - If you use Azure AD, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects).
+ - If you use Microsoft Entra ID, [reapply the Secret Object for distributed tracing and the packet core dashboards](enable-azure-active-directory.md#apply-kubernetes-secret-objects).
- If you use local usernames and passwords, follow [Access the distributed tracing web GUI](distributed-tracing.md#access-the-distributed-tracing-web-gui) and [Access the packet core dashboards](packet-core-dashboards.md#access-the-packet-core-dashboards) to restore access to your local monitoring tools. 1. If you backed up any packet core dashboards, follow [Importing a dashboard](https://grafana.com/docs/grafana/v6.1/reference/export_import/#importing-a-dashboard) in the Grafana documentation to restore them.
private-link Private Endpoint Dns https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/private-link/private-endpoint-dns.md
Previously updated : 05/26/2023 Last updated : 10/11/2023
You can use the following options to configure your DNS settings for private end
> It is not recommended to override a zone that's actively in use to resolve public endpoints. Connections to resources won't be able to resolve correctly without DNS forwarding to the public DNS. To avoid issues, create a different domain name or follow the suggested name for each service below. > [!IMPORTANT]
-> Existing Private DNS Zones tied to a single service should not be associated with two different Private Endpoints as it will not be possible to properly resolve two different A-Records that point to the same service. However, Private DNS Zones tied to multiple services would not face this resolution constraint.
+> Existing Private DNS Zones linked to a single service should not be associated with two different Private Endpoints. This will cause a deletion of the initial A-record and result in resolution issue when attempting to access that service from each respective Private Endpoint. However, linking a Private DNS Zones with private endpoints associated with different services would not face this resolution constraint.
## Azure services DNS zone configuration
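Review bot: grammar in the new IMPORTANT text: "result in resolution issue" should be "result in resolution issues", and "linking a Private DNS Zones with private endpoints" should be "linking a Private DNS Zone with private endpoints". The rewrite is otherwise an improvement, because it names the actual failure mode (the first Private Endpoint's A-record is deleted when a second one is associated with the same single-service zone) instead of the vague "will not be possible to properly resolve", which is what an operator needs in order to recognize the symptom.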
Your applications don't need to change the connection URL. When resolving to a p
> [!IMPORTANT] > * Private networks already using the private DNS zone for a given type, can only connect to public resources if they don't have any private endpoint connections, otherwise a corresponding DNS configuration is required on the private DNS zone in order to complete the DNS resolution sequence.
-> * Private endpoint private DNS zone configurations will only automatically generate if you use the recommended naming scheme in the table below.
+> * Private endpoint private DNS zone configurations will only automatically generate if you use the recommended naming scheme in the following table.
For Azure services, use the recommended zone names as described in the following table:
Based on your preferences, the following scenarios are available with DNS resolu
## Virtual network workloads without custom DNS server
-This configuration is appropriate for virtual network workloads without a custom DNS server. In this scenario, the client queries for the private endpoint IP address to the Azure-provided DNS service [168.63.129.16](../virtual-network/what-is-ip-address-168-63-129-16.md). Azure DNS will be responsible for DNS resolution of the private DNS zones.
+This configuration is appropriate for virtual network workloads without a custom DNS server. In this scenario, the client queries for the private endpoint IP address to the Azure-provided DNS service [168.63.129.16](../virtual-network/what-is-ip-address-168-63-129-16.md). Azure DNS is responsible for DNS resolution of the private DNS zones.
> [!NOTE] > This scenario uses the Azure SQL Database-recommended private DNS zone. For other services, you can adjust the model using the following reference: [Azure services DNS zone configuration](#azure-services-dns-zone-configuration).
The following diagram shows the DNS resolution for both networks, on-prem
## Private DNS zone group
-If you choose to integrate your private endpoint with a private DNS zone, a private DNS zone group is also created. The DNS zone group is a strong association between the private DNS zone and the private endpoint that helps auto-updating the private DNS zone when there is an update on the private endpoint. For example, when you add or remove regions, the private DNS zone is automatically updated.
+If you choose to integrate your private endpoint with a private DNS zone, a private DNS zone group is also created. The DNS zone group has a strong association between the private DNS zone and the private endpoint. It helps with managing the private DNS zone records when there's an update on the private endpoint. For example, when you add or remove regions, the private DNS zone is automatically updated with the correct number of records.
Previously, the DNS records for the private endpoint were created via scripting (retrieving certain information about the private endpoint and then adding it on the DNS zone). With the DNS zone group, there is no need to write any additional CLI/PowerShell lines for every DNS zone. Also, when you delete the private endpoint, all the DNS records within the DNS zone group will be deleted as well.
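Review bot: "The DNS zone group has a strong association between the private DNS zone and the private endpoint" reads oddly; the original "is a strong association between" or "creates a strong association between ... and ..." is clearer. The added "with the correct number of records" is a useful clarification and should stay.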
A common scenario for DNS zone group is in a hub-and-spoke topology, where it al
> [!NOTE] > Adding multiple DNS zone groups to a single Private Endpoint is not supported.
+> [!NOTE]
+> Delete and update operations for DNS records can be seen performed by "Azure Traffic Manager and DNS." This is a normal platform operation necessary for managing your DNS Records.
+ ## Next steps - [Learn about private endpoints](private-endpoint-overview.md)
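Review bot: "can be seen performed by" in the new NOTE is awkward and does not say where the operations are visible; suggest "Delete and update operations for DNS records appear as performed by "Azure Traffic Manager and DNS"." and name the log in which readers will see that caller. The point of this note is to stop someone from treating the platform's own record changes as an unauthorized modification of their private DNS zone, so being explicit about where the caller name shows up is what makes it actionable.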
public-multi-access-edge-compute-mec Considerations For Deployment https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/public-multi-access-edge-compute-mec/considerations-for-deployment.md
The following sections show some examples.
#### Identity services -- Azure Active Directory
+- Microsoft Entra ID
#### Secrets management
public-multi-access-edge-compute-mec Tutorial Create Vm Using Go Sdk https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/public-multi-access-edge-compute-mec/tutorial-create-vm-using-go-sdk.md
Obtain these values from the portal by following these instructions:
- Get Client ID / Client Secret / Tenant ID
- For information on how to get Client ID, Client Secret, and Tenant ID, see [Create an Azure Active Directory application and service principal that can access resources](/azure/active-directory/develop/howto-create-service-principal-portal).
+ For information on how to get Client ID, Client Secret, and Tenant ID, see [Create a Microsoft Entra application and service principal that can access resources](/azure/active-directory/develop/howto-create-service-principal-portal).
- Setting Environment Variables
quotas How To Guide Monitoring Alerting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/quotas/how-to-guide-monitoring-alerting.md
+
+ Title: Monitoring and alerting - how to guide
+description: Learn how to create alerts for quotas
Last updated : 10/11/2023+++
+# Monitoring & Alerting: How-To Guide
+
+## Create an alert rule
+
+#### Prerequisite
+
+| Requirement | Description |
+|:--|:--|
+| Access to Create Alerts | Users who are creating Alert should have [Access to Create Alert](../azure-monitor/alerts/alerts-overview.md#azure-role-based-access-control-for-alerts) |
+| [Managed Identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azp) | When utilizing an existing Managed Identity, ensure it has **Subscription Reader** access for accessing usage data. In cases where a new Managed Identity is generated, the Subscription **Owner** is responsible for **granting** Subscription **Reader** access to this newly created Managed Identity. |
++
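Review bot: heading levels skip from "## Create an alert rule" straight to "#### Prerequisite"; use "### Prerequisites" (plural, to match "Refer to the prerequisites" later in the article). Grammar in the first table row: "Users who are creating Alert should have" should be "Users who create alerts must have". The Managed Identity row is the important security content and correctly limits the identity to Subscription Reader; it should also mention the read access on the Log Analytics workspace that the portal table later lists, so readers don't grant more than those two scopes.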
+### Create Alerts from Portal
+
+Step-by-Step instructions to create an alert rule for your quota in the Azure portal.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) and enter **"quotas"** in the search box, then select **Quotas**. In Quotas page, Click **My quotas** and choose **Compute** Resource Provider. Upon page load, you can choose `Quota Name` for creating new alert rule.
+
+ :::image type="content" source="media/monitoring-alerting/my-quotas-create-rule-navigation-inline.png" alt-text="Screenshot showing how to select Quotas to navigate to create Alert rule screen." lightbox="media/monitoring-alerting/my-quotas-create-rule-navigation-expanded.png":::
+
+2. When the Create usage alert rule page appears, **populate the fields** with data as shown in the table. Make sure you have the **right access** to the subscriptions and Quotas to **create alerts**.
+
+ :::image type="content" source="media/monitoring-alerting/quota-details-create-rule-inline.png" alt-text="Screenshot showing create Alert rule screen with required fields." lightbox="media/monitoring-alerting/quota-details-create-rule-expanded.png":::
+
+ | **Fields** | **Description** |
+ |:--|:--|
+ | Alert Rule Name | Alert rule name must be **distinct** and can't be duplicated, even across different resource groups |
+ | Alert me when the usage % reaches | **Adjust** the slider to select your desired usage percentage for **triggering** alerts. For example, at the default 80%, you receive an alert when your quota reaches 80% capacity.|
+ | Severity | Select the **severity** of the alert when the **ruleΓÇÖs condition** is met.|
+ | [Frequency of evaluation](../azure-monitor/alerts/alerts-overview.md#stateful-alerts) | Choose how **often** the alert rule should **run**, by selecting 5, 10, or 15 minutes. If the frequency is smaller than the aggregation granularity, frequency of evaluation results in sliding window evaluation. |
+ | [Resource Group](../azure-resource-manager/management/manage-resource-groups-portal.md) | Resource Group is a collection of resources that share the same lifecycles, permissions, and policies. Select a resource group similar to other quotas in your subscription, or create a new resource group. |
+ | [Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md?tabs=azure-portal) | A workspace within the subscription that is being **monitored** and is used as the **scope for rule execution**. Select from the dropdown or create a new workspace. If you create a new workspace, use it for all alerts in your subscription. |
+ | [Managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azp) | Select from the dropdown, or **Create New**. Managed Identity should have **read permissions** to the Subscription (to read Usage data from ARG) and Log Analytics workspace that is chosen(to read the log alerts). |
+ | Notify me by | There are three notifications methods and you can check one or all three check boxes, depending on your notification preference. |
+ | [Use an existing action group](../azure-monitor/alerts/action-groups.md) | Check the box to use an existing action group. An action group **invokes** a defined set of **notifications** and actions when an alert is triggered. You can create Action Group to automatically Increase the Quota whenever possible. |
+ | [Dimensions](../azure-monitor/alerts/alerts-types.md#dimensions-in-log-alert-rules) | Here are the options for selecting **multiple Quotas** and **regions** within a single alert rule. Adding dimensions is a cost-effective approach compared to creating a new alert for each quota or region.|
+ | [Estimated cost](https://azure.microsoft.com/pricing/details/monitor/) |Estimated cost is automatically calculated cost associated with running this **new alert rule** against your quota. Each alert creation costs $0.50 USD, and each additional dimension adds $0.05 USD to the cost. |
+
+ > [!TIP]
+ > We advise using the **same Resource Group, Log Analytics Workspace,** and **Managed Identity** data that were initially employed when creating your first alert rule for quotas within the same subscription.
+
+3. After completing entering the fields, click the **Create Alert** button
+
+ - If **Successful**, you receive the following notification: 'We successfully created 'alert rule name' and 'Action Group 'name' was successfully created.'
+
+ - If the **Alert fails**, you receive an 'Alert rule failed to create' notification. Ensure that you verify the necessary access **permissions** given for the Log Analytics or Managed Identity. Refer to the prerequisites."
++
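Review bot: mojibake in the Severity row: "ruleΓÇÖs condition" is a UTF-8 apostrophe decoded as code page 437; it should read "rule's condition". Other small fixes in this table and the steps: "chosen(to read the log alerts)" needs a space before the parenthesis; step 3 "After completing entering the fields" should be "After entering the fields" and should end with a period; the failure bullet ends with a stray closing quotation mark after "Refer to the prerequisites." The TIP to reuse the same Resource Group, workspace and Managed Identity for later rules is good advice and keeps the number of privileged identities in the subscription down.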
+### Create Alerts using API
+
+Alerts can be created programmatically using existing [**Monitoring API**]
+(https://learn.microsoft.com/rest/api/monitor/scheduledqueryrule-2018-04-16/scheduled-query-rules/create-or-update?tabs=HTTP).
+
+Monitoring API helps to **create or update log search rule**.
+
+`PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Insights/scheduledQueryRules/{ruleName}?api-version=2018-04-16`
+
+#### Sample Request body
+
+```json
+{
+ "location": "westus2",
+ "identity": {
+ "type": "UserAssigned",
+ "userAssignedIdentities": {
+ "/subscriptions/<SubscriptionId>/resourcegroups/<ResourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<ManagedIdentityName>": {}
+ }
+ },
+ "properties": {
+ "severity": 4,
+ "enabled": true,
+ "evaluationFrequency": "PT15M",
+ "scopes": ["/subscriptions/<SubscriptionID>/resourcegroups/<rg>/providers/microsoft.operationalinsights/workspaces/<LogAnalyticsWorkspace>"],
+ "windowSize": "PT15M",
+ "criteria": {
+ "allOf": [{
+ "query": "arg(\"\").QuotaResources \n| where subscriptionId =~ '<SubscriptionId'\n| where type =~ 'microsoft.compute/locations/usages'\n| where isnotempty(properties)\n| mv-expand propertyJson = properties.value limit 400\n| extend\n usage = propertyJson.currentValue,\n quota = propertyJson.['limit'],\n quotaName = tostring(propertyJson.['name'].value)\n| extend usagePercent = toint(usage)*100 / toint(quota)| project-away properties| where location in~ ('westus2')| where quotaName in~ ('cores')",
+ "timeAggregation": "Maximum",
+ "metricMeasureColumn": "usagePercent",
+ "operator": "GreaterThanOrEqual",
+ "threshold": 3,
+ "dimensions": [{
+ "name": "type",
+ "operator": "Include",
+ "values": ["microsoft.compute/locations/usages"]
+ }, {
+ "name": "location",
+ "operator": "Include",
+ "values": ["westus2"]
+ }, {
+ "name": "quotaName",
+ "operator": "Include",
+ "values": ["cores"]
+ }],
+ "failingPeriods": {
+ "numberOfEvaluationPeriods": 1,
+ "minFailingPeriodsToAlert": 1
+ }
+ }]
+ },
+ "actions": {
+ "actionGroups": ["/subscriptions/<SubscriptionId>/resourcegroups/argintrg/providers/microsoft.insights/actiongroups/<ActionGroupName>"]
+ }
+ }
+}
+```
++
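Review bot: the markdown link to the Monitoring API is split across two lines ("[**Monitoring API**]" then "(https://...)" on the next line), which renders as literal text rather than a link; join them on one line. In the sample body: the query contains "'<SubscriptionId'" without the closing ">" (compare "<SubscriptionId>" in the identity path), "scopes" uses "<SubscriptionID>" while the rest of the body uses "<SubscriptionId>", and the actionGroups path hard-codes a real-looking resource group "argintrg" where "<ResourceGroupName>" belongs. Also, "threshold": 3 fires when usage reaches 3 percent, which contradicts the 80 percent default described in the portal steps; use 80, or say the value is deliberately low for testing.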
+### Create Alerts using ARG Query
+
+Use existing **Azure Monitor Alerts** blade to [create alerts using query](../azure-monitor/alerts/alerts-create-new-alert-rule.md?tabs=log). **Resource Graph Explorer** allows you to run and test queries before using them to create an alert. To learn on how to create Alerts using Alerts page visit this [Tutorial](/training/modules/configure-azure-alerts/?source=recommendations).
+
+For Quota alerts, make sure Scope is selected as the Log analytics workspace that is created and the signal type is Customer Query log. Add **Sample Query** for Quota usages. Follow the remaining steps as mentioned in the [create alerts](../azure-monitor/alerts/alerts-create-new-alert-rule.md?tabs=log).
+
+>[!Note]
+>Our **recommendation** for creating alerts in the Portal is to use the **Quota Alerts page**, as it offers the simplest and most user-friendly approach.
+
+#### Sample Query to create Alerts
+```kusto
+arg("").QuotaResources
+| where subscriptionId =~ '<SubscriptionId>'
+| where type =~ 'microsoft.compute/locations/usages'
+| where isnotempty(properties)
+| mv-expand propertyJson = properties.value limit 400
+| extend
+ usage = propertyJson.currentValue,
+ quota = propertyJson.['limit'],
+ quotaName = tostring(propertyJson.['name'].value)
+| extend usagePercent = toint(usage)*100 / toint(quota)| project-away properties| where location in~ ('westus2')| where quotaName in~ ('cores')
+```
+
+## Manage Quota Alerts
+
+### View Alert Rules
+
+Select **Quotas** | **Alert Rules** to see all the rules create for a given subscription. Here, you have the option to edit, enable, or disable them as needed.
+
+ :::image type="content" source="media/monitoring-alerting/view-alert-rules-inline.png" alt-text="Screenshot showing how to navigate to Alert rule screen." lightbox="media/monitoring-alerting/view-alert-rules-expanded.png":::
+
+### View Fired Alerts
+
+Select **Quotas** | **Fired Alert Rules** to see all the alerts that have been fired create for a given subscription. This page displays an overview of all the alert rules that have been triggered. You can click on each alert to view its details, including the history of how many times it was triggered and the status of each occurrence.
+
+ :::image type="content" source="media/monitoring-alerting/view-fired-alerts-inline.png" alt-text="Screenshot showing how to navigate to Fired Alert screen." lightbox="media/monitoring-alerting/view-fired-alerts-expanded.png":::
+
+### Edit, Update, Enable, Disable Alerts
+
+Multiple ways we can manage the create alerts
+1. Expand the options below the dots and select appropriate action.
+
+ :::image type="content" source="media/monitoring-alerting/edit-enable-disable-delete-inline.png" alt-text="Screenshot showing how to edit , enable, disable or delete alert rules." lightbox="media/monitoring-alerting/edit-enable-disable-delete-expanded.png":::
+
+ By using the 'Edit' action, users can also add multiple quotas or locations for the same alert rule.
+
+ :::image type="content" source="media/monitoring-alerting/edit-dimension-inline.png" alt-text="Screenshot showing how to add dimensions while editing a quota rule." lightbox="media/monitoring-alerting/edit-dimension-expanded.png":::
+
+2. Go to **Alert Rules**, then click on the specific alert rule you want to change.
+
+ :::image type="content" source="media/monitoring-alerting/alert-rule-edit-inline.png" alt-text="Screenshot showing how to edit rules from Alert Rule screen." lightbox="media/monitoring-alerting/alert-rule-edit-expanded.png":::
+
+
+## Respond to Alerts
+
+For the created alerts, an action group can be established to automate quota increases. By utilizing existing action groups, users can invoke the Quota API to automatically increase quotas wherever possible, eliminating the need for manual intervention.
+
+Refer the following link for detailed instructions on how to utilize functions to call the Quota API and request for more quota
+
+GitHub link to call [Quota API](https://github.com/allison-inman/azure-sdk-for-net/blob/main/sdk/quota/Microsoft.Azure.Management.Quota/tests/ScenarioTests/QuotaTests.cs)
+
+Use `Test_SetQuota()` code to write an Azure function to set the Quota.
+
+## Query using Resource Graph Explorer
+
+Using [Azure Resource Graph](../governance/resource-graph/overview.md), Alerts can be [Managed programatically](../azure-monitor/alerts/alerts-manage-alert-instances.md#manage-your-alerts-programmatically) where you can query your alerts instances and analyze your alerts to identify patterns and trends.
+For Usages, the **QuotaResources** table in [Azure Resource Graph](../governance/resource-graph/overview.md) explorer provides **usage and limit/quota data** for a given resource x region x subscription. Customers can query usage and quota data across multiple subscriptions with Azure Resource Graph queries.
+
+As a **prerequisite**, users must have at least a **Subscription Reader** role for the subscription.
+
+#### Sample Query
+
+1. Query Compute resources current usages, quota/limit, and usage percentage for a subscription(s) x region x VM family
+
+```kusto
+QuotaResources
+| where type =~ "microsoft.compute/locations/usages"
+| where location =~ "northeurope" or location =~ "westeurope"
+| where subscriptionId in~ ("<Subscription1>","<Subscription2>")
+| mv-expand json = properties.value limit 400
+| extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue)
+|where usagevCPUs > 0
+|extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit)
+|project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,json
+| order by ['usagePercent'] desc
+```
+
+2. Query to Summarize total vCPUs (On-demand, Low Priority/Spot) per subscription per region
+
+```kusto
+QuotaResources
+| where type =~ "microsoft.compute/locations/usages"
+| where subscriptionId in~ ("<Subscription1>","<Subscription2>")
+| mv-expand json = properties.value limit 400
+| extend usagevCPUs = json.currentValue, QuotaLimit = json['limit'], quotaName = tostring(json['name'].localizedValue)
+|extend usagePercent = toint(usagevCPUs)*100 / toint(QuotaLimit)
+|where quotaName =~ "Total Regional vCPUs" or quotaName =~ "Total Regional Low-priority vCPUs"
+|project subscriptionId,quotaName,usagevCPUs,QuotaLimit,usagePercent,location,['json']
+| order by ['usagePercent'] desc
+```
+
+## Provide Feedback
+
+User can find **Feedback** button on every Quota page and can use to share thoughts, questions, or concerns with our team. Additionally, Users can submit a support ticket if they encounter any problem while creating alert rules for quotas.
+++
+## Next steps
+
+- Learn about [Monitoring and Alerting](monitoring-alerting.md)
+- Learn more about [Quota overview](quotas-overview.md) and [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md).
+- Learn how to request increases for [VM-family vCPU quotas](per-vm-quota-requests.md), [vCPU quotas by region](regional-quota-requests.md), [spot vCPU quotas](spot-quota.md), and [storage accounts](storage-account-quota-requests.md).
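Review bot: The 'Respond to Alerts' section sends readers to a test file in a personal fork (`https://github.com/allison-inman/azure-sdk-for-net/.../QuotaTests.cs`) and tells them to reuse `Test_SetQuota()`, which is a unit-test method, not a sample; link to an official Quota SDK sample instead and state which role the function's identity needs to call the Quota API, since the doc is describing an automation that raises quotas without manual intervention. In the same hunk, the 'Sample Query to create Alerts' block collapses four operators onto one line (`| extend usagePercent = toint(usage)*100 / toint(quota)| project-away properties| where location in~ ('westus2')| where quotaName in~ ('cores')`); put each `|` operator on its own line as the two Resource Graph queries do, and use one pipe style (`|where` and `| where` both appear there). Copy fixes needed: 'all the rules create for a given subscription' and 'alerts that have been fired create for' (created), 'Multiple ways we can manage the create alerts' (for example 'You can manage the created alerts in several ways:'), 'Refer the following link' (Refer to), 'programatically' (programmatically), 'User can find **Feedback** button ... and can use to share' (Users can find the **Feedback** button ... and use it to share), and the alt text 'how to edit , enable' has a stray space before the comma.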
quotas Monitoring Alerting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/quotas/monitoring-alerting.md
+
+ Title: Quota monitoring & alerting
+description: Monitoring and Alerting for Quota Usages.
Last updated : 10/11/2023+++
+# Quota Monitoring and Alerting
+
+**Monitoring and Alerting** in Azure provides real-time insights into resource utilization, enabling proactive issue resolution and resource optimization.It helps detect anomalies and potential issues before they impact services, ensuring uninterrupted operations.
+
+To view the features on **Quotas** page, sign in to the [Azure portal](https://portal.azure.com) and enter "quotas" into the search box, then select **Quotas**.
+
+> [!NOTE]
+> When Monitoring & Alerting is enabled for your account, the Quotas in **MyQuotas** will be highlighted and clickable.
+
+## Monitoring
+
+**Monitoring for quotas** empowers users to proactively manage their resources in Azure. Azure sets predefined limits, or quotas, for various resources like **Compute**, **Azure Machine Learning**, and **HPC Cache**. This monitoring involves continuous tracking of resource usage to ensure it remains within allocated limits, with users receiving notifications when these limits are approached or reached.
+
+## Alerting
+
+**Quota alerts** in Azure are notifications triggered when the usage of a specific Azure resource nears the **predefined quota limit**. These alerts are crucial for informing Azure users and administrators about resource consumption, facilitating proactive resource management. AzureΓÇÖs alert rule capabilities allow you to create multiple alert rules for a given quota or across quotas in your subscription.
+
+> [!NOTE]
+> [General Role based access control](../azure-monitor/alerts/alerts-overview.md#azure-role-based-access-control-for-alerts) applies while creating alerts.
++
+## Next steps
+
+- Learn [how to Create Quota alert](how-to-guide-monitoring-alerting.md).
+- Learn more about [Alerts](../azure-monitor/alerts/alerts-overview.md)
+- Learn about [Azure Resource Graph](../governance/resource-graph/overview.md)
+
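Review bot: 'AzureΓÇÖs alert rule capabilities' in the Alerting paragraph contains a mis-encoded apostrophe (`ΓÇÖ` is a UTF-8 right single quote decoded as code page 437); replace it with a plain `Azure's` so the rendered page does not show garbage characters. Also in this hunk, 'resource optimization.It helps' is missing a space after the period, and the note's link text 'General Role based access control' should be 'role-based access control' to match the target anchor `#azure-role-based-access-control-for-alerts`.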
quotas Quotas Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/quotas/quotas-overview.md
Quotas were previously referred to as limits. Quotas do have limits, but the lim
> [!NOTE] > There is no cost associated with requesting a quota increase. Costs are incurred based on resource usage, not the quotas themselves.
+## Usage Alerts
+
+The Quotas page allows you to [Monitor & Create Alerts](monitoring-alerting.md) for specific Quotas, enabling you to receive notifications when the usage reaches predefined thresholds.
+ ## Adjustable and non-adjustable quotas Quotas can be adjustable or non-adjustable.
Different entry points, data views, actions, and programming options are availab
## Next steps - Learn more about [viewing quotas in the Azure portal](view-quotas.md).
+- Learn more about [Monitoring & Creating Alerts](how-to-guide-monitoring-alerting.md) for Quota usages.
- Learn how to request increases for [VM-family vCPU quotas](per-vm-quota-requests.md), [vCPU quotas by region](regional-quota-requests.md), and [spot vCPU quotas](spot-quota.md). - Learn about [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md).
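Review bot: The two new links to quota alerting point at different articles under near-identical text: 'Monitor & Create Alerts' goes to `monitoring-alerting.md` while the Next steps item 'Monitoring & Creating Alerts' goes to `how-to-guide-monitoring-alerting.md`; either make the link text distinguish the overview from the how-to, or point both at the same target so readers are not sent to two places for what reads as one topic.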
remote-rendering Entities https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/remote-rendering/concepts/entities.md
An *Entity* represents a movable object in space and is the fundamental building
## Entity properties
-Entities have a transform defined by a position, rotation, and scale. By themselves entities do not have any observable functionality. Instead, behavior is added through components, which are attached to entities. For instance, attaching a [CutPlaneComponent](../overview/features/cut-planes.md) will create a cut plane at the position of the entity.
+Entities have a transform defined by a position, rotation, and scale. By themselves entities don't have any observable functionality. Instead, behavior is added through components, which are attached to entities. For instance, attaching a [CutPlaneComponent](../overview/features/cut-planes.md) creates a cut plane at the position of the entity.
The most important aspect of the entity itself is the hierarchy and the resulting hierarchical transform. For example, when multiple entities are attached as children to a shared parent entity, all of these entities can be moved, rotated, and scaled in unison by changing the transform of the parent entity. Also, the entity's `enabled` state can be used to turn off visibility and responses to ray casts for a full sub graph in the hierarchy.
Entities are created when the server loads content or when the user wants to add
## Create an entity
-To add a new entity to the scene, for example to pass it as a root object for loading models or to attach components to it, use the following code:
+To add a new entity to the scene, for example to pass it as a root object for loading models or attaching components to it, use the following code:
```cs Entity CreateNewEntity(RenderingSession session)
ApiHandle<Entity> CreateNewEntity(ApiHandle<RenderingSession> session)
## Query functions
-There are two types of query functions on entities: synchronous and asynchronous calls. Synchronous queries can only be used for data that is present on the client and does not involve much computation. Examples are querying for components, relative object transforms, or parent/child relationships. Asynchronous queries are used for data that only resides on the server or involves extra computation that would be too expensive to run on the client. Examples are spatial bounds queries or meta data queries.
+There are two types of query functions on entities: synchronous and asynchronous calls. Synchronous queries can only be used for data that is present on the client and doesn't involve much computation. Examples are querying for components, relative object transforms, or parent/child relationships. Asynchronous queries are used for data that only resides on the server or involves extra computation that would be too expensive to run on the client. Examples are spatial bounds queries or meta data queries.
### Querying components
ApiHandle<CutPlaneComponent> cutplane = entity->FindComponentOfType<CutPlaneComp
### Querying transforms
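Review bot: 'spatial bounds queries or meta data queries' at the end of the rewritten Query functions paragraph should read 'metadata queries', matching the 'Querying metadata' heading and the `QueryMetadataAsync` call used later in the same file; the contraction changes themselves are fine.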
-Transform queries are synchronous calls on the object. It is important to note that transforms queried through the API are local space transforms, relative to the object's parent. Exceptions are root objects, for which local space and world space are identical.
+Transform queries are synchronous calls on the object. It's important to note that transforms queried through the API are local space transforms, relative to the object's parent. Exceptions are root objects, for which local space and world space are identical.
> [!NOTE] > There is no dedicated API to query the world space transform of arbitrary objects.
Bounds queries are asynchronous calls that operate on a full object hierarchy, u
### Querying metadata
-Metadata is additional data stored on objects, that is ignored by the server. Object metadata is essentially a set of (name, value) pairs, where _value_ can be of numeric, boolean or string type. Metadata can be exported with the model.
+Metadata is extra data stored on objects that is ignored by the server. Object metadata is essentially a set of (name, value) pairs, where _value_ can be of numeric, boolean or string type. Metadata can be [exported with the model](../how-tos/conversion/configure-model-conversion.md#node-metadata).
Metadata queries are asynchronous calls on a specific entity. The query only returns the metadata of a single entity, not the merged information of a sub graph.
entity->QueryMetadataAsync([](Status status, ApiHandle<ObjectMetadata> metaData)
}); ```
-The query will succeed even if the object does not hold any metadata.
+The query succeeds even if the object doesn't hold any metadata.
## API documentation
remote-rendering Configure Model Conversion https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/remote-rendering/how-tos/conversion/configure-model-conversion.md
The rendering engine expects color values to be in linear space. If a model is d
* `sceneGraphMode`: Defines how the scene graph in the source file is converted. * `dynamic` (default): All objects in the file are exposed as [entities](../../concepts/entities.md) in the API and can be transformed and reparented arbitrarily. At runtime, the node hierarchy is identical to the structure in the source file.
- * `static`: Similar to `dynamic`, but objects in the scene graph can't be reparented to other objects dynamically at runtime. For dynamic models that have many moving parts, such as the explosion view model, the `dynamic` option generates a model that is more efficient to render, but `static` mode still allows for individual part transforms. If dynamic reparenting isn't required, the `static` option is the most suitable for models that have many individual parts.
+ * `static`: Similar to `dynamic`, but objects in the scene graph can't be reparented to other objects dynamically at runtime. For dynamic models that have many moving parts, such as the explosion view, the `dynamic` option generates a model that is more efficient to render, but `static` mode still allows for individual part transforms. If dynamic reparenting isn't required, the `static` option is the most suitable for models that have many individual parts.
* `none`: The scene graph is collapsed into one object. Each mode has different runtime performance. In `dynamic` mode, the performance cost scales linearly with the number of [entities](../../concepts/entities.md) in the graph, even when no part is moved. Use `dynamic` mode only when it's necessary to move many parts or large subgraphs simultaneously. An example is explosion view animation.
The `none` mode has the least runtime overhead and also slightly better loading
For GLTF files, this data comes from the [extras object on nodes](https://github.com/KhronosGroup/glTF/tree/master/specification/2.0#nodeextras). For FBX files, this data comes from the `Properties70` data on `Model nodes`. For more information, see the documentation for your 3D Asset Tool.
+When loading a model with meta data enabled, a specific entity's list of meta data entries can be retrieved through the [asynchronous QueryMetadataAsync function](../../concepts/entities.md#querying-metadata).
+ ### Vertex format It's possible to adjust the vertex format for a mesh to trade precision for memory savings. If your model has a lower memory footprint, you can load larger models or achieve better performance. However, depending on your data, the wrong format can significantly affect rendering quality.
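Review bot: The new sentence 'When loading a model with meta data enabled' should use 'metadata', consistent with the linked heading `../../concepts/entities.md#querying-metadata`. The added `### Vertex format` heading also has a leading space after the `+`, unlike the other headings in this file; drop it so heading style stays uniform.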
The following table describes formats that are allowed for respective components
| Vertex component | Supported formats | Usage in materials | |:--|:|:|
-|`position`| `32_32_32_FLOAT` (*default*), `16_16_16_16_FLOAT` | Vertex position, must always be present. |
+|`position`| `32_32_32_FLOAT` (*default*), `16_16_16_16_FLOAT` | Vertex position. Must always be present. |
|`color0`| `8_8_8_8_UNSIGNED_NORMALIZED` (*default*), `NONE` | Vertex colors. See `useVertexColor` property both in [color materials](../../overview/features/color-materials.md) and [PBR materials](../../overview/features/pbr-materials.md), and `vertexMix` in [color materials](../../overview/features/color-materials.md). | |`color1`| `8_8_8_8_UNSIGNED_NORMALIZED`, `NONE` (*default*)| Unused. Leave as default `NONE`. | |`normal`| `8_8_8_8_SIGNED_NORMALIZED` (*default*), `16_16_16_16_FLOAT`, `NONE` | Used for lighting in [PBR materials](../../overview/features/pbr-materials.md). |
As discussed in [Best practices for component format changes](configure-model-co
### Texture sizes Depending on the type of scenario, the amount of texture data might outweigh the memory that's used for mesh data. Photogrammetry models are candidates.
-The conversion configuration doesn't provide a way to automatically scale down textures. If necessary, texture scaling must be done as a client-side pre-processing step. But the conversion step does choose a suitable [texture compression format](/windows/win32/direct3d11/texture-block-compression-in-direct3d-11):
+The conversion configuration doesn't provide a way to automatically scale down textures. If necessary, texture scaling must be done as a client-side preprocessing step. But the conversion step does choose a suitable [texture compression format](/windows/win32/direct3d11/texture-block-compression-in-direct3d-11):
* BC1 file format for opaque color textures * BC7 file format for source color textures with alpha channel
resource-mover Common Questions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/resource-mover/common-questions.md
Yes, both in transit and at rest.
### How is managed identity used in Resource Mover?
-[Managed identity](../active-directory/managed-identities-azure-resources/overview.md) (formerly known as Managed Service Identity (MSI)) provides Azure services with an automatically managed identity in Azure AD.
+[Managed identity](../active-directory/managed-identities-azure-resources/overview.md) (formerly known as Managed Service Identity (MSI)) provides Azure services with an automatically managed identity in Microsoft Entra ID.
- Resource Mover uses managed identity so that it can access Azure subscriptions to move resources across regions. - A move collection needs a system-assigned identity, with access to the subscription that contains resources you're moving.
resource-mover Support Matrix Move Region Azure Vm https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/resource-mover/support-matrix-move-region-azure-vm.md
Azure VMs that you want to move need outbound access.
**Name** | **Azure public cloud** | **Details** | | Storage | `*.blob.core.windows.net` | Allows data to be written from the VM to the cache storage account in the source region.
-Azure Active Directory | `login.microsoftonline.com` | Provides authorization and authentication to Site Recovery service URLs.
+Microsoft Entra ID | `login.microsoftonline.com` | Provides authorization and authentication to Site Recovery service URLs.
Replication | `*.hypervrecoverymanager.windowsazure.com` | Allows the VM to communicate with the Site Recovery service. Service Bus | `*.servicebus.windows.net` | Allows the VM to write Site Recovery monitoring and diagnostics data.
resource-mover Tutorial Move Region Encrypted Virtual Machines https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/resource-mover/tutorial-move-region-encrypted-virtual-machines.md
Before you begin, verify the following:
| Requirement |Details | | | -|
-|**Subscription permissions** | Ensure that you have *Owner* access on the subscription that contains the resources you want to move.<br/><br/> *Why do I need Owner access?* The first time you add a resource for a specific source and destination pair in an Azure subscription, Resource Mover creates a [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types), formerly known as the Managed Service Identity (MSI). This identity is trusted by the subscription. Before you can create the identity and assign it the required roles (*Contributor* and *User access administrator* in the source subscription), the account you use to add resources needs *Owner* permissions in the subscription. For more information, see [Azure roles, Azure AD roles, and classic subscription administrator roles](../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles).|
+|**Subscription permissions** | Ensure that you have *Owner* access on the subscription that contains the resources you want to move.<br/><br/> *Why do I need Owner access?* The first time you add a resource for a specific source and destination pair in an Azure subscription, Resource Mover creates a [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types), formerly known as the Managed Service Identity (MSI). This identity is trusted by the subscription. Before you can create the identity and assign it the required roles (*Contributor* and *User access administrator* in the source subscription), the account you use to add resources needs *Owner* permissions in the subscription. For more information, see [Azure roles, Microsoft Entra roles, and classic subscription administrator roles](../role-based-access-control/rbac-and-directory-admin-roles.md#azure-roles).|
| **VM support** | Ensure that the VMs you want to move are supported by doing the following:<li>[Verify](support-matrix-move-region-azure-vm.md#windows-vm-support) supported Windows VMs.<li>[Verify](support-matrix-move-region-azure-vm.md#linux-vm-support) supported Linux VMs and kernel versions.<li>Check supported [compute](support-matrix-move-region-azure-vm.md#supported-vm-compute-settings), [storage](support-matrix-move-region-azure-vm.md#supported-vm-storage-settings), and [networking](support-matrix-move-region-azure-vm.md#supported-vm-networking-settings) settings.| | **Key vault requirements (Azure Disk Encryption)** | If you have Azure Disk Encryption enabled for VMs, you require a key vault in both the source and destination regions. For more information, see [Create a key vault](../key-vault/general/quick-create-portal.md).<br/><br/> For the key vaults in the source and destination regions, you require these permissions:<li>Key permissions: Key Management Operations (Get, List) and Cryptographic Operations (Decrypt and Encrypt)<li>Secret permissions: Secret Management Operations (Get, List, and Set)<li>Certificate (List and Get)| | **Disk encryption set (server-side encryption with CMK)** | If you're using VMs with server-side encryption that uses a CMK, you require a disk encryption set in both the source and destination regions. For more information, see [Create a disk encryption set](../virtual-machines/disks-enable-customer-managed-keys-portal.md#set-up-your-disk-encryption-set).<br/><br/> Moving between regions isn't supported if you're using a hardware security module (HSM keys) for customer-managed keys.|
To delete your resources, do the following:
## Next steps [Learn more](./tutorial-move-region-sql.md) about moving Azure SQL databases and elastic pools to another region.-
role-based-access-control Best Practices https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/best-practices.md
For information about how to assign roles, see [Assign Azure roles using the Azu
You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner. This recommendation can be monitored in Microsoft Defender for Cloud. For other identity and access recommendations in Defender for Cloud, see [Security recommendations - a reference guide](../security-center/recommendations-reference.md).
-## Use Azure AD Privileged Identity Management
+<a name='use-azure-ad-privileged-identity-management'></a>
-To protect privileged accounts from malicious cyber-attacks, you can use Azure Active Directory Privileged Identity Management (PIM) to lower the exposure time of privileges and increase your visibility into their use through reports and alerts. PIM helps protect privileged accounts by providing just-in-time privileged access to Azure AD and Azure resources. Access can be time bound after which privileges are revoked automatically.
+## Use Microsoft Entra Privileged Identity Management
-For more information, see [What is Azure AD Privileged Identity Management?](../active-directory/privileged-identity-management/pim-configure.md).
+To protect privileged accounts from malicious cyber-attacks, you can use Microsoft Entra Privileged Identity Management (PIM) to lower the exposure time of privileges and increase your visibility into their use through reports and alerts. PIM helps protect privileged accounts by providing just-in-time privileged access to Microsoft Entra ID and Azure resources. Access can be time bound after which privileges are revoked automatically.
+
+For more information, see [What is Microsoft Entra Privileged Identity Management?](../active-directory/privileged-identity-management/pim-configure.md).
## Assign roles to groups, not users
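Review bot: 'Access can be time bound after which privileges are revoked automatically' reads better as 'Access can be time-bound, after which privileges are revoked automatically', and 'cyber-attacks' is normally written 'cyberattacks'. Keeping the `<a name='use-azure-ad-privileged-identity-management'></a>` anchor above the renamed heading is the right call, since existing links to the old heading slug still resolve.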
role-based-access-control Classic Administrators https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/classic-administrators.md
To add a guest user as a Co-Administrator, follow the same steps as in the previ
- The guest user must have a presence in your directory. This means that the user was invited to your directory and accepted the invite.
-For more information, about how to add a guest user to your directory, see [Add Azure Active Directory B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md).
+For more information, about how to add a guest user to your directory, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md).
Before you remove a guest user from your directory, you should first remove any role assignments for that guest user. For more information, see [Remove a guest user from your directory](./role-assignments-external-users.md#remove-a-guest-user-from-your-directory).
Before you remove a guest user from your directory, you should first remove any
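Review bot: 'For more information, about how to add a guest user' carries a stray comma that the rename kept from the old line; since the line is already being touched, change it to 'For more information about how to add a guest user'.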
Guest users that have been assigned the Co-Administrator role might see some differences as compared to member users with the Co-Administrator role. Consider the following scenario: -- User A with an Azure AD account (work or school account) is the Service Administrator for an Azure subscription.
+- User A with a Microsoft Entra account (work or school account) is the Service Administrator for an Azure subscription.
- User B has a Microsoft account. - User A assigns the Co-Administrator role to user B.-- User B can do almost everything, but is unable to register applications or look up users in the Azure AD directory.
+- User B can do almost everything, but is unable to register applications or look up users in the Microsoft Entra directory.
-You would expect that user B could manage everything. The reason for this difference is that the Microsoft account is added to the subscription as a guest user instead of a member user. Guest users have different default permissions in Azure AD as compared to member users. For example, member users can read other users in Azure AD and guest users cannot. Member users can register new service principals in Azure AD and guest users cannot.
+You would expect that user B could manage everything. The reason for this difference is that the Microsoft account is added to the subscription as a guest user instead of a member user. Guest users have different default permissions in Microsoft Entra ID as compared to member users. For example, member users can read other users in Microsoft Entra ID and guest users cannot. Member users can register new service principals in Microsoft Entra ID and guest users cannot.
-If a guest user needs to be able to perform these tasks, a possible solution is to assign the specific Azure AD roles the guest user needs. For example, in the previous scenario, you could assign the [Directory Readers](../active-directory/roles/permissions-reference.md#directory-readers) role to read other users and assign the [Application Developer](../active-directory/roles/permissions-reference.md#application-developer) role to be able to create service principals. For more information about member and guest users and their permissions, see [What are the default user permissions in Azure Active Directory?](../active-directory/fundamentals/users-default-permissions.md). For more information about granting access for guest users, see [Assign Azure roles to external guest users using the Azure portal](role-assignments-external-users.md).
+If a guest user needs to be able to perform these tasks, a possible solution is to assign the specific Microsoft Entra roles the guest user needs. For example, in the previous scenario, you could assign the [Directory Readers](../active-directory/roles/permissions-reference.md#directory-readers) role to read other users and assign the [Application Developer](../active-directory/roles/permissions-reference.md#application-developer) role to be able to create service principals. For more information about member and guest users and their permissions, see [What are the default user permissions in Microsoft Entra ID?](../active-directory/fundamentals/users-default-permissions.md). For more information about granting access for guest users, see [Assign Azure roles to external guest users using the Azure portal](role-assignments-external-users.md).
-Note that the [Azure built-in roles](../role-based-access-control/built-in-roles.md) are different than the [Azure AD roles](../active-directory/roles/permissions-reference.md). The built-in roles don't grant any access to Azure AD. For more information, see [Understand the different roles](../role-based-access-control/rbac-and-directory-admin-roles.md).
+Note that the [Azure built-in roles](../role-based-access-control/built-in-roles.md) are different than the [Microsoft Entra roles](../active-directory/roles/permissions-reference.md). The built-in roles don't grant any access to Microsoft Entra ID. For more information, see [Understand the different roles](../role-based-access-control/rbac-and-directory-admin-roles.md).
-For information that compares member users and guest users, see [What are the default user permissions in Azure Active Directory?](../active-directory/fundamentals/users-default-permissions.md).
+For information that compares member users and guest users, see [What are the default user permissions in Microsoft Entra ID?](../active-directory/fundamentals/users-default-permissions.md).
## Remove a Co-Administrator
Follow these steps to change the Service Administrator in the Azure portal.
### Limitations for changing the Service Administrator
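Review bot: In 'the Azure built-in roles ... are different than the Microsoft Entra roles', prefer 'different from', and the leading 'Note that' can be dropped since the sentence is already a plain statement. The rest of the hunk is a consistent Azure AD to Microsoft Entra rename and the link targets are unchanged, which is what a rename commit should do.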
-There can only be one Service Administrator per Azure subscription. Changing the Service Administrator will behave differently depending on whether the Account Administrator is a Microsoft account or whether it is an Azure AD account (work or school account).
+There can only be one Service Administrator per Azure subscription. Changing the Service Administrator will behave differently depending on whether the Account Administrator is a Microsoft account or whether it is a Microsoft Entra account (work or school account).
-| Account Administrator account | Can change the Service Administrator to a different Microsoft account? | Can change the Service Administrator to an Azure AD account in the same directory? | Can change the Service Administrator to an Azure AD account in a different directory? |
+| Account Administrator account | Can change the Service Administrator to a different Microsoft account? | Can change the Service Administrator to a Microsoft Entra account in the same directory? | Can change the Service Administrator to a Microsoft Entra account in a different directory? |
| | | | | | Microsoft account | Yes | No | No |
-| Azure AD account | Yes | Yes | No |
+| Microsoft Entra account | Yes | Yes | No |
-If the Account Administrator is an Azure AD account, you can change the Service Administrator to an Azure AD account in the same directory, but not in a different directory. For example, abby@contoso.com can change the Service Administrator to bob@contoso.com, but cannot change the Service Administrator to john@notcontoso.com unless john@notcontoso.com has a presence in the contoso.com directory.
+If the Account Administrator is a Microsoft Entra account, you can change the Service Administrator to a Microsoft Entra account in the same directory, but not in a different directory. For example, abby@contoso.com can change the Service Administrator to bob@contoso.com, but cannot change the Service Administrator to john@notcontoso.com unless john@notcontoso.com has a presence in the contoso.com directory.
-For more information about Microsoft accounts and Azure AD accounts, see [What is Azure Active Directory?](../active-directory/fundamentals/active-directory-whatis.md).
+For more information about Microsoft accounts and Microsoft Entra accounts, see [What is Microsoft Entra ID?](../active-directory/fundamentals/active-directory-whatis.md).
## Remove the Service Administrator
Follow these steps to view the Account Administrator.
* [Understand the different roles](../role-based-access-control/rbac-and-directory-admin-roles.md) * [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md)
-* [Add or change Azure subscription administrators](../cost-management-billing/manage/add-change-subscription-administrator.md)
+* [Add or change Azure subscription administrators](../cost-management-billing/manage/add-change-subscription-administrator.md)
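Review bot: the final `-`/`+` pair of this hunk (`* [Add or change Azure subscription administrators](../cost-management-billing/manage/add-change-subscription-administrator.md)`) is identical as shown, so the change there is whitespace-only (a trailing space or line-ending fix); confirm that is intentional so the diff stays limited to the rename. The table change above it is consistent: the header cell and the `Azure AD account` row are both renamed to `Microsoft Entra account`, and the abby@contoso.com / john@notcontoso.com example keeps its meaning with only the product name changed.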
role-based-access-control Conditions Custom Security Attributes Example https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-custom-security-attributes-example.md
Title: Scale the management of Azure role assignments by using conditions and custom security attributes (Preview) - Azure ABAC
-description: Scale the management of Azure role assignments by using Azure attribute-based access control (Azure ABAC) conditions and Azure AD custom security attributes for principals.
+description: Scale the management of Azure role assignments by using Azure attribute-based access control (Azure ABAC) conditions and Microsoft Entra custom security attributes for principals.
Azure role-based access control (Azure RBAC) has a [limit of role assignments per subscription](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-rbac-limits). If you need to create hundreds or even thousands of Azure role assignments, you might encounter this limit. Managing hundreds or thousands of role assignments can be difficult. Depending on your scenario, you might be able to reduce the number of role assignments and make it easier to manage access.
-This article describes a solution to scale the management of role assignments by using [Azure attribute-based access control (Azure ABAC)](conditions-overview.md) conditions and [Azure AD custom security attributes](../active-directory/fundamentals/custom-security-attributes-overview.md) for principals.
+This article describes a solution to scale the management of role assignments by using [Azure attribute-based access control (Azure ABAC)](conditions-overview.md) conditions and [Microsoft Entra custom security attributes](../active-directory/fundamentals/custom-security-attributes-overview.md) for principals.
## Example scenario
Consider a company named Contoso with thousands of customers that wants to set u
- Distribute customer data across 128 storage accounts for security and performance reasonsΓÇï. - Add 2,000 containers to each storage account where there is a container for each customer.-- Represent each customer by a unique Azure AD service principal.
+- Represent each customer by a unique Microsoft Entra service principal.
- Allow each customer to access objects in their container, but not other containers.ΓÇï This configuration could potentially require 256,000 [Storage Blob Data Owner](built-in-roles.md#storage-blob-data-owner) role assignments in a subscription, which is well beyond the role assignments limit. Having this many role assignments would be difficult, if not impossible, to maintain.
There are several attributes you could use in your condition, such as the follow
You can also define your own custom security attributes for users, enterprise applications, and managed identities.
-For more information, see [Azure role assignment condition format and syntax](conditions-format.md#attributes) and [What are custom security attributes in Azure AD?](../active-directory/fundamentals/custom-security-attributes-overview.md).
+For more information, see [Azure role assignment condition format and syntax](conditions-format.md#attributes) and [What are custom security attributes in Microsoft Entra ID?](../active-directory/fundamentals/custom-security-attributes-overview.md).
#### Step 3: Create a condition at a higher scope
Create one or more role assignments that use a condition at a higher scope to ma
## Next steps - [What is Azure attribute-based access control (Azure ABAC)?](conditions-overview.md)-- [What are custom security attributes in Azure AD?](../active-directory/fundamentals/custom-security-attributes-overview.md)
+- [What are custom security attributes in Microsoft Entra ID?](../active-directory/fundamentals/custom-security-attributes-overview.md)
- [Allow read access to blobs based on tags and custom security attributes (Preview)](conditions-custom-security-attributes.md)
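Review bot: the unchanged list item in the 'Example scenario' hunk still carries the mojibake sequence `ΓÇï` twice ('performance reasonsΓÇï' and 'other containers.ΓÇï'), which is a UTF-8 zero-width space read through a legacy code page; since this list is already being edited for the service principal rename, delete those invisible characters in the same commit so they do not reach the rendered page or copied text. The rename itself ('a unique Microsoft Entra service principal') is consistent with the description and body text changes in the same file.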
role-based-access-control Conditions Custom Security Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-custom-security-attributes.md
In this article, you learn how to allow read access to blobs based on blob index
## Prerequisites
-To assign custom security attributes and add role assignments conditions in your Azure AD tenant, you need:
+To assign custom security attributes and add role assignments conditions in your Microsoft Entra tenant, you need:
-- Azure AD Premium P1 or P2 license
+- Microsoft Entra ID P1 or P2 license
- [Attribute Definition Administrator](../active-directory/roles/permissions-reference.md#attribute-definition-administrator) and [Attribute Assignment Administrator](../active-directory/roles/permissions-reference.md#attribute-assignment-administrator) - [User Access Administrator](built-in-roles.md#user-access-administrator) or [Owner](built-in-roles.md#owner)
For more information about conditions, see [What is Azure attribute-based access
1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Click **Azure Active Directory** > **Custom security attributes (Preview)**.
+1. Click **Microsoft Entra ID** > **Custom security attributes (Preview)**.
-1. Add an attribute named `Project` with values of `Baker` and `Cascade`. Or use an existing attribute. For more information, see [Add or deactivate custom security attributes in Azure AD](../active-directory/fundamentals/custom-security-attributes-add.md).
+1. Add an attribute named `Project` with values of `Baker` and `Cascade`. Or use an existing attribute. For more information, see [Add or deactivate custom security attributes in Microsoft Entra ID](../active-directory/fundamentals/custom-security-attributes-add.md).
![Screenshot of adding a custom security attribute.](./media/conditions-custom-security-attributes/project-attribute-add.png) ## Step 2: Assign the custom security attribute to a user
-1. In Azure AD, create a security group.
+1. In Microsoft Entra ID, create a security group.
1. Add a user as a member of the group.
You can also use Azure CLI to add role assignments conditions. The following com
## Next steps -- [What are custom security attributes in Azure AD? (Preview)](../active-directory/fundamentals/custom-security-attributes-overview.md)
+- [What are custom security attributes in Microsoft Entra ID? (Preview)](../active-directory/fundamentals/custom-security-attributes-overview.md)
- [Azure role assignment condition format and syntax (preview)](conditions-format.md) - [Example Azure role assignment conditions for Blob Storage (preview)](../storage/blobs/storage-auth-abac-examples.md?toc=/azure/role-based-access-control/toc.json)
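Review bot: the rewritten prerequisite sentence ('To assign custom security attributes and add role assignments conditions in your Microsoft Entra tenant') keeps the pluralised 'role assignments conditions'; the rest of this batch uses 'role assignment conditions' (for example the Next steps link 'Azure role assignment condition format and syntax'), so 'add role assignment conditions' would match. The license bullet change to 'Microsoft Entra ID P1 or P2 license' agrees with the same edit in conditions-format.md, conditions-prerequisites.md and conditions-troubleshoot.md below.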
role-based-access-control Conditions Faq https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-faq.md
You can use the `Exists` operator with any ABAC attribute, but it is only suppor
If you add three or more expressions for a targeted action, you must define the logical grouping of those expressions in the code editor, Azure PowerShell, or Azure CLI. A logical grouping of `a AND b OR c` can be either `(a AND b) OR c` or `a AND (b OR c )`.
-**Are conditions supported via Azure AD Privileged Identity Management (Azure AD PIM) for Azure resources?**
+**Are conditions supported via Microsoft Entra Privileged Identity Management (Microsoft Entra PIM) for Azure resources?**
Yes, for specific roles. For more information, see [Assign Azure resource roles in Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
role-based-access-control Conditions Format https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-format.md
Depending on the selected actions, the attribute might be found in different pla
> | Attribute source | Description | Code | > | | | | > | [Environment](#environment-attributes) | Indicates that the attribute is associated with the environment of the request, such as the network origin of the request or the current date and time.</br>***(Environment attributes are currently in preview.)*** | `@Environment` |
-> | [Principal](#principal-attributes) | Indicates that the attribute is an Azure AD custom security attribute on the principal, such as a user, enterprise application (service principal), or managed identity.</br>***(Principal attributes are currently in preview.)*** | `@Principal` |
+> | [Principal](#principal-attributes) | Indicates that the attribute is a Microsoft Entra custom security attribute on the principal, such as a user, enterprise application (service principal), or managed identity.</br>***(Principal attributes are currently in preview.)*** | `@Principal` |
> | [Request](#request-attributes) | Indicates that the attribute is part of the action request, such as setting the blob index tag. | `@Request` | > | [Resource](#resource-attributes) | Indicates that the attribute is a property of the resource, such as a container name. | `@Resource` |
The following table lists the supported environment attributes for conditions.
#### Principal attributes
-Principal attributes are Azure AD custom security attributes associated with the principal requesting access to a resource. The security principal can be a user, an enterprise application (a service principal), or a managed identity.
+Principal attributes are Microsoft Entra custom security attributes associated with the principal requesting access to a resource. The security principal can be a user, an enterprise application (a service principal), or a managed identity.
> [!IMPORTANT] > Principal attributes are currently in PREVIEW.
Principal attributes are Azure AD custom security attributes associated with the
To use principal attributes, you must have **all** of the following: -- Azure AD Premium P1 or P2 license-- Azure AD permissions for signed-in user, such as the [Attribute Assignment Administrator](../active-directory/roles/permissions-reference.md#attribute-assignment-administrator) role-- Custom security attributes defined in Azure AD
+- Microsoft Entra ID P1 or P2 license
+- Microsoft Entra permissions for signed-in user, such as the [Attribute Assignment Administrator](../active-directory/roles/permissions-reference.md#attribute-assignment-administrator) role
+- Custom security attributes defined in Microsoft Entra ID
For more information about custom security attributes, see: - [Allow read access to blobs based on tags and custom security attributes (Preview)](conditions-custom-security-attributes.md) - [Principal does not appear in Attribute source (Preview)](conditions-troubleshoot.md#symptomprincipal-does-not-appear-in-attribute-source)-- [Add or deactivate custom security attributes in Azure AD (Preview)](../active-directory/fundamentals/custom-security-attributes-add.md)
+- [Add or deactivate custom security attributes in Microsoft Entra ID (Preview)](../active-directory/fundamentals/custom-security-attributes-add.md)
#### Request attributes
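Review bot: in the 'To use principal attributes' hunk the single `-` line runs three bullets together ('... P1 or P2 license-- Azure AD permissions ...-- Custom security attributes defined in Azure AD') while the three `+` lines restore them as separate list items; confirm the source file really had three bullets before, so that this is only the rename and not a list-structure change riding along with it. The context line 'Principal attributes are Azure AD custom security attributes associated with the' still shows the old name; if that is a second copy of the sentence in the file rather than the diff viewer's section label, it needs the same rename as the `+` line above it.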
role-based-access-control Conditions Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-overview.md
Some features of conditions are still in preview. The following table lists the
| Use [resource and request attributes](conditions-format.md#attributes) for specific combinations of Azure storage resources, access attribute types, and storage account performance tiers. For more information, see [Status of condition features in Azure Storage](../storage/blobs/storage-auth-abac.md#status-of-condition-features-in-azure-storage). | GA | October 2022 | | Use [custom security attributes on a principal](conditions-format.md#principal-attributes) in a condition | Preview | November 2021 |
-## Conditions and Azure AD PIM
+<a name='conditions-and-azure-ad-pim'></a>
-You can also add conditions to eligible role assignments using Azure AD Privileged Identity Management (Azure AD PIM) for Azure resources. With Azure AD PIM, your end users must activate an eligible role assignment to get permission to perform certain actions. Using conditions in Azure AD PIM enables you not only to limit a user's access to a resource using fine-grained conditions, but also to use Azure AD PIM to secure it with a time-bound setting, approval workflow, audit trail, and so on. For more information, see [Assign Azure resource roles in Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
+## Conditions and Microsoft Entra PIM
+
+You can also add conditions to eligible role assignments using Microsoft Entra Privileged Identity Management (Microsoft Entra PIM) for Azure resources. With Microsoft Entra PIM, your end users must activate an eligible role assignment to get permission to perform certain actions. Using conditions in Microsoft Entra PIM enables you not only to limit a user's access to a resource using fine-grained conditions, but also to use Microsoft Entra PIM to secure it with a time-bound setting, approval workflow, audit trail, and so on. For more information, see [Assign Azure resource roles in Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
## Terminology
Here are some of the limits for conditions.
Here are the known issues with conditions: -- If you are using Azure AD Privileged Identity Management (PIM) and [custom security attributes](../active-directory/fundamentals/custom-security-attributes-overview.md), **Principal** does not appear in **Attribute source** when adding a condition.
+- If you are using Microsoft Entra Privileged Identity Management (PIM) and [custom security attributes](../active-directory/fundamentals/custom-security-attributes-overview.md), **Principal** does not appear in **Attribute source** when adding a condition.
## Next steps
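Review bot: the added `<a name='conditions-and-azure-ad-pim'></a>` before the renamed heading preserves the old `#conditions-and-azure-ad-pim` fragment, so inbound links to 'Conditions and Azure AD PIM' keep resolving once the heading becomes 'Conditions and Microsoft Entra PIM'; this is the right pattern for any renamed heading in the batch. One small inconsistency: the overview paragraph abbreviates to 'Microsoft Entra PIM' while the known-issues bullet in the same hunk expands to 'Microsoft Entra Privileged Identity Management (PIM)' and then uses plain 'PIM'; picking one form would read cleaner.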
role-based-access-control Conditions Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-prerequisites.md
Just like role assignments, to add or update conditions, you must be signed in t
> Principal attributes are currently in PREVIEW. > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
-To use principal attributes ([custom security attributes in Azure AD](../active-directory/fundamentals/custom-security-attributes-overview.md)), you must have **all** of the following:
+To use principal attributes ([custom security attributes in Microsoft Entra ID](../active-directory/fundamentals/custom-security-attributes-overview.md)), you must have **all** of the following:
-- Azure AD Premium P1 or P2 license
+- Microsoft Entra ID P1 or P2 license
- [Attribute Assignment Administrator](../active-directory/roles/permissions-reference.md#attribute-assignment-administrator) at attribute set or tenant scope-- Custom security attributes defined in Azure AD
+- Custom security attributes defined in Microsoft Entra ID
For more information about custom security attributes, see: - [Principal does not appear in Attribute source](conditions-troubleshoot.md#symptomprincipal-does-not-appear-in-attribute-source)-- [Add or deactivate custom security attributes in Azure AD](../active-directory/fundamentals/custom-security-attributes-add.md)
+- [Add or deactivate custom security attributes in Microsoft Entra ID](../active-directory/fundamentals/custom-security-attributes-add.md)
## Next steps
role-based-access-control Conditions Role Assignments Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-role-assignments-portal.md
Once you have the Add role assignment condition page open, you can review the ba
- **Environment** (preview) indicates that the attribute is associated with the network environment over which the resource is accessed such as a private link, or the current date and time. - **Resource** indicates that the attribute is on the resource, such as container name. - **Request** indicates that the attribute is part of the action request, such as setting the blob index tag.
- - **Principal** (preview) indicates that the attribute is an Azure AD custom security attribute principal, such as a user, enterprise application (service principal), or managed identity.
+ - **Principal** (preview) indicates that the attribute is a Microsoft Entra custom security attribute principal, such as a user, enterprise application (service principal), or managed identity.
1. In the **Attribute** list, select an attribute for the left side of the expression.
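Review bot: the `+` line reads 'the attribute is a Microsoft Entra custom security attribute principal', which drops the words 'on the' that the matching sentence in conditions-format.md in this batch carries ('is a Microsoft Entra custom security attribute on the principal, such as a user, enterprise application (service principal), or managed identity'); the omission was already in the `-` line and the rename carried it over, so this is a good moment to align the two sentences.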
role-based-access-control Conditions Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/conditions-troubleshoot.md
When you try to add a role assignment with a condition, **Principal** does not a
Instead, you see the message:
-To use principal (user) attributes, you must have all of the following: Azure AD Premium P1 or P2 license, Azure AD permissions (such as the [Attribute Assignment Administrator](../active-directory/roles/permissions-reference.md#attribute-assignment-administrator) role), and custom security attributes defined in Azure AD.
+To use principal (user) attributes, you must have all of the following: Microsoft Entra ID P1 or P2 license, Microsoft Entra permissions (such as the [Attribute Assignment Administrator](../active-directory/roles/permissions-reference.md#attribute-assignment-administrator) role), and custom security attributes defined in Microsoft Entra ID.
![Screenshot showing principal message when adding a condition.](./media/conditions-troubleshoot/condition-principal-attribute-message.png)
To use principal (user) attributes, you must have all of the following: Azure AD
You don't meet the prerequisites. To use principal attributes, you must have **all** of the following: -- Azure AD Premium P1 or P2 license-- Azure AD permissions for the signed-in user to read at least one attribute set-- Custom security attributes defined in Azure AD
+- Microsoft Entra ID P1 or P2 license
+- Microsoft Entra permissions for the signed-in user to read at least one attribute set
+- Custom security attributes defined in Microsoft Entra ID
**Solution**
-1. Open **Azure Active Directory** > **Custom security attributes**.
+1. Open **Microsoft Entra ID** > **Custom security attributes**.
- If the **Custom security attributes** page is disabled, you don't have an Azure AD Premium P1 or P2 license. Open **Azure Active Directory** > **Overview** and check the license for your tenant.
+ If the **Custom security attributes** page is disabled, you don't have a Microsoft Entra ID P1 or P2 license. Open **Microsoft Entra ID** > **Overview** and check the license for your tenant.
![Screenshot that shows Custom security attributes page disabled in Azure portal.](./media/conditions-troubleshoot/attributes-disabled.png)
You don't meet the prerequisites. To use principal attributes, you must have **a
![Screenshot that shows Custom security attributes Get started page.](./media/conditions-troubleshoot/attributes-get-started.png)
-1. If custom security attributes have been defined, assign one of the following roles at tenant scope or attribute set scope. For more information, see [Manage access to custom security attributes in Azure AD](../active-directory/fundamentals/custom-security-attributes-manage.md).
+1. If custom security attributes have been defined, assign one of the following roles at tenant scope or attribute set scope. For more information, see [Manage access to custom security attributes in Microsoft Entra ID](../active-directory/fundamentals/custom-security-attributes-manage.md).
- [Attribute Definition Reader](../active-directory/roles/permissions-reference.md#attribute-definition-reader) - [Attribute Assignment Reader](../active-directory/roles/permissions-reference.md#attribute-assignment-reader)
You don't meet the prerequisites. To use principal attributes, you must have **a
> [!IMPORTANT] > By default, [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) and other administrator roles do not have permissions to read, define, or assign custom security attributes.
-1. If custom security attributes haven't been defined yet, assign the [Attribute Definition Administrator](../active-directory/roles/permissions-reference.md#attribute-definition-administrator) role at tenant scope and add custom security attributes. For more information, see [Add or deactivate custom security attributes in Azure AD](../active-directory/fundamentals/custom-security-attributes-add.md).
+1. If custom security attributes haven't been defined yet, assign the [Attribute Definition Administrator](../active-directory/roles/permissions-reference.md#attribute-definition-administrator) role at tenant scope and add custom security attributes. For more information, see [Add or deactivate custom security attributes in Microsoft Entra ID](../active-directory/fundamentals/custom-security-attributes-add.md).
When finished, you should be able to read at least one attribute set. **Principal** should now appear in the **Attribute source** list when you add a role assignment with a condition.
You don't meet the prerequisites. To use principal attributes, you must have **a
### Symptom - Principal does not appear in Attribute source when using PIM
-When you try to add a role assignment with a condition using [Azure AD Privileged Identity Management (PIM)](../active-directory/privileged-identity-management/pim-configure.md), **Principal** does not appear in the **Attribute source** list.
+When you try to add a role assignment with a condition using [Microsoft Entra Privileged Identity Management (PIM)](../active-directory/privileged-identity-management/pim-configure.md), **Principal** does not appear in the **Attribute source** list.
![Screenshot showing Principal in Attribute source list when adding a condition using Privileged Identity Management.](./media/conditions-troubleshoot/condition-principal-attribute-source.png)
Disable history expansion with the command `set +H`. To re-enable history expans
- [Azure role assignment condition format and syntax](conditions-format.md) - [FAQ for Azure role assignment conditions](conditions-faq.md)-- [Troubleshoot custom security attributes in Azure AD (Preview)](../active-directory/fundamentals/custom-security-attributes-troubleshoot.md)
+- [Troubleshoot custom security attributes in Microsoft Entra ID (Preview)](../active-directory/fundamentals/custom-security-attributes-troubleshoot.md)
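Review bot: the `+` line after 'Instead, you see the message:' rewrites a string the portal itself displays ('To use principal (user) attributes, you must have all of the following: Microsoft Entra ID P1 or P2 license, Microsoft Entra permissions ...'), while the screenshot that follows (condition-principal-attribute-message.png) is unchanged; confirm the portal message has been updated to the Microsoft Entra wording, otherwise the quoted text will no longer match what users see. The prerequisites bullets in this hunk ('Microsoft Entra permissions for the signed-in user to read at least one attribute set') state a weaker requirement than the 'Attribute Assignment Administrator' example used for the corresponding bullet in conditions-format.md; both can be correct, but a cross-check that the two lists intentionally differ is worthwhile.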
role-based-access-control Custom Roles Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/custom-roles-portal.md
# Create or update Azure custom roles using the Azure portal
-If the [Azure built-in roles](built-in-roles.md) don't meet the specific needs of your organization, you can create your own Azure custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription and resource group scopes. Custom roles are stored in an Azure Active Directory (Azure AD) directory and can be shared across subscriptions. Each directory can have up to 5000 custom roles. Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API. This article describes how to create custom roles using the Azure portal.
+If the [Azure built-in roles](built-in-roles.md) don't meet the specific needs of your organization, you can create your own Azure custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription and resource group scopes. Custom roles are stored in a Microsoft Entra directory and can be shared across subscriptions. Each directory can have up to 5000 custom roles. Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API. This article describes how to create custom roles using the Azure portal.
## Prerequisites
If you prefer, you can specify most of your custom role values in a JSON file. Y
On the **Basics** tab, you specify the name, description, and baseline permissions for your custom role.
-1. In the **Custom role name** box, specify a name for the custom role. The name must be unique for the Azure AD directory. The name can include letters, numbers, spaces, and special characters.
+1. In the **Custom role name** box, specify a name for the custom role. The name must be unique for the Microsoft Entra directory. The name can include letters, numbers, spaces, and special characters.
1. In the **Description** box, specify an optional description for the custom role. This will become the tooltip for the custom role.
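Review bot: the renamed paragraph keeps 'Each directory can have up to 5000 custom roles' while custom-roles.md in the same batch states the limit as **5,000** custom roles per tenant and adds the 2,000 limit for Microsoft Azure operated by 21Vianet; since both sentences are being touched for the Microsoft Entra rename, consider aligning the number formatting and adding the 21Vianet caveat here too. 'Stored in a Microsoft Entra directory' is a faithful replacement for 'an Azure Active Directory (Azure AD) directory'.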
role-based-access-control Custom Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/custom-roles.md
If the [Azure built-in roles](built-in-roles.md) don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at management group, subscription, and resource group scopes.
-Custom roles can be shared between subscriptions that trust the same Azure AD tenant. There is a limit of **5,000** custom roles per tenant. (For Microsoft Azure operated by 21Vianet, the limit is 2,000 custom roles.) Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.
+Custom roles can be shared between subscriptions that trust the same Microsoft Entra tenant. There is a limit of **5,000** custom roles per tenant. (For Microsoft Azure operated by 21Vianet, the limit is 2,000 custom roles.) Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.
## Steps to create a custom role
The following table describes what the custom role properties mean.
| Property | Required | Type | Description | | | | | |
-| `Name`</br>`roleName` | Yes | String | The display name of the custom role. While a role definition is a management group or subscription-level resource, a role definition can be used in multiple subscriptions that share the same Azure AD tenant. This display name must be unique at the scope of the Azure AD tenant. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 512. |
+| `Name`</br>`roleName` | Yes | String | The display name of the custom role. While a role definition is a management group or subscription-level resource, a role definition can be used in multiple subscriptions that share the same Microsoft Entra tenant. This display name must be unique at the scope of the Microsoft Entra tenant. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 512. |
| `Id`</br>`name` | Yes | String | The unique ID of the custom role. For Azure PowerShell and Azure CLI, this ID is automatically generated when you create a new role. | | `IsCustom`</br>`roleType` | Yes | String | Indicates whether this is a custom role. Set to `true` or `CustomRole` for custom roles. Set to `false` or `BuiltInRole` for built-in roles. | | `Description`</br>`description` | Yes | String | The description of the custom role. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 2048. |
role-based-access-control Deny Assignments Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/deny-assignments-portal.md
Follow these steps to list additional details about a deny assignment.
| **Deny assignment applies to** | Security principals that the deny assignment applies to. | | **Deny assignment excludes** | Security principals that are excluded from the deny assignment. |
- **System-Defined Principal** represents all users, groups, service principals, and managed identities in an Azure AD directory.
+ **System-Defined Principal** represents all users, groups, service principals, and managed identities in a Microsoft Entra directory.
1. To see a list of the permissions that are denied, click **Denied Permissions**.
role-based-access-control Deny Assignments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/deny-assignments.md
Deny assignments follow a similar pattern as role assignments, but also have som
> | `Permissions.NotDataActions` | No | String[] | An array of strings that specify the data plane actions to exclude from the deny assignment. | > | `Scope` | No | String | A string that specifies the scope that the deny assignment applies to. | > | `DoNotApplyToChildScopes` | No | Boolean | Specifies whether the deny assignment applies to child scopes. Default value is false. |
-> | `Principals[i].Id` | Yes | String[] | An array of Azure AD principal object IDs (user, group, service principal, or managed identity) to which the deny assignment applies. Set to an empty GUID `00000000-0000-0000-0000-000000000000` to represent all principals. |
+> | `Principals[i].Id` | Yes | String[] | An array of Microsoft Entra principal object IDs (user, group, service principal, or managed identity) to which the deny assignment applies. Set to an empty GUID `00000000-0000-0000-0000-000000000000` to represent all principals. |
> | `Principals[i].Type` | No | String[] | An array of object types represented by Principals[i].Id. Set to `SystemDefined` to represent all principals. |
-> | `ExcludePrincipals[i].Id` | No | String[] | An array of Azure AD principal object IDs (user, group, service principal, or managed identity) to which the deny assignment does not apply. |
+> | `ExcludePrincipals[i].Id` | No | String[] | An array of Microsoft Entra principal object IDs (user, group, service principal, or managed identity) to which the deny assignment does not apply. |
> | `ExcludePrincipals[i].Type` | No | String[] | An array of object types represented by ExcludePrincipals[i].Id. | > | `IsSystemProtected` | No | Boolean | Specifies whether this deny assignment was created by Azure and cannot be edited or deleted. Currently, all deny assignments are system protected. | ## The All Principals principal
-To support deny assignments, a system-defined principal named *All Principals* has been introduced. This principal represents all users, groups, service principals, and managed identities in an Azure AD directory. If the principal ID is a zero GUID `00000000-0000-0000-0000-000000000000` and the principal type is `SystemDefined`, the principal represents all principals. In Azure PowerShell output, All Principals looks like the following:
+To support deny assignments, a system-defined principal named *All Principals* has been introduced. This principal represents all users, groups, service principals, and managed identities in a Microsoft Entra directory. If the principal ID is a zero GUID `00000000-0000-0000-0000-000000000000` and the principal type is `SystemDefined`, the principal represents all principals. In Azure PowerShell output, All Principals looks like the following:
```azurepowershell Principals : {
role-based-access-control Elevate Access Global Admin https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/elevate-access-global-admin.md
Title: Elevate access to manage all Azure subscriptions and management groups
-description: Describes how to elevate access for a Global Administrator to manage all subscriptions and management groups in Azure Active Directory using the Azure portal or REST API.
+description: Describes how to elevate access for a Global Administrator to manage all subscriptions and management groups in Microsoft Entra ID using the Azure portal or REST API.
# Elevate access to manage all Azure subscriptions and management groups
-As a Global Administrator in Azure Active Directory (Azure AD), you might not have access to all subscriptions and management groups in your directory. This article describes the ways that you can elevate your access to all subscriptions and management groups.
+As a Global Administrator in Microsoft Entra ID, you might not have access to all subscriptions and management groups in your directory. This article describes the ways that you can elevate your access to all subscriptions and management groups.
[!INCLUDE [gdpr-dsr-and-stp-note](../../includes/gdpr-dsr-and-stp-note.md)]
If you are a Global Administrator, there might be times when you want to do the
## How does elevated access work?
-Azure AD and Azure resources are secured independently from one another. That is, Azure AD role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Azure AD. However, if you are a [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) in Azure AD, you can assign yourself access to all Azure subscriptions and management groups in your directory. Use this capability if you don't have access to Azure subscription resources, such as virtual machines or storage accounts, and you want to use your Global Administrator privilege to gain access to those resources.
+Microsoft Entra ID and Azure resources are secured independently from one another. That is, Microsoft Entra role assignments do not grant access to Azure resources, and Azure role assignments do not grant access to Microsoft Entra ID. However, if you are a [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) in Microsoft Entra ID, you can assign yourself access to all Azure subscriptions and management groups in your directory. Use this capability if you don't have access to Azure subscription resources, such as virtual machines or storage accounts, and you want to use your Global Administrator privilege to gain access to those resources.
When you elevate your access, you will be assigned the [User Access Administrator](built-in-roles.md#user-access-administrator) role in Azure at root scope (`/`). This allows you to view all resources and assign access in any subscription or management group in the directory. User Access Administrator role assignments can be removed using Azure PowerShell, Azure CLI, or the REST API.
Follow these steps to elevate access for a Global Administrator using the Azure
1. Sign in to the [Azure portal](https://portal.azure.com) as a Global Administrator.
- If you are using Azure AD Privileged Identity Management, [activate your Global Administrator role assignment](../active-directory/privileged-identity-management/pim-how-to-activate-role.md).
+ If you are using Microsoft Entra Privileged Identity Management, [activate your Global Administrator role assignment](../active-directory/privileged-identity-management/pim-how-to-activate-role.md).
-1. Open **Azure Active Directory**.
+1. Open **Microsoft Entra ID**.
1. Under **Manage**, select **Properties**.
- ![Select Properties for Azure Active Directory properties - screenshot](./media/elevate-access-global-admin/azure-active-directory-properties.png)
+ ![Select Properties for Microsoft Entra properties - screenshot](./media/elevate-access-global-admin/azure-active-directory-properties.png)
1. Under **Access management for Azure resources**, set the toggle to **Yes**. ![Access management for Azure resources - screenshot](./media/elevate-access-global-admin/aad-properties-global-admin-setting.png)
- When you set the toggle to **Yes**, you are assigned the User Access Administrator role in Azure RBAC at root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Azure AD directory. This toggle is only available to users who are assigned the Global Administrator role in Azure AD.
+ When you set the toggle to **Yes**, you are assigned the User Access Administrator role in Azure RBAC at root scope (/). This grants you permission to assign roles in all Azure subscriptions and management groups associated with this Microsoft Entra directory. This toggle is only available to users who are assigned the Global Administrator role in Microsoft Entra ID.
- When you set the toggle to **No**, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Azure AD directory. You can view and manage only the Azure subscriptions and management groups to which you have been granted access.
+ When you set the toggle to **No**, the User Access Administrator role in Azure RBAC is removed from your user account. You can no longer assign roles in all Azure subscriptions and management groups that are associated with this Microsoft Entra directory. You can view and manage only the Azure subscriptions and management groups to which you have been granted access.
> [!NOTE] > If you're using [Privileged Identity Management](../active-directory/privileged-identity-management/pim-configure.md), deactivating your role assignment does not change the **Access management for Azure resources** toggle to **No**. To maintain least privileged access, we recommend that you set this toggle to **No** before you deactivate your role assignment.
To remove the User Access Administrator role assignment at root scope (`/`), fol
1. Sign in as the same user that was used to elevate access.
-1. In the navigation list, click **Azure Active Directory** and then click **Properties**.
+1. In the navigation list, click **Microsoft Entra ID** and then click **Properties**.
1. Set the **Access management for Azure resources** toggle back to **No**. Since this is a per-user setting, you must be signed in as the same user as was used to elevate access.
When you call `elevateAccess`, you create a role assignment for yourself, so to
## View elevate access log entries in the Directory Activity logs
-When access is elevated, an entry is added to the logs. As a Global Administrator in Azure AD, you might want to check when access was elevated and who did it. Elevate access log entries do not appear in the standard activity logs, but instead appear in the Directory Activity logs. This section describes different ways that you can view the elevate access log entries.
+When access is elevated, an entry is added to the logs. As a Global Administrator in Microsoft Entra ID, you might want to check when access was elevated and who did it. Elevate access log entries do not appear in the standard activity logs, but instead appear in the Directory Activity logs. This section describes different ways that you can view the elevate access log entries.
### View elevate access log entries using the Azure portal
When access is elevated, an entry is added to the logs. As a Global Administrato
If you want to be able to periodically get the elevate access log entries, you can delegate access to a group and then use Azure CLI.
-1. Open **Azure Active Directory** > **Groups**.
+1. Open **Microsoft Entra ID** > **Groups**.
1. Create a new security group and note the group object ID.
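Review bot: the `+` alt-text line for `azure-active-directory-properties.png` now reads "Select Properties for Microsoft Entra properties - screenshot" while the screenshot file path is unchanged, so the alt text may describe a label the captured image does not show; either refresh the screenshot or keep the alt text aligned with what the image actually displays. In the same region, the `+` line beginning "When you set the toggle to **Yes**" writes root scope as "(/)" while the paragraph above in this article uses "(`/`)"; use the code formatting consistently, since this toggle grants User Access Administrator across every management group and subscription in the tenant and the scope should be unambiguous.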
role-based-access-control Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/policy-reference.md
Title: Built-in policy definitions for Azure RBAC description: Lists Azure Policy built-in policy definitions for Azure RBAC. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
role-based-access-control Rbac And Directory Admin Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/rbac-and-directory-admin-roles.md
Title: "Azure roles, Azure AD roles, and classic subscription administrator roles"
-description: Describes the different roles in Azure - Azure roles, and Azure Active Directory (Azure AD) roles, and classic subscription administrator roles
+ Title: "Azure roles, Microsoft Entra roles, and classic subscription administrator roles"
+description: Describes the different roles in Azure - Azure roles, and Microsoft Entra roles, and classic subscription administrator roles
documentationcenter: ''
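Review bot: the added ` Title:` line carries a leading space before the key, which in YAML front matter indents that key relative to `description:` and changes how it is parsed; remove the space so both keys start at column 0, and confirm that only one title key remains in the front matter, since the old `Title:` line above appears here without a `-` marker.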
-# Azure roles, Azure AD roles, and classic subscription administrator roles
+# Azure roles, Microsoft Entra roles, and classic subscription administrator roles
If you're new to Azure, you may find it a little challenging to understand all the different roles in Azure. This article helps explain the following roles and when you would use each: - Azure roles-- Azure Active Directory (Azure AD) roles
+- Microsoft Entra roles
- Classic subscription administrator roles ## How the roles are related
-To better understand roles in Azure, it helps to know some of the history. When Azure was initially released, access to resources was managed with just three administrator roles: Account Administrator, Service Administrator, and Co-Administrator. Later, Azure role-based access control (Azure RBAC) was added. Azure RBAC is a newer authorization system that provides fine-grained access management to Azure resources. Azure RBAC includes many built-in roles, can be assigned at different scopes, and allows you to create your own custom roles. To manage resources in Azure AD, such as users, groups, and domains, there are several Azure AD roles.
+To better understand roles in Azure, it helps to know some of the history. When Azure was initially released, access to resources was managed with just three administrator roles: Account Administrator, Service Administrator, and Co-Administrator. Later, Azure role-based access control (Azure RBAC) was added. Azure RBAC is a newer authorization system that provides fine-grained access management to Azure resources. Azure RBAC includes many built-in roles, can be assigned at different scopes, and allows you to create your own custom roles. To manage resources in Microsoft Entra ID, such as users, groups, and domains, there are several Microsoft Entra roles.
-The following diagram is a high-level view of how the Azure roles, Azure AD roles, and classic subscription administrator roles are related.
+The following diagram is a high-level view of how the Azure roles, Microsoft Entra roles, and classic subscription administrator roles are related.
:::image type="content" source="./media/rbac-and-directory-admin-roles/rbac-admin-roles.png" alt-text="Diagram of the different roles in Azure." lightbox="./media/rbac-and-directory-admin-roles/rbac-admin-roles.png":::
When you click the **Roles** tab, you'll see the list of built-in and custom rol
For more information, see [Assign Azure roles using the Azure portal](role-assignments-portal.md).
-## Azure AD roles
+<a name='azure-ad-roles'></a>
-[Azure AD roles](../active-directory/roles/custom-overview.md) are used to manage Azure AD resources in a directory such as create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and manage domains. The following table describes a few of the more important Azure AD roles.
+## Microsoft Entra roles
-| Azure AD role | Permissions | Notes |
+[Microsoft Entra roles](../active-directory/roles/custom-overview.md) are used to manage Microsoft Entra resources in a directory such as create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and manage domains. The following table describes a few of the more important Microsoft Entra roles.
+
+| Microsoft Entra role | Permissions | Notes |
| | | |
-| [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) | <ul><li>Manage access to all administrative features in Azure Active Directory, as well as services that federate to Azure Active Directory</li><li>Assign administrator roles to others</li><li>Reset the password for any user and all other administrators</li></ul> | The person who signs up for the Azure Active Directory tenant becomes a Global Administrator. |
+| [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) | <ul><li>Manage access to all administrative features in Microsoft Entra ID, as well as services that federate to Microsoft Entra ID</li><li>Assign administrator roles to others</li><li>Reset the password for any user and all other administrators</li></ul> | The person who signs up for the Microsoft Entra tenant becomes a Global Administrator. |
| [User Administrator](../active-directory/roles/permissions-reference.md#user-administrator) | <ul><li>Create and manage all aspects of users and groups</li><li>Manage support tickets</li><li>Monitor service health</li><li>Change passwords for users, Helpdesk administrators, and other User Administrators</li></ul> | | | [Billing Administrator](../active-directory/roles/permissions-reference.md#billing-administrator) | <ul><li>Make purchases</li><li>Manage subscriptions</li><li>Manage support tickets</li><li>Monitors service health</li></ul> | |
-In the Azure portal, you can see the list of Azure AD roles on the **Roles and administrators** page. For a list of all the Azure AD roles, see [Administrator role permissions in Azure Active Directory](../active-directory/roles/permissions-reference.md).
+In the Azure portal, you can see the list of Microsoft Entra roles on the **Roles and administrators** page. For a list of all the Microsoft Entra roles, see [Administrator role permissions in Microsoft Entra ID](../active-directory/roles/permissions-reference.md).
+
+<a name='differences-between-azure-roles-and-azure-ad-roles'></a>
-## Differences between Azure roles and Azure AD roles
+## Differences between Azure roles and Microsoft Entra roles
-At a high level, Azure roles control permissions to manage Azure resources, while Azure AD roles control permissions to manage Azure Active Directory resources. The following table compares some of the differences.
+At a high level, Azure roles control permissions to manage Azure resources, while Microsoft Entra roles control permissions to manage Microsoft Entra resources. The following table compares some of the differences.
-| Azure roles | Azure AD roles |
+| Azure roles | Microsoft Entra roles |
| | |
-| Manage access to Azure resources | Manage access to Azure Active Directory resources |
+| Manage access to Azure resources | Manage access to Microsoft Entra resources |
| Supports custom roles | Supports custom roles | | Scope can be specified at multiple levels (management group, subscription, resource group, resource) | [Scope](../active-directory/roles/custom-overview.md#scope) can be specified at the tenant level (organization-wide), administrative unit, or on an individual object (for example, a specific application) | | Role information can be accessed in Azure portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, REST API | Role information can be accessed in the Azure admin portal, Microsoft 365 admin center, Microsoft Graph, AzureAD PowerShell |
-### Do Azure roles and Azure AD roles overlap?
+<a name='do-azure-roles-and-azure-ad-roles-overlap'></a>
+
+### Do Azure roles and Microsoft Entra roles overlap?
-By default, Azure roles and Azure AD roles don't span Azure and Azure AD. However, if a Global Administrator elevates their access by choosing the **Access management for Azure resources** switch in the Azure portal, the Global Administrator will be granted the [User Access Administrator](built-in-roles.md#user-access-administrator) role (an Azure role) on all subscriptions for a particular tenant. The User Access Administrator role enables the user to grant other users access to Azure resources. This switch can be helpful to regain access to a subscription. For more information, see [Elevate access to manage all Azure subscriptions and management groups](elevate-access-global-admin.md).
+By default, Azure roles and Microsoft Entra roles don't span Azure and Microsoft Entra ID. However, if a Global Administrator elevates their access by choosing the **Access management for Azure resources** switch in the Azure portal, the Global Administrator will be granted the [User Access Administrator](built-in-roles.md#user-access-administrator) role (an Azure role) on all subscriptions for a particular tenant. The User Access Administrator role enables the user to grant other users access to Azure resources. This switch can be helpful to regain access to a subscription. For more information, see [Elevate access to manage all Azure subscriptions and management groups](elevate-access-global-admin.md).
-Several Azure AD roles span Azure AD and Microsoft 365, such as the Global Administrator and User Administrator roles. For example, if you're a member of the Global Administrator role, you have global administrator capabilities in Azure AD and Microsoft 365, such as making changes to Microsoft Exchange and Microsoft SharePoint. However, by default, the Global Administrator doesn't have access to Azure resources.
+Several Microsoft Entra roles span Microsoft Entra ID and Microsoft 365, such as the Global Administrator and User Administrator roles. For example, if you're a member of the Global Administrator role, you have global administrator capabilities in Microsoft Entra ID and Microsoft 365, such as making changes to Microsoft Exchange and Microsoft SharePoint. However, by default, the Global Administrator doesn't have access to Azure resources.
## Classic subscription administrator roles
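Review bot: the `+` line beginning "By default, Azure roles and Microsoft Entra roles don't span" describes the elevated grant as User Access Administrator "on all subscriptions for a particular tenant", while the elevate-access article in this same change states the assignment is made at root scope (`/`) and covers management groups as well as subscriptions; because this section exists to explain exactly how far that overlap reaches, state the root scope here too, for example "at root scope (`/`), which covers all management groups and subscriptions in the tenant".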
Account Administrator, Service Administrator, and Co-Administrator are the three
| | | | | | Account Administrator | 1 per Azure account | <ul><li>Can access the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade) and manage billing</li><li>Manage billing for all subscriptions in the account</li><li>Create new subscriptions</li><li>Cancel subscriptions</li><li>Change the billing for a subscription</li><li>Change the Service Administrator</li><li>Can't cancel subscriptions unless they have the Service Administrator or subscription Owner role</li></ul> | Conceptually, the billing owner of the subscription. | | Service Administrator | 1 per Azure subscription | <ul><li>Manage services in the [Azure portal](https://portal.azure.com)</li><li>Cancel the subscription</li><li>Assign users to the Co-Administrator role</li></ul> | By default, for a new subscription, the Account Administrator is also the Service Administrator.<br>The Service Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope.<br>The Service Administrator has full access to the Azure portal. |
-| Co-Administrator | 200 per subscription | <ul><li>Same access privileges as the Service Administrator, but canΓÇÖt change the association of subscriptions to Azure AD directories</li><li>Assign users to the Co-Administrator role, but can't change the Service Administrator</li></ul> | The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. |
+| Co-Administrator | 200 per subscription | <ul><li>Same access privileges as the Service Administrator, but canΓÇÖt change the association of subscriptions to Microsoft Entra directories</li><li>Assign users to the Co-Administrator role, but can't change the Service Administrator</li></ul> | The Co-Administrator has the equivalent access of a user who is assigned the Owner role at the subscription scope. |
In the Azure portal, you can manage Co-Administrators or view the Service Administrator by using the **Classic administrators** tab.
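Review bot: the `+` Co-Administrator row keeps the mis-encoded apostrophe in "canΓÇÖt"; since the line is already being edited for the rename, replace it with a plain "can't" so the rendered table no longer shows the garbled characters.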
An Azure account is used to establish a billing relationship. An Azure account i
Azure subscriptions help you organize access to Azure resources. They also help you control how resource usage is reported, billed, and paid for. Each subscription can have a different billing and payment setup, so you can have different subscriptions and different plans by office, department, project, and so on. Every service belongs to a subscription, and the subscription ID may be required for programmatic operations.
-Each subscription is associated with an Azure AD directory. To find the directory the subscription is associated with, open **Subscriptions** in the Azure portal and then select a subscription to see the directory.
+Each subscription is associated with a Microsoft Entra directory. To find the directory the subscription is associated with, open **Subscriptions** in the Azure portal and then select a subscription to see the directory.
Accounts and subscriptions are managed in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade). ## Next steps - [Assign Azure roles using the Azure portal](role-assignments-portal.md)-- [Assign Azure AD roles to users](../active-directory/roles/manage-roles-portal.md)-- [Roles for Microsoft 365 services in Azure Active Directory](../active-directory/roles/m365-workload-docs.md)
+- [Assign Microsoft Entra roles to users](../active-directory/roles/manage-roles-portal.md)
+- [Roles for Microsoft 365 services in Microsoft Entra ID](../active-directory/roles/m365-workload-docs.md)
role-based-access-control Role Assignments Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-cli.md
You can assign a role to a user, group, service principal, or managed identity.
**User**
-For an Azure AD user, get the user principal name, such as *patlong\@contoso.com* or the user object ID. To get the object ID, you can use [az ad user show](/cli/azure/ad/user#az-ad-user-show).
+For a Microsoft Entra user, get the user principal name, such as *patlong\@contoso.com* or the user object ID. To get the object ID, you can use [az ad user show](/cli/azure/ad/user#az-ad-user-show).
```azurecli az ad user show --id "{principalName}" --query "id" --output tsv
az ad user show --id "{principalName}" --query "id" --output tsv
**Group**
-For an Azure AD group, you need the group object ID. To get the object ID, you can use [az ad group show](/cli/azure/ad/group#az-ad-group-show) or [az ad group list](/cli/azure/ad/group#az-ad-group-list).
+For a Microsoft Entra group, you need the group object ID. To get the object ID, you can use [az ad group show](/cli/azure/ad/group#az-ad-group-show) or [az ad group list](/cli/azure/ad/group#az-ad-group-list).
```azurecli az ad group show --group "{groupName}" --query "id" --output tsv
az ad group show --group "{groupName}" --query "id" --output tsv
**Service principal**
-For an Azure AD service principal (identity used by an application), you need the service principal object ID. To get the object ID, you can use [az ad sp list](/cli/azure/ad/sp#az-ad-sp-list). For a service principal, use the object ID and **not** the application ID.
+For a Microsoft Entra service principal (identity used by an application), you need the service principal object ID. To get the object ID, you can use [az ad sp list](/cli/azure/ad/sp#az-ad-sp-list). For a service principal, use the object ID and **not** the application ID.
```azurecli az ad sp list --all --query "[].{displayName:displayName, id:id}" --output tsv
role-based-access-control Role Assignments External Users https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-external-users.md
# Assign Azure roles to external guest users using the Azure portal
-[Azure role-based access control (Azure RBAC)](overview.md) allows better security management for large organizations and for small and medium-sized businesses working with external collaborators, vendors, or freelancers that need access to specific resources in your environment, but not necessarily to the entire infrastructure or any billing-related scopes. You can use the capabilities in [Azure Active Directory B2B](../active-directory/external-identities/what-is-b2b.md) to collaborate with external guest users and you can use Azure RBAC to grant just the permissions that guest users need in your environment.
+[Azure role-based access control (Azure RBAC)](overview.md) allows better security management for large organizations and for small and medium-sized businesses working with external collaborators, vendors, or freelancers that need access to specific resources in your environment, but not necessarily to the entire infrastructure or any billing-related scopes. You can use the capabilities in [Microsoft Entra B2B](../active-directory/external-identities/what-is-b2b.md) to collaborate with external guest users and you can use Azure RBAC to grant just the permissions that guest users need in your environment.
## Prerequisites
Here are a couple example scenarios when you might invite guest users to your or
## Permission differences between member users and guest users
-Native members of a directory (member users) have different permissions than users invited from another directory as a B2B collaboration guest (guest users). For example, members user can read almost all directory information while guest users have restricted directory permissions. For more information about member users and guest users, see [What are the default user permissions in Azure Active Directory?](../active-directory/fundamentals/users-default-permissions.md).
+Native members of a directory (member users) have different permissions than users invited from another directory as a B2B collaboration guest (guest users). For example, members user can read almost all directory information while guest users have restricted directory permissions. For more information about member users and guest users, see [What are the default user permissions in Microsoft Entra ID?](../active-directory/fundamentals/users-default-permissions.md).
## Add a guest user to your directory
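Review bot: the `+` line under "Permission differences between member users and guest users" retains the grammar slip "members user can read almost all directory information"; change it to "member users can read" to match "member users" earlier in the same sentence.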
-Follow these steps to add a guest user to your directory using the Azure Active Directory page.
+Follow these steps to add a guest user to your directory using the Microsoft Entra ID page.
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Make sure your organization's external collaboration settings are configured such that you're allowed to invite guests. For more information, see [Configure external collaboration settings](../active-directory/external-identities/external-collaboration-settings-configure.md).
-1. Click **Azure Active Directory** > **Users** > **New guest user**.
+1. Click **Microsoft Entra ID** > **Users** > **New guest user**.
![Screenshot of New guest user feature in Azure portal.](./media/role-assignments-external-users/invite-guest-user.png)
-1. Follow the steps to add a new guest user. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md#add-guest-users-to-the-directory).
+1. Follow the steps to add a new guest user. For more information, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md#add-guest-users-to-the-directory).
After you add a guest user to the directory, you can either send the guest user a direct link to a shared app, or the guest user can click the accept invitation link in the invitation email.
For the guest user to be able to access your directory, they must complete the i
![Screenshot of guest user invite review permissions.](./media/role-assignments-external-users/invite-review-permissions.png)
-For more information about the invitation process, see [Azure Active Directory B2B collaboration invitation redemption](../active-directory/external-identities/redemption-experience.md).
+For more information about the invitation process, see [Microsoft Entra B2B collaboration invitation redemption](../active-directory/external-identities/redemption-experience.md).
## Assign a role to a guest user
If the guest user is not yet in your directory, you can invite the user directly
1. Send the invitation link to the guest user to complete the invitation process.
- For more information about the invitation process, see [Azure Active Directory B2B collaboration invitation redemption](../active-directory/external-identities/redemption-experience.md).
+ For more information about the invitation process, see [Microsoft Entra B2B collaboration invitation redemption](../active-directory/external-identities/redemption-experience.md).
## Remove a guest user from your directory
Before you remove a guest user from a directory, you should first remove any rol
1. If the guest user has a Co-Administrator assignment, add a check mark next to the guest user and click **Remove**.
-1. In the left navigation bar, click **Azure Active Directory** > **Users**.
+1. In the left navigation bar, click **Microsoft Entra ID** > **Users**.
1. Click the guest user you want to remove.
Before you remove a guest user from a directory, you should first remove any rol
### Guest user cannot browse the directory
-Guest users have restricted directory permissions. For example, guest users cannot browse the directory and cannot search for groups or applications. For more information, see [What are the default user permissions in Azure Active Directory?](../active-directory/fundamentals/users-default-permissions.md).
+Guest users have restricted directory permissions. For example, guest users cannot browse the directory and cannot search for groups or applications. For more information, see [What are the default user permissions in Microsoft Entra ID?](../active-directory/fundamentals/users-default-permissions.md).
![Screenshot of guest user cannot browse users in a directory.](./media/role-assignments-external-users/directory-no-users.png)
-If a guest user needs additional privileges in the directory, you can assign an Azure AD role to the guest user. If you really want a guest user to have full read access to your directory, you can add the guest user to the [Directory Readers](../active-directory/roles/permissions-reference.md#directory-readers) role in Azure AD. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md).
+If a guest user needs additional privileges in the directory, you can assign a Microsoft Entra role to the guest user. If you really want a guest user to have full read access to your directory, you can add the guest user to the [Directory Readers](../active-directory/roles/permissions-reference.md#directory-readers) role in Microsoft Entra ID. For more information, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md).
![Screenshot of assigning Directory Readers role.](./media/role-assignments-external-users/directory-roles.png)
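Review bot: the `+` line in this hunk moves from "you can assign a Microsoft Entra role to the guest user" straight to Directory Readers without saying what that role exposes; Directory Readers lets the guest read every user, group and application object in the tenant, which is far more than one "browse the directory" scenario needs. Suggest keeping the "If you really want" framing but adding one sentence on what the role grants, so a reader weighs it against a narrower role before assigning it to an external identity.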
Guest users have restricted directory permissions. Even if a guest user is an [O
![Screenshot of guest user cannot browse security principals to assign roles.](./media/role-assignments-external-users/directory-no-browse.png)
-If the guest user knows someone's exact sign-in name in the directory, they can grant access. If you really want a guest user to have full read access to your directory, you can add the guest user to the [Directory Readers](../active-directory/roles/permissions-reference.md#directory-readers) role in Azure AD. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md).
+If the guest user knows someone's exact sign-in name in the directory, they can grant access. If you really want a guest user to have full read access to your directory, you can add the guest user to the [Directory Readers](../active-directory/roles/permissions-reference.md#directory-readers) role in Microsoft Entra ID. For more information, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md).
### Guest user cannot register applications or create service principals
-Guest users have restricted directory permissions. If a guest user needs to be able to register applications or create service principals, you can add the guest user to the [Application Developer](../active-directory/roles/permissions-reference.md#application-developer) role in Azure AD. For more information, see [Add Azure Active Directory B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md).
+Guest users have restricted directory permissions. If a guest user needs to be able to register applications or create service principals, you can add the guest user to the [Application Developer](../active-directory/roles/permissions-reference.md#application-developer) role in Microsoft Entra ID. For more information, see [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md).
![Screenshot of guest user cannot register applications.](./media/role-assignments-external-users/directory-access-denied.png) ### Guest user does not see the new directory
-If a guest user has been granted access to a directory, but they do not see the new directory listed in the Azure portal when they try to switch in their **Directories** page, make sure the guest user has completed the invitation process. For more information about the invitation process, see [Azure Active Directory B2B collaboration invitation redemption](../active-directory/external-identities/redemption-experience.md).
+If a guest user has been granted access to a directory, but they do not see the new directory listed in the Azure portal when they try to switch in their **Directories** page, make sure the guest user has completed the invitation process. For more information about the invitation process, see [Microsoft Entra B2B collaboration invitation redemption](../active-directory/external-identities/redemption-experience.md).
### Guest user does not see resources
If a guest user has been granted access to a directory, but they do not see the
## Next steps -- [Add Azure Active Directory B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md)-- [Properties of an Azure Active Directory B2B collaboration user](../active-directory/external-identities/user-properties.md)-- [The elements of the B2B collaboration invitation email - Azure Active Directory](../active-directory/external-identities/invitation-email-elements.md)
+- [Add Microsoft Entra B2B collaboration users in the Azure portal](../active-directory/external-identities/add-users-administrator.md)
+- [Properties of a Microsoft Entra B2B collaboration user](../active-directory/external-identities/user-properties.md)
+- [The elements of the B2B collaboration invitation email - Microsoft Entra ID](../active-directory/external-identities/invitation-email-elements.md)
role-based-access-control Role Assignments List Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-list-portal.md
A quick way to see the roles assigned to a user or group in a subscription is to
1. In the Azure portal, select **All services** from the Azure portal menu.
-1. Select **Azure Active Directory** and then select **Users** or **Groups**.
+1. Select **Microsoft Entra ID** and then select **Users** or **Groups**.
1. Click the user or group you want list the role assignments for.
role-based-access-control Role Assignments Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-portal.md
[!INCLUDE [Azure RBAC definition grant access](../../includes/role-based-access-control/definition-grant.md)] This article describes how to assign roles using the Azure portal.
-If you need to assign administrator roles in Azure Active Directory, see [Assign Azure AD roles to users](../active-directory/roles/manage-roles-portal.md).
+If you need to assign administrator roles in Microsoft Entra ID, see [Assign Microsoft Entra roles to users](../active-directory/roles/manage-roles-portal.md).
## Prerequisites
If you need to assign administrator roles in Azure Active Directory, see [Assign
## Step 4: Select who needs access
-1. On the **Members** tab, select **User, group, or service principal** to assign the selected role to one or more Azure AD users, groups, or service principals (applications).
+1. On the **Members** tab, select **User, group, or service principal** to assign the selected role to one or more Microsoft Entra users, groups, or service principals (applications).
![Screenshot of Add role assignment page with Members tab.](./media/shared/members.png)
role-based-access-control Role Assignments Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-powershell.md
You can assign a role to a user, group, service principal, or managed identity.
**User**
-For an Azure AD user, get the user principal name, such as *patlong\@contoso.com* or the user object ID. To get the object ID, you can use [Get-AzADUser](/powershell/module/az.resources/get-azaduser).
+For a Microsoft Entra user, get the user principal name, such as *patlong\@contoso.com* or the user object ID. To get the object ID, you can use [Get-AzADUser](/powershell/module/az.resources/get-azaduser).
```azurepowershell Get-AzADUser -StartsWith <userName>
Get-AzADUser -StartsWith <userName>
**Group**
-For an Azure AD group, you need the group object ID. To get the object ID, you can use [Get-AzADGroup](/powershell/module/az.resources/get-azadgroup).
+For a Microsoft Entra group, you need the group object ID. To get the object ID, you can use [Get-AzADGroup](/powershell/module/az.resources/get-azadgroup).
```azurepowershell Get-AzADGroup -SearchString <groupName>
Get-AzADGroup -SearchString <groupName>
**Service principal**
-For an Azure AD service principal (identity used by an application), you need the service principal object ID. To get the object ID, you can use [Get-AzADServicePrincipal](/powershell/module/az.resources/get-azadserviceprincipal). For a service principal, use the object ID and **not** the application ID.
+For a Microsoft Entra service principal (identity used by an application), you need the service principal object ID. To get the object ID, you can use [Get-AzADServicePrincipal](/powershell/module/az.resources/get-azadserviceprincipal). For a service principal, use the object ID and **not** the application ID.
```azurepowershell Get-AzADServicePrincipal -SearchString <principalName>
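Review bot: the User entry in this hunk offers the user principal name as an equivalent alternative to the object ID, but the UPN path depends on a directory lookup at assignment time (the same lookup that produces the "Insufficient privileges to complete the operation" error for service-principal callers in role-assignments-steps.md), and a UPN can change while the object ID does not. Suggest recommending the object ID for scripted assignments and keeping the UPN as an interactive convenience. The advice "use the object ID and **not** the application ID" for service principals is correct and worth keeping as is.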
role-based-access-control Role Assignments Steps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments-steps.md
You first need to determine who needs access. You can assign a role to a user, g
![Security principal for a role assignment](./media/shared/rbac-security-principal.png) -- User - An individual who has a profile in Azure Active Directory. You can also assign roles to users in other tenants. For information about users in other organizations, see [Azure Active Directory B2B](../active-directory/external-identities/what-is-b2b.md).-- Group - A set of users created in Azure Active Directory. When you assign a role to a group, all users within that group have that role.
+- User - An individual who has a profile in Microsoft Entra ID. You can also assign roles to users in other tenants. For information about users in other organizations, see [Microsoft Entra B2B](../active-directory/external-identities/what-is-b2b.md).
+- Group - A set of users created in Microsoft Entra ID. When you assign a role to a group, all users within that group have that role.
- Service principal - A security identity used by applications or services to access specific Azure resources. You can think of it as a *user identity* (username and password or certificate) for an application.-- Managed identity - An identity in Azure Active Directory that is automatically managed by Azure. You typically use [managed identities](../active-directory/managed-identities-azure-resources/overview.md) when developing cloud applications to manage the credentials for authenticating to Azure services.
+- Managed identity - An identity in Microsoft Entra ID that is automatically managed by Azure. You typically use [managed identities](../active-directory/managed-identities-azure-resources/overview.md) when developing cloud applications to manage the credentials for authenticating to Azure services.
## Step 2: Select the appropriate role
To assign roles, you must be signed in with a user that is assigned a role that
If your user account doesn't have permission to assign a role within your subscription, you see an error message that your account "does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write'." In this case, contact the administrators of your subscription as they can assign the permissions on your behalf.
-If you are using a service principal to assign roles, you might get the error "Insufficient privileges to complete the operation." This error is likely because Azure is attempting to look up the assignee identity in Azure Active Directory (Azure AD) and the service principal cannot read Azure AD by default. In this case, you need to grant the service principal permissions to read data in the directory. Alternatively, if you are using Azure CLI, you can create the role assignment by using the assignee object ID to skip the Azure AD lookup. For more information, see [Troubleshoot Azure RBAC](troubleshooting.md).
+If you are using a service principal to assign roles, you might get the error "Insufficient privileges to complete the operation." This error is likely because Azure is attempting to look up the assignee identity in Microsoft Entra ID and the service principal cannot read Microsoft Entra ID by default. In this case, you need to grant the service principal permissions to read data in the directory. Alternatively, if you are using Azure CLI, you can create the role assignment by using the assignee object ID to skip the Microsoft Entra lookup. For more information, see [Troubleshoot Azure RBAC](troubleshooting.md).
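Review bot: the last `+` line presents "create the role assignment by using the assignee object ID to skip the Microsoft Entra lookup" as an afterthought ("Alternatively, if you are using Azure CLI"), yet it is the least-privilege fix: it avoids granting the automation service principal any directory read permission at all. Suggest leading with the object-ID option and describing the directory-read grant as the fallback, and stating the minimum permission that fallback needs (or pointing to where the troubleshooting article names it) so readers don't over-grant.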
## Step 5: Assign role
Check out the following articles for detailed steps for how to assign roles.
## Next steps -- [Tutorial: Grant a user access to Azure resources using the Azure portal](quickstart-assign-role-user-portal.md)
+- [Tutorial: Grant a user access to Azure resources using the Azure portal](quickstart-assign-role-user-portal.md)
role-based-access-control Role Assignments https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-assignments.md
A role assignment has several components, including:
For example, you can use Azure RBAC to assign roles like: - User Sally has owner access to the storage account *contoso123* in the resource group *ContosoStorage*.-- Everybody in the Cloud Administrators group in Azure Active Directory has reader access to all resources in the resource group *ContosoStorage*.
+- Everybody in the Cloud Administrators group in Microsoft Entra ID has reader access to all resources in the resource group *ContosoStorage*.
- The managed identity associated with an application is allowed to restart virtual machines within Contoso's subscription. The following shows an example of the properties in a role assignment when displayed using [Azure PowerShell](role-assignments-list-powershell.md):
The following table describes what the role assignment properties mean.
| `Scope`<br />`scope` | The Azure resource identifier that the role assignment is scoped to. | | `RoleDefinitionId`<br />`roleDefinitionId` | The unique ID of the role. | | `RoleDefinitionName`<br />`roleDefinitionName` | The name of the role. |
-| `ObjectId`<br />`principalId` | The Azure Active Directory (Azure AD) object identifier for the principal who has the role assigned. |
-| `ObjectType`<br />`principalType` | The type of Azure AD object that the principal represents. Valid values include `User`, `Group`, and `ServicePrincipal`. |
+| `ObjectId`<br />`principalId` | The Microsoft Entra object identifier for the principal who has the role assigned. |
+| `ObjectType`<br />`principalType` | The type of Microsoft Entra object that the principal represents. Valid values include `User`, `Group`, and `ServicePrincipal`. |
| `DisplayName` | For role assignments for users, the display name of the user. | | `SignInName`<br />`principalName` | The unique principal name (UPN) of the user, or the name of the application associated with the service principal. | | `Description`<br />`description` | The description of the role assignment. |
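Review bot: the `principalType` row in this hunk lists `User`, `Group` and `ServicePrincipal` as valid values but doesn't say which value managed identities take, although the Principal section below warns that the wrong type causes intermittent deployment errors "especially when you work with service principals and managed identities". Suggest adding that both system-assigned and user-assigned managed identities (and workload identities) are assigned with `ServicePrincipal`.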
For more information about role definitions, see [Understand role definitions](r
## Principal
-Principals include users, security groups, managed identities, workload identities, and service principals. Principals are created and managed in your Azure Active Directory (Azure AD) tenant. You can assign a role to any principal. Use the Azure AD *object ID* to identify the principal that you want to assign the role to.
+Principals include users, security groups, managed identities, workload identities, and service principals. Principals are created and managed in your Microsoft Entra tenant. You can assign a role to any principal. Use the Microsoft Entra ID *object ID* to identify the principal that you want to assign the role to.
When you create a role assignment by using Azure PowerShell, the Azure CLI, Bicep, or another infrastructure as code (IaC) technology, you specify the *principal type*. Principal types include *User*, *Group*, and *ServicePrincipal*. It's important to specify the correct principal type. Otherwise, you might get intermittent deployment errors, especially when you work with service principals and managed identities.
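Review bot: style: the `+` line reads "Use the Microsoft Entra ID *object ID* to identify the principal", which stacks "ID" twice; the table hunk above uses "Microsoft Entra object identifier" and the same line uses "Microsoft Entra tenant". Suggest "Use the Microsoft Entra *object ID*" for consistency.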
When you create a role assignment by using Azure PowerShell, the Azure CLI, Bice
A role assignment's resource name must be a globally unique identifier (GUID).
-Role assignment resource names must be unique within the Azure Active Directory tenant, even if the scope of the role assignment is narrower.
+Role assignment resource names must be unique within the Microsoft Entra tenant, even if the scope of the role assignment is narrower.
> [!TIP] > When you create a role assignment by using the Azure portal, Azure PowerShell, or the Azure CLI, the creation process gives the role assignment a unique name for you automatically.
Role assignment resource names must be unique within the Azure Active Directory
### Resource deletion behavior
-When you delete a user, group, service principal, or managed identity from Azure AD, it's a good practice to delete any role assignments. They aren't deleted automatically. Any role assignments that refer to a deleted principal ID become invalid.
+When you delete a user, group, service principal, or managed identity from Microsoft Entra ID, it's a good practice to delete any role assignments. They aren't deleted automatically. Any role assignments that refer to a deleted principal ID become invalid.
If you try to reuse a role assignment's name for another role assignment, the deployment will fail. This issue is more likely to occur when you use Bicep or an Azure Resource Manager template (ARM template) to deploy your role assignments, because you have to explicitly set the role assignment name when you use these tools. To work around this behavior, you should either remove the old role assignment before you recreate it, or ensure that you use a unique name when you deploy a new role assignment.
role-based-access-control Role Definitions List https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-definitions-list.md
ms.devlang: azurecli
A role definition is a collection of permissions that can be performed, such as read, write, and delete. It's typically just called a role. [Azure role-based access control (Azure RBAC)](overview.md) has over 120 [built-in roles](built-in-roles.md) or you can create your own custom roles. This article describes how to list the built-in and custom roles that you can use to grant access to Azure resources.
-To see the list of administrator roles for Azure Active Directory, see [Administrator role permissions in Azure Active Directory](../active-directory/roles/permissions-reference.md).
+To see the list of administrator roles for Microsoft Entra ID, see [Administrator role permissions in Microsoft Entra ID](../active-directory/roles/permissions-reference.md).
## Azure portal
role-based-access-control Role Definitions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/role-definitions.md
Role-based access control for control plane actions is specified in the `Actions
- Create, update, or delete a blob container - Delete a resource group and all of its resources
-Control plane access is not inherited to your data plane provided that the container authentication method is set to "Azure AD User Account" and not "Access Key". This separation prevents roles with wildcards (`*`) from having unrestricted access to your data. For example, if a user has a [Reader](built-in-roles.md#reader) role on a subscription, then they can view the storage account, but by default they can't view the underlying data.
+Control plane access is not inherited to your data plane provided that the container authentication method is set to **Azure AD User Account** and not **Access Key**. This separation prevents roles with wildcards (`*`) from having unrestricted access to your data. For example, if a user has a [Reader](built-in-roles.md#reader) role on a subscription, then they can view the storage account, but by default they can't view the underlying data.
Previously, role-based access control was not used for data actions. Authorization for data actions varied across resource providers. The same role-based access control authorization model used for control plane actions has been extended to data plane actions.
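Review bot: two points on the `+` line in this hunk. First, the PR renames Azure AD everywhere else but keeps **Azure AD User Account** as the portal label; if that is the exact current UI string it should stay, but please confirm it against the portal rather than assuming, since the label is the one thing on this page a reader has to match visually. Second, the conditional "provided that the container authentication method is set to ... and not **Access Key**" implies the portal toggle is what keeps control-plane roles from reaching data; the separation actually comes from `Actions` versus `DataActions` in the role definition, and the Access Key path only works if the control-plane role also includes the `Microsoft.Storage/storageAccounts/listKeys/action` action, which Reader does not. Suggest stating that the toggle selects how the portal authenticates to the container, and that a role without the listKeys action can't use the Access Key path regardless of the toggle.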
role-based-access-control Transfer Subscription https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/transfer-subscription.md
Title: Transfer an Azure subscription to a different Azure AD directory
-description: Learn how to transfer an Azure subscription and known related resources to a different Azure Active Directory (Azure AD) directory.
+ Title: Transfer an Azure subscription to a different Microsoft Entra directory
+description: Learn how to transfer an Azure subscription and known related resources to a different Microsoft Entra directory.
Last updated 09/28/2023
-# Transfer an Azure subscription to a different Azure AD directory
+# Transfer an Azure subscription to a different Microsoft Entra directory
-Organizations might have several Azure subscriptions. Each subscription is associated with a particular Azure Active Directory (Azure AD) directory. To make management easier, you might want to transfer a subscription to a different Azure AD directory. When you transfer a subscription to a different Azure AD directory, some resources are not transferred to the target directory. For example, all role assignments and custom roles in Azure role-based access control (Azure RBAC) are **permanently** deleted from the source directory and are not transferred to the target directory.
+Organizations might have several Azure subscriptions. Each subscription is associated with a particular Microsoft Entra directory. To make management easier, you might want to transfer a subscription to a different Microsoft Entra directory. When you transfer a subscription to a different Microsoft Entra directory, some resources are not transferred to the target directory. For example, all role assignments and custom roles in Azure role-based access control (Azure RBAC) are **permanently** deleted from the source directory and are not transferred to the target directory.
-This article describes the basic steps you can follow to transfer a subscription to a different Azure AD directory and re-create some of the resources after the transfer.
+This article describes the basic steps you can follow to transfer a subscription to a different Microsoft Entra directory and re-create some of the resources after the transfer.
If you want to instead **block** the transfer of subscriptions to different directories in your organization, you can configure a subscription policy. For more information, see [Manage Azure subscription policies](../cost-management-billing/manage/manage-azure-subscription-policy.md). > [!NOTE]
-> For Azure Cloud Solution Providers (CSP) subscriptions, changing the Azure AD directory for the subscription isn't supported.
+> For Azure Cloud Solution Providers (CSP) subscriptions, changing the Microsoft Entra directory for the subscription isn't supported.
## Overview
-Transferring an Azure subscription to a different Azure AD directory is a complex process that must be carefully planned and executed. Many Azure services require security principals (identities) to operate normally or even manage other Azure resources. This article tries to cover most of the Azure services that depend heavily on security principals, but is not comprehensive.
+Transferring an Azure subscription to a different Microsoft Entra directory is a complex process that must be carefully planned and executed. Many Azure services require security principals (identities) to operate normally or even manage other Azure resources. This article tries to cover most of the Azure services that depend heavily on security principals, but is not comprehensive.
> [!IMPORTANT] > In some scenarios, transferring a subscription might require downtime to complete the process. Careful planning is required to assess whether downtime will be required for your transfer.
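Review bot: in the `+ Title:` line at the top of this hunk the key appears indented by one space relative to the `-` and context lines around it; if that space is really in the source and not a rendering artifact, it changes the YAML front matter indentation and can break the page build, so please check the raw file. The body text in the rest of the hunk is a clean rename, and the "**permanently** deleted" warning about role assignments and custom roles is the right thing to keep prominent.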
The following diagram shows the basic steps you must follow when you transfer a
The following are some reasons why you might want to transfer a subscription: -- Because of a company merger or acquisition, you want to manage an acquired subscription in your primary Azure AD directory.-- Someone in your organization created a subscription and you want to consolidate management to a particular Azure AD directory.
+- Because of a company merger or acquisition, you want to manage an acquired subscription in your primary Microsoft Entra directory.
+- Someone in your organization created a subscription and you want to consolidate management to a particular Microsoft Entra directory.
- You have applications that depend on a particular subscription ID or URL and it isn't easy to modify the application configuration or code.-- A portion of your business has been split into a separate company and you need to move some of your resources into a different Azure AD directory.-- You want to manage some of your resources in a different Azure AD directory for security isolation purposes.
+- A portion of your business has been split into a separate company and you need to move some of your resources into a different Microsoft Entra directory.
+- You want to manage some of your resources in a different Microsoft Entra directory for security isolation purposes.
### Alternate approaches
Several Azure resources have a dependency on a subscription or a directory. Depe
| System-assigned managed identities | Yes | Yes | [List managed identities](#list-role-assignments-for-managed-identities) | You must disable and re-enable the managed identities. You must re-create the role assignments. | | User-assigned managed identities | Yes | Yes | [List managed identities](#list-role-assignments-for-managed-identities) | You must delete, re-create, and attach the managed identities to the appropriate resource. You must re-create the role assignments. | | Azure Key Vault | Yes | Yes | [List Key Vault access policies](#list-key-vaults) | You must update the tenant ID associated with the key vaults. You must remove and add new access policies. |
-| Azure SQL databases with Azure AD authentication integration enabled | Yes | No | [Check Azure SQL databases with Azure AD authentication](#list-azure-sql-databases-with-azure-ad-authentication) | You cannot transfer an Azure SQL database with Azure AD authentication enabled to a different directory. For more information, see [Use Azure Active Directory authentication](/azure/azure-sql/database/authentication-aad-overview). |
-| Azure database for MySQL with Azure AD authentication integration enabled | Yes | No | | You cannot transfer an Azure database for MySQL (Single and Flexible server) with Azure AD authentication enabled to a different directory. |
+| Azure SQL databases with Microsoft Entra authentication integration enabled | Yes | No | [Check Azure SQL databases with Microsoft Entra authentication](#list-azure-sql-databases-with-azure-ad-authentication) | You cannot transfer an Azure SQL database with Microsoft Entra authentication enabled to a different directory. For more information, see [Use Microsoft Entra authentication](/azure/azure-sql/database/authentication-aad-overview). |
+| Azure database for MySQL with Microsoft Entra authentication integration enabled | Yes | No | | You cannot transfer an Azure database for MySQL (Single and Flexible server) with Microsoft Entra authentication enabled to a different directory. |
| Azure Storage and Azure Data Lake Storage Gen2 | Yes | Yes | | You must re-create any ACLs. | | Azure Data Lake Storage Gen1 | Yes | Yes | | You must re-create any ACLs. | | Azure Files | Yes | Yes | | You must re-create any ACLs. |
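Review bot: the Azure SQL row in this hunk updates the link text to "Check Azure SQL databases with Microsoft Entra authentication" but leaves the target at the old slug `#list-azure-sql-databases-with-azure-ad-authentication`; that only resolves because a later hunk adds `<a name='list-azure-sql-databases-with-azure-ad-authentication'></a>` under the renamed heading. Preserving the legacy anchor is right for external deep links, but the in-page link should point at the renamed heading's own slug so it doesn't depend on the compatibility anchor staying in place.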
Several Azure resources have a dependency on a subscription or a directory. Depe
| Azure Managed Disks | Yes | Yes | | If you are using Disk Encryption Sets to encrypt Managed Disks with customer-managed keys, you must disable and re-enable the system-assigned identities associated with Disk Encryption Sets. And you must re-create the role assignments i.e. again grant required permissions to Disk Encryption Sets in the Key Vaults. | | Azure Kubernetes Service | Yes | No | | You cannot transfer your AKS cluster and its associated resources to a different directory. For more information, see [Frequently asked questions about Azure Kubernetes Service (AKS)](../aks/faq.md) | | Azure Policy | Yes | No | All Azure Policy objects, including custom definitions, assignments, exemptions, and compliance data. | You must [export](../governance/policy/how-to/export-resources.md), import, and re-assign definitions. Then, create new policy assignments and any needed [policy exemptions](../governance/policy/concepts/exemption-structure.md). |
-| Azure Active Directory Domain Services | Yes | No | | You cannot transfer an Azure AD Domain Services managed domain to a different directory. For more information, see [Frequently asked questions (FAQs) about Azure Active Directory (AD) Domain Services](../active-directory-domain-services/faqs.yml) |
+| Microsoft Entra Domain Services | Yes | No | | You cannot transfer a Microsoft Entra Domain Services managed domain to a different directory. For more information, see [Frequently asked questions (FAQs) about Microsoft Entra Domain Services](../active-directory-domain-services/faqs.yml) |
| App registrations | Yes | Yes | | | | Microsoft Dev Box | Yes | No | | You cannot transfer a dev box and its associated resources to a different directory. Once a subscription moves to another tenant, you will not be able to perform any actions on your dev box | | Azure Deployment Environments | Yes | No | | You cannot transfer an environment and its associated resources to a different directory. Once a subscription moves to another tenant, you will not be able to perform any actions on your environment | | Azure Service Bus | Yes | Yes | |You must delete, re-create, and attach the managed identities to the appropriate resource. You must re-create the role assignments. |
-| Azure Synapse Analytics Workspace | Yes | Yes | | You must update the tenant ID associated with the Synapse Analytics Workspace. If the workspace is associated with a Git repository, you must update the [workspace's Git configuration](../synapse-analytics/cicd/source-control.md#switch-to-a-different-git-repository). For more information, see [Recovering Synapse Analytics workspace after transferring a subscription to a different Azure AD directory (tenant)](../synapse-analytics/how-to-recover-workspace-after-tenant-move.md). |
+| Azure Synapse Analytics Workspace | Yes | Yes | | You must update the tenant ID associated with the Synapse Analytics Workspace. If the workspace is associated with a Git repository, you must update the [workspace's Git configuration](../synapse-analytics/cicd/source-control.md#switch-to-a-different-git-repository). For more information, see [Recovering Synapse Analytics workspace after transferring a subscription to a different Microsoft Entra directory (tenant)](../synapse-analytics/how-to-recover-workspace-after-tenant-move.md). |
> [!WARNING] > If you are using encryption at rest for a resource, such as a storage account or SQL database, that has a dependency on a key vault that is being transferred, it can lead to an unrecoverable scenario. If you have this situation, you should take steps to use a different key vault or temporarily disable customer-managed keys to avoid this unrecoverable scenario.
Managed identities do not get updated when a subscription is transferred to anot
### List key vaults
-When you create a key vault, it is automatically tied to the default Azure Active Directory tenant ID for the subscription in which it is created. All access policy entries are also tied to this tenant ID. For more information, see [Moving an Azure Key Vault to another subscription](../key-vault/general/move-subscription.md).
+When you create a key vault, it is automatically tied to the default Microsoft Entra tenant ID for the subscription in which it is created. All access policy entries are also tied to this tenant ID. For more information, see [Moving an Azure Key Vault to another subscription](../key-vault/general/move-subscription.md).
> [!WARNING] > If you are using encryption at rest for a resource, such as a storage account or SQL database, that has a dependency on a key vault that is being transferred, it can lead to an unrecoverable scenario. If you have this situation, you should take steps to use a different key vault or temporarily disable customer-managed keys to avoid this unrecoverable scenario.
When you create a key vault, it is automatically tied to the default Azure Activ
az keyvault show --name MyKeyVault ```
-### List Azure SQL databases with Azure AD authentication
+<a name='list-azure-sql-databases-with-azure-ad-authentication'></a>
-- Use [az sql server ad-admin list](/cli/azure/sql/server/ad-admin#az-sql-server-ad-admin-list) and the [az graph](/cli/azure/graph) extension to see if you are using Azure SQL databases with Azure AD authentication integration enabled. For more information, see [Configure and manage Azure Active Directory authentication with SQL](/azure/azure-sql/database/authentication-aad-configure).
+### List Azure SQL databases with Microsoft Entra authentication
+
+- Use [az sql server ad-admin list](/cli/azure/sql/server/ad-admin#az-sql-server-ad-admin-list) and the [az graph](/cli/azure/graph) extension to see if you are using Azure SQL databases with Microsoft Entra authentication integration enabled. For more information, see [Configure and manage Microsoft Entra authentication with SQL](/azure/azure-sql/database/authentication-aad-configure).
```azurecli az sql server ad-admin list --ids $(az graph query -q "resources | where type == 'microsoft.sql/servers' | project id" --query data[*].[id] -o tsv)
When you create a key vault, it is automatically tied to the default Azure Activ
subscriptionId=$(az account show --output tsv --query id) ```
-1. Use the [az graph](/cli/azure/graph) extension to list other Azure resources with known Azure AD directory dependencies (in `bash`).
+1. Use the [az graph](/cli/azure/graph) extension to list other Azure resources with known Microsoft Entra directory dependencies (in `bash`).
```azurecli az graph query -q 'resources
In this step, you transfer the subscription from the source directory to the tar
1. Transfer the subscription to a different directory.
- - If you want to keep the current billing ownership, follow the steps in [Associate or add an Azure subscription to your Azure Active Directory tenant](../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md).
- - If you want to also transfer the billing ownership, follow the steps in [Transfer billing ownership of an Azure subscription to another account](../cost-management-billing/manage/billing-subscription-transfer.md). To transfer the subscription to a different directory, you must check the **Subscription Azure AD tenant** check box.
+ - If you want to keep the current billing ownership, follow the steps in [Associate or add an Azure subscription to your Microsoft Entra tenant](../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md).
+ - If you want to also transfer the billing ownership, follow the steps in [Transfer billing ownership of an Azure subscription to another account](../cost-management-billing/manage/billing-subscription-transfer.md). To transfer the subscription to a different directory, you must check the **Subscription Microsoft Entra tenant** check box.
1. Once you finish transferring the subscription, return back to this article to re-create the resources in the target directory.
If your intent is to remove access from users in the source directory so that th
- [Transfer billing ownership of an Azure subscription to another account](../cost-management-billing/manage/billing-subscription-transfer.md) - [Transfer Azure subscriptions between subscribers and CSPs](../cost-management-billing/manage/transfer-subscriptions-subscribers-csp.md)-- [Associate or add an Azure subscription to your Azure Active Directory tenant](../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md)
+- [Associate or add an Azure subscription to your Microsoft Entra tenant](../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md)
- [Azure Lighthouse in enterprise scenarios](../lighthouse/concepts/enterprise.md)
role-based-access-control Troubleshoot Limits https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/troubleshoot-limits.md
To reduce the number of role assignments in the subscription, add principals (us
1. Run the following query to get the role assignments with the same role and at the same scope, but for different principals.
- This query checks active role assignments and doesn't consider eligible role assignments in [Azure AD Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
+ This query checks active role assignments and doesn't consider eligible role assignments in [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
[!INCLUDE [resource-graph-query-authorization-same-role-scope](../governance/includes/resource-graph/query/authorization-same-role-scope.md)]
To reduce the number of role assignments in the subscription, add principals (us
1. Use **AllPrincipals** to get the list of the principal IDs with the same role assignment.
-1. Create an Azure AD group. For more information, see [Manage Azure Active Directory groups and group membership](../active-directory/fundamentals/how-to-manage-groups.md).
+1. Create a Microsoft Entra group. For more information, see [Manage Microsoft Entra groups and group membership](../active-directory/fundamentals/how-to-manage-groups.md).
1. Add the principals from **AllPrincipals** to the group.
- For information about how to add principals in bulk, see [Bulk add group members in Azure Active Directory](../active-directory/enterprise-users/groups-bulk-import-members.md).
+ For information about how to add principals in bulk, see [Bulk add group members in Microsoft Entra ID](../active-directory/enterprise-users/groups-bulk-import-members.md).
1. Assign the role to the group you created at the same scope. For more information, see [Assign Azure roles using the Azure portal](role-assignments-portal.md).
To reduce the number of role assignments in the subscription, remove redundant r
1. Run the following query to get the role assignments with the same role and same principal, but at different scopes.
- This query checks active role assignments and doesn't consider eligible role assignments in [Azure AD Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
+ This query checks active role assignments and doesn't consider eligible role assignments in [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
[!INCLUDE [resource-graph-query-authorization-same-role-principal](../governance/includes/resource-graph/query/authorization-same-role-principal.md)]
To reduce the number of role assignments in the subscription, replace multiple b
1. Run the following query to get role assignments with the same principal and same scope, but with different built-in roles.
- This query checks active role assignments and doesn't consider eligible role assignments in [Azure AD Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
+ This query checks active role assignments and doesn't consider eligible role assignments in [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
[!INCLUDE [resource-graph-query-authorization-same-principal-scope](../governance/includes/resource-graph/query/authorization-same-principal-scope.md)]
To reduce the number of role assignments in the subscription, replace multiple b
### Solution 4 - Make role assignments eligible
-To reduce the number of role assignments in the subscription and you have Azure AD Premium P2, make role assignments eligible in [Azure AD Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md) instead of permanently assigned.
+To reduce the number of role assignments in the subscription and you have Microsoft Entra ID P2, make role assignments eligible in [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md) instead of permanently assigned.
### Solution 5 - Add an additional subscription
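Review bot: the sentence at `+To reduce the number of role assignments in the subscription and you have Microsoft Entra ID P2, make role assignments eligible ...` is ungrammatical (an infinitive purpose clause is joined to "and you have"). Suggest rewording to "If you have Microsoft Entra ID P2, you can reduce the number of role assignments in the subscription by making role assignments eligible in [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md) instead of permanently assigned."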
Follow these steps to find and delete unused Azure custom roles.
1. Run the following query to get all custom roles that don't have any role assignments:
- This query checks active role assignments and doesn't consider eligible role assignments in [Azure AD Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
+ This query checks active role assignments and doesn't consider eligible role assignments in [Microsoft Entra Privileged Identity Management](../active-directory/privileged-identity-management/pim-resource-roles-assign-roles.md).
[!INCLUDE [resource-graph-query-authorization-unused-custom-roles](../governance/includes/resource-graph/query/authorization-unused-custom-roles.md)]
role-based-access-control Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/troubleshooting.md
az role assignment create --assignee "userupn" --role "Contributor" --scope "/s
**Cause**
-It's likely Azure CLI is attempting to look up the assignee identity in Azure AD and the service principal can't read Azure AD by default.
+It's likely Azure CLI is attempting to look up the assignee identity in Microsoft Entra ID and the service principal can't read Microsoft Entra ID by default.
**Solution** There are two ways to potentially resolve this error. The first way is to assign the [Directory Readers](../active-directory/roles/permissions-reference.md#directory-readers) role to the service principal so that it can read data in the directory.
-The second way to resolve this error is to create the role assignment by using the `--assignee-object-id` parameter instead of `--assignee`. By using `--assignee-object-id`, Azure CLI will skip the Azure AD lookup. You'll need to get the object ID of the user, group, or application that you want to assign the role to. For more information, see [Assign Azure roles using Azure CLI](role-assignments-cli.md#assign-a-role-for-a-new-service-principal-at-a-resource-group-scope).
+The second way to resolve this error is to create the role assignment by using the `--assignee-object-id` parameter instead of `--assignee`. By using `--assignee-object-id`, Azure CLI will skip the Microsoft Entra lookup. You'll need to get the object ID of the user, group, or application that you want to assign the role to. For more information, see [Assign Azure roles using Azure CLI](role-assignments-cli.md#assign-a-role-for-a-new-service-principal-at-a-resource-group-scope).
```azurecli az role assignment create --assignee-object-id 11111111-1111-1111-1111-111111111111 --role "Contributor" --scope "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
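Review bot: of the two fixes offered, the `--assignee-object-id` one in the second paragraph is the least-privilege option, because it avoids granting the service principal the Directory Readers role, which lets that principal read the entire directory just to create a single role assignment. Consider presenting the `--assignee-object-id` approach first, or adding a sentence that Directory Readers should only be chosen when the principal needs directory read access for other reasons.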
Assign an [Azure built-in role](built-in-roles.md) with write permissions for th
**Cause**
-When you transfer an Azure subscription to a different Azure AD directory, all role assignments are **permanently** deleted from the source Azure AD directory and aren't migrated to the target Azure AD directory.
+When you transfer an Azure subscription to a different Microsoft Entra directory, all role assignments are **permanently** deleted from the source Microsoft Entra directory and aren't migrated to the target Microsoft Entra directory.
**Solution**
-You must re-create your role assignments in the target directory. You also have to manually recreate managed identities for Azure resources. For more information, see [Transfer an Azure subscription to a different Azure AD directory](transfer-subscription.md) and [FAQs and known issues with managed identities](../active-directory/managed-identities-azure-resources/known-issues.md).
+You must re-create your role assignments in the target directory. You also have to manually recreate managed identities for Azure resources. For more information, see [Transfer an Azure subscription to a different Microsoft Entra directory](transfer-subscription.md) and [FAQs and known issues with managed identities](../active-directory/managed-identities-azure-resources/known-issues.md).
### Symptom - Unable to access subscription after transferring a subscription **Solution**
-If you're an Azure AD Global Administrator and you don't have access to a subscription after it was transferred between directories, use the **Access management for Azure resources** toggle to temporarily [elevate your access](elevate-access-global-admin.md) to get access to the subscription.
+If you're a Microsoft Entra Global Administrator and you don't have access to a subscription after it was transferred between directories, use the **Access management for Azure resources** toggle to temporarily [elevate your access](elevate-access-global-admin.md) to get access to the subscription.
## Classic subscription administrators
role-based-access-control Tutorial Role Assignments Group Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/tutorial-role-assignments-group-powershell.md
If you don't have an Azure subscription, create a [free account](https://azure.m
To complete this tutorial, you will need: -- Permissions to create groups in Azure Active Directory (or have an existing group)
+- Permissions to create groups in Microsoft Entra ID (or have an existing group)
- [Azure Cloud Shell](../cloud-shell/quickstart-powershell.md) ## Role assignments
role-based-access-control Tutorial Role Assignments User Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/role-based-access-control/tutorial-role-assignments-user-powershell.md
If you don't have an Azure subscription, create a [free account](https://azure.m
To complete this tutorial, you will need: -- Permissions to create users in Azure Active Directory (or have an existing user)
+- Permissions to create users in Microsoft Entra ID (or have an existing user)
- [Azure Cloud Shell](../cloud-shell/quickstart-powershell.md) ## Role assignments
sap High Availability Zones https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sap/workloads/high-availability-zones.md
Azure regions where such an active/active deployment could be possible without s
- East US (two of the three zones) - East US2 (all three zones) - Germany West Central (all three zones)
+- Israel Central (all three zones)
+- Italy North (two of the three zones)
- Korea Central (all three zones)
+- Poland Central (all three zones)
- Qatar Central (all three zones) - North Europe (all three zones)
+- Norway East (two of the three zones)
+- South Africa North (two of the three)
- South Central US (all three zones) - Southeast Asia (all three zones) - Sweden Central (all three zones)
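Review bot: `+- South Africa North (two of the three)` drops the word "zones" that every other item in this list carries; suggest `- South Africa North (two of the three zones)` to match the adjacent `+- Norway East (two of the three zones)`.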
Azure regions where the active/active SAP deployment architecture across zones m
- Canada Central - France Central - Japan East-- Norway East-- South Africa North Though for your individual workload, it might work. Therefore, you should test before you decide for an architecture. Azure is constantly working to improve quality and latency of its networks. Measurements conducted years back might not reflect current conditions anymore.
search Cognitive Search Aml Skill https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-aml-skill.md
Last updated 12/01/2022
The **AML** skill allows you to extend AI enrichment with a custom [Azure Machine Learning](../machine-learning/overview-what-is-azure-machine-learning.md) (AML) model. Once an AML model is [trained and deployed](../machine-learning/concept-azure-machine-learning-architecture.md#workspace), an **AML** skill integrates it into AI enrichment.
-Like built-in skills, an **AML** skill has inputs and outputs. The inputs are sent to your deployed AML service as a JSON object, which outputs a JSON payload as a response along with a success status code. The response is expected to have the outputs specified by your **AML** skill. Any other response is considered an error and no enrichments are performed.
+Like built-in skills, an **AML** skill has inputs and outputs. The inputs are sent to your deployed AML online endpoint as a JSON object, which outputs a JSON payload as a response along with a success status code. The response is expected to have the outputs specified by your **AML** skill. Any other response is considered an error and no enrichments are performed.
> [!NOTE]
-> The indexer will retry twice for certain standard HTTP status codes returned from the AML service. These HTTP status codes are:
+> The indexer will retry twice for certain standard HTTP status codes returned from the AML online endpoint. These HTTP status codes are:
> * `503 Service Unavailable` > * `429 Too Many Requests` ## Prerequisites * An [AML workspace](../machine-learning/concept-workspace.md)
-* An [Azure Kubernetes Service AML compute target](../machine-learning/concept-compute-target.md) in this workspace with a [deployed model](../machine-learning/v1/how-to-deploy-azure-kubernetes-service.md)
- * The [compute target should have SSL enabled](../machine-learning/how-to-secure-web-service.md#deploy-on-azure-kubernetes-service). Azure Cognitive Search only allows access to **https** endpoints
- * Self-signed certificates may not be used.
+* An [Online endpoints (real-time)](../machine-learning/concept-endpoints-online.md) in this workspace.
## @odata.type Microsoft.Skills.Custom.AmlSkill ## Skill parameters
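Review bot: the new prerequisite `+* An [Online endpoints (real-time)](../machine-learning/concept-endpoints-online.md) in this workspace.` has a number mismatch ("An ... endpoints"); suggest "An [online endpoint (real-time)](...) in this workspace." More importantly, the three removed bullets carried the transport requirements (the target must have SSL enabled, Azure Cognitive Search only allows access to **https** endpoints, self-signed certificates may not be used) and the replacement restates none of them, while the `uri` parameter row further down still says only the **https** URI scheme is allowed. If those constraints still hold for online endpoints, keep a sub-bullet stating them so readers don't deploy an endpoint the indexer can't connect to.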
-Parameters are case-sensitive. Which parameters you choose to use depends on what [authentication your AML service requires, if any](#WhatSkillParametersToUse)
+Parameters are case-sensitive. Which parameters you choose to use depends on what [authentication your AML online endpoint requires, if any](#WhatSkillParametersToUse)
| Parameter name | Description | |--|-|
-| `uri` | (Required for [no authentication or key authentication](#WhatSkillParametersToUse)) The [scoring URI of the AML service](../machine-learning/v1/how-to-consume-web-service.md) to which the _JSON_ payload will be sent. Only the **https** URI scheme is allowed. |
-| `key` | (Required for [key authentication](#WhatSkillParametersToUse)) The [key for the AML service](../machine-learning/v1/how-to-consume-web-service.md#authentication-with-keys). |
-| `resourceId` | (Required for [token authentication](#WhatSkillParametersToUse)). The Azure Resource Manager resource ID of the AML service. It should be in the format subscriptions/{guid}/resourceGroups/{resource-group-name}/Microsoft.MachineLearningServices/workspaces/{workspace-name}/services/{service_name}. |
-| `region` | (Optional for [token authentication](#WhatSkillParametersToUse)). The [region](https://azure.microsoft.com/global-infrastructure/regions/) the AML service is deployed in. |
+| `uri` | (Required for [key authentication](#WhatSkillParametersToUse)) The [scoring URI of the AML online endpoint](../machine-learning/how-to-authenticate-online-endpoint.md) to which the _JSON_ payload is sent. Only the **https** URI scheme is allowed. |
+| `key` | (Required for [key authentication](#WhatSkillParametersToUse)) The [key for the AML online endpoint](../machine-learning/how-to-authenticate-online-endpoint.md). |
+| `resourceId` | (Required for [token authentication](#WhatSkillParametersToUse)). The Azure Resource Manager resource ID of the AML online endpoint. It should be in the format subscriptions/{guid}/resourceGroups/{resource-group-name}/Microsoft.MachineLearningServices/workspaces/{workspace-name}/onlineendpoints/{endpoint_name}. |
+| `region` | (Optional for [token authentication](#WhatSkillParametersToUse)). The [region](https://azure.microsoft.com/global-infrastructure/regions/) the AML online endpoint is deployed in. |
| `timeout` | (Optional) When specified, indicates the timeout for the http client making the API call. It must be formatted as an XSD "dayTimeDuration" value (a restricted subset of an [ISO 8601 duration](https://www.w3.org/TR/xmlschema11-2/#dayTimeDuration) value). For example, `PT60S` for 60 seconds. If not set, a default value of 30 seconds is chosen. The timeout can be set to a maximum of 230 seconds and a minimum of 1 second. |
-| `degreeOfParallelism` | (Optional) When specified, indicates the number of calls the indexer will make in parallel to the endpoint you have provided. You can decrease this value if your endpoint is failing under too high of a request load, or raise it if your endpoint is able to accept more requests and you would like an increase in the performance of the indexer. If not set, a default value of 5 is used. The degreeOfParallelism can be set to a maximum of 10 and a minimum of 1.
+| `degreeOfParallelism` | (Optional) When specified, indicates the number of calls the indexer makes in parallel to the endpoint you have provided. You can decrease this value if your endpoint is failing under too high of a request load. You can raise it if your endpoint is able to accept more requests and you would like an increase in the performance of the indexer. If not set, a default value of 5 is used. The degreeOfParallelism can be set to a maximum of 10 and a minimum of 1.
<a name="WhatSkillParametersToUse"></a> ## What skill parameters to use
-Which AML skill parameters are required depends on what authentication your AML service uses, if any. AML services provide three authentication options:
+Which AML skill parameters are required depends on what authentication your AML online endpoint uses, if any. AML online endpoints provide two authentication options:
-* [Key-Based Authentication](../machine-learning/v1/how-to-authenticate-web-service.md#key-based-authentication). A static key is provided to authenticate scoring requests from AML skills
+* [Key-Based Authentication](../machine-learning/how-to-authenticate-online-endpoint.md). A static key is provided to authenticate scoring requests from AML skills
* Use the _uri_ and _key_ parameters
-* [Token-Based Authentication](../machine-learning/v1/how-to-authenticate-web-service.md#token-based-authentication). The AML service is [deployed using token based authentication](../machine-learning/v1/how-to-authenticate-web-service.md#token-based-authentication). The Azure Cognitive Search service's [managed identity](../active-directory/managed-identities-azure-resources/overview.md) is granted the [Reader Role](../machine-learning/how-to-assign-roles.md) in the AML service's workspace. The AML skill then uses the Azure Cognitive Search service's managed identity to authenticate against the AML service, with no static keys required.
+* [Token-Based Authentication](../machine-learning/how-to-authenticate-online-endpoint.md). The AML online endpoint is [deployed using token based authentication](../machine-learning/how-to-authenticate-online-endpoint.md). The Azure Cognitive Search service's [managed identity](../active-directory/managed-identities-azure-resources/overview.md) must be enabled. The AML skill then uses the Azure Cognitive Search service's managed identity to authenticate against the AML online endpoint, with no static keys required. The identity must be assigned owner or contributor role.
* Use the _resourceId_ parameter.
- * If the Azure Cognitive Search service is in a different region from the AML workspace, use the _region_ parameter to set the region the AML service was deployed in
-* No Authentication. No authentication is required to use the AML service
- * Use the _uri_ parameter
+ * If the Azure Cognitive Search service is in a different region from the AML workspace, use the _region_ parameter to set the region the AML online endpoint was deployed in
## Skill inputs
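Review bot: the token-based bullet now ends with "The identity must be assigned owner or contributor role" without saying at which scope (the workspace, the online endpoint, or something else), and it replaces the previous wording that granted only the Reader role in the AML workspace. For a managed identity whose only job is to send scoring requests, Owner or Contributor is a large step up in privilege; please state the scope explicitly and confirm that this is the minimum role the endpoint actually requires for token authentication, or name the narrower role if one suffices. Also, "deployed using token based authentication" should read "token-based" to match the bullet's title.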
-There are no "predefined" inputs for this skill. You can choose one or more fields that would be already available at the time of this skill's execution as inputs and the _JSON_ payload sent to the AML service will have different fields.
+There are no "predefined" inputs for this skill. You can choose one or more fields that would be already available at the time of this skill's execution as inputs and the _JSON_ payload sent to the AML online endpoint will have different fields.
## Skill outputs
-There are no "predefined" outputs for this skill. Depending on the response your AML service will return, add output fields so that they can be picked up from the _JSON_ response.
+There are no "predefined" outputs for this skill. Depending on the response your AML online endpoint returns, add output fields so that they can be picked up from the _JSON_ response.
## Sample definition
There are no "predefined" outputs for this skill. Depending on the response your
## Sample input JSON structure
-This _JSON_ structure represents the payload that will be sent to your AML service. The top-level fields of the structure will correspond to the "names" specified in the `inputs` section of the skill definition. The value of those fields will be from the `source` of those fields (which could be from a field in the document, or potentially from another skill)
+This _JSON_ structure represents the payload that is sent to your AML online endpoint. The top-level fields of the structure correspond to the "names" specified in the `inputs` section of the skill definition. The values of those fields are from the `source` of those fields (which could be from a field in the document, or potentially from another skill)
```json {
This _JSON_ structure represents the payload that will be sent to your AML servi
## Sample output JSON structure
-The output corresponds to the response returned from your AML service. The AML service should only return a _JSON_ payload (verified by looking at the `Content-Type` response header) and should be an object where the fields are enrichments matching the "names" in the `output` and whose value is considered the enrichment.
+The output corresponds to the response returned from your AML online endpoint. The AML online endpoint should only return a _JSON_ payload (verified by looking at the `Content-Type` response header) and should be an object where the fields are enrichments matching the "names" in the `output` and whose value is considered the enrichment.
```json {
The output corresponds to the response returned from your AML service. The AML s
``` ## Error cases
-In addition to your AML being unavailable or sending out non-successful status codes, the following are considered erroneous cases:
+In addition to your AML being unavailable or sending out nonsuccessful status codes, the following are considered erroneous cases:
-* If the AML service returns a success status code but the response indicates that it is not `application/json`, then the response is considered invalid and no enrichments will be performed.
-* If the AML service returns invalid json
+* If the AML online endpoint returns a success status code but the response indicates that it isn't `application/json`, then the response is considered invalid and no enrichments are performed.
+* If the AML online endpoint returns invalid json
-For cases when the AML service is unavailable or returns an HTTP error, a friendly error with any available details about the HTTP error will be added to the indexer execution history.
+For cases when the AML online endpoint is unavailable or returns an HTTP error, a friendly error with any available details about the HTTP error will be added to the indexer execution history.
## See also + [How to define a skillset](cognitive-search-defining-skillset.md)
-+ [AML Service troubleshooting](../machine-learning/v1/how-to-troubleshoot-deployment.md)
++ [AML online endpoint troubleshooting](../machine-learning/how-to-troubleshoot-online-endpoints.md)
search Cognitive Search Concept Image Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-concept-image-scenarios.md
Images are either standalone binary files or embedded in documents (PDF, RTF, an
Azure Blob Storage is the most frequently used storage for image processing in Cognitive Search. There are three main tasks related to retrieving images from a blob container:
-+ Enable access to content in the container. If you're using a full access connection string that includes a key, the key gives you permission to the content. Alternatively, you can [authenticate using Azure Active Directory (Azure AD)](search-howto-managed-identities-data-sources.md) or [connect as a trusted service](search-indexer-howto-access-trusted-service-exception.md).
++ Enable access to content in the container. If you're using a full access connection string that includes a key, the key gives you permission to the content. Alternatively, you can [authenticate using Microsoft Entra ID](search-howto-managed-identities-data-sources.md) or [connect as a trusted service](search-indexer-howto-access-trusted-service-exception.md). + [Create a data source](search-howto-indexing-azure-blob-storage.md) of type "azureblob" that connects to the blob container storing your files.
search Cognitive Search Custom Skill Interface https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-custom-skill-interface.md
The URI is the HTTPS endpoint of your function or app. When setting the URI, mak
If instead your function or app uses Azure managed identities and Azure roles for authentication and authorization, the custom skill can include an authentication token on the request. The following points describe the requirements for this approach:
-+ The search service, which sends the request on the indexer's behalf, must be [configured to use a managed identity](search-howto-managed-identities-data-sources.md) (either system or user-assigned) so that the caller can be authenticated by Azure Active Directory.
++ The search service, which sends the request on the indexer's behalf, must be [configured to use a managed identity](search-howto-managed-identities-data-sources.md) (either system or user-assigned) so that the caller can be authenticated by Microsoft Entra ID.
-+ Your function or app must be [configured for Azure Active Directory](../app-service/configure-authentication-provider-aad.md).
++ Your function or app must be [configured for Microsoft Entra ID](../app-service/configure-authentication-provider-aad.md). + Your [custom skill definition](cognitive-search-custom-skill-web-api.md) must include an "authResourceId" property. This property takes an application (client) ID, in a [supported format](../active-directory/develop/security-best-practices-for-app-registration.md#application-id-uri): `api://<appId>`.
search Cognitive Search Custom Skill Web Api https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-custom-skill-web-api.md
Parameters are case-sensitive.
| Parameter name | Description | |--|-| | `uri` | The URI of the Web API to which the JSON payload will be sent. Only the **https** URI scheme is allowed. |
-| `authResourceId` | (Optional) A string that if set, indicates that this skill should use a managed identity on the connection to the function or app hosting the code. The value of this property is the application (client) ID of the function or app's registration in Azure Active Directory. This value will be used to scope the authentication token retrieved by the indexer, and will be sent along with the custom Web skill API request to the function or app. Setting this property requires that your search service is [configured for managed identity](search-howto-managed-identities-data-sources.md) and your Azure function app is [configured for an Azure AD login](../app-service/configure-authentication-provider-aad.md). |
+| `authResourceId` | (Optional) A string that if set, indicates that this skill should use a managed identity on the connection to the function or app hosting the code. The value of this property is the application (client) ID of the function or app's registration in Microsoft Entra ID. This value will be used to scope the authentication token retrieved by the indexer, and will be sent along with the custom Web skill API request to the function or app. Setting this property requires that your search service is [configured for managed identity](search-howto-managed-identities-data-sources.md) and your Azure function app is [configured for a Microsoft Entra login](../app-service/configure-authentication-provider-aad.md). |
| `httpMethod` | The method to use while sending the payload. Allowed methods are `PUT` or `POST` | | `httpHeaders` | A collection of key-value pairs where the keys represent header names and values represent header values that will be sent to your Web API along with the payload. The following headers are prohibited from being in this collection: `Accept`, `Accept-Charset`, `Accept-Encoding`, `Content-Length`, `Content-Type`, `Cookie`, `Host`, `TE`, `Upgrade`, `Via`. | | `timeout` | (Optional) When specified, indicates the timeout for the http client making the API call. It must be formatted as an XSD "dayTimeDuration" value (a restricted subset of an [ISO 8601 duration](https://www.w3.org/TR/xmlschema11-2/#dayTimeDuration) value). For example, `PT60S` for 60 seconds. If not set, a default value of 30 seconds is chosen. The timeout can be set to a maximum of 230 seconds and a minimum of 1 second. |
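Review bot: The `authResourceId` row still says the value "is the application (client) ID" while the companion bullet earlier on this page gives the expected form as `api://<appId>`; align the two by stating the URI form here as well. Because this value scopes the token the indexer retrieves and sends with the request, it is worth adding one sentence that the function app's Entra login must be configured to accept that same audience, otherwise the managed identity call is rejected even though the identity itself is valid.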
search Cognitive Search Defining Skillset https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-defining-skillset.md
The end result of an enrichment pipeline is textual content in either a search i
All skills have a type, context, inputs, and outputs. A skill might optionally have a name and description. The following example shows two unrelated [built-in skills](cognitive-search-predefined-skills.md) so that you can compare the basic structure. ```json
-"skills":[
- {
- "@odata.type": "#Microsoft.Skills.Text.V3.EntityRecognitionSkill",
- "name": "#1",
- "description": "This skill detects organizations in the source content",
- "context": "/document",
- "categories": [ "Organization" ],
- "inputs": [
- {
- "name": "text",
- "source": "/document/content"
- }
- ],
- "outputs": [
- {
- "name": "organizations",
- "targetName": "orgs"
- }
- ]
- },
- {
- "name": "#2",
- "description": "This skill detects corporate logos in the source files",
- "@odata.type": "#Microsoft.Skills.Vision.ImageAnalysisSkill",
- "context": "/document/normalized_images/*",
- "visualFeatures": [
- "brands"
- ],
- "inputs": [
- {
- "name": "image",
- "source": "/document/normalized_images/*"
- }
- ],
- "outputs": [
- {
- "name": "brands"
- }
- ]
- }
+"skills": [
+ {
+ "@odata.type": "#Microsoft.Skills.Text.V3.EntityRecognitionSkill",
+ "name": "#1",
+ "description": "This skill detects organizations in the source content",
+ "context": "/document",
+ "categories": [
+ "Organization"
+ ],
+ "inputs": [
+ {
+ "name": "text",
+ "source": "/document/content"
+ }
+ ],
+ "outputs": [
+ {
+ "name": "organizations",
+ "targetName": "orgs"
+ }
+ ]
+ },
+ {
+ "name": "#2",
+ "description": "This skill detects corporate logos in the source files",
+ "@odata.type": "#Microsoft.Skills.Vision.ImageAnalysisSkill",
+ "context": "/document/normalized_images/*",
+ "visualFeatures": [
+ "brands"
+ ],
+ "inputs": [
+ {
+ "name": "image",
+ "source": "/document/normalized_images/*"
+ }
+ ],
+ "outputs": [
+ {
+ "name": "brands"
+ }
+ ]
+ }
] ```
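Review bot: This is a whitespace-only reindent; the only content-level differences are the space in `"skills": [` and `"categories"` being expanded onto separate lines, so there is no behavior change to verify. While reformatting, consider aligning key order between the two skills: skill #1 lists `"@odata.type"` first while skill #2 lists `"name"` and `"description"` before `"@odata.type"`, which undercuts the stated goal of letting readers "compare the basic structure". It would also help to say the snippet is the `"skills"` array alone, not a complete skillset document.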
search Cognitive Search Output Field Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-output-field-mapping.md
The result is the following sample search document, similar to the original in A
An alternative rendering in a search index is to flatten individual nodes in the source's nested structure into a string collection in a search index.
-To accomplish this task, you'll need an `outputFieldMapping` that maps an in-memory node to a string collection in the index. Although output field mappings primarily apply to skill outputs, you can also use them to address nodes after ["document cracking"](search-indexer-overview.md#stage-1-document-cracking) where the indexer opens a source document and reads it into memory.
+To accomplish this task, you'll need an `outputFieldMappings` that maps an in-memory node to a string collection in the index. Although output field mappings primarily apply to skill outputs, you can also use them to address nodes after ["document cracking"](search-indexer-overview.md#stage-1-document-cracking) where the indexer opens a source document and reads it into memory.
Below is a sample index definition in Cognitive Search, using string collections to receive flattened output:
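Review bot: The renamed property is correct (`outputFieldMappings` is the array in the indexer definition), but "you'll need an `outputFieldMappings` that maps" now pairs a singular article with the plural array name. Suggest "you'll need an entry in `outputFieldMappings` that maps an in-memory node to a string collection in the index."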
search Cognitive Search Skill Textsplit https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/cognitive-search-skill-textsplit.md
Parameters are case-sensitive.
| Parameter name | Description | |--|-| | `textSplitMode` | Either `pages` or `sentences` |
-| `maximumPageLength` | Only applies if `textSplitMode` is set to `pages`. This refers to the maximum page length in characters as measured by `String.Length`. The minimum value is 300, the maximum is 100000, and the default value is 5000. The algorithm will do its best to break the text on sentence boundaries, so the size of each chunk may be slightly less than `maximumPageLength`. |
-| `defaultLanguageCode` | (optional) One of the following language codes: `am, bs, cs, da, de, en, es, et, fr, he, hi, hr, hu, fi, id, is, it, ja, ko, lv, no, nl, pl, pt-PT, pt-BR, ru, sk, sl, sr, sv, tr, ur, zh-Hans`. Default is English (en). Few things to consider:<ul><li>Providing a language code is useful to avoid cutting a word in half for non-whitespace languages such as Chinese, Japanese, and Korean.</li><li>If you do not know the language (i.e. you need to split the text for input into the [LanguageDetectionSkill](cognitive-search-skill-language-detection.md)), the default of English (en) should be sufficient. </li></ul> |
+| `maximumPageLength` | Only applies if `textSplitMode` is set to `pages`. This parameter refers to the maximum page length in characters as measured by `String.Length`. The minimum value is 300, the maximum is 50000, and the default value is 5000. The algorithm does its best to break the text on sentence boundaries, so the size of each chunk may be slightly less than `maximumPageLength`. |
+| `pageOverlapLength` | Only applies if `textSplitMode` is set to `pages`. If it's specificied (needs to be >= 0), (n+1)th page starts with this number of characters from the end of the nth page. If it's set to 0, it should behave the same as if this value isn't set. |
+| `maximumPagesToTake` | Only applies if `textSplitMode` is set to `pages`. Number of pages to return. Default (0) to all pages. It can be used if only a partial number of pages is needed.
+| `defaultLanguageCode` | (optional) One of the following language codes: `am, bs, cs, da, de, en, es, et, fr, he, hi, hr, hu, fi, id, is, it, ja, ko, lv, no, nl, pl, pt-PT, pt-BR, ru, sk, sl, sr, sv, tr, ur, zh-Hans`. Default is English (en). Few things to consider:<ul><li>Providing a language code is useful to avoid cutting a word in half for nonwhitespace languages such as Chinese, Japanese, and Korean.</li><li>If you don't know the language (that is, you need to split the text for input into the [LanguageDetectionSkill](cognitive-search-skill-language-detection.md)), the default of English (en) should be sufficient. </li></ul> |
## Skill Inputs
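Review bot: The new `maximumPagesToTake` row is missing its closing `|`, so the table will not render that row correctly; every other row ends with the pipe. In the `pageOverlapLength` row, "specificied" should be "specified", and ">= 0" is worth stating as "must be 0 or greater" since the constraint is user-facing. The `maximumPageLength` maximum also changes from 100000 to 50000 in this hunk; confirm that is a deliberate service limit change rather than a typo, because existing skillsets above 50000 would become invalid.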
Parameters are case-sensitive.
| Parameter name | Description | |-|| | `text` | The text to split into substring. |
-| `languageCode` | (Optional) Language code for the document. If you do not know the language (i.e. you need to split the text for input into the [LanguageDetectionSkill](cognitive-search-skill-language-detection.md)), it is safe to remove this input. If the language is not in the supported list for the `defaultLanguageCode` parameter above, a warning will be emitted and the text will not be split. |
+| `languageCode` | (Optional) Language code for the document. If you don't know the language (that is, you need to split the text for input into the [LanguageDetectionSkill](cognitive-search-skill-language-detection.md)), it's safe to remove this input. If the language isn't in the supported list for the `defaultLanguageCode` parameter above, a warning is emitted and the text won't be split. |
## Skill Outputs
Parameters are case-sensitive.
"@odata.type": "#Microsoft.Skills.Text.SplitSkill", "textSplitMode" : "pages", "maximumPageLength": 1000,
+ "pageOverlapLength": 100,
+ "maximumPagesToTake": 1,
"defaultLanguageCode": "en", "inputs": [ {
Parameters are case-sensitive.
"recordId": "1", "data": { "textItems": [
- "This is the loan…",
- "On the second page we…"
+ "This is the loan...Here is the overlap part...",
+ "Here is the overlap part...On the second page we..."
] } },
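Review bot: The sample output for record "1" still returns two `textItems` even though the sample definition above now sets `"maximumPagesToTake": 1`, which the parameter table says limits the number of pages returned; either drop that setting from the sample definition or reduce the output to one page so the example is internally consistent. It would also help to say that "Here is the overlap part..." is an abbreviation, since the configured `pageOverlapLength` of 100 characters is much longer than the text shown.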
Parameters are case-sensitive.
"recordId": "2", "data": { "textItems": [
- "This is the second document...",
- "On the second page of the second doc…"
+ "This is the second document...Here is the overlap part...",
+ "Here is the overlap part...On the second page of the second doc..."
] } }
Parameters are case-sensitive.
``` ## Error cases
-If a language is not supported, a warning is generated.
++ If a language isn't supported, a warning is generated. ## See also
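Review bot: This turns the single error-case sentence into a one-item bullet list. Unless further error cases are planned for this section, a plain sentence reads better than a list of one; if the bullet is kept, make sure a blank line separates it from the `## See also` heading that follows, since the heading appears run together with the bullet here.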
search Hybrid Search How To Query https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/hybrid-search-how-to-query.md
+
+ Title: Hybrid query how-to
+
+description: Learn how to build queries for hybrid search.
+++++ Last updated : 10/10/2023++
+# Create a hybrid query in Azure Cognitive Search
+
+> [!IMPORTANT]
+> Vector search is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). It's available through the Azure portal, preview REST API, and [beta client libraries](https://github.com/Azure/cognitive-search-vector-pr#readme).
+
+Hybrid search consists of keyword queries and vector queries in a single search request.
+
+The response includes the top results ordered by search score. Both vector queries and free text queries are assigned an initial search score from their respecitive scoring or similarity algorithms. Those scores are merged using [Reciprocal Rank Fusion (RRF)](hybrid-search-ranking.md) to return a single ranked result set.
+
+## Prerequisites
+++ Azure Cognitive Search, in any region and on any tier. Most existing services support vector search. For services created prior to January 2019, there is a small subset which won't support vector search. If an index containing vector fields fails to be created or updated, this is an indicator. In this situation, a new service must be created.+++ A search index containing vector and non-vector fields. See [Create an index](search-how-to-create-search-index.md) and [Add vector fields to a search index](vector-search-how-to-create-index.md).+++ Use REST API version **2023-07-01-Preview**, the [beta client libraries](https://github.com/Azure/cognitive-search-vector-pr/tree/main), or Search Explorer in the Azure portal.+++ (Optional) If you want to also use [semantic search (preview)](semantic-search-overview.md) and vector search together, your search service must be Basic tier or higher, with [semantic search enabled](semantic-how-to-enable-disable.md).+
+## Limitations
+
+Cognitive Search doesn't provide built-in vectorization of the query input string. Encoding (text-to-vector) of the query string requires that you pass the query string to an embedding model for vectorization. You would then pass the response to the search engine for similarity search over vector fields.
+
+All results are returned in plain text, including vectors. If you use Search Explorer in the Azure portal to query an index that contains vectors, the numeric vectors are returned in plain text. Because numeric vectors aren't useful in search results, choose other fields in the index as a proxy for the vector match. For example, if an index has "descriptionVector" and "descriptionText" fields, the query can match on "descriptionVector" but the search result shows "descriptionText". Use the `select` parameter to specify only human-readable fields in the results.
+
+## Hybrid query request
+
+A hybrid query combines full text search and vector search, where the `"search"` parameter takes a query string and `"vectors.value"` takes the vector query. The search engine runs full text and vector queries in parallel. All matches are evaluated for relevance using Reciprocal Rank Fusion (RRF) and a single result set is returned in the response.
+
+Hybrid queries are useful because they add support for all query capabilities, including orderby and [semantic search](semantic-how-to-query-request.md). For example, in addition to the vector query, you could search over people or product names or titles, scenarios for which similarity search isn't a good fit.
+
+The following example is from the [Postman collection of REST APIs](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-python) that demonstrate hybrid query configurations.
+
+```http
+POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version=2023-07-01-Preview
+Content-Type: application/json
+api-key: {{admin-api-key}}
+{
+ "vectors": [{
+ "value": [
+ -0.009154141,
+ 0.018708462,
+ . . .
+ -0.02178128,
+ -0.00086512347
+ ],
+ "fields": "contentVector",
+ "k": 10
+ }],
+ "search": "what azure services support full text search",
+ "select": "title, content, category",
+ "top": "10"
+}
+```
+
+## Hybrid search with filter
+
+This example adds a filter, which is applied to the "filterable" nonvector fields of the search index.
+
+```http
+POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}}
+Content-Type: application/json
+api-key: {{admin-api-key}}
+{
+ "vectors": [
+ {
+ "value": [
+ -0.009154141,
+ 0.018708462,
+ . . .
+ -0.02178128,
+ -0.00086512347
+ ],
+ "fields": "contentVector",
+ "k": 10
+ }
+ ],
+ "search": "what azure services support full text search",
+ "filter": "category eq 'Databases'",
+ "top": "10"
+}
+```
+
+## Semantic hybrid search
+
+Assuming that you've [enabled semantic search](semantic-how-to-enable-disable.md) and your index definition includes a [semantic configuration](semantic-how-to-query-request.md), you can formulate a query that includes vector search, plus keyword search with semantic ranking, caption, answers, and spell check.
+
+```http
+POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}}
+Content-Type: application/json
+api-key: {{admin-api-key}}
+{
+ "vectors": [
+ {
+ "value": [
+ -0.009154141,
+ 0.018708462,
+ . . .
+ -0.02178128,
+ -0.00086512347
+ ],
+ "fields": "contentVector",
+ "k": 10
+ }
+ ],
+ "search": "what azure services support full text search",
+ "select": "title, content, category",
+ "queryType": "semantic",
+ "semanticConfiguration": "my-semantic-config",
+ "queryLanguage": "en-us",
+ "captions": "extractive",
+ "answers": "extractive",
+ "top": "10"
+}
+```
+
+## Semantic hybrid search with filter
+
+Here's the last query in the collection. It's the same semantic hybrid query as the previous example, but with a filter.
+
+```http
+POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}}
+Content-Type: application/json
+api-key: {{admin-api-key}}
+{
+ "vectors": [
+ {
+ "value": [
+ -0.009154141,
+ 0.018708462,
+ . . .
+ -0.02178128,
+ -0.00086512347
+ ],
+ "fields": "contentVector",
+ "k": 10
+ }
+ ],
+ "search": "what azure services support full text search",
+ "select": "title, content, category",
+ "queryType": "semantic",
+ "semanticConfiguration": "my-semantic-config",
+ "queryLanguage": "en-us",
+ "captions": "extractive",
+ "answers": "extractive",
+ "filter": "category eq 'Databases'",
+ "top": "10"
+}
+```
+
+**Key points:**
+++ Vector search is specified through the vector "vector.value" property. Keyword search is specified through "search" property.+++ In a hybrid search, you can integrate vector search with full text search over keywords. Filters, spell check, and semantic ranking apply to textual content only, and not vectors. In this final query, there's no semantic "answer" because the system didn't produce one that was sufficiently strong.+
+## Configure a query response
+
+When you're setting up the hybrid query, think about the response structure. The response is a flattened rowset. Parameters on the query determine which fields are in each row and how many rows are in the response. The search engine ranks the matching documents and returns the most relevant results.
+
+### Fields in a response
+
+Search results are composed of "retrievable" fields from your search index. A result is either:
+++ All "retrievable" fields (a REST API default).++ Fields explicitly listed in a "select" parameter on the query. +
+The examples in this article used a "select" statement to specify text (non-vector) fields in the response.
+
+> [!NOTE]
+> Vectors aren't designed for readability, so avoid returning them in the response. Instead, choose non-vector fields that are representative of the search document. For example, if the query targets a "descriptionVector" field, return an equivalent text field if you have one ("description") in the response.
+
+### Number of results
+
+A query might match to any number of documents, as many as all of them if the search criteria are weak (for example "search=*" for a null query). Because it's seldom practical to return unbounded results, you should specify a maximum for the response:
+++ `"k": n` results for vector-only queries++ `"top": n` results for hybrid queries that include a "search" parameter+
+Both "k" and "top" are optional. Unspecified, the default number of results in a response is 50. You can set "top" and "skip" to [page through more results](search-pagination-page-layout.md#paging-results) or change the default.
+
+### Ranking
+
+Multiple sets are created for hybrid queries, with or without the optional semantic reranking capabilities of [semantic search](semantic-search-overview.md). Ranking of results is computed by Reciprocal Rank Fusion (RRF).
+
+In this section, compare the responses between single vector search and simple hybrid search for the top result. The different ranking algorithms, HNSW's similarity metric and RRF is this case, produce scores that have different magnitudes. This behavior is by design. RRF scores can appear quite low, even with a high similarity match. Lower scores are a characteristic of the RRF algorithm. In a hybrid query with RRF, more of the reciprocal of the ranked documents are included in the results, given the relatively smaller score of the RRF ranked documents, as opposed to pure vector search.
+
+**Single Vector Search**: Results ordered by cosine similarity (default vector similarity distance function).
+
+```json
+{
+ "@search.score": 0.8851871,
+ "title": "Azure Cognitive Search",
+ "content": "Azure Cognitive Search is a fully managed search-as-a-service that enables you to build rich search experiences for your applications. It provides features like full-text search, faceted navigation, and filters. Azure Cognitive Search supports various data sources, such as Azure SQL Database, Azure Blob Storage, and Azure Cosmos DB. You can use Azure Cognitive Search to index your data, create custom scoring profiles, and integrate with other Azure services. It also integrates with other Azure services, such as Azure Cognitive Services and Azure Machine Learning.",
+ "category": "AI + Machine Learning"
+},
+```
+
+**Hybrid Search**: Combined keyword and vector search results using Reciprocal Rank Fusion.
+
+```json
+{
+ "@search.score": 0.03333333507180214,
+ "title": "Azure Cognitive Search",
+ "content": "Azure Cognitive Search is a fully managed search-as-a-service that enables you to build rich search experiences for your applications. It provides features like full-text search, faceted navigation, and filters. Azure Cognitive Search supports various data sources, such as Azure SQL Database, Azure Blob Storage, and Azure Cosmos DB. You can use Azure Cognitive Search to index your data, create custom scoring profiles, and integrate with other Azure services. It also integrates with other Azure services, such as Azure Cognitive Services and Azure Machine Learning.",
+ "category": "AI + Machine Learning"
+},
+```
+
+## Next steps
+
+As a next step, we recommend reviewing the demo code for [Python](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-python), [C#](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-dotnet) or [JavaScript](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-javascript).
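Review bot: All four request examples send `api-key: {{admin-api-key}}` for a document search. Query operations only need a query key, and publishing an admin key in a how-to normalizes handing write/delete rights to a read-only client; switch the samples to a query key placeholder. Several smaller points: "Key points" refers to the `"vector.value"` property while the request body and the "Hybrid query request" paragraph use `"vectors"` with `"value"`, so the name should be `"vectors.value"`; `"top": "10"` is a JSON string while `"k": 10` is a number, and `top` takes an integer; the first example hard-codes `api-version=2023-07-01-Preview` where the other three use `{{api-version}}`; the sentence introducing the first example says "Postman collection" but links to the demo-python folder; "respecitive" (Hybrid search intro) and "RRF is this case" (Ranking section) are typos; and "non-vector" and "nonvector" are both used. Finally, the Ranking section promises a comparison "for the top result" but the two JSON results show only scores and content, so a sentence pointing at the score magnitude difference (0.885 versus 0.033 for the same document) would make the point explicit.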
search Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/policy-reference.md
Title: Built-in policy definitions for Azure Cognitive Search description: Lists Azure Policy built-in policy definitions for Azure Cognitive Search. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
search Retrieval Augmented Generation Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/retrieval-augmented-generation-overview.md
There's no query type in Cognitive Search - not even semantic or vector search -
| [Filters](search-filters.md) and [facets](search-faceted-navigation.md) | Applies to text or numeric (non-vector) fields only. Reduces the search surface area based on inclusion or exclusion criteria. | Adds precision to your queries. | | [Semantic ranking](semantic-how-to-query-request.md) | Re-ranks a BM25 result set using semantic models. Produces short-form captions and answers that are useful as LLM inputs. | Easier than scoring profiles, and depending on your content, a more reliable technique for relevance tuning. | [Vector search](vector-search-how-to-query.md) | Query execution over vector fields for similarity search, where the query string is one or more vectors. | Vectors can represent all types of content, in any language. |
-| [Hybrid search](hybrid-search-overview.md) | Combines any or all of the above query techniques. Vector and non-vector queries execute in parallel and are returned in a unified result set. | The most significant gains in precision and recall are through hybrid queries. |
+| [Hybrid search](hybrid-search-how-to-query.md) | Combines any or all of the above query techniques. Vector and non-vector queries execute in parallel and are returned in a unified result set. | The most significant gains in precision and recall are through hybrid queries. |
### Structure the query response
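Review bot: The link target moves from hybrid-search-overview.md to hybrid-search-how-to-query.md, but the row text ("Combines any or all of the above query techniques") describes the concept rather than the procedure, and the neighboring rows link to overview or concept pages. Confirm the overview page was removed or merged; if it still exists, the conceptual page is the more consistent target for this table.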
search Samples Dotnet https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/samples-dotnet.md
The following samples are also published by the Cognitive Search team, but aren'
| [Check storage](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/main/check-storage-usage/README.md) | [azure-search-dotnet-utilities](https://github.com/Azure-Samples/azure-search-dotnet-utilities) | Invokes an Azure function that checks search service storage on a schedule. | | [Export an index](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/main/export-dat) | [azure-search-dotnet-utilities](https://github.com/Azure-Samples/azure-search-dotnet-utilities) | C# console app that partitions and export a large index. | | [Backup and restore an index](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/main/index-backup-restore/README.md) | [azure-search-dotnet-utilities](https://github.com/Azure-Samples/azure-search-dotnet-utilities) | C# console app that copies an index from one service to another, and in the process, creates JSON files on your computer with the index schema and documents.|
-| [Index Data Lake Gen2 using Azure AD](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/master/data-lake-gen2-acl-indexing/README.md) | [azure-search-dotnet-utilities](https://github.com/Azure-Samples/azure-search-dotnet-utilities) | Source code demonstrating indexer connections and indexing of Azure Data Lake Gen2 files and folders that are secured through Azure AD and role-based access controls. |
+| [Index Data Lake Gen2 using Microsoft Entra ID](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/master/data-lake-gen2-acl-indexing/README.md) | [azure-search-dotnet-utilities](https://github.com/Azure-Samples/azure-search-dotnet-utilities) | Source code demonstrating indexer connections and indexing of Azure Data Lake Gen2 files and folders that are secured through Microsoft Entra ID and role-based access controls. |
| [Search aggregations](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/main/search-aggregations/README.md) | [azure-search-dotnet-utilities](https://github.com/Azure-Samples/azure-search-dotnet-utilities) | Proof-of-concept source code that demonstrates how to obtain aggregations from a search index and then filter by them. | | [Power Skills](https://github.com/Azure-Samples/azure-search-power-skills/blob/main/README.md) | [azure-search-power-skills](https://github.com/Azure-Samples/azure-search-power-skills) | Source code for consumable custom skills that you can incorporate in your won solutions. |
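Review bot: The updated "Index Data Lake Gen2" row keeps `blob/master/` in its URL while every other row in this table links through `blob/main/`; since the wording is being touched anyway, check which branch the repo actually uses and make the path consistent. Also, the unchanged "Power Skills" row below has "your won solutions" for "your own solutions".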
search Search Api Preview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-api-preview.md
Preview features that transition to general availability are removed from this l
| [**Vector search**](vector-search-overview.md) | Vector search | Adds vector fields to a search index for similarity search scenarios over vector representations of text, image, and multilingual content. | Public preview using the [Search REST API 2023-07-01-Preview](/rest/api/searchservice/index-preview) and Azure portal. | | [**Search REST API 2023-07-01-Preview**](/rest/api/searchservice/index-preview) | Vector search | Modifies [Create or Update Index](/rest/api/searchservice/preview-api/create-or-update-index) to include a new data type for vector search fields. It also adds query parameters for queries composed of vector data (embeddings) | Public preview, [Search REST API 2023-07-01-Preview](/rest/api/searchservice/index-preview). Announced in June 2023. | | [**Azure Files indexer**](search-file-storage-integration.md) | Indexer data source | Adds REST API support for creating indexers for [Azure Files](https://azure.microsoft.com/services/storage/files/) | Public preview, [Search REST API 2021-04-30-Preview](/rest/api/searchservice/index-preview). Announced in November 2021. |
-| [**Search REST API 2021-04-30-Preview**](/rest/api/searchservice/index-preview) | Security | Modifies [Create or Update Data Source](/rest/api/searchservice/preview-api/create-or-update-data-source) to support managed identities under Azure Active Directory, for indexers that connect to external data sources. | Public preview, [Search REST API 2021-04-30-Preview](/rest/api/searchservice/index-preview). Announced in May 2021. |
+| [**Search REST API 2021-04-30-Preview**](/rest/api/searchservice/index-preview) | Security | Modifies [Create or Update Data Source](/rest/api/searchservice/preview-api/create-or-update-data-source) to support managed identities under Microsoft Entra ID, for indexers that connect to external data sources. | Public preview, [Search REST API 2021-04-30-Preview](/rest/api/searchservice/index-preview). Announced in May 2021. |
| [**Management REST API 2021-04-01-Preview**](/rest/api/searchmanagement/) | Security | Modifies [Create or Update Service](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update) to support new [DataPlaneAuthOptions](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update#dataplaneauthoptions). | Public preview, [Management REST API](/rest/api/searchmanagement/), API version 2021-04-01-Preview. Announced in May 2021. | | [**Reset Documents**](search-howto-run-reset-indexers.md) | Indexer | Reprocesses individually selected search documents in indexer workloads. | Use the [Reset Documents REST API](/rest/api/searchservice/preview-api/reset-documents), API versions 2021-04-30-Preview or 2020-06-30-Preview. | | [**SharePoint Indexer**](search-howto-index-sharepoint-online.md) | Indexer data source | New data source for indexer-based indexing of SharePoint content. | [Sign up](https://aka.ms/azure-cognitive-search/indexer-preview) is required so that support can be enabled for your subscription on the backend. Configure this data source using [Create or Update Data Source](/rest/api/searchservice/preview-api/create-or-update-data-source), API versions 2021-04-30-Preview or 2020-06-30-Preview, or the Azure portal. |
search Search Data Sources Gallery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-data-sources-gallery.md
Our Confluence (Cloud Version) Connector is an enterprise grade indexing connect
-### Azure AD
+<a name='azure-ad'></a>
+
+### Microsoft Entra ID
by [BA Insight](https://www.bainsight.com)
-The BA Insight Azure Active Directory Connector makes it possible to surface content from your Azure Active Directory tenancy into a single consolidated search index, along with content from other repositories, making searches such as employee look-up or expertise locator a reality.
+The BA Insight Microsoft Entra Connector makes it possible to surface content from your Microsoft Entra tenancy into a single consolidated search index, along with content from other repositories, making searches such as employee look-up or expertise locator a reality.
[More details](https://www.bainsight.com/connectors/azure-active-directory-connector-for-sharepoint-azure-elasticsearch/)
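Review bot: "The BA Insight Microsoft Entra Connector" rewrites a third-party product name. The vendor's own link text and URL still say "azure-active-directory-connector", so unless BA Insight has renamed the product, keep their name as they publish it and apply the Entra ID rename only to the description of the directory it indexes ("content from your Microsoft Entra tenancy").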
The BA Insight Azure Active Directory Connector makes it possible to surface con
-### Azure AD
+<a name='azure-ad'></a>
+
+### Microsoft Entra ID
by [Raytion](https://www.raytion.com/contact)
-Secure enterprise search connector for reliably indexing content from Microsoft Azure Active Directory (Azure AD) and intelligently searching it with Azure Cognitive Search. It indexes objects from Azure AD via the Microsoft Graph API. The connector can be used for ingesting principals into Cognitive Search in near real time to implement use cases like expert search, equipment search, and location search or to provide early-binding security trimming in conjunction with custom data sources. The connector supports federated authentication against Microsoft 365.
+Secure enterprise search connector for reliably indexing content from Microsoft Entra ID and intelligently searching it with Azure Cognitive Search. It indexes objects from Microsoft Entra ID via the Microsoft Graph API. The connector can be used for ingesting principals into Cognitive Search in near real time to implement use cases like expert search, equipment search, and location search or to provide early-binding security trimming in conjunction with custom data sources. The connector supports federated authentication against Microsoft 365.
[More details](https://www.raytion.com/connectors/raytion-azure-ad-connector)
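Review bot: This hunk adds a second `<a name='azure-ad'></a>` anchor to the same page; the hunk above already inserted one for the BA Insight entry. Duplicate anchor names mean any inbound `#azure-ad` link resolves to the first occurrence only, so the Raytion entry becomes unreachable by that fragment. Use distinct names (for example one per vendor) or keep a single anchor where the old heading originally sat. As in the previous hunk, the Raytion link text and URL still refer to the "azure-ad" connector, so check the vendor's current product name before rewording the description.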
search Search Features List https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-features-list.md
There's feature parity in all Azure public, private, and sovereign clouds, but s
|-|-| | Data encryption | [**Microsoft-managed encryption-at-rest**](search-security-overview.md#encryption) is built into the internal storage layer and is irrevocable. <br/><br/>[**Customer-managed encryption keys**](search-security-manage-encryption-keys.md) that you create and manage in Azure Key Vault can be used for supplemental encryption of indexes and synonym maps. For services created after August 1 2020, CMK encryption extends to data on temporary disks, for full double encryption of indexed content.| | Endpoint protection | [**IP rules for inbound firewall support**](service-configure-firewall.md) allows you to set up IP ranges over which the search service will accept requests.<br/><br/>[**Create a private endpoint**](service-create-private-endpoint.md) using Azure Private Link to force all requests through a virtual network. |
-| Inbound access | [**Azure role-based access control**](search-security-rbac.md) assigns roles to users and groups in Azure Active Directory for controlled access to search content and operations. You can also use [**key-based authentication**](search-security-api-keys.md) if you don't have an Azure tenant.|
+| Inbound access | [**Azure role-based access control**](search-security-rbac.md) assigns roles to users and groups in Microsoft Entra ID for controlled access to search content and operations. You can also use [**key-based authentication**](search-security-api-keys.md) if you don't have an Azure tenant.|
| Outbound security (indexers) | [**Data access through private endpoints**](search-indexer-howto-access-private.md) allows an indexer to connect to Azure resources that are protected through Azure Private Link.<br/><br/>[**Data access using a trusted identity**](search-howto-managed-identities-data-sources.md) means that connection strings to external data sources can omit user names and passwords. When an indexer connects to the data source, the resource allows the connection if the search service was previously registered as a trusted service. | ## Portal features
search Search Get Started Semantic https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-get-started-semantic.md
Last updated 06/09/2023
-# Quickstart: Use semantic search with an existing index
+# Quickstart: Semantic search with .NET or Python
> [!IMPORTANT] > Semantic search is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). It's available through Azure portal, preview REST APIs, and beta SDKs. This feature is billable. See [Availability and pricing](semantic-search-overview.md#availability-and-pricing).
search Search Get Started Vector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-get-started-vector.md
Previously updated : 07/07/2023 Last updated : 10/10/2023
-# Quickstart: Use preview REST APIs for vector search queries
+# Quickstart: Vector search using REST APIs
> [!IMPORTANT] > Vector search is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). It's available through the Azure portal, preview REST API, and [beta client libraries](https://github.com/Azure/cognitive-search-vector-pr#readme).
-Get started with vector search in Azure Cognitive Search using the **2023-07-01-Preview** REST APIs that create, load, and query a search index. Search indexes now support vector fields in the fields collection. When querying the search index, you can build vector-only queries, or create hybrid queries that target vector fields *and* textual fields configured for filters, sorts, facets, and semantic ranking.
+Get started with vector search in Azure Cognitive Search using the **2023-07-01-Preview** REST APIs that create, load, and query a search index.
+
+Search indexes now support vector fields in the fields collection. When querying the search index, you can build vector-only queries, or create hybrid queries that target vector fields *and* textual fields configured for filters, sorts, facets, and semantic ranking.
+
+> [!NOTE]
+> This quickstart has been updated to use the fictitious hotels sample data set. Looking for the previous quickstart that used Azure product descriptions? See this [Postman collection](https://github.com/Azure/cognitive-search-vector-pr/tree/main/postman-collection) and review the example queries in [Create a vector query](vector-search-how-to-query.md) and [Create a hybrid query](hybrid-search-how-to-query.md).
## Prerequisites
Get started with vector search in Azure Cognitive Search using the **2023-07-01-
+ An Azure subscription. [Create one for free](https://azure.microsoft.com/free/).
-+ Azure Cognitive Search, in any region and on any tier. However, if you want to also use [semantic search](semantic-search-overview.md), as shown in the last two examples, your search service must be Basic tier or higher, with [semantic search enabled](semantic-how-to-enable-disable.md).
++ Azure Cognitive Search, in any region and on any tier. Most existing services support vector search. For a small subset of services created prior to January 2019, an index containing vector fields will fail on creation. In this situation, a new service must be created.
- Most existing services support vector search. For a small subset of services created prior to January 2019, an index containing vector fields will fail on creation. In this situation, a new service must be created.
+ For the optional [semantic search](semantic-search-overview.md) shown in the last example, your search service must be Basic tier or higher, with [semantic search enabled](semantic-how-to-enable-disable.md).
-+ [Sample Postman collection](https://github.com/Azure/cognitive-search-vector-pr/tree/main/postman-collection), with requests targeting the **2023-07-01-preview** API version of Azure Cognitive Search.
++ [Sample Postman collection](https://github.com/Azure-Samples/azure-search-postman-samples/tree/main/Quickstart-vectors), with requests targeting the **2023-07-01-preview** API version of Azure Cognitive Search.
-+ Optional. To use the "Create Query Embeddings" request, you need [Azure OpenAI](https://aka.ms/oai/access) with a deployment of **text-embedding-ada-002**. For this request, provide your Azure OpenAI endpoint, key, model deployment name, and API version in the collection variables.
++ Optional. The Postman collection includes a **Generate Embedding** request that can generate vectors from text. To send this request, you need [Azure OpenAI](https://aka.ms/oai/access) with a deployment of **text-embedding-ada-002**. For this request only, provide your Azure OpenAI endpoint, Azure OpenAI key, model deployment name, and API version in the collection variables. ## About the sample data and queries
-Sample data consists of text and vector descriptions of 108 Azure services, generated from ChatGPT in Azure OpenAI.
+Sample data consists of text and vector descriptions for seven fictitious hotels.
+ Textual data is used for keyword search, semantic ranking, and capabilities that depend on text (filters, facets, and sorting).
-+ Vector data (text embeddings) is used for vector search. Currently, Cognitive Search doesn't generate vectors for you. For this quickstart, vector data was generated previously and copied into the "Upload Documents" request and into the query requests.
++ Vector data (text embeddings) is used for vector search. Currently, Cognitive Search doesn't generate vectors for you. For this quickstart, vector data was generated separately and copied into the "Upload Documents" request and into the query requests.
- For documents, we generated vector data using demo code that calls Azure OpenAI for the embeddings. Samples are currently using beta versions of the Azure SDKs and are available in [Python](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-python), [C#](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-dotnet), and [JavaScript](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-javascript).
+For vector queries, we used the **Generate Embedding** request that calls Azure OpenAI and outputs embeddings for a search string. If you want to formulate your own vector queries against the sample data, provide your Azure OpenAI connection information in the Postman collection variables. Your Azure OpenAI service must have a deployment of an embedding model that's identical to the one used to generate embeddings in your search corpus.
- For queries, we used the "Create Query Embeddings" request that calls Azure OpenAI and outputs embeddings for a search string. If you want to formulate your own vector queries against the sample data of 108 Azure services, provide your Azure OpenAI connection information in the Postman collection variables. Your Azure OpenAI service must have a deployment of an embedding model that's identical to the one used to generate embeddings in your search corpus. For this quickstart, the following parameters were used:
+For this quickstart, the following parameters were used:
- + Model name: **text-embedding-ada-002**
- + Model version: **2**
- + API version: **2023-05-15**.
++ Model name: **text-embedding-ada-002**++ Model version: **2**++ API version: **2023-08-01-preview**. ## Set up your project If you're unfamiliar with Postman, see [this quickstart](search-get-started-rest.md) for instructions on how to import collections and set variables.
-1. [Fork or clone the repository](https://github.com/Azure/cognitive-search-vector-pr).
+1. [Fork or clone the azure-search-postman-samples repository](https://github.com/Azure-Samples/azure-search-postman-samples).
-1. Start Postman and import the collection `Vector Search QuickStart.postman_collection v1.0.json`.
+1. Start Postman and import the collection `AzureSearchQuickstartVectors.postman_collection.json`.
1. Right-click the collection name and select **Edit** to set the collection's variables to valid values for Azure Cognitive Search and Azure OpenAI.
If you're unfamiliar with Postman, see [this quickstart](search-get-started-rest
| openai-api-key | *optional. Set this value if you want to generate embeddings. Find this value in Azure portal.* | | openai-service-name | *optional. Set this value if you want to generate embeddings. Find this value in Azure portal.* | | openai-deployment-name | text-embedding-ada-002 |
- | openai-api-version | 2023-05-15 |
+ | openai-api-version | 2023-08-01-preview |
1. Save your changes.
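Review bot: The variables table asks readers to put the Azure OpenAI key and the search admin key into collection variables; a sentence telling them to enter secrets in the variable's current value (or a Postman environment) rather than the initial value would help, because initial values are exported with the collection and this walkthrough starts from a forked copy of the azure-search-postman-samples repo, so a key typed there can end up committed back.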
You're now ready to send the requests to your search service. For each request,
Use the [Create or Update Index](/rest/api/searchservice/preview-api/create-or-update-index) REST API for this request.
-The index schema is organized around a product catalog scenario. Sample data consists of titles, categories, and descriptions of 108 Azure services. This schema includes fields for vector and traditional keyword search, with configurations for vector and semantic search.
+The index schema is organized around hotels content. Sample data consists of the names, descriptions, and locations of seven fictitious hotels. This schema includes fields for vector and traditional keyword search, with configurations for vector and semantic search.
+
+The following example is a subset of the full index. We trimmed the definition so that you can focus on field definitions, vector configuration, and optional semantic configuration.
```http PUT https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}?api-version={{api-version}} Content-Type: application/json api-key: {{admin-api-key}} {
- "name": "{{index-name}}",
+ "name": "hotels-vector-quickstart",
"fields": [ {
- "name": "id",
- "type": "Edm.String",
- "key": true,
- "filterable": true
- },
- {
- "name": "category",
+ "name": "HotelId",
"type": "Edm.String",
- "filterable": true,
- "searchable": true,
- "retrievable": true
+ "searchable": false,
+ "filterable": true,
+ "retrievable": true,
+ "sortable": false,
+ "facetable": false,
+ "key": true
}, {
- "name": "title",
+ "name": "HotelName",
"type": "Edm.String",
- "searchable": true,
- "retrievable": true
+ "searchable": true,
+ "filterable": false,
+ "retrievable": true,
+ "sortable": true,
+ "facetable": false
}, {
- "name": "titleVector",
+ "name": "HotelNameVector",
"type": "Collection(Edm.Single)",
- "searchable": true,
+ "searchable": true,
"retrievable": true, "dimensions": 1536,
- "vectorSearchConfiguration": "vectorConfig"
+ "vectorSearchConfiguration": "my-vector-config"
}, {
- "name": "content",
+ "name": "Description",
"type": "Edm.String",
- "searchable": true,
- "retrievable": true
+ "searchable": true,
+ "filterable": false,
+ "retrievable": true,
+ "sortable": false,
+ "facetable": false
}, {
- "name": "contentVector",
+ "name": "DescriptionVector",
"type": "Collection(Edm.Single)",
- "searchable": true,
+ "searchable": true,
"retrievable": true, "dimensions": 1536,
- "vectorSearchConfiguration": "vectorConfig"
+ "vectorSearchConfiguration": "my-vector-config"
+ },
+ {
+ "name": "Category", "type": "Edm.String",
+ "searchable": true,
+ "filterable": true,
+ "retrievable": true,
+ "sortable": true,
+ "facetable": true
+ },
+ {
+ "name": "Address",
+ "type": "Edm.ComplexType",
+ "fields": [
+ {
+ "name": "City", "type": "Edm.String",
+ "searchable": true, "filterable": true, "retrievable": true, "sortable": true, "facetable": true
+ },
+ {
+ "name": "StateProvince", "type": "Edm.String",
+ "searchable": true, "filterable": true, "retrievable": true, "sortable": true, "facetable": true
+ }
+ ]
+ },
+ {
+ "name": "Location",
+ "type": "Edm.GeographyPoint",
+ "searchable": false,
+ "filterable": true,
+ "retrievable": true,
+ "sortable": true,
+ "facetable": false
} ],
- "corsOptions": {
- "allowedOrigins": [
- "*"
- ],
- "maxAgeInSeconds": 60
- },
"vectorSearch": { "algorithmConfigurations": [ {
- "name": "vectorConfig",
- "kind": "hnsw"
+ "name": "my-vector-config",
+ "kind": "hnsw",
+ "hnswParameters":
+ {
+ "m": 4,
+ "efConstruction": 400,
+ "efSearch": 500,
+ "metric": "cosine"
+ }
} ] },
api-key: {{admin-api-key}}
"name": "my-semantic-config", "prioritizedFields": { "titleField": {
- "fieldName": "title"
+ "fieldName": "HotelName"
}, "prioritizedContentFields": [
- {
- "fieldName": "content"
- }
+ { "fieldName": "Description" }
],
- "prioritizedKeywordsFields": []
+ "prioritizedKeywordsFields": [
+ { "fieldName": "Tags" }
+ ]
} } ]
You should get a status HTTP 201 success.
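Review bot: The semantic configuration references a `Tags` field in `prioritizedKeywordsFields`, but `Tags` is not defined in the trimmed `fields` collection, so a reader who sends this body as shown will likely get the request rejected for an unknown field. Either add the `Tags` field to the excerpt (the upload request and the later `Tags/any(tag: tag eq 'free wifi')` filter treat it as a filterable string collection) or say explicitly that it is one of the trimmed fields. On the removal side, dropping the old `corsOptions` block with `"allowedOrigins": ["*"]` takes a wildcard CORS setting out of the sample, which is the right default for a quickstart.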
**Key points:**
-+ The "fields" collection includes a required key field, a category field, and pairs of fields (such as "title", "titleVector") for keyword and vector search. Colocating vector and non-vector fields in the same index enables hybrid queries. For instance, you can combine filters, keyword search with semantic ranking, and vectors into a single query operation.
++ The `"fields"` collection includes a required key field, text and vector fields (such as `"Description"`, `"DescriptionVector"`) for keyword and vector search. Colocating vector and non-vector fields in the same index enables hybrid queries. For instance, you can combine filters, keyword search with semantic ranking, and vectors into a single query operation. + Vector fields must be `"type": "Collection(Edm.Single)"` with `"dimensions"` and `"vectorSearchConfiguration"` properties. See [this article](/rest/api/searchservice/preview-api/create-or-update-index) for property descriptions.
-+ The "vectorSearch" object is an array of algorithm configurations used by vector fields. Currently, only HNSW is supported. HNSW is a graph-based Approximate Nearest Neighbors (ANN) algorithm optimized for high-recall, low-latency applications.
++ The `"vectorSearch"` section is an array of algorithm configurations used by vector fields. Currently, only HNSW is supported. HNSW is a graph-based Approximate Nearest Neighbors (ANN) algorithm optimized for high-recall, low-latency applications.
-+ [Optional]: The "semanticSearch" configuration enables reranking of search results. You can rerank results in queries of type "semantic" for string fields that are specified in the configuration. See [Semantic Search overview](semantic-search-overview.md) to learn more.
++ [Optional]: The `"semantic"` configuration enables reranking of search results. You can rerank results in queries of type `"semantic"` for string fields that are specified in the configuration. See [Semantic Search overview](semantic-search-overview.md) to learn more. ## Upload documents Use the [Add, Update, or Delete Documents](/rest/api/searchservice/preview-api/add-update-delete-documents) REST API for this request.
-For readability, the following example shows a subset of documents and embeddings. The body of the Upload Documents request consists of 108 documents, each with a full set of embeddings for "titleVector" and "contentVector".
+For readability, the following excerpt shows just the fields used in queries, minus the vector values associated with `DescriptionVector`. Each vector field contains 1536 embeddings, so those values are omitted for readability.
```http POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/index?api-version={{api-version}}
api-key: {{admin-api-key}}
{ "value": [ {
- "id": "1",
- "title": "Azure App Service",
- "content": "Azure App Service is a fully managed platform for building, deploying, and scaling web apps. You can host web apps, mobile app backends, and RESTful APIs. It supports a variety of programming languages and frameworks, such as .NET, Java, Node.js, Python, and PHP. The service offers built-in auto-scaling and load balancing capabilities. It also provides integration with other Azure services, such as Azure DevOps, GitHub, and Bitbucket.",
- "category": "Web",
- "titleVector": [
- -0.02250031754374504,
- . . .
- ],
- "contentVector": [
- -0.024740582332015038,
- . . .
+ "@search.action": "mergeOrUpload",
+ "HotelId": "1",
+ "HotelName": "Secret Point Motel",
+ "HotelNameVector": [VECTOR ARRAY OMITTED],
+ "Description":
+ "The hotel is ideally located on the main commercial artery of the city
+ in the heart of New York.",
+ "DescriptionVector": [VECTOR ARRAY OMITTED],
+ "Category": "Boutique",
+ "Tags": [
+ "pool",
+ "air conditioning",
+ "concierge"
],
- "@search.action": "upload"
}, {
- "id": "2",
- "title": "Azure Functions",
- "content": "Azure Functions is a serverless compute service that enables you to run code on-demand without having to manage infrastructure. It allows you to build and deploy event-driven applications that automatically scale with your workload. Functions support various languages, including C#, F#, Node.js, Python, and Java. It offers a variety of triggers and bindings to integrate with other Azure services and external services. You only pay for the compute time you consume.",
- "category": "Compute",
- "titleVector": [
- -0.020159931853413582,
- . . .
- ],
- "contentVector": [
- -0.02780858241021633,,
- . . .
+ "@search.action": "mergeOrUpload",
+ "HotelId": "2",
+ "HotelName": "Twin Dome Hotel",
+ "HotelNameVector": [VECTOR ARRAY OMITTED],
+ "Description":
+ "The hotel is situated in a nineteenth century plaza, which has been
+ expanded and renovated to the highest architectural standards to create a modern,
+ functional and first-class hotel in which art and unique historical elements
+ coexist with the most modern comforts.",
+ "DescriptionVector": [VECTOR ARRAY OMITTED],
+ "Category": "Boutique",
+ "Tags": [
+ "pool",
+ "air conditioning",
+ "free wifi",
+ "concierge"
+ ]
+ },
+ {
+ "@search.action": "mergeOrUpload",
+ "HotelId": "3",
+ "HotelName": "Triple Landscape Hotel",
+ "HotelNameVector": [VECTOR ARRAY OMITTED],
+ "Description":
+ "The Hotel stands out for its gastronomic excellence under the management of
+ William Dough, who advises on and oversees all of the HotelΓÇÖs restaurant services.",
+ "DescriptionVector": [VECTOR ARRAY OMITTED],
+ "Category": "Resort and Spa",
+ "Tags": [
+ "air conditioning",
+ "bar",
+ "continental breakfast"
+ ]
+ }
+ {
+ "@search.action": "mergeOrUpload",
+ "HotelId": "4",
+ "HotelName": "Sublime Cliff Hotel",
+ "HotelNameVector": [VECTOR ARRAY OMITTED],
+ "Description":
+ "Sublime Cliff Hotel is located in the heart of the historic center of
+ Sublime in an extremely vibrant and lively area within short walking distance to
+ the sites and landmarks of the city and is surrounded by the extraordinary beauty
+ of churches, buildings, shops and monuments.
+ Sublime Cliff is part of a lovingly restored 1800 palace.",
+ "DescriptionVector": [VECTOR ARRAY OMITTED],
+ "Category": "Boutique",
+ "Tags": [
+ "concierge",
+ "view",
+ "24-hour front desk service"
+ ]
+ },
+ {
+ "@search.action": "mergeOrUpload",
+ "HotelId": "13",
+ "HotelName": "Historic Lion Resort",
+ "HotelNameVector": [VECTOR ARRAY OMITTED],
+ "Description":
+ "Unmatched Luxury. Visit our downtown hotel to indulge in luxury
+ accommodations. Moments from the stadium, we feature the best in comfort",
+ "DescriptionVector": [VECTOR ARRAY OMITTED],
+ "Category": "Resort and Spa",
+ "Tags": [
+ "view",
+ "free wifi",
+ "pool"
+ ]
+ },
+ {
+ "@search.action": "mergeOrUpload",
+ "HotelId": "48",
+ "HotelName": "Nordick's Hotel",
+ "HotelNameVector": [VECTOR ARRAY OMITTED],
+ "Description":
+ "Only 90 miles (about 2 hours) from the nation's capital and nearby
+ most everything the historic valley has to offer. Hiking? Wine Tasting? Exploring
+ the caverns? It's all nearby and we have specially priced packages to help make
+ our B&B your home base for fun while visiting the valley.",
+ "DescriptionVector": [VECTOR ARRAY OMITTED],
+ "Category": "Boutique",
+ "Tags": [
+ "continental breakfast",
+ "air conditioning",
+ "free wifi"
],
- "@search.action": "upload"
+ },
+ {
+ "@search.action": "mergeOrUpload",
+ "HotelId": "49",
+ "HotelName": "Old Carrabelle Hotel",
+ "HotelNameVector": [VECTOR ARRAY OMITTED],
+ "Description":
+ "Spacious rooms, glamorous suites and residences, rooftop pool, walking
+ access to shopping, dining, entertainment and the city center.",
+ "DescriptionVector": [VECTOR ARRAY OMITTED],
+ "Category": "Luxury",
+ "Tags": [
+ "air conditioning",
+ "laundry service",
+ "24-hour front desk service"
+ ]
}
- . . .
] } ```
api-key: {{admin-api-key}}
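Review bot: The upload body is not valid JSON as shown, and readers copy these blocks: the `Triple Landscape Hotel` object closes with `}` and the next object opens with `{` with no comma between them; the first and the `Nordick's Hotel` objects keep the old `],` context line, so `Tags` ends with a trailing comma before `}`; and the `Description` strings are broken across physical lines, which puts unescaped newlines inside string literals. Suggest running the excerpt through a JSON validator before merge. Two smaller items: `HotelΓÇÖs` in the Triple Landscape description is a mis-encoded apostrophe (`Hotel's`), and "Each vector field contains 1536 embeddings" should read "1536 dimensions", since each field holds one embedding of 1536 floats.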
## Run queries
-Use the [Search Documents](/rest/api/searchservice/preview-api/search-documents) REST API for this request. Public preview has several limitations. POST is required for this preview and the API version must be 2023-07-01-Preview.
+Use the [Search Documents](/rest/api/searchservice/preview-api/search-documents) REST API for query request. Public preview has specific requirements for using POST on the queries. Also, the API version must be 2023-07-01-Preview.
-There are several queries to demonstrate the patterns. We use the same query string (*"what Azure services support full text search"*) across all of them so that you can compare results and relevance.
+There are several queries to demonstrate various patterns.
+ [Single vector search](#single-vector-search) + [Single vector search with filter](#single-vector-search-with-filter)
-+ [Cross-field vector search](#cross-field-vector-search)
-+ [Multi-query vector search](#multi-query-vector-search)
+ [Hybrid search](#hybrid-search)
-+ [Hybrid search with filter](#hybrid-search-with-filter)
-+ [Semantic hybrid search](#semantic-hybrid-search)
+ [Semantic hybrid search with filter](#semantic-hybrid-search-with-filter)
+The queries in this section are based on two strings:
+++ search string: *"historic hotel walk to restaurants and shopping"*++ vector query string (vectorized into a mathematical representation): *"classic lodging near running trails, eateries, retail"*+
+The vector query string is semantically similar to the search string, but has terms that don't exist in the search index. If you do a keyword search for "classic lodging near running trails, eateries, retail", results are zero. We use this example to show you can get relevant results even if there are no matching terms.
+ ### Single vector search
-In this vector query, which is shortened for brevity, the "value" contains the vectorized text of the query input, "fields" determines which vector fields are searched, and "k" specifies the number of nearest neighbors to return.
+In this vector query, which is shortened for brevity, the `"value"` contains the vectorized text of the query input, `"fields"` determines which vector fields are searched, and `"k"` specifies the number of nearest neighbors to return.
-Recall that the vector query was generated from this string: `"what Azure services support full text search"`. The search targets the `contentVector` field.
+The vector query string is *"classic lodging near running trails, eateries, retail"* - vectorized into 1536 embeddings for this query.
```http POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}} Content-Type: application/json api-key: {{admin-api-key}} {
+ "count": true,
+ "select": "HotelId, HotelName, Description, Category",
"vectors": [ {
- "value": [
- -0.009154141,
- 0.018708462,
+ "value": [0.01944167, 0.0040178085
. . .
- -0.02178128,
- -0.00086512347
- ],
- "fields": "contentVector",
- "k": 5
+ 010858015, -0.017496133],
+ "fields": "DescriptionVector",
+ "k": 7
} ] } ```
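Review bot: In the `value` array, the element after the ellipsis reads `010858015` with no sign or decimal point, so even the abbreviated vector does not parse; it should be a float like its neighbours. The request also selects `HotelId, HotelName, Description, Category`, but the response excerpt that follows returns only `HotelName` and `Description`, so one of the two should be aligned. In the intro text, "vectorized into 1536 embeddings" should be "1536 dimensions", and "REST API for query request" reads better as "for query requests". Since the link list drops cross-field and multi-query vector search, it may be worth pointing readers to vector-search-how-to-query.md for those forms, as the note at the top of the article already does.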
-The response includes 5 results, and each result provides a search score, title, content, and category. In a similarity search, the response will always include "k" results ordered by the value similarity score.
-
-### Single vector search with filter
-
-You can add filters, but the filters are applied to the non-vector content in your index. In this example, the filter applies to the "category" field.
-
-The response is 10 Azure services, with a search score, title, and category for each one. Notice the `select` property. It's used to select specific fields for the response.
+The response for the vector equivalent of "classic lodging near running trails, eateries, retail" includes seven results. Each result provides a search score and the fields listed in `"select"`. In a similarity search, the response always includes `"k"` results ordered by the value similarity score.
```http
-POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}}
-Content-Type: application/json
-api-key: {{admin-api-key}}
{
- "vectors": [
+ "@odata.context": "https://heidist-srch-eastus.search.windows.net/indexes('hotels-vector-quickstart')/$metadata#docs(*)",
+ "@odata.count": 7,
+ "value": [
{
- "value": [
- -0.009154141,
- 0.018708462,
- . . .
- -0.02178128,
- -0.00086512347
- ],
- "fields": "contentVector",
- "k": 10
+ "@search.score": 0.857736,
+ "HotelName": "Nordick's Motel",
+ "Description": "Only 90 miles (about 2 hours) from the nation's capital and nearby most everything the historic valley has to offer. Hiking? Wine Tasting? Exploring the caverns? It's all nearby and we have specially priced packages to help make our B&B your home base for fun while visiting the valley."
},
- ],
- "select": "title, content, category",
- "filter": "category eq 'Databases'"
+ {
+ "@search.score": 0.8399129,
+ "HotelName": "Old Carrabelle Hotel",
+ "Description": "Spacious rooms, glamorous suites and residences, rooftop pool, walking access to shopping, dining, entertainment and the city center."
+ },
+ {
+ "@search.score": 0.8383954,
+ "HotelName": "Historic Lion Resort",
+ "Description": "Unmatched Luxury. Visit our downtown hotel to indulge in luxury accommodations. Moments from the stadium, we feature the best in comfort"
+ },
+ {
+ "@search.score": 0.8254346,
+ "HotelName": "Sublime Cliff Hotel",
+ "Description": "Sublime Cliff Hotel is located in the heart of the historic center of Sublime in an extremely vibrant and lively area within short walking distance to the sites and landmarks of the city and is surrounded by the extraordinary beauty of churches, buildings, shops and monuments. Sublime Cliff is part of a lovingly restored 1800 palace."
+ },
+ {
+ "@search.score": 0.82380056,
+ "HotelName": "Secret Point Hotel",
+ "Description": "The hotel is ideally located on the main commercial artery of the city in the heart of New York."
+ },
+ {
+ "@search.score": 0.81514084,
+ "HotelName": "Twin Dome Hotel",
+ "Description": "The hotel is situated in a nineteenth century plaza, which has been expanded and renovated to the highest architectural standards to create a modern, functional and first-class hotel in which art and unique historical elements coexist with the most modern comforts."
+ },
+ {
+ "@search.score": 0.8133763,
+ "HotelName": "Triple Landscape Hotel",
+ "Description": "The Hotel stands out for its gastronomic excellence under the management of William Dough, who advises on and oversees all of the HotelΓÇÖs restaurant services."
+ }
+ ]
} ```
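Review bot: The `@odata.context` value carries a real service hostname (`heidist-srch-eastus.search.windows.net`); substitute `{{search-service-name}}`, as the requests do, so an actual endpoint is not published in the docs. The hotel names in this response also disagree with the documents uploaded earlier: `Nordick's Motel` here versus `Nordick's Hotel` in the upload, and `Secret Point Hotel` versus `Secret Point Motel`. The `HotelΓÇÖs` mis-encoding is repeated in the last result.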
-### Cross-field vector search
+### Single vector search with filter
-A cross-field vector query sends a single query across multiple vector fields in your search index. This query example looks for similarity in both "titleVector" and "contentVector" and displays scores using [Reciprocal Rank Fusion (RRF)](hybrid-search-ranking.md):
+You can add filters, but the filters are applied to the non-vector content in your index. In this example, the filter applies to the `"Tags"` field, filtering out any hotels that don't provide free WIFI.
```http POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}} Content-Type: application/json api-key: {{admin-api-key}} {
+ "count": true,
+ "select": "HotelName, Tags, Description",
+ "filter": "Tags/any(tag: tag eq 'free wifi')",
"vectors": [ {
- "value": [
- -0.009154141,
- 0.018708462,
- . . .
- -0.02178128,
- -0.00086512347
- ],
- "fields": "titleVector, contentVector",
- "k": 5
- }
+ "value": [ VECTOR OMITTED ],
+ "fields": "DescriptionVector",
+ "k": 7
+ },
] }
-```
+```
-### Multi-query vector search
-
-Multi-query vector search sends multiple queries across multiple vector fields in your search index. This query example looks for similarity in both `titleVector` and `contentVector`, but sends in two different query embeddings respectively. This scenario is ideal for multi-modal use cases where you want to search over a `textVector` field and an `imageVector` field. You can also use this scenario if you have different embedding models with different dimensions in your search index. This also displays scores using [Reciprocal Rank Fusion (RRF)](hybrid-search-ranking.md).
+Response for the same vector query, with a post-processing filter, returns three hotels having free WIFI.
```http
-POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}}
-Content-Type: application/json
-api-key: {{admin-api-key}}
{
- "vectors": [
+
+ "@odata.count": 3,
+ "value": [
{
- "value": [
- -0.01234823,
- 0.018708462,
- . . .
- -0.99456344,
- -0.00084123
- ],
- "fields": "contentVector",
- "k": 5
+ "@search.score": 0.857736,
+ "HotelName": "Nordick's Motel",
+ "Description": "Only 90 miles (about 2 hours) from the nation's capital and nearby most everything the historic valley has to offer. Hiking? Wine Tasting? Exploring the caverns? It's all nearby and we have specially priced packages to help make our B&B your home base for fun while visiting the valley.",
+ "Tags": [
+ "continental breakfast",
+ "air conditioning",
+ "free wifi"
+ ]
}, {
- "value": [
- -0.43725224,
- 0.000234324,
- . . .
- -0.99912342,
- -0.01239130
- ],
- "fields": "contentVector",
- "k": 5
+ "@search.score": 0.8383954,
+ "HotelName": "Historic Lion Resort",
+ "Description": "Unmatched Luxury. Visit our downtown hotel to indulge in luxury accommodations. Moments from the stadium, we feature the best in comfort",
+ "Tags": [
+ "view",
+ "free wifi",
+ "pool"
+ ]
+ },
+ {
+ "@search.score": 0.81514084,
+ "HotelName": "Twin Dome Hotel",
+ "Description": "The hotel is situated in a nineteenth century plaza, which has been expanded and renovated to the highest architectural standards to create a modern, functional and first-class hotel in which art and unique historical elements coexist with the most modern comforts.",
+ "Tags": [
+ "pool",
+ "free wifi",
+ "concierge"
+ ]
} ] }
api-key: {{admin-api-key}}
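Review bot: In the filtered request, the `},` closing the vectors object leaves a trailing comma before `]`, which strict JSON parsers reject. More useful for readers: as the prose says, this is a post-processing filter, so it runs over the `k` nearest neighbours (7 here) rather than over the whole index; that is why the count can come back lower than `k`, and raising `k` is how you widen the candidate set before the filter is applied. Worth stating that explicitly next to the "three hotels" sentence. Minor: the text says "free WIFI" while the data value is `free wifi`.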
### Hybrid search
-Hybrid search consists of keyword queries and vector queries in a single search request.
+Hybrid search consists of keyword queries and vector queries in a single search request. This example runs the vector query and full text search concurrently:
-The response includes the top 10 ordered by search score. Both vector queries and free text queries are assigned a search score according to the scoring or similarity functions configured on the fields (BM25 for text fields). The scores are merged using [Reciprocal Rank Fusion (RRF)](hybrid-search-ranking.md) to weight each document with the inverse of its position in the ranked result set.
++ search string: *"historic hotel walk to restaurants and shopping"*++ vector query string (vectorized into a mathematical representation): *"classic lodging near running trails, eateries, retail"* ```http POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}} Content-Type: application/json api-key: {{admin-api-key}} {
+ "count": true,
+ "search": "historic hotel walk to restaurants and shopping",
+ "select": "HotelName, Description",
+ "top": 7,
"vectors": [ {
- "value": [
- -0.009154141,
- 0.018708462,
- . . .
- -0.02178128,
- -0.00086512347
- ],
- "fields": "contentVector",
- "k": 10
+ "value": [ VECTOR OMITTED],
+ "k": 7,
+ "fields": "DescriptionVector"
}
- ],
- "search": "what azure services support full text search",
- "top": "10"
+ ]
} ```
-Compare the responses between Single Vector Search and Simple Hybrid Search for the top result. The different ranking algorithms, HNSW's similarity metric and RRF respectively, produce scores that have different magnitudes. This is by design. Note that RRF scores may appear quite low, even with a high similarity match. This is a characteristic of the RRF algorithm. When using hybrid search and RRF, more of the reciprocal of the ranked documents are included in the results, given the relatively smaller score of the RRF ranked documents, as opposed to pure vector search.
-
-**Single Vector Search**: Results ordered by cosine similarity (default vector similarity distance function).
+Because this is a hybrid query, results are RRF-ranked. RRF evaluates search scores from various search results, takes the inverse, and then merges and sorts the combined results. The `top` number of results are returned.
-```json
+```http
{
- "@search.score": 0.8851871,
- "title": "Azure Cognitive Search",
- "content": "Azure Cognitive Search is a fully managed search-as-a-service that enables you to build rich search experiences for your applications. It provides features like full-text search, faceted navigation, and filters. Azure Cognitive Search supports various data sources, such as Azure SQL Database, Azure Blob Storage, and Azure Cosmos DB. You can use Azure Cognitive Search to index your data, create custom scoring profiles, and integrate with other Azure services. It also integrates with other Azure services, such as Azure Cognitive Services and Azure Machine Learning.",
- "category": "AI + Machine Learning"
-},
+ "@odata.count": 7,
+ "value": [
+ {
+ "@search.score": 0.03279569745063782,
+ "HotelName": "Historic Lion Resort",
+ "Description": "Unmatched Luxury. Visit our downtown hotel to indulge in luxury accommodations. Moments from the stadium, we feature the best in comfort"
+ },
+ {
+ "@search.score": 0.03226646035909653,
+ "HotelName": "Sublime Cliff Hotel",
+ "Description": "Sublime Cliff Hotel is located in the heart of the historic center of Sublime in an extremely vibrant and lively area within short walking distance to the sites and landmarks of the city and is surrounded by the extraordinary beauty of churches, buildings, shops and monuments. Sublime Cliff is part of a lovingly restored 1800 palace."
+ },
+ {
+ "@search.score": 0.03226646035909653,
+ "HotelName": "Old Carrabelle Hotel",
+ "Description": "Spacious rooms, glamorous suites and residences, rooftop pool, walking access to shopping, dining, entertainment and the city center."
+ },
+ {
+ "@search.score": 0.03205128386616707,
+ "HotelName": "Nordick's Motel",
+ "Description": "Only 90 miles (about 2 hours) from the nation's capital and nearby most everything the historic valley has to offer. Hiking? Wine Tasting? Exploring the caverns? It's all nearby and we have specially priced packages to help make our B&B your home base for fun while visiting the valley."
+ },
+ {
+ "@search.score": 0.03128054738044739,
+ "HotelName": "Triple Landscape Hotel",
+ "Description": "The Hotel stands out for its gastronomic excellence under the management of William Dough, who advises on and oversees all of the HotelΓÇÖs restaurant services."
+ },
+ {
+ "@search.score": 0.03100961446762085,
+ "HotelName": "Twin Dome Hotel",
+ "Description": "The hotel is situated in a nineteenth century plaza, which has been expanded and renovated to the highest architectural standards to create a modern, functional and first-class hotel in which art and unique historical elements coexist with the most modern comforts."
+ },
+ {
+ "@search.score": 0.03077651560306549,
+ "HotelName": "Secret Point Hotel",
+ "Description": "The hotel is ideally located on the main commercial artery of the city in the heart of New York."
+ }
+ ]
+}
```
-**Hybrid Search**: Combined keyword and vector search results using Reciprocal Rank Fusion.
+Because RRF merges results, it helps to review the inputs. The following results are from just the full text query. Top two results are Sublime Cliff Hotel and History Lion Resort, with Sublime Cliff Hotel having a much stronger relevance score.
-```json
-{
- "@search.score": 0.03333333507180214,
- "title": "Azure Cognitive Search",
- "content": "Azure Cognitive Search is a fully managed search-as-a-service that enables you to build rich search experiences for your applications. It provides features like full-text search, faceted navigation, and filters. Azure Cognitive Search supports various data sources, such as Azure SQL Database, Azure Blob Storage, and Azure Cosmos DB. You can use Azure Cognitive Search to index your data, create custom scoring profiles, and integrate with other Azure services. It also integrates with other Azure services, such as Azure Cognitive Services and Azure Machine Learning.",
- "category": "AI + Machine Learning"
-},
+```http
+ {
+ "@search.score": 2.2626662,
+ "HotelName": "Sublime Cliff Hotel",
+ "Description": "Sublime Cliff Hotel is located in the heart of the historic center of Sublime in an extremely vibrant and lively area within short walking distance to the sites and landmarks of the city and is surrounded by the extraordinary beauty of churches, buildings, shops and monuments. Sublime Cliff is part of a lovingly restored 1800 palace."
+ },
+ {
+ "@search.score": 0.86421645,
+ "HotelName": "Historic Lion Resort",
+ "Description": "Unmatched Luxury. Visit our downtown hotel to indulge in luxury accommodations. Moments from the stadium, we feature the best in comfort"
+ },
```
-### Hybrid search with filter
-
-This example adds a filter, which is applied to the nonvector content of the search index.
+In the vector-only query, Sublime Cliff Hotel drops to position four. But Historic Lion, which was second in full text search and third in vector search, doesn't experience the same range of fluctuation and thus appears as a top match in a homogenized result set.
```http
-POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}}
-Content-Type: application/json
-api-key: {{admin-api-key}}
-{
- "vectors": [
+ "value": [
{
- "value": [
- -0.009154141,
- 0.018708462,
- . . .
- -0.02178128,
- -0.00086512347
- ],
- "fields": "contentVector",
- "k": 10
+ "@search.score": 0.857736,
+ "HotelId": "48",
+ "HotelName": "Nordick's Motel",
+ "Description": "Only 90 miles (about 2 hours) from the nation's capital and nearby most everything the historic valley has to offer. Hiking? Wine Tasting? Exploring the caverns? It's all nearby and we have specially priced packages to help make our B&B your home base for fun while visiting the valley.",
+ "Category": "Boutique"
+ },
+ {
+ "@search.score": 0.8399129,
+ "HotelId": "49",
+ "HotelName": "Old Carrabelle Hotel",
+ "Description": "Spacious rooms, glamorous suites and residences, rooftop pool, walking access to shopping, dining, entertainment and the city center.",
+ "Category": "Luxury"
+ },
+ {
+ "@search.score": 0.8383954,
+ "HotelId": "13",
+ "HotelName": "Historic Lion Resort",
+ "Description": "Unmatched Luxury. Visit our downtown hotel to indulge in luxury accommodations. Moments from the stadium, we feature the best in comfort",
+ "Category": "Resort and Spa"
+ },
+ {
+ "@search.score": 0.8254346,
+ "HotelId": "4",
+ "HotelName": "Sublime Cliff Hotel",
+ "Description": "Sublime Cliff Hotel is located in the heart of the historic center of Sublime in an extremely vibrant and lively area within short walking distance to the sites and landmarks of the city and is surrounded by the extraordinary beauty of churches, buildings, shops and monuments. Sublime Cliff is part of a lovingly restored 1800 palace.",
+ "Category": "Boutique"
+ },
+ {
+ "@search.score": 0.82380056,
+ "HotelId": "1",
+ "HotelName": "Secret Point Hotel",
+ "Description": "The hotel is ideally located on the main commercial artery of the city in the heart of New York.",
+ "Category": "Boutique"
+ },
+ {
+ "@search.score": 0.81514084,
+ "HotelId": "2",
+ "HotelName": "Twin Dome Hotel",
+ "Description": "The hotel is situated in a nineteenth century plaza, which has been expanded and renovated to the highest architectural standards to create a modern, functional and first-class hotel in which art and unique historical elements coexist with the most modern comforts.",
+ "Category": "Boutique"
+ },
+ {
+ "@search.score": 0.8133763,
+ "HotelId": "3",
+ "HotelName": "Triple Landscape Hotel",
+ "Description": "The Hotel stands out for its gastronomic excellence under the management of William Dough, who advises on and oversees all of the HotelΓÇÖs restaurant services.",
+ "Category": "Resort and Spa"
}
- ],
- "search": "what azure services support full text search",
- "filter": "category eq 'Databases'",
- "top": "10"
-}
+ ]
```
-### Semantic hybrid search
+### Semantic hybrid search with filter
-Assuming that you've [enabled semantic search](semantic-how-to-enable-disable.md) and your index definition includes a [semantic configuration](semantic-how-to-query-request.md), you can formulate a query that includes vector search, plus keyword search with semantic ranking, caption, answers, and spell check.
+Here's the last query in the collection: a hybrid query, with semantic ranking, filtered to show just those hotels within a 500-kilometer radius of Washington D.C.
```http POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}} Content-Type: application/json api-key: {{admin-api-key}} {
+ "count": true,
+ "search": "historic hotel walk to restaurants and shopping",
+ "select": "HotelId, HotelName, Category, Description,Address/City, Address/StateProvince",
+ "filter": "geo.distance(Location, geography'POINT(-77.03241 38.90166)') le 500",
+ "facets": [ "Address/StateProvince"],
+ "top": 7,
+ "queryType": "semantic",
+ "queryLanguage": "en-us",
+ "answers": "extractive|count-3",
+ "captions": "extractive|highlight-true",
+ "semanticConfiguration": "my-semantic-config",
"vectors": [ {
- "value": [
- -0.009154141,
- 0.018708462,
- . . .
- -0.02178128,
- -0.00086512347
- ],
- "fields": "contentVector",
- "k": 10
+ "value": [ VECTOR OMITTED ],
+ "k": 7,
+ "fields": "DescriptionVector"
}
- ],
- "search": "what azure services support full text search",
- "select": "title, content, category",
- "queryType": "semantic",
- "semanticConfiguration": "my-semantic-config",
- "queryLanguage": "en-us",
- "captions": "extractive",
- "answers": "extractive",
- "top": "10"
+ ]
} ```
-### Semantic hybrid search with filter
+Response is three hotels, filtered by location and faceted by StateProvince, semantically ranked to promote results that are closest to the search string query ("historic hotel walk to restaurants and shopping").
-Here's the last query in the collection. It's the same semantic hybrid query as the previous example, but with a filter.
+Now, Old Carabelle Hotel moves into the top spot. Without semantic ranking, Nordick's Hotel is number one. With semantic ranking, the machine comprehension models recognize that "historic" applies to hotel, within walking distance to dining (restaurants) and shopping.
```http
-POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version={{api-version}}
-Content-Type: application/json
-api-key: {{admin-api-key}}
{
- "vectors": [
+ "@odata.count": 3,
+ "@search.facets": {
+ "Address/StateProvince": [
+ {
+ "count": 1,
+ "value": "NY"
+ },
+ {
+ "count": 1,
+ "value": "VA"
+ }
+ ]
+ },
+ "@search.answers": [],
+ "value": [
{
- "value": [
- -0.009154141,
- 0.018708462,
- . . .
- -0.02178128,
- -0.00086512347
- ],
- "fields": "contentVector",
- "k": 10
+ "@search.score": 0.03306011110544205,
+ "@search.rerankerScore": 2.5094974040985107,
+ "HotelId": "49",
+ "HotelName": "Old Carrabelle Hotel",
+ "Description": "Spacious rooms, glamorous suites and residences, rooftop pool, walking access to shopping, dining, entertainment and the city center.",
+ "Category": "Luxury",
+ "Address": {
+ "City": "Arlington",
+ "StateProvince": "VA"
+ }
+ },
+ {
+ "@search.score": 0.03306011110544205,
+ "@search.rerankerScore": 2.0370211601257324,
+ "HotelId": "48",
+ "HotelName": "Nordick's Motel",
+ "Description": "Only 90 miles (about 2 hours) from the nation's capital and nearby most everything the historic valley has to offer. Hiking? Wine Tasting? Exploring the caverns? It's all nearby and we have specially priced packages to help make our B&B your home base for fun while visiting the valley.",
+ "Category": "Boutique",
+ "Address": {
+ "City": "Washington D.C.",
+ "StateProvince": null
+ }
+ },
+ {
+ "@search.score": 0.032258063554763794,
+ "@search.rerankerScore": 1.6706111431121826,
+ "HotelId": "1",
+ "HotelName": "Secret Point Hotel",
+ "Description": "The hotel is ideally located on the main commercial artery of the city in the heart of New York.",
+ "Category": "Boutique",
+ "Address": {
+ "City": "New York",
+ "StateProvince": "NY"
+ }
}
- ],
- "search": "what azure services support full text search",
- "select": "title, content, category",
- "queryType": "semantic",
- "semanticConfiguration": "my-semantic-config",
- "queryLanguage": "en-us",
- "captions": "extractive",
- "answers": "extractive",
- "filter": "category eq 'Databases'",
- "top": "10"
+ ]
} ``` **Key points:**
-+ Vector search is specified through the vector "vector.value" property. Keyword search is specified through "search" property.
++ Vector search is specified through the vector `"vectors.value"` property. Keyword search is specified through `"search"` property.+++ In a hybrid search, you can integrate vector search with full text search over keywords. Filters, spell check, and semantic ranking apply to textual content only, and not vectors. In this final query, there's no semantic `"answer"` because the system didn't produce one that was sufficiently strong.
-+ In a hybrid search, you can integrate vector search with full text search over keywords. Filters, spell check, and semantic ranking apply to textual content only, and not vectors. In this final query, there's no semantic "answer" because the system didn't produce one that was sufficiently strong.
++ Actual results include more detail, including semantic captions and highlights. Results have been modified for readability. You should run the request in the Postman collection to get the full structure of the response. ## Clean up
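Review bot: the rewritten RRF sentence at `+Because this is a hybrid query, results are RRF-ranked. RRF evaluates search scores from various search results, takes the inverse, and then merges and sorts the combined results.` misdescribes the algorithm; Reciprocal Rank Fusion takes the reciprocal of each document's rank position in each input result set and sums those, it does not invert the search scores. The removed line had it right ("weight each document with the inverse of its position in the ranked result set"), so restore that wording, and keep one sentence from the removed paragraph saying that RRF scores are small by design, otherwise the 0.03-range `@search.score` values in the hybrid response read as weak matches. Smaller points in the same hunk: "History Lion Resort" should be "Historic Lion Resort"; "Old Carabelle Hotel" and "Nordick's Hotel" should match the response bodies ("Old Carrabelle Hotel", "Nordick's Motel"); the added response bodies are fenced as ```http although they are JSON, whereas the removed versions used ```json; and the added request examples send `api-key: {{admin-api-key}}` on `docs/search` calls, which are read-only, so a query key is sufficient and the quickstart should not teach readers to query with the admin key.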
Azure Cognitive Search is a billable resource. If it's no longer needed, delete
## Next steps As a next step, we recommend reviewing the demo code for [Python](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-python), [C#](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-dotnet), or [JavaScript](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-javascript).--
search Search Howto Aad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-howto-aad.md
Title: Configure search apps for Azure AD
+ Title: Configure search apps for Microsoft Entra ID
-description: Acquire a token from Azure Active Directory to authorize search requests to an app built on Azure Cognitive Search.
+description: Acquire a token from Microsoft Entra ID to authorize search requests to an app built on Azure Cognitive Search.
Last updated 05/09/2023
-# Authorize access to a search app using Azure Active Directory
+# Authorize access to a search app using Microsoft Entra ID
-Search applications that are built on Azure Cognitive Search can now use the [Microsoft identity platform](../active-directory/develop/v2-overview.md) for authenticated and authorized access. On Azure, the identity provider is Azure Active Directory (Azure AD). A key [benefit of using Azure AD](../active-directory/develop/how-to-integrate.md#benefits-of-integration) is that your credentials and API keys no longer need to be stored in your code. Azure AD authenticates the security principal (a user, group, or service) running the application. If authentication succeeds, Azure AD returns the access token to the application, and the application can then use the access token to authorize requests to Azure Cognitive Search.
+Search applications that are built on Azure Cognitive Search can now use the [Microsoft identity platform](../active-directory/develop/v2-overview.md) for authenticated and authorized access. On Azure, the identity provider is Microsoft Entra ID. A key [benefit of using Microsoft Entra ID](../active-directory/develop/how-to-integrate.md#benefits-of-integration) is that your credentials and API keys no longer need to be stored in your code. Microsoft Entra authenticates the security principal (a user, group, or service) running the application. If authentication succeeds, Microsoft Entra ID returns the access token to the application, and the application can then use the access token to authorize requests to Azure Cognitive Search.
-This article shows you how to configure your client for Azure AD:
+This article shows you how to configure your client for Microsoft Entra ID:
+ For authentication, you'll create a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) as the security principle. You could also use a different type of service principal object, but this article uses managed identities because they eliminate the need to manage credentials. + For authorization, you'll assign an Azure role to the managed identity that grants permissions to run queries or manage indexing jobs.
-+ Update your client code to call [`TokenCredential()`](/dotnet/api/azure.core.tokencredential). For example, you can get started with new SearchClient(endpoint, new `DefaultAzureCredential()`) to authenticate via an Azure AD using [Azure.Identity](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/README.md).
++ Update your client code to call [`TokenCredential()`](/dotnet/api/azure.core.tokencredential). For example, you can get started with new SearchClient(endpoint, new `DefaultAzureCredential()`) to authenticate via a Microsoft Entra ID using [Azure.Identity](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/README.md). ## Configure role-based access for data plane
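Review bot: the added line `++ Update your client code to call ... to authenticate via a Microsoft Entra ID using [Azure.Identity]` keeps the article from the old "an Azure AD" and now reads oddly; it should be "via Microsoft Entra ID". While this hunk is open, the unchanged line above it has "as the security principle", which should be "security principal", and the replaced paragraph switches between "Microsoft Entra authenticates" and "Microsoft Entra ID returns"; use one form of the product name within the paragraph.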
When you enable role-based access control in the portal, the failure mode will b
Use the Management REST API version 2022-09-01, [Create or Update Service](/rest/api/searchmanagement/2022-09-01/services/create-or-update), to configure your service.
-All calls to the Management REST API are authenticated through Azure Active Directory, with Contributor or Owner permissions. For help setting up authenticated requests in Postman, see [Manage Azure Cognitive Search using REST](search-manage-rest.md).
+All calls to the Management REST API are authenticated through Microsoft Entra ID, with Contributor or Owner permissions. For help setting up authenticated requests in Postman, see [Manage Azure Cognitive Search using REST](search-manage-rest.md).
1. Get service settings so that you can review the current configuration.
You can assign multiple roles, such as Search Service Contributor and Search Ind
You can also [assign roles using PowerShell](search-security-rbac.md#assign-roles).
-## Set up Azure AD authentication in your client
+<a name='set-up-azure-ad-authentication-in-your-client'></a>
+
+## Set up Microsoft Entra authentication in your client
Once you have a managed identity and a role assignment on the search service, you're ready to add code to your application to authenticate the security principal and acquire an OAuth 2.0 token.
Use the following client libraries for role-based access control:
+ [azure.search.documents (Azure SDK for Python) version 11.3](https://pypi.org/project/azure-search-documents/) > [!NOTE]
-> To learn more about the OAuth 2.0 code grant flow used by Azure AD, see [Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow](../active-directory/develop/v2-oauth2-auth-code-flow.md).
+> To learn more about the OAuth 2.0 code grant flow used by Microsoft Entra ID, see [Authorize access to Microsoft Entra web applications using the OAuth 2.0 code grant flow](../active-directory/develop/v2-oauth2-auth-code-flow.md).
### [**.NET SDK**](#tab/aad-dotnet)
User-assigned managed identities work only in Azure environments. If you run thi
You should now be able to run the project from Visual Studio on your local system, using role-based access control for authorization. > [!NOTE]
-> The Azure.Identity documentation has more details about `DefaultAzureCredential` and using [Azure AD authentication with the Azure SDK for .NET](/dotnet/api/overview/azure/identity-readme). `DefaultAzureCredential` is intended to simplify getting started with the SDK by handling common scenarios with reasonable default behaviors. Developers who want more control or whose scenario isn't served by the default settings should use other credential types.
+> The Azure.Identity documentation has more details about `DefaultAzureCredential` and using [Microsoft Entra authentication with the Azure SDK for .NET](/dotnet/api/overview/azure/identity-readme). `DefaultAzureCredential` is intended to simplify getting started with the SDK by handling common scenarios with reasonable default behaviors. Developers who want more control or whose scenario isn't served by the default settings should use other credential types.
### [**REST API**](#tab/aad-rest)
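Review bot: the note `> The Azure.Identity documentation has more details about DefaultAzureCredential ...` says developers who want more control should use other credential types but does not name one; since this article's whole setup is a managed identity on the search service, it would help readers to say that code running in Azure can use `ManagedIdentityCredential` directly rather than the general-purpose `DefaultAzureCredential` chain.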
Using an Azure SDK simplifies the OAuth 2.0 flow but you can also program direct
## See also + [Use Azure role-based access control in Azure Cognitive Search](search-security-rbac.md)
-+ [Authorize access to Azure Active Directory web applications using the OAuth 2.0 code grant flow](../active-directory/develop/v2-oauth2-auth-code-flow.md)
-+ [Integrating with Azure Active Directory](../active-directory/develop/how-to-integrate.md#benefits-of-integration)
++ [Authorize access to Microsoft Entra web applications using the OAuth 2.0 code grant flow](../active-directory/develop/v2-oauth2-auth-code-flow.md)++ [Integrating with Microsoft Entra ID](../active-directory/develop/how-to-integrate.md#benefits-of-integration) + [Azure custom roles](../role-based-access-control/custom-roles.md)
search Search Howto Index Azure Data Lake Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-howto-index-azure-data-lake-storage.md
In this article, learn how to configure an [**indexer**](search-indexer-overview
This article supplements [**Create an indexer**](search-howto-create-indexers.md) with information that's specific to indexing from ADLS Gen2. It uses the REST APIs to demonstrate a three-part workflow common to all indexers: create a data source, create an index, create an indexer. Data extraction occurs when you submit the Create Indexer request.
-For a code sample in C#, see [Index Data Lake Gen2 using Azure AD](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/master/data-lake-gen2-acl-indexing/README.md) on GitHub.
+For a code sample in C#, see [Index Data Lake Gen2 using Microsoft Entra ID](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/master/data-lake-gen2-acl-indexing/README.md) on GitHub.
## Prerequisites
You can now [run the indexer](search-howto-run-reset-indexers.md), [monitor stat
+ [Change detection and deletion detection](search-howto-index-changed-deleted-blobs.md) + [Index large data sets](search-howto-large-index.md)
-+ [C# Sample: Index Data Lake Gen2 using Azure AD](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/master/data-lake-gen2-acl-indexing/README.md)
++ [C# Sample: Index Data Lake Gen2 using Microsoft Entra ID](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/master/data-lake-gen2-acl-indexing/README.md)
search Search Howto Index Sharepoint Online https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-howto-index-sharepoint-online.md
The SharePoint indexer supports both [delegated and application](/graph/auth/aut
+ Application permissions, where the indexer runs under the identity of the SharePoint tenant with access to all sites and files within the SharePoint tenant. The indexer requires a [client secret](../active-directory/develop/v2-oauth2-client-creds-grant-flow.md) to access the SharePoint tenant. The indexer will also require [tenant admin approval](../active-directory/manage-apps/grant-admin-consent.md) before it can index any content.
-If your Azure Active Directory organization has [Conditional Access enabled](../active-directory/conditional-access/overview.md) and your administrator isn't able to grant any device access for Delegated permissions, you should consider Application permissions instead. For more information, see [Azure Active Directory Conditional Access policies](./search-indexer-troubleshooting.md#azure-active-directory-conditional-access-policies).
+If your Microsoft Entra organization has [Conditional Access enabled](../active-directory/conditional-access/overview.md) and your administrator isn't able to grant any device access for Delegated permissions, you should consider Application permissions instead. For more information, see [Microsoft Entra Conditional Access policies](./search-indexer-troubleshooting.md#azure-active-directory-conditional-access-policies).
-### Step 3: Create an Azure AD application
+<a name='step-3-create-an-azure-ad-application'></a>
-The SharePoint indexer will use this Azure Active Directory (Azure AD) application for authentication.
+### Step 3: Create a Microsoft Entra application
+
+The SharePoint indexer will use this Microsoft Entra application for authentication.
1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Search for or navigate to **Azure Active Directory**, then select **App registrations**.
+1. Search for or navigate to **Microsoft Entra ID**, then select **App registrations**.
1. Select **+ New registration**: 1. Provide a name for your app.
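Review bot: the added line `+If your Microsoft Entra organization has [Conditional Access enabled]... see [Microsoft Entra Conditional Access policies](./search-indexer-troubleshooting.md#azure-active-directory-conditional-access-policies).` renames the link text but keeps the old fragment; if the heading in search-indexer-troubleshooting.md was renamed in the same sweep, this link breaks unless that file received a matching `<a name='azure-active-directory-conditional-access-policies'></a>` anchor, as this hunk does for the old "Step 3" heading. Worth checking the target file in this commit.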
The SharePoint indexer will use this Azure Active Directory (Azure AD) applicati
1. Give admin consent.
- Tenant admin consent is required when using application API permissions. Some tenants are locked down in such a way that tenant admin consent is required for delegated API permissions as well. If either of these conditions apply, youΓÇÖll need to have a tenant admin grant consent for this Azure AD application before creating the indexer.
+ Tenant admin consent is required when using application API permissions. Some tenants are locked down in such a way that tenant admin consent is required for delegated API permissions as well. If either of these conditions apply, youΓÇÖll need to have a tenant admin grant consent for this Microsoft Entra application before creating the indexer.
- :::image type="content" source="media/search-howto-index-sharepoint-online/aad-app-grant-admin-consent.png" alt-text="Azure AD app grant admin consent":::
+ :::image type="content" source="media/search-howto-index-sharepoint-online/aad-app-grant-admin-consent.png" alt-text="Microsoft Entra app grant admin consent":::
1. Select the **Authentication** tab.
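Review bot: the apostrophe in `youΓÇÖll` on the added line renders as mojibake here, exactly as in the removed line; if that sequence is in the file rather than an artifact of this view, replace it with a plain apostrophe while the line is being rewritten, since the rename is the only intended change.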
The SharePoint indexer will use this Azure Active Directory (Azure AD) applicati
1. Select **+ Add a platform**, then **Mobile and desktop applications**, then check `https://login.microsoftonline.com/common/oauth2/nativeclient`, then **Configure**.
- :::image type="content" source="media/search-howto-index-sharepoint-online/aad-app-authentication-configuration.png" alt-text="Azure AD app authentication configuration":::
+ :::image type="content" source="media/search-howto-index-sharepoint-online/aad-app-authentication-configuration.png" alt-text="Microsoft Entra app authentication configuration":::
-1. (Application API Permissions only) To authenticate to the Azure AD application using application permissions, the indexer requires a client secret.
+1. (Application API Permissions only) To authenticate to the Microsoft Entra application using application permissions, the indexer requires a client secret.
+ Select **Certificates & Secrets** from the menu on the left, then **Client secrets**, then **New client secret**.
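Review bot: the step `(Application API Permissions only) To authenticate to the Microsoft Entra application using application permissions, the indexer requires a client secret.` tells the reader to create a secret but says nothing about its lifetime; client secrets expire, and an indexer whose data source holds an expired secret stops authenticating, so the step should say to record the expiry date and rotate the secret in the data source before it lapses.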
For SharePoint indexing, the data source must have the following required proper
+ **name** is the unique name of the data source within your search service. + **type** must be "sharepoint". This value is case-sensitive.
-+ **credentials** provide the SharePoint endpoint and the Azure AD application (client) ID. An example SharePoint endpoint is `https://microsoft.sharepoint.com/teams/MySharePointSite`. You can get the endpoint by navigating to the home page of your SharePoint site and copying the URL from the browser.
++ **credentials** provide the SharePoint endpoint and the Microsoft Entra application (client) ID. An example SharePoint endpoint is `https://microsoft.sharepoint.com/teams/MySharePointSite`. You can get the endpoint by navigating to the home page of your SharePoint site and copying the URL from the browser. + **container** specifies which document library to index. More information on creating the container can be found in the [Controlling which documents are indexed](#controlling-which-documents-are-indexed) section of this document. To create a data source, call [Create Data Source](/rest/api/searchservice/preview-api/create-or-update-data-source) using preview API version `2020-06-30-Preview` or later.
There are a few steps to creating the indexer:
> [!NOTE]
-> If the Azure AD application requires admin approval and was not approved before logging in, you may see the following screen. [Admin approval](../active-directory/manage-apps/grant-admin-consent.md) is required to continue.
+> If the Microsoft Entra application requires admin approval and was not approved before logging in, you may see the following screen. [Admin approval](../active-directory/manage-apps/grant-admin-consent.md) is required to continue.
:::image type="content" source="media/search-howto-index-sharepoint-online/no-admin-approval-error.png" alt-text="Admin approval required"::: ### Step 7: Check the indexer status
search Search Howto Indexing Azure Blob Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-howto-indexing-azure-blob-storage.md
Blob indexers are frequently used for both [AI enrichment](cognitive-search-conc
+ Blobs providing text content and metadata. If blobs contain binary content or unstructured text, consider adding [AI enrichment](cognitive-search-concept-intro.md) for image and natural language processing. Blob content canΓÇÖt exceed the [indexer limits](search-limits-quotas-capacity.md#indexer-limits) for your search service tier.
-+ A supported network configuration and data access. At a minimum, you'll need read permissions in Azure Storage. A storage connection string that includes an access key will give you read access to storage content. If instead you're using Azure AD logins and roles, make sure the [search service's managed identity](search-howto-managed-identities-data-sources.md) has **Storage Blob Data Reader** permissions.
++ A supported network configuration and data access. At a minimum, you'll need read permissions in Azure Storage. A storage connection string that includes an access key will give you read access to storage content. If instead you're using Microsoft Entra logins and roles, make sure the [search service's managed identity](search-howto-managed-identities-data-sources.md) has **Storage Blob Data Reader** permissions. By default, both search and storage accept requests from public IP addresses. If network security isn't an immediate concern, you can index blob data using just the connection string and read permissions. When you're ready to add network protections, see [Indexer access to content protected by Azure network security features](search-indexer-securing-resources.md) for guidance about data access.
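Review bot: the sentence "A storage connection string that includes an access key will give you read access to storage content" in the changed bullet understates what the key grants; a storage account access key authorizes full read and write control over the account, so it is not a read-only credential and does not satisfy the "at a minimum, you'll need read permissions" framing the same bullet opens with. Suggest wording it as "will give you full (read and write) access to storage content" and pointing readers who only need read to the managed-identity path with **Storage Blob Data Reader**, which is the least-privilege option the bullet already describes.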
search Search Howto Managed Identities Cosmos Db https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-howto-managed-identities-cosmos-db.md
This article explains how to set up an indexer connection to an Azure Cosmos DB database using a managed identity instead of providing credentials in the connection string.'
-You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Azure Active Directory logins and require Azure role assignments to access data in Azure Cosmos DB.
+You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Microsoft Entra logins and require Azure role assignments to access data in Azure Cosmos DB.
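Review bot: the context line immediately above the changed sentence ends with a stray apostrophe ("...instead of providing credentials in the connection string.'"); drop it while this paragraph is being touched.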
## Prerequisites
search Search Howto Managed Identities Data Sources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-howto-managed-identities-data-sources.md
Title: Connect using a managed identity
-description: Create a managed identity for your search service and use Azure Active Directory authentication and role-based-access controls for connections to other cloud services.
+description: Create a managed identity for your search service and use Microsoft Entra authentication and role-based-access controls for connections to other cloud services.
You can configure an Azure Cognitive Search service to connect to other Azure re
+ A search service at the [Basic tier or above](search-sku-tier.md).
-+ An Azure resource that accepts incoming requests from an Azure Active Directory login that has a valid role assignment.
++ An Azure resource that accepts incoming requests from a Microsoft Entra login that has a valid role assignment. ## Supported scenarios
-Cognitive Search can use a system-assigned or user-assigned managed identity on outbound connections to Azure resources. A system managed identity is indicated when a connection string is the unique resource ID of an Azure AD-aware service or application. A user-assigned managed identity is specified through an "identity" property.
+Cognitive Search can use a system-assigned or user-assigned managed identity on outbound connections to Azure resources. A system managed identity is indicated when a connection string is the unique resource ID of a Microsoft Entra ID-aware service or application. A user-assigned managed identity is specified through an "identity" property.
A search service uses Azure Storage as an indexer data source and as a data sink for debug sessions, enrichment caching, and knowledge store. For search features that write back to storage, the managed identity needs a contributor role assignment as described in the ["Assign a role"](#assign-a-role) section.
Once a managed identity is defined for the search service and given a role assig
[**Blob data source (system):**](search-howto-managed-identities-storage.md)
-An indexer data source includes a "credentials" property that determines how the connection is made to the data source. The following example shows a connection string specifying the unique resource ID of a storage account. Azure AD will authenticate the request using the system managed identity of the search service. Notice that the connection string doesn't include a container. In a data source definition, a container name is specified in the "container" property (not shown), not the connection string.
+An indexer data source includes a "credentials" property that determines how the connection is made to the data source. The following example shows a connection string specifying the unique resource ID of a storage account. Microsoft Entra ID will authenticate the request using the system managed identity of the search service. Notice that the connection string doesn't include a container. In a data source definition, a container name is specified in the "container" property (not shown), not the connection string.
```json "credentials": {
A custom skill targets the endpoint of an Azure function or app hosting custom c
+ [Security overview](search-security-overview.md) + [AI enrichment overview](cognitive-search-concept-intro.md) + [Indexers overview](search-indexer-overview.md)
-+ [Authenticate with Azure Active Directory](/azure/architecture/framework/security/design-identity-authentication)
-+ [About managed identities (Azure Active Directory)](../active-directory/managed-identities-azure-resources/overview.md)
++ [Authenticate with Microsoft Entra ID](/azure/architecture/framework/security/design-identity-authentication)++ [About managed identities (Microsoft Entra ID)](../active-directory/managed-identities-azure-resources/overview.md)
search Search Howto Managed Identities Sql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-howto-managed-identities-sql.md
Last updated 09/19/2022
This article explains how to set up an indexer connection to Azure SQL Database using a managed identity instead of providing credentials in the connection string.
-You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Azure Active Directory logins and require Azure role assignments to access data in Azure SQL.
+You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Microsoft Entra logins and require Azure role assignments to access data in Azure SQL.
## Prerequisites * [Create a managed identity](search-howto-managed-identities-data-sources.md) for your search service.
-* [Assign an Azure admin role on SQL](/azure/azure-sql/database/authentication-aad-configure). The identity used on the indexer connection needs read permissions. You must be an Azure AD admin with a server in SQL Database or SQL Managed Instance to grant read permissions on a database.
+* [Assign an Azure admin role on SQL](/azure/azure-sql/database/authentication-aad-configure). The identity used on the indexer connection needs read permissions. You must be a Microsoft Entra admin with a server in SQL Database or SQL Managed Instance to grant read permissions on a database.
* You should be familiar with [indexer concepts](search-indexer-overview.md) and [configuration](search-howto-connecting-azure-sql-database-to-azure-search-using-indexers.md).
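Review bot: the link text "Assign an Azure admin role on SQL" in the changed bullet is now inconsistent with the sentence that follows it, which (correctly, after this rename) says you must be a "Microsoft Entra admin" for the server. The admin being assigned here is the Microsoft Entra admin for SQL Database or SQL Managed Instance, not an Azure RBAC role, so suggest "Assign a Microsoft Entra admin on SQL" for the link text to match.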
Follow the below steps to assign the search service or user-assigned managed ide
![Connect to Visual Studio](./media/search-managed-identities/connect-with-visual-studio.png "Connect to Visual Studio")
-2. Authenticate with your Azure AD account
+2. Authenticate with your Microsoft Entra account
![Authenticate](./media/search-managed-identities/visual-studio-authenticate.png "Authenticate")
search Search Howto Managed Identities Storage https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-howto-managed-identities-storage.md
This article explains how to set up an indexer connection to an Azure Storage account using a managed identity instead of providing credentials in the connection string.
-You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Azure Active Directory logins and require Azure role assignments to access data in Azure Storage.
+You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Microsoft Entra logins and require Azure role assignments to access data in Azure Storage.
> [!NOTE] > If storage is network-protected and in the same region as your search service, you must use a system-assigned managed identity and either one of the following network options: [connect as a trusted service](search-indexer-howto-access-trusted-service-exception.md), or [connect using the resource instance rule](../storage/common/storage-network-security.md#grant-access-from-azure-resource-instances).
You can use a system-assigned managed identity or a user-assigned managed identi
* You should be familiar with [indexer concepts](search-indexer-overview.md) and [configuration](search-howto-indexing-azure-blob-storage.md). > [!TIP]
-> For a code example in C#, see [Index Data Lake Gen2 using Azure AD](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/master/data-lake-gen2-acl-indexing/README.md) on GitHub.
+> For a code example in C#, see [Index Data Lake Gen2 using Microsoft Entra ID](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/master/data-lake-gen2-acl-indexing/README.md) on GitHub.
## Create the data source
Azure storage accounts can be further secured using firewalls and virtual networ
* [Azure Blob indexer](search-howto-indexing-azure-blob-storage.md) * [Azure Data Lake Storage Gen2 indexer](search-howto-index-azure-data-lake-storage.md) * [Azure Table indexer](search-howto-indexing-azure-tables.md)
-* [C# Example: Index Data Lake Gen2 using Azure AD (GitHub)](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/master/data-lake-gen2-acl-indexing/README.md)
+* [C# Example: Index Data Lake Gen2 using Microsoft Entra ID (GitHub)](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/master/data-lake-gen2-acl-indexing/README.md)
search Search Index Azure Sql Managed Instance With Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-index-azure-sql-managed-instance-with-managed-identity.md
Last updated 02/17/2023
This article describes how to set up an Azure Cognitive Search indexer connection to [SQL Managed Instance](/azure/azure-sql/managed-instance/sql-managed-instance-paas-overview) using a managed identity instead of providing credentials in the connection string.
-You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Azure AD logins and require Azure role assignments to access data in SQL Managed Instance.
+You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Microsoft Entra logins and require Azure role assignments to access data in SQL Managed Instance.
Before learning more about this feature, it is recommended that you have an understanding of what an indexer is and how to set up an indexer for your data source. More information can be found at the following links:
Before learning more about this feature, it is recommended that you have an unde
* [Create a managed identity](search-howto-managed-identities-data-sources.md) for your search service.
-* Azure AD admin role on SQL Managed Instance:
+* Microsoft Entra admin role on SQL Managed Instance:
- To assign read permissions on SQL Managed Instance, you must be an Azure Global Admin with a SQL Managed Instance. See [Configure and manage Azure AD authentication with SQL Managed Instance](/azure/azure-sql/database/authentication-aad-configure) and follow the steps to provision an Azure AD admin (SQL Managed Instance).
+ To assign read permissions on SQL Managed Instance, you must be an Azure Global Admin with a SQL Managed Instance. See [Configure and manage Microsoft Entra authentication with SQL Managed Instance](/azure/azure-sql/database/authentication-aad-configure) and follow the steps to provision a Microsoft Entra admin (SQL Managed Instance).
* [Configure a public endpoint and network security group in SQL Managed Instance](search-howto-connecting-azure-sql-mi-to-azure-search-using-indexers.md) to allow connections from Azure Cognitive Search. If your Azure SQL Managed Instance is configured for private connections, [create a shared private link](search-indexer-how-to-access-private-sql.md) in Cognitive Search to allow the connection.
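Review bot: the changed line still says "you must be an Azure Global Admin with a SQL Managed Instance" while renaming "Azure AD admin" to "Microsoft Entra admin" in the same sentence. Global Administrator is a Microsoft Entra directory role rather than an Azure role, so for consistency with the rename suggest "Microsoft Entra Global Administrator" (or the precise directory role the linked configure page requires).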
Follow these steps to assign the search service system managed identity permissi
- [Configure a point-to-site connection from on-premises](/azure/azure-sql/managed-instance/point-to-site-p2s-configure) - [Configure an Azure VM](/azure/azure-sql/managed-instance/connect-vm-instance-configure)
-1. Authenticate with your Azure AD account.
+1. Authenticate with your Microsoft Entra account.
:::image type="content" source="./media/search-index-azure-sql-managed-instance-with-managed-identity/sql-login.png" alt-text="Showing screenshot of the Connect to Server dialog.":::
In this step you will give your Azure Cognitive Search service permission to rea
4. Select **Reader** role.
-1. Leave **Assign access to** as **Azure AD user, group or service principal**.
+1. Leave **Assign access to** as **Microsoft Entra user, group or service principal**.
1. If you're using a system-assigned managed identity, search for your search service, then select it. If you're using a user-assigned managed identity, search for the name of the user-assigned managed identity, then select it. Select **Save**. Example for SQL Managed Instance using a system-assigned managed identity:
search Search Indexer Howto Access Trusted Service Exception https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-indexer-howto-access-trusted-service-exception.md
In Azure Cognitive Search, indexers that access Azure blobs can use the [trusted
## Check permissions
-A system managed identity is an Azure AD login. The assignment needs **Storage Blob Data Reader** at a minimum.
+A system managed identity is a Microsoft Entra login. The assignment needs **Storage Blob Data Reader** at a minimum.
1. In the left navigation pane under **Access Control**, view all role assignments and make sure that **Storage Blob Data Reader** is assigned to the search service system identity.
The easiest way to test the connection is by running the Import data wizard.
+ [Connect to other Azure resources using a managed identity](search-howto-managed-identities-data-sources.md) + [Azure Blob indexer](search-howto-indexing-azure-blob-storage.md) + [Azure Data Lake Storage Gen2 indexer](search-howto-index-azure-data-lake-storage.md)
-+ [Authenticate with Azure Active Directory](/azure/architecture/framework/security/design-identity-authentication)
-+ [About managed identities (Azure Active Directory)](../active-directory/managed-identities-azure-resources/overview.md)
++ [Authenticate with Microsoft Entra ID](/azure/architecture/framework/security/design-identity-authentication)++ [About managed identities (Microsoft Entra ID)](../active-directory/managed-identities-azure-resources/overview.md)
search Search Indexer Securing Resources https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-indexer-securing-resources.md
There are two options for supporting data access using the system identity:
- Configure a [resource instance rule](../storage/common/storage-network-security.md#grant-access-from-azure-resource-instances) in Azure Storage that admits inbound requests from an Azure resource.
-The above options depend on Azure Active Directory for authentication, which means that the connection must be made with an Azure AD login. Currently, only a Cognitive Search [system-assigned managed identity](search-howto-managed-identities-data-sources.md#create-a-system-managed-identity) is supported for same-region connections through a firewall.
+The above options depend on Microsoft Entra ID for authentication, which means that the connection must be made with a Microsoft Entra login. Currently, only a Cognitive Search [system-assigned managed identity](search-howto-managed-identities-data-sources.md#create-a-system-managed-identity) is supported for same-region connections through a firewall.
### Services in different regions
search Search Indexer Troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-indexer-troubleshooting.md
If your SQL database is on a [serverless compute tier](/azure/azure-sql/database
If the database is paused, the first login from your search service is expected to auto-resume the database, but returning an error stating that the database is unavailable with error code 40613. After the database is running, retry the login to establish connectivity.
-## Azure Active Directory Conditional Access policies
+<a name='azure-active-directory-conditional-access-policies'></a>
-When creating a SharePoint indexer, you will go through a step that requires you to sign in to your Azure AD app after providing a device code. If you receive a message that says `"Your sign-in was successful but your admin requires the device requesting access to be managed"` the indexer is likely being blocked from accessing the SharePoint document library due to a [Conditional Access](../active-directory/conditional-access/overview.md) policy.
+## Microsoft Entra Conditional Access policies
+
+When creating a SharePoint indexer, you will go through a step that requires you to sign in to your Microsoft Entra app after providing a device code. If you receive a message that says `"Your sign-in was successful but your admin requires the device requesting access to be managed"` the indexer is likely being blocked from accessing the SharePoint document library due to a [Conditional Access](../active-directory/conditional-access/overview.md) policy.
To update the policy to allow the indexer access to the document library, follow the below steps:
-1. Open the Azure portal and search **Azure AD Conditional Access**, then select **Policies** on the left menu. If you don't have access to view this page, you need to either find someone who has access or get access.
+1. Open the Azure portal and search **Microsoft Entra Conditional Access**, then select **Policies** on the left menu. If you don't have access to view this page, you need to either find someone who has access or get access.
1. Determine which policy is blocking the SharePoint indexer from accessing the document library. The policy that might be blocking the indexer includes the user account that you used to authenticate during the indexer creation step in the **Users and groups** section. The policy also might have **Conditions** that: * Restrict **Windows** platforms.
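Review bot: the added `<a name='azure-active-directory-conditional-access-policies'></a>` anchor keeps existing deep links to the renamed heading working, which is the right call; the only point is that the explanatory sentence after it still tells readers who lack access to the Conditional Access policies page to "either find someone who has access or get access", which reads as a placeholder. Suggest naming the role needed (for example, Conditional Access Administrator) or linking to the page that documents it, so the step is actionable.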
search Search Manage Rest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-manage-rest.md
All of the Management REST APIs have examples. If a task isn't covered in this a
## Create a security principal
-Management REST API calls are authenticated through Azure Active Directory (Azure AD). You'll need a security principal for your REST client, along with permissions to create and configure a resource. This section explains how to create a security principal and assign a role.
+Management REST API calls are authenticated through Microsoft Entra ID. You'll need a security principal for your REST client, along with permissions to create and configure a resource. This section explains how to create a security principal and assign a role.
> [!NOTE] > The following steps are borrowed from the [Azure REST APIs with Postman](https://blog.jongallant.com/2021/02/azure-rest-apis-postman-2021/) blog post.
The following steps are from [this blog post](https://blog.jongallant.com/2021/0
| Variable | Description | |-|-|
- | clientId | Provide the previously generated "appID" that you created in Azure AD. |
+ | clientId | Provide the previously generated "appID" that you created in Microsoft Entra ID. |
| clientSecret | Provide the "password" that was created for your client. | | tenantId | Provide the "tenant" that was returned in the previous step. | | subscriptionId | Provide the subscription ID for your subscription. |
search Search Query Create https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-query-create.md
Last updated 10/09/2023
-# How to create a full-text query in Azure Cognitive Search
+# Create a full-text query in Azure Cognitive Search
If you're building a query for [full text search](search-lucene-query-architecture.md), this article provides steps for setting up the request. It also introduces a query structure, and explains how field attributes and linguistic analyzers can impact query outcomes.
search Search Query Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-query-overview.md
Azure Cognitive Search supports query constructs for a broad range of scenarios,
## Types of queries
-| Query form | Parameter | Searchable content | Description |
+| Query form | Searchable content | Description |
||--|-|
-| [full text search](search-lucene-query-architecture.md) | `search` | Inverted indexes of tokenized terms. | Full text queries iterate over inverted indexes that are structured for fast scans, where a match can be found in potentially any field, within any number of search documents. Text is analyzed and tokenized for full text search.|
-| [Vector search](vector-search-overview.md) | `vectors` | Vector indexes of generated embeddings. | Vector queries iterate over vector fields in a search index. |
-| [Hybrid search](hybrid-search-overview.md) | `search`, `vectors` | All of the above, in a single search index. | Combines text search and vector search in a single query request. Text search works on plain text content in "searchable" and "filterable" fields. Vector search works on content in vector fields. |
-| Others | `filters`, `facets`, `search=''&queryType=full` | Plain text and alphanumeric content.| Raw content, extracted verbatim from source documents, supporting filters and pattern matching queries like geo-spatial search, fuzzy search, and fielded search. |
+| [full text search](search-lucene-query-architecture.md) | Inverted indexes of tokenized terms. | Full text queries iterate over inverted indexes that are structured for fast scans, where a match can be found in potentially any field, within any number of search documents. Text is analyzed and tokenized for full text search.|
+| [Vector search](vector-search-overview.md) | Vector indexes of generated embeddings. | Vector queries iterate over vector fields in a search index. |
+| [Hybrid search](hybrid-search-overview.md) | All of the above, in a single search index. | Combines text search and vector search in a single query request. Text search works on plain text content in "searchable" and "filterable" fields. Vector search works on content in vector fields. |
+| Others | Plain text and alphanumeric content.| Raw content, extracted verbatim from source documents, supporting filters and pattern matching queries like geo-spatial search, fuzzy search, and fielded search. |
-This article brings focus to queries that work on plain text and alphanumeric content, extracted intact from original source, used for filters and other specialized query forms.
+This article brings focus to the last category: queries that work on plain text and alphanumeric content, extracted intact from original source, used for filters and other specialized query forms.
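Review bot: dropping the "Parameter" column removes the only place this table told readers which request parameter drives each query form (`search` for full text, `vectors` for vector, both for hybrid, and `filters`, `facets` or `search=''&queryType=full` for the "Others" row). Since the closing sentence now points readers to "the last category" specifically, suggest either keeping the column or folding the parameter names into the Description cell for each row. Separately, the first-column entries are inconsistently capitalized ("full text search" versus "Vector search" and "Hybrid search").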
## Autocomplete and suggested queries
search Search Security Api Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-security-api-keys.md
Best practices for using hard-coded keys in source files include:
+ During early development and proof-of-concept testing when security is looser, use sample or public data.
-+ For mature solutions or production scenarios, switch to [Azure Active Directory and role-based access](search-security-rbac.md) to eliminate the need for having hard-coded keys. Or, if you want to continue using API keys, be sure to always monitor [who has access to your API keys](#secure-api-keys) and [regenerate API keys](#regenerate-admin-keys) on a regular cadence.
++ For mature solutions or production scenarios, switch to [Microsoft Entra ID and role-based access](search-security-rbac.md) to eliminate the need for having hard-coded keys. Or, if you want to continue using API keys, be sure to always monitor [who has access to your API keys](#secure-api-keys) and [regenerate API keys](#regenerate-admin-keys) on a regular cadence. ### [**Portal**](#tab/portal-use)
search Search Security Manage Encryption Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-security-manage-encryption-keys.md
The following tools and services are used in this scenario.
+ [Azure Key Vault](../key-vault/general/overview.md), you can [create a key vault using the Azure portal](../key-vault/general/quick-create-portal.md), [Azure CLI](../key-vault//general/quick-create-cli.md), or [Azure PowerShell](../key-vault//general/quick-create-powershell.md). Create the resource in the same subscription as Azure Cognitive Search. The key vault must have **soft-delete** and **purge protection** enabled.
-+ [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md). If you don't have one, [set up a new tenant](../active-directory/develop/quickstart-create-new-tenant.md).
++ [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whatis.md). If you don't have one, [set up a new tenant](../active-directory/develop/quickstart-create-new-tenant.md). You should have a search client that can create the encrypted object. Into this code, you'll reference a key vault key and Active Directory registration information. This code could be a working app, or prototype code such as the [C# code sample DotNetHowToEncryptionUsingCMK](https://github.com/Azure-Samples/search-dotnet-getting-started/tree/master/DotNetHowToEncryptionUsingCMK).
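Review bot: the rename is incomplete within this bullet; the text appended to the same line still says "you'll reference a key vault key and Active Directory registration information". Suggest "Microsoft Entra app registration information" so the bullet uses one name throughout.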
Skip key generation if you already have a key in Azure Key Vault that you want t
You have several options for accessing the encryption key at run time. The simplest approach is to retrieve the key using the managed identity and permissions of your search service. You can use either a system or user-managed identity. Doing so allows you to omit the steps for application registration and application secrets, and simplifies the encryption key definition.
-Alternatively, you can create and register an Azure Active Directory application. The search service will provide the application ID on requests.
+Alternatively, you can create and register a Microsoft Entra application. The search service will provide the application ID on requests.
A managed identity enables your search service to authenticate to Azure Key Vault without storing credentials (ApplicationID or ApplicationSecret) in code. The lifecycle of this type of managed identity is tied to the lifecycle of your search service, which can only have one managed identity. For more information about how managed identities work, see [What are managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
Conditions that will prevent you from adopting this approach include:
### [**Register an app**](#tab/register-app)
-1. In the [Azure portal](https://portal.azure.com), find the Azure Active Directory resource for your subscription.
+1. In the [Azure portal](https://portal.azure.com), find the Microsoft Entra resource for your subscription.
1. On the left, under **Manage**, select **App registrations**, and then select **New registration**.
Encryption keys are added when you create an object. To add a customer-managed k
} ```
- The second example includes "accessCredentials", necessary if you registered an application in Azure AD:
+ The second example includes "accessCredentials", necessary if you registered an application in Microsoft Entra ID:
```json {
search Search Security Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-security-overview.md
You can review the [REST APIs](/rest/api/searchservice/) to understand the full
At a minimum, all inbound requests must be authenticated: + Key-based authentication is the default. Inbound requests that include a valid API key are accepted by the search service as originating from a trusted party.
-+ Alternatively, you can use Azure Active Directory and role-based access control for data plane operations.
++ Alternatively, you can use Microsoft Entra ID and role-based access control for data plane operations. Additionally, you can add [network security features](#service-access-and-authentication) to further restrict access to the endpoint. You can create either inbound rules in an IP firewall, or create private endpoints that fully shield your search service from the public internet.
The following list is a full enumeration of the outbound requests that can be ma
+ If you're using custom skills, custom skills connect to an external Azure function or app to run external code that's hosted off-service. The request for external processing is sent during skillset execution. + If you're using customer-managed keys, the service connects to an external Azure Key Vault for a customer-managed key used to encrypt and decrypt sensitive data.
-Outbound connections can be made using a resource's full access connection string that includes a key or a database login, or an Azure AD login ([a managed identity](search-howto-managed-identities-data-sources.md)) if you're using Azure Active Directory.
+Outbound connections can be made using a resource's full access connection string that includes a key or a database login, or a Microsoft Entra login ([a managed identity](search-howto-managed-identities-data-sources.md)) if you're using Microsoft Entra ID.
If your Azure resource is behind a firewall, you'll need to [create rules that admit search service requests](search-indexer-howto-access-ip-restricted.md). For resources protected by Azure Private Link, you can [create a shared private link](search-indexer-howto-access-private.md) that an indexer uses to make its connection.
Internal requests are secured and managed by Microsoft. You can't configure or c
Internal traffic consists of:
-+ Service-to-service calls for tasks like authentication and authorization through Azure Active Directory, resource logging sent to Azure Monitor, and private endpoint connections that utilize Azure Private Link.
++ Service-to-service calls for tasks like authentication and authorization through Microsoft Entra ID, resource logging sent to Azure Monitor, and private endpoint connections that utilize Azure Private Link. + Requests made to Azure AI services APIs for [built-in skills](cognitive-search-predefined-skills.md). + Requests made to the machine learning models that support [semantic search](semantic-search-overview.md#availability-and-pricing).
While this solution is the most secure, using more services is an added cost so
Once a request is admitted to the search service, it must still undergo authentication and authorization that determines whether the request is permitted. Cognitive Search supports two approaches:
-+ [Azure AD authentication](search-security-rbac.md) establishes the caller (and not the request) as the authenticated identity. An Azure role assignment determines the allowed operation.
++ [Microsoft Entra authentication](search-security-rbac.md) establishes the caller (and not the request) as the authenticated identity. An Azure role assignment determines the allowed operation. + [Key-based authentication](search-security-api-keys.md) is performed on the request (not the calling app or user) through an API key, where the key is a string composed of randomly generated numbers and letters that prove the request is from a trustworthy source. Keys are required on every request. Submission of a valid key is considered proof the request originates from a trusted entity.
In Azure Cognitive Search, Resource Manager is used to create or delete the serv
Content management refers to the objects created and hosted on a search service.
-+ For Azure AD authorization, [use Azure role assignments](search-security-rbac.md) to establish read-write access to your search service.
++ For Microsoft Entra authorization, [use Azure role assignments](search-security-rbac.md) to establish read-write access to your search service. + For key-based authorization, [an API key](search-security-api-keys.md) and a qualified endpoint determine access. An endpoint might be the service itself, the indexes collection, a specific index, a documents collection, or a specific document. When chained together, the endpoint, the operation (for example, a create or update request) and the type of key (admin or query) authorize access to content and operations.
If you require permissioned access over content in search results, there's a tec
| Approach | Description | |-|-| |[Security trimming based on identity filters](search-security-trimming-for-azure-search.md) | Documents the basic workflow for implementing user identity access control. It covers adding security identifiers to an index, and then explains filtering against that field to trim results of prohibited content. |
-|[Security trimming based on Azure Active Directory identities](search-security-trimming-for-azure-search-with-aad.md) | This article expands on the previous article, providing steps for retrieving identities from Azure Active Directory (Azure AD), one of the [free services](https://azure.microsoft.com/free/) in the Azure cloud platform. |
+|[Security trimming based on Microsoft Entra identities](search-security-trimming-for-azure-search-with-aad.md) | This article expands on the previous article, providing steps for retrieving identities from Microsoft Entra ID, one of the [free services](https://azure.microsoft.com/free/) in the Azure cloud platform. |
## Data residency
search Search Security Rbac https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-security-rbac.md
When you enable role-based access control in the portal, the failure mode is "ht
Use the Management REST API version 2022-09-01, [Create or Update Service](/rest/api/searchmanagement/2022-09-01/services/create-or-update), to configure your service.
-All calls to the Management REST API are authenticated through Azure Active Directory, with Contributor or Owner permissions. For help with setting up authenticated requests in Postman, see [Manage Azure Cognitive Search using REST](search-manage-rest.md).
+All calls to the Management REST API are authenticated through Microsoft Entra ID, with Contributor or Owner permissions. For help with setting up authenticated requests in Postman, see [Manage Azure Cognitive Search using REST](search-manage-rest.md).
1. Get service settings so that you can review the current configuration.
Role assignments in the portal are service-wide. If you want to [grant permissio
+ Search Index Data Contributor + Search Index Data Reader
-1. On the **Members** tab, select the Azure AD user or group identity.
+1. On the **Members** tab, select the Microsoft Entra user or group identity.
1. On the **Review + assign** tab, select **Review + assign** to assign the role.
Recall that you can only scope access to top-level resources, such as indexes, s
Use a client to test role assignments. Remember that roles are cumulative and inherited roles that are scoped to the subscription or resource group can't be deleted or denied at the resource (search service) level.
-Make sure that you [register your client application with Azure Active Directory](search-howto-aad.md) and have role assignments in place before testing access.
+Make sure that you [register your client application with Microsoft Entra ID](search-howto-aad.md) and have role assignments in place before testing access.
### [**Azure portal**](#tab/test-portal)
This approach assumes Postman as the REST client and uses a Postman collection a
| Variable | Description | |-|-|
- | clientId | Provide the previously generated "appID" that you created in Azure AD. |
+ | clientId | Provide the previously generated "appID" that you created in Microsoft Entra ID. |
| clientSecret | Provide the "password" that was created for your client. | | tenantId | Provide the "tenant" that was returned in the previous step. | | subscriptionId | Provide the subscription ID for your subscription. |
For more information on how to acquire a token for a specific environment, see [
1. Use [Azure.Identity for .NET](/dotnet/api/overview/azure/identity-readme) for token authentication. Microsoft recommends [`DefaultAzureCredential()`](/dotnet/api/azure.identity.defaultazurecredential) for most scenarios.
- + When obtaining the OAuth token, the scope is "https://search.azure.com/.default". The SDK requires the audience to be "https://search.azure.com". The ".default" is an Azure AD convention.
+ + When obtaining the OAuth token, the scope is "https://search.azure.com/.default". The SDK requires the audience to be "https://search.azure.com". The ".default" is a Microsoft Entra convention.
+ The SDK validates that the user has the "user_impersonation" scope, which must be granted by your app, but the SDK itself just asks for "https://search.azure.com/.default".
For more information on how to acquire a token for a specific environment, see [
1. Use [Azure.Identity for JavaScript](/javascript/api/overview/azure/identity-readme) for token authentication.
-1. If you're using React, use `InteractiveBrowserCredential` for Azure AD authentication to Search. See [When to use `@azure/identity`](/javascript/api/overview/azure/identity-readme?view=azure-node-latest#when-to-use&preserve-view=true) for details.
+1. If you're using React, use `InteractiveBrowserCredential` for Microsoft Entra authentication to Search. See [When to use `@azure/identity`](/javascript/api/overview/azure/identity-readme?view=azure-node-latest#when-to-use&preserve-view=true) for details.
### [**Java**](#tab/test-java)
The PowerShell example shows the JSON syntax for creating a custom role that's a
## Disable API key authentication
-API keys can't be deleted, but they can be disabled on your service if you're using the Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader roles and Azure AD authentication. Disabling API keys causes the search service to refuse all data-related requests that pass an API key in the header.
+API keys can't be deleted, but they can be disabled on your service if you're using the Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader roles and Microsoft Entra authentication. Disabling API keys causes the search service to refuse all data-related requests that pass an API key in the header.
Owner or Contributor permissions are required to disable features.
To re-enable key authentication, rerun the last request, setting "disableLocalAu
## Conditional Access
-[Conditional Access](../active-directory/conditional-access/overview.md) is a tool in Azure Active Directory used to enforce organizational policies. By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure. When accessing an Azure Cognitive Search service using role-based access control, Conditional Access can enforce organizational policies.
+[Conditional Access](../active-directory/conditional-access/overview.md) is a tool in Microsoft Entra ID used to enforce organizational policies. By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure. When accessing an Azure Cognitive Search service using role-based access control, Conditional Access can enforce organizational policies.
To enable a Conditional Access policy for Azure Cognitive Search, follow the below steps: 1. [Sign in](https://portal.azure.com) to the Azure portal.
-1. Search for **Azure AD Conditional Access**.
+1. Search for **Microsoft Entra Conditional Access**.
1. Select **Policies**.
search Search Security Trimming For Azure Search With Aad https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-security-trimming-for-azure-search-with-aad.md
Title: Security filters to trim results using Active Directory
-description: Learn how to implement security privileges at the document level for Azure Cognitive Search search results, using security filters and Azure Active Directory (AD) identities.
+description: Learn how to implement security privileges at the document level for Azure Cognitive Search search results, using security filters and Microsoft Entra identities.
# Security filters for trimming Azure Cognitive Search results using Active Directory identities
-This article demonstrates how to use Azure Active Directory (AD) security identities together with filters in Azure Cognitive Search to trim search results based on user group membership.
+This article demonstrates how to use Microsoft Entra security identities together with filters in Azure Cognitive Search to trim search results based on user group membership.
This article covers the following tasks: > [!div class="checklist"]
-> - Create Azure AD groups and users
+> - Create Microsoft Entra groups and users
> - Associate the user with the group you have created > - Cache the new groups > - Index documents with associated groups
This article covers the following tasks:
Your index in Azure Cognitive Search must have a [security field](search-security-trimming-for-azure-search.md) to store the list of group identities having read access to the document. This use case assumes a one-to-one correspondence between a securable item (such as an individual's college application) and a security field specifying who has access to that item (admissions personnel).
-You must have Azure AD administrator permissions (Owner or administrator) to create users, groups, and associations.
+You must have Microsoft Entra administrator permissions (Owner or administrator) to create users, groups, and associations.
-Your application must also be registered with Azure AD as a multi-tenant app, as described in the following procedure.
+Your application must also be registered with Microsoft Entra ID as a multi-tenant app, as described in the following procedure.
-### Register your application with Azure Active Directory
+<a name='register-your-application-with-azure-active-directory'></a>
-This step integrates your application with Azure AD for the purpose of accepting sign-ins of user and group accounts. If you aren't a tenant admin in your organization, you might need to [create a new tenant](../active-directory/develop/quickstart-create-new-tenant.md) to perform the following steps.
+### Register your application with Microsoft Entra ID
-1. In [Azure portal](https://portal.azure.com), find the Azure Active Directory tenant.
+This step integrates your application with Microsoft Entra ID for the purpose of accepting sign-ins of user and group accounts. If you aren't a tenant admin in your organization, you might need to [create a new tenant](../active-directory/develop/quickstart-create-new-tenant.md) to perform the following steps.
+
+1. In [Azure portal](https://portal.azure.com), find the Microsoft Entra tenant.
1. On the left, under **Manage**, select **App registrations**, and then select **New registration**.
This step integrates your application with Azure AD for the purpose of accepting
- **Group.ReadWrite.All** - **User.ReadWrite.All**
- Microsoft Graph provides an API that allows programmatic access to Azure AD through a REST API. The code sample for this walkthrough uses the permissions to call the Microsoft Graph API for creating groups, users, and associations. The APIs are also used to cache group identifiers for faster filtering.
+ Microsoft Graph provides an API that allows programmatic access to Microsoft Entra ID through a REST API. The code sample for this walkthrough uses the permissions to call the Microsoft Graph API for creating groups, users, and associations. The APIs are also used to cache group identifiers for faster filtering.
1. Select **Grant admin consent for tenant** to complete the consent process. ## Create users and groups
-If you're adding search to an established application, you might have existing user and group identifiers in Azure AD. In this case, you can skip the next three steps.
+If you're adding search to an established application, you might have existing user and group identifiers in Microsoft Entra ID. In this case, you can skip the next three steps.
However, if you don't have existing users, you can use Microsoft Graph APIs to create the security principals. The following code snippets demonstrate how to generate identifiers, which become data values for the security field in your Azure Cognitive Search index. In our hypothetical college admissions application, this would be the security identifiers for admissions staff.
Dictionary<Group, List<User>> groups = new Dictionary<Group, List<User>>() { { g
### Step 4: Cache the groups identifiers
-Optionally, to reduce network latency, you can cache the user-group associations so that when a search request is issued, groups are returned from the cache, saving a roundtrip to Azure AD. You can use [Azure AD Batch API](/graph/json-batching) to send a single Http request with multiple users and build the cache.
+Optionally, to reduce network latency, you can cache the user-group associations so that when a search request is issued, groups are returned from the cache, saving a roundtrip to Microsoft Entra ID. You can use [Microsoft Entra Batch API](/graph/json-batching) to send a single Http request with multiple users and build the cache.
Microsoft Graph is designed to handle a high volume of requests. If an overwhelming number of requests occur, Microsoft Graph fails the request with HTTP status code 429. For more information, see [Microsoft Graph throttling](/graph/throttling).
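Review bot: the renamed link text "Microsoft Entra Batch API" in the added line does not match its target: `/graph/json-batching` documents Microsoft Graph JSON batching, and the very next sentence already talks about Microsoft Graph throttling, so "Microsoft Graph batch API" (or "JSON batching in Microsoft Graph") would be the accurate name. While touching that line, "Http request" should be "HTTP request".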
The response includes a filtered list of documents, consisting of those that the
## Next steps
-In this walkthrough, you learned a pattern for using Azure AD sign-ins to filter documents in Azure Cognitive Search results, trimming the results of documents that don't match the filter provided on the request. For an alternative pattern that might be simpler, or to revisit other security features, see the following links.
+In this walkthrough, you learned a pattern for using Microsoft Entra sign-ins to filter documents in Azure Cognitive Search results, trimming the results of documents that don't match the filter provided on the request. For an alternative pattern that might be simpler, or to revisit other security features, see the following links.
- [Security filters for trimming results](search-security-trimming-for-azure-search.md) - [Security in Azure Cognitive Search](search-security-overview.md)
search Search Security Trimming For Azure Search https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-security-trimming-for-azure-search.md
You should get the documents back where `group_ids` contains either "group_id1"
This article described a pattern for filtering results based on user identity and the `search.in()` function. You can use this function to pass in principal identifiers for the requesting user to match against principal identifiers associated with each target document. When a search request is handled, the `search.in` function filters out search results for which none of the user's principals have read access. The principal identifiers can represent things like security groups, roles, or even the user's own identity.
-For an alternative pattern based on Azure Active Directory, or to revisit other security features, see the following links.
+For an alternative pattern based on Microsoft Entra ID, or to revisit other security features, see the following links.
* [Security filters for trimming results using Active Directory identities](search-security-trimming-for-azure-search-with-aad.md) * [Security in Azure Cognitive Search](search-security-overview.md)
search Search What Is Azure Search https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/search-what-is-azure-search.md
Key strengths include:
+ Data integration (crawlers) at the indexing layer. + AI and machine learning integration with Azure AI services, useful if you need to make unsearchable content full text-searchable.
-+ Security integration with Azure Active Directory for trusted connections, and with Azure Private Link integration to support private connections to a search index in no-internet scenarios.
++ Security integration with Microsoft Entra ID for trusted connections, and with Azure Private Link integration to support private connections to a search index in no-internet scenarios. + Linguistic and custom text analysis in 56 languages. + [Full search experience](search-features-list.md): rich query language, relevance tuning and semantic ranking, faceting, autocomplete queries and suggested results, and synonyms. + Azure scale, reliability, and world-class availability.
search Semantic How To Enable Disable https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/semantic-how-to-enable-disable.md
The free plan is capped at 1,000 queries per month. After the first 1,000 querie
To enable Semantic Search using the REST API, you can use the [Create or Update Service API](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update#searchsemanticsearch).
-Management REST API calls are authenticated through Azure Active Directory. See [Manage your Azure Cognitive Search service with REST APIs](search-manage-rest.md) for instructions on how to authenticate.
+Management REST API calls are authenticated through Microsoft Entra ID. See [Manage your Azure Cognitive Search service with REST APIs](search-manage-rest.md) for instructions on how to authenticate.
* Management REST API version 2021-04-01-Preview provides the semantic search property.
PATCH https://management.azure.com/subscriptions/{{subscriptionId}}/resourcegrou
To reverse feature enablement, or for full protection against accidental usage and charges, you can disable semantic search using the [Create or Update Service API](/rest/api/searchmanagement/2021-04-01-preview/services/create-or-update#searchsemanticsearch) on your search service. After the feature is disabled, any requests that include the semantic query type will be rejected.
-Management REST API calls are authenticated through Azure Active Directory. See [Manage your Azure Cognitive Search service with REST APIs](search-manage-rest.md) for instructions on how to authenticate.
+Management REST API calls are authenticated through Microsoft Entra ID. See [Manage your Azure Cognitive Search service with REST APIs](search-manage-rest.md) for instructions on how to authenticate.
```http PATCH https://management.azure.com/subscriptions/{{subscriptionId}}/resourcegroups/{{resource-group}}/providers/Microsoft.Search/searchServices/{{search-service-name}}?api-version=2021-04-01-Preview
search Service Configure Firewall https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/service-configure-firewall.md
For ping, the request will time out, but the IP address will be visible in the r
Providing IP addresses for clients ensures that the request isn't rejected outright, but for successful access to content and operations, authorization is also necessary. Use one of the following methodologies to authenticate your request: + [Key-based authentication](search-security-api-keys.md), where an admin or query API key is provided on the request
-+ [Role-based authorization](search-security-rbac.md), where the caller is a member of a security role on a search service, and the [registered app presents an OAuth token](search-howto-aad.md) from Azure Active Directory.
++ [Role-based authorization](search-security-rbac.md), where the caller is a member of a security role on a search service, and the [registered app presents an OAuth token](search-howto-aad.md) from Microsoft Entra ID. ## Next steps
search Tutorial Javascript Search Query Integration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/tutorial-javascript-search-query-integration.md
As a next step, you can extend this sample in several directions:
* Add [autocomplete](search-add-autocomplete-suggestions.md) for more typeahead. * Add or modify [facets](search-faceted-navigation.md) and [filters](search-filters.md).
-* Change the authentication and authorization model, using [Azure Active Directory](search-security-rbac.md) instead of [key-based authentication](search-security-api-keys.md).
+* Change the authentication and authorization model, using [Microsoft Entra ID](search-security-rbac.md) instead of [key-based authentication](search-security-api-keys.md).
* Change the [indexing methodology](search-what-is-data-import.md). Instead of pushing JSON to a search index, preload a blob container with the good-books dataset and [set up a blob indexer](search-howto-indexing-azure-blob-storage.md) to ingest the data. Knowing how to work with indexers gives you more options for data ingestion and [content enrichment](cognitive-search-concept-intro.md) during indexing.
search Vector Search How To Create Index https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/vector-search-how-to-create-index.md
Previously updated : 08/10/2023 Last updated : 10/10/2023 # Add vector fields to a search index
Last updated 08/10/2023
> [!IMPORTANT] > Vector search is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). It's available through the Azure portal, preview REST API, and [beta client libraries](https://github.com/Azure/cognitive-search-vector-pr#readme).
-In Azure Cognitive Search, vector data is indexed as *vector fields* in a [search index](search-what-is-an-index.md), using a *vector configuration* to specify the embedding space.
+In Azure Cognitive Search, vector data is indexed as *vector fields* in a [search index](search-what-is-an-index.md), using a *vector configuration* to specify the embedding space definition.
Follow these steps to index vector data:
Although you can add a field to an index, there's no portal (Import data wizard)
+ "Bi-directional link count" default is 4. The range is 4 to 10. Lower values should return less noise in the results. + "efConstruction" default is 400. The range is 100 to 1,000. It's the number of nearest neighbors used during indexing. + "efSearch default is 500. The range is 100 to 1,000. It's the number of nearest neighbors used during search.
- + "Similarity metric" should be "cosine" if you're using Azure OpenAI, otherwise use the similarity metric of the embedding model. Supported values are `cosine`, `dotProduct`, `euclidean`.
+ + "Similarity metric" should be "cosine" if you're using Azure OpenAI, otherwise use the similarity metric associated with the embedding model your're using. Supported values are `cosine`, `dotProduct`, `euclidean`.
- If you're familiar with HNSW parameters, you might be wondering about how to set the "k" number of nearest neighbors to return in the result. In Cognitive Search, that value is set on the [query request](vector-search-how-to-query.md).
+ If you're familiar with HNSW parameters, you might be wondering about how to set the `"k"` number of nearest neighbors to return in the result. In Cognitive Search, that value is set on the [query request](vector-search-how-to-query.md).
1. Select **Save** to save the vector configuration and the field definition.
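Review bot: the added similarity-metric bullet contains the typo "your're" ("the embedding model you're using"). The unchanged "efSearch" bullet in the same list is also missing its closing quote (`"efSearch default is 500` should read `"efSearch" default is 500`), which is worth fixing in the same change since the list is being edited anyway.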
In the following REST API example, "title" and "content" contain textual content
} ```
+ **Key points**:
+
+ + Name the configuration. The name must be unique within the index.
+ + "hnsw" is the Approximate Nearest Neighbors (ANN) algorithm used to create the proximity graph during indexing. Currently, only Hierarchical Navigable Small World (HNSW) is supported.
+ + "m" (bi-directional link count) default is 4. The range is 4 to 10. Lower values should return less noise in the results.
+ + "efConstruction" default is 400. The range is 100 to 1,000. It's the number of nearest neighbors used during indexing.
+ + "efSearch default is 500. The range is 100 to 1,000. It's the number of nearest neighbors used during search.
+ + "metric" should be "cosine" if you're using Azure OpenAI, otherwise use the similarity metric associated with the embedding model your're using. Supported values are `cosine`, `dotProduct`, `euclidean`.
+ 1. Add vector fields to the fields collection. You can store one generated embedding per document field. For each vector field: + Assign the `Collection(Edm.Single)` data type.
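Review bot: the new Key points list repeats the two defects from the portal list above: the typo "your're" in the "metric" bullet and the unclosed quote in `"efSearch default is 500`. Because these six bullets restate the portal parameter descriptions almost word for word, consider keeping the parameter descriptions in one place, or at least fix both copies together so they don't drift.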
search Vector Search How To Query https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/search/vector-search-how-to-query.md
Previously updated : 08/10/2023 Last updated : 10/10/2023
-# How to query vector data in a search index
+# Create a vector query in Azure Cognitive Search
> [!IMPORTANT] > Vector search is in public preview under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). It's available through the Azure portal, preview REST API, and [beta client libraries](https://github.com/Azure/cognitive-search-vector-pr#readme).
Last updated 08/10/2023
In Azure Cognitive Search, if you added vector fields to a search index, this article explains how to: > [!div class="checklist"]
-> + [Query vector fields](#query-syntax-for-vector-search).
-> + [Filter and query vector fields](#filter-and-vector-queries)
-> + [Combine vector, full text search, and semantic search in a hybrid query](#query-syntax-for-hybrid-search).
-> + [Query multiple vector fields at once](#query-syntax-for-vector-query-over-multiple-fields).
-> + [Run multiple vector queries in parallel](#query-syntax-for-multiple-vector-queries).
+> + [Query vector fields](#vector-query-request).
+> + [Filter a vector query](#vector-query-with-filter)
+> + [Query multiple vector fields at once](#multiple-vector-fields).
+> + [Run multiple vector queries in parallel](#multiple-vector-queries).
Code samples in the [cognitive-search-vector-pr](https://github.com/Azure/cognitive-search-vector-pr) repository demonstrate end-to-end workflows that include schema definition, vectorization, indexing, and queries.
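Review bot: the checklist drops the "Combine vector, full text search, and semantic search in a hybrid query" item, and the matching "Query syntax for hybrid search" section is deleted further down in this file, so the article no longer points readers at hybrid queries at all. If that content moved to a separate article, add a link to it here (and where the section used to be) so readers arriving via the old `#query-syntax-for-hybrid-search` anchor can find it.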
Code samples in the [cognitive-search-vector-pr](https://github.com/Azure/cognit
+ Use REST API version **2023-07-01-Preview**, the [beta client libraries](https://github.com/Azure/cognitive-search-vector-pr/tree/main), or Search Explorer in the Azure portal.
-+ (Optional) If you want to also use [semantic search (preview)](semantic-search-overview.md) and vector search together, your search service must be Basic tier or higher, with [semantic search enabled](semantic-how-to-enable-disable.md).
- ## Limitations Cognitive Search doesn't provide built-in vectorization of the query input string. Encoding (text-to-vector) of the query string requires that you pass the query string to an embedding model for vectorization. You would then pass the response to the search engine for similarity search over vector fields.
-All results are returned in plain text, including vectors. If you use Search Explorer in the Azure portal to query an index that contains vectors, the numeric vectors are returned in plain text. Because numeric vectors aren't useful in search results, choose other fields in the index as a proxy for the vector match. For example, if an index has "descriptionVector" and "descriptionText" fields, the query can match on "descriptionVector" but the search result shows "descriptionText". Use the `select` parameter to specify only human-readable fields in the results.
+All results are returned in plain text, including vectors. If you use Search Explorer in the Azure portal to query an index that contains vectors, the numeric vectors are returned in plain text. Because numeric vectors aren't useful in search results, choose other fields in the index as a proxy for the vector match. For example, if an index has "descriptionVector" and "descriptionText" fields, the query can match on "descriptionVector" but the search result can show "descriptionText". Use the `select` parameter to specify only human-readable fields in the results.
## Check your index for vector fields
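Review bot: the removed line bundles the "## Limitations" heading together with the paragraph that follows it ("Cognitive Search doesn't provide built-in vectorization of the query input string..."). Confirm that the heading and that limitation are meant to go and not only the optional semantic-search prerequisite above them; as the hunk stands, the surviving paragraph about vectors being returned in plain text loses its section heading and falls under the prerequisites.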
The actual response for this POST call to the deployment model includes 1536 emb
} ```
-## Query syntax for vector search
+## Vector query request
You can use the Azure portal, REST APIs, or the beta packages of the Azure SDKs to query vectors.
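Review bot: renaming the heading from "Query syntax for vector search" to "Vector query request" changes its anchor from `#query-syntax-for-vector-search` to `#vector-query-request`, and the same applies to the other renamed headings in this file ("Vector query response", "Vector query with filter"). Existing deep links to the old anchors will break unless a redirect is kept. Consider inserting `<a name='query-syntax-for-vector-search'></a>` before the new heading, the way the Microsoft Entra registration section in search-security-trimming-for-azure-search-with-aad.md preserves its old anchor.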
Be sure to the **JSON view** and formulate the query in JSON. The search bar in
### [**REST API**](#tab/rest-vector-query)
-In this vector query, which is shortened for brevity, the "value" contains the vectorized text of the query input. The "fields" property specifies which vector fields are searched. The "k" property specifies the number of nearest neighbors to return as top hits.
+In this single vector query, which is shortened for brevity, the "value" contains the vectorized text of the query input, "fields" determines which vector fields are searched, and "k" specifies the number of nearest neighbors to return.
-In the following example, the vector is a representation of this query string: `"what Azure services support full text search"`. The query request targets the "contentVector" field. The actual vector has 1536 embeddings. It's trimmed in this example for readability.
+In the following example, the vector is a representation of this query string: `"what Azure services support full text search"`. The query targets the "contentVector" field. The actual vector has 1536 embeddings. It's trimmed in this example for readability.
```http POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version=2023-07-01-Preview
api-key: {{admin-api-key}}
} ```
-The response includes 5 matches, and each result provides a search score, title, content, and category. In a similarity search, the response always includes "k" matches, even if the similarity is weak. For indexes that have fewer than "k" documents, only those number of documents will be returned.
+The response includes five matches, and each result provides a search score, title, content, and category. In a similarity search, the response always includes "k" matches, even if the similarity is weak. For indexes that have fewer than "k" documents, only those number of documents will be returned.
Notice that "select" returns textual fields from the index. Although the vector field is "retrievable" in this example, its content isn't usable as a search result, so it's often excluded in the results.
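Review bot: the grammar in the modified sentence still needs work: "only those number of documents will be returned" should read "only that number of documents is returned". Also, "the response includes five matches" and "the response always includes "k" matches" are consistent only if the request example uses "k": 5; since the request is trimmed for readability, say so explicitly so the response description does not depend on a value the reader may not see.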
-### Vector query response
+## Vector query response
Here's a modified example so that you can see the basic structure of a response from a pure vector query.
Here's a modified example so that you can see the basic structure of a response
-## Filter and vector queries
+## Vector query with filter
-A query request can include a vector query and a [filter expression](search-filters.md). Filters apply to text and numeric fields, and are useful for including or excluding search documents based on filter criteria. Although a vector field isn't filterable itself, you can attribute a text or numeric field in the same index as "filterable".
+A query request can include a vector query and a [filter expression](search-filters.md). Filters apply to "filterable" text and numeric fields, and are useful for including or excluding search documents based on filter criteria. Although a vector field isn't filterable itself, a query can include filters on other fields in the same index.
In contrast with full text search, a filter in a pure vector query is effectively processed as a post-query operation. The set of `"k"` nearest neighbors is retrieved, and then combined with the set of filtered results. As such, the value of `"k"` predetermines the surface over which the filter is applied. For `"k": 10`, the filter is applied to 10 most similar documents. For `"k": 100`, the filter iterates over 100 documents (assuming the index contains 100 documents that are sufficiently similar to the query).
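Review bot: the reworded sentence says filters apply to "filterable" text and numeric fields, but the unchanged paragraph right after it explains that in a pure vector query the filter runs after the "k" nearest neighbors are retrieved. It would help to state the consequence in the same place: a filtered pure vector query can return fewer than "k" documents, and a document outside the k nearest is never returned even when it satisfies the filter, so "k" should be sized with the filter's selectivity in mind.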
api-key: {{admin-api-key}}
> [!TIP] > If you don't have source fields with text or numeric values, check for document metadata, such as LastModified or CreatedBy properties, that might be useful in a filter.
-## Query syntax for hybrid search
-
-A hybrid query combines full text search and vector search, where the `"search"` parameter takes a query string and `"vectors.value"` takes the vector query. The search engine runs full text and vector queries in parallel. All matches are evaluated for relevance using Reciprocal Rank Fusion (RRF) and a single result set is returned in the response.
-
-Hybrid queries are useful because they add support for filters, orderby, and [semantic search](semantic-how-to-query-request.md) For example, in addition to the vector query, you could search over people or product names or titles, scenarios for which similarity search isn't a good fit.
-
-The following example is from the [Postman collection of REST APIs](https://github.com/Azure/cognitive-search-vector-pr/tree/main/demo-python) that demonstrate query configurations. It shows a complete request that includes vector search, full text search with filters, and semantic search with captions and answers. Semantic search is an optional premium feature. It's not required for vector search or hybrid search. For content that includes rich descriptive text *and* vectors, it's possible to benefit from all of the search modalities in one request.
-
-```http
-POST https://{{search-service-name}}.search.windows.net/indexes/{{index-name}}/docs/search?api-version=2023-07-01-Preview
-Content-Type: application/json
-api-key: {{admin-api-key}}
-{
- "vectors": [{
- "value": [
- -0.009154141,
- 0.018708462,
- . . .
- -0.02178128,
- -0.00086512347
- ],
- "fields": "contentVector",
- "k": 10
- }],
- "search": "what azure services support full text search",
- "select": "title, content, category",
- "queryType": "semantic",
- "semanticConfiguration": "my-semantic-config",
- "queryLanguage": "en-us",
- "captions": "extractive",
- "answers": "extractive",
- "filter": "category eq 'Databases'",
- "top": "10"
-}
-```
-
-## Query syntax for vector query over multiple fields
+## Multiple vector fields
You can set the "vectors.fields" property to multiple vector fields. For example, the Postman collection has vector fields named "titleVector" and "contentVector". A single vector query executes over both the "titleVector" and "contentVector" fields, which must have the same embedding space since they share the same query vector.
api-key: {{admin-api-key}}
} ```
-## Query syntax for multiple vector queries
+## Multiple vector queries
+
+Multi-query vector search sends multiple queries across multiple vector fields in your search index. A common example of this query request is when using models such as [CLIP](https://openai.com/research/clip) for a multi-modal vector search where the same model can vectorize image and non-image content.
-You can issue a search request containing multiple query vectors using the "vectors" query parameter. The queries execute concurrently in the search index, each one looking for similarities in the target vector fields. The result set is a union of the documents that matched both vector queries. A common example of this query request is when using models such as [CLIP](https://openai.com/research/clip) for a multi-modal vector search where the same model can vectorize image and non-image content.
+The following query example looks for similarity in both `myImageVector` and `myTextVector`, but sends in two different query embeddings respectively. This scenario is ideal for multi-modal use cases where you want to search over different embedding spaces. This query produces a result that's scored using [Reciprocal Rank Fusion (RRF)](hybrid-search-ranking.md).
+ `vectors.value` property contains the vector query generated from the embedding model used to create image and text vectors in the search index. + `vectors.fields` contains the image vectors and text vectors in the search index. This is the searchable data.
Ranking of results is computed by either:
Azure OpenAI embedding models use cosine similarity, so if you're using Azure OpenAI embedding models, `cosine` is the recommended metric. Other supported ranking metrics include `euclidean` and `dotProduct`.
-Multiple sets are created if the query targets multiple vector fields, or if the query is a hybrid of vector and full text search, with or without the optional semantic reranking capabilities of [semantic search](semantic-search-overview.md). Within vector search, a vector query can only target one internal vector index. So for [multiple vector fields](#query-syntax-for-vector-query-over-multiple-fields) and [multiple vector queries](#query-syntax-for-multiple-vector-queries), the search engine generates multiple queries that target the respective vector indexes of each field. Output is a set of ranked results for each query, which are fused using RRF. For more information, see [Vector query execution and scoring](vector-search-ranking.md).
+Multiple sets are created if the query targets multiple vector fields, or if the query is a hybrid of vector and full text search, with or without the optional semantic reranking capabilities of [semantic search](semantic-search-overview.md). Within vector search, a vector query can only target one internal vector index. So for [multiple vector fields](#multiple-vector-fields) and [multiple vector queries](#multiple-vector-queries), the search engine generates multiple queries that target the respective vector indexes of each field. Output is a set of ranked results for each query, which are fused using RRF. For more information, see [Vector query execution and scoring](vector-search-ranking.md).
## Next steps
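Review bot: removing the hybrid search section (from `-## Query syntax for hybrid search` through its closing fence) also removes the only link to the Postman collection, yet the kept text under `## Multiple vector fields` still says "the Postman collection has vector fields named "titleVector" and "contentVector"", so a reader now meets "the Postman collection" with no link; either restore the link at that first mention or add a pointer to wherever the hybrid query syntax now lives. Two smaller points: the new `## Vector query with filter` text keeps the statement that the filter is applied only to the `"k"` nearest neighbors already retrieved, so it is worth saying explicitly that a filtered pure vector query can return fewer than `"k"` documents (a filter that excludes documents still excludes them, but the result count shrinks, so `"k"` must be sized with the filter in mind); and in `## Multiple vector queries` the two bullets for `vectors.value` and `vectors.fields` appear run together on one added line and should each start on their own line.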
sentinel Best Practices Workspace Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/best-practices-workspace-architecture.md
When planning your Microsoft Sentinel workspace deployment, you must also design
For more information, see [Design your Microsoft Sentinel workspace architecture](design-your-workspace-architecture.md) and [Sample workspace designs](sample-workspace-designs.md) for common scenarios, and [Pre-deployment activities and prerequisites for deploying Microsoft Sentinel](prerequisites.md).
-See our video: [Architecting SecOps for Success: Best Practices for Deploying Microsoft Sentinel](https://youtu.be/DyL9MEMhqmI)
+See our video: [Architecting SecOps for Success: Best Practices for Deploying Microsoft Sentinel](https://youtu.be/DyL9MEMhqmI).
+
+This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
## Tenancy considerations
-While fewer workspaces are simpler to manage, you may have specific needs for multiple tenants and workspaces. For example, many organizations have a cloud environment that contains multiple [Azure Active Directory (Azure AD) tenants](../active-directory/develop/quickstart-create-new-tenant.md), resulting from mergers and acquisitions or due to identity separation requirements.
+While fewer workspaces are simpler to manage, you might have specific needs for multiple tenants and workspaces. For example, many organizations have a cloud environment that contains multiple [Azure Active Directory (Azure AD) tenants](../active-directory/develop/quickstart-create-new-tenant.md), resulting from mergers and acquisitions or due to identity separation requirements.
When determining how many tenants and workspaces to use, consider that most Microsoft Sentinel features operate by using a single workspace or Microsoft Sentinel instance, and Microsoft Sentinel ingests all logs housed within the workspace.
Costs are one of the main considerations when determining Microsoft Sentinel arc
If you have multiple tenants, such as if you're a managed security service provider (MSSP), we recommend that you create at least one workspace for each Azure AD tenant to support built-in, [service to service data connectors](connect-data-sources.md#service-to-service-integration-for-data-connectors) that work only within their own Azure AD tenant.
-All connectors based on diagnostics settings cannot be connected to a workspace that is not located in the same tenant where the resource resides. This applies to connectors such as [Azure Firewall](./data-connectors/azure-firewall.md), [Azure Storage](./data-connectors/azure-storage-account.md), [Azure Activity](./data-connectors/azure-activity.md) or [Azure Active Directory](connect-azure-active-directory.md).
+All connectors based on diagnostics settings can't be connected to a workspace that isn't located in the same tenant where the resource resides. This applies to connectors such as [Azure Firewall](./data-connectors/azure-firewall.md), [Azure Storage](./data-connectors/azure-storage-account.md), [Azure Activity](./data-connectors/azure-activity.md) or [Azure Active Directory](connect-azure-active-directory.md).
Use [Azure Lighthouse](../lighthouse/how-to/onboard-customer.md) to help manage multiple Microsoft Sentinel instances in different tenants.
Use [Azure Lighthouse](../lighthouse/how-to/onboard-customer.md) to help manage
After your data is collected, stored, and processed, compliance can become an important design requirement, with a significant impact on your Microsoft Sentinel architecture. Having the ability to validate and prove who has access to what data under all conditions is a critical data sovereignty requirement in many countries and regions, and assessing risks and getting insights in Microsoft Sentinel workflows is a priority for many customers.
-In Microsoft Sentinel, data is mostly stored and processed in the same geography or region, with some exceptions, such as when using detection rules that leverage Microsoft's Machine learning. In such cases, data may be copied outside your workspace geography for processing.
+In Microsoft Sentinel, data is mostly stored and processed in the same geography or region, with some exceptions, such as when using detection rules that leverage Microsoft's Machine learning. In such cases, data might be copied outside your workspace geography for processing.
For more information, see:
To start validating your compliance, assess your data sources, and how and where
> > ## Region considerations
-Use separate Microsoft Sentinel instances for each region. While Microsoft Sentinel can be used in multiple regions, you may have requirements to separate data by team, region, or site, or regulations and controls that make multi-region models impossible or more complex than needed. Using separate instances and workspaces for each region helps to avoid bandwidth / egress costs for moving data across regions.
+Use separate Microsoft Sentinel instances for each region. While Microsoft Sentinel can be used in multiple regions, you might have requirements to separate data by team, region, or site, or regulations and controls that make multi-region models impossible or more complex than needed. Using separate instances and workspaces for each region helps to avoid bandwidth / egress costs for moving data across regions.
Consider the following when working with multiple regions: - Egress costs generally apply when the [Log Analytics or Azure Monitor agent](connect-windows-security-events.md) is required to collect logs, such as on virtual machines. -- Internet egress is also charged, which may not affect you unless you export data outside your Log Analytics workspace. For example, you may incur internet egress charges if you export your Log Analytics data to an on-premises server.
+- Internet egress is also charged, which might not affect you unless you export data outside your Log Analytics workspace. For example, you might incur internet egress charges if you export your Log Analytics data to an on-premises server.
- Bandwidth costs vary depending on the source and destination region and collection method. For more information, see:
Consider the following when working with multiple regions:
- Use templates for your analytics rules, custom queries, workbooks, and other resources to make your deployments more efficient. Deploy the templates instead of manually deploying each resource in each region. -- Connectors that are based on diagnostics settings do not incur in-bandwidth costs. For more information, see [Data transfers charges using Log Analytics](../azure-monitor/usage-estimated-costs.md#data-transfer-charges).
+- Connectors that are based on diagnostics settings don't incur in-bandwidth costs. For more information, see [Data transfers charges using Log Analytics](../azure-monitor/usage-estimated-costs.md#data-transfer-charges).
-For example, if you decide to collect logs from Virtual Machines in East US and send them to a Microsoft Sentinel workspace in West US, you'll be charged ingress costs for the data transfer. Since the Log Analytics agent compresses the data in transit, the size charged for the bandwidth may be lower than the size of the logs in Microsoft Sentinel.
+For example, if you decide to collect logs from Virtual Machines in East US and send them to a Microsoft Sentinel workspace in West US, you'll be charged ingress costs for the data transfer. Since the Log Analytics agent compresses the data in transit, the size charged for the bandwidth might be lower than the size of the logs in Microsoft Sentinel.
-If you're collecting Syslog and CEF logs from multiple sources around the world, you may want to set up a Syslog collector in the same region as your Microsoft Sentinel workspace to avoid bandwidth costs, provided that compliance is not a concern.
+If you're collecting Syslog and CEF logs from multiple sources around the world, you might want to set up a Syslog collector in the same region as your Microsoft Sentinel workspace to avoid bandwidth costs, provided that compliance isn't a concern.
Understanding whether bandwidth costs justify separate Microsoft Sentinel workspaces depend on the volume of data you need to transfer between regions. Use the [Azure Pricing Calculator](https://azure.microsoft.com/pricing/details/bandwidth/) to estimate your costs.
For more information, see [Data residency in Azure](https://azure.microsoft.com/
## Access considerations
-You may have situations planned where different teams will need access to the same data. For example, your SOC team must have access to all Microsoft Sentinel data, while operations and applications teams will need access to only specific parts. Independent security teams may also need to access Microsoft Sentinel features, but with varying sets of data.
+You might have situations planned where different teams will need access to the same data. For example, your SOC team must have access to all Microsoft Sentinel data, while operations and applications teams will need access to only specific parts. Independent security teams might also need to access Microsoft Sentinel features, but with varying sets of data.
Combine [resource-context RBAC](resource-context-rbac.md) and [table-level RBAC](../azure-monitor/logs/manage-access.md#set-table-level-read-access) to provide your teams with a wide range of access options that should support most use cases.
In this image, the Microsoft Sentinel workspace is placed in a separate subscrip
> > In addition to the security subscription, a separate subscription is used for the applications teams to host their workloads. The applications teams are granted access to their respective resource groups, where they can manage their resources. This separate subscription and resource-context RBAC allows these teams to view logs generated by any resources they have access to, even when the logs are stored in a workspace where they *don't* have direct access. The applications teams can access their logs via the **Logs** area of the Azure portal, to show logs for a specific resource, or via Azure Monitor, to show all of the logs they can access at the same time.
-Azure resources have built-in support for resource-context RBAC, but may require additional fine-tuning when working with non-Azure resources. For more information, see [Explicitly configure resource-context RBAC](resource-context-rbac.md#explicitly-configure-resource-context-rbac).
+Azure resources have built-in support for resource-context RBAC, but might require additional fine-tuning when working with non-Azure resources. For more information, see [Explicitly configure resource-context RBAC](resource-context-rbac.md#explicitly-configure-resource-context-rbac).
### Table-level RBAC
For example, consider if the organization whose architecture is described in the
If you have different entities, subsidiaries, or geographies within your organization, each with their own security teams that need access to Microsoft Sentinel, use separate workspaces for each entity or subsidiary. Implement the separate workspaces within a single Azure AD tenant, or across multiple tenants using Azure Lighthouse.
-Your central SOC team may also use an additional, optional Microsoft Sentinel workspace to manage centralized artifacts such as analytics rules or workbooks.
+Your central SOC team might also use an additional, optional Microsoft Sentinel workspace to manage centralized artifacts such as analytics rules or workbooks.
For more information, see [Simplify working with multiple workspaces](#simplify-working-with-multiple-workspaces).
Use the following best practice guidance when creating the Log Analytics workspa
- **When naming your workspace**, include *Microsoft Sentinel* or some other indicator in the name, so that it's easily identified among your other workspaces. -- **Use the same workspace for both Microsoft Sentinel and Microsoft Defender for Cloud**, so that all logs collected by Microsoft Defender for Cloud can also be ingested and used by Microsoft Sentinel. The default workspace created by Microsoft Defender for Cloud will not appear as an available workspace for Microsoft Sentinel.
+- **Use the same workspace for both Microsoft Sentinel and Microsoft Defender for Cloud**, so that all logs collected by Microsoft Defender for Cloud can also be ingested and used by Microsoft Sentinel. The default workspace created by Microsoft Defender for Cloud won't appear as an available workspace for Microsoft Sentinel.
- **Use a dedicated workspace cluster if your projected data ingestion is around or more than 1 TB per day**. A [dedicated cluster](../azure-monitor/logs/logs-dedicated-clusters.md) enables you to secure resources for your Microsoft Sentinel data, which enables better query performance for large data sets. Dedicated clusters also provide the option for more encryption and control of your organization's keys.
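Review bot: the rewritten sentence `+All connectors based on diagnostics settings can't be connected to a workspace that isn't located in the same tenant where the resource resides.` stacks two negatives; a positive statement is clearer, for example `Connectors based on diagnostic settings can only send to a workspace in the same tenant as the resource.` Two further wording issues in this file: `+- Connectors that are based on diagnostics settings don't incur in-bandwidth costs` reads oddly and should say `inbound (ingress) bandwidth costs`, matching the `ingress costs` wording in the East US / West US example below it; and the unchanged line `Understanding whether bandwidth costs justify separate Microsoft Sentinel workspaces depend on the volume of data` needs `depends`.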
sentinel Billing https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/billing.md
Before you add any resources for Microsoft Sentinel, use the [Azure pricing calc
Costs for Microsoft Sentinel are only a portion of the monthly costs in your Azure bill. Although this article explains how to plan costs and understand the billing for Microsoft Sentinel, you're billed for all Azure services and resources your Azure subscription uses, including Partner services.
+This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
+ ## Free trial Enable Microsoft Sentinel on an Azure Monitor Log Analytics workspace and the first 10 GB/day is free for 31 days. The cost for both Log Analytics data ingestion and Microsoft Sentinel analysis charges up to the 10 GB/day limit are waived during the 31-day trial period. This free trial is subject to a 20 workspace limit per Azure tenant.
There are two ways to pay for the analytics logs: **Pay-As-You-Go** and **Commit
- Log Analytics and Microsoft Sentinel have **Commitment Tier** pricing, formerly called Capacity Reservations. These pricing tiers are combined into simplified pricing tiers which are more predictable and offer substantial savings compared to **Pay-As-You-Go** pricing.
- **Commitment Tier** pricing starts at 100 GB/day. Any usage above the commitment level is billed at the Commitment Tier rate you selected. For example, a Commitment Tier of 100 GB bills you for the committed 100 GB data volume, plus any extra GB/day at the discounted rate for that tier.
+ **Commitment Tier** pricing starts at 100 GB/day. Any usage above the commitment level is billed at the Commitment Tier rate you selected. For example, a Commitment Tier of 100-GB bills you for the committed 100-GB data volume, plus any extra GB/day at the discounted rate for that tier.
Increase your commitment tier anytime to optimize costs as your data volume increases. Lowering the commitment tier is only allowed every 31 days. To see your current Microsoft Sentinel pricing tier, select **Settings** in Microsoft Sentinel, and then select the **Pricing** tab. Your current pricing tier is marked as **Current tier**.
Learn how to [view and download your Azure bill](../cost-management-billing/unde
## Costs and pricing for other services
-Microsoft Sentinel integrates with many other Azure services, including Azure Logic Apps, Azure Notebooks, and bring your own machine learning (BYOML) models. Some of these services may have extra charges. Some of Microsoft Sentinel's data connectors and solutions use Azure Functions for data ingestion, which also has a separate associated cost.
+Microsoft Sentinel integrates with many other Azure services, including Azure Logic Apps, Azure Notebooks, and bring your own machine learning (BYOML) models. Some of these services might have extra charges. Some of Microsoft Sentinel's data connectors and solutions use Azure Functions for data ingestion, which also has a separate associated cost.
Learn about pricing for these
Learn more about how to [connect data sources](connect-data-sources.md), includi
- [Monitor costs for Microsoft Sentinel](billing-monitor-costs.md) - [Reduce costs for Microsoft Sentinel](billing-reduce-costs.md)-- Learn [how to optimize your cloud investment with Azure Cost Management](../cost-management-billing/costs/cost-mgt-best-practices.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).
+- Learn [how to optimize your cloud investment with Microsoft Cost Management](../cost-management-billing/costs/cost-mgt-best-practices.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).
- Learn more about managing costs with [cost analysis](../cost-management-billing/costs/quick-acm-cost-analysis.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). - Learn about how to [prevent unexpected costs](../cost-management-billing/understand/analyze-unexpected-charges.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). - Take the [Cost Management](/training/paths/control-spending-manage-bills?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) guided learning course.
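Review bot: the hyphenation change in `+ **Commitment Tier** pricing starts at 100 GB/day ... a Commitment Tier of 100-GB bills you for the committed 100-GB data volume` is inconsistent within one sentence: `100-GB` is correct as a compound modifier in `100-GB data volume` but not as a stand-alone noun phrase in `a Commitment Tier of 100-GB`, and the line still opens with `100 GB/day`; suggest `a Commitment Tier of 100 GB bills you for the committed 100-GB data volume`. Also, the added `## Free trial` heading shows on the same line as the paragraph that follows it; confirm the heading is on its own line in the source file, otherwise it will not render as a heading.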
sentinel Configure Content https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/configure-content.md
# Configure Microsoft Sentinel content
-In the previous deployment step, you enabled Microsoft Sentinel, health monitoring, and the required solutions. In this article, you learn how to configure the different types of Microsoft Sentinel security content, which allow you to detect, monitor, and respond to security threats across your systems.
+In the previous deployment step, you enabled Microsoft Sentinel, health monitoring, and the required solutions. In this article, you learn how to configure the different types of Microsoft Sentinel security content, which allow you to detect, monitor, and respond to security threats across your systems. This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
## Configure your security content
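Review bot: the sentence `This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).` is appended to the end of the intro paragraph here, and likewise in configure-data-retention-archive.md, whereas in best-practices-workspace-architecture.md and billing.md the same sentence is added as its own paragraph; pick one placement for the whole deployment-guide series so the cross-reference reads consistently from article to article.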
sentinel Configure Data Retention Archive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/configure-data-retention-archive.md
# Configure data retention and archive in Microsoft Sentinel
-In the previous deployment step, you enabled the User and Entity Behavior Analytics (UEBA) feature to streamline your analysis process. In this article, you learn how to set up data retention and archive, to make sure your organization retains the data that's important in the long term.
+In the previous deployment step, you enabled the User and Entity Behavior Analytics (UEBA) feature to streamline your analysis process. In this article, you learn how to set up data retention and archive, to make sure your organization retains the data that's important in the long term. This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
## Configure data retention and archive
sentinel Deploy Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/deploy-overview.md
Title: Deploy Microsoft Sentinel
-description: Learn about the steps for deploying Microsoft Sentinel.
--
+ Title: Deployment guide for Microsoft Sentinel
+description: Learn about the steps to deploy Microsoft Sentinel including the phases to plan and prepare, deploy, and fine tune.
++ Previously updated : 07/05/2023 Last updated : 08/23/2023+
-# Deploy Microsoft Sentinel
-This article introduces the activities that help you deploy Microsoft Sentinel. To plan for your deployment, review the [plan and prepare overview](prerequisites.md).
+# Deployment guide for Microsoft Sentinel
-The deployment phase is typically performed by a SOC analyst or related roles.
+This article introduces the activities that help you plan, deploy, and fine tune your Microsoft Sentinel deployment.
+
+## Plan and prepare overview
+
+This section introduces the activities and prerequisites that help you plan and prepare before deploying Microsoft Sentinel.
+
+The plan and prepare phase is typically performed by a SOC architect or related roles.
+
+| Step | Details |
+| | - |
+| **1. Plan and prepare overview and prerequisites** | Review the [Azure tenant prerequisites](prerequisites.md). |
+| **2. Plan workspace architecture** | Design your Microsoft Sentinel workspace. Consider parameters such as:<br><br>- Whether you'll use a single tenant or multiple tenants<br>- Any compliance requirements you have for data collection and storage<br>- How to control access to Microsoft Sentinel data<br><br>Review these articles:<br><br>1. [Review best practices](best-practices-workspace-architecture.md)<br>2. [Design workspace architecture](design-your-workspace-architecture.md)<br>3. [Review sample workspace designs](sample-workspace-designs.md)<br>4. [Prepare for multiple workspaces](prepare-multiple-workspaces.md) |
+| **3. [Prioritize data connectors](prioritize-data-connectors.md)** | Determine which data sources you need and the data size requirements to help you accurately project your deployment's budget and timeline.<br><br>You might determine this information during your business use case review, or by evaluating a current SIEM that you already have in place. If you already have a SIEM in place, analyze your data to understand which data sources provide the most value and should be ingested into Microsoft Sentinel. |
+| **4. [Plan roles and permissions](roles.md)** |Use Azure role based access control (RBAC) to create and assign roles within your security operations team to grant appropriate access to Microsoft Sentinel. The different roles give you fine-grained control over what Microsoft Sentinel users can see and do. Azure roles can be assigned in the Microsoft Sentinel workspace directly, or in a subscription or resource group that the workspace belongs to, which Microsoft Sentinel inherits. |
+| **5. [Plan costs](billing.md)** |Start planning your budget, considering cost implications for each planned scenario.<br><br> Make sure that your budget covers the cost of data ingestion for both Microsoft Sentinel and Azure Log Analytics, any playbooks that will be deployed, and so on. |
## Deployment overview
+The deployment phase is typically performed by a SOC analyst or related roles.
+ | Step | Details | | | - |
-| **1. Deployment overview** | **YOU ARE HERE** |
-| [**2. Enable Microsoft Sentinel, health and audit, and content**](enable-sentinel-features-content.md) | Enable Microsoft Sentinel, enable the health and audit feature, and enable the solutions and content you've identified according to your organization's needs. |
-| [**3. Configure content**](configure-content.md) | Configure the different types of Microsoft Sentinel security content, which allow you to detect, monitor, and respond to security threats across your systems: Data connectors, analytics rules, automation rules, playbooks, workbooks, and watchlists. |
-| [**4. Set up a cross-workspace architecture**](use-multiple-workspaces.md) |If your environment requires multiple workspaces, you can now set them up as part of your deployment. In this article, you learn how to set up Microsoft Sentinel to extend across multiple workspaces and tenants. |
-| [**5. Enable User and Entity Behavior Analytics (UEBA)**](enable-entity-behavior-analytics.md) | Enable and use the [UEBA](identify-threats-with-entity-behavior-analytics.md) feature to streamline the analysis process. |
-| [**6. Set up data retention and archive**](configure-data-retention-archive.md) |Set up data retention and archive, to make sure your organization retains the data that's important in the long term. |
+| [**1. Enable Microsoft Sentinel, health and audit, and content**](enable-sentinel-features-content.md) | Enable Microsoft Sentinel, enable the health and audit feature, and enable the solutions and content you've identified according to your organization's needs. |
+| [**2. Configure content**](configure-content.md) | Configure the different types of Microsoft Sentinel security content, which allow you to detect, monitor, and respond to security threats across your systems: Data connectors, analytics rules, automation rules, playbooks, workbooks, and watchlists. |
+| [**3. Set up a cross-workspace architecture**](use-multiple-workspaces.md) |If your environment requires multiple workspaces, you can now set them up as part of your deployment. In this article, you learn how to set up Microsoft Sentinel to extend across multiple workspaces and tenants. |
+| [**4. Enable User and Entity Behavior Analytics (UEBA)**](enable-entity-behavior-analytics.md) | Enable and use the UEBA feature to streamline the analysis process. |
+| [**5. Set up data retention and archive**](configure-data-retention-archive.md) |Set up data retention and archive, to make sure your organization retains the data that's important in the long term. |
+
+## Fine tune and review: Checklist for post-deployment
+
+Review the post-deployment checklist to helps you make sure that your deployment process is working as expected, and that the security content you deployed is working and protecting your organization according to your needs and use cases.
+
+The fine tune and review phase is typically performed by a SOC engineer or related roles.
+
+|Step |Actions |
+| | - |
+|&#x2705; **Review incidents and incident process** |- Check whether the incidents and the number of incidents you're seeing reflect what's actually happening in your environment.<br>- Check whether your SOC's incident process is working to efficiently handle incidents: Have you assigned different types of incidents to different layers/tiers of the SOC?<br><br>Learn more about how to [navigate and investigate](investigate-incidents.md) incidents and how to [work with incident tasks](work-with-tasks.md). |
+|&#x2705; **Review and fine-tune analytics rules** | - Based on your incident review, check whether your analytics rules are triggered as expected, and whether the rules reflect the types of incidents you're interested in.<br>- [Handle false positives](false-positives.md), either by using automation or by modifying scheduled analytics rules.<br>- Microsoft Sentinel provides built-in fine-tuning capabilities to help you analyze your analytics rules. [Review these built-in insights and implement relevant recommendations](detection-tuning.md). |
+|&#x2705; **Review automation rules and playbooks** |- Similar to analytics rules, check that your automation rules are working as expected, and reflect the incidents you're concerned about and are interested in.<br>- Check whether your playbooks are responding to alerts and incidents as expected. |
+|&#x2705; **Add data to watchlists** |Check that your watchlists are up to date. If any changes have occurred in your environment, such as new users or use cases, [update your watchlists accordingly](watchlists-manage.md). |
+|&#x2705; **Review commitment tiers** | [Review the commitment tiers](billing.md#analytics-logs) you initially set up, and verify that these tiers reflect your current configuration. |
+|&#x2705; **Keep track of ingestion costs** |To keep track of ingestion costs, use one of these workbooks:<br>- The [**Workspace Usage Report** workbook](billing-monitor-costs.md#deploy-a-workbook-to-visualize-data-ingestion) provides your workspace's data consumption, cost, and usage statistics. The workbook gives the workspace's data ingestion status and amount of free and billable data. You can use the workbook logic to monitor data ingestion and costs, and to build custom views and rule-based alerts.<br>- The **Microsoft Sentinel Cost** workbook gives a more focused view of Microsoft Sentinel costs, including ingestion and retention data, ingestion data for eligible data sources, Logic Apps billing information, and more. |
+|&#x2705; **Fine-tune Data Collection Rules (DCRs)** |- Check that your [DCRs](../azure-monitor/essentials/data-collection-rule-overview.md) reflect your data ingestion needs and use cases.<br>- If needed, [implement ingestion-time transformation](data-transformation.md#filtering) to filter out irrelevant data even before it's first stored in your workspace. |
+|&#x2705; **Check analytics rules against MITRE framework** |[Check your MITRE coverage in the Microsoft Sentinel MITRE page](mitre-coverage.md): View the detections already active in your workspace, and those available for you to configure, to understand your organization's security coverage, based on the tactics and techniques from the MITRE ATT&CK® framework. |
+|&#x2705; **Hunt for suspicious activity** |Make sure that your SOC has a process in place for [proactive threat hunting](hunts.md). Hunting is a process where security analysts seek out undetected threats and malicious behaviors. By creating a hypothesis, searching through data, and validating that hypothesis, they determine what to act on. Actions can include creating new detections, new threat intelligence, or spinning up a new incident. |
+
+## Related articles
+
+In this article, you reviewed the activities in each of the phases that help you deploy Microsoft Sentinel.
+
+Depending on which phase you're in, choose the appropriate next steps:
-## Next steps
+- Plan and prepare - [Prerequisites to deploy Azure Sentinel](prerequisites.md)
+- Deploy - [Enable Microsoft Sentinel and initial features and content](enable-sentinel-features-content.md)
+- Fine tune and review - [Navigate and investigate incidents in Microsoft Sentinel](investigate-incidents.md)[Navigate and investigate incidents in Microsoft Sentinel](investigate-incidents.md)
-In this article, you reviewed the activities that help you deploy Microsoft Sentinel.
+When you're finished with your deployment of Microsoft Sentinel, continue to explore Microsoft Sentinel capabilities by reviewing tutorials that cover common tasks:
-> [!div class="nextstepaction"]
-> >[Enable Microsoft Sentinel, health and audit, and content](enable-sentinel-features-content.md)
+- [Forward Syslog data to a Log Analytics workspace with Microsoft Sentinel by using Azure Monitor Agent](forward-syslog-monitor-agent.md)
+- [Configure data retention policy](configure-data-retention.md)
+- [Detect threats using analytics rules](tutorial-log4j-detection.md)
+- [Automatically check and record IP address reputation information in incidents](tutorial-enrich-ip-information.md)
+- [Respond to threats using automation](tutorial-respond-threats-playbook.md)
+- [Extract incident entities with non-native action](tutorial-extract-incident-entities.md)
+- [Investigate with UEBA](investigate-with-ueba.md)
+- [Build and monitor Zero Trust](sentinel-solution.md)
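Review bot: the new intro to the post-deployment checklist reads "to helps you make sure that your deployment process is working" and should be "to help you make sure"; two further slips in the added Related articles list need fixing in the same change. The bullet "Plan and prepare - [Prerequisites to deploy Azure Sentinel](prerequisites.md)" uses the retired "Azure Sentinel" name and does not match the target article's new H1, "Prerequisites to deploy Microsoft Sentinel", and the "Fine tune and review" bullet repeats its link back to back, "[Navigate and investigate incidents in Microsoft Sentinel](investigate-incidents.md)[Navigate and investigate incidents in Microsoft Sentinel](investigate-incidents.md)", so one copy should be dropped. Minor: in the "Keep track of ingestion costs" row the **Microsoft Sentinel Cost** workbook is the only item without a link, while the Workspace Usage Report beside it is linked; link both or neither.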
sentinel Design Your Workspace Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/design-your-workspace-architecture.md
Last updated 06/28/2023
# Design your Microsoft Sentinel workspace architecture
-This article provides a decision tree to help you make key decisions about how to design your Microsoft Sentinel workspace architecture. For more information, see [Microsoft Sentinel sample workspace designs](sample-workspace-designs.md) and [Microsoft Sentinel workspace architecture best practices](best-practices-workspace-architecture.md).
+This article provides a decision tree to help you make key decisions about how to design your Microsoft Sentinel workspace architecture. For more information, see [Microsoft Sentinel sample workspace designs](sample-workspace-designs.md) and [Microsoft Sentinel workspace architecture best practices](best-practices-workspace-architecture.md). This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
## Prerequisites
Before working through the decision tree, make sure you have the following infor
|Prerequisite | Description | |||
-|**Regulatory requirements related to Azure data residency** | Microsoft Sentinel can run on workspaces in most, but not all regions [supported in GA for Log Analytics](https://azure.microsoft.com/global-infrastructure/services/?products=monitor). Newly supported Log Analytics regions may take some time to onboard the Microsoft Sentinel service. <br><br> Data generated by Microsoft Sentinel, such as incidents, bookmarks, and analytics rules, may contain some customer data sourced from the customer's Log Analytics workspaces.<br><br> For more information, see [Geographical availability and data residency](geographical-availability-data-residency.md).|
+|**Regulatory requirements related to Azure data residency** | Microsoft Sentinel can run on workspaces in most, but not all regions [supported in GA for Log Analytics](https://azure.microsoft.com/global-infrastructure/services/?products=monitor). Newly supported Log Analytics regions might take some time to onboard the Microsoft Sentinel service. <br><br> Data generated by Microsoft Sentinel, such as incidents, bookmarks, and analytics rules, might contain some customer data sourced from the customer's Log Analytics workspaces.<br><br> For more information, see [Geographical availability and data residency](geographical-availability-data-residency.md).|
|**Data sources** | Find out which [data sources](connect-data-sources.md) you need to connect, including built-in connectors to both Microsoft and non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog or REST-API to connect your data sources with Microsoft Sentinel. <br><br>If you have Azure VMs in multiple Azure locations that you need to collect the logs from and the saving on data egress cost is important to you, you need to calculate the data egress cost using [Bandwidth pricing calculator](https://azure.microsoft.com/pricing/details/bandwidth/#overview) for each Azure location. |
-|**User roles and data access levels/permissions** | Microsoft Sentinel uses [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md) to provide [built-in roles](../role-based-access-control/built-in-roles.md) that can be assigned to users, groups, and services in Azure. <br><br>All Microsoft Sentinel built-in roles grant read access to the data in your Microsoft Sentinel workspace. Therefore, you need to find out whether there is a need to control data access per data source or row-level as that will impact the workspace design decision. For more information, see [Custom roles and advanced Azure RBAC](roles.md#custom-roles-and-advanced-azure-rbac). |
+|**User roles and data access levels/permissions** | Microsoft Sentinel uses [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md) to provide [built-in roles](../role-based-access-control/built-in-roles.md) that can be assigned to users, groups, and services in Azure. <br><br>All Microsoft Sentinel built-in roles grant read access to the data in your Microsoft Sentinel workspace. Therefore, you need to find out whether there's a need to control data access per data source or row-level as that will impact the workspace design decision. For more information, see [Custom roles and advanced Azure RBAC](roles.md#custom-roles-and-advanced-azure-rbac). |
|**Daily ingestion rate** | The daily ingestion rate, usually in GB/day, is one of the key factors in cost management and planning considerations and workspace design for Microsoft Sentinel. <br><br>In most cloud and hybrid environments, networking devices, such as firewalls or proxies, and Windows and Linux servers produce the most ingested data. To obtain the most accurate results, Microsoft recommends an exhaustive inventory of data sources. <br><br>Alternatively, the Microsoft Sentinel [cost calculator](https://cloudpartners.transform.microsoft.com/download?assetname=assets%2FAzure_Sentinel_Calculator.xlsx&download=1) includes tables useful in estimating footprints of data sources. <br><br>**Important**: These estimates are a starting point, and log verbosity settings and workload will produce variances. We recommend that you monitor your system regularly to track any changes. Regular monitoring is recommended based on your scenario. <br><br>For more information, see [Azure Monitor Logs pricing details](../azure-monitor/logs/cost-logs.md). |
Do you have an existing workspace that you can use for Microsoft Sentinel?
<a name="note1"></a>[Decision tree note #1](#decision-tree): Logs specific to tenant boundaries, such as from Office 365 and Microsoft Defender for Cloud, can only be stored in the workspace within the same tenant.
- Although it is *possible* to use custom collectors to collect tenant-specific logs from a workspace in another tenant, we do not recommend this due to the following disadvantages:
+ Although it's *possible* to use custom collectors to collect tenant-specific logs from a workspace in another tenant, we don't recommend this due to the following disadvantages:
- Data collected by custom connectors will be ingested into custom tables. Therefore, you wonΓÇÖt be able to use all the built-in rules and workbooks.
- - Custom tables are not considered by some of the built-in features, such as UEBA and machine learning rules.
+ - Custom tables aren't considered by some of the built-in features, such as UEBA and machine learning rules.
- Additional cost and effort required for the custom connectors, such as using Azure Functions and Logic Apps.
- If these disadvantages are not a concern for your organization, continue with [step 4](#step-4-splitting-billing--charge-back) instead of using separate Microsoft Sentinel workspaces.
+ If these disadvantages aren't a concern for your organization, continue with [step 4](#step-4-splitting-billing--charge-back) instead of using separate Microsoft Sentinel workspaces.
### Step 4: Splitting billing / charge-back?
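Review bot: the unchanged context line "Therefore, you wonΓÇÖt be able to use all the built-in rules and workbooks." shows a curly apostrophe that renders as mis-encoded text here, and this hunk already normalizes "it is" and "do not" to "it's" and "don't" on the neighbouring lines; change that word to a plain ASCII "won't" in the same pass so the list uses one apostrophe style and no line depends on the encoding of the rendering pipeline.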
If you need to split your billing or charge-back, consider whether the usage rep
**If you *do* have overlaps between SOC and non-SOC data**, treat the overlapping data as SOC data only. Then, consider whether the ingestion for *both* SOC and non-SOC data individually is less than 100 GB / day, but more than 100 GB / day when combined: - **Yes**: Proceed with [step 6](#step-6-multiple-regions) for further evaluation.
- - **No**: We do not recommend using the same workspace for the sake of cost efficiency. Proceed with [step 6](#step-6-multiple-regions) for further evaluation.
+ - **No**: We don't recommend using the same workspace for the sake of cost efficiency. Proceed with [step 6](#step-6-multiple-regions) for further evaluation.
In either case, for more information, see [note 10](#note10). **If you have *no* overlapping data**, consider whether the ingestion for *both* SOC and non-SOC data individually is less than 100 GB / day, but more than 100 GB / day when combined: - **Yes**: Proceed with [step 6](#step-6-multiple-regions) for further evaluation. For more information, see [note 3](#combining-your-soc-and-non-soc-data).
- - **No**: We do not recommend using the same workspace for the sake of cost efficiency. Proceed with [step 6](#step-6-multiple-regions) for further evaluation.
+ - **No**: We don't recommend using the same workspace for the sake of cost efficiency. Proceed with [step 6](#step-6-multiple-regions) for further evaluation.
#### Combining your SOC and non-SOC data
-<a name="note3"></a>[Decision tree note #3](#decision-tree): While we generally recommend that customers keep a separate workspace for their non-SOC data so that non-SOC data is not subject to Microsoft Sentinel costs, there may be situations where combining SOC and non-SOC data is less expensive than separating them.
+<a name="note3"></a>[Decision tree note #3](#decision-tree): While we generally recommend that customers keep a separate workspace for their non-SOC data so that non-SOC data isn't subject to Microsoft Sentinel costs, there might be situations where combining SOC and non-SOC data is less expensive than separating them.
For example, consider an organization that has security logs ingesting at 50 GB/day, operations logs ingesting at 50 GB/day, and a workspace in the East US region.
However, this recommendation for separate workspaces for non-SOC data comes from
- If the data egress cost is enough of a concern to make maintaining separate workspaces worthwhile, use a separate Microsoft Sentinel workspace for each region where you need reduce the data egress cost.
- <a name="note5"></a>[Decision tree note #5](#decision-tree): We recommend that you have as few workspaces as possible. Use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=azure-sentinel) to estimate the cost and determine which regions you actually need, and combine workspaces for regions with low egress costs. Bandwidth costs may be only a small part of your Azure bill when compared with separate Microsoft Sentinel and Log Analytics ingestion costs.
+ <a name="note5"></a>[Decision tree note #5](#decision-tree): We recommend that you have as few workspaces as possible. Use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=azure-sentinel) to estimate the cost and determine which regions you actually need, and combine workspaces for regions with low egress costs. Bandwidth costs might be only a small part of your Azure bill when compared with separate Microsoft Sentinel and Log Analytics ingestion costs.
For example, your cost might be estimated as follows:
However, this recommendation for separate workspaces for non-SOC data comes from
- If each data owner must have access to the Microsoft Sentinel portal, use a separate Microsoft Sentinel workspace for each owner.
- <a name="note6"></a>[Decision tree note #6](#decision-tree): Access to the Microsoft Sentinel portal requires that each user have a role of at least a [Microsoft Sentinel Reader](../role-based-access-control/built-in-roles.md), with **Reader** permissions on all tables in the workspace. If a user does not have access to all tables in the workspace, they'll need to use Log Analytics to access the logs in search queries.
+ <a name="note6"></a>[Decision tree note #6](#decision-tree): Access to the Microsoft Sentinel portal requires that each user have a role of at least a [Microsoft Sentinel Reader](../role-based-access-control/built-in-roles.md), with **Reader** permissions on all tables in the workspace. If a user doesn't have access to all tables in the workspace, they'll need to use Log Analytics to access the logs in search queries.
- If access to the logs via Log Analytics is sufficient for any owners without access to the Microsoft Sentinel portal, continue with [step 8](#step-8-controlling-data-access-by-data-source--table).
However, this recommendation for separate workspaces for non-SOC data comes from
- If you have multiple, custom data sources/tables, where each one needs separate permissions
- In other cases, when you do *not* need to control access at the row level, provide multiple, custom data sources/tables with separate permissions, use a single Microsoft Sentinel workspace, with table-level RBAC for data access control.
+ In other cases, when you *don't* need to control access at the row level, provide multiple, custom data sources/tables with separate permissions, use a single Microsoft Sentinel workspace, with table-level RBAC for data access control.
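Review bot: the rewritten line "In other cases, when you *don't* need to control access at the row level, provide multiple, custom data sources/tables with separate permissions, use a single Microsoft Sentinel workspace, with table-level RBAC for data access control." is still ungrammatical after the contraction change, because the condition and the recommendation run into each other. Since the line is being touched anyway, reword it along the lines of "In other cases, when you *don't* need to control access at the row level but do need multiple custom data sources or tables with separate permissions, use a single Microsoft Sentinel workspace with table-level RBAC for data access control."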
#### Considerations for resource-context or table-level RBAC When planning to use resource-context or table level RBAC, consider the following information: -- <a name="note7"></a>[Decision tree note #7](#decision-tree): To configure resource-context RBAC for non-Azure resources, you may want to associate a Resource ID to the data when sending to Microsoft Sentinel, so that the permission can be scoped using resource-context RBAC. For more information, see [Explicitly configure resource-context RBAC](resource-context-rbac.md#explicitly-configure-resource-context-rbac) and [Access modes by deployment](../azure-monitor/logs/workspace-design.md).
+- <a name="note7"></a>[Decision tree note #7](#decision-tree): To configure resource-context RBAC for non-Azure resources, you might want to associate a Resource ID to the data when sending to Microsoft Sentinel, so that the permission can be scoped using resource-context RBAC. For more information, see [Explicitly configure resource-context RBAC](resource-context-rbac.md#explicitly-configure-resource-context-rbac) and [Access modes by deployment](../azure-monitor/logs/workspace-design.md).
- <a name="note8"></a>[Decision tree note #8](#decision-tree): [Resource permissions](../azure-monitor/logs/manage-access.md) or [resource-context](../azure-monitor/logs/workspace-design.md) allows users to view logs only for resources that they have access to. The workspace access mode must be set to **User resource or workspace permissions**. Only tables relevant to the resources where the user has permissions will be included in search results from the **Logs** page in Microsoft Sentinel.
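Review bot: the unchanged note #8 line says the workspace access mode must be set to **User resource or workspace permissions**, but the Log Analytics access control mode is labeled "Use resource or workspace permissions", so "User" reads as a typo and should be corrected while this notes block is being edited; a reader following the instruction literally will not find that option. Also, in the rewritten note #7, "associate a Resource ID to the data" should be "associate a Resource ID with the data".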
sentinel Enable Entity Behavior Analytics https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/enable-entity-behavior-analytics.md
# Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
-In the previous deployment step, you enabled the Microsoft Sentinel security content you need to protect your systems. In this article, you learn how to enable and use the UEBA feature to streamline the analysis process.
+In the previous deployment step, you enabled the Microsoft Sentinel security content you need to protect your systems. In this article, you learn how to enable and use the UEBA feature to streamline the analysis process. This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
As Microsoft Sentinel collects logs and alerts from all of its connected data sources, it analyzes them and builds baseline behavioral profiles of your organizationΓÇÖs entities (such as users, hosts, IP addresses, and applications) across time and peer group horizon. Using a variety of techniques and machine learning capabilities, Microsoft Sentinel can then identify anomalous activity and help you determine if an asset has been compromised. Learn more about [UEBA](identify-threats-with-entity-behavior-analytics.md).
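Review bot: the unchanged line after the added cross-reference, "builds baseline behavioral profiles of your organizationΓÇÖs entities", shows the same mis-encoded curly apostrophe that appears elsewhere in this change set; normalize it to "organization's" while this paragraph is open. The same sentence's phrase "across time and peer group horizon" is hard to parse; "across time and across peer groups" states the same idea plainly.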
sentinel Enable Sentinel Features Content https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/enable-sentinel-features-content.md
# Enable Microsoft Sentinel and initial features and content
-To begin your deployment, you need to enable Microsoft Sentinel and set up key features and content. In this article, you learn how to enable Microsoft Sentinel, enable the health and audit feature, and enable the solutions and content you've identified according to your organization's needs.
+To begin your deployment, you need to enable Microsoft Sentinel and set up key features and content. In this article, you learn how to enable Microsoft Sentinel, enable the health and audit feature, and enable the solutions and content you've identified according to your organization's needs. This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
## Enable features and content
sentinel Prepare Multiple Workspaces https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/prepare-multiple-workspaces.md
# Prepare for multiple workspaces and tenants in Microsoft Sentinel
-To prepare for your deployment, you need to determine whether a multiple workspace architecture is relevant for your environment. In this article, you learn how Microsoft Sentinel can extend across multiple workspaces and tenants so you can determine whether this capability suits your organization's needs.
+To prepare for your deployment, you need to determine whether a multiple workspace architecture is relevant for your environment. In this article, you learn how Microsoft Sentinel can extend across multiple workspaces and tenants so you can determine whether this capability suits your organization's needs. This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
-If you've determined and set up your environment to extend across workspaces, you can [manage and monitor cross-workspace architecture](extend-sentinel-across-workspaces-tenants.md) or [manage multiple workspaces with workspace manager](workspace-manager.md).
+If you've decided to set up your environment to extend across workspaces, see [Extend Microsoft Sentinel across workspaces and tenants](extend-sentinel-across-workspaces-tenants.md) and [Centrally manage multiple Microsoft Sentinel workspaces with workspace manager](workspace-manager.md).
## The need to use multiple Microsoft Sentinel workspaces When you onboard Microsoft Sentinel, your first step is to select your Log Analytics workspace. While you can get the full benefit of the Microsoft Sentinel experience with a single workspace, in some cases, you might want to extend your workspace to query and analyze your data across workspaces and tenants.
-This table lists some of these scenarios and, when possible, suggests how you may use a single workspace for the scenario.
+This table lists some of these scenarios and, when possible, suggests how you might use a single workspace for the scenario.
| Requirement | Description | Ways to reduce workspace count | |-|-|--| | Sovereignty and regulatory compliance | A workspace is tied to a specific region. To keep data in different [Azure geographies](https://azure.microsoft.com/global-infrastructure/geographies/) to satisfy regulatory requirements, split up the data into separate workspaces. | | | Data ownership | The boundaries of data ownership, for example by subsidiaries or affiliated companies, are better delineated using separate workspaces. | | | Multiple Azure tenants | Microsoft Sentinel supports data collection from Microsoft and Azure SaaS resources only within its own Azure Active Directory (Azure AD) tenant boundary. Therefore, each Azure AD tenant requires a separate workspace. | |
-| Granular data access control | An organization may need to allow different groups, within or outside the organization, to access some of the data collected by Microsoft Sentinel. For example:<br><ul><li>Resource owners' access to data pertaining to their resources</li><li>Regional or subsidiary SOCs' access to data relevant to their parts of the organization</li></ul> | Use [resource Azure RBAC](resource-context-rbac.md) or [table level Azure RBAC](https://techcommunity.microsoft.com/t5/azure-sentinel/table-level-rbac-in-azure-sentinel/ba-p/965043) |
+| Granular data access control | An organization might need to allow different groups, within or outside the organization, to access some of the data collected by Microsoft Sentinel. For example:<br><ul><li>Resource owners' access to data pertaining to their resources</li><li>Regional or subsidiary SOCs' access to data relevant to their parts of the organization</li></ul> | Use [resource Azure RBAC](resource-context-rbac.md) or [table level Azure RBAC](https://techcommunity.microsoft.com/t5/azure-sentinel/table-level-rbac-in-azure-sentinel/ba-p/965043) |
| Granular retention settings | Historically, multiple workspaces were the only way to set different retention periods for different data types. This is no longer needed in many cases, thanks to the introduction of table level retention settings. | Use [table level retention settings](https://techcommunity.microsoft.com/t5/azure-sentinel/new-per-data-type-retention-is-now-available-for-azure-sentinel/ba-p/917316) or automate [data deletion](../azure-monitor/logs/personal-data-mgmt.md#exporting-and-deleting-personal-data) | | Split billing | By placing workspaces in separate subscriptions, they can be billed to different parties. | Usage reporting and cross-charging |
-| Legacy architecture | The use of multiple workspaces may stem from a historical design that took into consideration limitations or best practices which don't hold true anymore. It might also be an arbitrary design choice that can be modified to better accommodate Microsoft Sentinel.<br><br>Examples include:<br><ul><li>Using a per-subscription default workspace when deploying Microsoft Defender for Cloud</li><li>The need for granular access control or retention settings, the solutions for which are relatively new</li></ul> | Re-architect workspaces |
+| Legacy architecture | The use of multiple workspaces might stem from a historical design that took into consideration limitations or best practices which don't hold true anymore. It might also be an arbitrary design choice that can be modified to better accommodate Microsoft Sentinel.<br><br>Examples include:<br><ul><li>Using a per-subscription default workspace when deploying Microsoft Defender for Cloud</li><li>The need for granular access control or retention settings, the solutions for which are relatively new</li></ul> | Re-architect workspaces |
### Managed Security Service Provider (MSSP)
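Review bot: the unchanged "Multiple Azure tenants" row still describes the collection boundary as "its own Azure Active Directory (Azure AD) tenant boundary" and says "each Azure AD tenant requires a separate workspace"; the directory has been renamed Microsoft Entra ID, and the touched lines in this hunk are otherwise only wording changes, so this row is the natural place to apply the rename in the same commit rather than leaving the old name in a table that readers use for architecture decisions.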
sentinel Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/prerequisites.md
Title: Plan and prepare for your Microsoft Sentinel deployment
-description: Learn about pre-deployment activities and prerequisites for deploying Microsoft Sentinel.
--
+ Title: Prerequisites for deploying Microsoft Sentinel
+description: Learn about pre-deployment prerequisites to deploy Microsoft Sentinel.
++ Previously updated : 06/29/2023 Last updated : 08/23/2023
-# Plan and prepare for your Microsoft Sentinel deployment
-This article introduces the activities and prerequisites that help you plan and prepare before deploying Microsoft Sentinel.
+# Prerequisites to deploy Microsoft Sentinel
-The plan and prepare phase is typically performed by a SOC architect or related roles.
+Before deploying Microsoft Sentinel, make sure that your Azure tenant meets the requirements listed in this article. This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
-Before deploying Microsoft Sentinel, we recommend taking the following steps to help focus your deployment on providing maximum value, as soon as possible.
-
-## Plan and prepare overview
-
-| Step | Details |
-| | - |
-| **1. Plan and prepare overview and prerequisites** | **YOU ARE HERE**<br><br>Review the [Azure tenant prerequisites](#azure-tenant-prerequisites). |
-| **2. Plan workspace architecture** | Design your Microsoft Sentinel workspace. Consider parameters such as:<br><br>- Whether you'll use a single tenant or multiple tenants<br>- Any compliance requirements you have for data collection and storage<br>- How to control access to Microsoft Sentinel data<br><br>Review these articles:<br><br>1. [Review best practices](best-practices-workspace-architecture.md)<br>2. [Design workspace architecture](design-your-workspace-architecture.md)<br>3. [Review sample workspace designs](sample-workspace-designs.md)<br>4. [Prepare for multiple workspaces](prepare-multiple-workspaces.md) |
-| **3. [Prioritize data connectors](prioritize-data-connectors.md)** | Determine which data sources you need and the data size requirements to help you accurately project your deployment's budget and timeline.<br><br>You might determine this information during your business use case review, or by evaluating a current SIEM that you already have in place. If you already have a SIEM in place, analyze your data to understand which data sources provide the most value and should be ingested into Microsoft Sentinel. |
-| **4. [Plan roles and permissions](roles.md)** |Use Azure role based access control (RBAC) to create and assign roles within your security operations team to grant appropriate access to Microsoft Sentinel. The different roles give you fine-grained control over what Microsoft Sentinel users can see and do. Azure roles can be assigned in the Microsoft Sentinel workspace directly, or in a subscription or resource group that the workspace belongs to, which Microsoft Sentinel inherits. |
-| **5. [Plan costs](billing.md)** |Start planning your budget, considering cost implications for each planned scenario.<br><br> Make sure that your budget covers the cost of data ingestion for both Microsoft Sentinel and Azure Log Analytics, any playbooks that will be deployed, and so on. |
-
-## Azure tenant prerequisites
-
-Before deploying Microsoft Sentinel, make sure that your Azure tenant has the following requirements:
+## Prerequisites
- An [Azure Active Directory license and tenant](../active-directory/develop/quickstart-create-new-tenant.md), or an [individual account with a valid payment method](https://azure.microsoft.com/free/), are required to access Azure and deploy resources. - After you have a tenant, you must have an [Azure subscription](../cost-management-billing/manage/create-subscription.md) to track resource creation and billing. -- After you have a subscription, you'll need the [relevant permissions](../role-based-access-control/index.yml) to begin using your subscription. If you are using a new subscription, an admin or higher from the Azure AD tenant should be designated as the [owner/contributor](../role-based-access-control/rbac-and-directory-admin-roles.md) for the subscription.
+- After you have a subscription, you'll need the [relevant permissions](../role-based-access-control/index.yml) to begin using your subscription. If you're using a new subscription, an admin or higher from the Azure AD tenant should be designated as the [owner/contributor](../role-based-access-control/rbac-and-directory-admin-roles.md) for the subscription.
- To maintain the least privileged access available, assign roles at the level of the resource group. - For more control over permissions and access, set up custom roles. For more information, see [Role-based access control](../role-based-access-control/custom-roles.md).
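Review bot: removing the "Plan and prepare overview" table (steps 1 through 5: prerequisites, workspace architecture, prioritize data connectors, roles and permissions, costs) together with the line "The plan and prepare phase is typically performed by a SOC architect or related roles." takes the ordered planning sequence out of this article, and the new intro only points to deploy-overview.md for it; confirm that the overview actually carries those five steps and the role note before merging, otherwise that guidance disappears from the guide. Two smaller items on the retained lines: the new "## Prerequisites" H2 sits directly under an H1 that is itself "Prerequisites to deploy Microsoft Sentinel", so the heading is redundant and can be dropped; and the touched line "If you're using a new subscription, an admin or higher from the Azure AD tenant should be designated as the owner/contributor for the subscription" keeps the old directory name (Microsoft Entra ID) and the vague "an admin or higher"; name the directory role that is expected to receive the subscription Owner assignment, since Azure RBAC subscription roles and directory roles are separate things.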
Before deploying Microsoft Sentinel, make sure that your Azure tenant has the fo
- We recommend that when you set up your Microsoft Sentinel workspace, [create a resource group](../azure-resource-manager/management/manage-resource-groups-portal.md) that's dedicated to Microsoft Sentinel and the resources that Microsoft Sentinel uses, including the Log Analytics workspace, any playbooks, workbooks, and so on.
- A dedicated resource group allows for permissions to be assigned once, at the resource group level, with permissions automatically applied to any relevant resources. Managing access via a resource group helps to ensure that you're using Microsoft Sentinel efficiently without potentially issuing improper permissions. Without a resource group for Microsoft Sentinel, where resources are scattered among multiple resource groups, a user or service principal may find themselves unable to perform a required action or view data due to insufficient permissions.
+ A dedicated resource group allows for permissions to be assigned once, at the resource group level, with permissions automatically applied to any relevant resources. Managing access via a resource group helps to ensure that you're using Microsoft Sentinel efficiently without potentially issuing improper permissions. Without a resource group for Microsoft Sentinel, where resources are scattered among multiple resource groups, a user or service principal might find themselves unable to perform a required action or view data due to insufficient permissions.
To implement more access control to resources by tiers, use extra resource groups to house the resources that should be accessed only by those groups. Using multiple tiers of resource groups enables you to separate access between those tiers. ## Next steps
-In this article, you reviewed the activities and prerequisites that help you plan and prepare before deploying Microsoft Sentinel.
+In this article, you reviewed the prerequisites that help you plan and prepare before deploying Microsoft Sentinel.
> [!div class="nextstepaction"] > >[Review workspace architecture best practices](best-practices-workspace-architecture.md)
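Review bot: the `+` line "If you're using a new subscription, an admin or higher from the Azure AD tenant should be designated as the owner/contributor for the subscription" and the next bullet, "To maintain the least privileged access available, assign roles at the level of the resource group", pull in opposite directions without saying why. Suggest stating that subscription-level Owner or Contributor is needed only to create the dedicated resource group and workspace, and that day-to-day Microsoft Sentinel access is then granted at the resource group scope as the following section describes. "An admin or higher" also doesn't name a role; say which directory role is meant.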
sentinel Prioritize Data Connectors https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/prioritize-data-connectors.md
# Prioritize your data connectors for Microsoft Sentinel
-In this article, you learn how to plan and prioritize which data sources to use for your Microsoft Sentinel deployment.
+In this article, you learn how to plan and prioritize which data sources to use for your Microsoft Sentinel deployment. This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
## Determine which connectors you need
sentinel Review Fine Tune Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/review-fine-tune-overview.md
- Title: Fine tune and review your Microsoft Sentinel deployment process and content
-description: This article includes a checklist to help you fine tune and review your deployed content and deployment process.
--- Previously updated : 07/05/2023-
-# Fine tune and review your Microsoft Sentinel deployment process and content
-
-In previous steps, you planned and prepared for your deployment, and then you enabled the Microsoft solution and deployed key security content. In this article, you review a post-deployment checklist that helps you make sure that your deployment process is working as expected, and that the security content you deployed is working and protecting your organization according to your needs and use cases.
-
-The fine tune and review phase is typically performed by a SOC engineer or related roles.
-
-## Fine tune and review: Checklist for post-deployment
-
-|Step |Actions |
-| | - |
-|&#x2705; **Review incidents and incident process** |- Check whether the incidents and the number of incidents you're seeing reflect what's actually happening in your environment.<br>- Check whether your SOC's incident process is working to efficiently handle incidents: Have you assigned different types of incidents to different layers/tiers of the SOC?<br><br>Learn more about how to [navigate and investigate](investigate-incidents.md) incidents and how to [work with incident tasks](work-with-tasks.md). |
-|&#x2705; **Review and fine-tune analytics rules** | - Based on your incident review, check whether your analytics rules are triggered as expected, and whether the rules reflect the types of incidents you're interested in.<br>- [Handle false positives](false-positives.md), either by using automation or by modifying scheduled analytics rules.<br>- Microsoft Sentinel provides built-in fine-tuning capabilities to help you analyze your analytics rules. [Review these built-in insights and implement relevant recommendations](detection-tuning.md). |
-|&#x2705; **Review automation rules and playbooks** |- Similar to analytics rules, check that your automation rules are working as expected, and reflect the incidents you're concerned about and are interested in.<br>- Check whether your playbooks are responding to alerts and incidents as expected. |
-|&#x2705; **Add data to watchlists** |Check that your watchlists are up to date. If any changes have occurred in your environment, such as new users or use cases, [update your watchlists accordingly](watchlists-manage.md). |
-|&#x2705; **Review commitment tiers** | [Review the commitment tiers](billing.md#analytics-logs) you initially set up, and verify that these tiers reflect your current configuration. |
-|&#x2705; **Keep track of ingestion costs** |To keep track of ingestion costs, use one of these workbooks:<br>- The [**Workspace Usage Report** workbook](billing-monitor-costs.md#deploy-a-workbook-to-visualize-data-ingestion) provides your workspace's data consumption, cost, and usage statistics. The workbook gives the workspace's data ingestion status and amount of free and billable data. You can use the workbook logic to monitor data ingestion and costs, and to build custom views and rule-based alerts.<br>- The **Microsoft Sentinel Cost** workbook gives a more focused view of Microsoft Sentinel costs, including ingestion and retention data, ingestion data for eligible data sources, Logic Apps billing information, and more. |
-|&#x2705; **Fine-tune Data Collection Rules (DCRs)** |- Check that your [DCRs](../azure-monitor/essentials/data-collection-rule-overview.md) reflect your data ingestion needs and use cases.<br>- If needed, [implement ingestion-time transformation](data-transformation.md#filtering) to filter out irrelevant data even before it's first stored in your workspace. |
-|&#x2705; **Check analytics rules against MITRE framework** |[Check your MITRE coverage in the Microsoft Sentinel MITRE page](mitre-coverage.md): View the detections already active in your workspace, and those available for you to configure, to understand your organization's security coverage, based on the tactics and techniques from the MITRE ATT&CK® framework. |
-|&#x2705; **Hunt for suspicious activity** |Make sure that your SOC has a process in place for [proactive threat hunting](hunts.md). Hunting is a process where security analysts seek out undetected threats and malicious behaviors. By creating a hypothesis, searching through data, and validating that hypothesis, they determine what to act on. Actions can include creating new detections, new threat intelligence, or spinning up a new incident. |
-
-## Next steps
-
-In this article, you reviewed a checklist of post-deployment steps. You're now finished your deployment of Microsoft Sentinel.
-
-To continue exploring Microsoft Sentinel capabilities, review these tutorials with common Microsoft Sentinel tasks:
--- [Forward Syslog data to a Log Analytics workspace with Microsoft Sentinel by using Azure Monitor Agent](forward-syslog-monitor-agent.md)-- [Configure data retention policy](configure-data-retention.md)-- [Detect threats using analytics rules](tutorial-log4j-detection.md)-- [Automatically check and record IP address reputation information in incidents](tutorial-enrich-ip-information.md)-- [Respond to threats using automation](tutorial-respond-threats-playbook.md)-- [Extract incident entities with non-native action](tutorial-extract-incident-entities.md)-- [Investigate with UEBA](investigate-with-ueba.md)-- [Build and monitor Zero Trust](sentinel-solution.md)
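Review bot: this hunk deletes review-fine-tune-overview.md in full, and nothing in the change adds a redirect or moves the post-deployment checklist (incident review, analytics rule tuning, DCR filtering, MITRE coverage, hunting) anywhere else. If the page is being retired, keep a redirect entry so existing links to the file and its anchors (for example the "Fine tune and review" checklist) don't break; if the checklist is being folded into another article, that addition belongs in the same change so the two can be compared.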
sentinel Roles https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/roles.md
# Roles and permissions in Microsoft Sentinel
-This article explains how Microsoft Sentinel assigns permissions to user roles and identifies the allowed actions for each role. Microsoft Sentinel uses [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md) to provide [built-in roles](../role-based-access-control/built-in-roles.md) that can be assigned to users, groups, and services in Azure.
+This article explains how Microsoft Sentinel assigns permissions to user roles and identifies the allowed actions for each role. Microsoft Sentinel uses [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md) to provide [built-in roles](../role-based-access-control/built-in-roles.md) that can be assigned to users, groups, and services in Azure. This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
Use Azure RBAC to create and assign roles within your security operations team to grant appropriate access to Microsoft Sentinel. The different roles give you fine-grained control over what Microsoft Sentinel users can see and do. Azure roles can be assigned in the Microsoft Sentinel workspace directly (see note below), or in a subscription or resource group that the workspace belongs to, which Microsoft Sentinel inherits.
Use Azure RBAC to create and assign roles within your security operations team t
> > - For best results, assign these roles to the **resource group** that contains the Microsoft Sentinel workspace. This way, the roles apply to all the resources that support Microsoft Sentinel, as those resources should also be placed in the same resource group. >
-> - As another option, assign the roles directly to the Microsoft Sentinel **workspace** itself. If you do this, you must also assign the same roles to the SecurityInsights **solution resource** in that workspace. You may need to assign them to other resources as well, and you will need to constantly manage role assignments to resources.
+> - As another option, assign the roles directly to the Microsoft Sentinel **workspace** itself. If you do this, you must also assign the same roles to the SecurityInsights **solution resource** in that workspace. You might need to assign them to other resources as well, and you will need to constantly manage role assignments to resources.
### Other roles and permissions
-Users with particular job requirements may need to be assigned other roles or specific permissions in order to accomplish their tasks.
+Users with particular job requirements might need to be assigned other roles or specific permissions in order to accomplish their tasks.
- **Install and manage out-of-the-box content**
Users with particular job requirements may need to be assigned other roles or sp
### Azure and Log Analytics roles you might see assigned
-When you assign Microsoft Sentinel-specific Azure roles, you may come across other Azure and Log Analytics roles that may have been assigned to users for other purposes. Note that these roles grant a wider set of permissions that include access to your Microsoft Sentinel workspace and other resources:
+When you assign Microsoft Sentinel-specific Azure roles, you might come across other Azure and Log Analytics roles that might have been assigned to users for other purposes. Note that these roles grant a wider set of permissions that include access to your Microsoft Sentinel workspace and other resources:
- **Azure roles:** [Owner](../role-based-access-control/built-in-roles.md#owner), [Contributor](../role-based-access-control/built-in-roles.md#contributor), and [Reader](../role-based-access-control/built-in-roles.md#reader). Azure roles grant access across all your Azure resources, including Log Analytics workspaces and Microsoft Sentinel resources. - **Log Analytics roles:** [Log Analytics Contributor](../role-based-access-control/built-in-roles.md#log-analytics-contributor) and [Log Analytics Reader](../role-based-access-control/built-in-roles.md#log-analytics-reader). Log Analytics roles grant access to your Log Analytics workspaces.
-For example, a user assigned the **Microsoft Sentinel Reader** role, but not the **Microsoft Sentinel Contributor** role, can still edit items in Microsoft Sentinel, if that user is also assigned the Azure-level **Contributor** role. Therefore, if you want to grant permissions to a user only in Microsoft Sentinel, carefully remove this userΓÇÖs prior permissions, making sure you do not break any needed access to another resource.
+For example, a user assigned the **Microsoft Sentinel Reader** role, but not the **Microsoft Sentinel Contributor** role, can still edit items in Microsoft Sentinel, if that user is also assigned the Azure-level **Contributor** role. Therefore, if you want to grant permissions to a user only in Microsoft Sentinel, carefully remove this userΓÇÖs prior permissions, making sure you don't break any needed access to another resource.
## Microsoft Sentinel roles, permissions, and allowed actions
After understanding how roles and permissions work in Microsoft Sentinel, you ca
> [!TIP]
-> More roles may be required depending on the data you ingest or monitor. For example, Azure AD roles may be required, such as the global admin or security admin roles, to set up data connectors for services in other Microsoft portals.
+> More roles might be required depending on the data you ingest or monitor. For example, Azure AD roles might be required, such as the global admin or security admin roles, to set up data connectors for services in other Microsoft portals.
> ## Resource-based access control
-You may have some users who need to access only specific data in your Microsoft Sentinel workspace, but shouldn't have access to the entire Microsoft Sentinel environment. For example, you may want to provide a non-security operations (non-SOC) team with access to the Windows event data for the servers they own.
+You might have some users who need to access only specific data in your Microsoft Sentinel workspace, but shouldn't have access to the entire Microsoft Sentinel environment. For example, you might want to provide a non-security operations (non-SOC) team with access to the Windows event data for the servers they own.
In such cases, we recommend that you configure your role-based access control (RBAC) based on the resources that are allowed to your users, instead of providing them with access to the Microsoft Sentinel workspace or specific Microsoft Sentinel features. This method is also known as setting up resource-context RBAC. [Learn more about RBAC](resource-context-rbac.md)
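Review bot: the `+` line "carefully remove this userΓÇÖs prior permissions" keeps the mojibake sequence `ΓÇÖ` where the apostrophe should be (the `-` line has the same bytes), so the edit re-commits an encoding error; replace it with a plain apostrophe. Separately, the tip "Azure AD roles might be required, such as the global admin or security admin roles, to set up data connectors" leads with the most privileged role on a page that otherwise argues for fine-grained, least-privilege assignment; naming the minimum role per connector type, or pointing to where that is documented, would fit the rest of the article better.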
sentinel Sample Workspace Designs https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/sample-workspace-designs.md
This article describes suggested workspace designs for organizations with the fo
The samples in this article use the [Microsoft Sentinel workspace design decision tree](design-your-workspace-architecture.md) to determine the best workspace design for each organization. For more information, see [Microsoft Sentinel workspace architecture best practices](best-practices-workspace-architecture.md).
+This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
+ ## Sample 1: Multiple tenants and regions The Contoso Corporation is a multinational business with headquarters in London. Contoso has offices around the world, with important hubs in New York City and Tokyo. Recently, Contoso has migrated their productivity suite to Office 365, with many workloads migrated to Azure.
sentinel Use Multiple Workspaces https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sentinel/use-multiple-workspaces.md
# Set up multiple workspaces and tenants in Microsoft Sentinel
-When you planned your deployment, you [determined whether a multiple workspace architecture is relevant for your environment](prepare-multiple-workspaces.md). If your environment requires multiple workspaces, you can now set them up as part of your deployment. In this article, you learn how to set up Microsoft Sentinel to extend across multiple workspaces and tenants.
+When you planned your deployment, you determined whether a multiple workspace architecture is relevant for your environment. If your environment requires multiple workspaces, you can now set them up as part of your deployment. For more information, see [Prepare for multiple workspaces and tenants in Microsoft Sentinel](prepare-multiple-workspaces.md).
+
+In this article, you learn how to set up Microsoft Sentinel to extend across multiple workspaces and tenants. This article is part of the [Deployment guide for Microsoft Sentinel](deploy-overview.md).
## Options for using multiple workspaces
service-bus-messaging Message Expiration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/message-expiration.md
Title: Azure Service Bus - message expiration description: This article explains about expiration and time to live (TTL) of Azure Service Bus messages. After such a deadline, the message is no longer delivered. Previously updated : 06/08/2023 Last updated : 10/10/2023 # Azure Service Bus - Message expiration (Time to Live)
The expiration for any individual message can be controlled by setting the **tim
Past the **expires-at-utc** instant, messages become ineligible for retrieval. The expiration doesn't affect messages that are currently locked for delivery. Those messages are still handled normally. If the lock expires or the message is abandoned, the expiration takes immediate effect. While the message is under lock, the application might be in possession of a message that has expired. Whether the application is willing to go ahead with processing or chooses to abandon the message is up to the implementer.
-Extremely low TTL in the order of milliseconds or seconds may cause messages to expire before receiver applications receive it. Consider the highest TTL that works for your application.
+Extremely low TTL in the order of milliseconds or seconds might cause messages to expire before receiver applications receive it. Consider the highest TTL that works for your application.
> [!NOTE] > For [scheduled messages](message-sequencing.md#scheduled-messages), you specify the enqueue time at which you want the message to materialize in the queue for retrieval. The time at which the message is sent to Service Bus is different from the time at which the message is enqueued. The message expiration time depends on the enqueued time, not on the time at which the message is sent to Service Bus. Therefore, the **expires-at-utc** is still **enqueued time + time-to-live**.
The combination of time-to-live and automatic (and transactional) dead-lettering
For example, consider a web site that needs to reliably execute jobs on a scale-constrained backend, and which occasionally experiences traffic spikes or wants to be insulated against availability episodes of that backend. In the regular case, the server-side handler for the submitted user data pushes the information into a queue and subsequently receives a reply confirming successful handling of the transaction into a reply queue. If there's a traffic spike and the backend handler can't process its backlog items in time, the expired jobs are returned on the dead-letter queue. The interactive user can be notified that the requested operation takes a little longer than usual, and the request can then be put on a different queue for a processing path where the eventual processing result is sent to the user by email.
+### Expiration for session-enabled entities
+For session-enabled queues or topics' subscriptions, messages are locked at the session level. If the TTL for any of the messages expires, all messages related to that session are either dropped or dead-lettered based on the dead-lettering enabled on messaging expiration setting on the entity. In other words, if there's a single message in the session that has passed the TTL, all the messages in the session are expired. The messages expire only if there's an active listener.
## Temporary entities
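Review bot: the new "Expiration for session-enabled entities" paragraph needs tightening before it ships. "dead-lettered based on the dead-lettering enabled on messaging expiration setting on the entity" reads as a garbled setting name; the earlier text in this file calls the feature "automatic (and transactional) dead-lettering", and the dead-letter article in this same change calls it dead-lettering on message expiration, so use one name. The closing sentence "The messages expire only if there's an active listener" appears to contradict the unchanged line above, "Past the expires-at-utc instant, messages become ineligible for retrieval", unless it means the session-wide drop or dead-letter happens when a receiver next accepts the session; say which. Also, in the `+` line "might cause messages to expire before receiver applications receive it", "it" should be "them".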
service-bus-messaging Message Sessions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/message-sessions.md
When multiple concurrent receivers pull from the queue, the messages belonging t
The previous illustration shows three concurrent session receivers. One Session with `SessionId` = 4 has no active, owning client, which means that no messages are delivered from this specific session. A session acts in many ways like a sub queue.
-The session lock held by the session receiver is an umbrella for the message locks used by the *peek-lock* settlement mode. Only one receiver can have a lock on a session. A receiver may have many in-flight messages, but the messages will be received in order. Abandoning a message causes the same message to be served again with the next receive operation.
+The session lock held by the session receiver is an umbrella for the message locks used by the *peek-lock* settlement mode. Only one receiver can have a lock on a session. A receiver might have many in-flight messages, but the messages are received in order. Abandoning a message causes the same message to be served again with the next receive operation.
### Message session state
The definition of delivery count per message in the context of sessions varies s
|-|| | Session is accepted, but the session lock expires (due to timeout) | Yes | | Session is accepted, the messages within the session aren't completed (even if they're locked), and the session is closed | No |
-| Session is accepted, messages are completed, and then the session is explicitly closed | N/A (It's the standard flow. Here messages are removed from the session) |
+| Session is accepted, messages are completed, and then the session is explicitly closed | N/A (It's the standard flow. Here, messages are removed from the session) |
## Request-response pattern The [request-reply pattern](https://www.enterpriseintegrationpatterns.com/patterns/messaging/RequestReply.html) is a well-established integration pattern that enables the sender application to send a request and provides a way for the receiver to correctly send a response back to the sender application. This pattern typically needs a short-lived queue or topic for the application to send responses to. In this scenario, sessions provide a simple alternative solution with comparable semantics.
So, the messages are processed in this order: message 2, message 3, and message
If messages just need to be retrieved in order, you don't need to use sessions. If messages need to be processed in order, use sessions. The same session ID should be set on messages that belong together, which could be message 1, 4, and 8 in a set, and 2, 3, and 6 in another set.
+## Message expiration
+For session-enabled queues or topics' subscriptions, messages are locked at the session level. If the TTL for any of the messages expires, all messages related to that session are either dropped or dead-lettered based on the dead-lettering enabled on messaging expiration setting on the entity. In other words, if there's a single message in the session that has passed the TTL, all the messages in the session are expired. The messages expire only if there's an active listener. For more information, see [Message expiration](message-expiration.md).
+ ## Next steps You can enable message sessions while creating a queue using Azure portal, PowerShell, CLI, Resource Manager template, .NET, Java, Python, and JavaScript. For more information, see [Enable message sessions](enable-message-sessions.md).
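Review bot: the added "## Message expiration" paragraph is a word-for-word copy of the paragraph added to message-expiration.md in this same change and inherits its problems (the garbled "dead-lettering enabled on messaging expiration setting" phrase and the unexplained "only if there's an active listener" sentence). Since the paragraph already ends with "For more information, see [Message expiration](message-expiration.md)", keep one or two sentences here and let the link carry the detail, so the two copies can't drift apart.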
service-bus-messaging Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/policy-reference.md
Title: Built-in policy definitions for Azure Service Bus Messaging description: Lists Azure Policy built-in policy definitions for Azure Service Bus Messaging. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
service-bus-messaging Service Bus Dead Letter Queues https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-dead-letter-queues.md
Title: Service Bus dead-letter queues | Microsoft Docs description: Describes dead-letter queues in Azure Service Bus. Service Bus queues and topic subscriptions provide a secondary subqueue, called a dead-letter queue. Previously updated : 10/25/2022 Last updated : 10/09/2023
Azure Service Bus queues and topic subscriptions provide a secondary subqueue, called a *dead-letter queue* (DLQ). The dead-letter queue doesn't need to be explicitly created and can't be deleted or managed independent of the main entity.
-This article describes dead-letter queues in Service Bus. Much of the discussion is illustrated by the [Dead-Letter queues sample](https://github.com/Azure/azure-service-bus/tree/master/samples/DotNet/Microsoft.Azure.ServiceBus/DeadletterQueue) on GitHub.
+This article describes dead-letter queues in Service Bus. Much of the discussion is illustrated by the [Dead-Letter queues sample](https://github.com/Azure/azure-service-bus/tree/master/samples/DotNet/Microsoft.Azure.ServiceBus/DeadletterQueue) on GitHub. This sample uses the deprecated library, not the current `Azure.Messaging.ServiceBus`, but the concepts are the same.
## The dead-letter queue
There are several activities in Service Bus that cause messages to get pushed to
| Dead-letter reason | Dead-letter error description | | | |
-|HeaderSizeExceeded |The size quota for this stream has been exceeded. |
-|TTLExpiredException |The message expired and was dead lettered. See the [Time to live](#time-to-live) section for details. |
+| `HeaderSizeExceeded` |The size quota for this stream has been exceeded. |
+| `TTLExpiredException` |The message expired and was dead lettered. See the [Time to live](#time-to-live) section for details. |
|Session ID is null. |Session enabled entity doesn't allow a message whose session identifier is null. |
-|MaxTransferHopCountExceeded | The maximum number of allowed hops when forwarding between queues has been exceeded. This value is set to 4. |
-| MaxDeliveryCountExceeded | Message couldn't be consumed after maximum delivery attempts. See the [Maximum delivery count](#maximum-delivery-count) section for details. |
+|`MaxTransferHopCountExceeded` | The maximum number of allowed hops when forwarding between queues has been exceeded. This value is set to 4. |
+| `MaxDeliveryCountExceeded` | Message couldn't be consumed after maximum delivery attempts. See the [Maximum delivery count](#maximum-delivery-count) section for details. |
## Maximum delivery count
-There is a limit on number of attempts to deliver messages for Service Bus queues and subscriptions. The default value is 10. Whenever a message has been delivered under a peek-lock, but has been either explicitly abandoned or the lock has expired, the delivery count on the message is incremented. When the delivery count exceeds the limit, the message is moved to the DLQ. The dead-letter reason for the message in DLQ is set to: MaxDeliveryCountExceeded. This behavior can't be disabled, but you can set the max delivery count to a large number.
+There's a limit on number of attempts to deliver messages for Service Bus queues and subscriptions. The default value is 10. Whenever a message has been delivered under a peek-lock, but has been either explicitly abandoned or the lock has expired, the delivery count on the message is incremented. When the delivery count exceeds the limit, the message is moved to the DLQ. The dead-letter reason for the message in DLQ is set to: `MaxDeliveryCountExceeded`. This behavior can't be disabled, but you can set the max delivery count to a large number.
## Time to live
-When you enable dead-lettering on queues or subscriptions, all expiring messages are moved to the DLQ. The dead-letter reason code is set to: TTLExpiredException.
+When you enable dead-lettering on queues or subscriptions, all expiring messages are moved to the DLQ. The dead-letter reason code is set to: `TTLExpiredException`.
-Deferred messages will not be purged and moved to the dead-letter queue after they expire. This behavior is by design.
+Deferred messages won't be purged and moved to the dead-letter queue after they expire. This behavior is by design.
## Errors while processing subscription rules
If you enable dead-lettering on filter evaluation exceptions, any errors that oc
In addition to the system-provided dead-lettering features, applications can use the DLQ to explicitly reject unacceptable messages. They can include messages that can't be properly processed because of any sort of system issue, messages that hold malformed payloads, or messages that fail authentication when some message-level security scheme is used.
-This can be done by calling [QueueClient.DeadLetterAsync(Guid lockToken, string deadLetterReason, string deadLetterErrorDescription) method](/dotnet/api/microsoft.servicebus.messaging.queueclient.deadletterasync#microsoft-servicebus-messaging-queueclient-deadletterasync(system-guid-system-string-system-string)).
+This can be done by calling [QueueClient.DeadLetterAsync(Guid lockToken, string deadLetterReason, string deadLetterErrorDescription)](/dotnet/api/microsoft.servicebus.messaging.queueclient.deadletterasync#microsoft-servicebus-messaging-queueclient-deadletterasync(system-guid-system-string-system-string)) method.
-It is recommended to include the type of the exception in the DeadLetterReason and the StackTrace of the exception in the DeadLetterDescription as this makes it easier to troubleshoot the cause of the problem resulting in messages being dead-lettered. Be aware that this may result in some messages exceeding [the 256KB quota limit for the Standard Tier of Azure Service Bus](./service-bus-quotas.md), further indicating that the Premium Tier is what should be used for production environments.
+We recommend that you include the type of the exception in the `DeadLetterReason` and the stack trace of the exception in the `DeadLetterDescription` as it makes it easier to troubleshoot the cause of the problem resulting in messages being dead-lettered. Be aware that this might result in some messages exceeding [the 256 KB quota limit for the Standard Tier of Azure Service Bus](./service-bus-quotas.md), further indicating that the Premium Tier is what should be used for production environments.
-## Dead-lettering in ForwardTo or SendVia scenarios
+## Dead-lettering in auto forward scenarios
-Messages will be sent to the transfer dead-letter queue under the following conditions:
+Messages are sent to the dead-letter queue under the following conditions:
- A message passes through more than four queues or topics that are [chained together](service-bus-auto-forwarding.md). - The destination queue or topic is disabled or deleted. - The destination queue or topic exceeds the maximum entity size.
+## Dead-lettering in send via scenarios
+
+- If the destination queue or topic is disabled, the message is sent to a transfer dead letter queue (TDLQ).
+- If the destination queue or topic is deleted, the 404 exception is raised.
+- If the destination queue or entity exceeds the entity size, the message doesn't go to either DLQ or TDLQ.
+
+ ## Path to the dead-letter queue You can access the dead-letter queue by using the following syntax:
You can access the dead-letter queue by using the following syntax:
<topic path>/Subscriptions/<subscription path>/$deadletterqueue ``` ---------- ## Sending dead-lettered messages to be reprocessed
-As there can be valuable business data in messages that ended up in the dead-letter queue, it is desirable to have those messages be reprocessed when operators have finished dealing with the circumstances which caused the messages to be dead-lettered in the first place.
+As there can be valuable business data in messages that ended up in the dead-letter queue, it's desirable to have those messages be reprocessed when operators have finished dealing with the circumstances that caused the messages to be dead-lettered in the first place.
-Tools like [Azure Service Bus Explorer](./explorer.md) enable manual moving of messages between queues and topics. If there are many messages in the dead-letter queue that need to be moved, [code like this](https://stackoverflow.com/a/68632602/151350) can help move them all at once. Operators will often prefer having a user interface so they can troubleshoot which message types have failed processing, from which source queues, and for what reasons, while still being able to resubmit batches of messages to be reprocessed. Tools like [ServicePulse with NServiceBus](https://docs.particular.net/servicepulse/intro-failed-messages) provide these capabilities.
+Tools like [Azure Service Bus Explorer](./explorer.md) enable manual moving of messages between queues and topics. If there are many messages in the dead-letter queue that need to be moved, [code like this](https://stackoverflow.com/a/68632602/151350) can help move them all at once. Operators often prefer having a user interface so they can troubleshoot which message types have failed processing, from which source queues, and for what reasons, while still being able to resubmit batches of messages to be reprocessed. Tools like [ServicePulse with NServiceBus](https://docs.particular.net/servicepulse/intro-failed-messages) provide these capabilities.
## Next steps
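Review bot: the added line `+ ## Path to the dead-letter queue You can access the dead-letter queue by using the following syntax:` has a leading space before `##` and carries the body sentence on the heading line, while the unchanged line right after it repeats that same sentence; put the heading on its own line with no leading space and drop the duplicate, otherwise the section renders as a paragraph rather than a heading. In the new "send via" bullets, the third one states that an oversized message "doesn't go to either DLQ or TDLQ" but not what does happen to it (rejected at send time with an exception, or dropped), which is the operational detail a reader of a dead-lettering page needs; also write "a 404 exception" in the second bullet and "queue or topic" in the third, matching the context bullet "The destination queue or topic exceeds the maximum entity size".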
service-bus-messaging Service Bus Ip Filtering https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-ip-filtering.md
Title: Configure IP firewall rules for Azure Service Bus
description: How to use Firewall Rules to allow connections from specific IP addresses to Azure Service Bus. Previously updated : 02/16/2023 Last updated : 10/10/2023 # Allow access to Azure Service Bus namespace from specific IP addresses or ranges
This section shows you how to use the Azure portal to create IP firewall rules f
> [!NOTE] > You see the **Networking** tab only for **premium** namespaces. 1. On the **Networking** page, for **Public network access**, you can set one of the three following options. Choose **Selected networks** option to allow access from only specified IP addresses.
- - **Disabled**. This option disables any public access to the namespace. The namespace is accessible only through [private endpoints](private-link-service.md).
+ - **Disabled**. This option disables any public access to the namespace. The namespace is accessible only through [private endpoints](private-link-service.md).
+
+ :::image type="content" source="./media/service-bus-ip-filtering/public-access-disabled-page.png" alt-text="Screenshot that shows the Networking page of a namespace with public access disabled.":::
+
+ Choose whether you want to allow trusted Microsoft services to bypass the firewall. For the list of trusted Microsoft services for Azure Service Bus, see the [Trusted Microsoft services](#trusted-microsoft-services) section.
- **Selected networks**. This option enables public access to the namespace using an access key from selected networks. > [!IMPORTANT]
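Review bot: the sentence added under **Disabled** ("Choose whether you want to allow trusted Microsoft services to bypass the firewall") sits directly after the claim that the namespace "is accessible only through private endpoints", and the two read as contradictory: if bypass is enabled, the listed first-party services can still reach the namespace without a private endpoint. State what the default of that setting is and qualify the private-endpoint-only sentence accordingly, since readers choose **Disabled** precisely to get that guarantee. Also check the indentation of the new `:::image` directive and sentence (they carry one leading space) so they render inside the **Disabled** list item rather than breaking the list.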
This section shows you how to use the Azure portal to create IP firewall rules f
1. To allow access from only specified IP address, select the **Selected networks** option if it isn't already selected. In the **Firewall** section, follow these steps: 1. Select **Add your client IP address** option to give your current client IP the access to the namespace. 2. For **address range**, enter a specific IPv4 address or a range of IPv4 address in CIDR notation.
- 3. Specify whether you want to **allow trusted Microsoft services to bypass this firewall**.
+ 3. Specify whether you want to **allow trusted Microsoft services to bypass this firewall**. For the list of trusted Microsoft services for Azure Service Bus, see the [Trusted Microsoft services](#trusted-microsoft-services) section.
>[!WARNING] > If you select the **Selected networks** option and don't add at least one IP firewall rule or a virtual network on this page, the namespace can be accessed over public internet (using the access key).
service-bus-messaging Service Bus Service Endpoints https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-bus-messaging/service-bus-service-endpoints.md
This section shows you how to use Azure portal to add a virtual network service
> You see the **Networking** tab only for **premium** namespaces. 1. On the **Networking** page, for **Public network access**, you can set one of the three following options. Choose **Selected networks** option to allow access from only specified IP addresses. - **Disabled**. This option disables any public access to the namespace. The namespace is accessible only through [private endpoints](private-link-service.md).
+
+ :::image type="content" source="./media/service-bus-ip-filtering/public-access-disabled-page.png" alt-text="Screenshot that shows the Networking page of a namespace with public access disabled.":::
+
+ Choose whether you want to allow trusted Microsoft services to bypass the firewall. For the list of trusted Microsoft services for Azure Service Bus, see the [Trusted Microsoft services](#trusted-microsoft-services) section.
- **Selected networks**. This option enables public access to the namespace using an access key from selected networks. > [!IMPORTANT]
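Review bot: the added link targets `#trusted-microsoft-services` in this file (service-bus-service-endpoints.md), but nothing in this hunk adds such a section; unless it already exists here, point the link at `service-bus-ip-filtering.md#trusted-microsoft-services` or add the section, or the anchor will be dead. The screenshot path `./media/service-bus-ip-filtering/public-access-disabled-page.png` resolves only because both articles share the same folder, and the block is a verbatim copy of the text added to service-bus-ip-filtering.md in this same update; consider moving it to an include so the two articles stay in sync.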
service-connector How To Integrate Mysql https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-connector/how-to-integrate-mysql.md
Supported authentication and clients for App Service, Container Apps, and Azure
## Default environment variable names or application properties and Sample codes
-Reference the connection details and sample codes in following tables, accordling to your connection's authentication type and client type, to connect compute services to Azure Database for MySQL.
+Reference the connection details and sample codes in following tables, according to your connection's authentication type and client type, to connect compute services to Azure Database for MySQL.
-
-### System assigned Managed Identity
+### System-assigned Managed Identity
#### [.NET](#tab/dotnet)
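Review bot: the rewritten sentence still reads "Reference the connection details and sample codes in following tables"; suggest "Refer to the connection details and sample code in the following tables, according to your connection's authentication type and client type, ...". "Sample code" is uncountable, so the heading "… and Sample codes" should be "… and sample code" as well (the same wording is used for the PostgreSQL article in this update, so fix both).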
Reference the connection details and sample codes in following tables, accordlin
| `AZURE_MYSQL_CONNECTIONSTRING` | Go-sql-driver connection string | `<MySQL-DB-username>@tcp(<server-host>:<port>)/<MySQL-DB-name>?tls=true` |
-#### [NodeJS](#tab/node)
+#### [NodeJS](#tab/nodejs)
| Default environment variable name | Description | Example value | |-|-|--|
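Review bot: renaming the tab id from `#tab/node` to `#tab/nodejs` changes the key that keeps tab groups on the page in sync, and the rename is applied consistently to every table group in this file, but the sample-code tabs come from included files (for example `./includes/code-mysql-secret.md`, referenced further down); verify those includes use `#tab/nodejs` too, otherwise selecting the NodeJS tab in a variable table will no longer switch the sample-code tab.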
Reference the connection details and sample codes in following tables, accordlin
#### Sample codes Follow these steps and sample codes to connect to Azure Database for MySQL.--
-### User assigned Managed Identity
+### User-assigned Managed Identity
#### [.NET](#tab/dotnet) | Default environment variable name | Description | Example value |
Follow these steps and sample codes to connect to Azure Database for MySQL.
-#### [NodeJS](#tab/node)
+#### [NodeJS](#tab/nodejs)
| Default environment variable name | Description | Example value | |-|-|--|
Follow these steps and sample codes to connect to Azure Database for MySQL.
#### Sample codes Follow these steps and sample codes to connect to Azure Database for MySQL.-- ### Connection String
After created a `springboot` client type connection, Service Connector service w
| `AZURE_MYSQL_CONNECTIONSTRING` | Go-sql-driver connection string | `<MySQL-DB-username>:<MySQL-DB-password>@tcp(<server-host>:<port>)/<MySQL-DB-name>?tls=true` |
-#### [NodeJS](#tab/node)
+#### [NodeJS](#tab/nodejs)
| Default environment variable name | Description | Example value | |-|-|--|
After created a `springboot` client type connection, Service Connector service w
Follow these steps and sample codes to connect to Azure Database for MySQL. [!INCLUDE [code sample for mysql secrets](./includes/code-mysql-secret.md)] -- ### Service Principal #### [.NET](#tab/dotnet)
Follow these steps and sample codes to connect to Azure Database for MySQL.
| `AZURE_MYSQL_CONNECTIONSTRING` | Go-sql-driver connection string | `<MySQL-DB-username>@tcp(<server-host>:<port>)/<MySQL-DB-name>?tls=true` |
-#### [NodeJS](#tab/node)
+#### [NodeJS](#tab/nodejs)
| Default environment variable name | Description | Example value | |-|--|--|
Follow these steps and sample codes to connect to Azure Database for MySQL.
#### Sample codes Follow these steps and sample codes to connect to Azure Database for MySQL.-- ## Next steps
service-connector How To Integrate Postgres https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-connector/how-to-integrate-postgres.md
# Integrate Azure Database for PostgreSQL with Service Connector
-This page shows the supported authentication types and client types of Azure Database for PostgreSQL using Service Connector. You might still be able to connect to Azure Database for PostgreSQL in other programming languages without using Service Connector. This page also shows default environment variable names and values (or Spring Boot configuration) you get when you create the service connection. You can learn more about [Service Connector environment variable naming convention](concept-service-connector-internals.md).
+This page shows the supported authentication types and client types of Azure Database for PostgreSQL using Service Connector. You might still be able to connect to Azure Database for PostgreSQL in other programming languages without using Service Connector. This page also shows default environment variable names and values (or Spring Boot configuration) you get when you create the service connection and the sample code of how to use them. You can learn more about [Service Connector environment variable naming convention](concept-service-connector-internals.md).
## Supported compute service
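Review bot: "and the sample code of how to use them" is awkward; suggest "and sample code that shows how to use them".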
Supported authentication and clients for App Service, Container Apps, and Azure
| None | ![yes icon](./media/green-check.png) | ![yes icon](./media/green-check.png)| ![yes icon](./media/green-check.png) | ![yes icon](./media/green-check.png) | > [!NOTE]
-> System-assigned managed identity,User-assigned managed identity and Service principal are only supported on Azure CLI.
+> System-assigned managed identity, User-assigned managed identity and Service principal are only supported on Azure CLI.
-## Default environment variable names or application properties
+## Default environment variable names or application properties and Sample codes
-Use the connection details below to connect compute services to PostgreSQL. For each example below, replace the placeholder texts `<postgreSQL-server-name>`, `<database-name>`, `<username>`, and `<password>` with your server name, database name, username and password.
+Reference the connection details and sample codes in following tables, according to your connection's authentication type and client type, to connect compute services to Azure Database for PostgreSQL.
-### .NET (ADO.NET)
+### Connect with System-assigned Managed Identity
-#### .NET (ADO.NET) System-assigned managed identity
+#### [.NET](#tab/dotnet)
| Default environment variable name | Description | Example value | ||--||
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | .NET PostgreSQL connection string | `Server=<PostgreSQL-server-name>.postgres.database.azure.com;Database=<database-name>;Port=5432;Ssl Mode=Require;User Id=<username>@<PostgreSQL-server-name>;` |
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | .NET PostgreSQL connection string | `Server=<PostgreSQL-server-name>.postgres.database.azure.com;Database=<database-name>;Port=5432;Ssl Mode=Require;User Id=<username>;` |
-#### .NET (ADO.NET) User-assigned managed identity
-| Default environment variable name | Description | Example value |
-||--||
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<identity-client-ID>` |
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | .NET PostgreSQL connection string | `Server=<PostgreSQL-server-name>.postgres.database.azure.com;Database=<database-name>;Port=5432;Ssl Mode=Require;User Id=<username>@<PostgreSQL-server-name>;` |
+#### [Java](#tab/java)
-#### .NET (ADO.NET) secret / connection string
+| Default environment variable name | Description | Example value |
+|-|--|--|
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | JDBC PostgreSQL connection string | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require&user=<username>` |
-| Default environment variable name | Description | Example value |
-|--|--||
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | .NET PostgreSQL connection string | `Server=<PostgreSQL-server-name>.postgres.database.azure.com;Database=<database-name>;Port=5432;Ssl Mode=Require;User Id=<username>@<PostgreSQL-server-name>;Password=<password>;` |
+#### [SpringBoot](#tab/spring)
+| Application properties | Description | Example value |
+|-|-||
+| `spring.datasource.azure.passwordless-enabled` | Enable passwordless authentication | `true` |
+| `spring.datasource.url` | Database URL | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require` |
+| `spring.datasource.username` | Database username | `username` |
-#### .NET (ADO.NET) Service principal
-| Default environment variable name | Description | Example value |
-|-|--||
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
-| `Azure_POSTGRESQL_CLIENTSECRET` | Your client secret | `<client-secret>` |
-| `Azure_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | .NET PostgreSQL connection string | `Server=<PostgreSQL-server-name>.postgres.database.azure.com;Database=<database-name>;Port=5432;Ssl Mode=Require;User Id=<username>@<PostgreSQL-server-name>;` |
+#### [Python](#tab/python)
-### Go (pg)
+| Default environment variable name | Description | Example value |
+|--|-||
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | psycopg2 connection string | `dbname=<database-name> host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 sslmode=require user=<username>` |
-#### Go (pg) System-assigned managed identity
+#### [Django](#tab/django)
-| Default environment variable name | Description | Example value |
-|-|||
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | Go postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com dbname=<database-name> sslmode=require user=<username>@<server-name>`|
+| Default environment variable name | Description | Example value |
+|--|-|--|
+| `AZURE_POSTGRESQL_NAME` | Database name | `<database-name>` |
+| `AZURE_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
+| `AZURE_POSTGRESQL_USER` | Database username | `<username>` |
-#### Go (pg) User-assigned managed identity
+#### [Go](#tab/go)
| Default environment variable name | Description | Example value | |-|||
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<identity-client-ID>` |
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | Go postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com dbname=<database-name> sslmode=require user=<username>@<server-name>`|
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | Go postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com dbname=<database-name> sslmode=require user=<username>`|
-#### Go (pg) secret / connection string
+#### [NodeJS](#tab/nodejs)
-| Default environment variable name | Description | Example value |
-|-|||
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | Go postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com dbname=<database-name> sslmode=require user=<username>@<server-name> password=<password>` |
-
-#### Go (pg) Service principal
-
-| Default environment variable name | Description | Example value |
-|-|||
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
-| `Azure_POSTGRESQL_CLIENTSECRET` | Your client SECRET | `<client-secret>` |
-| `Azure_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | Go postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com dbname=<database-name> sslmode=require user=<username>@<servername>` |
+| Default environment variable name | Description | Example value |
+|--|-|--|
+| `AZURE_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
+| `AZURE_POSTGRESQL_USER` | Database username | `<username>` |
+| `AZURE_POSTGRESQL_DATABASE` | Database name | `<database-name>` |
+| `AZURE_POSTGRESQL_PORT` | Port number | `5432` |
+| `AZURE_POSTGRESQL_SSL` | SSL option | `true` |
+#### [PHP](#tab/php)
-### Java (JDBC)
+| Default environment variable name | Description | Example value |
+|--|||
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | PHP native postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username>` |
-#### Java (JDBC) System-assigned managed identity
+#### [Ruby](#tab/ruby)
-| Default environment variable name | Description | Example value |
-|-|--|--|
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | JDBC PostgreSQL connection string | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require&user=<username>` |
+| Default environment variable name | Description | Example value |
+|--||-|
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | Ruby postgres connection string | `host=<your-postgres-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username>` |
+
-#### Java (JDBC) User-assigned managed identity
+### Sample codes
-| Default environment variable name | Description | Example value |
-|--|--||
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<identity-client-ID>` |
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | JDBC PostgreSQL connection string | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require&user=<username>` |
+Follow these steps and sample codes to connect to Azure Database for PostgreSQL.
-#### Java (JDBC) secret / connection string
-| Default environment variable name | Description | Example value |
-|--|--|-|
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | JDBC PostgreSQL connection string | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require&user=<username>%40<PostgreSQL-server-name>&password=<password>` |
+### Connect with User-assigned Managed Identity
-#### Java (JDBC) Service principal
+#### [.NET](#tab/dotnet)
-| Default environment variable name | Description | Example value |
-|-|--||
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
-| `Azure_POSTGRESQL_CLIENTSECRET` | Your client secret | `<client-secret>` |
-| `Azure_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | JDBC PostgreSQL connection string | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require&user=<username>` |
+| Default environment variable name | Description | Example value |
+||--||
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<identity-client-ID>` |
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | .NET PostgreSQL connection string | `Server=<PostgreSQL-server-name>.postgres.database.azure.com;Database=<database-name>;Port=5432;Ssl Mode=Require;User Id=<username>;` |
-### Java - Spring Boot (JDBC)
+#### [Java](#tab/java)
-#### Java - Spring Boot (JDBC) System-assigned managed identity
-| Application properties | Description | Example value |
-|-|-||
-| `spring.datasource.azure.passwordless-enabled` | Enable passwordless authentication | `true` |
-| `spring.datasource.url` | Database URL | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require` |
-| `spring.datasource.username` | Database username | `username` |
+| Default environment variable name | Description | Example value |
+|--|--||
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<identity-client-ID>` |
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | JDBC PostgreSQL connection string | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require&user=<username>` |
-#### Java - Spring Boot (JDBC) User-assigned managed identity
+#### [SpringBoot](#tab/spring)
| Application properties | Description | Example value | ||-||
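Review bot: every username in the new tables drops the `@<PostgreSQL-server-name>` suffix (and the `%40<PostgreSQL-server-name>` form in the JDBC string), which moves the examples from the Single Server username convention to the Flexible Server one without saying so; if Single Server targets are still supported by Service Connector, keep a note on the suffix, otherwise state that the values apply to Flexible Server. Structural points in the same hunk: the MySQL article closes each tab group with `---` before the next `###` heading, but no terminator appears between the Ruby tab and `### Sample codes`, so that heading will land inside the Ruby tab; the `### Sample codes` subsection contains only the "Follow these steps and sample codes" sentence and no include or code, so either the include is missing from the change or the subsection is empty. Placeholder consistency: the Ruby row uses `<your-postgres-server-name>` where every other row uses `<PostgreSQL-server-name>`, and the SpringBoot `spring.datasource.username` example is `username` without angle brackets while the other tabs use `<username>`.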
Use the connection details below to connect compute services to PostgreSQL. For
| `spring.cloud.azure.credential.client-id` | Your client ID | `<identity-client-ID>` | | `spring.cloud.azure.credential.client-managed-identity-enabled`| Enable client managed identity | `true` | | `spring.datasource.url` | Database URL | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require` |
-| `spring.datasource.username` | Database username | `username` |
+| `spring.datasource.username` | Database username | `username` |
-#### Java - Spring Boot (JDBC) secret / connection string
+#### [Python](#tab/python)
-| Application properties | Description | Example value |
-||-||
-| `spring.datasource.url` | Database URL | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require` |
-| `spring.datasource.username` | Database username | `<username>@<PostgreSQL-server-name>` |
-| `spring.datasource.password` | Database password | `<password>` |
+| Default environment variable name | Description | Example value |
+|--|-||
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<identity-client-ID>` |
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | psycopg2 connection string | `dbname=<database-name> host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 sslmode=require user=<username>` |
+#### [Django](#tab/django)
-#### Java - Spring Boot (JDBC) Service principal
+| Default environment variable name | Description | Example value |
+|--|-|--|
+| `AZURE_POSTGRESQL_NAME` | Database name | `<database-name>` |
+| `AZURE_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
+| `AZURE_POSTGRESQL_USER` | Database username | `<username>` |
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<<identity-client-ID>>` |
-| Application properties | Description | Example value |
-||-||
-| `spring.datasource.azure.passwordless-enabled` | Enable passwordless authentication | `true` |
-| `spring.cloud.azure.credential.client-id` | Your client ID | `<client-ID>` |
-| `spring.cloud.azure.credential.client-secret` | Your client secret | `<client-secret>` |
-| `spring.cloud.azure.credential.tenant-id` | Your tenant ID | `<tenant-ID>` |
-| `spring.datasource.url` | Database URL | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require` |
-| `spring.datasource.username` | Database username | `username` |
+#### [Go](#tab/go)
-### Node.js (pg)
+| Default environment variable name | Description | Example value |
+|-|||
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<identity-client-ID>` |
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | Go postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com dbname=<database-name> sslmode=require user=<username>`|
-#### Node.js (pg) System-assigned managed identity
+#### [NodeJS](#tab/nodejs)
| Default environment variable name | Description | Example value | |--|-|--|
-| `Azure_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
-| `Azure_POSTGRESQL_USER` | Database username | `<username>@<PostgreSQL-server-name>` |
-| `Azure_POSTGRESQL_DATABASE` | Database name | `<database-name>` |
-| `Azure_POSTGRESQL_PORT` | Port number | `5432` |
-| `Azure_POSTGRESQL_SSL` | SSL option | `true` |
+| `AZURE_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
+| `AZURE_POSTGRESQL_USER` | Database username | `<username>` |
+| `AZURE_POSTGRESQL_DATABASE` | Database name | `<database-name>` |
+| `AZURE_POSTGRESQL_PORT` | Port number | `5432` |
+| `AZURE_POSTGRESQL_SSL` | SSL option | `true` |
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<identity-client-ID>` |
-#### Node.js (pg) User-assigned managed identity
+#### [PHP](#tab/php)
-| Default environment variable name | Description | Example value |
-|--|-|--|
-| `Azure_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
-| `Azure_POSTGRESQL_USER` | Database username | `<username>@<PostgreSQL-server-name>` |
-| `Azure_POSTGRESQL_DATABASE` | Database name | `<database-name>` |
-| `Azure_POSTGRESQL_PORT` | Port number | `5432` |
-| `Azure_POSTGRESQL_SSL` | SSL option | `true` |
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<identity-client-ID>` |
+| Default environment variable name | Description | Example value |
+|--|||
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<identity-client-ID>`|
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | PHP native postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username>` |
-#### Node.js (pg) secret / connection string
+#### [Ruby](#tab/ruby)
-| Default environment variable name | Description | Example value |
-|--|-|--|
-| `Azure_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
-| `Azure_POSTGRESQL_USER` | Database username | `<username>@<PostgreSQL-server-name>` |
-| `Azure_POSTGRESQL_PASSWORD` | Database password | `<password>` |
-| `Azure_POSTGRESQL_DATABASE` | Database name | `<database-name>` |
-| `Azure_POSTGRESQL_PORT` | Port number | `5432` |
-| `Azure_POSTGRESQL_SSL` | SSL option | `true` |
+| Default environment variable name | Description | Example value |
+|--||-|
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<identity-client-ID>` |
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | Ruby postgres connection string | `host=<your-postgres-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username> ` |
-#### Node.js (pg) Service principal
+
-| Default environment variable name | Description | Example value |
-|--|--|--|
-| `Azure_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
-| `Azure_POSTGRESQL_USER` | Database username | `<username>@<PostgreSQL-server-name>` |
-| `Azure_POSTGRESQL_DATABASE` | Database name | `<database-name>` |
-| `Azure_POSTGRESQL_PORT` | Port number | `5432` |
-| `Azure_POSTGRESQL_SSL` | SSL option | `true` |
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
-| `Azure_POSTGRESQL_CLIENTSECRET` | Your client secret | `<client-secret>` |
-| `Azure_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
+### Sample codes
+Follow these steps and sample codes to connect to Azure Database for PostgreSQL.
-#### PHP (native)
+### Connect with Connection String
-#### PHP (native) System-assigned managed identity
+#### [.NET](#tab/dotnet)
-| Default environment variable name | Description | Example value |
-|--|||
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | PHP native postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username>@<PostgreSQL-server-name>` |
+| Default environment variable name | Description | Example value |
+|--|--||
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | .NET PostgreSQL connection string | `Server=<PostgreSQL-server-name>.postgres.database.azure.com;Database=<database-name>;Port=5432;Ssl Mode=Require;User Id=<username>;` |
-#### PHP (native) User-assigned managed identity
+#### [Java](#tab/java)
-| Default environment variable name | Description | Example value |
-|--|||
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<identity-client-ID>`|
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | PHP native postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username>@<PostgreSQL-server-name>` |
+| Default environment variable name | Description | Example value |
+|--|--|-|
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | JDBC PostgreSQL connection string | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require&user=<username>&password=<password>` |
+
+#### [SpringBoot](#tab/spring)
+
+| Application properties | Description | Example value |
+||-||
+| `spring.datasource.url` | Database URL | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require` |
+| `spring.datasource.username` | Database username | `<username>` |
+| `spring.datasource.password` | Database password | `<password>` |
+
+#### [Python](#tab/python)
+
+| Default environment variable name | Description | Example value |
+|--|-||
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | psycopg2 connection string | `dbname=<database-name> host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 sslmode=require user=<username> password=<password>` |
+
+#### [Django](#tab/django)
-#### PHP (native) secret / connection string
+| Default environment variable name | Description | Example value |
+|--|-|--|
+| `AZURE_POSTGRESQL_NAME` | Database name | `<database-name>` |
+| `AZURE_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
+| `AZURE_POSTGRESQL_USER` | Database username | `<username>` |
+| `AZURE_POSTGRESQL_PASSWORD` | Database password | `<database-password>` |
+
+#### [Go](#tab/go)
+
+| Default environment variable name | Description | Example value |
+|-|||
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | Go postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com dbname=<database-name> sslmode=require user=<username> password=<password>` |
+
+#### [NodeJS](#tab/nodejs)
+
+| Default environment variable name | Description | Example value |
+|--|-|--|
+| `AZURE_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
+| `AZURE_POSTGRESQL_USER` | Database username | `<username>` |
+| `AZURE_POSTGRESQL_PASSWORD` | Database password | `<password>` |
+| `AZURE_POSTGRESQL_DATABASE` | Database name | `<database-name>` |
+| `AZURE_POSTGRESQL_PORT` | Port number | `5432` |
+| `AZURE_POSTGRESQL_SSL` | SSL option | `true` |
+
+#### [PHP](#tab/php)
| Default environment variable name | Description | Example value | |--|--||
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | PHP native postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username>@<PostgreSQL-server-name> password=<password>` |
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | PHP native postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username> password=<password>` |
-#### PHP (native) Service principal
+#### [Ruby](#tab/ruby)
-| Default environment variable name | Description | Example value |
-|--||-|
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
-| `Azure_POSTGRESQL_CLIENTSECRET` | Your client SECRET | `<client-secret>` |
-| `Azure_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | PHP native postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username>@<PostgreSQL-server-name>` |
+| Default environment variable name | Description | Example value |
+|--||-|
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | Ruby postgres connection string | `host=<your-postgres-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username> password=<password>` |
-### Python
+
-#### Python (psycopg2) System-assigned managed identity
+### Sample codes
-| Default environment variable name | Description | Example value |
-|--|-||
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | psycopg2 connection string | `dbname=<database-name> host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 sslmode=require user=<username>@<PostgreSQL-server-name>` |
+Follow these steps and sample codes to connect to Azure Database for PostgreSQL.
-#### Python (psycopg2) User-assigned managed identity
+### Connect with Service Principal
-| Default environment variable name | Description | Example value |
-|--|-||
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<identity-client-ID>` |
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | psycopg2 connection string | `dbname=<database-name> host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 sslmode=require user=<username>@<PostgreSQL-server-name>` |
+#### [.NET](#tab/dotnet)
-#### Python (psycopg2) secret / connection string
+| Default environment variable name | Description | Example value |
+|-|--||
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
+| `AZURE_POSTGRESQL_CLIENTSECRET` | Your client secret | `<client-secret>` |
+| `AZURE_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | .NET PostgreSQL connection string | `Server=<PostgreSQL-server-name>.postgres.database.azure.com;Database=<database-name>;Port=5432;Ssl Mode=Require;User Id=<username>;` |
-| Default environment variable name | Description | Example value |
-|--|-||
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | psycopg2 connection string | `dbname=<database-name> host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 sslmode=require user=<username>@<PostgreSQL-server-name> password=<password>` |
-#### Python (psycopg2) Service principal
+#### [Java](#tab/java)
-| Default environment variable name | Description | Example value |
-|--|-||
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
-| `Azure_POSTGRESQL_CLIENTSECRET` | Your client SECRET | `<client-secret>` |
-| `Azure_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | psycopg2 connection string | `dbname=<database-name> host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 sslmode=require user=<username>@<PostgreSQL-server-name>` |
+| Default environment variable name | Description | Example value |
+|-|--||
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
+| `AZURE_POSTGRESQL_CLIENTSECRET` | Your client secret | `<client-secret>` |
+| `AZURE_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | JDBC PostgreSQL connection string | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require&user=<username>` |
-#### Python-Django System-assigned managed identity
+#### [SpringBoot](#tab/spring)
-| Default environment variable name | Description | Example value |
-|--|-|--|
-| `Azure_POSTGRESQL_NAME` | Database name | `<database-name>` |
-| `Azure_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
-| `Azure_POSTGRESQL_USER` | Database username | `<username>@<PostgreSQL-server-name>` |
+| Application properties | Description | Example value |
+||-||
+| `spring.datasource.azure.passwordless-enabled` | Enable passwordless authentication | `true` |
+| `spring.cloud.azure.credential.client-id` | Your client ID | `<client-ID>` |
+| `spring.cloud.azure.credential.client-secret` | Your client secret | `<client-secret>` |
+| `spring.cloud.azure.credential.tenant-id` | Your tenant ID | `<tenant-ID>` |
+| `spring.datasource.url` | Database URL | `jdbc:postgresql://<PostgreSQL-server-name>.postgres.database.azure.com:5432/<database-name>?sslmode=require` |
+| `spring.datasource.username` | Database username | `username` |
-#### Python-Django User-assigned managed identity
+#### [Python](#tab/python)
-| Default environment variable name | Description | Example value |
-|--|-|--|
-| `Azure_POSTGRESQL_NAME` | Database name | `<database-name>` |
-| `Azure_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
-| `Azure_POSTGRESQL_USER` | Database username | `<username>@<PostgreSQL-server-name>` |
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<<identity-client-ID>>` |
+| Default environment variable name | Description | Example value |
+|--|-||
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
+| `AZURE_POSTGRESQL_CLIENTSECRET` | Your client SECRET | `<client-secret>` |
+| `AZURE_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | psycopg2 connection string | `dbname=<database-name> host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 sslmode=require user=<username>` |
-#### Python-Django secret / connection string
+#### [Django](#tab/django)
| Default environment variable name | Description | Example value | |--|-|--|
-| `Azure_POSTGRESQL_NAME` | Database name | `<database-name>` |
-| `Azure_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
-| `Azure_POSTGRESQL_USER` | Database username | `<username>@<PostgreSQL-server-name>` |
-| `Azure_POSTGRESQL_PASSWORD` | Database password | `<database-password>` |
+| `AZURE_POSTGRESQL_NAME` | Database name | `<database-name>` |
+| `AZURE_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
+| `AZURE_POSTGRESQL_USER` | Database username | `<username>` |
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
+| `AZURE_POSTGRESQL_CLIENTSECRET` | Your client SECRET| `<client-secret>` |
+| `AZURE_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
-#### Python-Django Service principal
-| Default environment variable name | Description | Example value |
-|--|-|--|
-| `Azure_POSTGRESQL_NAME` | Database name | `<database-name>` |
-| `Azure_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
-| `Azure_POSTGRESQL_USER` | Database username | `<username>@<PostgreSQL-server-name>` |
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
-| `Azure_POSTGRESQL_CLIENTSECRET` | Your client SECRET| `<client-secret>` |
-| `Azure_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
+#### [Go](#tab/go)
+| Default environment variable name | Description | Example value |
+|-|||
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
+| `AZURE_POSTGRESQL_CLIENTSECRET` | Your client SECRET | `<client-secret>` |
+| `AZURE_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | Go postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com dbname=<database-name> sslmode=require user=<username>` |
-### Ruby (ruby-pg)
+#### [NodeJS](#tab/nodejs)
-#### Ruby (ruby-pg) System-assigned managed identity
+| Default environment variable name | Description | Example value |
+|--|--|--|
+| `AZURE_POSTGRESQL_HOST` | Database host URL | `<PostgreSQL-server-name>.postgres.database.azure.com` |
+| `AZURE_POSTGRESQL_USER` | Database username | `<username>` |
+| `AZURE_POSTGRESQL_DATABASE` | Database name | `<database-name>` |
+| `AZURE_POSTGRESQL_PORT` | Port number | `5432` |
+| `AZURE_POSTGRESQL_SSL` | SSL option | `true` |
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
+| `AZURE_POSTGRESQL_CLIENTSECRET` | Your client secret | `<client-secret>` |
+| `AZURE_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
-| Default environment variable name | Description | Example value |
-|--||-|
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | Ruby postgres connection string | `host=<your-postgres-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username>@<servername>` |
-#### Ruby (ruby-pg) User-assigned managed identity
+#### [PHP](#tab/php)
-| Default environment variable name | Description | Example value |
-|--||-|
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<identity-client-ID>` |
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | Ruby postgres connection string | `host=<your-postgres-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username>@<servername> ` |
+| Default environment variable name | Description | Example value |
+|--||-|
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
+| `AZURE_POSTGRESQL_CLIENTSECRET` | Your client SECRET | `<client-secret>` |
+| `AZURE_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | PHP native postgres connection string | `host=<PostgreSQL-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username>` |
-#### Ruby (ruby-pg) secret / connection string
+#### [Ruby](#tab/ruby)
| Default environment variable name | Description | Example value | |--||-|
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | Ruby postgres connection string | `host=<your-postgres-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username>@<servername> password=<password>` |
+| `AZURE_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
+| `AZURE_POSTGRESQL_CLIENTSECRET` | Your client SECRET | `<client-secret>` |
+| `AZURE_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
+| `AZURE_POSTGRESQL_CONNECTIONSTRING` | Ruby postgres connection string | `host=<your-postgres-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username>` |
-#### Ruby (ruby-pg) Service principal
++
+### Sample codes
+
+Follow these steps and sample codes to connect to Azure Database for PostgreSQL.
-| Default environment variable name | Description | Example value |
-|--||-|
-| `Azure_POSTGRESQL_CLIENTID` | Your client ID | `<client-ID>` |
-| `Azure_POSTGRESQL_CLIENTSECRET` | Your client SECRET | `<client-secret>` |
-| `Azure_POSTGRESQL_TENANTID` | Your tenant ID | `<tenant-ID>` |
-| `Azure_POSTGRESQL_CONNECTIONSTRING` | Ruby postgres connection string | `host=<your-postgres-server-name>.postgres.database.azure.com port=5432 dbname=<database-name> sslmode=require user=<username>@<servername>` |
## Next steps
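Review bot: The new service-principal tables describe the same variable inconsistently, and two example values break the placeholder convention used everywhere else in this hunk. `AZURE_POSTGRESQL_CLIENTSECRET` is described as "Your client secret" in the .NET, Java and NodeJS tabs but as "Your client SECRET" in the Python, Django, Go, PHP and Ruby tabs; pick one form (the lowercase one reads as the intended wording). In the SpringBoot tab the `spring.datasource.username` example value is `username` without angle brackets, unlike `<username>` in every other tab, and the Go connection string omits `port=5432` while the .NET, Java, Python, PHP and Ruby strings include it; if the omission is deliberate because the driver defaults to 5432, say so, otherwise add it for consistency. The added line consisting only of `+` just before the second `### Sample codes` heading looks like a stray character rather than the intended blank line; suggest replacing it with an empty line.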
service-connector How To Manage Authentication https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-connector/how-to-manage-authentication.md
In this guide, learn about the different authentication options available in Ser
Select one of the four different authentication options offered by Service Connector to connect your Azure services together: -- **System assigned managed identity**: provides an automatically managed identity tied to the resource in Azure Active Directory (Azure AD)
+- **System assigned managed identity**: provides an automatically managed identity tied to the resource in Microsoft Entra ID
- **User assigned managed identity**: provides an identity that can be used on multiple resources - **Connection string**: provides one or multiple key-value pairs with secrets or tokens-- **Service principal**: creates a service principal that defines the access policy and permissions for the user/application in the Azure AD tenant
+- **Service principal**: creates a service principal that defines the access policy and permissions for the user/application in the Microsoft Entra tenant
Service Connector offers the following authentication options:
service-connector Quickstart Cli App Service Connection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-connector/quickstart-cli-app-service-connection.md
az webapp connection create storage-blob --secret
#### [Using a managed identity](#tab/Using-Managed-Identity) > [!IMPORTANT]
-> Using Managed Identity requires you have the permission to [Azure AD role assignment](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). If you don't have the permission, your connection creation would fail. You can ask your subscription owner for the permission or using access key to create the connection.
+> Using Managed Identity requires you have the permission to [Microsoft Entra role assignment](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). If you don't have the permission, your connection creation would fail. You can ask your subscription owner for the permission or using access key to create the connection.
Use the Azure CLI [az webapp connection](/cli/azure/webapp/connection) command to create a service connection to a Blob Storage with a System-assigned Managed Identity, providing the following information:
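Review bot: The renamed sentence in the IMPORTANT note still carries grammar problems that this edit could fix while touching the line: "requires you have the permission to [Microsoft Entra role assignment]" and "or using access key to create the connection". Suggest "requires that you have permission to modify [Microsoft Entra role assignments](...)" and "or use an access key to create the connection", which matches the wording already used in the Container Apps quickstart's equivalent note.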
service-connector Quickstart Cli Container Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-connector/quickstart-cli-container-apps.md
You can create a connection using an access key or a managed identity.
### [Managed identity](#tab/using-managed-identity) > [!IMPORTANT]
-> To use a managed identity, you must have the permission to modify [Azure AD role assignment](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). Without this permission, your connection creation will fail. Ask your subscription owner to grant you this permission, or use an access key instead to create the connection.
+> To use a managed identity, you must have the permission to modify [Microsoft Entra role assignment](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). Without this permission, your connection creation will fail. Ask your subscription owner to grant you this permission, or use an access key instead to create the connection.
1. Run the `az containerapp connection create` command to create a service connection from Container Apps to a Blob Storage with a system-assigned managed identity.
service-connector Quickstart Cli Spring Cloud Connection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-connector/quickstart-cli-spring-cloud-connection.md
You can create a connection from Azure Spring Apps using an access key or a mana
### [Managed Identity](#tab/Using-Managed-Identity) > [!IMPORTANT]
-> To use Managed Identity, you must have the permission to modify [role assignments in Azure Active Directory](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). Without this permission, your connection creation will fail. Ask your subscription owner to grant you a role assignment permission or use an access key to create the connection.
+> To use Managed Identity, you must have the permission to modify [role assignments in Microsoft Entra ID](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). Without this permission, your connection creation will fail. Ask your subscription owner to grant you a role assignment permission or use an access key to create the connection.
1. Run the `az spring connection create` command to create a service connection to a Blob Storage with a system-assigned managed identity
service-connector Quickstart Portal App Service Connection https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-connector/quickstart-portal-app-service-connection.md
Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.
### [System-assigned managed identity](#tab/SMI)
- System-assigned managed identity is the recommended authentication option. Select **System-assigned managed identity** to connect through an identity that's generated in Azure Active Directory and tied to the lifecycle of the service instance.
+ System-assigned managed identity is the recommended authentication option. Select **System-assigned managed identity** to connect through an identity that's generated in Microsoft Entra ID and tied to the lifecycle of the service instance.
### [User-assigned managed identity](#tab/UMI)
Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.
### [Service principal](#tab/SP)
- Select **Service principal** to use a service principal that defines the access policy and permissions for the user/application in Azure Active Directory.
+ Select **Service principal** to use a service principal that defines the access policy and permissions for the user/application in Microsoft Entra ID.
1. Select **Next: Networking** to configure the network access to your target service and select **Configure firewall rules to enable access to your target service**.
service-connector Quickstart Portal Container Apps https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-connector/quickstart-portal-container-apps.md
You'll use Service Connector to create a new service connection in Container App
### [SMI](#tab/SMI)
- System-assigned managed identity is the recommended authentication option. Select **System-assigned managed identity** to connect through an identity that's automatically generated in Azure Active Directory and tied to the lifecycle of the service instance.
+ System-assigned managed identity is the recommended authentication option. Select **System-assigned managed identity** to connect through an identity that's automatically generated in Microsoft Entra ID and tied to the lifecycle of the service instance.
### [UMI](#tab/UMI)
You'll use Service Connector to create a new service connection in Container App
### [Service principal](#tab/SP)
- 1. Select **Service principal** to use a service principal that defines the access policy and permissions for the user/application in Azure Active Directory.
+ 1. Select **Service principal** to use a service principal that defines the access policy and permissions for the user/application in Microsoft Entra ID.
1. Select a service principal from the list and enter a **secret**
You'll use Service Connector to create a new service connection in Container App
Check the guide below for more information about Service Connector: > [!div class="nextstepaction"]
-> [Service Connector internals](./concept-service-connector-internals.md)
+> [Service Connector internals](./concept-service-connector-internals.md)
service-connector Tutorial Java Jboss Connect Managed Identity Mysql Database https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-connector/tutorial-java-jboss-connect-managed-identity-mysql-database.md
> [!div class="checklist"] > * Create a MySQL database. > * Deploy a sample JBoss EAP app to Azure App Service using a WAR package.
-> * Configure a Spring Boot web application to use Azure Active Directory (Azure AD) authentication with MySQL Database.
+> * Configure a Spring Boot web application to use Microsoft Entra authentication with MySQL Database.
> * Connect to MySQL Database with Managed Identity using Service Connector. [!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
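Review bot: The renamed checklist item says "Configure a Spring Boot web application", but the tutorial title and the preceding checklist item describe a JBoss EAP app deployed as a WAR package; confirm whether "Spring Boot" should read "JBoss EAP" here, since the rename touches this line anyway.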
Follow these steps to create an Azure Database for MySQL in your subscription. T
az group create --name $RESOURCE_GROUP --location $LOCATION ```
-1. Create an Azure Database for MySQL server. The server is created with an administrator account, but it isn't used because we're going to use the Azure AD admin account to perform administrative tasks.
+1. Create an Azure Database for MySQL server. The server is created with an administrator account, but it isn't used because we're going to use the Microsoft Entra admin account to perform administrative tasks.
```azurecli-interactive export MYSQL_ADMIN_USER=azureuser
Install the Service Connector passwordless extension for the Azure CLI:
az extension add --name serviceconnector-passwordless --upgrade ```
-Then, use the following command to create a user-assigned managed identity for Azure Active Directory authentication. For more information, see [Set up Azure Active Directory authentication for Azure Database for MySQL - Flexible Server](/azure/mysql/flexible-server/how-to-azure-ad).
+Then, use the following command to create a user-assigned managed identity for Microsoft Entra authentication. For more information, see [Set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server](/azure/mysql/flexible-server/how-to-azure-ad).
```azurecli export USER_IDENTITY_NAME=<your-user-assigned-managed-identity-name>
az webapp connection create mysql-flexible \
This Service Connector command does the following tasks in the background: * Enable system-assigned managed identity for the app `$APPSERVICE_NAME` hosted by Azure App Service.
-* Set the Azure Active Directory admin to the current signed-in user.
+* Set the Microsoft Entra admin to the current signed-in user.
* Add a database user for the system-assigned managed identity in step 1 and grant all privileges of the database `$DATABASE_NAME` to this user. You can get the user name from the connection string in the output from the previous command. * Add a connection string to App Settings in the app named `AZURE_MYSQL_CONNECTIONSTRING`.
service-connector Tutorial Passwordless https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-connector/tutorial-passwordless.md
az webapp connection create postgres-flexible \
::: zone pivot="mysql"
-Azure Database for MySQL - Flexible Server requires a user-assigned managed identity to enable Azure Active Directory authentication. For more information, see [Set up Azure Active Directory authentication for Azure Database for MySQL - Flexible Server](../mysql/flexible-server/how-to-azure-ad.md). You can use the following command to create a user-assigned managed identity:
+Azure Database for MySQL - Flexible Server requires a user-assigned managed identity to enable Microsoft Entra authentication. For more information, see [Set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server](../mysql/flexible-server/how-to-azure-ad.md). You can use the following command to create a user-assigned managed identity:
```azurecli USER_IDENTITY_NAME=<YOUR_USER_ASSIGNED_MANAGEMED_IDENTITY_NAME>
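Review bot: The unchanged placeholder on the line following the renamed sentence, `<YOUR_USER_ASSIGNED_MANAGEMED_IDENTITY_NAME>`, misspells MANAGED as MANAGEMED; readers copy these placeholders into shell variables, so suggest correcting it to `<YOUR_USER_ASSIGNED_MANAGED_IDENTITY_NAME>` in this change.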
az webapp connection create sql \
This Service Connector command completes the following tasks in the background: - Enable system-assigned managed identity, or assign a user identity for the app `$APPSERVICE_NAME` hosted by Azure App Service/Azure Spring Apps/Azure Container Apps.-- Set the Azure Active Directory admin to the current signed-in user.
+- Set the Microsoft Entra admin to the current signed-in user.
- Add a database user for the system-assigned managed identity, user-assigned managed identity, or service principal. Grant all privileges of the database `$DATABASE_NAME` to this user. The username can be found in the connection string in preceding command output. - Set configurations named `AZURE_MYSQL_CONNECTIONSTRING`, `AZURE_POSTGRESQL_CONNECTIONSTRING`, or `AZURE_SQL_CONNECTIONSTRING` to the Azure resource based on the database type. - For App Service, the configurations are set in the **App Settings** blade.
If you encounter any permission-related errors, confirm the Azure CLI signed-in
| Permission | Operation | | | | | `Microsoft.DBforPostgreSQL/flexibleServers/read` | Required to get information of database server |
-| `Microsoft.DBforPostgreSQL/flexibleServers/write` | Required to enable Azure AD authentication for database server |
+| `Microsoft.DBforPostgreSQL/flexibleServers/write` | Required to enable Microsoft Entra authentication for database server |
| `Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write` | Required to create firewall rule in case the local IP address is blocked | | `Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/delete` | Required to revert the firewall rule created by Service Connector to avoid security issue |
-| `Microsoft.DBforPostgreSQL/flexibleServers/administrators/read` | Required to check if Azure CLI login user is a database server Azure AD administrator |
-| `Microsoft.DBforPostgreSQL/flexibleServers/administrators/write` | Required to add Azure CLI login user as database server Azure AD administrator |
+| `Microsoft.DBforPostgreSQL/flexibleServers/administrators/read` | Required to check if Azure CLI login user is a database server Microsoft Entra administrator |
+| `Microsoft.DBforPostgreSQL/flexibleServers/administrators/write` | Required to add Azure CLI login user as database server Microsoft Entra administrator |
::: zone-end
If you encounter any permission-related errors, confirm the Azure CLI signed-in
| `Microsoft.DBforMySQL/flexibleServers/write` | Required to add the provided User assigned managed identity to database server | | `Microsoft.DBforMySQL/flexibleServers/firewallRules/write` | Required to create firewall rule in case the local IP address is blocked | | `Microsoft.DBforMySQL/flexibleServers/firewallRules/delete` | Required to revert the firewall rule created by Service Connector to avoid security issue |
-| `Microsoft.DBforMySQL/flexibleServers/administrators/read` | Required to check if Azure CLI login user is a database server Azure AD administrator |
-| `Microsoft.DBforMySQL/flexibleServers/administrators/write` | Required to add Azure CLI login user as database server Azure AD administrator |
+| `Microsoft.DBforMySQL/flexibleServers/administrators/read` | Required to check if Azure CLI login user is a database server Microsoft Entra administrator |
+| `Microsoft.DBforMySQL/flexibleServers/administrators/write` | Required to add Azure CLI login user as database server Microsoft Entra administrator |
::: zone-end
If you encounter any permission-related errors, confirm the Azure CLI signed-in
| `Microsoft.Sql/servers/read` | Required to get information of database server | | `Microsoft.Sql/servers/firewallRules/write` | Required to create firewall rule in case the local IP address is blocked | | `Microsoft.Sql/servers/firewallRules/delete` | Required to revert the firewall rule created by Service Connector to avoid security issue |
-| `Microsoft.Sql/servers/administrators/read` | Required to check if Azure CLI login user is a database server Azure AD administrator |
-| `Microsoft.Sql/servers/administrators/write` | Required to add Azure CLI login user as database server Azure AD administrator |
+| `Microsoft.Sql/servers/administrators/read` | Required to check if Azure CLI login user is a database server Microsoft Entra administrator |
+| `Microsoft.Sql/servers/administrators/write` | Required to add Azure CLI login user as database server Microsoft Entra administrator |
::: zone-end In some cases, the permissions aren't required. For example, if the Azure CLI-authenticated user is already an Active Directory Administrator on SQL server, you don't need to have the `Microsoft.Sql/servers/administrators/write` permission.
-#### Azure Active Directory
+<a name='azure-active-directory'></a>
-If you get an error `ERROR: AADSTS530003: Your device is required to be managed to access this resource.`, ask your IT department for help with joining this device to Azure Active Directory. For more information, see [Azure AD-joined devices](../active-directory/devices/concept-azure-ad-join.md).
+#### Microsoft Entra ID
-Service Connector needs to access Azure Active Directory to get information of your account and managed identity of hosting service. You can use the following command to check if your device can access Azure Active Directory:
+If you get an error `ERROR: AADSTS530003: Your device is required to be managed to access this resource.`, ask your IT department for help with joining this device to Microsoft Entra ID. For more information, see [Microsoft Entra joined devices](../active-directory/devices/concept-azure-ad-join.md).
+
+Service Connector needs to access Microsoft Entra ID to get information of your account and managed identity of hosting service. You can use the following command to check if your device can access Microsoft Entra ID:
```azurecli az ad signed-in-user show
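Review bot: The Azure AD to Microsoft Entra rename misses the unchanged sentence "if the Azure CLI-authenticated user is already an Active Directory Administrator on SQL server" in the trailing context, which now sits directly under table rows that say "Microsoft Entra administrator"; suggest updating it in the same change unless it intentionally quotes a portal label. Keeping the `<a name='azure-active-directory'></a>` anchor above the renamed heading is the right call, since existing deep links to the old heading id keep resolving.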
az ad signed-in-user show
If you don't log in interactively, you may also get the error and `Interactive authentication is needed`. To resolve the error, log in with the `az login` command.
-## Connect to database with Azure Active Directory authentication
+<a name='connect-to-database-with-azure-active-directory-authentication'></a>
+
+## Connect to database with Microsoft Entra authentication
-After creating the connection, you can use the connection string in your application to connect to the database with Azure Active Directory authentication. For example, you can use the following solutions to connect to the database with Azure Active Directory authentication.
+After creating the connection, you can use the connection string in your application to connect to the database with Microsoft Entra authentication. For example, you can use the following solutions to connect to the database with Microsoft Entra authentication.
:::zone pivot="postgresql" :::zone-end :::zone pivot="mysql" :::zone-end
After creating the connection, you can use the connection string in your applica
:::zone pivot="sql" :::zone-end
service-fabric Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/service-fabric/policy-reference.md
Previously updated : 09/19/2023 Last updated : 10/10/2023 # Azure Policy built-in definitions for Azure Service Fabric
site-recovery Azure To Azure How To Enable Zone To Zone Disaster Recovery https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery.md
Title: Enable Zone to Zone Disaster Recovery for Azure Virtual Machines
-description: This article describes when and how to use Zone to Zone Disaster Recovery for Azure virtual machines.
+ Title: Enable zone-to-zone disaster recovery for Azure virtual machines
+description: This article describes when and how to use zone-to-zone disaster recovery for Azure virtual machines.
# Enable Azure VM disaster recovery between availability zones
-This article describes how to replicate, failover, and failback Azure virtual machines from one Availability Zone to another, within the same Azure region.
+This article describes how to replicate, fail over, and fail back Azure virtual machines (VMs) from one availability zone to another within the same Azure region.
-Site Recovery service contributes to your business continuity and disaster recovery strategy by keeping your business apps up and running, during planned and unplanned outages. It's the recommended Disaster Recovery option to keep your applications up and running if there are regional outages.
+The Azure Site Recovery service can contribute to your strategy for business continuity and disaster recovery by keeping your business apps running during planned and unplanned outages. We recommend Site Recovery as the disaster recovery option to keep your applications running if there are regional outages.
-Availability Zones are unique physical locations within an Azure region. Each zone has one or more datacenters.
+Availability zones are unique physical locations within an Azure region. Each zone has one or more datacenters.
-If you want to move VMs to an availability zone in a different region, [review this article](../resource-mover/move-region-availability-zone.md).
+If you want to move VMs to an availability zone in a different region, review [this article](../resource-mover/move-region-availability-zone.md).
-## Supported regions for Zone to Zone Disaster Recovery
+## Supported regions for zone-to-zone disaster recovery
-Support for Zone to Zone disaster recovery is currently limited to the following regions:
+Support for zone-to-zone disaster recovery is currently limited to the following regions:
-| **Americas** | Europe | Middle East | Africa | APAC |
+| Americas | Europe | Middle East | Africa | APAC |
|--|--|-|--|--| | Canada Central | UK South | Qatar Central | South Africa North | Southeast Asia | | US Gov Virginia | West Europe | | | East Asia |
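Review bot: The added metadata line `+ Title: Enable zone-to-zone disaster recovery for Azure virtual machines` begins with a leading space, whereas the added `description:` line directly below it starts at column one; in YAML front matter a leading space changes how the key is nested, so confirm the indentation is intentional before merging. The prose rewrites in this hunk (lowercase "availability zones", "fail over"/"fail back" as verbs, "Site Recovery" named in full) read well.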
Support for Zone to Zone disaster recovery is currently limited to the following
| East US | Norway East | | | Australia East | | East US 2 | France Central | | | Central India | | West US 2 | Switzerland North | | | China North 3 |
-| West US 3 | Sweden Central (Managed Access) | | | |
+| West US 3 | Sweden Central (managed access) | | | |
| Brazil South | Poland Central | | | | | | Italy North | | | |
-
-Site Recovery doesn't move or store customer data out of the region in which it's deployed when the customer is using Zone to Zone Disaster Recovery. Customers can select a Recovery Services Vault from a different region if they so choose. The Recovery Services Vault contains metadata but no actual customer data.
->[!Note]
->Zone to Zone disaster recovery isn't supported for VMs having ZRS managed disks.
+When you use zone-to-zone disaster recovery, Site Recovery doesn't move or store data out of the region in which it's deployed. You can select a Recovery Services vault from a different region if you want one. The Recovery Services vault contains metadata but no actual customer data.
-## Using Availability Zones for Disaster Recovery
+> [!Note]
+> Zone-to-zone disaster recovery isn't supported for VMs that have managed disks via zone-redundant storage (ZRS).
-Typically, Availability Zones are used to deploy VMs in a High Availability configuration. They could be too close to each other to serve as a Disaster Recovery solution in natural disaster.
+## Using availability zones for disaster recovery
-However, in some scenarios, Availability Zones can be used for Disaster Recovery:
+Typically, customers use availability zones to deploy VMs in a high-availability configuration. Those VMs might be too close to each other to serve as a disaster recovery solution in natural disaster.
-- Many customers who had a metro Disaster Recovery strategy while hosting applications on-premises sometimes look to mimic this strategy once they migrate applications over to Azure. These customers acknowledge the fact that metro Disaster Recovery strategy might not work in a large-scale physical disaster and accept this risk. For such customers, Zone to Zone Disaster Recovery can be used as a Disaster Recovery option.-- Many other customers have complicated networking infrastructure and don't wish to recreate it in a secondary region due to the associated cost and complexity. Zone to Zone Disaster Recovery reduces complexity as it uses redundant networking concepts across Availability Zones making configuration simpler. Such customers prefer simplicity and can also use Availability Zones for Disaster Recovery.-- In some regions that don't have a paired region within the same legal jurisdiction (for example, Southeast Asia), Zone to Zone Disaster Recovery can serve as the defacto Disaster Recovery solution as it helps ensure legal compliance, since your applications and data don't move across national boundaries.
+However, in some scenarios, customers can use availability zones for disaster recovery:
-- Zone to Zone Disaster Recovery implies replication of data across shorter distances when compared with Azure to Azure Disaster Recovery and therefore, you can see lower latency and therefore lower RPO.
+- Customers who had a metro disaster recovery strategy while hosting applications on-premises sometimes want to mimic this strategy after they migrate applications to Azure. These customers acknowledge that a metro disaster recovery strategy might not work in a large-scale physical disaster, and they accept this risk. Such customers can use zone-to-zone disaster recovery.
+- Many customers have complicated networking infrastructure and don't want to re-create it in a secondary region because of the associated cost and complexity. Zone-to-zone disaster recovery reduces complexity. It uses redundant networking concepts across availability zones to make configuration simpler. Such customers prefer simplicity and can also use availability zones for disaster recovery.
+- In some regions that don't have a paired region within the same legal jurisdiction (for example, Southeast Asia), zone-to-zone disaster recovery can serve as the disaster recovery solution. It helps ensure legal compliance, because applications and data don't move across national boundaries.
+- Zone-to-zone disaster recovery implies replication of data across shorter distances when compared with Azure-to-Azure disaster recovery. It can reduce latency and therefore reduce recovery point objective (RPO).
-While these are strong advantages, there's a possibility that Zone to Zone Disaster Recovery can fall short of resilience requirements in the event of a region-wide natural disaster.
+Although these are strong advantages, there's a possibility that zone-to-zone disaster recovery can fall short of resilience requirements in the event of a region-wide natural disaster.
-## Networking for Zone to Zone Disaster Recovery
+## Networking for zone-to-zone disaster recovery
-As mentioned before, Zone to Zone Disaster Recovery reduces complexity as it uses redundant networking concepts across Availability Zones making configuration simpler. The behavior of networking components in the Zone to Zone Disaster Recovery scenario is outlined as follows:
+As mentioned before, zone-to-zone disaster recovery uses redundant networking concepts across availability zones to reduce complexity. The behavior of networking components in the zone-to-zone disaster recovery scenario is outlined as follows:
-- **Virtual Network**: You can use the same virtual network as the source network for actual failovers. Use a different virtual network to the source virtual network for test failovers.
+- **Virtual network**: You can use the same virtual network as the source network for actual failovers. For test failovers, use a virtual network that's different from the source virtual network.
- **Subnet**: Failover into the same subnet is supported.-- **Private IP address**: If you're using static IP addresses, you can use the same IPs in the target zone if you choose to configure them in such a manner.
- However, for each VM protected by Azure Site Recovery for which you wish to use the same IP on target zone, you must have a free IP available in the subnet as Azure Site Recovery uses it during failover. Azure Site Recovery allocates this free IP address to the source VM to free up the target IP address. Azure Site Recovery then allocates the target IP address to the target VM.
-- **Accelerated Networking**: Similar to Azure to Azure Disaster Recovery, you can enable Accelerated Networking if the VM SKU supports it.-- **Public IP address**: You can attach a previously created standard public IP address in the same region to the target VM. Basic public IP addresses don't support Availability Zone related scenarios.-- **Load balancer**: Standard load balancer is a regional resource and therefore the target VM can be attached to the backend pool of the same load balancer. A new load balancer isn't required.-- **Network Security Group**: You can use the same network security groups as applied to the source VM.
+- **Private IP address**: If you're using static IP addresses, you can use the same IP addresses in the target zone if you choose to configure them that way.
+
+ When you use Azure Site Recovery, you must have a free IP address available in the subnet for each VM for which you want to use the same IP address in the target zone. During failover, Azure Site Recovery allocates this free IP address to the source VM to free up the target IP address. Azure Site Recovery then allocates the target IP address to the target VM.
+- **Accelerated networking**: Similar to Azure-to-Azure disaster recovery, you can enable accelerated networking if the VM type supports it.
+- **Public IP address**: You can attach a previously created standard public IP address in the same region to the target VM. Basic public IP addresses don't support scenarios related to availability zones.
+- **Load balancer**: A standard load balancer is a regional resource, so the target VM can be attached to the back-end pool of the same load balancer. A new load balancer isn't required.
+- **Network security group**: You can use the same network security groups that you applied to the source VM.
## Prerequisites
-Before deploying Zone to Zone Disaster Recovery for your VMs, it's important to ensure that other features enabled on the VM are interoperable with zone to zone disaster recovery.
+Before you deploy zone-to-zone disaster recovery for your VMs, ensure that other features enabled on the VMs are interoperable with it.
|Feature | Support statement | |||
-|Classic VMs | Not supported |
-|ARM VMs | Supported |
-|Azure Disk Encryption v1 (dual pass, with Azure Active Directory (Azure AD)) | Supported |
-|Azure Disk Encryption v2 (single pass, without Azure AD) | Supported |
-|Unmanaged disks | Not supported |
-|Managed disks | Supported |
-|Customer-managed keys | Supported |
-|Proximity placement groups | Supported |
-|Backup interoperability | File level backup and restore are supported. Disk and VM level backup and restore aren't supported. |
-|Hot add/remove | Disks can be added after enabling zone to zone replication. Removal of disks after enabling zone to zone replication isn't supported. |
+|VMs (classic) | Not supported. |
+|VMs (Azure Resource Manager) | Supported. |
+|Azure Disk Encryption v1 (dual pass, with Microsoft Entra ID) | Supported. |
+|Azure Disk Encryption v2 (single pass, without Microsoft Entra ID) | Supported. |
+|Unmanaged disks | Not supported. |
+|Managed disks | Supported. |
+|Customer-managed keys | Supported. |
+|Proximity placement groups | Supported. |
+|Backup interoperability | File-level backup and restore are supported. Disk and VM-level backup and restore aren't supported. |
+|Hot add/remove | You can add disks after you enable zone-to-zone replication. Removing disks after you enable zone-to-zone replication isn't supported. |
-## Set up Site Recovery Zone to Zone Disaster Recovery
+## Set up Site Recovery zone-to-zone disaster recovery
-### Log in
+### Sign in
-Log in to the Azure portal.
+Sign in to the Azure portal.
### Enable replication for the zonal Azure virtual machine
-1. On the Azure portal menu, select Virtual machines, or search for and select Virtual machines on any page. Select the VM you want to replicate. For zone to zone disaster recovery, this VM must already be in an availability zone.
-1. In Operations, select Disaster recovery.
-1. Under Basics tab, select **Yes** for **Disaster Recovery between Availability Zones?**
+1. On the Azure portal menu, select **Virtual machines**, or search for and select **Virtual machines** on any page. Then select the VM that you want to replicate. For zone-to-zone disaster recovery, this VM must already be in an availability zone.
+1. In **Operations**, select **Disaster recovery**.
+1. On the **Basics** tab, for **Disaster recovery between availability zones?**, select **Yes**.
+
+ :::image type="Basic Settings page" source="./media/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery/zonal-disaster-recovery-basic-settings.png" alt-text="Screenshot of the page for basic settings of disaster recovery.":::
- :::image type="Basic Settings page" source="./media/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery/zonal-disaster-recovery-basic-settings.png" alt-text="Screenshot of Basic Settings page.":::
+1. If you accept all defaults, skip to the next step.
-1. If you accept all defaults, select **Review + Start replication** followed by **Start replication**.
-1. If you want to make changes to the replication settings, click on **Next: Advanced settings**.
-1. Change the settings away from default wherever appropriate. For users of Azure to Azure Disaster Recovery, this page might seem familiar. More details on the options presented on this blade can be found [here](./azure-to-azure-tutorial-enable-replication.md)
-
- :::image type="Advanced Settings page" source="./media/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery/zonal-disaster-recovery-advanced-settings.png" alt-text="Screenshot of Advanced Settings page.":::
+ If you want to make changes to the replication settings, select **Next: Advanced settings**. For users of Azure-to-Azure disaster recovery, this tab might seem familiar. For details about the options on this tab, see [Tutorial: Set up disaster recovery for Azure VMs](./azure-to-azure-tutorial-enable-replication.md).
-1. Select **Next: Review + Start** replication and then **Start replication**.
+ :::image type="Advanced Settings page" source="./media/azure-to-azure-how-to-enable-zone-to-zone-disaster-recovery/zonal-disaster-recovery-advanced-settings.png" alt-text="Screenshot of advanced settings for disaster recovery.":::
+
+1. Go to the **Review + Start replication** tab, and then select **Start replication**.
## FAQs
-**1. How does pricing work for Zone to Zone Disaster Recovery?**
-Pricing for Zone to Zone Disaster Recovery is identical to the pricing of Azure to Azure Disaster Recovery. You can find more details on the pricing page [here](https://azure.microsoft.com/pricing/details/site-recovery/) and [here](https://azure.microsoft.com/blog/know-exactly-how-much-it-will-cost-for-enabling-dr-to-your-azure-vm/). The egress charges that you would see in zone to zone disaster recovery would be lower than region to region disaster recovery. For data transfer charges between Availability Zones, check [here](https://azure.microsoft.com/pricing/details/bandwidth/).
+**How does pricing work for zone-to-zone disaster recovery?**
+Pricing for zone-to-zone disaster recovery is identical to the pricing for Azure-to-Azure disaster recovery. You can find more details on the [Azure Site Recovery pricing page](https://azure.microsoft.com/pricing/details/site-recovery/) and in [this blog post](https://azure.microsoft.com/blog/know-exactly-how-much-it-will-cost-for-enabling-dr-to-your-azure-vm/).
+
+The egress charges in zone-to-zone disaster recovery are lower than the egress charges in region-to-region disaster recovery. For information about data transfer charges between availability zones, see the [bandwidth pricing page](https://azure.microsoft.com/pricing/details/bandwidth/).
-**2. What is the SLA for RTO and RPO?**
-The RTO SLA is the same as that for Site Recovery overall. We promise RTO of up to 2 hours. There's no defined SLA for RPO.
+**What is the SLA for RTO and RPO?**
+The service-level agreement (SLA) for recovery time objective (RTO) is the same as the SLA for Site Recovery overall. We promise an RTO of up to two hours. There's no defined SLA for RPO.
-**3. Is capacity guaranteed in the secondary zone?**
-The Site Recovery team and Azure capacity management team plan for sufficient infrastructure capacity. When you start a failover, the teams also help ensure VM instances that are protected by Site Recovery deploys to the target zone. Check [here](./azure-to-azure-common-questions.md#capacity) for more FAQs on Capacity.
+**Is capacity guaranteed in the secondary zone?**
+The Site Recovery team and the Azure capacity management team plan for sufficient infrastructure capacity. When you start a failover, the teams also help ensure that VM instances protected by Site Recovery deploy to the target zone. For more FAQs on capacity, check the [common questions about Azure-to-Azure disaster recovery](./azure-to-azure-common-questions.md#capacity).
-**4. Which operating systems are supported?**
-Zone to Zone Disaster Recovery supports the same operating systems as Azure to Azure Disaster Recovery. Refer to the support matrix [here](./azure-to-azure-support-matrix.md).
+**Which operating systems does zone-to-zone disaster recovery support?**
+Zone-to-zone disaster recovery supports the same operating systems as Azure-to-Azure disaster recovery. For more information, see the [support matrix](./azure-to-azure-support-matrix.md).
-**5. Can the source and target resource groups be the same?**
-No, you must fail over to a different resource group.
+**Can the source and target resource groups be the same?**
+No. You must fail over to a different resource group.
## Next steps
-The steps that need to be followed to run a Disaster Recovery drill, fail over, reprotect, and failback are the same as the steps in Azure to Azure Disaster Recovery scenario.
+The steps that you follow to run a disaster recovery drill, fail over, reprotect, and failback are the same as the steps in an Azure-to-Azure disaster recovery scenario.
-To perform a Disaster Recovery drill, follow the steps outlined [here](./azure-to-azure-tutorial-dr-drill.md).
+To perform a disaster recovery drill, follow the steps outlined in [Tutorial: Run a disaster recovery drill for Azure VMs](./azure-to-azure-tutorial-dr-drill.md).
-To perform a failover and reprotect VMs in the secondary zone, follow the steps outlined [here](./azure-to-azure-tutorial-failover-failback.md).
+To perform a failover and reprotect VMs in the secondary zone, follow the steps outlined in [Tutorial: Fail over Azure VMs to a secondary region](./azure-to-azure-tutorial-failover-failback.md).
-To failback to the primary zone, follow the steps outlined [here](./azure-to-azure-tutorial-failback.md).
+To fail back to the primary zone, follow the steps outlined [Tutorial: Fail back Azure VMs to the primary region](./azure-to-azure-tutorial-failback.md).
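Review bot: the last added line drops the preposition before the link: "follow the steps outlined [Tutorial: Fail back Azure VMs to the primary region](./azure-to-azure-tutorial-failback.md)" should read "follow the steps outlined in [Tutorial: Fail back Azure VMs to the primary region](./azure-to-azure-tutorial-failback.md)", matching the two sentences above it. While the two image directives are being touched, also fix `type="Basic Settings page"` and `type="Advanced Settings page"`: the docs image extension expects `type="content"` (or `icon`/`complex`), so the page name belongs in the alt text, not in `type`. Minor: the rewritten data-residency sentence now says "doesn't move or store data out of the region" where the original said "customer data"; keeping "customer data" preserves the precision of the claim, and the next sentence still refers to it as such.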
site-recovery Azure To Azure Support Matrix https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/azure-to-azure-support-matrix.md
Oracle Linux | 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5,
18.04 LTS |[9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0)| 4.15.0-196-generic <br> 4.15.0-1157-azure <br> 5.4.0-1098-azure <br> 4.15.0-1158-azure <br> 4.15.0-1159-azure <br> 4.15.0-201-generic <br> 4.15.0-202-generic <br> 5.4.0-1100-azure <br> 5.4.0-136-generic | 18.04 LTS | [9.51](https://support.microsoft.com/topic/update-rollup-64-for-azure-site-recovery-kb5020102-23db9799-102c-4378-9754-2f19f6c7858a) |4.15.0-1151-azure </br> 4.15.0-193-generic </br> 5.4.0-1091-azure </br> 5.4.0-126-generic</br>4.15.0-1153-azure </br>4.15.0-194-generic </br>5.4.0-1094-azure </br>5.4.0-128-generic </br>5.4.0-131-generic | |||
-20.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.4.0-1110-azure <br> 5.4.0-1111-azure <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 5.4.0-152-generic <br> 5.4.0-153-generic <br> 5.4.0-155-generic <br> 5.4.0-1112-azure <br> 5.15.0-78-generic <br> 5.15.0-1042-azure <br> 5.15.0-79-generic <br> 5.4.0-156-generic|
+20.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.4.0-1110-azure <br> 5.4.0-1111-azure <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 5.4.0-152-generic <br> 5.4.0-153-generic <br> 5.4.0-155-generic <br> 5.4.0-1112-azure <br> 5.15.0-78-generic <br> 5.15.0-1042-azure <br> 5.15.0-79-generic <br> 5.4.0-156-generic <br> 5.15.0-1047-azure <br> 5.15.0-84-generic <br> 5.4.0-1116-azure <br> 5.4.0-163-generic <br> 5.15.0-1043-azure <br> 5.15.0-1045-azure <br> 5.15.0-1046-azure <br> 5.15.0-82-generic <br> 5.15.0-83-generic |
20.04 LTS |[9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.15.0-1035-azure <br> 5.15.0-1036-azure <br> 5.15.0-69-generic <br> 5.4.0-1105-azure <br> 5.4.0-1106-azure <br> 5.4.0-146-generic <br> 5.4.0-147-generic <br> 5.15.0-1037-azure <br> 5.15.0-1038-azure <br> 5.15.0-70-generic <br> 5.15.0-71-generic <br> 5.15.0-72-generic <br> 5.4.0-1107-azure <br> 5.4.0-148-generic <br> 5.4.0-149-generic <br> 5.4.0-150-generic <br> 5.4.0-1108-azure <br> 5.4.0-1109-azure <br> 5.15.0-73-generic <br> 5.15.0-1039-azure | 20.04 LTS | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | 5.4.0-1101-azure <br> 5.15.0-1033-azure <br> 5.15.0-60-generic <br> 5.4.0-1103-azure <br> 5.4.0-139-generic <br> 5.15.0-1034-azure <br> 5.15.0-67-generic <br> 5.4.0-1104-azure <br> 5.4.0-144-generic | 20.04 LTS | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0) | 5.4.0-1095-azure <br> 5.15.0-1023-azure <br> 5.4.0-1098-azure <br> 5.15.0-1029-azure <br> 5.15.0-1030-azure <br> 5.15.0-1031-azure <br> 5.15.0-57-generic <br> 5.15.0-58-generic <br> 5.4.0-1100-azure <br> 5.4.0-136-generic <br> 5.4.0-137-generic | 20.04 LTS | [9.51](https://support.microsoft.com/topic/update-rollup-64-for-azure-site-recovery-kb5020102-23db9799-102c-4378-9754-2f19f6c7858a) |5.13.0-1009-azure </br> 5.13.0-1012-azure </br> 5.13.0-1013-azure </br> 5.13.0-1014-azure </br> 5.13.0-1017-azure </br> 5.13.0-1021-azure </br> 5.13.0-1022-azure </br> 5.13.0-1023-azure </br> 5.13.0-1025-azure </br> 5.13.0-1028-azure </br> 5.13.0-1029-azure </br> 5.13.0-1031-azure </br> 5.13.0-21-generic </br> 5.13.0-22-generic </br> 5.13.0-23-generic </br> 5.13.0-25-generic </br> 5.13.0-27-generic </br> 5.13.0-28-generic </br> 5.13.0-30-generic </br> 5.13.0-35-generic </br> 5.13.0-37-generic </br> 5.13.0-39-generic </br> 
5.13.0-40-generic </br> 5.13.0-41-generic </br> 5.13.0-44-generic </br> 5.13.0-48-generic </br> 5.13.0-51-generic </br> 5.13.0-52-generic </br> 5.15.0-1007-azure </br> 5.15.0-1008-azure </br> 5.15.0-1013-azure </br> 5.15.0-1014-azure </br> 5.15.0-1017-azure </br> 5.15.0-1019-azure </br> 5.15.0-1020-azure </br> 5.15.0-33-generic </br> 5.15.0-51-generic </br> 5.15.0-43-generic </br> 5.15.0-46-generic </br> 5.15.0-48-generic </br> 5.4.0-1091-azure </br> 5.4.0-126-generic </br> 5.15.0-1021-azure </br> 5.15.0-1022-azure </br> 5.15.0-50-generic </br> 5.15.0-52-generic </br> 5.4.0-1094-azure </br> 5.4.0-128-generic </br> 5.4.0-131-generic | |||
-22.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.15.0-78-generic <br> 5.15.0-1042-azure <br> 5.15.0-1044-azure <br> 5.15.0-79-generic |
+22.04 LTS |[9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810)| 5.15.0-1039-azure <br> 5.15.0-1040-azure <br> 5.15.0-1041-azure <br> 5.15.0-73-generic <br> 5.15.0-75-generic <br> 5.15.0-76-generic <br> 5.15.0-78-generic <br> 5.15.0-1042-azure <br> 5.15.0-1044-azure <br> 5.15.0-79-generic <br> 5.15.0-1047-azure <br> 5.15.0-84-generic <br> 5.15.0-1045-azure <br> 5.15.0-1046-azure <br> 5.15.0-82-generic <br> 5.15.0-83-generic |
22.04 LTS |[9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f)| 5.15.0-1035-azure <br> 5.15.0-1036-azure <br> 5.15.0-69-generic <br> 5.15.0-70-generic <br> 5.15.0-1037-azure <br> 5.15.0-1038-azure <br> 5.15.0-71-generic <br> 5.15.0-72-generic <br> 5.15.0-73-generic <br> 5.15.0-1039-azure | 22.04 LTS | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | 5.15.0-1003-azure <br> 5.15.0-1005-azure <br> 5.15.0-1007-azure <br> 5.15.0-1008-azure <br> 5.15.0-1010-azure <br> 5.15.0-1012-azure <br> 5.15.0-1013-azure <br> 5.15.0-1014-azure <br> 5.15.0-1017-azure <br> 5.15.0-1019-azure <br> 5.15.0-1020-azure <br> 5.15.0-1021-azure <br> 5.15.0-1022-azure <br> 5.15.0-1023-azure <br> 5.15.0-1024-azure <br> 5.15.0-1029-azure <br> 5.15.0-1030-azure <br> 5.15.0-1031-azure <br> 5.15.0-25-generic <br> 5.15.0-27-generic <br> 5.15.0-30-generic <br> 5.15.0-33-generic <br> 5.15.0-35-generic <br> 5.15.0-37-generic <br> 5.15.0-39-generic <br> 5.15.0-40-generic <br> 5.15.0-41-generic <br> 5.15.0-43-generic <br> 5.15.0-46-generic <br> 5.15.0-47-generic <br> 5.15.0-48-generic <br> 5.15.0-50-generic <br> 5.15.0-52-generic <br> 5.15.0-53-generic <br> 5.15.0-56-generic <br> 5.15.0-57-generic <br> 5.15.0-58-generic <br> 5.15.0-1033-azure <br> 5.15.0-60-generic <br> 5.15.0-1034-azure <br> 5.15.0-67-generic |
Debian 11 | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azur
**Release** | **Mobility service version** | **Kernel version** | | | |
-SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.136-azure:5 <br> 4.12.14-16.139-azure:5 <br> 4.12.14-16.146-azure:5 |
+SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.136-azure:5 <br> 4.12.14-16.139-azure:5 <br> 4.12.14-16.146-azure:5 <br> 4.12.14-16.149-azure:5 |
SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.130-azure:5 <br> 4.12.14-16.133-azure:5 | SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.124-azure:5 <br> 4.12.14-16.127-azure:5 | SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0) | All [stock SUSE 12 SP1,SP2,SP3,SP4,SP5 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 4.12.14-16.115-azure:5 <br> 4.12.14-16.120-azure:5 |
SUSE Linux Enterprise Server 12 (SP1, SP2, SP3, SP4, SP5) | [9.51](https://suppo
**Release** | **Mobility service version** | **Kernel version** | | | |
-SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.52-azure:4 <br> 4.12.14-16.139-azure:5 <br> 5.14.21-150400.14.55-azure:4 <br> 5.14.21-150400.14.60-azure:4 |
+SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.55](https://support.microsoft.com/topic/update-rollup-68-for-azure-site-recovery-a81c2d22-792b-4cde-bae5-dc7df93a7810) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.52-azure:4 <br> 4.12.14-16.139-azure:5 <br> 5.14.21-150400.14.55-azure:4 <br> 5.14.21-150400.14.60-azure:4 <br> 5.14.21-150400.14.63-azure:4 <br> 5.14.21-150400.14.66-azure:4 |
SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.54](https://support.microsoft.com/topic/update-rollup-67-for-azure-site-recovery-9fa97dbb-4539-4b6c-a0f8-c733875a119f) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.40-azure:4 <br> 5.14.21-150400.14.43-azure:4 <br> 5.14.21-150400.14.46-azure:4 <br> 5.14.21-150400.14.49-azure:4 | SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.53](https://support.microsoft.com/topic/update-rollup-66-for-azure-site-recovery-kb5023601-c306c467-c896-4c9d-b236-73b21ca27ca5) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.14.31-azure:4 <br> 5.14.21-150400.14.34-azure:4 <br> 5.14.21-150400.14.37-azure:4 | SUSE Linux Enterprise Server 15 (SP1, SP2, SP3, SP4) | [9.52](https://support.microsoft.com/topic/update-rollup-65-for-azure-site-recovery-kb5021964-15db362f-faac-417d-ad71-c22424df43e0) | By default, all [stock SUSE 15, SP1, SP2, SP3, SP4 kernels](https://www.suse.com/support/kb/doc/?id=000019587) are supported. </br></br> 5.14.21-150400.12-azure:4 <br> 5.14.21-150400.14.10-azure:4 <br> 5.14.21-150400.14.13-azure:4 <br> 5.14.21-150400.14.16-azure:4 <br> 5.14.21-150400.14.7-azure:4 <br> 5.3.18-150300.38.83-azure:3 <br> 5.14.21-150400.14.21-azure:4 <br> 5.14.21-150400.14.28-azure:4 <br> 5.3.18-150300.38.88-azure:3 |
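Review bot: in the updated SUSE 15 row for 9.55, `4.12.14-16.139-azure:5` is carried over alongside the new 5.14.21-150400.14.63 and 14.66 entries, but it is identical to an entry in the SUSE 12 (SP5) 9.55 row above and carries the `:5` suffix although this row only covers SP1 through SP4; confirm it belongs in the SUSE 15 row or drop it. Style: the kernels appended to the Ubuntu 20.04 and 22.04 rows for 9.55 are no longer in version order (5.15.0-1047-azure and 5.15.0-84-generic are inserted ahead of 5.15.0-1045-azure and 5.15.0-82-generic), which makes the table harder to scan and to diff against the next rollup.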
site-recovery Vmware Azure Set Up Replication Tutorial Modernized https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-set-up-replication-tutorial-modernized.md
VMware to Azure replication includes the following procedures:
To create and register the Azure Site Recovery replication appliance, you need an Azure account with: - Contributor or Owner permissions on the Azure subscription.-- Permissions to register Azure Active Directory (AAD) apps.
+- Permissions to register Microsoft Entra apps.
- Owner or Contributor and User Access Administrator permissions on the Azure subscription to create a Key Vault, used during agentless VMware migration. If you just created a free Azure account, you're the owner of your subscription. If you're not the subscription owner, work with the owner for the required permissions.
Use the following steps to assign the required permissions:
4. In **Add a role assignment**, Select **Add,** select the Contributor or Owner role, and select the account. Then Select **Save**.
-5. To register the Azure Site Recovery replication appliance, your Azure account needs permissions to register the Azure Active Directory apps.
+5. To register the Azure Site Recovery replication appliance, your Azure account needs permissions to register the Microsoft Entra apps.
**Follow these steps to assign required permissions**:
-1. In Azure portal, navigate to **Azure Active Directory** > **Users** > **User Settings**. In **User settings**, verify that Azure AD users can register applications (set to *Yes* by default).
+1. In Azure portal, navigate to **Microsoft Entra ID** > **Users** > **User Settings**. In **User settings**, verify that Microsoft Entra users can register applications (set to *Yes* by default).
-2. In case the **App registrations** settings is set to *No*, request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the Application Developer role to an account to allow the registration of Azure Active Directory App.
+2. In case the **App registrations** settings is set to *No*, request the tenant/global admin to assign the required permission. Alternately, the tenant/global admin can assign the Application Developer role to an account to allow the registration of Microsoft Entra App.
## Grant required permissions to the vault
Follow these steps to enable replication:
## Next steps After enabling replication, run a drill to make sure everything's working as expected. > [!div class="nextstepaction"]
-> [Run a disaster recovery drill](site-recovery-test-failover-to-azure.md)
+> [Run a disaster recovery drill](site-recovery-test-failover-to-azure.md)
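Review bot: grammar in the rewritten step 2: "In case the **App registrations** settings is set to *No*" should be "If the **App registrations** setting is set to *No*", and "allow the registration of Microsoft Entra App" should be "allow the registration of a Microsoft Entra app". In the same hunk, "In Azure portal, navigate to **Microsoft Entra ID**" needs "In the Azure portal", and "permissions to register the Microsoft Entra apps" reads better without "the", matching the earlier bullet "Permissions to register Microsoft Entra apps." The final `-`/`+` pair for the "Run a disaster recovery drill" link is textually identical, so that change is whitespace only and can be dropped from the commit if it isn't intentional.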
site-recovery Vmware Azure Troubleshoot Configuration Server https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-azure-troubleshoot-configuration-server.md
Manually stop the following
To update the configuration server, run the [unified setup](service-updates-how-to.md#links-to-currently-supported-update-rollups) again.
-## Azure Active Directory application creation failure
+<a name='azure-active-directory-application-creation-failure'></a>
-You have insufficient permissions to create an application in Azure Active Directory (Azure AD) using the [Open Virtualization Application (OVA)](vmware-azure-deploy-configuration-server.md#deploy-a-configuration-server-through-an-ova-template) template.
+## Microsoft Entra application creation failure
+
+You have insufficient permissions to create an application in Microsoft Entra ID using the [Open Virtualization Application (OVA)](vmware-azure-deploy-configuration-server.md#deploy-a-configuration-server-through-an-ova-template) template.
To resolve the issue, sign in to the Azure portal and do one of the following: -- Request the Application Developer role in Azure AD. For more information on the Application Developer role, see [Administrator role permissions in Azure Active Directory](../active-directory/roles/permissions-reference.md).-- Verify that the **User can create application** flag is set to *true* in Azure AD. For more information, see [How to: Use the portal to create an Azure AD application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app).
+- Request the Application Developer role in Microsoft Entra ID. For more information on the Application Developer role, see [Administrator role permissions in Microsoft Entra ID](../active-directory/roles/permissions-reference.md).
+- Verify that the **User can create application** flag is set to *true* in Microsoft Entra ID. For more information, see [How to: Use the portal to create a Microsoft Entra application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md#permissions-required-for-registering-an-app).
## Process server/Master Target are unable to communicate with the configuration server
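Review bot: the two bullets offer a scoped fix (Application Developer role for the deploying account) and a tenant-wide fix (the **User can create application** flag) as equals; from a least-privilege standpoint the doc should name the role assignment as the preferred option and the tenant flag as the fallback, since the flag lets every user in the directory register applications. Keeping the `<a name='azure-active-directory-application-creation-failure'></a>` anchor above the renamed heading is the right call, as existing links target the old id.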
site-recovery Vmware Physical Secondary Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/site-recovery/vmware-physical-secondary-architecture.md
If you're using a URL-based firewall proxy to control outbound connectivity, all
| **Name** | **Commercial** | **Government** | **Description** | | - | -- | - | -- | | Storage | `*.blob.core.windows.net` | `*.blob.core.usgovcloudapi.net` | Allows data to be written from the VM to the cache storage account in the source region. |
-| Azure Active Directory | `login.microsoftonline.com` | `login.microsoftonline.us` | Provides authorization and authentication to Site Recovery service URLs. |
+| Microsoft Entra ID | `login.microsoftonline.com` | `login.microsoftonline.us` | Provides authorization and authentication to Site Recovery service URLs. |
| Replication | `*.hypervrecoverymanager.windowsazure.com` | `*.hypervrecoverymanager.windowsazure.com` | Allows the VM to communicate with the Site Recovery service. | | Service Bus | `*.servicebus.windows.net` | `*.servicebus.usgovcloudapi.net` | Allows the VM to write Site Recovery monitoring and diagnostics data. |
spring-apps How To Bind Postgres https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/how-to-bind-postgres.md
Use the following steps to prepare your project.
All the connection strings and credentials are injected as environment variables, which you can reference in your application code.
-For the default environment variable names, see [Integrate Azure Database for PostgreSQL with Service Connector](../service-connector/how-to-integrate-postgres.md#default-environment-variable-names-or-application-properties).
+For the default environment variable names, see [Integrate Azure Database for PostgreSQL with Service Connector](../service-connector/how-to-integrate-postgres.md#default-environment-variable-names-or-application-properties-and-sample-codes).
Use the following steps to prepare your project.
All the connection strings and credentials will be injected as the environment variables, which can be referenced in your application codes.
-You can find the default environment variable names in this doc: [Integrate Azure Database for PostgreSQL with Service Connector](../service-connector/how-to-integrate-postgres.md#default-environment-variable-names-or-application-properties)
+You can find the default environment variable names in this doc: [Integrate Azure Database for PostgreSQL with Service Connector](../service-connector/how-to-integrate-postgres.md#default-environment-variable-names-or-application-properties-and-sample-codes)
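Review bot: the two copies of this sentence now differ only in wording: "are injected as environment variables, which you can reference in your application code" versus "will be injected as the environment variables, which can be referenced in your application codes". Align the second to the first ("application code", present tense) while the link is being touched. Because the lines state that credentials land in process environment variables, a one-sentence reminder not to dump the environment into logs or diagnostics endpoints would fit right after them.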
spring-apps Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/policy-reference.md
Title: Built-in policy definitions for Azure Spring Apps description: Lists Azure Policy built-in policy definitions for Azure Spring Apps. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
spring-apps Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/spring-apps/whats-new.md
Azure Spring Apps is improved on an ongoing basis. To help you stay up to date w
This article is updated quarterly, so revisit it regularly. You can also visit [Azure updates](https://azure.microsoft.com/updates/?query=azure%20spring), where you can search for updates or browse by category.
-## June 2023
+## Q3 2023
+
+The following updates are now available in the Enterprise plan:
+
+- **Spring Cloud Gateway enables you to set log level per logger name**: Spring Cloud Gateway now supports precise control over the generation of log messages and their respective verbosity levels. This enhancement enables you to concentrate your attention on specific areas within the codebase that warrant closer inspection and monitoring. For more information, see the [Configure log levels](how-to-configure-enterprise-spring-cloud-gateway.md#configure-log-levels) section of [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md) and [Troubleshoot VMware Spring Cloud Gateway](how-to-troubleshoot-enterprise-spring-cloud-gateway.md).
+
+- **Spring Cloud Gateway supports a restart operation using the Azure portal and the Azure CLI**: This enhancement enables you to initiate a restart of Spring Cloud Gateway conveniently, either through the Azure portal or by using Azure CLI commands, in alignment with your preferred schedule. For more information, see the [Restart VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md#restart-vmware-spring-cloud-gateway) section of [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md).
+
+- **Spring Cloud Gateway supports Cross-Origin Resource Sharing (CORS)**: Spring Cloud Gateway now enables you to restrict access to resources to specific domains by using Cross-Origin Resource Sharing (CORS). For more information, see the [Configure cross-origin resource sharing](how-to-configure-enterprise-spring-cloud-gateway.md#configure-cross-origin-resource-sharing) section of [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md).
+
+- **Spring Cloud Gateway exposes addon properties**: This update enables you to configure advanced properties of Spring Cloud Gateway that serve specific use cases that might not be universally recommended. This capability brings you the flexibility to fine-tune Spring Cloud Gateway to address particular scenarios and requirements. For more information, see the [Update add-on configuration](how-to-configure-enterprise-spring-cloud-gateway.md#update-add-on-configuration) section of [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md).
+
+- **API Portal supports single sign-on with multiple replicas**: This update removes the restriction that prevents you from getting better reliability by configuring multiple replicas of your API Portal instance when single sign-on is enabled. For more information, see the [Configure single sign-on (SSO)](how-to-use-enterprise-api-portal.md#configure-single-sign-on-sso) section of [Use API portal for VMware Tanzu](how-to-use-enterprise-api-portal.md).
+
+- **Accelerator supports Git repositories in Azure DevOps**: Application Accelerator maintains ready-made, enterprise-conformant code and configurations in Git repositories. Now, Application Accelerator enables loading accelerators directly from Git repositories hosted in Azure DevOps. For more information, see the [Manage your own accelerators](how-to-use-accelerator.md#manage-your-own-accelerators) section of [Use VMware Tanzu Application Accelerator with the Azure Spring Apps Enterprise plan](how-to-use-accelerator.md).
+
+- **Accelerator supports fragments and sub paths**: Application Accelerator supports fragments, enabling the efficient reuse of sections within an accelerator. This functionality saves you effort when you add new accelerators. For more information, see the [Reference a fragment in your own accelerators](how-to-use-accelerator.md#reference-a-fragment-in-your-own-accelerators) section of [Use VMware Tanzu Application Accelerator with the Azure Spring Apps Enterprise plan](how-to-use-accelerator.md).
+
+- **Native image support**: Native images generally have smaller memory footprints and quicker startup times when compared to their JVM counterparts. With this feature, you can deploy Spring Boot native image applications using the `java-native-image` buildpack. For more information, see the [Deploy Java Native Image applications](how-to-enterprise-deploy-polyglot-apps.md#deploy-java-native-image-applications-preview) section of [How to deploy polyglot apps in the Azure Spring Apps Enterprise plan](how-to-enterprise-deploy-polyglot-apps.md).
+
+- **Support for the PHP Buildpack**: You can use the PHP buildpack with PHP runtimes. For more information, see the [Deploy PHP applications](how-to-enterprise-deploy-polyglot-apps.md#deploy-php-applications) section of [How to deploy polyglot apps in the Azure Spring Apps Enterprise plan](how-to-enterprise-deploy-polyglot-apps.md).
+
+- **New Relic APM support for .NET apps**: New Relic is a software analytics tool suite to measure and monitor performance bottlenecks, throughput, service health, and more. This update enables you to bind your .NET application with New Relic Application Performance Monitoring (APM). For more information, see the [Supported APM types](how-to-enterprise-configure-apm-integration-and-ca-certificates.md#supported-apm-types) section of [How to configure APM integration and CA certificates](how-to-enterprise-configure-apm-integration-and-ca-certificates.md).
+
+The following update is now available in the Standard consumption and dedicated plan:
+
+- **JHipster Azure Spring Apps**: With the collaboration between the [JHipster](https://www.jhipster.tech/azure/) and Azure Spring Apps teams, JHipster Azure Spring Apps is designed to streamline your full-stack Spring application development and deployment from end to end. For more information, see [Build and deploy your full-stack Spring app with JHipster Azure Spring Apps](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/build-and-deploy-your-full-stack-spring-app-with-jhipster-azure/ba-p/3923268).
+
+## Q2 2023
The following update announces a new plan:
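Review bot: the CORS bullet overstates what the feature provides: "restrict access to resources to specific domains by using Cross-Origin Resource Sharing (CORS)" presents CORS as an access-control mechanism, but CORS only governs whether a browser lets a page from another origin read the response; non-browser clients are unaffected, so routes still need their own authentication. Suggest "control which origins browsers may read gateway responses from". Separately, the native image bullet links to the anchor `#deploy-java-native-image-applications-preview` while the bullet text never says the feature is in preview; add "(preview)" if that is still the case.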
The following updates are now available in the Enterprise plan:
- **App Accelerator certificate verification**: This update provides certification verification over TLS between App Accelerator and Git repos. For more information, see the [Configure accelerators with a self-signed certificate](how-to-use-accelerator.md#configure-accelerators-with-a-self-signed-certificate) section of [Use VMware Tanzu Application Accelerator with the Azure Spring Apps Enterprise plan](how-to-use-accelerator.md).
-## March 2023
+## Q1 2023
The following updates are now available in both the Basic/Standard and Enterprise plans:
The following updates are now available in both the Basic/Standard and Enterpris
The following updates are now available in the Enterprise plan: -- **More options for build pools and allow queueing of build jobs**: Build service now supports a large build agent pool and allows at most one pool-sized build task to build, and twice the pool-sized build tasks to queue. For more information, see the [Build agent pool](how-to-enterprise-build-service.md#build-agent-pool) section of [Use Tanzu Build Service](how-to-enterprise-build-service.md).
+- **More options for build pools and enable queueing of build jobs**: Build service now supports a large build agent pool and enables at most one pool-sized build task to build, and twice the pool-sized build tasks to queue. For more information, see the [Build agent pool](how-to-enterprise-build-service.md#build-agent-pool) section of [Use Tanzu Build Service](how-to-enterprise-build-service.md).
- **Improved SLA support**: Improved SLA for mission-critical workloads. For more information, see [SLA for Azure Spring Apps](https://azure.microsoft.com/support/legal/sla/spring-apps). - **High vCPU and memory app support**: Deployment support for large CPU and memory applications to support CPU intensive or memory intensive workloads. For more information, see [Deploy large CPU and memory applications in Azure Spring Apps in the Enterprise plan](how-to-enterprise-large-cpu-memory-applications.md). -- **SCG APM & certificate verification support**: You can allow configuration of APM and TLS certificate verification between Spring Cloud Gateway and applications. For more information, see the [Configure application performance monitoring](how-to-configure-enterprise-spring-cloud-gateway.md#configure-application-performance-monitoring) section of [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md).
+- **SCG APM & certificate verification support**: You can enable the configuration of APM and TLS certificate verification between Spring Cloud Gateway and applications. For more information, see the [Configure application performance monitoring](how-to-configure-enterprise-spring-cloud-gateway.md#configure-application-performance-monitoring) section of [Configure VMware Spring Cloud Gateway](how-to-configure-enterprise-spring-cloud-gateway.md).
-- **Tanzu Components on demand**: You can allow enabling or disabling of Tanzu components after service provisioning. You can also learn how to do that per Tanzu component doc. For more information, see the [Enable/disable Application Configuration Service after service creation](how-to-enterprise-application-configuration-service.md#enabledisable-application-configuration-service-after-service-creation) section of [Use Application Configuration Service for Tanzu](how-to-enterprise-application-configuration-service.md).
+- **Tanzu Components on demand**: You can enable or disable Tanzu components after service provisioning. You can also learn how to do that per Tanzu component doc. For more information, see the [Enable/disable Application Configuration Service after service creation](how-to-enterprise-application-configuration-service.md#enabledisable-application-configuration-service-after-service-creation) section of [Use Application Configuration Service for Tanzu](how-to-enterprise-application-configuration-service.md).
-## December 2022
+## Q4 2022
The following updates are now available in both the Basic/Standard and Enterprise plans:
The following updates are now available in the Enterprise plan:
- **Managed Spring Cloud Gateway enhancement**: We have newly added app-level routing rule support to simplify your routing rule configuration and TLS support from the gateway to apps in managed Spring Cloud Gateway. For more information, see [Use Spring Cloud Gateway](how-to-use-enterprise-spring-cloud-gateway.md).
-## September 2022
+## Q3 2022
The following updates are now available to help customers reduce adoption barriers and pricing frictions to take full advantage of the capabilities offered by Azure Spring Apps Enterprise.
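Review bot: "You can also learn how to do that per Tanzu component doc." in the Tanzu components bullet is awkward; suggest "Each Tanzu component's documentation describes how." The build pool bullet's "enables at most one pool-sized build task to build, and twice the pool-sized build tasks to queue" is hard to parse; consider "runs up to one pool's worth of build tasks at a time and queues up to twice that many". In the SCG bullet, "You can enable the configuration of APM and TLS certificate verification" reads better as "You can configure APM and TLS certificate verification".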
sql-database Sql Database Import Purview Labels https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/sql-database/scripts/sql-database-import-purview-labels.md
This document describes how to add Microsoft Purview labels in your Azure SQL Da
## Create an application
-1. From the Azure portal, open your **Azure Active Directory**.
+1. From the Azure portal, open your **Microsoft Entra ID**.
2. Under **Manage**, select **App registration**.
-3. Create a new Azure Active Directory app by selecting **New Application**.
+3. Create a new Microsoft Entra app by selecting **New Application**.
4. Enter a name for your application, and select **Register**. 5. After your application is created, open **Certificates & secrets** under **Manager**. 6. Create a new client secret by selecting on **New client secret** under **Client secrets**.
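Review bot: step 5 says "open **Certificates & secrets** under **Manager**" while step 2 says "Under **Manage**"; the menu is **Manage**, so fix the typo while renaming. Step 6's "by selecting on **New client secret**" should drop "on". Because this step mints a client secret that a script will use, the doc should tell the reader to copy the secret value when it is shown, keep it in a secret store rather than in the script, and choose an expiry rather than the longest available one.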
static-web-apps Assign Roles Microsoft Graph https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/static-web-apps/assign-roles-microsoft-graph.md
This article demonstrates how to use a function to query [Microsoft Graph](https
In this tutorial, you learn to: - Deploy a static web app.-- Create an Azure Active Directory app registration.-- Set up custom authentication with Azure Active Directory.
+- Create a Microsoft Entra app registration.
+- Set up custom authentication with Microsoft Entra ID.
- Configure a [serverless function](authentication-custom.md#manage-roles) that queries the user's Active Directory group membership and returns a list of custom roles. > [!NOTE]
There's a function named *GetRoles* in the app's API. This function uses the use
| Requirement | Comments | ||| | Active Azure account | If you don't have one, you can [create an account for free](https://azure.microsoft.com/free/). |
-| Azure Active Directory permissions | You must have sufficient permissions to create an Azure Active Directory application. |
+| Microsoft Entra permissions | You must have sufficient permissions to create a Microsoft Entra application. |
## Create a GitHub repository
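Review bot: the rename is incomplete in this file: "queries the user's Active Directory group membership" in the tutorial bullet, and later "set up Active Directory authentication" and "Active Directory group membership", still use the old name while the surrounding lines say Microsoft Entra. The groups involved are Entra groups read through Microsoft Graph, so "Microsoft Entra group membership" is both consistent and more precise; as written a reader may assume on-premises AD groups are consulted.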
There's a function named *GetRoles* in the app's API. This function uses the use
1. In the overview section, locate your application's **URL**. Copy this value into a text editor to use in upcoming steps to set up Active Directory authentication.
-## Create an Azure Active Directory application
+<a name='create-an-azure-active-directory-application'></a>
-1. In the Azure portal, search for and go to *Azure Active Directory*.
+## Create a Microsoft Entra application
+
+1. In the Azure portal, search for and go to *Microsoft Entra ID*.
1. From the *Manage* menu, select **App registrations**.
There's a function named *GetRoles* in the app's API. This function uses the use
|||| | Name | Enter **MyStaticWebApp**. | | | Supported account types | Select **Accounts in this organizational directory only**. ||
- | Redirect URI | Select **Web** and enter the Azure Active Directory [authentication callback](authentication-custom.md#authentication-callbacks) URL of your static web app. Replace `<YOUR_SITE_URL>` in `<YOUR_SITE_URL>/.auth/login/aad/callback` with the URL of your static web app. | This URL is what you copied to a text editor in an earlier step. |
+ | Redirect URI | Select **Web** and enter the Microsoft Entra [authentication callback](authentication-custom.md#authentication-callbacks) URL of your static web app. Replace `<YOUR_SITE_URL>` in `<YOUR_SITE_URL>/.auth/login/aad/callback` with the URL of your static web app. | This URL is what you copied to a text editor in an earlier step. |
:::image type="content" source="media/assign-roles-microsoft-graph/create-app-registration.png" alt-text="Create an app registration":::
There's a function named *GetRoles* in the app's API. This function uses the use
||| | `rolesSource` | The URL where the login process gets a list of available roles. For the sample application the URL is `/api/GetRoles`. | | `userDetailsClaim` | The URL of the schema used to validate the login request. |
- | `openIdIssuer` | The Azure Active Directory login route, appended with your tenant ID. |
- | `clientIdSettingName` | Your Azure Active Directory tenant ID. |
- | `clientSecretSettingName` | Your Azure Active Directory client secret value. |
+ | `openIdIssuer` | The Microsoft Entra login route, appended with your tenant ID. |
+ | `clientIdSettingName` | Your Microsoft Entra tenant ID. |
+ | `clientSecretSettingName` | Your Microsoft Entra client secret value. |
| `loginParameters` | To obtain an access token for Microsoft Graph, the `loginParameters` field must be configured with `resource=https://graph.microsoft.com`. | 1. Select **Edit** to update the file.
-1. Update the *openIdIssuer* value of `https://login.microsoftonline.com/<YOUR_AAD_TENANT_ID>` by replacing `<YOUR_AAD_TENANT_ID>` with the directory (tenant) ID of your Azure Active Directory.
+1. Update the *openIdIssuer* value of `https://login.microsoftonline.com/<YOUR_AAD_TENANT_ID>` by replacing `<YOUR_AAD_TENANT_ID>` with the directory (tenant) ID of your Microsoft Entra ID.
1. Select **Commit changes...**.
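Review bot: two rows in the settings table describe the wrong thing and should be corrected in the same touch. `clientIdSettingName` is glossed as "Your Microsoft Entra tenant ID", but it is the name of the application setting that holds the Application (client) ID (the companion page defines `AZURE_CLIENT_ID` as "The Application (client) ID for the Microsoft Entra app registration"); the tenant ID belongs only in `openIdIssuer`. Likewise `clientSecretSettingName` is the name of the application setting holding the client secret, not "Your Microsoft Entra client secret value"; read literally, the row invites pasting the secret itself into the committed configuration file, which defeats the indirection through application settings that the rest of the guidance relies on.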
Based on the user's group memberships, the function assigns custom roles to the
1. In your GitHub repository, go to the *GetRoles* function located at *api/GetRoles/index.js*.
- Near the top, there's a `roleGroupMappings` object that maps custom user roles to Azure Active Directory groups.
+ Near the top, there's a `roleGroupMappings` object that maps custom user roles to Microsoft Entra groups.
1. Select **Edit**.
-1. Update the object with group IDs from your Azure Active Directory tenant.
+1. Update the object with group IDs from your Microsoft Entra tenant.
For instance, if you have groups with IDs `6b0b2fff-53e9-4cff-914f-dd97a13bfbd6` and `b6059db5-9cef-4b27-9434-bb793aa31805`, you would update the object to:
Based on the user's group memberships, the function assigns custom roles to the
}; ```
- The *GetRoles* function is called whenever a user is successfully authenticated with Azure Active Directory. The function uses the user's access token to query their Active Directory group membership from Microsoft Graph. If the user is a member of any groups defined in the `roleGroupMappings` object, then the corresponding custom roles are returned.
+ The *GetRoles* function is called whenever a user is successfully authenticated with Microsoft Entra ID. The function uses the user's access token to query their Active Directory group membership from Microsoft Graph. If the user is a member of any groups defined in the `roleGroupMappings` object, then the corresponding custom roles are returned.
In the above example, if a user is a member of the Active Directory group with ID `b6059db5-9cef-4b27-9434-bb793aa31805`, they're granted the `reader` role.
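Review bot: the paragraph should state when the mapping is evaluated: since *GetRoles* runs "whenever a user is successfully authenticated", a group removal is reflected only at the user's next sign-in, not immediately, which matters for anyone using these roles to revoke access. The remaining "Active Directory group membership" and "Active Directory group with ID" wording in these lines should also follow the rename to "Microsoft Entra group", since the IDs are Entra group object IDs resolved through Microsoft Graph.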
Based on the user's group memberships, the function assigns custom roles to the
1. When the deployment is complete, you can verify your changes by navigating to the app's URL.
-1. Sign in to your static web app using Azure Active Directory.
+1. Sign in to your static web app using Microsoft Entra ID.
1. When you're logged in, the sample app displays the list of roles that you're assigned based on your identity's Active Directory group membership.
static-web-apps Authentication Authorization https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/static-web-apps/authentication-authorization.md
> If you want to continue to use X(formerly Twitter) for authentication/authorization with your app, update your app configuration to [register a custom provider](./authentication-custom.md).
-Azure Static Web Apps provides a streamlined authentication experience, where no other actions or configurations are required to use GitHub and Azure Active Directory (Azure AD) for authentication.
+Azure Static Web Apps provides a streamlined authentication experience, where no other actions or configurations are required to use GitHub and Microsoft Entra ID for authentication.
In this article, learn about default behavior, how to set up sign-in and sign-out, how to block an authentication provider, and more.
Be aware of the following defaults and resources for authentication and authoriz
**Defaults:** - Any user can authenticate with a pre-configured provider - GitHub
- - Azure Active Directory (Azure AD)
+ - Microsoft Entra ID
- To restrict an authentication provider, [block access](#block-an-authentication-provider) with a custom route rule - After sign-in, users belong to the `anonymous` and `authenticated` roles. For more information about roles, see [Manage roles](authentication-custom.md#manage-roles)
Be aware of the following defaults and resources for authentication and authoriz
- Assign users custom roles using the built-in [invitations system](authentication-custom.md#manage-roles) - Programmatically assign users custom roles at sign-in with an [API function](apis-overview.md) - Understand that authentication and authorization significantly overlap with routing concepts, which are detailed in the [Application configuration guide](configuration.md)-- Restrict sign-in to a specific Azure AD tenant by [configuring a custom Azure AD provider](authentication-custom.md?tabs=aad). The pre-configured Azure AD provider allows any Microsoft account to sign in.
+- Restrict sign-in to a specific Microsoft Entra tenant by [configuring a custom Microsoft Entra provider](authentication-custom.md?tabs=aad). The pre-configured Microsoft Entra provider allows any Microsoft account to sign in.
## Set up sign-in Azure Static Web Apps uses the `/.auth` system folder to provide access to authorization-related APIs. Rather than expose any of the routes under the `/.auth` folder directly to end users, create [routing rules](configuration.md#routes) for friendly URLs.
Use the following table to find the provider-specific route.
| Authorization provider | Sign in route | | - | -- |
-| Azure AD | `/.auth/login/aad` |
+| Microsoft Entra ID | `/.auth/login/aad` |
| GitHub | `/.auth/login/github` | For example, to sign in with GitHub, you could include something similar to the following link.
To prevent the platform from providing this information on future requests to in
https://<WEB_APP_DOMAIN_NAME>/.auth/purge/<AUTHENTICATION_PROVIDER_NAME> ```
-If you're using Azure AD, use `aad` as the value for the `<AUTHENTICATION_PROVIDER_NAME>` placeholder.
+If you're using Microsoft Entra ID, use `aad` as the value for the `<AUTHENTICATION_PROVIDER_NAME>` placeholder.
> [!TIP] > For information about general restrictions and limitations, see [Quotas](quotas.md).
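Review bot: the note at the top of this region has a missing space in "X(formerly Twitter)"; write "X (formerly Twitter)". In the **Defaults** list it would be worth making explicit that the `authenticated` role only means a sign-in succeeded with one of the pre-configured providers, given the later sentence that "The pre-configured Microsoft Entra provider allows any Microsoft account to sign in".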
static-web-apps Authentication Custom https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/static-web-apps/authentication-custom.md
Custom identity providers are configured in the `auth` section of the [configura
To avoid putting secrets in source control, the configuration looks into [application settings](application-settings.md#configure-application-settings) for a matching name in the configuration file. You may also choose to store your secrets in [Azure Key Vault](./key-vault-secrets.md).
-# [Azure Active Directory](#tab/aad)
+# [Microsoft Entra ID](#tab/aad)
To create the registration, begin by creating the following [application settings](application-settings.md#configure-application-settings): | Setting Name | Value | | | |
-| `AZURE_CLIENT_ID` | The Application (client) ID for the Azure AD app registration. |
-| `AZURE_CLIENT_SECRET` | The client secret for the Azure AD app registration. |
+| `AZURE_CLIENT_ID` | The Application (client) ID for the Microsoft Entra app registration. |
+| `AZURE_CLIENT_SECRET` | The client secret for the Microsoft Entra app registration. |
Next, use the following sample to configure the provider in the [configuration file](configuration.md).
-Azure Active Directory providers are available in two different versions. Version 1 explicitly defines the `userDetailsClaim`, which allows the payload to return user information. By contrast, version 2 returns user information by default, and is designated by `v2.0` in the `openIdIssuer` URL.
+Microsoft Entra providers are available in two different versions. Version 1 explicitly defines the `userDetailsClaim`, which allows the payload to return user information. By contrast, version 2 returns user information by default, and is designated by `v2.0` in the `openIdIssuer` URL.
-### Azure Active Directory Version 1
+<a name='azure-active-directory-version-1'></a>
+
+### Microsoft Entra Version 1
```json {
Azure Active Directory providers are available in two different versions. Versio
} ```
-Make sure to replace `<TENANT_ID>` with your Azure Active Directory tenant ID.
+Make sure to replace `<TENANT_ID>` with your Microsoft Entra tenant ID.
+
+<a name='azure-active-directory-version-2'></a>
-### Azure Active Directory Version 2
+### Microsoft Entra Version 2
```json {
Make sure to replace `<TENANT_ID>` with your Azure Active Directory tenant ID.
} ```
-Make sure to replace `<TENANT_ID>` with your Azure Active Directory tenant ID.
+Make sure to replace `<TENANT_ID>` with your Microsoft Entra tenant ID.
-For more information on how to configure Azure Active Directory, see the [App Service Authentication/Authorization documentation](../app-service/configure-authentication-provider-aad.md#-option-2-use-an-existing-registration-created-separately) on using an existing registration.
+For more information on how to configure Microsoft Entra ID, see the [App Service Authentication/Authorization documentation](../app-service/configure-authentication-provider-aad.md#-option-2-use-an-existing-registration-created-separately) on using an existing registration.
-To configure which accounts can sign in, see [Modify the accounts supported by an application](../active-directory/develop/howto-modify-supported-accounts.md) and [Restrict your Azure AD app to a set of users in an Azure AD tenant](../active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md).
+To configure which accounts can sign in, see [Modify the accounts supported by an application](../active-directory/develop/howto-modify-supported-accounts.md) and [Restrict your Microsoft Entra app to a set of users in a Microsoft Entra tenant](../active-directory/develop/howto-restrict-your-app-to-a-set-of-users.md).
> [!NOTE]
-> While the configuration section for Azure Active Directory is `azureActiveDirectory`, the platform aliases this to `aad` in the URL's for login, logout and purging user information. Refer to the [authentication and authorization](authentication-authorization.md) section for more information.
+> While the configuration section for Microsoft Entra ID is `azureActiveDirectory`, the platform aliases this to `aad` in the URL's for login, logout and purging user information. Refer to the [authentication and authorization](authentication-authorization.md) section for more information.
# [Apple](#tab/apple)
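Review bot: "in the URL's for login, logout and purging user information" in the note should be "in the URLs"; the sentence is otherwise useful because the `aad` alias survives the rename and readers will look for an `entra` path. The settings table is correct in listing setting names (`AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`) rather than values, which is the model the earlier line about avoiding secrets in source control describes; the sibling tutorial's table for `clientIdSettingName` and `clientSecretSettingName` should be brought in line with it.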
Identity providers require a redirect URL to complete the login or logout reques
| Login | `https://<YOUR_SITE>/.auth/login/<PROVIDER_NAME_IN_CONFIG>/callback` | | Logout | `https://<YOUR_SITE>/.auth/logout/<PROVIDER_NAME_IN_CONFIG>/callback` |
-If you are using Azure Active Directory, use `aad` as the value for the `<PROVIDER_NAME_IN_CONFIG>` placeholder.
+If you are using Microsoft Entra ID, use `aad` as the value for the `<PROVIDER_NAME_IN_CONFIG>` placeholder.
> [!Note] > These URLs are provided by Azure Static Web Apps to receive the response from the authentication provider, you don't need to create pages at these routes.
To use a custom identity provider, use the following URL patterns.
| User details | `/.auth/me` | | Purge user details | `/.auth/purge/<PROVIDER_NAME_IN_CONFIG>` |
-If you are using Azure Active Directory, use `aad` as the value for the `<PROVIDER_NAME_IN_CONFIG>` placeholder.
+If you are using Microsoft Entra ID, use `aad` as the value for the `<PROVIDER_NAME_IN_CONFIG>` placeholder.
## Manage roles
Invitations are specific to individual authorization-providers, so consider the
| Authorization provider | Exposes | | - | - |
-| Azure AD | email address |
+| Microsoft Entra ID | email address |
| GitHub | username | | Twitter | username |
After you define the `rolesSource` property in your app's configuration, add an
Each time a user successfully authenticates with an identity provider, the POST method calls the specified function. The function passes a JSON object in the request body that contains the user's information from the provider. For some identity providers, the user information also includes an `accessToken` that the function can use to make API calls using the user's identity.
-See the following example payload from Azure AD:
+See the following example payload from Microsoft Entra ID:
```json {
static-web-apps Configuration https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/static-web-apps/configuration.md
You can create new roles as needed in the `allowedRoles` array. To restrict a ro
It's common to require authentication for every route in an application. To enable this, add a rule that matches all routes and include the built-in `authenticated` role in the `allowedRoles` array.
-The following example configuration blocks anonymous access and redirects all unauthenticated users to the Azure Active Directory sign-in page.
+The following example configuration blocks anonymous access and redirects all unauthenticated users to the Microsoft Entra sign-in page.
```json {
static-web-apps Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/static-web-apps/overview.md
With Static Web Apps, static assets are separated from a traditional web server
- **Free SSL certificates**, which are automatically renewed. - **Custom domains** to provide branded customizations to your app. - **Seamless security model** with a reverse-proxy when calling APIs, which requires no CORS configuration.-- **Authentication provider integrations** with Azure Active Directory and GitHub.
+- **Authentication provider integrations** with Microsoft Entra ID and GitHub.
- **Customizable authorization role definition** and assignments.
- **Back-end routing rules** enabling full control over the content and routes you serve.
- **Generated staging versions** powered by pull requests enabling preview versions of your site before publishing.
storage-mover Agent Deploy https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage-mover/agent-deploy.md
Several things take place during the unregistration process:
- The agent is removed from the storage mover resource. You can no longer see the agent in the *Registered agents* tab in the portal or select it for new migration jobs. - The agent is also removed from the Azure ARC service. This removal deletes the hybrid compute resource of type *Server - Azure Arc* that represented the agent with the Azure ARC service in the same resource group as your storage mover resource.-- Unregistration removes the managed identity of the agent from Azure Active Directory (Azure AD). The associated service principal is automatically removed, invalidating any permissions this agent may have had on other Azure resources. If you check the role-based access control (RBAC) role assignments, for instance of a target storage container the agent previously had permissions to, you no longer find the service principal of the agent, because it was deleted. The assignment itself is still visible as "Unknown service principal" but this assignment no longer connects to an identity and can never be reconnected. It's simply a sign that a role assignment used to be here, of a service principal that no longer exists.
+- Unregistration removes the managed identity of the agent from Microsoft Entra ID. The associated service principal is automatically removed, invalidating any permissions this agent may have had on other Azure resources. If you check the role-based access control (RBAC) role assignments, for instance of a target storage container the agent previously had permissions to, you no longer find the service principal of the agent, because it was deleted. The assignment itself is still visible as "Unknown service principal" but this assignment no longer connects to an identity and can never be reconnected. It's simply a sign that a role assignment used to be here, of a service principal that no longer exists.
- This behavior is standard, and not specific to Azure Storage Mover. You can observe the same behavior if you remove a different service principal from Azure AD and then check a former role assignment.
+ This behavior is standard, and not specific to Azure Storage Mover. You can observe the same behavior if you remove a different service principal from Microsoft Entra ID and then check a former role assignment.
> [!WARNING] > Unregistration of an offline agent is supported, but the agent's Azure ARC resource isn't automatically deleted. Instead, you'll need to manually delete the resource after unregistering an offline agent. The lifecycle of the agent's managed identity is tied to this resource. Removing it removes the managed identity and service principal, as previously described.
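Review bot: the bullet and the warning in this hunk spell the product "Azure ARC" (three occurrences: "removed from the Azure ARC service", "with the Azure ARC service", "the agent's Azure ARC resource") while the agent-register article in this same change links it as "Azure Arc"; since the Entra rename already touches this bullet, normalize the casing to "Azure Arc" in the same pass so the two articles agree.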
storage-mover Agent Register https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage-mover/agent-register.md
After you've supplied these values, the agent will attempt registration. During
> [!IMPORTANT] > The Azure credentials you use for registration must have owner permissions to the specified resource group and storage mover resource.
- For authentication, the agent utilizes the [device authentication flow](../active-directory/develop/msal-authentication-flows.md#device-code) with Azure Active Directory.
+ For authentication, the agent utilizes the [device authentication flow](../active-directory/develop/msal-authentication-flows.md#device-code) with Microsoft Entra ID.
The agent displays the device auth URL: [https://microsoft.com/devicelogin](https://microsoft.com/devicelogin) and a unique sign-in code. Navigate to the displayed URL on an internet connected machine, enter the code, and sign into Azure with your credentials.
You can reference this Azure Resource Manager (ARM) resource when you want to as
### Azure Arc service
-The agent is also registered with the [Azure Arc service](../azure-arc/overview.md). Arc is used to assign and maintain an [Azure AD managed identity](../active-directory/managed-identities-azure-resources/overview.md) for this registered agent.
+The agent is also registered with the [Azure Arc service](../azure-arc/overview.md). Arc is used to assign and maintain an [Microsoft Entra managed identity](../active-directory/managed-identities-azure-resources/overview.md) for this registered agent.
Azure Storage Mover uses a system-assigned managed identity. A managed identity is a service principal of a special type that can only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is also automatically removed.
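Review bot: the rewritten sentence in this hunk has an article error, "an Microsoft Entra managed identity"; it should read "a Microsoft Entra managed identity". Suggested line: `Arc is used to assign and maintain a [Microsoft Entra managed identity](../active-directory/managed-identities-azure-resources/overview.md) for this registered agent.`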
storage-mover Deployment Planning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage-mover/deployment-planning.md
Azure Storage Mover aspires to work for a wide range of migration scenarios. How
A deployment of Azure Storage Mover consists out of cloud service components and one or more migration agents you run in your environment, close to the source storage.
-A storage mover resource comprises the cloud service component. This resource is deployed within your choice of Azure subscription and resource group. Identify a subscription in the same Azure Active Directory (Azure AD) tenant as the Azure storage accounts you want to migrate into.
+A storage mover resource comprises the cloud service component. This resource is deployed within your choice of Azure subscription and resource group. Identify a subscription in the same Microsoft Entra tenant as the Azure storage accounts you want to migrate into.
> [!NOTE]
-> An Azure storage mover resource can orchestrate migrations into Azure Storage in other subscriptions, as long as they are governed by the same Azure Active Directory tenant.
+> An Azure storage mover resource can orchestrate migrations into Azure Storage in other subscriptions, as long as they are governed by the same Microsoft Entra tenant.
## Select an Azure region for your deployment
Deploying a Storage Mover agent as an Azure VM hasn't been tested and is current
## Getting your subscription ready
-Your subscription must be in the same Azure Active Directory tenant as the target Azure storage accounts you want to migrate into. When you've decided on an Azure subscription and resource group for your storage mover resource, you need to prepare a few things depending on how you deploy and which actions you or another admin perform.
+Your subscription must be in the same Microsoft Entra tenant as the target Azure storage accounts you want to migrate into. When you've decided on an Azure subscription and resource group for your storage mover resource, you need to prepare a few things depending on how you deploy and which actions you or another admin perform.
### Resource provider namespaces
storage Access Tiers Overview https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/access-tiers-overview.md
Last updated 08/10/2023-+
The cold tier is now generally available in all public and Azure Government regi
### Limitations and known issues -- The [change feed](storage-blob-change-feed.md) is not yet compatible with the cold tier. - [Object replication](object-replication-overview.md) is not yet compatible with the cold tier. - The default access tier setting of the account can't be set to cold tier. - Setting the cold tier in a batch call is not yet supported (For example: using the [Blob Batch](/rest/api/storageservices/blob-batch) REST operation along with the [Set Blob Tier](/rest/api/storageservices/set-blob-tier) subrequest).
storage Authorize Access Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/authorize-access-azure-active-directory.md
While Microsoft recommends using the Azure Identity client library when possible
When you use MSAL to acquire an OAuth token for access to Azure Storage, you need to provide an Azure AD resource ID. The Azure AD resource ID indicates the audience for which a token that is issued can be used to provide access to an Azure resource. In the case of Azure Storage, the resource ID may be specific to a single storage account, or it may apply to any storage account.
-The following table describes the values that you can provide for the resource ID. The resource ID for Azure Storage is the same for all public and sovereign clouds:
+When you provide a resource ID that is specific to a single storage account and service, the resource ID is used to acquire a token for authorizing requests to the specified account and service only. The following table lists the value to use for the resource ID, based on the cloud you're working with. Replace `<account-name>` with the name of your storage account.
+
+| Cloud | Resource ID |
+| | |
+| Azure Global | `https://<account-name>.blob.core.windows.net` |
+| Azure Government | `https://<account-name>.blob.core.usgovcloudapi.net` |
+| Azure China 21Vianet | `https://<account-name>.blob.core.chinacloudapi.cn` |
+
+You can also provide a resource ID that applies to any storage account, as shown in the following table. This resource ID is the same for all public and sovereign clouds, and is used to acquire a token for authorizing requests to any storage account.
+
+| Cloud | Resource ID |
+| | |
+| Azure Global<br />Azure Government<br />Azure China 21Vianet<br /> | `https://storage.azure.com/` |
-| Resource ID | Description |
-|||
-| `https://<account>.blob.core.windows.net` | The service endpoint for a given storage account. Use this value to acquire a token for authorizing requests to that specific Azure Storage account and service only. Replace the value in brackets with the name of your storage account. |
-| `https://storage.azure.com/` | Use to acquire a token for authorizing requests to any Azure Storage account. |
## Assign Azure roles for access rights
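Review bot: both new tables use `| | |` as the header separator row, which contains no dashes and is not a valid delimiter row for GFM-style parsers (the removed table's `|||` had the same problem); use `|--|--|` for both so the rows render as a table. The last cell of the second table, `Azure China 21Vianet<br />`, also carries a trailing `<br />` that renders as an empty line. On substance, the new text presents the account-scoped resource ID and `https://storage.azure.com/` as two equivalent options; since a token issued for `https://storage.azure.com/` is accepted by any storage account, consider adding one sentence recommending the account-specific resource ID whenever the client only needs one account, so the token audience is as narrow as the role assignments described in the next section.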
storage Secure File Transfer Protocol Host Keys https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/secure-file-transfer-protocol-host-keys.md
When you connect to Blob Storage by using an SFTP client, you might be prompted
## Valid host keys
> [!div class="mx-tdBreakAll"]
-> | Region | Host key type | SHA 256 fingerprint <sup>1</sup> | Public key |
-> |||||
-> | Australia Central | ecdsa-sha2-nistp256 | `m2HCt3ESvMLlVBMwuo9jsQd9hJzPc/fe0WOJcoqO3RA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBElXRuNJbnDPWZF84vNtTjt4I/842dWBPvPi2fkgOV//2e/Y9gh0koVVAYp6MotNodg4L9MS7IfV9nnFSKaJW3o=` |
-> | Australia Central | ecdsa-sha2-nistp384 | `uoYLwsgkLp4D5diAulDKlLb7C5nT4gMCyf9MFvjr7qg=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBARO/VI5TyirrsNZZkI2IBS0TelywsJKj71zjBGB8+mmki+mmdtooSTPgH0zmmyWb/z3iJG+BnEEv/58zIvJ+cXsVoRChzN+ewvsqdfzfCqVrzwyro52x5ymB08yBwDYig==` |
-> | Australia Central | rsa-sha2-256 | `q2pDjwwgUuAMU3irDl2D+sbH8wQpPB5LHBOFFzwM9Sk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOrNklxmyreRYe7N72ylBCensxxPTBWX/CfbdbGfEbcGRtMGHReeojkvf4iJ7mDMZRzecgYxZ9o2bwTH9UImNkuZTsFNH6APuJ075WyxoDgdBX1UAQ3eE6BrCNI0BcwLakU9lq0rNhmxMpt/quBXxxWbRieKR9liTOg5CGSqoUPo7TpwaZQBltJCEf7rN5wGUlHV49iuiJIasSldYT6F1c3vS4bJb2sdIvVnKVLq+yTMzaPzWn34BD+KHx/pkB+s7/vQtdMfBBEdgEdPVvMPsyXtIKhx4Q79LnfZT19RDY8KW1mJrbPo67oEcjJYTXSZTKysjCUNmNNrnXvp6sHd` |
-> | Australia Central | rsa-sha2-512 | `+tdLVAC4I+7DhQn9JguFBPu0/Hdt5Ru2zjuOOat+Opw=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCnd0ETMwpU8w7uwWu1AWDv6COIwLKMmxXu+/1rR429cNXuPrBkMldUfI7NKVaiwnu1kLPuJsgUDkvs/fc7lxx2l5i6mYBWJOXcWzAfXSBfB1a+1SK+2tDPYT3j4/W/KRW74DFPokWTINre22UVc+8sbzkmdtX/FzZdVcqI4+xJSjwdsp2hbzcsVWkxWhrFzKmBU40m5E/YwKQwAcbkzmX6AN5O8s66TQs2uPkRuTItDWI3ShW7QzW05jb6W8TeYdkouZ5PY0Yz/h3/oysFzo4VaUc0y3JP98KRWNXPiBrmvphpKnU1TQrjvVkYEsiCBHMOUnNVHdR1oIHd2zPRneK5` |
-> | Australia Central 2 | ecdsa-sha2-nistp256 | `m7Go9P1bwcPHAcZzRSXdwYroDIdZzt0jhxkJW42YGKY=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHp76felOL7GAHcJoW6vcCS83jkeR6RdFCwUk0Jf6v7SFoqYNZfTaryy2n0vwG1W1dAyHvOjB1+gzTZOkHN/cAI=` |
-> | Australia Central 2 | ecdsa-sha2-nistp384 | `9Jc39OueTg3pQcq8KJgzsmPlVXxILG24Euw27on7SkY=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBEduOE61sSP2BozvJ6QLtRDZ7j0TenX7PjcpPVtYIQuKQ+h3qakXFwFnj8N3m8+LpTXYO41mgX7N02Rl12QvD7lDpUgHUChaNpUcMcSpm5qvguLyG6XZg2BDNd6pyx+fpw==` |
-> | Australia Central 2 | rsa-sha2-256 | `sqVq1zdzD3OiAbnDjs70/why2c3UZOPMTuk5sXeOu4Y=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDKNZVZ5RVnGa0fYSn+Nx3tnt526fmMf+VufOBOy5/hEnqV6mPKXMiDijx2gFhKY4nyy957jYUwcqp1XasweWX6ISuhfg4QWcygW0HgmVdlSDezobPDueuP0WdhVsG3vXGbEYnrZOUR5kQHagX/wWf6Diy1J5Cn2ojIKGuSuGY/9bu3bnZzKt08fj+gQCEd1GxpPoBUfjF/73MM57IRhdmv919rsGD5nsyZCBmqFoKlLH/gKYZ4B3hylqf/6gER7OeZmG2S/U/fRAN0hVK7RkHNf2CFoCmuxXS6r87BznT5vF3nmd7tsf0akaxLjfWRbKLMWWyZkzU4/jijpbDDuu1x` |
-> | Australia Central 2 | rsa-sha2-512 | `p6vLHCTBcKOkqz7eiVCT6pLuIg7h4Jp41lvL/WOQLWM=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDcqD2zICW1RLKweRXMG9wtOGxA5unQO/nd9yslfOIo54Ef0dlhAXGFPmCd3Yj60Gt/CIpqguzKLGm4D3nf19KjXE8V59cD7/lN6mVrFrm+6CU44JAzKN9ERUelxhSQKi/dsDR773wt4jsAt4SLBRrs19RC2fkYnxZgC/LzNZKXXY3FFb06uwheJjGOHyeQJbGpaV3hlelhOSV1UF2JAB8v6d8+9+S+b666EcpQ70JtxtA8h1s30hqhTKgYdRYMPfz7lqKXvact2NBXlqYRPod5cLW7lYBb2LzqTk1D44d8cwDknX2pYQJpgeFwJhB6SO9mF/Ot+jk+jV/CxUI55DPd` |
-> | Australia East | ecdsa-sha2-nistp256 | `s8NdoxI0mdWchKMMt/oYtnlFNAD8RUDa1a4lO8aPMpQ=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBKG2nz5SnoR5KVYAnBMdt8be1HNIOkiZ5UrHxm4pZpLG3LCuzLEXyWlhTm8rynuM/8rATVB5FZqrDCIrnn8pkw=` |
-> | Australia East | ecdsa-sha2-nistp384 | `YmeF1kX0R0W/ssqzKCkjoSLh3CciQvtV7iacYpRU2xc=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBFJi5nieNPCIxkYS7HKMH2fQgONSy2kGkViQucVhWrTJCEQMVz5peL2JZJFjf2a6zaB2olPaBNEkeuJRHxGyW0luTII9ZXXUoiGQH9l05B41mweVtG6pljHfuKQ4HzoUJA==` |
-> | Australia East | rsa-sha2-256 | `MrPZLU8llsG+SzgBN8eH702H4zuynyYgqqQLQmWGDEs=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDsRwHZ+DKINZZNP0GO6l7mFIIgTRnJy7ikg07h54iuk+KStoB2Cwppj+ulPs0NiR2RgAsP5nchWRZQysjsfYDui8wha6JEXKvWPlQ90rEYEs96gpUcbVQesgfH8ILXK06Kn1xY/4CWAHEc5U++66e+pHQulkkFyDXTsRYHsjTk574OiUI1` |
-> | Australia East | rsa-sha2-512 | `jkDaVBMh+d9CUJq0QtH5LNwCIpc9DuWxetgJsE5vgNc=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDFHirQKaYqkcecqdutyMQr1eFwIaIM/h302KjROiocgb4iywMAJkBLXmhJn+sSbagM5tzIk4K4k5LRjAizEIhC26sc2aa7spyvDu7+HMqDmNQ+nRgBgvO7kpxVRcK45ZjFsgZ6+mq9jK/eRnA8wgG3LnM+3zWaNLhWlrcCM0Pdy87Cswev/CEFZu6o6E6PgpBGw0MiPVY8CbdhFoTkT8Nt6tx9VhMTpcA2yzkd3LT7JGdC2I6MvRpuyZH1q+VhW9bC4eUVoVuIHJ81hH0vzzhIci2DKsikz2P4pJT0osg5YE/o9hVJs+4CG5n1MZN/l11K8lVb9Ns7oXYsvVdtR2Jp` |
-> | Australia Southeast | ecdsa-sha2-nistp256 | `4xc49pnNg4t/tr91pdtbZLDkqzQVCguwyUc16ACuYTc=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCdswzJ+/Bw5ia/wRMaa0llZOjlz67MyZXkq7Ye38XMSHbS4k/GwM0AzdX+qFEwR00lxZCmpHH28SS+RyCdIzO0=` |
-> | Australia Southeast | ecdsa-sha2-nistp384 | `DEyjMyyAYkegwLtMBROR/8STr1kNoQzEV+EZbAMhb1s=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJRZx6caZTXnbTW/zRzKfoKC4LGzvD5fnr2p8yGWxDq27CjUEMxkctWcT6XS3AstF2MLMTOFp/UkkSr8eP0vXI8g99YDeFGXtoBiFSIgYF2Aiu/kpfEu3feiIUl3SVzxKw==` |
-> | Australia Southeast | rsa-sha2-256 | `YafIMxux7NtoKCrjQ2eDxaoRKHBzpanatwsYbRhrDKQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC7omLu37G00gLoGvrPOJXpRcI5GTszUSldKjrARq0WeJIXEdekaSTz5qv2kSN/JaBDJiO9E4AJFI9q5AvchdmMVs4I59EIJ0bsR9lK+9eRP4071EEc8pb3u/EPFaZQ8plKkvINJrdK6p0R2FhlFxa7wrRlKybenF1v7aU3Vw79RQYYXaZifiNrIQFB8XQy3QQj2DcWoEEOjbOgZir9XzPBvmeR8LLEWPTLYangYd3TsQtybDpP6acpOKaGYDEyXiA8Lxv8O276LUBny6katPrNvfGZScxn6vbTEZyog+By8vyXMWKEbC1Qc/ecBBk5obFzbUnq3RP1VXLJspo99cex` |
-> | Australia Southeast | rsa-sha2-512 | `FpFCo9sNUkdnD1kOSkWDIfnasYhExvRr1pJlE631QrA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDmuW2VZAhR6IoIOr32WnLlsr/rt3y4bPFpFcNhXaLifCenkflj9BufX3lk5aEXadcemfKlUJJdwBTvTt1j4+X3P2ecCZX1/GSsRKSTuiivuOgkPxk3UlfggkgN9flE9EdUxHi/jN/OQ9CjGtHxxk72NJSMNAjvIe0Ixs7TfqqyEytYAcirYcSGcc0r70juiiWozflXlt+bS7mXvkxpqMjjIivX+wTAizzzJRaC6WcRbjQAkL2GP6UCFfBI1o9NBfXbz+qvs1KTmNA0ugRQ7g6MdiNOePHrvoF1JgTlCxEjy+/IqPiC8nNQUVCW6/gcATQoDQn0n9Lwm1ekycS35xEh` |
-> | Brazil South | ecdsa-sha2-nistp256 | `rbOdmodk5Aq+nxHt04TN7g6WyuwbW5o+sDbj86l6jp8=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNFqueXBigofrM5Kp2eA4wd4XxHcwcNgNFWGgEd0EoNdKWt9NroU47bN43f79Y5vPiSa4prKW1ccMBl40nNN4S4=` |
-> | Brazil South | ecdsa-sha2-nistp384 | `cenQeg58JZ+Dvu3AC7P7lC/Jq7V3+YPaS37/BBn3OlQ=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBHBhfnlfXV9/m6ZgOoqmSgX3VPnRdTOraBhMv8v7lEN1lWwyBpiWepu52KS0jR1RhttfXB+n+p6i2+9djJ1zT7fHq4sNn/d/3k2J6IjJlymZ32GwPvDk+fGefupUtabvRQ==` |
-> | Brazil South | rsa-sha2-256 | `qNzxx1kid41tZGcmbbyZrzlCIPJ9TFa20pUqvRbcjro=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC04g5K8emsS4NpL6jCT3wlpi6Msb5ax6QGlefO3IKp3wDKWAEqN+PvqBdrNp1PsitTKeyRSCLofq9k2wzeAMzV2n3UVqmUpNf9Q0Yd8SuXPhKG6VhqG2hL5+ztrlVTMI2Ak18SLaAEA1x7y9Z1lkEYGvCzJQaAw5EG8kd7XHGaI9nSCJ7RFOdJQF/40gq8z6E+bWW9Xs55JpWQ0i44i/ZvQUEiv5nyAa7D86y23wk1pTIFkRT99Kwdua0GtyUlcgCRDDTOzsCTn4qTo/MAF1Uq/ol4G0ZxwKnAEkazSZ1c+zEmh6GJNwT64nWBZ+pt5Rp3ugW+iDc/mIlXtxEV2k7V` |
-> | Brazil South | rsa-sha2-512 | `KAmGT8A7nRdxxQD7gulgmGTJvRhRdWPVDdagGCDmJug=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC6W0FiaS21Dze6Sr6CTB8rLBu1T1Zej+11m7Kt283PSkQNYmjDDPUx0wSgylHoElTnFcXG+eFMznnjxDqkH+GnYBmlpW3nxxdTYD/MrdP4dX9ibPCFjDupIDJ4thv+9xWCw/0RpGc1NlUx2YmenDVMFJtYqjB1IDa2UUEeUHeQa1qmiBs1tbBQdlws1MCFnfldliB5H+cO4xnbAUjOlaa01k7GKqPf0H75+R83VcIcFw8hSuCvgMT+86H6jRRfqiIzE7WGbQBTPQs0rGcvxcGR3oGOmtB2UmOD232XTEk+sG3q2RxtPKWTz8wz1Tt2c1BOxmtuXTtzXnigZjB2t8y5` |
-> | Brazil Southeast | ecdsa-sha2-nistp256 | `dhADLmzQOE0mPcctS3wV+x2AUlv1GviguDQgSbGn/qs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPYuseeJN3CvtyPSKOz5FSu7PoNul+o6/LB62/MW9CUW+3AmqtVANVox1XQ8eX/YhL0a5+brjmveZPQS6M09YyQ=` |
-> | Brazil Southeast | ecdsa-sha2-nistp384 | `mjFHELtgAJkPTWO4dc7pzVVnJ6WLfAXGvXN1Wq2+NPs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIwFI6bRmgPe0tN7Qwc03PMrlpBn+wBChcuofyWlKVd/Ec6t2dxHr/0ev0dqyKS2nbK7CAOQxSrV1NVYnYZKql/eC2sPqI1oxz7DzUtRnNKrXcH714ViN3RIY3DZA6rJOw==` |
-> | Brazil Southeast | rsa-sha2-256 | `D+S7uHDWy0VPrRg9mlaK70PBPghBRCR1ru/KEsKpcjA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCz86hzEBpBBVJqClTRb7dNolds/LShOM4jucPRawZrlKGEpeKv70Khk8BdI4697fORKavxjWK0O9tQpAJHtVGSv3Ajwb9MB7ERKncBVx/xfdiedrJNmF0G+p97XlCiwkAqePT/9IFaMy1OFqwl6LF7p7I0iBKZX0UgePwdiHtJnK0foTfsASNY4AEVcXHEuaulLFJKUjrr6ootblEbPBnC6IxTPj9oD+Nm0rtlCeD5JtCRFgKUj3LWybEog/AnnMNQDQ+vMPbsCnfsW/J/HQc+ebx3NtcumL+PIxqJw2Pk6mRpDdL+vs2nw/PtnPkdJ7DjIQYLypBSi3AFIONSlO15` |
-> | Brazil Southeast | rsa-sha2-512 | `C+p2eAPf5uec0yG+aeoVAaLOAAf0p8gbBNss3xfawPQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDV3WmETlQwzfuYoOsPAqfB9Z2gxsNecbpuwIBYwitLYKmJnT9Q3SNSgqnBiI1TKWyEweerdQaPnEvz9TeynGqSmLyGT0JJXQXFQCjTCgRHP4WD0Q+V7HWHnWYQ5c2e8tKEVA1jWt57dcrFlrGKEsywuMeEX21V13qQxK2acXVRWJPWgQCVwtiNpToc/cILOqL5XXKnSA81Ex7iRqw8QRAGdIozkryisucy+cStdJX6q+YUE5L62ENV8qMwJdwUGywEpKhXRg5VQKN0ciFqvyT/3cZQVF+NkUFGPnOi0bk4JzHxWxmQNTIwE7bmPsuniw5njD3ota/IPUHV2og190Xx` |
-> | Canada Central | ecdsa-sha2-nistp256 | `HhbpllbdxrinWvNsk/OvkowI9nWd9ZRVXXkQmwn2cq4=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBuyYEUpBjzEnYljSwksmHMxl5uoErbC30R8wstMIDLexpjSpdUxty1u2nDE3WY7m4W/doyXVSBYiHUUYhdNFjg=` |
-> | Canada Central | ecdsa-sha2-nistp384 | `EjEadkKaEgaNfdwXtzlqanUbDigzsdzcZJeTzJfQXP0=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBORAcpaBXKmSUyCLbAOzghHvH8NKzk0khR0QGHdru0kiFiE16uz9j07aV9AiQQ3PRyRZzsf+dnheD7zuEZAewRiWc54Vg8v8QVi9VUkOHCeSNaYxzaDTcMsKP/A7lR2AOQ==` |
-> | Canada Central | rsa-sha2-256 | `KOYkeGvx4egH9DTGgxiONDMvSlkEkoU8cXWnynOEQRE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC7jhZvp5GMrYyA2gYjbQXTC/QoSeDeluBUpji6ndy52KuqBNXelmHIsaEBc69MbixqfoopaFyJshdu7X8maxcRSsdDcnhbCgUO/MnJ+am6yb33v/25qtLToqzJRXb5y86o9/WtyA9DXbJMwwzQFqxIsa1gB` |
-> | Canada Central | rsa-sha2-512 | `tdixmLr++BVpFMpiWyVkr5iAXM4TDmj3jp5EC0x8mrw=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDNMZwL0AuF2Uyn4NIK+XdaHuon2jEBwUFSNAXo4JP7WDfmewISzMWqqi1btip/7VwZbxiz98C4NUEcsPNweaw3VdpYiXXXc7NN45cC32uM8yFeV6TqizoerHf+8Hm8avWQOfBv17kvGihob2vx8wZo4HkZg9KacQGvyuUyfUKa9LJI9BnpI2Wo3RPue4kbaV3JKmzxl8sF9i6OTT8Adj6+H7SkluITm105NX32uKBMjipEeMwDSQvkWGwlh2oZwJpL+Tvi2G0hQ/Q/FCQS5MAW9MCwnp0SSPWZaLiA9EDnzFrugFoundyBa0vRjNGZoj+X4+8MVG2fYgOzDED1JSPB` |
-> | Canada East | ecdsa-sha2-nistp256 | `YPqDobCavdQ/zGV7FuR/gzYqgUIzWePgERDTQjYEE0M=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKlfnJ9/rlO5/YGeGle1K6I6Ctan4Z3cKpGE3W9BPe1ZcSfkXq47u/f6F/nR7WgrC6+NwJHaMkhiBGadEWbuA3Q=` |
-> | Canada East | ecdsa-sha2-nistp384 | `Y6FK9rWscBkyKN7mgPAEj0jKFXrv4mGNzoaZ9ttc4io=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDS8gYaqmJ8eEjmDF2ET7d2d6WAO7SgBQdTvqt6cUEjp7I11AYATKVN4Isz1hx8qBCWGIjA42X1/jNzk3YR7Bv/hgXO7PgAfDZ41AcT4+cJd0WrAWnxv0xgOvgLKL/8GYQ==` |
-> | Canada East | rsa-sha2-256 | `SRhd9gnvJS630A8VtCYMqc4djz5R8EiG7spwAUCYSJk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQD2nSByIh/NC3ZHsjK3zt7mspcUUXcq9Y/jc9QQsfHXQetOH/fBalf17d5odCwQSyNY5Mm+RWTt+Aae5t8kGm0f+sKVO/4HcBIihNlAnXkf1ah5NoeJ+R0eFxRs6Uz/cJILD4wuJnyDptRk1GFhpAphvBi0fLEnvn6lGJbrfOxuHJSXhjJcxDCbmcTlcWoU1l+1SaYfOzkVBcqelYIimspCmIznMdE2D9vNar77FVaNlx4J9Ew+HQRPSLG1zAh5ae1806B6CHG1+4puuTUFxJR1AO+BuT6fqy1p0V77CrhkBTHs8DNqw9ZYI27fjyTrSW4SixyfcH16DAegeHO+d2YZ` |
-> | Canada East | rsa-sha2-512 | `60yzcSSOHlubdGkuNPWMXB9j21HqIkIzGdJUv0J57iY=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDDmA4meGZwkdDzrgA9jAgcrlglZro0+IVzkLDCo791vsjJ29bTM6UbXVYFoKEkYliXSueL0q92W91IaFH/NhlOdW81Dbjs3jE+CuE4OX5pMisIMKx45QDcYCx3MJxqZrIOkDdS+m8JLs6XwM07LxiTX+6bH5vSwuGwvqg5gpnYfUpN0U5o7Wq7H7UplyUN8vsiDvTux3glXBLAI3ugjn6FC/YVPwMOq7Luwry3kxwEMx4Fnewe6hAlz47lbBHW6l/qmzzu4wfhJC20GqPzMJHD3kjHEGFBHpcmRbyijUUIyd7QBrnfS4J0xPVLftGJsrOOUP7Oq8AAru66/00We501` |
-> | Central India | ecdsa-sha2-nistp256 | `zBKGtf770MPVvxgqLl/4pJinGPJDlvh/mM963AwH6rs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBjHx8+PF0VBspl6l9Xa3BGyJwSx2eDX0qTDnhrdayzHMWsHGX3vz0wr7oMeBVdQ26dOckExa6iPrEDSt8foV1M=` |
-> | Central India | ecdsa-sha2-nistp384 | `PzKXWvO/DR/KnUElcVWIwSdabp6ZJqce37DJZzNl3Sk=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJwEy1f+GYN4rxhlCAkXGgqAU1S7ssI4JPEJs8z1mcs8dDAAVy1cqdsir9yZ9RSZzOz/BOIubZsG137G2+po0Pz0FfJ0jZVGzlx1UHXu7OMuKQ7d2+1TkPpBYFy6PiCa3w==` |
-> | Central India | rsa-sha2-256 | `OcX6wPaofbb+UG/lLYr30CPhntKUXyTW7PUAhC6iDN0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDWuKbOJR8ZZqhE3k2HMBWO99rNWoHwUa+PVWPQHyCELyLR19hfrygNL9uugMQKTvPYPWx8VM6PrQBrvioifktc/HMNRsoOxlBifQETfRgBseXcIWorNlslfFhBnSn6ZGn8q4XICGgZ1hWUj9z1PUmcM2LZDjJS33LLzd23uIdLePizAliJAzlPyea8JNpCVjfmwnNwtuxXc48uAUXlmX+e0ZXRwuEGble8c1PbrWWTWU4xhWNJ+MInyvIGv9s6cGN7+fxAFaUAJS0wNEa3poCnhyNxrckvaqiI3WhPQ8Hefy2DpXTY03mdxCz8PZPcLWdQU3H5nmuAc/pypnc0Avax` |
-> | Central India | rsa-sha2-512 | `HSgc5u8s+QILdyBq6wGJkxRcK5nxj81gxvpkR5bcH6k=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDSO/R/yw8q33yLkSHOw0Bi2WKDWQPrll8skh3hdRUB6wtw9dvtQFEV3suvFJsTVvAbnGBe2Fjgi69X0zkIygxg74XuQsx7GZO6gyaKDwljyanFoCzer+OzFSpDcVJ0zOfhY99uHeYT6k4leb2ngABqjiqieDHMZ9JQX12KOK3cAks/oytrNUo9krGb1Nyv5BYu4dWXHmuFgtigDd043khaARfdWkg88lKgb6G9k+vQTGKphLnFMqhada/aP8GsaA2Dq5d/LH5P5CTU7MRPA8TuuyLOtbv8FtQ2TyaAXhYCplCQELtto1yXZ79WVjQE/uKuX8xK5M2rfOH+H5ck/Rxl` |
-> | Central US | ecdsa-sha2-nistp256 | `qN1Fm+zcCQ4xEkNTarKiQduCd9S+Aq3vH8BlfCaqL74=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN6KpNy9XBIlV6jsqyRDSxPO2niTAEesFjIScsq8q36bZpKTXOLV4MjML0rOTD4VLm0mPGCwhY5riLZ743fowWA=` |
-> | Central US | ecdsa-sha2-nistp384 | `9no3/m09BEugyFxhaChilKiwyOaykwghTlV+dWfPT6c=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBCiEYrlw9pskKzDp/6HsA2g0uMXNxJKrO5n16cHwXS1lVlgYMK3mmQdA+CjzMdJflvVw7sZO2caApr+sxI3rMmGWCt5gNvBaU6E9oUN8kdcNDvsfFavCb3vguOgtgbvHTg==` |
-> | Central US | rsa-sha2-256 | `GOPn34T1cCkLHO0xjLwmkEphxKKBQIjIf9QE1OAk3lU=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC9oA4N2MxbHjcdSrOlJOdIPjTB2LpQUMwJJj+aI2KEALYDGWWJnv0E14XjY1/M35jk8z0hX4MHGE/MEocSsTVdFRdWdW9CKTWT6eICpg9frTj6wfkB/Dxz/BAYb/YXq5OMrFlkFJUG8FMp9N80W6UWichcltmSrCpRi5N3ZGpVXEYhJF+I0mCH7Yheoq2KzIG2iWU/EJT5fui4t51wD8CQ1NWG8/THnNr0gjCr3AtB+ZPAl/6N7i2vO3FlZEHUj6BHoQ4dhIGjGCkgFDNU6RpdifqMJRihP9fSMOq4qksch1TE5sOnp0sOaP/RQvChb4oXB8Pru+j45RxPzIvzzOZZ` |
-> | Central US | rsa-sha2-512 | `VLhZbZjHzoNRMyRSa3GYvk2rgacjmldxQ2YNzvsMpZA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDPnuJixcZd6gAIifABQ377Mn0ZootRmdJs1J3R8/u7mbdfmpX2ItI0VfgMh4BzGEdgCqewx4BjADhfXRurfimuP8P9PLRq89AHX2V+IfeizLZkrnrxKiijjGEz640gORzzwIp2X+bmnBABWzEZjSNOeE3CKVr4ONvH80bYGFFqR4+arOelDqWEgxktM1QBlId7xR7efmtEGAuAhFbZVaqjBNsbqyiR/hlkMQfmWn1bjGSoenUoPojc7UAp9+Xf6ujkhCihRV/O4A69tVvp5E0Qv5MJ1Qj3kzAYbHQcIQ2l47MQq1wdZYxkYBHmH5leAjHgQbbccPalOLSbLRYjF169` |
-> | East Asia | ecdsa-sha2-nistp256 | `/iq1i88fRFHFBw4DBtZUX7GRbT5dQq4g7KfUi5346co=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCvI7Dc7W3K919GK2VHZZkzJhTM+n2tX3mxq4EAI7l8p0HO0UHSmucHdQhpKApTIBR0j9O/idZ/Ew6Yr4nusBwE=` |
-> | East Asia | ecdsa-sha2-nistp384 | `KssXSE1WC6Oca0dS2CNySgObkbVshqRGE2JcaNsUvpA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNEYGYGolx8LNs5TVJRF/yoxOCal3a4C0fw1Wlj1BxzUsDtxaQAxSfzQhZG+lFCF7RVQyiUwKjCxmWoZbSb19aE7AnRx9UOVmrbTt2PMD3dx8VmPj1K8rsPOSq+XX4KGdQ==` |
-> | East Asia | rsa-sha2-256 | `XYuEB+zABdpXRklca8RCoWy4hZp9wAxjk50MD9w6UjE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDNKlaGhRiHdomU5uGvkcEjFQ0mhmNnWXsHAUNoGUhH6BU8LmsgWS61QOKHf1d3qQ0C9bPaRWMpemAa3DKGGqbgIdRrI2Yd9op+tqM+3hrZ8cBvBCgqKgaj4ZitoFnYm+iwwuReOz+x0I2/NmWUxuQlbiHTzcu8TVIln/5sj+n9PbwXC8Zk6vsCt6aon/P7hESHBJ4yf2E+Io30m+vaPNzxQGmwHjmBrZXzX8gAjGi6p823v5zdL4mq3tT5aPPsFQcfjkSMRDGq6yFSMMEA7i2dfczBQmTIJkYihdS8LBE0Ir5islJbaoPQxeXIrF+EgYgla505kJEogrLprcTGCY/t` |
-> | East Asia | rsa-sha2-512 | `FUYhL0FaN8Zkj/M0/VJnm8jPL+2WxMsHrrc/G+xo5QM=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC7x8s74EH+il+k99G2aLl1ip5cfGfO/WUd3foiwwq+qT/95xdtstPYmOP77VBQ4G6EnauP2dY6RHKzSM2qUdmBWiYaK0aaI/2lCAaPxco12Te5Htf7igWyAHYz7W99I2CfJCEUm1Soa0v/57gLtvUg/HOqTgFX44W+PEOstMhqGoU9bSpw2IKlos9ZP87C6IQB5xPQQ1HlnIQRIzluJoFCuT7YHXFWU+F4ZOwq5+uofNH3tLlCy7D4JlxLQ0hkqq3IhF4y5xXJyuWaBYF2H8OGjOL4QN+r9osrP7iithf1Q0EZwuPYqcT1QeIhgqI7OIYEKwqMfMIMNxZwnzKgnDC1` |
-> | East US | ecdsa-sha2-nistp256 | `ixDeCdmQOB9ROqdJiVdXyFVsRqLmJJUb2M4shrWj8gI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNrdcVT12fftnDcjYL8K3zLX3bdMwYLjNu2ZJ1kUZwpVHSjNc+1KWB2CGHca+cMLuPSao4TxjIX0drn9/o+GHMQ=` |
-> | East US | ecdsa-sha2-nistp384 | `DPTC6EIORrsxzpGt6IZzAN67nlZUXzg5ANQ3QGz987Y=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBEP3CUvPVWNVnFuojR43KRxTQt1xiClbgDzqN/s9F5luivP+Gh0QrK5UHf6diEju4ZQ9k2O10MEDs6c46g4fT56rY8CQkeBsaaBq8WYLRhSQsFZ6SZuw14oFNodniAO33g==` |
-> | East US | rsa-sha2-256 | `F6pNN5Py68/1hVRGEoCwpY5H7vWhXZM/4L442lY4ydE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDAiUB94zwLf0e/++OeiAjE0X7Od2nuqyLyAqpOb7nfQUAOWyqgRL04yaan6R2Ir2YtI0FRwA6yRETUBf2+NuVhIONgLNsgPw3RakL1BUqAEzZAyF4sOjWnYE5/s/1KmYOE052SefzMciqjgkBV2+YrPW1CLivNhL4d1vuQh05kADLgHJiAVD6BqSM7Z6VoLhW+hfP4JklyQAojCF6ejXW7ZGWdqQGKLCUhdaOPSRAxjOmr9gZxJ69OvdJT2Cy6KO1YQt2gY2GbPs+4uAeNrz40swffjut4zn1NILImpHi8PTM+wcGYzbW4Nn7t5lhvT9kmX9BkSYXLVTlI9p1neT9t` |
-> | East US | rsa-sha2-512 | `MIpoRIiCtEKI23MN+S2bLqm5GKClzgmRpMnh90DaHx8=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC8Ut7Rq7Vak26F29czig5auq334N9mNaJmdtWoT32uDzWjZNw/N8uxXQS51oSeD7c0oXWIMBklH0AS8JR1xvMUGVnv5aRXwubicQ6z4poG5RSudYDA3BjMs61LZUKZH/DRj7qR/KUBMNieT1X+0DbopZkO9etxXdKx+VqJaK3fRC5Zflxj5Z9Stfx/XlaBXptDdqnInHZAUbZxnNziPYrBOuXYl5/Cd6W4lR7dBsMCbjINSIShvrhPpVfd3qOv/xPpU172nqkOx2VsV4mrfqqg62ZdcenLJDYsiXd/AVNUAL+dvzmj1/3/yVtFwadA2l83Em6CgGpqUmvK6brY3bPh` |
-> | East US 2 | ecdsa-sha2-nistp256 | `bouiC5HdtURUU19RJbym8R94fbMOTw/bUxFUkoAByoI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJshJI18IECu6neLrash/Q622MAXO07C+hbIOiVPC6M/ZIJM8HyYvQEh4DKI1CMEaeAIs/HA905QKeU/syvt7QI=` |
-> | East US 2 | ecdsa-sha2-nistp384 | `vWnPlGaQOY4LFj9XSQ2qN/NMF92+UOfKPjGNSPA2bOg=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBByJNAblwxCNVqedg5FcdbdwiuzTMVEWj/uF3uzI8wp890Xv2M4H+aMTpeItxgQsuiQCptgITsO+XCf2dBTHOGWpd90QtvcznzHyy/FEWVAKWs9brvyaNVe82c4TOFqYRg==` |
-> | East US 2 | rsa-sha2-256 | `K+QQglmdpev3bvEKUgBTiOGMxwTlbD7gaYnLZhPfe1c=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDOA2Aj1tIG/TUXoVFHOltyW8qnCOtm2gq2NFTdfyDFw3/C4jk2HHQf2smDX54g8ixcLuSX3bRDtKRJItUhrKFY6A0AfN1+r46kkJJdFjzdcgi7C3M0BehH7HlHZ7Fv2u01VdROiXocHpNOVeLFKyt516ooe6b6bxrdc480RrgopPYpf6etJUm8d4WrDtGXB3ctip8p6Z2Z/ORfK77jTeKO4uzaHLM0W7G5X+nZJWn3axaf4H092rDAIH1tjEuWIhEivhkG9stUSeI3h6zw7q9FsJTGo0mIMZ9BwgE+Q2WLZtE2uMpwQ0mOqEPDnm0uJ5GiSmQLVyaV6E5SqhTfvVZ1` |
-> | Switzerland West | ecdsa-sha2-nistp384 | `nS9RIUnm5ULmNIG+d7qSeIl/kNzuJxAX9/PcwfCxcB0=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBB/Ps4Wp15xhNenavSHZijwVXdZcvhzVq8IcfHR3+Gz3tKLed36OdHRTdWpvjrg0mENw4L1mEZnHnDx96WMtA+FfagGWXMVMMfcyM4riIedemHsz45KAR2suqcdkNHfdVA==` |
-> | Switzerland West | rsa-sha2-256 | `yoVjbjB+U4Cp/ZpMgKKuji9T2pIFtdeXnJudyeNvPs0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDFl9NO3CJyKTdYxDIgCjygwIxlT1ppJQm/ykv2zDz6C7mjweiuuwhVM3LRua3WyP5mbgl3qYm+PHlA7UyIMY5jtsg7GaSfhiBSGZAdfgfDgOp3qRkgyep84P69SLb2b0hwgsPVkx8eWLDDVbOEdQLLx7TVndyxtdw+X4bZs6UdEcLMvLUWl7v3SoD5oiuJN6vOJPQl0VBeEaK/uhujjFgnlEu7/31rYEKQ8vQBbx22a4kIyBtUSAGo/VfKGRWF9oXL7Umh2xHAPwNbGwP+DdCKUY27wWG7Qe18O+QS9AOu0yL4+MRIHZg8ODLQsk0Hp3q8Iw2JjohSkk4lcjHYgb69` |
-> | Switzerland West | rsa-sha2-512 | `UgWxFaVY0YYMiNQ82Wt3D1LDg3xta1DfRUUKWjZYllk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC6svukqfg7147raZZrA1bZFOO/EDFgi+WRsxoOfH/EEWGmZ89QQ5m855TpsTPZ5ZARQD9kxrYEtqefcSPuWgth4Ze5PNVwRfAwedsSfnYwHZqHRlRM54bOQ6Img7T292ERl4KNJUI7SLyF+kKB7eXqp5nMBrTZ4rSHXoeibv2yZAph0cyf4V/NnfRj6KZSf6YDs0LW1VuovWAC6S7mpBjwtabBmd1gIiJleWhB7Jj48yiyh0m7L9oIoR4NRiuFC535JwqCYhrgFwujuk6iIR9ScRdayEr6gVcv6tBms3MyR16ytA/MHRxYHfPKb1kHUrpFjDQZZZswoDJDnhQGOm8Z` |
-> | UAE Central | ecdsa-sha2-nistp256 | `P3KxgoZgjHHxid66gbkRETjPsHUsNiPt5/TFU0Kby6I=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOvHAXCWC9HGJnr5SRW8I1zZWsyHIczEdPpzmafrU8drYmhpRxlD6HlKnY7iXqfq8bOIK063tpVOsPbrVevAKPs=` |
-> | UAE Central | ecdsa-sha2-nistp384 | `E+jKxd6hnfVIXPQYreABXpZB7tppZnWUxAelvEDh874=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMDLyroqceuIpmDQk/gvHHzFup7NZbyzjXMdGrkDvZDE2H+6XTthCGSVNVmwqdyHE4yGw88jgW1TfWTAZxCxTfXD+xF72iYyBAsejgiyYY/0x9NKM/lrtw8mnRtkZzLyrA==` |
-> | UAE Central | rsa-sha2-256 | `GW5lrSx75BsjFe4y4vwJFdg454fndPjm4ez2mYsG3zs=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDAQiEpj9zkZ8F3iDkDDbZV4A3+1RC/0Un6HZVYv5MCVYKqsVzmyn+7rbseUTkZMO/EqgF8+VWlwSU5C2JOesZtKXAgNzXBSOER3NbiucB5v1b1cC+8Qo4C2+iTHXyJSKxV0bTz55crCfhKO1KTQw3uZoYh6jE9xI1RzCI1J4qP+afZQQhn3H+7q+8kTMhmlQrfKuMWennoWZih+uTe9LPHjlvzwYiXkS2sOIlKtx8eLDJJg2ONl7YKSE4XVq7K33807Gz5sCD/ZV+Bn+NyP2yX14QKcyI97pkrFdcJf2DZi7LdTuEVPx3qK/rHzmzotwe6ne6sfV+FJpowUUTbKgT5` |
-> | UAE Central | rsa-sha2-512 | `zflL4olL2bga9JCxPA/qfvT2jSYmIfr2RY6GagpUjkE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDAtxSG7lHzGFclWVuErRZZo6VG5uaWy1ikhb67rJSXdTLuSGDU+4Boj4wKxK0EyVKXpdQ3VrIwC4rOEy/lKAlnI2PrkrMjluau2aetlwW0hCBKAcgEOpMeMJJxCvv9EVatmEhvCe0ARyVM539058da9LzoZ2geFnFIbh3t8fNCaJZTNSS5PW1SLkspSqYXUYJWzu8Kx9l3LTzlmJT1DukKLIKj5ZDwuzOIN5m1ePYp4MzfIeBN6ys8df8HqXLoEXE+vOZWOzwkPVWoTsYvwB8j9+FHECAVf4Gcm8sPvRZA/RKDn1dGW2THzVw/VI/F87fFC7stLmZJ1v+a9TTFE649` |
-> | UAE North | ecdsa-sha2-nistp256 | `vAuGgsr0IQnOLUaWCCOBt+Jg0DV9C6rqHhnoJnwORM8=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEYpnxgANJNJ4IIvSwvrRtjgbejCpTc3D+l5iob7dBK4KQ7MB40rq+CtdBDGZ1J7d6oCevW6gb1SIxU/PxCuvMI=` |
-> | UAE North | ecdsa-sha2-nistp384 | `A5fa4Pzkdl0H2kVJxlNiEQkOhPzBYkrfQrcviQUUWUA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOz4ENDgFpo0547D5XCRCJLg8brp+iUyId2IdEhZAhuNX9spxlVe6uSkiQbd+8D5hHPVNuLFTFx7v2wXObycM8tr/WGejn/934BvSUhM6lDpU+d5n+ZcxEEhp4gDiy1l+Q==` |
-> | UAE North | rsa-sha2-256 | `Vazz+KIADh85GQHAylrlI1tTY8/ckoRqTe/kbLXPmd0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDRGQHLLR9ruI0GcNF2u3EpS2CbHdZlqcgSR1bkaOXA9ZufHyxuhIpzG2IgYQ8wrjGzIilYds6UIH7CAw9FApKLNpLR6qdm8qjM0tJiyHLm3KloU27FfjCQjE9JhmsbTWCRH3N52A9HXIdiVCE3BBSoXhg/mF+3cvm1JvabKr1twoyfbUgDFuF7fDyhSxJ/MTig8SpgzWqcd5J+wbzjXG0ob2yWVhwtrcB6k97g25p77EKXo3VhSs0jN7VR+SAHupVwWsUgx4fZzi2I5xTUTBdOXW+e3EiXytPL2N5N/MtFKVY/JVhFkKkcTRgeuOds51tkByteSkc32kakcUxw6CjJ` |
-> | UAE North | rsa-sha2-512 | `NDeTZPUor2OuTdgSjLLhSaqJiTJUdfwTAzpkjNbNQUY=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDAx9LfiyVmWwGD/rjQeHiHTMWYaE/mMP6rxmfs9/I4wEFkaTBbc4qewxUlrB1jd7Se2a0kljI3lqQJ9h+gjtH/IaVTZOKCOZD8yV9Dh4ZENRqH/TOVz6LCvZifVbjUtxRtbvOuh1lJIVBSBFciNr0HThFMnTEIwcs5V48EFIT6eS9Krggu+cWAX2RbjM0VQnIgkA5BeM33MjSjNz86zhO+e7e1lhflPKL5RTIswtWbwatgkyvfM33pJql/zJz+3/usSpIA/pgWw23c8WziYXiHPTShJXN+N+9iLKf9YUkpzQUZSaRw8XDPyjJNx327Lot0Bh4YLpe37R0SrOvitBsN` |
-> | UK South | ecdsa-sha2-nistp256 | `weMVzOmQnlMdMp5XBoU9SdN5meBbx/8nvA8dB45w8Ck=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEnBllEm4/HsTP+ZMhlc8YnSAYWF23tibZDqGxf0yBRTU/ncuaavuQdIJ5TcJb0NcXG7skEmq3StwHT0FPMWN8Y=` |
-> | UK South | ecdsa-sha2-nistp384 | `HpsZ8zoOCCsUbpD3nAOtxpuKIvn0L8KGyg1KMLuMUqU=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGd/672brwX1kOhH31ZTdBRj+bcEmemcdmTEe0J88cJ3RRQy7nDFs25UrnR+h3P0ov9Uq24EJQS8auxRgNCUJ3i3ZH9QjcwX/MDRFPnUrNosH8NkcPmJ/pezVeMJLqs3Qw==` |
-> | UK South | rsa-sha2-256 | `3nrDdWUOwG0XgfrFgW27xhWSizttjabHXTRX8AOHmGw=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCdLm+9OROp5zrc6nLKBJWNrTnUeCeo8n1v9Y3qWicwYMqmRs/sS9t5V3ABWnus4TxH3bqgnQW3OqWLgOHse/3S+K1wGERmBbEdKOl7A7kQ9QgDkWEZoftwJ9hp+AMVTfCYhcOOsG+gW021difNx+WW2O5TldL31pk+UvdhnQKRHLX31cqx5vuUmiwq4mlbBx+rY8B/xngP2bzx/oYXdy1I9fZbWWAQ6FwJBav1sSWL0l7snRdOsy5ASeMnYollEw1IATwYeUv8g3PzrryZuru+7gu/Ku9w8d5jbFyI6Up4KLwjs/gZNuqQ5dif7utiQYbVe4L0TPWOmuLA25JJRZaF` |
-> | UK South | rsa-sha2-512 | `Csnl8SFblkdpVVsJC1jNVSyc2eDWdCBVQj9t6J3KHvw=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDIwNEfrP6Httmm5GoxwprQ57AyD6b3EOVe5pTGQWIOzxnrIw2KnDPL07KNa33xZOmtXro5PYyhr5eNXUkFiQMEe+RblilZSNAvc4MHbp2TVD0L9N7Pdy2SetoF4m5BCXdC48kZntqgkpzXoDbFiaAVln5zQCHB5fOuBPS1id8+k3zqG0o+K0MHb6qcbYV8gdQeOn/PlJzKE4M0Ie8na3aWHdGvfJjDdK/hNN0J+eUK8qIb9KCJkSMDj/l3rnue9L8XgeKKA2Pkvh3nch4VBXCcCsDVhgSf+aoiJ0Fy8GVOTk2s7QDMzD9y37D9V2OPl66q4pjFGOfK0mJmrgqxWNy5` |
-> | UK West | ecdsa-sha2-nistp256 | `bNYdYVgicvl1yaOR/1xLqocxT8bamjezGFqFdO6Od0I=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWKoJuxB3EO5bKjxnviF+QTv3PBSViD1SNKbfj0qYfAjObQKZuiqcFYeDoPrkhk9jfan2jU6oCEN4+KDwivz3k=` |
-> | UK West | ecdsa-sha2-nistp384 | `6V8vLtRf6I5BjuLgToJ1cROM72UqPD+SC0N9L9WG6PA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBA+7R/5qSfsXACmseiErhfwhiE7Rref/TNHONqiFlAZq2KCW3w3u8+O4gpJEflibMFP/Mj5YeoygdPUwflFNcST9K+vnkEL3/lqzoGOarGBYIKtEZwixv3qlBR+KyoRUkw==` |
-> | UK West | rsa-sha2-256 | `2NQ5z6fQjt4SZKdViPS+I2kX7GoXOx3fVE81t8/BCVE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDNq0xtA0tdZmkSDTNgA05YLH5ZuLFKD7RbruzuL4KVU2In0DQUtJkVqRXIaB3f+cEBTs9QrMUqolOdCCunhzosr5FvCO3I6HZ8BLnVNshtUBf2C1aT9yonlkdiIyc2pCHonds8vHKC4SBNu3Jr584bhyan8NuzJqzPCnKTdHwyWjf8m5mB4liK/ka4QGiaLLYTAjCCXmaXXOVZI2u0yDcJQXAjAP5niCOQaPHgdGk6oSjs0YKB29V+lIdB8twUnBaJA9jgECM2brywksmXrAyUPnIFD6AVEiFZsUH3iwgFAH7O6PLZTOSgJuu994CNwigrOXTbABfpH2YMjvUF///5` |
-> | UK West | rsa-sha2-512 | `MrfRlQmVjukl5Q5KvQ6YDYulC3EWnGH9StlLnR2JY7Q=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQClZODHJMnlU29q0Dk1iwWFO0Sa0whbWIvUlJJFLgOKF5hGBz9t9L6JhKFd1mKzDJYnP9FXaK1x9kk7l0Rl+u1A4BJMsIIhESuUBYq62atL5po18YOQX5zv8mt0ou2aFlUDJiZQ4yuWyKd44jJCD5xUaeG8QVV4A8IgxKIUu2erV5hvfVDCmSK07OCuDudZGlYcRDOFfhu8ewu/qNd7M0LCU5KvTwAvAq55HiymifqrMJdXDhnjzojNs4gfudiwjeTFTXCYg02uV/ubR1iaSAKeLV649qxJekwsCmusjsEGQF5qMUkezl2WbOQcRsAVrajjqMoW/w1GEFiN6c70kYil` |
-> | US DoD Central | ecdsa-sha2-nistp256 | `03WHYAk6NEf2qYT62cwilvrkQ8rZCwdi+9M6yTZ9zjc=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCVsp8VO4aE6PwKD4nKZDU0xNx2CyNvw7xU3/KjXgTPWqNpbOlr6JmHG67ozOj+JUtLRMX15cLbDJgX9G9/EZd8=` |
-> | US DoD Central | ecdsa-sha2-nistp384 | `do10RyIoAbeuNClEvjfq5OvNTbcjKO6PPaCm1cGiFDA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBKYiTs82RA54EX24BESc5hFy5Zd+bPo4UTI/QFn+koMnv2QWSc9SYIumaVtl0bIWnEvdlOA4F2IJ1hU5emvDHM2syOPxK7wTPms9uLtOJBNekQaAUw61CJZ4LWlPQorYNQ==` |
-> | US DoD Central | rsa-sha2-256 | `htGg4hqLQo4QQ92GBDJBqo7KfMwpKpzs9KyB07jyT9w=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDVHNOQQpJY9Etaxa+XKttw4qkhS9ZsZBpNIsEM4UmfAq6yMmtXo1EXZ/LDt4uALIcHdt3tuEkt0kZ/d3CB+0oQggqaBXcr9ueJBofoyCwoW+QcPho5GSE5ecoFEMLG/u4RIXhDTIms/8MDiCvbquUBbR3QBh5I2d6mKJJej0cBeAH/Sh7+U+30hJqnrDm4BMA2F6Hztf19nzAmw7LotlH5SLMEOGVdzl28rMeDZ+O3qwyZJJyeXei1BiYFmOZDg4FjG9sEDwMTRnTQHNj2drNtRqWt46kjQ1MjEscoy8N/MlcZtGj1tKURL909l3tUi3fIth4eAxMaAkq023/mOK1x` |
-> | US DoD Central | rsa-sha2-512 | `ho5JpqNw8wV20XjrDWy/zycyUMwUASinQd0gj8AJbkE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCT/6XYwIYUBHLTaHW8q7jE2fdLMWZpf1ohdrUXkfSksL3V8NeZ3j12Jm/MyZo4tURpPPcWJKT+0zcEyon9/AfBi6lpxhKUZQfgWQo7fUBDy1K4hyVt9IcnmNb22kX8y3Y6u/afeqCR8ukPd0uBhRYyzZWvyHzfVjXYSkw2ShxCRRQz4RjaljoSPPZIGFa2faBG8NQgyuCER8mZ72T3aq8YSUmWvpSojzfLr7roAEJdPHyRPFzM/jy1FSEanEuf6kF1Y+i1AbbH0dFDLU7AdxfCB4sHSmy6Xxnk7yYg5PYuxog7MH27wbg4+3+qUhBNcoNU33RNF9TdfVU++xNhOTH1` |
-> | US DoD East | ecdsa-sha2-nistp256 | `dk3jE5LOhsxfdaeeRPmuQ33z/ZO55XRLo8FA3I6YqAk=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD7vMN0MTHRlUB8/35XBfYIhk8RZjwHyh6GrIDHgsjQPiZKUO/blq6qZ57WRmWmo7F+Rtw6Rfiub53a6+yZfgB4=` |
-> | US DoD East | ecdsa-sha2-nistp384 | `6nTqoKVqqpBl7k9m/6joVb+pIqKvdssxO5JRPkiPYeE=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOwn2WSEmmec+DlJjPe0kjrdEmN/6tIQhN8HxQMq/G81c/FndVVFo97HQBYzo1SxCLCwZJRYQwFef3FWBzKFK7bqtpB055LM58FZv59QNCIXxF+wafqWolrKNGyL8k2Vvw==` |
-> | US DoD East | rsa-sha2-256 | `3rvLtZPtROldWm2TCI//vI8IW0RGSbvlrHSU4e4BQcA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDv+66WtA3nXV5IWgTMPK9ZMfPzDaC/Z1MXoeTKhv0+kV+bpHq30EBcmxfNriTUa8JZBjbzJ0QMRD+lwpV1XLI1a26JQs3Gi1Rn+Cn+mMQzUocsgNN+0mG1ena2anemwh4dXTawTbm3YRmb5N1aSvxMWcMSyBtRzs7menLh/yiqFLr+qEYPhkdlaxxv4LKPUXIJ1HFMEq/6LkpWq61PczRrdAMZG9OJuFe/4iOXKLmxswXbwcvo6ZQPM6Yov1vljovQP2Iu4PYXPWOIHZe4Vb90IuitCcxpGYUs0lxm4swDRaIx0g+RLaNGQ7/f/l+uzbXvkLqdzr5u6gLYbb8+H6qp` |
-> | US DoD East | rsa-sha2-512 | `xzDw4ZHUTvtpy/GElnkDg95GRD8Wwj7+AuvCUcpIEVo=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDrAT5kTs5GXMoc+fSX1VScJ4uOFAaeA7i1CVZyWCcVNJrz2iHyZAncdxJ86BS8O2DceOpzjiFHr6wvg2OrFmByamDAVQCZQLPm+XfYV7Xk0cxZYk5RzNDQV87hEPYprNgZgPuM3tLyHVg76Zhx5LDhX7QujOIVIxQLkJaMJ/GIT+tOWzPOhxpWOGEXiifi4MNp/0uwyKbueoX7V933Bu2fz0VMJdKkprS5mXnZdcM9Y/ZvPFeKaX55ussBgcdfjaeK3emwdUUy4SaLMaTG6b1TgVaTQehMvC8ufZ3qfpwSGnuHrz1t7gKdB3w7/Q7UFXtBatWroZ10dnyZ/9Nn4V5R` |
-> | US Gov Arizona | ecdsa-sha2-nistp256 | `NVCEDFMJplIVFSg34krIni9TGspma70KOmlYuvCVj7M=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKM1pvnkaX5Z9yaJANtlYVZYilpg0I+MB1t2y2pXCRJWy8TSTH/1xDLSsN29QvkZN68cs5774CtazYsLUjpsK04=` |
-> | US Gov Arizona | ecdsa-sha2-nistp384 | `CsqmZyqRDf5YKVt52zDgl6MOlfzvhvlJ0W+afH7TS5o=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBKwIkowKaWm5o8cyM4r6jW39uHf9oS3A5aVqnpZMWBU48LrONSeQBTj0oW7IGFRujBVASn/ejk25kwaNAzm9HT4ATBFToE3YGqPVoLtJO27wGvlGdefmAvv7q5Y7AEilhw==` |
-> | US Gov Arizona | rsa-sha2-256 | `lzreQ6XfJG0sLQVXC9X52O76E0D/7dzETSoreA9cPsI=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCt8cRUseER/kSeSzD6i2rxlxHinn2uqVFtoQQGeyW2g8CtfgzjOr4BVB7Z6Bs2iIkzNGgbnKWOj8ROBmAV4YBesEgf7ZXI+YD5vXtgDCV+Mnp1pwlN8mC6ood4dh+6pSOg2dSauYSN59zRUEjnwOwmmETSUWXcjIs2fWXyneYqUZdd5hojj5mbHliqvuvu0D6IX/Id7CRh9VA13VNAp1fJ8TPUyT7d2xiBhUNWgpMB3Y96V/LNXjKHWtd9gCm96apgx215ev+wAz6BzbrGB19K5c5bxd6XGqCvm924o/y2U5TUE8kTniSFPwT/dNFSGxdBtXk23ng1yrfYE/48CcS5` |
-> | US Gov Arizona | rsa-sha2-512 | `dezlFAhCxrM3XwuCFW4PEWTzPShALMW/5qIHYSRiTZQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDIAphA39+aUBaDkAhjJwhZK37mKfH0Xk3W3hepz+NwJ5V/NtrHgAHtnlrWiq/F7mDM0Xa++p7mbJNAhq9iT2vhQLX/hz8ibBRz8Kz6PutYuOtapftWz7trUJXMAI1ASOWjHbOffxeQwhUt2n0HmojFp4CoeYIoLIJiZNl8SkTJir3kUjHunIvvKRcIS0FBjEG9OfdJlo0k3U2nj5QLCORw8LzxfmqjmapRRfGQct/XmkJQM5bjUTcLW7vCkrx+EtHbnHtG+q+msnoP/GIwO3qMEgRvgxRnTctV82T8hmOz+6w1loO6B8qwAFt6tnsq2+zQvNdvOwRz/o+X8YWLGIzN` |
-> | US Gov Iowa | ecdsa-sha2-nistp256 | `nGg8jzH0KstWIW2icfYiP5MSC0k6tiI07u580CIsOdo=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGlFqr2aCuW5EE5thPlbGbqifEdGhGiwFQyto9OUwQ7TPSmxTEwspiqI7sF4BSJARo9ZTHw2QiTkprSsEihCAlE=` |
-> | US Gov Iowa | ecdsa-sha2-nistp384 | `Dg+iVLxNGWu0DUgxBG4omcB9UlTjXvUnlCyDxLMli4E=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAsubBoJjCp1gO26Xl0t0t0pHFuKybFFpE7wd4iozG0FINjCd4bFTEawmZs3yOJZSiVzLiP1cUotj2rkBK3dkbBw+ruX0DG1vTNT24D6k54LhzoMB0aXilDtwYQKWE+luw==` |
-> | US Gov Iowa | rsa-sha2-256 | `gzizFNptqVrw4CHf17tWFMBuzbpz2KqDwZLu/4OrUX8=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDMv5Y4DdrKzfz2ZDn1UXKB6ItW9ekAIwflwgilf8CJxenEWINEK5bkEPgOz2eIxuThh9qE8rSR/XRJu3GfgSl9ATlUbl+HppXSF7S1V1DIlZbhA75JU/blUZ1tTTowrjwSn8dpnR2GQcBhywmdbra7QcJyHb+QuY9ZGXOu3ESETQBCD6eUsPoHCdQRtKk1H6zQELRPDi/qWCYhdNULx4j19CdItjMWPHfQPV9JEGGFxfBzDkWaUIDymsex44tLLxe9/tT8XlD/prT/zCLV0QE/UYxYI3h9R9zL7OJ5a92J72dBRPbptXIhz7UVeSBojNXnnOf+HnwAVbt1Fi/iiEQJ` |
-> | US Gov Iowa | rsa-sha2-512 | `Izq7UgGmtMU/EHG+uhoaAtNKkpWxnbjeeLCqRpIsuWA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDofdiTcVwmbYyk9RRTSuI6MPoX7L03a6eKemHMkTx2t7WtP7KqC9PlnmQ2Jo5VoaybMWdxLZ+CE8cVi70tKDCNgD8nAjKizm0iMk2AO5iKcj8ucyGojOngXO4JGgrf1mUlnQnTlLaC1nL487RDEez5rryLETGSGmmTkvIGNeSJUWIWqwDeUMg1FUnugyOeUmRpY7bl/PlUfZAm9rJJZ5DwiDGjn6dokk7S/huORGyUWeDVYGCSQug6VRC1UxnJclckgRIJ2qMoAZln4VdqZtpT3pBXaZqOdY52TQSAdi345bEHSCaGxyTdT14k3XjI/9q8BZ9IX7K4fbJCX0dbLHJp` |
-> | US Gov Texas | ecdsa-sha2-nistp256 | `osmHklvhKEbYW8ViKXaF0uG+bnYlCSp1XEInnzoYaWs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjvs/Cy4EODF21qEafVDBjL4JQ5s4m87htOESPjMAvNoZ3vfRtJy81MB7Fk6IqJcavqwFas8e3FNRcWBVseOqM=` |
-> | US Gov Texas | ecdsa-sha2-nistp384 | `MIJbuk4de6NBeStxcfCaU0o8zAemBErm4GSFFwoyivQ=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGxPcJV0UdTiqah2XeXvfGgIU8zQkmb6oeJxRtZnumlbu5DfrhaMibo3VgSK7HUphavc6DORSAKdFHoGnPHBO981FWmd9hqxJztn2KKpdyZALfhjgu0ySN2gso7kUpaxIA==` |
-> | US Gov Texas | rsa-sha2-256 | `IL6063PFm771JPM4bDuaKiireq8L7AZP+B9/DaiJ2sI=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDUTuQSTyQiJdXfDt9wfn9EpePO0SPMd+AtBNhYx1sTUbWNzBpHygfJlt2n0itodnFQ3d0fGZgxE/wHdG6zOy77pWU8i95YcxjdF+DMMY3j87uqZ8ZFk4t0YwIooAHvaBqw/PwtHYnTBr82T383pAasJTiFEd3GNDYIRgW5TZ4nnA26VoNUlUBaUXPUBfPvvqLrgcv8GBvV/MESSJTQDz1UegCqd6dGGfwdn2CWhkSjGcl17le/suND/fC5ZrvTkRNWfyeJlDkN4F+UpSUfvalBLV+QYv4ZJxsT4VagQ9n6wTBTDAvMu3CTP8XmAYEIGLf9YCbjxcTC+UywaL1Nk++x` |
-> | US Gov Texas | rsa-sha2-512 | `NZo9nBE/L1k6QyUcQZ5GV/0yg6rU2RTUFl+zvlvZvB4=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCwNs5md1kYKAxFruSF+I4qS1IOuKw6LS9oJpcASnXpPi//PI5aXlLpy5AmeePEHgF+O0pSNs6uGWC+/T2kYsYkTvIieSQEzyXfV+ZDVqCHBZuezoM0tQxc9tMLr8dUExow1QY5yizj35s1hPHjr2EQThCLhl5M0g3s+ktKMb77zNX7DA3eKhRnK/ulOtMmewrGDg9/ooOa7ZWIIPPY0mUDs5Get/EWF1KCOABOacdkXZOPoUaD0fTEOhU+xd66CBRuk9SIFGWmQw2GiBoeF0432sEAfc3ZptyzSmCamjtsfihFeHXUij8MH8UiTZopV3JjUO6xN7MCx9BJFcRxtEQF` |
-> | US Gov Virginia | ecdsa-sha2-nistp256 | `RQCpx04JVJt2SWSlBdpItBBpxGCPnMxkv6TBrwtwt54=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD7FjQs4/JsT0BS3Fk8gnOFGNRmNIKH0/pAFpUnTdh7mci4FvCS2Wl/pOi3Vzjcq+IaMa9kUuZZ94QejGQ7nY/U=` |
-> | US Gov Virginia | ecdsa-sha2-nistp384 | `eR/fcgyjTj13I9qAif2SxSfoixS8vuPh++3emjUdZWU=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBKtxuygqAi2rrc+mX2GzMqHXHQwhspWFthBveUglUB8mAELFBSwEQwyETZpMuUKgFd//fia6NTfpq2d2CWPUcNjLu041n0f3ZUbDIh8To3zT7K+5nthxWURz3vWEXdPlKQ==` |
-> | US Gov Virginia | rsa-sha2-256 | `/ItawLaQuYeKzMjZWbHOrUk1NWnsd63zPsWVFVtTWK0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC87Alyx0GHEYiPTqsLcGI2bjwk/iaSKrJmQOBClBrS23wwyH/7rc/yDlyc3X8jqLvE6E8gx7zc+y3yPcWP1/6XwA8fVPyrY+v8JYlHL/nWiadFCXYc8p3s8aNeGQwqKsaObMGw55T/bPnm7vRpQNlFFLA9dtz42tTyQg+BvNVFJAIb8/YOMTLYG+Q9ZGfPEmdP6RrLvf2vM19R/pIxJVq5Xynt2hJp1dUiHim/D+x9aesARoW/dMFmsFscHQnjPbbCjU5Zk977IMIbER2FMHBcPAKGRnKVS9Z7cOKl/C71s0PeeNWNrqDLnPYd60ndRCrVmXAYLUAeE6XR8fFb2SPd` |
-> | US Gov Virginia | rsa-sha2-512 | `0SbDc5jI2bioFnP9ljPzMsAEYty0QiLbsq1qvWBHGK4=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDNu4Oori191gsGb8rlj1XCrGW/Qtnj6rrSQK2iy7mtdzv9yyND1GLWyNKkKo4F3+MAUX3GCMIYlHEv1ucl7JrJQ58/u7pR59wN18Ehf+tU8i1EirQWRhlgvkbFfV9BPb7m6SOhfmOKSzgc1dEnTawskCXe+5Auk33SwtWEFh560N5YGC5vvTiXEuEovblg/RQRwj+9oQD1kurYAelyr76jC/uqTTLBTlN7k0DBtuH305f7gkcxn+5Tx1eCvRSpsxD7lAbIoCvQjf95QvOzbqRHl6wOeEwm03uK8p9BLuzxlIc0TTh4CE8KrO5bciwTVi1xq7gvqh912q0OvWpg3XBh` |
-> | West Central US | ecdsa-sha2-nistp256 | `rkHjcTK2BvryQAFvjugTHdbpYBGfOdbBUNOuzctzJqM=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKMjEAUTIttG+f5eocMzRIhRx5GjHH7yYPzh/h9rp9Yb3c9q2Yxw/j35JNWxpGwpkb9W1QG86Hjt4xbB+7q/D8c=` |
-> | West Central US | ecdsa-sha2-nistp384 | `gS9SYvaH6dCqyugArvFb13cwi8q90glNaK+fyfPie+Y=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBD0HqM8ubcDBRMwuruX5zqCWSp1DaLcS9cA9ndXbQHzb2gJ5bJkjzxZEeIOM+AHPJB8UUZoD12It4tCRCCOkFnKgruT61hXbn0GSg4zjpTslLRYsbJzJ/q6F2DjlsOnvQQ==` |
-> | West Central US | rsa-sha2-256 | `aSNxepEhr3CEijxbPB4D5I+vj8Um7OO6UtpzJ/iVeRg=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDDWmd8Zd7dCfamYd/c1i4wYhhRnaIgUmK7z/o8ehr4bzJgWRbjrxMtbkD2y7ImjE2NIBG5xglz6v9z4CFNjCKUmoUl7+Le3Rsc5sJ/JmHAmEXb0uiDMzhq9f6Qztp+Pb9uqLfsPmm6pt1WOcpu+KNpiGtPWTL21sJApv6JPKU+msUrrCIekutsHtW6044YPXNVOnvUXv08BaPFhbpeGZ4zkrji0mCdGfz2RNcgLw0y3ZzgUuv0Lw+xV0/xwanJu4IOFI1X9Ab7NnoGMkqN/upBLJ4lRhjYVTNEv01IX2/r5WZzTn4c38Nfw4Ma3hR0BiLMTFfklFVGg2R64Z7IILoB` |
-> | West Central US | rsa-sha2-512 | `vVHVYoH1kU1IZk+uZnStj3Qv2UCyOR9qVxJfmTc20jQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC9Q8Tvvnea8hdaqt+SZr4XN1JIeR43nX6vrdhcS6yyfRgaTcEdKbAKQbwj9Fu3kq80c4F+SNzh1KQWlqLu3MJHSaSdQLN9RaHO1Dd+iVK1WgZtsPM9+6U7wupMZq8Hdmao5sqaMT5lj7g+win2J+Wibz7t8YwS7g2Xi+ode8tFPFKduZ5WvKLjI0EiAS4mvcyWEWca142E8fxV9TobUjAICfgtL4vCpmLYKnSL/kUgplD0ow86k/MHp9zghDLVSVDj8MGMra+IJEpgHOUrFNnuyua2WSJVuXR2ITfaecRKrGg7Z4IJzExPoQzDIWdCHptiGLAqvtKT0NE2rPj9U4Rp` |
-> | West Europe | ecdsa-sha2-nistp256 | `0WNMHmCNJE1YFBpHNeADuT5h+PfJ/jJPtUDHCxCSrO0=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBANx85rJLXM8QZi33y8fzvUbH+O5Cujn0oJFDGQrwhGJQTHsjIhd5bhFFgDvJ64/4SGrtP1LHDKLwr9+ltzgxIE=` |
-> | West Europe | ecdsa-sha2-nistp384 | `90g+JfQChjbb3OOV0YIGSVTkNotnefCV2NcSuMdPrzY=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNJgtrLFy2zsyhNvXlwHUmDBw1De++05pr1ZTxOIVnB17XZix0Euwq/wZTs0cE01c5/kYdAp+gQHEz594e7AQXBTCTqUiIS1a4+IXzfiCcShVfMsLFBvzjm9Yn8qgW9Ofg==` |
-> | West Europe | rsa-sha2-256 | `IeHrQ+N6WAdLMKSMsJiML4XqMrkF1kyOiTeTjh1PFyc=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDZL63ZKHrWlwN8gkPvq43uTh88n0V6GwlTH2/sEpIyPxN56/gpgWW6aDyzyv6PIRI/zlLjZNdOBhqmEO+MhnBPkAI8edlvFoVOA6c/ft5RljQOhv+nFzgELyP8qAlZOi1iQHx7UeB1NGkQ5AIwNIkRDImeft9Iga+bDF6yWu60gY43QdGQCTNhjglNuZ6lkGnrTxQtPSC01AyU51V1yXKHzgaTByrA4tK6cGtwjFjMBsnXtX2+yoyyuQz/xNnIN63awqpQxZameGOtjAYhLhtEgl39XEIgvpAs1hXDWcSEBSMWP4z04U/tw2R5mtorL3QU1CmokWmuAQZNQcLSLLlt` |
-> | West Europe | rsa-sha2-512 | `7+VdJ21y+HcaNRZZeaaBtk1AjkCNK4weG5mkkoyabi0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDYAmiv6Tk/o02McJi79dlIdPLu1I5HfhsdPlUycW+t1zQwZL+WaI182G6SY728hJOGzAz51XqD4e5yueAZYjOJwcGhHVq6MfabbhvT1sxWQplnk3QKrUMRXnyuuSua1j+AwXsm957RlbW9bi1aQKdJgKq3y2yz+hqBS76SX9d8BxOHWJl5KwCIFaaJWb0u32W2HGb9eLDMQNipzHyANEQXI9Uq2qRL7Z20GiRGyy7VPP6AbPYTprrivo3QpYXSXe9VUuuXA9g3Bz3itxmOw6RV9aGQhCSp22BdJKDl70FMxTm1d87LEwOQmAViqelEeY+DEowPHwVLQs3rIJrZHxYV` |
-> | West India | ecdsa-sha2-nistp256 | `t+PVPMSVEgQ3FPNploXz7mO25PFiEwzxutMjypoA2DM=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCzR5dhW3wfN5bRqLfeZ2hlj7iRerE4lF5jk+iQl6HJHKXIsH6lQ63Wyg7wOzF65jNnvubAJoEmzyyYig+D3A+w=` |
-> | West India | ecdsa-sha2-nistp384 | `pLODd+3JNeLVcPYYnI0rSWoemhMWws0jLc3J8cV6+GU=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBL2PEknfZpPAT4ejqBJW8InHPELP1G7hGvroW5J3evJr8Qrr//voa6aH8ZF7Ak0HcVVOOCSzfjcEpZYjjrXrzuCOekU48DkSF8i1kKqV4iXejNNQ1ohDCbsiAyoxQMY9cA==` |
-> | West India | rsa-sha2-256 | `Fkh7r/tOJy1cZC6nI75VsO1sS3ugMvJ56U02uGGJHFo=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDHCzLI51bbBLWK7TcXvXvEHaLQMzuYKEwyoS1/oC5EN3NsLZl4BV5d2zbLETFDjsky/btWiAkCvHuzxealxGgzw69ll90aWSOEY/epaYJvueOTvGy4+rJY8Xyc64VdHml8n3EEZTQmBEi3Tn6bViLwvC0iT2/noLeYGXh0/NL0T3BeblwSm3cNXyemkBQO/zyYcchqRtKJu8w8brYVZYFINlTeBu4LyDP1k9DMtuewGoeH8SmvDxUmiIGh2VDlPmXe3IkMR0nSgz10jMl3F0fei7ZJ+8zdCVbBuIqsJf+koJa/q9npstWGMFddMX3nR0A3HnG4v5aCAGVmfl11iC0J` |
-> | West India | rsa-sha2-512 | `xDtcgfElRGUUgWlU9tRmSQ58WEOKoUSKrHFDruhgDIM=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCXehufp18nKehU4/GOWMkXJ87t22TyG5bNdVCPO2AgLJ88FBwZJvDurLgdPRDRuJImysbD7ucwk2WoDNC39q0TWtCRyIKTXfwvPmyG+JZKkT+/QfslMqiAXAPIQtVr2iXTeuHmn3tk+PksGXnTwb3oFV4wv40Wi1CbwvtCkUsBSujq4AR7BqksPnAqPrAyw+fFR3w4iD3EdtHBdIVULez3lkpMH/d04rf2bjh6lpI9YUdcdAmTGYeMtsf/ef8z0G2xpN2aniLCoCPQP85cooKq7YEhBDR8Lzem3vWnqS3gPc4rUrCJoDkGm0iL/4GCWRyG+RPi70WSdVysJ+HIm0Ct` |
-> | West US | ecdsa-sha2-nistp256 | `peqBbfcWZRW4QzLi69HicUUTwdtfW7/E9WGkgRMheAo=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcTos/zmSn15kzn1Lk8N8QQh9hzOwqOSOf/bCpu6AQbWJtvjf1pHMuZlS2PpIV7G+/ImxXGpqpHqQlcD+Lg8Ro=` |
-> | West US | ecdsa-sha2-nistp384 | `sg63Cc3Mvnn9hoapGaEuZByscUEMa+xgw/3ruz49szk=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGzX2t9ALjFwpcBLm4B0+/D47PMrDya0KTva5w4E5GZNb5OwQujQvtUS2owd8BcKdMBeXx2S7qbcw6cQFffRxE+ZTr4J+3GoCmDM0PqraXxJHBRxyeK6vlrSR8ojRzIApA==` |
-> | West US | rsa-sha2-256 | `kqxoK1j6vHU8o8XyaiV87tZFEX9nE6o/yU0lOR5S6lE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDAd7gh0mFw3iRAKusX3ai6OE0KO5O2CMlezvZOAJEH88fzWQ/zp0RZ1j7zJ8sbwslA6v3oRQ7Cx9ptAMTrL8SW4CZYcwETlfL3ZP39Llh+t7rZovIgvCDU0tijYvsa1W0T9XZgcwWEm6cWQzdm+i9U0KUdh7KgsubPAhGQ7xrOVEqgB9MYMofSSdIfKMt8K7xOSam6mhWiTSSIEGgeMTIZ9TgXkgAEJ8TNl3QHRoM8HxMnRFjtkXbT3EeSg6VOqi69Cei3hrmS64qvdzt2WwoTQwTFjxHocWGgA+Ow53wqWt8iYgOudpoB1neXiIcF4p0CN8zjvXNiRbZPg9lXFM9R` |
-> | West US | rsa-sha2-512 | `/PP9B/9KEa+QUyump1Yt05Lfk0LY/eyQhHyojh5zMEg=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC8R8bFe8QSTYKK+4evMpnlB8y0rQCqikTyviqD4rva7i4f1f/JxmptJQ/wkipHPXk6E7Du6oK/iJaZ+wjZ03tNIWwAGn0SdlTvWuwQwigK9k3JRlLYO+Uj/SSnBQWf8Dmp+cA6RDalteHpM2KwaUK65BHYC75bWKHaNntadTIU4kQ0BvFzmNRcJWL6otd5RkdYXjJWHu21zcv4EpRHGmVCD0na+UWce6UGDbLDtsZVJd2Q7IyeTrXpWxEO0fFN2Gu9gINfWC1FpuffGaqWSa4nK69n39lUKz4PUdu6Owmd9aNbLXknvtnW4+xGbX6oQa8wYulINHjdNz8Ez6nOiNZ9` |
-> | West US 2 | ecdsa-sha2-nistp256 | `rt5kaA0neIFDIWTP2MjWk9cOSapzEyafirEgPGt+9HM=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKEKP+1QZf3GfEvkNZtzoKr05iAwGq+yPhUsVdyA7uKnwvTwZAi7NBr4hMkGIIdgQlGrMNNXKS0V+rhMNI1sH48=` |
-> | West US 2 | ecdsa-sha2-nistp384 | `g0vDKd4G5MKnxWewbnCYahCv1lZgfnZeEXfPAhv+trs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBB1+/Qu9Y1BqqV3seN0+0ITYCueuv0TFAnfG9z1Io8VYjmxLvdmaDvTi9kJ0ShjFJRKjbCfYKNekqYZDW4gBfmE9EyvMPI6VXPVLNY3TQ/z+Y7qO/oa28cSirW9fhp7vbA==` |
-> | West US 2 | rsa-sha2-256 | `ktnBebdoHk7eDo2tvJuv36XnMtfauhvF/r0uSo6DBfk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDoskHzExtM+YSXGK6cBgmnLlXsZLWXkEexPKC7wHdt0kSqkIk9F31wD+2LefZzaTGfAmY5/EWrOsyBJvIgOoksH+ZPMnE9+TOWqy6vsS+Ml/ITvUkWajS1bKDPDSoIrCM1rQ9PlbgMQFg4o0FfyxLVCP7hcgvHO+aycOxkiDqtvwANvIn2Qwt7xwpIv1Mnc4OpcBSxbigb7ISlrvR9XWivE/piWjXS3IEYkGv7VitAlmWEoTt9L7K94bYol2nCXSXJ33X6xVVwVNpdxVtnUQBIRinN+vkOccgG0jvWtWPtrMjyDg/lyvr6lBdO/CQy4VO4VrIBuL6pjsS8KfIfTxKd` |
-> | West US 2 | rsa-sha2-512 | `i8v3Xxh/phaa5EyZEr5NM4nTSC/Rz7Nz0KJLdvAL0Ls=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDOOo5f0ACypThvoDEokPfzGJUxbkyMoQKca9AgEb3YkQ/lsYCfLtfGxMr2FTOGQyx5wfhOrN0B2SpI4DBgF3B0YSLK0omZRY7fpVPspWWHrsbTOJm/Fn7bWCM+p63xurZ6RUPCA6J1gXd3xbdW7WQXLGBJZ6fjG7PbqphIOfFtwcs/JvjhjhvleHrXOtfGw9b4Jr8W1ldtgKslGCU1mnUhOWWXUi+AhwGFTI0G/AShlpX8ywulk2R+fxet3SNGNQmjydnNkcsrBI/EMytO1kwoJB3KmLHEeijaQzK7iJxRDZEHlHWos6G7jwaGPI4rV5/S1N+xnG+OhCDYAUbunp5R` |
-> | West US 3 | ecdsa-sha2-nistp256 | `j4NlZP/wOXKnM3MkNEcTksqwBdF0Z46+rdi2Ic1Oj54=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBETvvRvehAQ2Ol0FfTt649/4Xsd0DQQ7vyZ666B92wRhvyziGIrOhy8klXHcijmRYRz3EjTHyXHZ4W8kcSKB4Lo=` |
-> | West US 3 | ecdsa-sha2-nistp384 | `DkJet/6Pm6EXfpz2Ut6aahJ94OvjG3R7+dlK0H4O1ts=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBEu+HpgDp0a02miiJjD5qVcMcjWiZg5iIExECqD/KQVkfyraJ3WZ8P28JwB+IYlEGa2SHQxScDjG2t3iOSuU9BtpA0KK5PGtu3ZxhN1UmZbQgz6ANov7/+WHChg7/lhK0Q==` |
-> | West US 3 | rsa-sha2-256 | `pOKzaf3mrTJhfdR/9dbodyNza30TpQrYRFwKAndeaMo=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC0KEDBaFSLsI28jdc854Rq6AL9Ku8g8L+OWQfWvb1ooBChMMd/oqVvFF9hkLzJ8nFPQw7+esVKys5uFwRTpBNuobF/RVtY0zLsNd+jkPxoUhs7Yl0hI2XXAPdp3uCsID56O+OrB7XbOsPCrJ2aXfiaRheRQg84/92c357uQ/epsva8XCMjIIGOAyEL6d4mnCNJ2Y0mXPJT1lfswoC8i2GSUKdJZhTLCe9zVDvTCTWuZJSH3A8nM3RVtnNgMXfNjh2blwW9YFv5BrMOXA205fahuDcPjwvXo9OMfEneDsrODmiEGYzbYLby/5/KPzz5OVn7BDJma6HL0z07i3PmEzXN` |
-> | West US 3 | rsa-sha2-512 | `KKcoWCeuJeepexnJCxoFqKJM88XrpsPKavXOoNFEGuY=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDNzhiVgDjCIarGEjKgmSxRh4vWjV6PxFbNK3cD0M4jWGlxPx/otJNEXCMee0hW29b7bwo2+aiyv3AEt7JYTeM/G9SHmenU6MTpqD/lC/LABtqTB7EV9FIFkc8MbbOvEkdTnRJw1d09MTqqwbkR9wq297AWggSzCuPDqMq+268UzsthMzODRVqW3yTr3M6vhlBCPfN5ptcvYwqRaa7Yhe4bdRZ+xYB5I2+ZMkalfn7SQiySSgAGjUJxrxK+LnJKSi32CfqTU8KjWNjCc40eAqexLFjg6AN9BtC0+ZYcD2KQmeqJ8oRCWw9r4CsaduSmcjc7XD75RKGdArjYzjeiVSlt` |
+> | Region | Host key type | Expiration | SHA 256 fingerprint <sup>1</sup> | Public key |
+> ||||||
+> | Australia Central | ecdsa-sha2-nistp256 | 12/31/2023 | `m2HCt3ESvMLlVBMwuo9jsQd9hJzPc/fe0WOJcoqO3RA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBElXRuNJbnDPWZF84vNtTjt4I/842dWBPvPi2fkgOV//2e/Y9gh0koVVAYp6MotNodg4L9MS7IfV9nnFSKaJW3o=` |
+> | Australia Central | ecdsa-sha2-nistp256 | 12/31/2025 | `5Vot7f2reXMzE6IR9GKiDCOz/bNf3lA0qYnBQzRgObo=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLs9yqrEGdGvgdSWkAK5YkyazMWi30X+E6J/CiGpJwbuczVJwT/cwh+mxnE7DMTwhEo57jL7/wi/WT8CPfPpD4I=` |
+> | Australia Central | ecdsa-sha2-nistp384 | 12/31/2023 | `uoYLwsgkLp4D5diAulDKlLb7C5nT4gMCyf9MFvjr7qg=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBARO/VI5TyirrsNZZkI2IBS0TelywsJKj71zjBGB8+mmki+mmdtooSTPgH0zmmyWb/z3iJG+BnEEv/58zIvJ+cXsVoRChzN+ewvsqdfzfCqVrzwyro52x5ymB08yBwDYig==` |
+> | Australia Central | ecdsa-sha2-nistp384 | 12/31/2025 | `adZj2DQSv+LtvnORWfJdnUJhVy/Tjck1AWxOwF5q4hU=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBKVV77ZE9HdETqzwJ+w71BdzF5+8T+LX6ZYvEpNkts6aNurkpH5jfl89Lb0GVeOxIfw6pi3TCiYiXysImBKTsMPQYJ+7jWgLMJEgKG6iDdo3Ust0iolueehHci2iMxPwEg==` |
+> | Australia Central | rsa-sha2-256 | 12/31/2023 | `q2pDjwwgUuAMU3irDl2D+sbH8wQpPB5LHBOFFzwM9Sk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOrNklxmyreRYe7N72ylBCensxxPTBWX/CfbdbGfEbcGRtMGHReeojkvf4iJ7mDMZRzecgYxZ9o2bwTH9UImNkuZTsFNH6APuJ075WyxoDgdBX1UAQ3eE6BrCNI0BcwLakU9lq0rNhmxMpt/quBXxxWbRieKR9liTOg5CGSqoUPo7TpwaZQBltJCEf7rN5wGUlHV49iuiJIasSldYT6F1c3vS4bJb2sdIvVnKVLq+yTMzaPzWn34BD+KHx/pkB+s7/vQtdMfBBEdgEdPVvMPsyXtIKhx4Q79LnfZT19RDY8KW1mJrbPo67oEcjJYTXSZTKysjCUNmNNrnXvp6sHd` |
+> | Australia Central | rsa-sha2-256 | 12/31/2025 | `u2Lg2ZWkF2yQcm/gYtuy1pTIyY4zIhy4VRwZe2sJZYQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDNKRFZfxWPzqUEPzS7ywkynUs3ZQuhmFOaPqgORDqDf/+OYRswOcNwu1LqH7Ait5ntwFu99AyleKGkdKvkEHDHfKI3dJIczV5OpxZ4m9hFuDa0pSwlyUSVQc+jDTbtrUSFtkAZDsmfbXR3UBikrwJmA+9IF5UWewTxqvZ894r1rSbLkaZpObu5Cq9MW15On/Aa4lpR4mtVtSLt/ww/qGXy0wQDgzItjQlU+VrhjTd7PrL7NVpSmGIQioFqJqNP4mp8aUU9jceAOCa4nJkfEJ3oQRYTs2M0wxTNdo1XR1NPju6vlU0fKBq9G+hssOSNPZFc2Mnz7ECnVgjASKn9B1hJ` |
+> | Australia Central | rsa-sha2-512 | 12/31/2023 | `+tdLVAC4I+7DhQn9JguFBPu0/Hdt5Ru2zjuOOat+Opw=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCnd0ETMwpU8w7uwWu1AWDv6COIwLKMmxXu+/1rR429cNXuPrBkMldUfI7NKVaiwnu1kLPuJsgUDkvs/fc7lxx2l5i6mYBWJOXcWzAfXSBfB1a+1SK+2tDPYT3j4/W/KRW74DFPokWTINre22UVc+8sbzkmdtX/FzZdVcqI4+xJSjwdsp2hbzcsVWkxWhrFzKmBU40m5E/YwKQwAcbkzmX6AN5O8s66TQs2uPkRuTItDWI3ShW7QzW05jb6W8TeYdkouZ5PY0Yz/h3/oysFzo4VaUc0y3JP98KRWNXPiBrmvphpKnU1TQrjvVkYEsiCBHMOUnNVHdR1oIHd2zPRneK5` |
+> | Australia Central | rsa-sha2-512 | 12/31/2025 | `oOWjGbOjG/o5T4MRYnl2JmIWDQor5ScEXhbbNBsN07Q=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC4/SgLtX9IiVa6W6cqMTozxCEnv5OcjT9aohtlhd9ho4h4OI/m+vDXdxeSUcJE1vMK/mIpzqs402Gm4PB1Z667t6mhpj6ISPIp2WhPdbnBo1vqagMUWM3tHJjp4XlOyQW/dteQtqV32m5iBfCjEzCJt7aw93uWrMosB5q0j1mS0EdCFBWzLtaPPyaQnQ6Pm7KX/ZICzhEadU2tYC4alALfFvqn1HDUY+gyzE0/W3S+4+o9ds1uzG165c8hluYInsgTFAbHjVDAvy/5lG93tkNDh1qQu1m2bYnIoXzFg3ZYHrcvewbrHCPOH4/6TVItibspePHqM+cbRTuLd3oVzgh1` |
+> | Australia Central 2 | ecdsa-sha2-nistp256 | 12/31/2023 | `m7Go9P1bwcPHAcZzRSXdwYroDIdZzt0jhxkJW42YGKY=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHp76felOL7GAHcJoW6vcCS83jkeR6RdFCwUk0Jf6v7SFoqYNZfTaryy2n0vwG1W1dAyHvOjB1+gzTZOkHN/cAI=` |
+> | Australia Central 2 | ecdsa-sha2-nistp256 | 12/31/2025 | `ljng4w6TbLQ8Gx6ZRiD3/IpPELeGqMF0LIPVWKPGwpE=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOUs2ledPbnskBJiCxyvDDZ2UXJ0FX0A0orlg0thjLfu+wTyDzhkMENTwBFQcxbHUiF2si2EaGH24/vGbTIu4u0=` |
+> | Australia Central 2 | ecdsa-sha2-nistp384 | 12/31/2023 | `9Jc39OueTg3pQcq8KJgzsmPlVXxILG24Euw27on7SkY=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBEduOE61sSP2BozvJ6QLtRDZ7j0TenX7PjcpPVtYIQuKQ+h3qakXFwFnj8N3m8+LpTXYO41mgX7N02Rl12QvD7lDpUgHUChaNpUcMcSpm5qvguLyG6XZg2BDNd6pyx+fpw==` |
+> | Australia Central 2 | ecdsa-sha2-nistp384 | 12/31/2025 | `jm715CgIcCpPm/Lbc05DQGY/ruz1OqdM5jZa1I63W34=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLSDA7juMVxMlQQghLVwdkg87U1kE9P4ssrwt8k9Pts2vVSlG/iUYeCOBibjFljDnWkZXNiUzz008fAdNCfcjuwXbKwBXU/shP+Of11rCfTTu2hCE8KLU/Q3uKQyiGB3cQ==` |
+> | Australia Central 2 | rsa-sha2-256 | 12/31/2023 | `sqVq1zdzD3OiAbnDjs70/why2c3UZOPMTuk5sXeOu4Y=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDKNZVZ5RVnGa0fYSn+Nx3tnt526fmMf+VufOBOy5/hEnqV6mPKXMiDijx2gFhKY4nyy957jYUwcqp1XasweWX6ISuhfg4QWcygW0HgmVdlSDezobPDueuP0WdhVsG3vXGbEYnrZOUR5kQHagX/wWf6Diy1J5Cn2ojIKGuSuGY/9bu3bnZzKt08fj+gQCEd1GxpPoBUfjF/73MM57IRhdmv919rsGD5nsyZCBmqFoKlLH/gKYZ4B3hylqf/6gER7OeZmG2S/U/fRAN0hVK7RkHNf2CFoCmuxXS6r87BznT5vF3nmd7tsf0akaxLjfWRbKLMWWyZkzU4/jijpbDDuu1x` |
+> | Australia Central 2 | rsa-sha2-256 | 12/31/2025 | `Rtw7IkxA4khKCdOQRMby9qILYVL9Vjc2Mq0mEk1bZCs=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDD9nOyOSgLGF2U3gtmh+5K4JLna7i0nySgGrhsmSvM7ZMP0csSpNGqgfluu1QPYgCQdYWZ249zF8VyOecMvZeWPevsnKGk31W19v5uw0XFZehN2otbeDYhrIH3qGoYckGZ53UWNpwjCS5tn9AnGzifk91mufUxahHCMvOYW/yXziOUZG6aIRmJXwTNO+6boe4r3E7jNhi7fNmoaxb6C6CfgzzOXEnXxOGOH5gbvxDo0w2kCIsN3HlR8FPXZEDVsxMpRfl+8WLVUk1ReJY8D3UiRF74f0QtzZofgW0dErbu1yS4+m8Pd76P9Dk7X+warYVWPOJB6fiaUuJGMNztNZxF` |
+> | Australia Central 2 | rsa-sha2-512 | 12/31/2023 | `p6vLHCTBcKOkqz7eiVCT6pLuIg7h4Jp41lvL/WOQLWM=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDcqD2zICW1RLKweRXMG9wtOGxA5unQO/nd9yslfOIo54Ef0dlhAXGFPmCd3Yj60Gt/CIpqguzKLGm4D3nf19KjXE8V59cD7/lN6mVrFrm+6CU44JAzKN9ERUelxhSQKi/dsDR773wt4jsAt4SLBRrs19RC2fkYnxZgC/LzNZKXXY3FFb06uwheJjGOHyeQJbGpaV3hlelhOSV1UF2JAB8v6d8+9+S+b666EcpQ70JtxtA8h1s30hqhTKgYdRYMPfz7lqKXvact2NBXlqYRPod5cLW7lYBb2LzqTk1D44d8cwDknX2pYQJpgeFwJhB6SO9mF/Ot+jk+jV/CxUI55DPd` |
+> | Australia Central 2 | rsa-sha2-512 | 12/31/2025 | `jDCUSB/oiZWdbT9D0ut2YeWp4Tc9B2sRkLckc89GyOQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCxq8t20rSdPNg8/wq9IHPFWonfXAbJgiRtnBfsdXGq42Mecyx8CMm9i+TUbKdNq9JjEay4V7R6A41tpCDiAhKF8Lm0LbLU+xMti2VGudCBoxhLw2Zwhw0LDP4JO+S9gzh6eWeEkLZqQH8EyxQg0RghwumAyEFl3xkeAsM1lDMuKqVPPluc9x1j3vGU3C1UpUBNFSYs4BtgcqFRwnMS2P4bYXkT7HJFuXTIZDIcxMAAv9mF5nHw8xyzHcug88OW1cnqW0HLBDFpjE2FCAuStu5qIydSDf8+4WlgcaSfYHe4WM31fDMYARCm68qVhriMBvlByhlgJPjhP3kkNiCsxm35` |
+> | Australia East | ecdsa-sha2-nistp256 | 12/31/2023 | `s8NdoxI0mdWchKMMt/oYtnlFNAD8RUDa1a4lO8aPMpQ=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBKG2nz5SnoR5KVYAnBMdt8be1HNIOkiZ5UrHxm4pZpLG3LCuzLEXyWlhTm8rynuM/8rATVB5FZqrDCIrnn8pkw=` |
+> | Australia East | ecdsa-sha2-nistp256 | 12/31/2025 | `qLI4Er+3h7wEuAuMSWffpVJnckWm9egyz7ciWi4+GqI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ5v4o12sOOmXEW0s7nd6hjm7s2R6psCu+J3XYYV90Kan31EIqQvLOVR+/ScRzR2ZWrglvHbZ0p3BIS9b+Qmuco=` |
+> | Australia East | ecdsa-sha2-nistp384 | 12/31/2023 | `YmeF1kX0R0W/ssqzKCkjoSLh3CciQvtV7iacYpRU2xc=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBFJi5nieNPCIxkYS7HKMH2fQgONSy2kGkViQucVhWrTJCEQMVz5peL2JZJFjf2a6zaB2olPaBNEkeuJRHxGyW0luTII9ZXXUoiGQH9l05B41mweVtG6pljHfuKQ4HzoUJA==` |
+> | Australia East | ecdsa-sha2-nistp384 | 12/31/2025 | `eHy1DetHa/RbyledxIW22WT8Da2fqrnO9QVvzA+1AlI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPKT9YkKOum0fA9ys/jDM6EKMs3WZj4FEsizY+lCF15RNRP27pTeUeksBeiBVJLJNxpDkxealP4kKTDAN2rO5KMcIjrfcaNpBfnhgg5u0E8tPjZgKTsFiWW4bRCKQ4MBaQ==` |
+> | Australia East | rsa-sha2-256 | 12/31/2023 | `MrPZLU8llsG+SzgBN8eH702H4zuynyYgqqQLQmWGDEs=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDsRwHZ+DKINZZNP0GO6l7mFIIgTRnJy7ikg07h54iuk+KStoB2Cwppj+ulPs0NiR2RgAsP5nchWRZQysjsfYDui8wha6JEXKvWPlQ90rEYEs96gpUcbVQesgfH8ILXK06Kn1xY/4CWAHEc5U++66e+pHQulkkFyDXTsRYHsjTk574OiUI1` |
+> | Australia East | rsa-sha2-256 | 12/31/2025 | `O4+QFg7TgHTwoZ1asStdM+7ASB0kZ7Hr2BrC3pmTwZc=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDLZNGWVC23V6iawz7XwcbwH7OcxNCl5mMKrQQPQLBqsf6uWMcIA66tV+Gwy7mOVztGEa7qb29MUdjKeIXD1je1THq/usWe8XaXCvIH1YueWx21ANCuo9YGrpRQLHTIu01SBeiFMsS4ZdMcTn1R2wEwxRR9awZ5Z24/iScJE/38M7WO9LtttwpOcFE1E6BGbdAbBtvpB55/1pRhLV4InwKULagNHkys6vqZ0TawgU1Xnfmvd2VfXREDkVqEcYKt6o1fEyD2ietUOqU0WOsNDIgXq87xDfY/D9i+3RD/mwHM6OzOCTF9lJIjJxCNAqohnP9A6VyKyWO7vtFvhN774d6V` |
+> | Australia East | rsa-sha2-512 | 12/31/2023 | `jkDaVBMh+d9CUJq0QtH5LNwCIpc9DuWxetgJsE5vgNc=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDFHirQKaYqkcecqdutyMQr1eFwIaIM/h302KjROiocgb4iywMAJkBLXmhJn+sSbagM5tzIk4K4k5LRjAizEIhC26sc2aa7spyvDu7+HMqDmNQ+nRgBgvO7kpxVRcK45ZjFsgZ6+mq9jK/eRnA8wgG3LnM+3zWaNLhWlrcCM0Pdy87Cswev/CEFZu6o6E6PgpBGw0MiPVY8CbdhFoTkT8Nt6tx9VhMTpcA2yzkd3LT7JGdC2I6MvRpuyZH1q+VhW9bC4eUVoVuIHJ81hH0vzzhIci2DKsikz2P4pJT0osg5YE/o9hVJs+4CG5n1MZN/l11K8lVb9Ns7oXYsvVdtR2Jp` |
+> | Australia East | rsa-sha2-512 | 12/31/2025 | `f5+TI5gN7KXS/ofLDLeS+6d7rzChq8SrZMKr3+ylPFQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCrhphicX/V87bso8jPZG016Hez0oNP7CvJXDlEZRIkuJlX0wRorD0u7iyyJSXbFZsSl20H6idsNae0ljy/MUfBfb6nV4LXdV8SRSY2QExrd6sMiMgESpfTaXIM8YI/2B9Kyrx6AJBTuNMQACvq8VoBziNGoWhhCO4Mj5fwhDB6vNF3A0Of3qvh/mmMBpY/B/Ud4SwaoGxrP6vwvoB1S7RLQSDdjR1aeGwtWrxOnx1ReD3TsV3FYoj1Ot3LLySkPYF8eDVrnz54U/XJocta+bWdpgyxne4cNULHAyxtuTdvNo3eoZszUdZ8h52dEckhva1ud2eAMvq4xDbaBSIfW0Hp` |
+> | Australia Southeast | ecdsa-sha2-nistp256 | 12/31/2023 | `4xc49pnNg4t/tr91pdtbZLDkqzQVCguwyUc16ACuYTc=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCdswzJ+/Bw5ia/wRMaa0llZOjlz67MyZXkq7Ye38XMSHbS4k/GwM0AzdX+qFEwR00lxZCmpHH28SS+RyCdIzO0=` |
+> | Australia Southeast | ecdsa-sha2-nistp256 | 12/31/2025 | `ieme9KpUiNa0zSTmW/zlYeiyq3yu4GwD28n3Le+Fwpc=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFbcds+lsX2tixQjy47ZumhpAIvp0ojjVEOTnyKgMRYBbT6AOyjrk5ECbK5s1W79bTtZQQt4xmnfUXUkm0JvB9I=` |
+> | Australia Southeast | ecdsa-sha2-nistp384 | 12/31/2023 | `DEyjMyyAYkegwLtMBROR/8STr1kNoQzEV+EZbAMhb1s=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJRZx6caZTXnbTW/zRzKfoKC4LGzvD5fnr2p8yGWxDq27CjUEMxkctWcT6XS3AstF2MLMTOFp/UkkSr8eP0vXI8g99YDeFGXtoBiFSIgYF2Aiu/kpfEu3feiIUl3SVzxKw==` |
+> | Australia Southeast | ecdsa-sha2-nistp384 | 12/31/2025 | `YinhhlbjexJimlqKzOetdTlg+oP7sDVf3pjBZcUMZlU=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBKvI6seG26Vpmcc2WksGHHKnp4JSeDVJ3UvN3j4QoLrBGzRe1qx6IAMQuygggVCU54cGxkiPzci+NV6fl3Nw6uXMdyR2AP76yWbsYvk1nUnhsG83oVjucz9WsXjsl/dDNg==` |
+> | Australia Southeast | rsa-sha2-256 | 12/31/2023 | `YafIMxux7NtoKCrjQ2eDxaoRKHBzpanatwsYbRhrDKQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC7omLu37G00gLoGvrPOJXpRcI5GTszUSldKjrARq0WeJIXEdekaSTz5qv2kSN/JaBDJiO9E4AJFI9q5AvchdmMVs4I59EIJ0bsR9lK+9eRP4071EEc8pb3u/EPFaZQ8plKkvINJrdK6p0R2FhlFxa7wrRlKybenF1v7aU3Vw79RQYYXaZifiNrIQFB8XQy3QQj2DcWoEEOjbOgZir9XzPBvmeR8LLEWPTLYangYd3TsQtybDpP6acpOKaGYDEyXiA8Lxv8O276LUBny6katPrNvfGZScxn6vbTEZyog+By8vyXMWKEbC1Qc/ecBBk5obFzbUnq3RP1VXLJspo99cex` |
+> | Australia Southeast | rsa-sha2-256 | 12/31/2025 | `xmdRGjdB8ODcmg68eG+/dplKKKfOSEAXtXAAXYaQxsk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCzYBSvVIo2FgllCfeH6xerVZf8jxxYsZiTcRvojdlB8b0/n2/BISx43EtAmFudQ3dJ3Phc+U81CSgfr3Y9dWbfXsbpF5G41hVrGjpmR7u8ZYx/u3B2t+ymMatNytsNpHiUqKf1TR55jQqjhIctbbn9poyb43H6MLsxsLxvmFN21jwp1N3uHuBJ4fHJraa+QOIfcdGw6hSCuSAXdlbUVVXiF8U+MB28wiXuKsv7TFPHsNOyslre2P0MxQt5E8w78bpx8DGor1yvvFo4qNcmXqrc3cZfmfEB8sMCRGqgWisieu+bAOtCkK8mMjopArQBYjuOLms0qpIKwG8m0jttQCuN` |
+> | Australia Southeast | rsa-sha2-512 | 12/31/2023 | `FpFCo9sNUkdnD1kOSkWDIfnasYhExvRr1pJlE631QrA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDmuW2VZAhR6IoIOr32WnLlsr/rt3y4bPFpFcNhXaLifCenkflj9BufX3lk5aEXadcemfKlUJJdwBTvTt1j4+X3P2ecCZX1/GSsRKSTuiivuOgkPxk3UlfggkgN9flE9EdUxHi/jN/OQ9CjGtHxxk72NJSMNAjvIe0Ixs7TfqqyEytYAcirYcSGcc0r70juiiWozflXlt+bS7mXvkxpqMjjIivX+wTAizzzJRaC6WcRbjQAkL2GP6UCFfBI1o9NBfXbz+qvs1KTmNA0ugRQ7g6MdiNOePHrvoF1JgTlCxEjy+/IqPiC8nNQUVCW6/gcATQoDQn0n9Lwm1ekycS35xEh` |
+> | Australia Southeast | rsa-sha2-512 | 12/31/2025 | `aJTfDB4bKb7ZXnNHf/rQpqn60uHNsDdaqrvsTqIK0wI=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCfeIyKblF1xo44RVh/bFm1DYxI9l26h+tT5P7qBqZztZ2yT3tLUkru6dKbkT8epNhTP4e0NDZl/WlIsleCmzCRfHnFYit+riYnskJBP4wcBDkDmQLBQiKcPhMwwCXsijWisHsc0PrdfSwOAhGllsJTy7FsKfYyCRaeLEq8AszNSwfgjMlLxytTEyKNMRZhTq6udY+8u2OJZaOveiKCyw/PRD64kR6DONcHMc+y157UaDIfx6nZtQ4O8T0akM+s5J3xnhUOQH2J48+QBN8l4y/cX65quyW7zqN8pxR2N8CK498p6eWan94visO/evOhnlLPAMR1V+cd0soVxyKt5Qlp` |
+> | Brazil South | ecdsa-sha2-nistp256 | 12/31/2023 | `rbOdmodk5Aq+nxHt04TN7g6WyuwbW5o+sDbj86l6jp8=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNFqueXBigofrM5Kp2eA4wd4XxHcwcNgNFWGgEd0EoNdKWt9NroU47bN43f79Y5vPiSa4prKW1ccMBl40nNN4S4=` |
+> | Brazil South | ecdsa-sha2-nistp256 | 12/31/2025 | `hKqaUmDSKTLOZ4e558z5EBbcsLClt6uZ9Gl5dNQD8X8=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPoLBRafaKd+jqxNF+AygWL/E8CA7Bc398nruOHSyXLQEDRPvNbNzVEXeK4BbhuQxPZWZV8gtWcYcJjSGCRUX3g=` |
+> | Brazil South | ecdsa-sha2-nistp384 | 12/31/2023 | `cenQeg58JZ+Dvu3AC7P7lC/Jq7V3+YPaS37/BBn3OlQ=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBHBhfnlfXV9/m6ZgOoqmSgX3VPnRdTOraBhMv8v7lEN1lWwyBpiWepu52KS0jR1RhttfXB+n+p6i2+9djJ1zT7fHq4sNn/d/3k2J6IjJlymZ32GwPvDk+fGefupUtabvRQ==` |
+> | Brazil South | ecdsa-sha2-nistp384 | 12/31/2025 | `cMW9MxGhPxMZQj34L0PTuEcPUVds74cuC0rJ/nBv1hQ=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDb+/ZDeuja6wcxVJVSNMWylUTItczguOMOsqyVdhJp2A3AevWHCo7edA+7Hl8fHouzdGsamlxDOwv3/fvL/a3DLtNyr9q7/sEaEr5wll79PhKLgq4VqZzm91VXN3y9DJw==` |
+> | Brazil South | rsa-sha2-256 | 12/31/2023 | `qNzxx1kid41tZGcmbbyZrzlCIPJ9TFa20pUqvRbcjro=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC04g5K8emsS4NpL6jCT3wlpi6Msb5ax6QGlefO3IKp3wDKWAEqN+PvqBdrNp1PsitTKeyRSCLofq9k2wzeAMzV2n3UVqmUpNf9Q0Yd8SuXPhKG6VhqG2hL5+ztrlVTMI2Ak18SLaAEA1x7y9Z1lkEYGvCzJQaAw5EG8kd7XHGaI9nSCJ7RFOdJQF/40gq8z6E+bWW9Xs55JpWQ0i44i/ZvQUEiv5nyAa7D86y23wk1pTIFkRT99Kwdua0GtyUlcgCRDDTOzsCTn4qTo/MAF1Uq/ol4G0ZxwKnAEkazSZ1c+zEmh6GJNwT64nWBZ+pt5Rp3ugW+iDc/mIlXtxEV2k7V` |
+> | Brazil South | rsa-sha2-256 | 12/31/2025 | `XGzPXMnOOBOE6DKAtYZDL0J/p33FDBqYvtoI8d8iMo4=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDQkgaV5fCbgfaq099rXhqysOfNdFgVqMpNPbaMVyuTrO3zu6TQ3qPUylUaihFK2EBtiIaTlnfqCg3lmdydojez4cJnRV1o9i72LnFTJm1bMVNYA5RtNrJUIZQ0dpCjlJHmsQnjTCC2nfaamR0vqA3u6/KTp8rMMA1eKkvPRWlcXo/7l+ZdPinrfpzZ1KL1F8RYv7wRzrEdFi+u1gmzw5a3X6R6W45r9R/nvj3xiEDr9D7NUAztCJZcIX6GPmInGNNA66q81cRmO3aaJj2LaYeXd9BLblvXcupaZYcV9//tLF3WL0JGu635O29JerlH8VHP7Q09PFQfSfRXR1KHQs49` |
+> | Brazil South | rsa-sha2-512 | 12/31/2023 | `KAmGT8A7nRdxxQD7gulgmGTJvRhRdWPVDdagGCDmJug=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC6W0FiaS21Dze6Sr6CTB8rLBu1T1Zej+11m7Kt283PSkQNYmjDDPUx0wSgylHoElTnFcXG+eFMznnjxDqkH+GnYBmlpW3nxxdTYD/MrdP4dX9ibPCFjDupIDJ4thv+9xWCw/0RpGc1NlUx2YmenDVMFJtYqjB1IDa2UUEeUHeQa1qmiBs1tbBQdlws1MCFnfldliB5H+cO4xnbAUjOlaa01k7GKqPf0H75+R83VcIcFw8hSuCvgMT+86H6jRRfqiIzE7WGbQBTPQs0rGcvxcGR3oGOmtB2UmOD232XTEk+sG3q2RxtPKWTz8wz1Tt2c1BOxmtuXTtzXnigZjB2t8y5` |
+> | Brazil South | rsa-sha2-512 | 12/31/2025 | `c/BRQKWsx7emZMCDznUYFq4QgjqN3xY7oBdDXLbEFu4=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCqu2gYqpE6pzLaaxbuN92SqpXcekRolPVC5BMFplaBVTfmyyw/SfaRbVQRAzXjjALjAxIrnPCAXOU1Za6FOwww6cUuex8F/5gIFIqPrQAKOqsOr6jj1cgS1BzvZyz8cbpL7Ovxf/hzmFl+SKoeDsPaLG6WcfitE13K9aPh0JacOSakTnPR82UpqWil3Dt24/gBUeKCUMTETaFK0N` |
+> | Brazil Southeast | ecdsa-sha2-nistp256 | 12/31/2023 | `dhADLmzQOE0mPcctS3wV+x2AUlv1GviguDQgSbGn/qs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPYuseeJN3CvtyPSKOz5FSu7PoNul+o6/LB62/MW9CUW+3AmqtVANVox1XQ8eX/YhL0a5+brjmveZPQS6M09YyQ=` |
+> | Brazil Southeast | ecdsa-sha2-nistp256 | 12/31/2025 | `waYY8zhE779/EFR8KCFsFx1by1jhT73Q4qfjLtfAZmU=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHzDBumEcvBf0+y8zqSKlknaasOFOOPL+b8RSVycYmkR3CGsqb7QVRZGzhZnYOogynbbKlWtrGRiMMQNXp+FgeY=` |
+> | Brazil Southeast | ecdsa-sha2-nistp384 | 12/31/2023 | `mjFHELtgAJkPTWO4dc7pzVVnJ6WLfAXGvXN1Wq2+NPs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIwFI6bRmgPe0tN7Qwc03PMrlpBn+wBChcuofyWlKVd/Ec6t2dxHr/0ev0dqyKS2nbK7CAOQxSrV1NVYnYZKql/eC2sPqI1oxz7DzUtRnNKrXcH714ViN3RIY3DZA6rJOw==` |
+> | Brazil Southeast | ecdsa-sha2-nistp384 | 12/31/2025 | `LAPvDR8i5PsVJPSiMYN0pSNFz1axBwiYl2rNaOPzB2o=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ2ZemQNN0FTdJXTb/zbuN3FzRD0oTtP5cLvNoNc6FZ2cTwJRZOtMwOZYuSxEC1FQk6Hw+jWq+ZGz1nmu12ohCeuVZbKo6hvdzOS0WEzTJ0wjVPDG30a8iBV8yTZtw3Kkg==` |
+> | Brazil Southeast | rsa-sha2-256 | 12/31/2023 | `D+S7uHDWy0VPrRg9mlaK70PBPghBRCR1ru/KEsKpcjA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCz86hzEBpBBVJqClTRb7dNolds/LShOM4jucPRawZrlKGEpeKv70Khk8BdI4697fORKavxjWK0O9tQpAJHtVGSv3Ajwb9MB7ERKncBVx/xfdiedrJNmF0G+p97XlCiwkAqePT/9IFaMy1OFqwl6LF7p7I0iBKZX0UgePwdiHtJnK0foTfsASNY4AEVcXHEuaulLFJKUjrr6ootblEbPBnC6IxTPj9oD+Nm0rtlCeD5JtCRFgKUj3LWybEog/AnnMNQDQ+vMPbsCnfsW/J/HQc+ebx3NtcumL+PIxqJw2Pk6mRpDdL+vs2nw/PtnPkdJ7DjIQYLypBSi3AFIONSlO15` |
+> | Brazil Southeast | rsa-sha2-256 | 12/31/2025 | `TatDYCAIu5TTBVlcv3TcZgBQft07KeMzSxxXIAeMpQc=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ9U3Bn/r8jYrJC+D0OVC8dK7+K1HVIaVqomWsXZv92iZC5xEuhnf9vQb0Qz+0vfWQn78G7pJ9O+HkEmx0TjSdHvA0rcXUDHoutJxry+OzDWPAoLnogkCs5EvqyQW8NAqZr69gYHLSx5aCV/ys7og7rmXD/mEylqfGc5BfEXDq+zfLVJZXtPta5D6/ZMH5YjggjHLNy1J0nw15/UMjt5KvhyIJS3jt3uYQymwvZBnNU33ZMPRm2lfpP+GGwDRBHv+/pA8ZaG1f5OHxJ2teEUXcQzL4jhWiIwAeeWlfD2JF1tZ2IlI1ei92Rtv0WyyZ64bqSW4E/eRew7p8slwMKzJJ` |
+> | Brazil Southeast | rsa-sha2-512 | 12/31/2023 | `C+p2eAPf5uec0yG+aeoVAaLOAAf0p8gbBNss3xfawPQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDV3WmETlQwzfuYoOsPAqfB9Z2gxsNecbpuwIBYwitLYKmJnT9Q3SNSgqnBiI1TKWyEweerdQaPnEvz9TeynGqSmLyGT0JJXQXFQCjTCgRHP4WD0Q+V7HWHnWYQ5c2e8tKEVA1jWt57dcrFlrGKEsywuMeEX21V13qQxK2acXVRWJPWgQCVwtiNpToc/cILOqL5XXKnSA81Ex7iRqw8QRAGdIozkryisucy+cStdJX6q+YUE5L62ENV8qMwJdwUGywEpKhXRg5VQKN0ciFqvyT/3cZQVF+NkUFGPnOi0bk4JzHxWxmQNTIwE7bmPsuniw5njD3ota/IPUHV2og190Xx` |
+> | Brazil Southeast | rsa-sha2-512 | 12/31/2025 | `QcySGI6X4F0GEHlkGj1MobZV+GGmy95/wYEYjyw0ORc=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDwoCo/GZb1f/CnfvCBBuMODKxyPCmYM0wBafuKKKRrH+Jl1Ek0Qfgkuaa4GUYO+klyqxV5t+J6zVECEHQ6on6AXUJRO2/+zg2oYjLGSMQVvzE2pRj5+l2zOuZtu0p60MIYf49AZS7MDGRDBZBxcPxiNiUdKMD6D5h5zsMcNe28/CkRDdvOrORO8XPCKgNKFcGjSORKpRCuSn6NYQ6hx7lBuXnO6n5KfCjLH7+kRBx44kSBnHF7fEMhdzTh0tOdGJfRAl+YAK6T7m4FxwrJa1RaLyCKQXlK32y6h14WDRu2sHzfsJhTPuywJLvJvJ/ZzXtPKu/GGR+zR1RQiABc6krN` |
+> | Canada Central | ecdsa-sha2-nistp256 | 12/31/2023 | `HhbpllbdxrinWvNsk/OvkowI9nWd9ZRVXXkQmwn2cq4=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBuyYEUpBjzEnYljSwksmHMxl5uoErbC30R8wstMIDLexpjSpdUxty1u2nDE3WY7m4W/doyXVSBYiHUUYhdNFjg=` |
+> | Canada Central | ecdsa-sha2-nistp256 | 12/31/2025 | `7QJ5hJsY84IxPMXFyL1NzG5OVNUEndWru1jNBxP26fI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAGEx7ZWe5opSy1zUn4PNfmAvWmTVRRTq2bwoQ5Dibfsr1byd7IIkhD5+0P5ybtq1dEdxh9oK2IjFSQWzj9jFPY=` |
+> | Canada Central | ecdsa-sha2-nistp384 | 12/31/2023 | `EjEadkKaEgaNfdwXtzlqanUbDigzsdzcZJeTzJfQXP0=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBORAcpaBXKmSUyCLbAOzghHvH8NKzk0khR0QGHdru0kiFiE16uz9j07aV9AiQQ3PRyRZzsf+dnheD7zuEZAewRiWc54Vg8v8QVi9VUkOHCeSNaYxzaDTcMsKP/A7lR2AOQ==` |
+> | Canada Central | ecdsa-sha2-nistp384 | 12/31/2025 | `xqbUD0NAFshX0Cbq6XbxHOMB+9vSaQXCmv/mlHdUuiw=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBBmGFDJBLNDi3UWwk8IMuJQXK/927uHoYVK/wLH7zI7pvtmgb9/FdXa7rix8QVTsfk8uK8wxxqyIYYApUslOtUzkpkXwW9gx7d37wiZmTjEbsvVeHq+gD7PHmXTpLS8VPQ==` |
+> | Canada Central | rsa-sha2-256 | 12/31/2023 | `KOYkeGvx4egH9DTGgxiONDMvSlkEkoU8cXWnynOEQRE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC7jhZvp5GMrYyA2gYjbQXTC/QoSeDeluBUpji6ndy52KuqBNXelmHIsaEBc69MbixqfoopaFyJshdu7X8maxcRSsdDcnhbCgUO/MnJ+am6yb33v/25qtLToqzJRXb5y86o9/WtyA9DXbJMwwzQFqxIsa1gB` |
+> | Canada Central | rsa-sha2-256 | 12/31/2025 | `sjyXW72mkYFHJsn3kOW9jTj4eigLiltCg7gBzUC50F8=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDUSiEoTgcdpkDMTugT+lzCFwFIiwYocqCLxjr01TOHG4X1ieqOphVa0+ccHT5ptNZAc1Wj6Rtxl4XYeyW2Hsssd0fKY/S9z9tqbFf/j8M36/D3h+pns0e3qWZ9BQstKQryRgvVhok5Je9mPjv27nJD4kSzJcK8+APYMNwESXbLSeZ1llvvYgdrWmJ/aZhoNEVXfjMfwC0SgnhTO47977mBtxJXz6i0ApDa3Lc2xvIdMMsufjiqeLyQrjwFsMB09N43PanFKw/QL4xWaUygAlV5yEuMdKn4tY/yLETUiEliaIkNW2hoYFDLj+TeVtjgX2ToVSYJ+xik9XDimFmRW7I1` |
+> | Canada Central | rsa-sha2-512 | 12/31/2023 | `tdixmLr++BVpFMpiWyVkr5iAXM4TDmj3jp5EC0x8mrw=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDNMZwL0AuF2Uyn4NIK+XdaHuon2jEBwUFSNAXo4JP7WDfmewISzMWqqi1btip/7VwZbxiz98C4NUEcsPNweaw3VdpYiXXXc7NN45cC32uM8yFeV6TqizoerHf+8Hm8avWQOfBv17kvGihob2vx8wZo4HkZg9KacQGvyuUyfUKa9LJI9BnpI2Wo3RPue4kbaV3JKmzxl8sF9i6OTT8Adj6+H7SkluITm105NX32uKBMjipEeMwDSQvkWGwlh2oZwJpL+Tvi2G0hQ/Q/FCQS5MAW9MCwnp0SSPWZaLiA9EDnzFrugFoundyBa0vRjNGZoj+X4+8MVG2fYgOzDED1JSPB` |
+> | Canada Central | rsa-sha2-512 | 12/31/2025 | `z8Uq32MaJlqeL8bFNdJU55tq+gj6D9gwzQG1Cai1IHg=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDs7iqGJ3oYF9ptVmzR5yQodggMFn7zAIu7XlZNqJk/BR3bQ/gG/ogtGg+893aQCcT8/6joGu7SUgFKJeS8L/N9fg+h0SCdq5Iu/p0kbURvtcR4+qyeH6WIaagAPNaPYf7p33QCzFvu0Izia5nleOfpnvTgGN0eVrDYmP4TemVHK/LJs3GB7U3YAztK9mDJtGjTjNnHYsxwlNvfZBr9eVNr1ebN/YvN9e9qSFAPdQnQa4bzEa2PeHYWVAvLjzPIHM3m0K+PxeWINSlZrLn2/RcjGV8F0jdUj3fGEohF9Ui4IPIDtP1WGx48Iw20DB5lERiOcWT2Ps9RPzC2gIY0OUl1` |
+> | Canada East | ecdsa-sha2-nistp256 | 12/31/2023 | `YPqDobCavdQ/zGV7FuR/gzYqgUIzWePgERDTQjYEE0M=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKlfnJ9/rlO5/YGeGle1K6I6Ctan4Z3cKpGE3W9BPe1ZcSfkXq47u/f6F/nR7WgrC6+NwJHaMkhiBGadEWbuA3Q=` |
+> | Canada East | ecdsa-sha2-nistp256 | 12/31/2025 | `ppta3xQWBvWxjkRy0CyFY6a+qB3TrFI1qoCnXnSk3cY=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLIb5mteX+Vk00D8pPmjYuYBqC9g1xdmN8e3apdsXBucC8qXx9qug7veSex0/NzkTu00kIVVtvW+4LFOvhbat5Y=` |
+> | Canada East | ecdsa-sha2-nistp384 | 12/31/2023 | `Y6FK9rWscBkyKN7mgPAEj0jKFXrv4mGNzoaZ9ttc4io=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDS8gYaqmJ8eEjmDF2ET7d2d6WAO7SgBQdTvqt6cUEjp7I11AYATKVN4Isz1hx8qBCWGIjA42X1/jNzk3YR7Bv/hgXO7PgAfDZ41AcT4+cJd0WrAWnxv0xgOvgLKL/8GYQ==` |
+> | Canada East | ecdsa-sha2-nistp384 | 12/31/2025 | `RQXlsP8rowi9ndsJe+3zOl87/O2OOpjXA/rasqLQOns=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBO3mWu+SY6u27HQuJq154HCTrGxVsy9axbwTdVXFvgV1h1uhpIdgAZDL55bDe7ZPmB0BPirPas/vUQyG8aGDNAZJn1iinq/umZegYb0BCDthR5bPi7SPb3h7Qf6FN4dXoA==` |
+> | Canada East | rsa-sha2-256 | 12/31/2023 | `SRhd9gnvJS630A8VtCYMqc4djz5R8EiG7spwAUCYSJk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQD2nSByIh/NC3ZHsjK3zt7mspcUUXcq9Y/jc9QQsfHXQetOH/fBalf17d5odCwQSyNY5Mm+RWTt+Aae5t8kGm0f+sKVO/4HcBIihNlAnXkf1ah5NoeJ+R0eFxRs6Uz/cJILD4wuJnyDptRk1GFhpAphvBi0fLEnvn6lGJbrfOxuHJSXhjJcxDCbmcTlcWoU1l+1SaYfOzkVBcqelYIimspCmIznMdE2D9vNar77FVaNlx4J9Ew+HQRPSLG1zAh5ae1806B6CHG1+4puuTUFxJR1AO+BuT6fqy1p0V77CrhkBTHs8DNqw9ZYI27fjyTrSW4SixyfcH16DAegeHO+d2YZ` |
+> | Canada East | rsa-sha2-256 | 12/31/2025 | `Xu6BiQYqbw7D0gTh+OZaARgIVYWTFlkIC+VNpuBOPF0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDCTQXQ0rFbmzK66YlBM5nA+413ZBtj5aWZBh9w1pPjmLRwuDtM+PgW6LSbWzC9TR0OkH0oinW4ARGTmECWs4oi5EZSwC9t45GUF3jYbsGfEzfOC51elTmYEA00IjAXVuBMQQ8/dZehuBXsGh6frtVpDus6f4lmfWLyrGGGo5gjrwzmQOw8lWXfMGohzM04qtqu2M18wNb17JraqrDQr6q7Nbpt/dRrjWmqpkOwCVALH27BiHPypCy7poCRyH1s5eakM20AC99Dl7XTDCGfaySPVIt0MdZDL59BHkyY55zjGaalQTxVXIISLg4kkdVMZ8iCvjFp39Ejy9j3oroQMSD1` |
+> | Canada East | rsa-sha2-512 | 12/31/2023 | `60yzcSSOHlubdGkuNPWMXB9j21HqIkIzGdJUv0J57iY=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDDmA4meGZwkdDzrgA9jAgcrlglZro0+IVzkLDCo791vsjJ29bTM6UbXVYFoKEkYliXSueL0q92W91IaFH/NhlOdW81Dbjs3jE+CuE4OX5pMisIMKx45QDcYCx3MJxqZrIOkDdS+m8JLs6XwM07LxiTX+6bH5vSwuGwvqg5gpnYfUpN0U5o7Wq7H7UplyUN8vsiDvTux3glXBLAI3ugjn6FC/YVPwMOq7Luwry3kxwEMx4Fnewe6hAlz47lbBHW6l/qmzzu4wfhJC20GqPzMJHD3kjHEGFBHpcmRbyijUUIyd7QBrnfS4J0xPVLftGJsrOOUP7Oq8AAru66/00We501` |
+> | Canada East | rsa-sha2-512 | 12/31/2025 | `9WgdJJpcIgUfdOMQ0R9UCtYejScPaEk1/6mr0P/pirA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQD2M/EM3gDr5tFjQlc/Fe+cyJhu3c/oVT7HnpHVLHLeSMaT6QM9j6XX4kfH9Vwsv6FaOFjDBDTWTWF/UY1KrJJl3beUwNLeEIDs8TY8x/lPd6cjAVNanGmrqPgeErIfTxOS1cmAV6AamTJKgrRLJkpoqZcEZ1+1ZF+SoRTAyPG3BP8L8V9VQa8mnN6Wn+vPbTc1vxyx4jXLWyPmPjFXnOJW3l/gJUTEstDoDA1V85OAwVg9TTkfweT7DhnbrM5OjpG6VaTfFTivAwK+SLhyzKtLHoiMf9Ps1ufRVZJGj7NnLQrYALdOVVNRlRkYXxiwTeHIHYHDeZnorZwj3PJd8Tll` |
+> | Central India | ecdsa-sha2-nistp256 | 12/31/2023 | `zBKGtf770MPVvxgqLl/4pJinGPJDlvh/mM963AwH6rs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBjHx8+PF0VBspl6l9Xa3BGyJwSx2eDX0qTDnhrdayzHMWsHGX3vz0wr7oMeBVdQ26dOckExa6iPrEDSt8foV1M=` |
+> | Central India | ecdsa-sha2-nistp256 | 12/31/2025 | `rHRhvRfgmqyom1omCeSUGYj7WGA4YjMeFl+UqwAlaC0=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDdtXYbiF9jmvUF2CCOoI5KbFNXpSvzLDN0onfcToVHqOg5UOiDng3KLU/CfPBKrnkpJSYwuAXMHkz6ZndjsZEU=` |
+> | Central India | ecdsa-sha2-nistp384 | 12/31/2023 | `PzKXWvO/DR/KnUElcVWIwSdabp6ZJqce37DJZzNl3Sk=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJwEy1f+GYN4rxhlCAkXGgqAU1S7ssI4JPEJs8z1mcs8dDAAVy1cqdsir9yZ9RSZzOz/BOIubZsG137G2+po0Pz0FfJ0jZVGzlx1UHXu7OMuKQ7d2+1TkPpBYFy6PiCa3w==` |
+> | Central India | ecdsa-sha2-nistp384 | 12/31/2025 | `r3wp9j9FCMQUljrxkegRavGW8rHGYWLrdnjhEvD+qX8=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNtvF355mm7qAbl0aMHb8mDOj/4ZOw4DDyW5JXCW/+JTKMuRDY1IcYUx4BHV3F8C4nnFKvO5pPmUMmutQlPbnO7GLTGPbkkbTE97ukOnaE8zygggv2IL8o8ly+IScngaQg==` |
+> | Central India | rsa-sha2-256 | 12/31/2023 | `OcX6wPaofbb+UG/lLYr30CPhntKUXyTW7PUAhC6iDN0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDWuKbOJR8ZZqhE3k2HMBWO99rNWoHwUa+PVWPQHyCELyLR19hfrygNL9uugMQKTvPYPWx8VM6PrQBrvioifktc/HMNRsoOxlBifQETfRgBseXcIWorNlslfFhBnSn6ZGn8q4XICGgZ1hWUj9z1PUmcM2LZDjJS33LLzd23uIdLePizAliJAzlPyea8JNpCVjfmwnNwtuxXc48uAUXlmX+e0ZXRwuEGble8c1PbrWWTWU4xhWNJ+MInyvIGv9s6cGN7+fxAFaUAJS0wNEa3poCnhyNxrckvaqiI3WhPQ8Hefy2DpXTY03mdxCz8PZPcLWdQU3H5nmuAc/pypnc0Avax` |
+> | Central India | rsa-sha2-256 | 12/31/2025 | `i5Zac3+f2G320lSm0K8y+6viEGtsl6qCYMMpgVTcy64=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCjAJLsxbTma6wk7woZqkdhYdXNMI1HBklRHXXlgMdsu7wIOwlyzKAGRjFp5xG/FvWoGlJOUjd2xAg5zUS7CKRP9CHoKPfj+0M+LJUXKFabcIP3ibg2IWKiIVc3B+C76YUwz9J6vHrjinlVH7fJ3DU/71RcFwNTVS+MlWC+Z7rhZ3p/V7BGRXIA77lBvs4iXiXTmoIC4JqnscJqR/53zaCY0WbdDlaM1jfG1bxTGRSoJIoYoJwIled6fNKFdWscodjgT893mx19c6blfnVbohCWvvhXqmARoeoMFLqEhGitZgyEtW6Nrww+KnQsHt//6slBhkXYCF4t32Jan/Od4coJ` |
+> | Central India | rsa-sha2-512 | 12/31/2023 | `HSgc5u8s+QILdyBq6wGJkxRcK5nxj81gxvpkR5bcH6k=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDSO/R/yw8q33yLkSHOw0Bi2WKDWQPrll8skh3hdRUB6wtw9dvtQFEV3suvFJsTVvAbnGBe2Fjgi69X0zkIygxg74XuQsx7GZO6gyaKDwljyanFoCzer+OzFSpDcVJ0zOfhY99uHeYT6k4leb2ngABqjiqieDHMZ9JQX12KOK3cAks/oytrNUo9krGb1Nyv5BYu4dWXHmuFgtigDd043khaARfdWkg88lKgb6G9k+vQTGKphLnFMqhada/aP8GsaA2Dq5d/LH5P5CTU7MRPA8TuuyLOtbv8FtQ2TyaAXhYCplCQELtto1yXZ79WVjQE/uKuX8xK5M2rfOH+H5ck/Rxl` |
+> | Central India | rsa-sha2-512 | 12/31/2025 | `ayU+zBGAtHWl//+qIGkX+J2V9HmjLkrFIuouPXpHn3I=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCw2Cg206KXydbvcCXQnMUmF1cJX3duWHQ4tkToq9ne2C28+rb7tPNznxR1tyXEG/in6U7W24QvkwcRiq8yPOjgTOlDUVXyVp5g/JZyElVZkSh22/cOHjwpJyNvqXAW3/8Gy4umrbB+hZhloZVINswKn4H476z7y/bAqZ5xzpEjIoXUkGz3KJvFa6zbAyh4cK9P0BosnXT9CPQ6KEgUmW37HI2GbBfSgg1Oh+hTEWYVMUHQ6lRA+rGVtVo7dtF/Lcq+M2xw9` |
+> | Central US | ecdsa-sha2-nistp256 | 12/31/2023 | `qN1Fm+zcCQ4xEkNTarKiQduCd9S+Aq3vH8BlfCaqL74=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN6KpNy9XBIlV6jsqyRDSxPO2niTAEesFjIScsq8q36bZpKTXOLV4MjML0rOTD4VLm0mPGCwhY5riLZ743fowWA=` |
+> | Central US | ecdsa-sha2-nistp256 | 12/31/2025 | `qauInQWUECwYnaX7TZX3fiUK8Ik6JvqcHPiGZ3t2USE=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNK4jYX7nbriJOOrDSuKDqRIplMn2QXJc1WjTu/nJWVP3Ajq+Q1GhtuFTnVGqTaqhrVnlqwr7z4aPTwb9SKcO3k=` |
+> | Central US | ecdsa-sha2-nistp384 | 12/31/2023 | `9no3/m09BEugyFxhaChilKiwyOaykwghTlV+dWfPT6c=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBCiEYrlw9pskKzDp/6HsA2g0uMXNxJKrO5n16cHwXS1lVlgYMK3mmQdA+CjzMdJflvVw7sZO2caApr+sxI3rMmGWCt5gNvBaU6E9oUN8kdcNDvsfFavCb3vguOgtgbvHTg==` |
+> | Central US | ecdsa-sha2-nistp384 | 12/31/2025 | `ZEDS1pjRAIEjCgX2QiX+rHtanf5xtfkfoa9bSqt7+PU=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDsC/6PC62ViNxNREq5R7gDOijn6iff8JN0tAskmv/GnzOLePqF/h7XFllfUb8/cBO7912wagjKgl/o7t4oGCs2u4qIW5XkJROAM+lNgjBOb8B2GgxUGHThzbd0z70I2kg==` |
+> | Central US | rsa-sha2-256 | 12/31/2023 | `GOPn34T1cCkLHO0xjLwmkEphxKKBQIjIf9QE1OAk3lU=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC9oA4N2MxbHjcdSrOlJOdIPjTB2LpQUMwJJj+aI2KEALYDGWWJnv0E14XjY1/M35jk8z0hX4MHGE/MEocSsTVdFRdWdW9CKTWT6eICpg9frTj6wfkB/Dxz/BAYb/YXq5OMrFlkFJUG8FMp9N80W6UWichcltmSrCpRi5N3ZGpVXEYhJF+I0mCH7Yheoq2KzIG2iWU/EJT5fui4t51wD8CQ1NWG8/THnNr0gjCr3AtB+ZPAl/6N7i2vO3FlZEHUj6BHoQ4dhIGjGCkgFDNU6RpdifqMJRihP9fSMOq4qksch1TE5sOnp0sOaP/RQvChb4oXB8Pru+j45RxPzIvzzOZZ` |
+> | Central US | rsa-sha2-256 | 12/31/2025 | `JfKCn0CJEScjYafW9PpANzQdTnOw/EdN3gJhbMI8gKs=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCmhK7qQ1FcvmISoyHhnfTIiH+IelL9xqZaoojvmy0EVhra95YptGOMkTn0CDWICXmVynAE0nBd4MTkztJbp/m+FWyGzKRn/aA4AfAztQSngo0pJm/lFqRCEbVlqpVaYzuG7ev1OL3FFzJnVo5jYMUqfo8VsAC44JTLrDvCq/FLhAqUxfzzluqy5T9GqxvsnV4ghAN9iHpKF3evm0eZHgeqmmgNbNbUGJ5xcR2c1UJ/kuKL5gfiJaVQhBY9Ps7Hj4AmXfUkcKboPbfssmvrhsWnrHUFZV7zs2FHGpZJ+OYwKCnRkNhIcdfgA7qUhnFU6wR8Y/T0Cc1bPLmhqMQ++wsJ` |
+> | Central US | rsa-sha2-512 | 12/31/2023 | `VLhZbZjHzoNRMyRSa3GYvk2rgacjmldxQ2YNzvsMpZA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDPnuJixcZd6gAIifABQ377Mn0ZootRmdJs1J3R8/u7mbdfmpX2ItI0VfgMh4BzGEdgCqewx4BjADhfXRurfimuP8P9PLRq89AHX2V+IfeizLZkrnrxKiijjGEz640gORzzwIp2X+bmnBABWzEZjSNOeE3CKVr4ONvH80bYGFFqR4+arOelDqWEgxktM1QBlId7xR7efmtEGAuAhFbZVaqjBNsbqyiR/hlkMQfmWn1bjGSoenUoPojc7UAp9+Xf6ujkhCihRV/O4A69tVvp5E0Qv5MJ1Qj3kzAYbHQcIQ2l47MQq1wdZYxkYBHmH5leAjHgQbbccPalOLSbLRYjF169` |
+> | Central US | rsa-sha2-512 | 12/31/2025 | `32PYrgj4NuDRkmx8YFYsHltumXVt1latrxD0JFIA7/s=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDC93zGJh5WJUWl1b7kX89hUDhla14XyiWH5aSiBY39rm2spPCh9kaZZJ20wkLNkUoqKsc8UpD+c7rWlUWKsNlNVhJgTCuvH6CRpZD/BP1qZK0W9NHGDl2VwFdFiVUj0Q4RtI5KzZhY28zo5avq/9FHKEEq+eQxNGz/G9JXmm+R/HjfIF/wfk1MbtISvveCRMyv/6VDCWTlfy5Th25keC+HunvslAfHr+Z1EJp16pOjKWWmKzXyBAOuTPrp8nSjJA9PPBObxzkinBiLsVK7edL3Zej2HPdbqUb959dQtFRqmrG4MKhFcQ8yqBxR1NUoJSwt7sCI4DlBnBjhmJ7By6YV` |
+> | East Asia | ecdsa-sha2-nistp256 | 12/31/2023 | `/iq1i88fRFHFBw4DBtZUX7GRbT5dQq4g7KfUi5346co=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCvI7Dc7W3K919GK2VHZZkzJhTM+n2tX3mxq4EAI7l8p0HO0UHSmucHdQhpKApTIBR0j9O/idZ/Ew6Yr4nusBwE=` |
+> | East Asia | ecdsa-sha2-nistp256 | 12/31/2025 | `xwUJoTMUBmM81ZmYjjfxfgSE6Yks2woMI2hetcEfU4k=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNlFiBRJEgLR9csCbx7kXJ0G+bPbK0bW09CumJQtdTRVYWKxpMejRY5fY8prqtsQTJ7o5ec2O1Ym4nvjLo2okfA=` |
+> | East Asia | ecdsa-sha2-nistp384 | 12/31/2023 | `KssXSE1WC6Oca0dS2CNySgObkbVshqRGE2JcaNsUvpA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNEYGYGolx8LNs5TVJRF/yoxOCal3a4C0fw1Wlj1BxzUsDtxaQAxSfzQhZG+lFCF7RVQyiUwKjCxmWoZbSb19aE7AnRx9UOVmrbTt2PMD3dx8VmPj1K8rsPOSq+XX4KGdQ==` |
+> | East Asia | ecdsa-sha2-nistp384 | 12/31/2025 | `gSiSTfoGmkLGgcJ132d+URA3oQ2p/a3pnctN7BC+PJ4=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIbUwjm0IuyZV7515jFCyrIsM8KfyBEhT2ZuCASOnMlETbopf/IbFhU/aXkmvUVp81KbcoXQqAiYolDvcnC28HlsXLlYbEQNXVMMNBDJbVAAQv9Odx0+Wn23XHv1bZO6pQ==` |
+> | East Asia | rsa-sha2-256 | 12/31/2023 | `XYuEB+zABdpXRklca8RCoWy4hZp9wAxjk50MD9w6UjE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDNKlaGhRiHdomU5uGvkcEjFQ0mhmNnWXsHAUNoGUhH6BU8LmsgWS61QOKHf1d3qQ0C9bPaRWMpemAa3DKGGqbgIdRrI2Yd9op+tqM+3hrZ8cBvBCgqKgaj4ZitoFnYm+iwwuReOz+x0I2/NmWUxuQlbiHTzcu8TVIln/5sj+n9PbwXC8Zk6vsCt6aon/P7hESHBJ4yf2E+Io30m+vaPNzxQGmwHjmBrZXzX8gAjGi6p823v5zdL4mq3tT5aPPsFQcfjkSMRDGq6yFSMMEA7i2dfczBQmTIJkYihdS8LBE0Ir5islJbaoPQxeXIrF+EgYgla505kJEogrLprcTGCY/t` |
+> | East Asia | rsa-sha2-256 | 12/31/2025 | `Av3JGShpQfhXUp9gKKTqBSVyHZw/+EuGP4Crz9hw1UY=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC6MlC6jYSV8yPsEVEi3F15kFdLhcZL5s0LgkoNcNjWL/fEem4i2agaThOJRDI4BEHIsjlQvERxN1UPkQz20LJ208gSfE+VMHg/CbDqWZy2KLWDWF32+/1QizFVfsUv2KEMOce8FohMfqUOfEwrCpGAjvHM+0Fhb2XylELXSHzPntxEop3ZVRv+1HyGIPRF5H5i+FuO4XaWc8COZo6FTnXSeXt/f4nwztPo8pNV2/q3IQWDbQxyhfvmQj6p8ZJyvLZLHd33ouFSvGzYBZwFLzud0l+TMK8nbS1eI24D2GQwhZbdxo/W/X3qkDse2SM4+5VoFRn9w5i96fQ9NALuXX9l` |
+> | East Asia | rsa-sha2-512 | 12/31/2023 | `FUYhL0FaN8Zkj/M0/VJnm8jPL+2WxMsHrrc/G+xo5QM=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC7x8s74EH+il+k99G2aLl1ip5cfGfO/WUd3foiwwq+qT/95xdtstPYmOP77VBQ4G6EnauP2dY6RHKzSM2qUdmBWiYaK0aaI/2lCAaPxco12Te5Htf7igWyAHYz7W99I2CfJCEUm1Soa0v/57gLtvUg/HOqTgFX44W+PEOstMhqGoU9bSpw2IKlos9ZP87C6IQB5xPQQ1HlnIQRIzluJoFCuT7YHXFWU+F4ZOwq5+uofNH3tLlCy7D4JlxLQ0hkqq3IhF4y5xXJyuWaBYF2H8OGjOL4QN+r9osrP7iithf1Q0EZwuPYqcT1QeIhgqI7OIYEKwqMfMIMNxZwnzKgnDC1` |
+> | East Asia | rsa-sha2-512 | 12/31/2025 | `R1a8tq1zGulHLnMhM6C4Ee4Db7s8hjYPeD/ofFLUAvk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCtcwGvbsP+jxy7gsdsXCX2ZAMLsTNE02dWWyFpJPd94BHS8QyU0PLG6iJdNKhhqjeqYVTDOlgSHW405/dl0WGEm7yTmHDR/F3/f/JzxIHNQbSbUJqsyNbWrYb2KMJ2+VEkgrvvkvOIrWafNEnv6gAlj86qNz+WU+ZnDIX48GOrZAKBxmEnv3SzSH/GdnmEcXuOMQlQIxe0JGEl576DHp5yByfzwFcSuwurm+VheWmP4xFihl0fhmeOuRxLO186ERXrqeyzufiRU03jRz4v/pEoh10/TX6A2YHC/kbtGe0KyEkz1l` |
+> | East US | ecdsa-sha2-nistp256 | 12/31/2023 | `ixDeCdmQOB9ROqdJiVdXyFVsRqLmJJUb2M4shrWj8gI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNrdcVT12fftnDcjYL8K3zLX3bdMwYLjNu2ZJ1kUZwpVHSjNc+1KWB2CGHca+cMLuPSao4TxjIX0drn9/o+GHMQ=` |
+> | East US | ecdsa-sha2-nistp256 | 12/31/2025 | `eMxQHe6f1/jYEKvKWMYQ28EUYrSF5e/km5Nw9mNY9Lc=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGqgdtuQlZCFnVoC07xb1yCqS/6ncURKIwHuxgLGjrlXuGqgOwTu0AkfNIXtpe6JHcufVUO77r+KFYFblDfHDrU=` |
+> | East US | ecdsa-sha2-nistp384 | 12/31/2023 | `DPTC6EIORrsxzpGt6IZzAN67nlZUXzg5ANQ3QGz987Y=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBEP3CUvPVWNVnFuojR43KRxTQt1xiClbgDzqN/s9F5luivP+Gh0QrK5UHf6diEju4ZQ9k2O10MEDs6c46g4fT56rY8CQkeBsaaBq8WYLRhSQsFZ6SZuw14oFNodniAO33g==` |
+> | East US | ecdsa-sha2-nistp384 | 12/31/2025 | `eZl4tJ/efkL0Z5yDapDrvQ6QbEfGWUeHhk4wtIQ0cd4=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNPqgUMYmU95Jbd5LP9dBw1leS7Truvk/szkErBIrDH3eJT3AsEQG80Zbd/DysTwx/yRtUg1cmAhgh6GyCIKu842RaWRxeMOHAyOla9FLEEQ9kQdp6ugJed8JGVGi9mVAw==` |
+> | East US | rsa-sha2-256 | 12/31/2023 | `F6pNN5Py68/1hVRGEoCwpY5H7vWhXZM/4L442lY4ydE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDAiUB94zwLf0e/++OeiAjE0X7Od2nuqyLyAqpOb7nfQUAOWyqgRL04yaan6R2Ir2YtI0FRwA6yRETUBf2+NuVhIONgLNsgPw3RakL1BUqAEzZAyF4sOjWnYE5/s/1KmYOE052SefzMciqjgkBV2+YrPW1CLivNhL4d1vuQh05kADLgHJiAVD6BqSM7Z6VoLhW+hfP4JklyQAojCF6ejXW7ZGWdqQGKLCUhdaOPSRAxjOmr9gZxJ69OvdJT2Cy6KO1YQt2gY2GbPs+4uAeNrz40swffjut4zn1NILImpHi8PTM+wcGYzbW4Nn7t5lhvT9kmX9BkSYXLVTlI9p1neT9t` |
+> | East US | rsa-sha2-256 | 12/31/2025 | `ZuntI4L/vzc9NZ1djZKixk7/b/LBTS/QMTewKLlyTtE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCfGNZ6SmAifUduo3pwcbgv/7tDxxluqhIupm2kliXQjfgvQslVHxeBeYwmPk/bxoSRGybLnrIUUtYuxqIeVpWNi2VaFCn0gtcRlJdI8IhKP3d+fq8sw9/FfUQCh6pxvx+BczQSmsIPLGCiMknnSS5ffCtvk3rEYvOpH1T2tmJO6YDqsC1lcJbZPSI5kQttJXw++1xk/67/1KWHYyFTVlOXD4ikfvS7wTjIBbW+jVu2vFPzj+287Zo8oub2nN1HbUNOS1NdlhT1lv4Yg8c8eXyjmHTDanrR0ekjGkxGrnj5mv/GWC1kSzHwStOjip6fXaKFpBgV4iP2uLICLpeHWd7t` |
+> | East US | rsa-sha2-512 | 12/31/2023 | `MIpoRIiCtEKI23MN+S2bLqm5GKClzgmRpMnh90DaHx8=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC8Ut7Rq7Vak26F29czig5auq334N9mNaJmdtWoT32uDzWjZNw/N8uxXQS51oSeD7c0oXWIMBklH0AS8JR1xvMUGVnv5aRXwubicQ6z4poG5RSudYDA3BjMs61LZUKZH/DRj7qR/KUBMNieT1X+0DbopZkO9etxXdKx+VqJaK3fRC5Zflxj5Z9Stfx/XlaBXptDdqnInHZAUbZxnNziPYrBOuXYl5/Cd6W4lR7dBsMCbjINSIShvrhPpVfd3qOv/xPpU172nqkOx2VsV4mrfqqg62ZdcenLJDYsiXd/AVNUAL+dvzmj1/3/yVtFwadA2l83Em6CgGpqUmvK6brY3bPh` |
+> | East US | rsa-sha2-512 | 12/31/2025 | `VhbsPBUzLUym31p7u74czET3oer59WtFIIgfxFs5ppg=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCxCnn/udlkksnGAo7oaReFeIadPCUA+edUXEf4Y/4sUafDdwYmxvm7ryS6DbpbDHDB53Z0iePiKjCuBDe75X7/qulFBx6XIWc9Y6orRaqCj1De7IEHuATyMXBcnY9XZyRvqupLX80nvWcwD4Iiep2DRt4uqP8aLrww3gUv88Oqozy52psmR0RR6p/f63CcuI5G/agD5QzjSKwNmkInelc64pfNJjgOnwOPESf7M9p+GV6xjoS0l9nHMyjz3vh5GXpfUuGtffrpjd8S53jtftloBqdGDT8FBKyP8eWhYj4m2Nb60VqgDUru2L6rkWriJ41wJ60yzy/3TyuJOswnTlal` |
+> | East US 2 | ecdsa-sha2-nistp256 | 12/31/2023 | `bouiC5HdtURUU19RJbym8R94fbMOTw/bUxFUkoAByoI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJshJI18IECu6neLrash/Q622MAXO07C+hbIOiVPC6M/ZIJM8HyYvQEh4DKI1CMEaeAIs/HA905QKeU/syvt7QI=` |
+> | East US 2 | ecdsa-sha2-nistp256 | 12/31/2025 | `yrYziYjpobvWek9eYu+D8L4hctcCq0VStKtzhB4aUck=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHVF9WzUs5VQm/gWREot7hIKhthQichwFg7TK0bk2itpGZTHZbih1Jq9yZbkWZ+aZdH3wP8DxKJB1W3zFAk3l6E=` |
+> | East US 2 | ecdsa-sha2-nistp384 | 12/31/2023 | `vWnPlGaQOY4LFj9XSQ2qN/NMF92+UOfKPjGNSPA2bOg=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBByJNAblwxCNVqedg5FcdbdwiuzTMVEWj/uF3uzI8wp890Xv2M4H+aMTpeItxgQsuiQCptgITsO+XCf2dBTHOGWpd90QtvcznzHyy/FEWVAKWs9brvyaNVe82c4TOFqYRg==` |
+> | East US 2 | ecdsa-sha2-nistp384 | 12/31/2025 | `CAtRIpdqubfEKm6LDgMHmf70ID4gd6C/eBQ3WVIEdvA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBHynQxaZBSfmU3Irizom4OrhSxqjLn3v3aGqOob2wlqsvbyNQTwuLBvSjJUPLngsuUlQqfrDBTJknPD3VSc9XzNz3QuEcq8/7DfvKxikI4ZiVy1ET/uawH+zox1Y6LokFw==` |
+> | East US 2 | rsa-sha2-256 | 12/31/2023 | `K+QQglmdpev3bvEKUgBTiOGMxwTlbD7gaYnLZhPfe1c=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDOA2Aj1tIG/TUXoVFHOltyW8qnCOtm2gq2NFTdfyDFw3/C4jk2HHQf2smDX54g8ixcLuSX3bRDtKRJItUhrKFY6A0AfN1+r46kkJJdFjzdcgi7C3M0BehH7HlHZ7Fv2u01VdROiXocHpNOVeLFKyt516ooe6b6bxrdc480RrgopPYpf6etJUm8d4WrDtGXB3ctip8p6Z2Z/ORfK77jTeKO4uzaHLM0W7G5X+nZJWn3axaf4H092rDAIH1tjEuWIhEivhkG9stUSeI3h6zw7q9FsJTGo0mIMZ9BwgE+Q2WLZtE2uMpwQ0mOqEPDnm0uJ5GiSmQLVyaV6E5SqhTfvVZ1` |
+> | East US 2 | rsa-sha2-256 | 12/31/2025 | `RZPLfTsRLm+N/RPnXwxR1IFIu9Cv2tPnA9sMYdaOVVo=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCyiiKvJPcYD0JV+RSjmTSbsNlJbwtkJAhWlwsM4ENc2HyPVLtIWraA4QPSIo9Mrj4otUS8HXX/NMyCWpMScvZ5igCDcxMGATJo3GZTflAvzX6xomIPiSx+hVBOVUDlxWxoeebv8zqBBK9ZNDUMzZFlqI98X9SmgWGgSAWQLuBl7SamCoc86QlCMRguPEOmOs66tUlKzYL9IhWtKWCfCHYxO9GFQKkW2aVxdWXby8RDhRhtRvZKmU55701Cak9G7iVrdpzw/4jDodJzogjMUpU6dyAFJfDJoeaADnvCuem6LrNrLH/Dw5slOrluwtb7c+vBbPdYBRzh5r9w/gTEscsd` |
+> | East US 2 | rsa-sha2-512 | 12/31/2023 | `UKT1qPRfpm+yzpRMukKpBCRFnOd257uSxGizI7fPLTw=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC/HCjYc4tMVNKmbEDT0HXVhyYkyzufrad8pvGb3bW1qGnpM1ZT3qauJrKizJFIuT3cPu43slhwR/Ryy79x6fLTKXNNucHHEpwT/yzf5H6L14N+i0rB/KWvila2enB2lTDVkUW50Fo+k5U/JPTn8vdLPkYJbtx9s0s3RMwaRrRBkW6+36Xrh0h7rxV5LfY/EI1331f+1bgNM7xD59D3U76OafZMh5VfSbCisvDWyIPebXkOMF/eL8ATlaOfab0TAC8lriCkLQolR+El9ARZ69CJtKg4gBB3IY766Ag3+rry1/J97kr4X3aVrDxMps1Pq+Q8TCOf4zFDPf2JwZhUpDPp` |
+> | East US 2 | rsa-sha2-512 | 12/31/2025 | `ZGPvMmPh7ifSqyxf1Tzbl7yT3oWby5SH5lUghRXwCKs=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC/5VjuQpUIDk49mHD6UR4hPUrphDmpDxsWXNI70myr1ExXFPn7U2oTsLU2PXjsPwCt1PnJlNiVp9IsSF99FWyKAfdE13RjuWUckNl+ibYWEGK7JkxXFbWcZtGxUXPa4TopP3mDrOD3ag03uaTBHqJeHjVenLM0yy4uM7uQrrMc+sglGThJ7UNytz7jqS2ZGZ9OSxOFizw9aMc4sIVyqhcjouglrdv0Pp5s1kZ2uHHCf6q9Y67SuumgZ1BNSreSuINhmJsibIWhIaJxh3Z8Yaia6gt8rgVufFI2Xs7ift2QiJLMT4S8Z6stvRKv6sP0bad3jnlQ0nMFKmgOvbR+hBKN` |
+> | East US 2 EUAP | ecdsa-sha2-nistp256 | 12/31/2023 | `X+c1NIpAJGvWU31UJ3Vd2Os4J7bCfgvyZGh35b2oSBQ=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK+U6CE6con74cCntkFAm6gxbzGxm9RgjboKuLcwBiFanNs/uYywMCpj+1PMYXVx/nMM4vFbAjEOA20fJeoQtN8=` |
+> | East US 2 EUAP | ecdsa-sha2-nistp256 | 12/31/2025 | `V21Ku/gEEacUyR8VuG5WjVOgBfWdPVPD1KsgCpk8eqI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPd+eEm6eCdZCbpaVGZPvYmetmpOnrDsemOkj9KMmVimESN2k6I0sKNUhwntMTXGx0nPNeKWG3g/ETzKF3VsYn8=` |
+> | East US 2 EUAP | ecdsa-sha2-nistp384 | 12/31/2023 | `Q3zIFfOI1UfCrMq6Eh7nP1/VIvgPn3QluTBkyZ2lfCw=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDWRjO+e8kZpalcdg7HblZ4I3q9yzURY5VXGjvs5+XFuvxyq4CoAIPskCsgtDLjB5u6NqYeFMPzlvo406XeugO4qAui+zUMoQDY8prNjTGk5t7JVc4wYeAWbBJ2WUFyMrQ==` |
+> | East US 2 EUAP | ecdsa-sha2-nistp384 | 12/31/2025 | `Yv87+z8s9fDkiluM3ZkbsgENLGe48ITr+fnuwoG2+kg=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAYVtgfJ36apFiv6gIxBa/q4n08flTyA0W0cGTsN0ot59nbl6pPCrRCfSByRtzgRY+id9ZOeuZTvN8VpPsZWOSfUOwxE0/GC2c9kS0F4SrFzTALaMY6pY3/GhMrQelAmFw==` |
+> | East US 2 EUAP | rsa-sha2-256 | 12/31/2023 | `dkP64W5LSbRoRlv2MV02TwH5wFPbV6D3R3nyTGivVfk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC3PqLDKkkqUXrZSAbiEZsI6T1jYRh5cp+F5ktPCw7aXq6E9Vn2e6Ngu+vr+nNrwwtHqPzcZhxuu9ej2vAKTfp2FcExvy3fKKEhJKq0fJX8dc/aBNAGihKqxTKUI7AX5XsjhtIf0uuhig506g9ZssyaDWXuQ/3gvTDn923R9Hz5BdqQEH9RSHKW+intO8H4CgbhgwfuVZ0mD4ioJKCwfdhakJ2cKMDfgi/FS6QQqeh1wI+uPoS7DjW8Zurd7fhXEfJQFyuy5yZ7CZc7qV381kyo/hV1az6u3W4mrFlGPlNHhp9TmGFBij5QISC6yfmyFS4ZKMbt6n8xFZTJODiU2mT1` |
+> | East US 2 EUAP | rsa-sha2-256 | 12/31/2025 | `0b0IILN+fMMAZ7CZePfSVdFj14ppjACcIl4yi3hT/Rc=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDE45HQiHTS8Vxs6ktkHVrDoWFYnDzTOFzVF9IE0EZp/NMVIqRSnveYyFcgWtg7AfG648DiPsEar3lHmcGKT5OxGJ7KGP6Z8Nd1HxWC75j59GDadLfkuJyFLnWuSQIyiLV9nsDgl2e/BQ4owhHZhlSUCBlsWkECBaACptS5AvWG5CQN6AQnR2L0CEEjPPUSPh6YibqHCITsCAAduH1N8S2B+xj+OqPLpEqbIUpF6aEHggMrb9/CKBsaRzN9LXXIyJJ2Rovg54bkTUDhQO80JnGzCWQvqT1JX4KSQcr0KzkzoOoPLwuQ6w0FxP3UD+zPLYi2V8MNlW3Xp86bNHoUDfhR` |
+> | East US 2 EUAP | rsa-sha2-512 | 12/31/2023 | `M39Ofv6366yGPdeFZ0/2B7Ui6JZeBUoTpxmFPkwIo4c=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC+1NvYoRon15Tr2wwSNGmL+uRi7GoVKwBsKFVhbRHI/w8oa3kndnXWI4rRRyfOS7KVlwFgtb/WolWzBdKOGVe6IaUHBU8TjOx2nKUhUvL605O0aNuaGylACJpponYxy7Kazftm2rV/WfxCcV7TmOGV1159mbbILCXdEWbHXZkA3qWe4JPGCT+XoEzrsXdPUDsXuUkSGVp0wWFI2Sr13KvygrwFdv4jxH1IkzJ5uk6Sxn0iVE+efqUOmBftQdVetleVdgR9qszQxxye0P2/FuXr0S+LUrwX4+lsWo3TSxXAUHxDd8jZoyYZFjAsVYGdp0NDQ+Y6yOx5L9bR6whSvKE1` |
+> | East US 2 EUAP | rsa-sha2-512 | 12/31/2025 | `pv4MPlF/uF1/1qg6vUoCGCTrXyxwTvTJykicv0IIeZA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDu64NcnMdsh2vvxfC/2PtYXRYk5IoGB1PSXkrbqov5VllVbJAF9du9V4ccHoLVppux2W1jDlFQ7E+TdOT/hnwmnQurUTAvW355LPG0MtUFPcVCEfEPbxKuv7pxCPKZAWUpMX1aLbmEjt3CX157dtKMhmOkyExLRWu4Ua65LrqpGlKovg8Pzuxc/k6Bznxmj++G3XbHv82F3UXDsXJvUOxmF6DiuDuRWBUIwLGBNJOw2/ddyan34qK2fPBUP+lPSrucinG4b+X7aJHFhTt1E6h9XBs8fYp/9SIZ6c6ftQ/ZbET66NRSS7H7D72tSFJI5lhrKCeoKU/e0GAplSEiPNLR` |
+> | France Central | ecdsa-sha2-nistp256 | 12/31/2023 | `N61PH8SVCAXOq7Z7eIV4mRnotafmNoPrpc+TaLxtPX4=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK3UBFa/Ke9y3aLs1q1b8gh/tXiS7lpOTzUiDFpXdbq00/V9Ag+v2z5MIaicFdum9Ih4fls1Mg07Ert16bi5M8E=` |
+> | France Central | ecdsa-sha2-nistp256 | 12/31/2025 | `p7eHtX2lbIqu06mDFezjRBf7SxlHokVOC+MdcpdO2bM=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKtYOFWJFlknTvpl2XpxYMrkb0ULCF+ZfwVxwDXUY3zIMANy0hmbyZ73x15EwDP3DobilK149W570x3+TAdwE7o=` |
+> | France Central | ecdsa-sha2-nistp384 | 12/31/2023 | `/CkQnHA57ehNeC9ZHkTyvVr8yVyl/P1dau2AwCg579k=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBG/x6qX+DRtmxOoMZwe7d7ZckHyeLkBWxB7SNH6Wnw2tXvtNekI9d9LGl1DaSmiZLJnawtX+MPj64S31v8AhZcVle9OPVIvH5im3IcoPSKQ6TIfZ26e2WegwJxuc1CjZZg==` |
+> | France Central | ecdsa-sha2-nistp384 | 12/31/2025 | `kbK8Ld5FYOfa+r1PnKooDglmdzLVGBQWNqnMoYOMdGk=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF8e5s445PAyVF3kgnPP6XoBlCUW+I6HCcQcC+xRti9OTciBAQReKX9c39J15Xoa6iSWuQ0ru9ER5UzXS+bjzhXBKXOmgAcR3/XEJMonjS2++XMldlGhgt1c4hEW3QQGVQ==` |
+> | France Central | rsa-sha2-256 | 12/31/2023 | `zYLnY1rtM2sgP5vwYCtaU8v2isldoWWcR8eMmQSQ9KQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDCmdsufvzqydsoecjXzxxL9AqnnRNCjlIRPRGohdspT9AfApKA9ZmoJUPY8461hD9qzsd7ps8RSIOkbGzgNfDUU9+ekEZLnhvrc7sSS9bikWyKmGtjDdr3PrPSZ/4zePAlYwDzRqtlWa/GKzXQrnP/h9SU4/3pj21gyUssOu2Mpr6zdPk59lO/n/w2JRTVVmkRghCmEVaWV25qmIEslWmbgI3WB5ysKfXZp79YRuByVZHZpuoQSBbU0s7Kjh3VRX8+ZoUnBuq7HKnIPwt+YzSxHx7ePHR+Ny4EEwU7NFzyfVYiUZflBK+Sf8e1cHnwADjv/qu/nhSinf3JcyQDG1lN` |
+> | France Central | rsa-sha2-256 | 12/31/2025 | `j6w0LC+jzdLP0PmukCCModkIXidTNnprrKSTOmTCtQg=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCmTBRuLwUDIMWtwgvsmwymYlCEg3N/uO6OpXnLQe59W7zZ1FeMN5uifWGvykHyJnkg15MZyQOsWkzhE3ERijY+iuzAVz8gcYjTlXmKNr3nIqJpC1W8/2OH43zdsxss6qTi0IpOY4ZWKH9Y/tP5ebpT6nzF7n7ETqkvnuFmKtvZgYkbxV8IS65DsRVhaN4FOAR3lVdYyKgkPkxGOaucfR+KOstE48YU8270ivyu2P1cCy2WYXa9ensw8e0VKOyLjPaiK/hFpLreEFBAM37eFeHJui5qha0EWR7byDzo+DXpaKJTd/aIXxBn/alhMoqBYt6A2CeAYEjTEZcQ4tssJ7Ft` |
+> | France Central | rsa-sha2-512 | 12/31/2023 | `ixum/Dragma5DAMBzA/c5/MY02FjUBD/gI8+XQDzJvc=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDjTJ9EvMFWicBCcmYF0zO2GaWZJXLc7F5QrvFv6Nm/6pV72YrRmSdiY9znZowNK0NvwnucKjjQj0RkJOlwVEnsq7OVS+RqGA35vN6u6c0iGl4q2Jp+XLRm8nazC1B5uLVurVzYCH0SOl1vkkeXTqMOAZQlhj9e7RiFibDdv8toxU3Fl87KtexFYeSm3kHBVBJHoo5sD2CdeCv5/+nw9/vRQVhFKy2DyLaxtS+l2b0QXUqh6Op7KzjaMr3hd168yCaqRjtm8Jtth/Nzp+519H7tT0c0M+pdAeB7CQ9PAUqieXZJK+IvycM5gfi0TnmSoGRG8TPMGHMFQlcmr3K1eZ8h` |
+> | France Central | rsa-sha2-512 | 12/31/2025 | `DbtqsAbpqaqaGigg2nSDFt0QvDIwOHh/xiu95Dm+Bu0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCmPUn9acrOhsAEukuCiq8WIJkEOJ/iOvaEvTzp4+UsqljpAgIYsUcPwkBQ3nd+nIcYDEEtzHt7/eHdYa5zETNXcz/EGQevQ2PXbwPB8dEN5L5whCqbwpmPDdLufunlwfV6g1Gkb+WmzNM88fYBObr6rf1xMtZy3mUFak4LH3umPmmMqhFnY9Efu8kP1MQYyZSLUNm0Zr3U8Werv+IJ8Ta2SBSpsoMZLCvuSbk4/o60J9n6XOpxNTitxoWea9lcjEO1TLqeU1G6MN7MpqDxVl21IuSeRS/b+62jYoCUtHxfjvT7Ha7lynJqZp9AzgGMSIS/RUbgToWUXUVbewdSMZN1` |
+> | France South | ecdsa-sha2-nistp256 | 12/31/2023 | `LHWlPtDIQAHBlMkOagvMJUO0Wr41aGgM+B/zjsDXCl0=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHdj2SxQdvNbizz8DPcRSZHLyw5dOtQbzNgjedSmFwOqiRuZ2Vzu88m2v5achBwIj9gp0Ga14T7YMGyAm04OOA0=` |
+> | France South | ecdsa-sha2-nistp256 | 12/31/2025 | `+qtS9kC6bH8V11bQ1q9Zp9cr/gxuBNLenatWKZxOKEY=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJS89KMD/L7ufMFlk+LJYWLUc6aHEv/QL3q8xUiqiHHy//Nh2wFyX8GYX0BnFQ3ayR5g6ImuL41up3ndHTWVHgc=` |
+> | France South | ecdsa-sha2-nistp384 | 12/31/2023 | `btqtCD/hJWVahHWz/qftHV3B+ezJPY1I3JEI/WpgOuQ=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBB2rbgGSTtFMciVSpWMvmGGTu8p1vGYfS2nlm+5pAM85A4Em1mYlgHfVZx+SdG5FSYcsX4vTWt4Yw2OnDmxV3W0ycrKBs4Bx3ASX4rx3oZezVafHsUUV0ErM+LmdmKfH8g==` |
+> | France South | ecdsa-sha2-nistp384 | 12/31/2025 | `wrbZPGvf6DwF56hIpZqZ90YJli1bTCMg9RgDC1VJtQ8=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLkQCx9DbWnJKUN+D6Kw4IaX3bZX6+ggzWFOn+MTf5GI+9musoQOo9s3bpWkl10QJ3H3lwQTbXuYoV7e2m8ZeHwA7P6Ou/ta4TDV02L5lYErcXAbRh2ZtlhLPfHj4ZI65g==` |
+> | France South | rsa-sha2-256 | 12/31/2023 | `aywTR4RYJBQrwWsiALXc1lDDHpJ34jIEnq3DQhYny0g=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDELY4UcRAMkJpEBZT40Oh5TIxI6o6Enmlv+KxWkkcyFcNJlFtaF2Hl+afWlysrg+lB5Un4XpveWY64pl7a/dSju7aPfujcXowELIPqFSoWW7xQ+jkfJdyI0daa0l2h2oNCPqWnx8+04Vx5kcb2GktlNG4RMLx7Q6COJgQ3pGHtyfZ5fnmrWNBsuv4mvsXp0u1KGWX6s2LZtO+BpKE6DegSNLMVapAZ0ju8pagqtm6aeWEtqmkAvsI0U31qhL25FQX4DzjIbGzXd6I25AJcSXcpnwQefsaOwO/ztvIKeIf3i/h2rXdigXV1wyhvIdKm1uWwj6ph4XvOiHMZhsRUe02B` |
+> | France South | rsa-sha2-256 | 12/31/2025 | `FIwqrEbTl1XZIJ66T077NRnLmaQ0d8975yZvTmnjfco=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDN9ZUTUNi9mbqb2UVvOr/DtMiGx70OVWpoYa9jQ5hGklnqo4vy+Yoq3RFhNjHcI7u2jHG3hxvbl` |
+> | France South | rsa-sha2-512 | 12/31/2023 | `+y5oZsLMVG6kfdlHltp475WoKuqhFbTZnvY0KvLyOpA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDmsS9WimMMG95CMXFZiStR/peQU1VA6dklMbGmYwLqpxLNxxsaQuQi6NpyU6/TS8C3CX0832v1uutW38IfQGrQfcTGdAz+GjKverzaSXqZGgTMh/JSj06rxreSKvRjYae596aPdxX5P+9YVuTEeTMSdzeklpxaElPfOoZ7Ba5A2iCnB/5l/piHiN8qlXBPmfGLdZrTUFtgRkE4Ie4zaoWo19611XgUDMDX4N4be/qilb95cUBE73ceXwdVKJ3QVQinZgbwWFUq0fMlyd8ZNb9XN6bwXH7K6cLS6HYGgG6uJhkYSAqpAZK2pOFn3MCh8gw2BkM/Rg+1ahqPNAzGPVz9` |
+> | France South | rsa-sha2-512 | 12/31/2025 | `aYRboL5Mv0zr/aVeHgcc7NNL4uns0maI42L1dpJtEec=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDyPA0QlBL1HJuH6OlXJfJb9I5vZ3JIw9faZQaRs2PPuOJga53gfXGP04CFeRPcKcXF0lGeqEPOlRwYsZmZzla1+0BhSzuF5kVhMLAG4RCOJeBaQjvqZjud/NSGAoxdg5eB9KaSUTa7BREmErLBpdHQoLtDpD2/bTTKnOU+0tKR7xYlDZ9erHhMCCNYDOrNrTuN4eYldl11UJqUQbdXCXkaMzGVU6r2UmCuS9Iwcv5XywNa1Tz+ff7AjmkKBBwVF0SEvoYMnUIQdDWE/cZEIh21Skha6lXnzb6ll6ZufnXJNwu3i6Sg5tZZBDuB4Y7c2cRzJUqPpn8NrvOO53vdjAn5` |
+> | Germany North | ecdsa-sha2-nistp256 | 12/31/2023 | `F4o8Z9llB5SRp0faYFwKMQtNw/+JYFKZdNoIuO7XUU0=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMoIo/OXMP7W5a5QRDAVBo+9YQg4YBrl3J7xM91PUGUiALDE1Iw8Uq4e1gLiSNA6A46om5yY/6oGj4iqEk8Ar8Y=` |
+> | Germany North | ecdsa-sha2-nistp256 | 12/31/2025 | `odPSs4vy9uet5z7+51SloNw0Ne6wtB3NkRVLjB8r1QM=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBYiTtKvQ4VmbpcOL1hyuKJ/oaQc1OIL/OwkG1Gfud9jo47RIvSdykw/xecSuOTpOdTMQMd2gkifTfm8r3ZWLNU=` |
+> | Germany North | ecdsa-sha2-nistp384 | 12/31/2023 | `BgW5e9lciYG1oIxolnVUcpdh3JpN/eQxfOyeyuZ6ZjI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ69kH0urhCdcMMaqpID2m+u8MECowtNlYjYXoSUn6oEhj7VPxvCRZi5R02vHrtrTJslsrbpgYHXz+/jSLplKpccQGJFaZso9WWgEJH1k7tJOuOv0NIjoBTv7fY5IxeAvQ==` |
+> | Germany North | ecdsa-sha2-nistp384 | 12/31/2025 | `9mA6c1xpgusDregeaAx1ih62qFnx0N2STx6xnfRjMZs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIDOLp9njrEr4Ophu5Kr0wkUc+IZ/H0GOka9FHmVXALpHTuaquw3ZmRiiG/YjiqCBt6/CQFFvkPwsU1yBpLTKBKF15o+xa1d3wetb67W37UthzwrtIYiN8Z7mZmJT/R7rg==` |
+> | Germany North | rsa-sha2-256 | 12/31/2023 | `ppHnlruDLR73KzW/m7yc3dHQ0JvxzuC1QKJWHPom9KU=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDNNjCcDxjL3ess1QQEkb9n5bPYpxXpekd32ZX4oTcXXFDOu+tz/jpA8JZL8lOBAcBQ5n+mZF0Pot1o+B1JxQOHHiEZdcdKtLtPWrI2OQyxZnvo7sCBeSk+r/j3mjqpvq3+KpwoTZKpYF/oNRXVHU4VFs+MzvqWd6vgLXsDwtJrriojtkrWy0bTa4NjjN/+olsITxDmR0TGAu+epCJptdpKjTcgcn25QuIKy37/zVW8BJ5QsZmIRwvlCYxj11UOAoDcbapJcnzJYpOmQTNpdzkazjViX17DZW17Jmfhc6Dk3H+TEseilkbq1ZjsUyGBBxklWHid7+BgKVXOoIgG6+0x` |
+> | Germany North | rsa-sha2-256 | 12/31/2025 | `IUZdXfD1QRH4EQ9QaPlKrPd9/2TTJpPBQfBl4HUhn0g=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDIsaKq/gZdm+3+01ASAn7/TBEUkLGD54KRUjdVTcMwM+9i0s30YIC/ikNqoawIeWO7/DbU2DeL4cAarYR83X2QY51JCRVHQ1+jZ533EYcxRgqs5c1sDmIacfvzoingaRL4ZFwLJNkSY0zHfLnxVwm02qPexwTAmcHGqhYdO87uPjwni/sjL5SFnQV4hssBuEd0OFVzcNfkavkWXgLqT9yi8m/bsBVcS/L4slZkLpmgRI8PTdGoIwQGp3mUf81RFZpTm8l0SWQiNIN65a5rRY1nw4DhSlGSoiel0FRm0po7O6qG6MvRnkjj58zKUj0G+Ka19O5rj3/aCgRrT1+LBVLd` |
+> | Germany North | rsa-sha2-512 | 12/31/2023 | `m/OFTRHkc3HxfhCKk1+jY1rPJrT9t4FYtQ/Wmo3MOUE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDkN3CN1VITaHy/CduQaZIkuKSC/+oX19sYntRdgCblJlIzUBmiGlhmnKXyhA29lwWWAYxSbUu0jEJUZfQ6xdQ4uALOb815DLNZtVrxqSm4SjvP5anNa7zRyCFfo4V8M4i6ji6NB+u+PwH5DOhxKLu6/Ml9pF8hWyfLRft8cg4wORLLhwGt2+agizq7N7vF2nmLBojmS0MMmpH5ON/NFshYIDNKPEeK9ehpaARf4fuXm440Zqzy/FfpptSspJIhbY2zsg4qGQgYGZyuRxkLzYgtD/uKW5ieFwXPn+tvVeVzezZTmGMoDlkPX18HSsuNaRkdnwpX8yk1/uoBCsuOFSph` |
+> | Germany North | rsa-sha2-512 | 12/31/2025 | `KG2CjBBKyCg7Iur1Qt+7y33ELYfF0M6/uHbuuoAJ2YU=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDQj4T+NzUUmIKF+N1tKsA44u+Bjsx4nIzwhAJPdq7YzbvtDyVD/Lkm7fCIsVMLcKzRCuIVM/5g+aer4LvfuHtR8jqtZNJvFAbwsBSOat18mzWS+KpB0G9iW8QQlXcCnXKgatUYhAoXabHQDF7Qbv5Ap/ImMyt4Y5wN8OnuSOBU3nPKnDYxt/kfxNoY5F8wVigcT399QwBUnr9l6+cuXJ3janPBfuf9/o1SPvBj4ePg7JoZ8EXM7q8ruRRXv52NmKytFJgntnJvH8nRq0Hz3D3IchXAHhhp1VlmphwVo79f4LWbZtb0dkcDDE9ZjqIX2ozt4jrd8/JiTL4/l8iy13yN` |
+> | Germany Westcentral | ecdsa-sha2-nistp256 | 12/31/2023 | `Ce+h+7thT5tt75ypIkWZ6+JnmQMZEl1N7Tt3Ldalb64=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBmVDE0INhtrKI83oB4r8eU1tXq7bRbzrtIhZdkgiy3lrsvNTEzsEExtWae2uy8zFHdkpyTbBlcUYCZEtNr9w3U=` |
+> | Germany Westcentral | ecdsa-sha2-nistp256 | 12/31/2025 | `xWozWbLHPncCcUxRb2j/u4l1LDno211Ajbqs0InLmdM=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA8dcmahsTDwh9DKlrRp8FeSfkH9Y8RGKtqPrpog4plwRUJPcC8DUzSeZfYEvsgOTPfhvTIrj/jW+VZRjCQ9OPM=` |
+> | Germany Westcentral | ecdsa-sha2-nistp384 | 12/31/2023 | `hhQQi2iRjSX5d9c+4714hAFvTA3c63+TGknhuQi7Tss=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDlFF3ceA17ZFERfvijHkPI2Na1wuti9/AOY5E/bDvZfP08kkmYTb9Ma6omhB0dHR6e1CmRJfKmFXfTd81iVWPa7yXCxbS8yG+uNKCuHxuNv8hFhNM84h2727BSBHBBHBA==` |
+> | Germany Westcentral | ecdsa-sha2-nistp384 | 12/31/2025 | `xmc+FeL+8s6nBwqEwp5guKLSHYOaWzYvTslXXxUJzfU=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNeYkR7pPXK9/7tOyoKEymkz4nGROeqyZN9hWAO/R+0GhTp202EGapq76jCfMx7hv4ZbtLXYjJSSkc+vgVNjCy7ZUy3DAa9j/yv94659nPpRnvJbOcW0F1QzXDS3luhD8w==` |
+> | Germany Westcentral | rsa-sha2-256 | 12/31/2023 | `0SKtGye+E9pp4QLtWNLLiPSx+qKvDLNjrqHwYcDjyZ8=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDsbkjxK9IJP8K98j+4/wGJQVdkO/x0Msf89wpjd/3O4VIbmZuQ/Ilfo6OClSMVxah6biDdt3ErqeyszSaDH9n3qnaLxSd5f+317oVpBlgr2FRoxBEgzLvR/a2ZracH14zWLiEmCePp/5dgseeN7TqPtFGalvGewHEol6y0C6rkiSBzuWwFK+FzXgjOFvme7M6RYbUS9/MF7cbQbq696jyetw2G5lzEdPpXuOxJdf0GqYWpgU7XNVm+XsMXn66lp87cijNBYkX7FnXyn4XhlG4Q6KlsJ/BcM3BMk+WxT+equ7R7sU/oMQ0ti/QNahd5E/5S/hDWxg6ZI1zN8WTzypid` |
+> | Germany Westcentral | rsa-sha2-256 | 12/31/2025 | `e4CL5Qok5VjcACFdiDXM39iG1fo44+YgnnMi3vEx2Yg=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC/A1RmHi6Y4m61EAVN7piQKZVs0qvGc2bRd1rhm0ZyRpqYVuxYnHQplw+f2KVlUnceZJq2fd7X0riW8zjY7AU3Xltb7w2j2IRI26Zut/sIm3oFhhYO6mrceqRxTD4pJk9WwjQulrD4TUL8OB34t9Y4Y3Uqd2YPllBiWca3vQS5QWDN78xqZqYpOxqtGExJ87YvJjs0v0sqhsnfOioXhuuD1V6dFIgGG480lhqOX1WUTzF8kU1yOqanbCY4cyZht2++eBQ6OtF7k3fMLjJWxXSwhg5Qlzr0ickpi9mcDYEi6um0hHvI8J3U2vquT+9nMnln2BN7+q5v3TB1O41+QCxJ` |
+> | Germany Westcentral | rsa-sha2-512 | 12/31/2023 | `9OYO7Hn5p+JJeGGVsTSanmHK3rm+iC6KKhLEWRPD9ro=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCwrSTqa0GD36iymT4ZxSMz3mf5iMIHk6APQ2snhR5FUvacnqTOHt3xhMF+UwYmGLbQtmr4HdXIKd7Dgn5EzHcfaYFbaLJs2aDngfv7Pd6TyLW3TtSgJ6K+mC1MDI/vHzGvRxizuxwdN0uMXv5kflQvnEtWlsKAHW/H7Ypk4R8s+Kl2AIVEKdy+PYwzRd2ojqqNs+4T2tPP5Y6pnJpzTlcHkIIIf7V0Bk/bFG2B7r73DG2cSUlnJz8QW9pLXIn7268YDOR/5nozSXj7DinVDBlE5oeZh4qkdMHO1FSWynj/isUCm5qBn76WNa6sAeMBS3dYiJHUgmKMc+ZHgpu6sqgd` |
+> | Germany Westcentral | rsa-sha2-512 | 12/31/2025 | `sDXbCz8K9IsknWgFHjlZHmhB9ecW65qVdaXNK9Wd/lc=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCYVSqdP8Q4I0uY0sNh8BXoB8bDmP5YKH3cfcssdgnB+hSyjVcEkCXWzs2uS36sKPmPSwcIj1jsE2W+r8YNdP8jid82PZYzufWf9WeVMM+vCT91m7Xkugla/pKsLzeua8ZmbBAqIIac7RsPDmNxhcvjNS+NCSzG/dr4y2YIpQ/nXM4w8e/MUqyJDaf8uMkE5/GFUN6l86miqUF4PQzvZlaxcsaB17TMa7y/01tLuHDlBzmnwBss4+5ZJut7qH5w9o2U+n06m6NB0wFpDEfXwPdREICDCBzyMtMeJ7i7Wraop3q2d1YRsjZNIskbbEIIwS/awHi9+6+tkZGOXbgqC6bB` |
+> | Japan East | ecdsa-sha2-nistp256 | 12/31/2023 | `IFt/j4bH2Jc0UvhUUADfcy3TvesQO+vhVdY4KPBeZY8=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKVq+uiJXmIlYS367Ir9AFq/mL3iliLgUNIWqdLSh7XV+R8UJUz1jpcT1F6sJlCdGovM3R5xW/PrTQOr3DmikyI=` |
+> | Japan East | ecdsa-sha2-nistp256 | 12/31/2025 | `hNki347+AC3wa6Yp1qgRfxFQGku65fd3VM13B675RCA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJBYLB2TtVhVnWaLtOUts6Txhtle6v0ws60hXE3NvjFf+vHYh0yhDorQhiMHY6uDjXwS3TUOXQTcjLsBh7Ln9t0=` |
+> | Japan East | ecdsa-sha2-nistp384 | 12/31/2023 | `9XLsxg1xqDtoZOsvWZ/m74I8HwdOw9dx7rqbYGZokqA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBFh7i1cfUoXeyAgXs+LxFGo7NwrO2vjDwCmONLuPMnwPT+Ujt7xelTlAW72G3aPeG2eoLgr6zkE48VguyhzSSQKy7fSpLkJCKt9s0DZg2w0+Bqs44XuB43ao6ZnxbMelJQ==` |
+> | Japan East | ecdsa-sha2-nistp384 | 12/31/2025 | `kQPmkwILyGO/5ejgfg+0D1WeI4Ax+e1UZ31+jKqxclg=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGVsoOV31Dv/BYpp8cW+sReXE4nK84wSOhNmK6MmQyTgCSh5msHcnnPBQP0RpptaKUm+qtZSLPXJTEU7AteUm4UllN00YL2uOsgVWC3+oidsq4Tc6jRKp9shY4ivzCb+Cw==` |
+> | Japan East | rsa-sha2-256 | 12/31/2023 | `P3w0fZQMpmRcFBtnIQH2R88eWc+fYudlPy7fT5NaQbY=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCZucqkz4UicI20DdIyMMeuFs+xUxMytNp7QaqufmA2SgUOoM387jesl27rwvadT6PlJmzFIBCSnFzjWe5xYy3GE59hv4Q3Fp3HMr5twlvAdYc5Ns5BEBEKiU0m88VPIXgsXfoWbF0wzhChx8duxHgG4Cm+F8SOsEw/yvl+Z/d42U9YzliQ1AafNj4siFVcAkoytxKZZgIqIL4VUI322uc93K5OBi9lgBqciFnvLMiVjxTWS/wXtVEjORFqbuTAu/gM4FuKHqKzD1o39hvBenyZF2BjIAfkiE6iYqROd75KaVfZlBSOOIIgrkdhvyj9IfaZFYs3HkLc7XgawYe6JVPR` |
+> | Japan East | rsa-sha2-256 | 12/31/2025 | `4NqHhLFmWOkUDU093AFLCRYxx1gp/wIIQQErFkfQuoE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDR8dvjRiVZYNYEemBmSWFdspEs5IwiZ7WB04o4XX8cgnvt0pb9tGxI+KypqcXnocBSZtSTC6dQ+kLVKJJ0AcL7WmCMk98biFj+E87/LQuEU2UifdYygwWqK+9oWtY4drFIPcU8GWWqxf/vhXUAwHf1mFiuEpbO4MHWGZfJTdbU2zlBt1nOj9mftl4s1SeoTzd3ndpja1wnK/wmPTDNbE77eSf6Y52W3p16BjdL76A/7IjZPufPbimNLzyKAkSlXiaZApHMxsb3+RmL9V93c2yGnbZAd27zT8UlDxXM1tIG1/TiKKQvU9ER5l0JU+YKRIMatr5rTOjeGO4ROrGap+El` |
+> | Japan East | rsa-sha2-512 | 12/31/2023 | `4adNtgbPGYD+r/yLQZfuSpkirI9zD5ase01a+G7ppDw=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCjHai98wsFv0iy+RPFPxcSv8fvTs3hN/YnuPxesS21tUtf0j5t8BTZiicFg6MLOQJxT4jv5AfwEwlfTqvSj3db6lZaUf/7qs/X9aN1gSoQNnUvALgnQDYGjNYO8frhR7S0/D/WggQo2YKMAeNLRScT7Pg/MJaOI12UhoUloCXbTAP1c85hYx0TGKlGWpFjfen/2fwYEKR1vuqaQxj+amRatnG+k18KWsqvHKze8I2D19cn5fp2VkqXzh6zQ1s5AMc5B9qIF48NIec9FAemb9pXzOoYBDFna0qNT4dfeWOQK6tM/Ll10jafaw2P32dGBF8MQKXB2sxtcC0nU4EEtS5d` |
+> | Japan East | rsa-sha2-512 | 12/31/2025 | `Y4mVSJoE0kk6/kJ91yxyavlrDpMcB4pbRjk6yn/foHM=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQClNQuyH42xrN5BODWQLLTmQZHQsQOqtAJtZ3sq6H/O1WgeFjCYAO0vxtTrtZlD6KO6NIssxZuspomQAcEkJ2mhc0dgtXNLlK2MLdqUElbb9knZR2+2K0+K9uehznRHCPiTxv9q3Dy3IzIb8zA0Ol4kIzo3Px+AkjfQLaLURLM+M5ZnL2CAiYQUrxBIxqO5mCwyLEWrJikwcI87WrkiZ8uorrXbE/ocMuCggTxuuuUUGuGWreHeNd7Cz6AAcdqz50cY7Yd5mm/9nnvpRdYmNjI/so6l9SzXqg6y7+tjEu2IEA4CyPKTg+qIm1tujFjbYs/JlTaOX0VP5fBs4qnED70B` |
+> | Japan West | ecdsa-sha2-nistp256 | 12/31/2023 | `VYWgC6A4ol1B7MolIeKuF2zhhgdzQAoGBj5WgnQj9XE=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFLIuhTo1et/bNvYUj+sanWnQEqiqs9ArKANIWG19F9Db6HVMtX8Y4i7qX6eFxXhZL17YB2cEpReNSEjs+DcEw4=` |
+> | Japan West | ecdsa-sha2-nistp256 | 12/31/2025 | `ybrCO0nkrCspDE3iuezYA12jWmjgD72XcLDIlK3ejZY=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNb8liGv9bPJAXwukCHD43nqpax24eQDM31YjEdJ7vhnvpBS3fvtfrth4FLspqGQcnWLZuyI8oZKHLrrg5pXMOE=` |
+> | Japan West | ecdsa-sha2-nistp384 | 12/31/2023 | `+gvZrOQRq3lVOUqDqgsSawKvj6v/IWraGInqvqOmC6I=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBD3ZiyS1p7F1xdf6sJ3ebarzA5DbQl1HazzLUJCqnrA84U8yliLvPolUQJw4aYORIb5pMgijsN3v9l0spRYwjGHxbJZY/V6tmcaGbNPekJWzgXA1DY35EbFYJTkxh/Yezw==` |
+> | Japan West | ecdsa-sha2-nistp384 | 12/31/2025 | `nC2vSR9tS0m6VM8HmfAYIGKLHHATc35MFKtFmqT3JPg=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNY0L4vz17bEi6V5ww9oL2YVtJ2yov/xGhKXN7UCiGE+iivz0gkcsCmCgNjE/GjpJ6ClwvOTnKJihnq6n+NDVoshsFO+LfoorwdVMhszhH/fbIV4x09vrNZWl8twA8L5Iw==` |
+> | Japan West | rsa-sha2-256 | 12/31/2023 | `DRVsSje7BbYlVJCfXqLzIzncbVU4/ETFGzdxFwocl8E=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDl/rlTgQpomq4FmJKSR2fjgAklV818RcjR/e/C1VUJVpbntJoWUlBhKYDFPTVQaHXDTK5HyJU5APsdy6CJo8ia32qc2E/573LDNk4dgFFrh+KFRiD+ULt3IH15i1DieVw61MAVOvzh+DmTJHPLaTufXoQ62YACm3yC1st1kXv4bawfXs0ssmeqrBcCOQvMvW/DexnnGXO6QXYTcjUktNrO2h2dd355n5FP4fcsBEdGmfT79HYPM6ZoqkItRZEO6Nel65KxtenAwQub8SK3iJgFyJwd3zIH4OCHp3z4tcGXw5yNAX15dJMSnls0zvzhx0f4ThwfgB4t1g9jVb47Ig7B` |
+> | Japan West | rsa-sha2-256 | 12/31/2025 | `P1paDhO48HuP5smazNHhse4IOsvNbsXkiX0wCYy7FAE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC8we/tpjgMEjmd+iyVNJWErV69vABxcnEflMamhvyidR4XO1E0xVbCUzLkeMk0h2f6ICXCk6NRpY8A6lPp37QGYY+7gZqyNKXgOO5OBGVyTb1bzafP2q38lEi7LSkcA1fYXRfSlrGFktCFkCa5dpKzWxr3F8jvQPIukWUuvAVVbQpamL93jmlIIewNcqrom6oGgU8ehKPcnhONY84DNMJs0b3krksPOC1lk36QptpZtUCUA112X+XU62f7O+99PKrjVMGzjzrQkjs8dOyVUNc7LACafo9uslxZW8wsaKibuERWunDdXlC4S8pDlfwmXaoJMWlOZXJnUv1uwgc8SaJF` |
+> | Japan West | rsa-sha2-512 | 12/31/2023 | `yLl9t2jlkrTVWAxsZ59Wbpq+ZCnwHfdMW8foUmMvGwI=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC9zrpnjY7c0dHpE1BMv+sUp+hmvkBl3zPW/uCInYM5SgtViSQqn/DowySeq+2qMEnOpHGZ8DnEjq55PmHEumkYGWUUAs38xVGdvRZk6yU7TxGU42GBz0fT/sdungPHLQ2WvqTZYOFqBeulRaWsSBgovrOnQEa2bNTejK9m353/dmAtKHfu68zVT+XYADrT3PY5KZ1tpKJA0ZO9/ScUvXEAYs20WSYRZBcNDoSC9xz4K8hv9/6w3O3k0LyBKMFM5ZW8WVDfpZx1X0GBCypqS+RNZuVvx81h3nxVAZSx80CygYcV4UHml7wtnWDYEIBSyVRsJWVNGBlQrQ4voNdoTrk5` |
+> | Japan West | rsa-sha2-512 | 12/31/2025 | `RWw7+FvEvquzP8KS0w1UrHkrNhmm9OKP12MujEWgpAU=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDO3u8afk9VvwkvpebBX5yDl992D7SPS+4Pt5NreLgHY2UBvMEyx79PS9vuQXEE1Iv1dh3adbY15V50ZDEILbRe8DaIPNXRHVj0QK2AOIO3h8MJrsuGQk9c2p8LiJx+lCMzYf0xgD7gbffEwUfUG2d0qBcuomgfBzuX7i1kEJetliwOS79Df2OfeLlFfvPUMO5mSVkd2AF38jyl6aOqDu17yofQxDTHhUdaSpniT+tbc6IJin6WDZFHMipb6FQLmiQcJSbAxaQUzf1/XAbndz6qES5wThm+pg73nYhB6ynPqX5VOVOP/t0ZVkkv9rcQ94c7omY6hSrNhUXWq/VouJLt` |
+> | Jio India Central | ecdsa-sha2-nistp256 | 12/31/2023 | `zAZ0A1pk0Xz8Vr/DEf8ztPaLCivXxfajlKMtWqAEzgU=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDow29ds+BRDNTZNW70CEoxUjLiUF+IHgaDRaO+dAWwxL13d+MqTIYY4I0D7vgVvh0OegmYLXIWpCdR8LvVT7zA=` |
+> | Jio India Central | ecdsa-sha2-nistp256 | 12/31/2025 | `F4I61T+soC7yfrE9ZUPLtRb2ZoQozdboHwP23xQ+Y5g=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJFSwEH2udhlvtUayxa++ajapReFdnuqtAzPVZtQa/LDt3Je5J3JW5GUqIUdO3GFAFXss32UAxYOC1teT5B1gew=` |
+> | Jio India Central | ecdsa-sha2-nistp384 | 12/31/2023 | `OTG7jxUSj+XrdL28JpYAhsfr6tfO7vtnfzWCxkC/jmQ=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ/Bb3/3u/UIcYGRLSl7YvOObb43LO5Ksi0ewWJU+MPsPWZr7OTTPs76TdwXMvD8+QuY8U9JxgQQrNmvbpabmbGENkllEgjGlev5P2mHy/IZZAUQhAeeCinCRvTsiOOoLw==` |
+> | Jio India Central | ecdsa-sha2-nistp384 | 12/31/2025 | `HkXwB0/d+gziTWHE9tmdTeXqPOlGU5moOy24VZW/1R4=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMjje4Bvw0jMsOUEhkD6mhzaeQILgDpjjkoV/16gqMd+VaMVdMP4fDyBR7cfbTo2N+lZDmdIrbdHfLlKGrNOYoQlSBL/ANBQfpnfyzEX+Z9Bsz5jE7CyXML7SQAVm3YYhg==` |
+> | Jio India Central | rsa-sha2-256 | 12/31/2023 | `DmNCjG1VJxWWmrXw5USD0pAnJAbEAVonkUtzRFKEEFI=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC/x6T0nye3elqPzK8IF+Q70bLn2zg4MVJpK3P6YurtsRH8cv5+NEHyP0LWdeQWqKa9ivQRIQb8mHS+9KDMxOnzZraUeaaJLcXI0YV512kqzdevsEbH6BSmy8HhZHcRyXqH0PjxLcWJ5Wn9+caNhiVC40Oks7yrrZpAVbddzD9y/eJfguMVWiu1c8iZpYORss1QYo7JqVvEB6pLY03NXWM+xti1RSs+C6IEblQkPvnT3ELni9T1eZOACi12KGZHVLU9n27Nyg/fPjRheYSkw/lkkKDG0zvIQ7jr/k8SCHGcvtDYwRlFErFdGYBlIE888le2oDNNoKjJuhzN6S7ddpzp` |
+> | Jio India Central | rsa-sha2-256 | 12/31/2025 | `fZEtfkvGAXf7QhIJWDZB37fRATEkjjebgGDdXZvJTr0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDRGylVPtL0MgUInVkEgS8017YRvo/59b9+Of1weYoOz9ICLlRSuk32X/r8tXnhmWPsai2H/DoLxMTzS/PlvQGJ8jO/46DmL3r8uwkgPR73J/KFMSkg8GDYAWjMRrDs4ezkB+RVgW9iO9R6o6Abqj6yXrhlZ1YRMXCHXrkuI8tDefh8TmV2quxNAn3HM+Q11WqUh9BS7hXcY2J+RUn0R` |
+> | Jio India Central | rsa-sha2-512 | 12/31/2023 | `m2P7vnysl2adTz/0P6ebSR7Xx8AubkYkex6cmD9C0ys=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDQHFDt8zTk+Hqh912v0U8CVTgAPUb8Kmuec+2orydM/InG+/zSuqQHsCZaD2mhEg8kevU8k2veF5z2sbko5TR/cghGg5dXlzz4YaKiNdNyKIGm2MdynXJofAtiktGhcB6ummctHqATfGSgkLJHtLvstzTVbVK1zgxXcB8hA52c2EPB1cN1TkAKEyiYNX7fKFe1EEPCxdx3fC/UyApKdD+D432HCW/g8Syj/n7asdB8EQqcoCT3ajh2wG2Qq0ZxjVbbrFImlr0VoTqLImJ4kZ9d2G7Rq2jqrlfESLAxKVDaqj+SjyWpzb3MHFSnwJZybCKXyTt+7BXpKeeGAcHpTs3F` |
+> | Jio India Central | rsa-sha2-512 | 12/31/2025 | `TqQRg3js6McwK8pLUIzXtCuCCoDkHFmOJkF0P5Qy2T0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC5gg7SwMc7NaBDbEk5LSHZnfE7mx1qOhs8G5G53lC7A7q8vUF4RzWP0BE9mhKb/Wbx3G5PwgXGqE4yP2J2ohNYRudzB7LJyGNaDSWRkx9n0tyfaza3FuUrUKUTu8UKrMJzsQYhR6/3bNZjFkDTMbrhFmKU9k8/9MmpfAKNt74rAHH9PBVyhXvsFEm84J4wDdfi46gzLksV5XKYEuEz7GpTK4QhdXAYUOq8OOvWiDa2pP/dEiE6DfpPYEMrKtFG58D6hhamXDxo5PK8V1R8NFPQ3VgWZuVhYYwnslDq8a/QhRq3Q8HPUSxRKrwCQ9zs7HZxAtofpE1HTHOD11rcZJG5` |
+> | Jio India West | ecdsa-sha2-nistp256 | 12/31/2023 | `mBx6CZ+6DseVrwsKfkNPh9NdrVLgwhHT4DEq9cYfZrg=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPXqhYQKwmkGb8qRq52ulEkXrNVjzVU4sGEuRFn4xXK8xanasbEea3iMOTihzMDflMwgTDmVGoTKtDXy8tQ+Y8k=` |
+> | Jio India West | ecdsa-sha2-nistp256 | 12/31/2025 | `LKIwML4VmHO7WCRtLKz315NKhUsf3pn9q8UggCsT2ls=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLv40BCM762yvf6z/gbySSUjxvswA3Y4L4kDEENRBu4L/xju3kmN4BiuRVkCVioL4Z3qDRt97wSK4uyMi8E18wY=` |
+> | Jio India West | ecdsa-sha2-nistp384 | 12/31/2023 | `lwQX9Yfn7uDz/8gXpG4sZcWLCAoXIpkpSYlgh8NpK1E=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLKY2+wwHIzFOfiKFKFHyfiqjUrscm0qwYTAirNPE1GI6OwAjconeX072ecY3/1G0dE7kAUaWbCKWSO3DqM4r6O+AewzxJoey85zMexW23g2lXFH7HkYn9rldURoUdk31A==` |
+> | Jio India West | ecdsa-sha2-nistp384 | 12/31/2025 | `Oh8tm94RmBr3De3CtRgSNYFdCk4GuDu2YEupO+rXV+g=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAAfMbIXcSz+/3ZUPhsmjFrdNZJRH5vV3zzAE/O/LEbTA8zZcOD04fhbyEmohk0z6qPQE0tVCp/Xi84gC0LMK7AuaFH4kJmuzh8tC2CbRlpBV0TWK5oVjRjBeLGj2gocTg==` |
+> | Jio India West | rsa-sha2-256 | 12/31/2023 | `hcy1XbIniEZloraGrvecJCvlw6zZhTOrzgMJag5b5DA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDOBU9e1Ae68+ScLUA5O1gaZ3eq0EGqBIEqL3+QuN8LYpF3Bi/+m43kgjhgiOx5imPK6peHHaaT/nEBQFJKFtWyn8q2kspcDy1xvJfG8Jaks1GQG33djOItiHlKjRWMcyWFvisFE2vVkp3uO0xG4nMDLM2rFazkax+6XA5cf2iW2SfL6Trs4v1waakU/jQLA7vsrx14S+wGEdVINTSPeh5DHqkLzTa3m2tpXVcUA4CG8uQZM8E/3/y0BuIW0Ahl/P6dx35W1Al7gnaTqmx7+idcc/YVe0auorZWWdyclf1sjnAw6U8uMhWmQ0dZgDehDtshlHyx84vvJ1JOJs0+6S2l` |
+> | Jio India West | rsa-sha2-256 | 12/31/2025 | `ZD5Vw+3ipQeZYOwHpwIrfJIDBfZcTpydzeq7HSNrmxw=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDRX7fdrzYX7M8CRXXZG44+MRP30m42vmzSf0xwugiR05ECtD+rI1VNH4VwhviQ75st+lIU5DzkNzxInZiof0/MgfaOnjzjpHfVV+CERbmbawaMglAz4c5LA9k76TDemRl/367h3PizXW7zVyNj4MKoJLzn+FEq77f9Zeo6TnVW/ZDifsTSyAYfwgJKxRJCHoDi0XZVWpuuLJcV5k28tH4OTBWUE0+lPCuu3e2bPzNKXhm+XzFjShMWUv16pErxBFmkCaGSVpDbeW+I1nIkjQ02dsvrDxyYGOZEbd4cWJX2wgYSD+jt3oiEXCqG2VyX9uVRHCslXu2ezTDUIiCFLs01` |
+> | Jio India West | rsa-sha2-512 | 12/31/2023 | `LPctDLIz/vqg4POMOPqI1yD9EE9sNS1gxY6cJoX+gEY=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDOH+IZFFfJN4lpFFpvp5x1lRzuOxLXs0WfpcCIACMOhCor2tkaa/MHlmPIbAqgZgth5NZIWpYkPAv7GpzPBOwTp3Bg5lUM7MXSayO/5+eJjMhB5PUCJ0We8Kfgf/U+vbaMIg9R8gJKutXrANd3sAWXMwWqKUw+ZX/AC7h58w04gb1s+lNOQbfhpqkw8+mrOj2eKH8zHYUJQBUYEyDHqirj565r7HhBtEZImn/ioJS+nYT5Zl/SNtW/ehhUsARG9p6O4wSy20Ysdk7b9Ur2YL0RyFa6QhWQeKktKPVFQuMMLRkYX7dv35uAKq8YN833lLjGESYNdCzYmGTJXk5KYZ8B` |
+> | Jio India West | rsa-sha2-512 | 12/31/2025 | `M/GmNpPBZHx9Gi6prlLDV5NZbknqFvdLPBt3WhGroH4=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCaPoHixXf5KMFCIJx5ZIDymatZcqqC+YLz2DpXwvBFiHt2QYQA6w3ZkZNpimjtWJUPyXBLUABMMrnD5WbWfIgYZ/bIsZhsnzMJmcXejD+vOkCoI3iBh2SzlUJodpSj6ahX/9JmWqU8mRB1zITB7XWdvkyjAC3TS2ps6G7wcXHumk9MbuktrbPYNKHj8CBjrFfAEggG2IJ1YTHHmBqV3Gl7+JqFSH5VO+PFnvNSRb0ATurp4GLsOB7syr2hy0sdFG4lLcYSlIAbYgVvT4x2LEpq6HFxxPOCluSgu93Slg9ZBW/z47PSwdGMGkwENyy0Xdltae+OzTxZ4zoimSitRWOp` |
+> | Korea Central | ecdsa-sha2-nistp256 | 12/31/2023 | `XjVSEyGlBtkONdvdw11tA0X1nKpw5nlCvN/0vXEy1Gc=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPYiomaLB3ROxZvdfqiilpZ+2XJiPDeIIv4/fnQRZxnCBCFrUm7ATB6bMBSUTd00WfMhnOGj4hKRGFjkE+7SPy4=` |
+> | Korea Central | ecdsa-sha2-nistp256 | 12/31/2025 | `9HlPpVNUWFMksQe7WrfMKiglruSK/KtPlEV4QgXBv2Y=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJF52Xf+DqG3cFdeTGRWzhKAd7wRrgOGs6++7K4spCmABa2thto/U1pZdyxZkq48+nk0U717raE4mgN5GkJpWxc=` |
+> | Korea Central | ecdsa-sha2-nistp384 | 12/31/2023 | `p/jQTk9VsbsKZYk09opQVQi3HzvJ/GOKjALEMYmCRHw=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBN3NA7U4ZC576ibkC/ACWl6/jHvQixx+C6i2gUeYxp7Tq6k4YLn7Gr1GNr+XIitT6Jy5lNgTkTqmuLTOp7Bx9rGIw9Or37EGf7keUM42Urtd+9xF1dyVKbBw0pIuUSSy+w==` |
+> | Korea Central | ecdsa-sha2-nistp384 | 12/31/2025 | `vy9cmbZQT0EgwifI+RHoQnGbV3tAjUIFP1Bl8zyZxIU=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBBTAnIdrs0h9CFZhTOEXmo89VTCOtNl0kxnXGazFpBKAmtPu6TAvdEBlKA3xjppM74h2e7Jv/tnr/SsZJK98BOKrFCPwZC+oFNoZ1SdRYOuoqp9BoXVPS8pAcisS2eFTCQ==` |
+> | Korea Central | rsa-sha2-256 | 12/31/2023 | `Ek+yOmuAfsZhTF4w7ToRcWdOevgZPYXCxLiM10q44oA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCyUTae7QtAd3lmH+4lKJNEBNWnPUB+PELE9f4us5GxP8rGYRar1v3ZGXiP2gzPF1km1cGNrPvBChlwFMjW+O5HavIFYugVIe8NzfI7S3t+kgTylXegSo1cWen18MAZe6Q5vxqqFzfs+ZChWEa/P37lTXVkLVOYCe5NJUPm8Zvip7DHB2vk25Fk3HMHG9M50KNj1Hp4etPI7yiLNLNCh5V410mf3xhZChMUrH6PMl/A+sVv68ulcVeIZ68eMuQktxz1ULohBdSExZGmknVrwfF/fLTKWxHlVBjB3yDlLIJO3nTFKaQ4RzPa/0If+FcbY+hIdzSjIAK6W3fRlbVuWHYR` |
+> | Korea Central | rsa-sha2-256 | 12/31/2025 | `BWHK5p4dmTUH0NU99TJm/stulp/+yWT26EWaNYddwv0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCfRvjPUGmZEi/70Vl12uUsbpaPd0Rdh8vElRKFpp06Uy3tcYpUdfwHQC5djjBEuniiK6V3BkyZb6/LPwCrxbrwzuUcG7aP929DeSYoe86N5X6vTpU8tyffkotTDxhzXuu5WA11252rgtt3GIOYLOGHR1Itpcl+P4OZ4ELnMrsCXZcewD9YphNEVgi7Ez9yi4rdsulXTk7qdlTj07pOMO+CpTx9H9MHhw0v9JSy2LBxU9bmNFU+megWA9jTnLqSdO+xiLBmlbwEbrPBDuZybbM4Idz+DB45os+NsIbpFTB9XKZ/eP2ijtUoGagytX3yp1DDcdGDg+beOyI3gzxOvR7B` |
+> | Korea Central | rsa-sha2-512 | 12/31/2023 | `KAji7Q8E2lT3+lSe7h74L6rfPnLEfGVzYZ/xyM96//0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDxZYb5eIWhBmWSwNU6G9FFDRgqlZjYYorMSXJ4swHm4YYHKGZTf4JOE5d87MNtkVgKe2942TQxA1t2TaENlmNejeVG5QZ4to+nVnwsFov2iqAYChoI6GlhpwzyPsO0RkqLB8mvhoKMel1sNGfmxjxYVFt4OSPHDzNIU4XjGfW24YURx/xRkLU1M9zBNADDx+41EMNRT7aBXrKW9MzsxkfCM3bYwjdBbI2Yi2nUqARm+e/sBPLTqVfjuMFvosacYc43MqepFSQoZE5snwYxkLJzltAbxNUysJs277isnGgezh9p5T2MCxtCERU0lvp7M52hd1p75QEtNrdadfDprzT9` |
+> | Korea Central | rsa-sha2-512 | 12/31/2025 | `Lwixdb3Fx5yvcsFkjBMeAVLFTj4ihngqAUvMDKWLrx4=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hp87cOOR8dC6B3tjUJIzLu6Ti4LB3jLep921EnhrXjEYwXWsWrEIyacsmoVxfbXJ2NZynzpInaKk2XiK1mQg2raLggao9yJ86NLQKZYQD8s8+74bO6gMoMgsGRRoPSRXv2iis/t5KEpKWAC+fC1qIQnwKOGscIgo5AWMDaWA98RoL+4HnRcQIzNvWwN14lebZ0H39Ijs/D6rMWIWibSXE3OWaJ7200lQ1+oVRmWT+mOo+QtQ0EVOKsFlynEkxgIysqEieED4dT8nE+bnAUrrOFGXjd0WpuHDaaEqldfHkmBX8FGLIei/1+KeVqIiKkeys/vbdyhjpQu5A2pdeDm1` |
+> | Korea South | ecdsa-sha2-nistp256 | 12/31/2023 | `XM5xNHAWcYsC5WxEMUMIFCoNJU/g90kjk/rfLdqK7aw=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHTHpO85vgsI6/SEJWgEhP5VDTikLrNrSi6myIqoJvRx6x8+doTPkH87L/bOe/pTU/rCgkuPi1kXTC7iUTSzZYk=` |
+> | Korea South | ecdsa-sha2-nistp256 | 12/31/2025 | `fOxnPL6yD3NfoubIfYyPCT1/LShV6zOSx/2+swvo5Gc=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAKFsE2xKTl5AhlcV7RaVykUTRz5zLNgQomLPNyQoAKrT4sEVUz36e5apDqquC0Xs83Jg3d2by4UQVmYEcSB7f8=` |
+> | Korea South | ecdsa-sha2-nistp384 | 12/31/2023 | `6T8uMI9gcG3HtjYUYqNNxi99ksghHvsDitIYpdQ4BL4=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAgPPIDWZqvB/kuIguFnmCws7F4vzb6QG7pqSG/L9E1VfhlJBeKfngQwyUJxzS2tCSwXlto/1/W302g0HQSIzCtsR4vSbx827Hu2pGMGECPJmNrN3g82P8M0zz7y3dSJPA==` |
+> | Korea South | ecdsa-sha2-nistp384 | 12/31/2025 | `WMARPBxgBRgT+w+qU1USQ7AJv0vVsqUkJl1uDqQ5sAQ=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBC+3iJNzYWq6KSjd72sIJYQfeoSxF70re24Ps2SLcDLXiK2sZ0qsDSrjG7Yk2qVXYKydLQbUZuokhfQyV5zKYjcNQ5VHIblwd+10GlvZeqyCZibOuoUsMNxhMx1eAlo8KA==` |
+> | Korea South | rsa-sha2-256 | 12/31/2023 | `J1W5chMr9yRceU2fqpywvhEQLG7jC6avayPoqUDQTXHtB2oTlQy2rQB` |
+> | Korea South | rsa-sha2-256 | 12/31/2025 | `sxw9cyrpek3T3ZcO0+ghUoNn+M9dZD72br4F1GXV3iQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQD5wHnNSXU7mmafdb4eSavGZiwaYIweYtGrLSj6IYxDafpk4+RwX9Grr7gG3yAG7wh/t9AzTt7Aj7mh5H2vNkJIkfS8efZgaW+BUJjatQAVu0pXUv0vAbIaioBvUJEeNlCYrOsSvfI+fLP+8JnZWPIkFi8jg/2cePOVFD/ZpTdq/d2b1ifOlEi2EtwkPK4U49asfwfogGpWShoRSufBiGdH5L3Sd157r2wJsUqUyO4x8CPLgT/cRR3HnQxWbGJOwalkb1Da1EX9gnHE639jTv5RPBUEbLA5JfAKWi6W7W4Wp91Se262Qva7fXeJv7lB1aPignIaI7XiZJYMITUAY2wh` |
+> | Korea South | rsa-sha2-512 | 12/31/2023 | `sHzKpDvhndbXaRAfJUskmpCCB3HgPbsDFI/9HFrSi3U=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCfGUmJIogHgbhxjEunkOALMjG77m+jgZqujO3MwTIQxQNd/mDeNDQaWDBVb2FJrw15TD3uvkctztGn2ear3lLOfPFt0NjYAaZ8u5g9JYCtdZUTo5CETQFU/sfbu2P2RJ/vIucMMg8HuuuIMO059+etsDZ5dZHu9cySfwbz/XtGA0jDaTlWG0ZDT+evOE0KmFABjgMFWyPnupzmSEXAjzlD/muGeeUhtXUB8F6HVUCXLz7ffzgYiYj+1OB0eZlG/cF8+aW7MOpnWvfpBxwm16soSE1gmZnXhPrz/KXlqPmEhgIhq7Cwk54r3rgfg/wCqFw+1JcbNOv5d4levu/aA7pt` |
+> | Korea South | rsa-sha2-512 | 12/31/2025 | `HKrQz+1svxtsfHSYoPt+DK7xN7zI8tCGKqcohLpKiFE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDXjEE9ikBQMHmepDgS7yNbQ7BUEHR/KB5xMUH3+bdmx/YctR0M1cVGKpRDlc6ME4F30cNDayAEwP3kgEUYD8nD8grJhIBg16zb3J3AJF1FaKBjdCG52Az+pbwywnanl+mG+vvvVS4m1gNc/f+blb3hNkgtE2Tk45jlHiPAD671Tj+E5HVZDYoiDaudk8IazT9JqUIKXMcw2HMG8YOwcap21gKedTQoBKGCfgYjrKapbwj8AXbR+TxZ/2fu2YtLk4MYsRxYK2BlgF3GqJKcrCT3FI2fW/1fnP8OI8XKd` |
+> | North Central US | ecdsa-sha2-nistp256 | 12/31/2023 | `6xMRs7dmIdi3vUOgNnOf6xOTbF9RlGk6Pj7lLk6z/bM=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJw1dXTy1YqYLJhAo1tB+F5NNaimQwDI+vfEDG4KXIFfS83mUFqr9VO9o+zgL3+0vTrlWQQTsP/hLHrjhHd9If8=` |
+> | North Central US | ecdsa-sha2-nistp256 | 12/31/2025 | `s/ZY4uDhgUqq1e5mJuKJqnB2tWKrmCSxsDFUdI53crs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIIsskPKndr1JuwN+hz/5EY3EvGrDSbz8kQq+vlzYTm26jiS0Uw7OFBRhaZLMM4Cnh6qT7xQ5aNwnzuVFVCYitc=` |
+> | North Central US | ecdsa-sha2-nistp384 | 12/31/2023 | `0cJkHHeTNQpl7ewPTZwug5+/hfebiH6Yxl2rOTtYZQo=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBG8aqja46A9Q5PmhPzhxcklcJGp+CiC3MCjVR6Qdl9oQGMywOHfe+kCD72YBKnA6KNudZdx7pUUB/ZahvI5vwt4bi593adUMTY1/RlTRjplz6c2fSfwSO/0Ia4+0mxQyjw==` |
+> | North Central US | ecdsa-sha2-nistp384 | 12/31/2025 | `2vN+aOTY7FunWJ9DjrDCDWYxsr9Wme8hJ5w+Qx54624=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBFcdbWr5Q3sOjz3ymMuUEN5W4FV8aYJxf/TeHm1nq2r3S79dX/QyQs2mDUGgkHlZW7oWB6rrDGXDkNI9ur0wMh1gKBS0JgkjzH/B3knAKiPNv8rPtxpI8aMY7RJy/pAGiw==` |
+> | North Central US | rsa-sha2-256 | 12/31/2023 | `9AV5CnZNkf9nd6WO6WGNu7x6c4FdlxyC0k6w6wRO0cs=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDJTv+aoDs1ngYi5OPrRl1R6hz+ko4D35hS0pgPTAjx/VbktVC9WGIlZMRjIyerfalN6niJkyUqYMzE4OoR9Z2NZCtHN+mJ7rc88WKg7RlXmQJUYtuAVV3BhNEFniufXC7rB/hPfAJSl+ogfZoPW4MeP/2V2g+jAKvGyjaixqMczjC2IVAA1WHB5zr/JqP2p2B6JiNNqNrsFWwrTScbQg0OzR4zcLcaICJWqLo3fWPo5ErNIPsWlLLY6peO0lgzOPrIZe4lRRdNc1D//63EajPgHzvWeT30fkl8fT/gd7WTyGjnDe4TK3MEEBl3CW8GB71I4NYlH4QBx13Ra20IxMlN` |
+> | North Central US | rsa-sha2-256 | 12/31/2025 | `AT+uuHy3KWpXQX1o6xvepKloVxWW/hHclRucH3CQ8IU=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC1etuSzvJZ1idzgvO4r8kZ0XqGM+AzonnYHMs3CyG9+IuBG4JPRq1cRvj3MkHLt+5V+RXp10c3TSyxit62awNjlWW1e6/v3R1IMjqBh85+biHDIJ7TtaNl8zBOvdzS7jVMXxcOI/2QySEFwZq0Kp19S6HBxVXNYDi0Imccxl6SpU/dLqJcJQpmJjGfOQamO0fVU5kEzNvTy6j1ivLQtdjwnbhJCzohplqMHVm2mzCr9Tl4YPHp2VRdrtH7vLpml/uu27sL9lZKzQMXDc6kQsDoORukblfu2CDhO3x+UL6+5fcbG4gYilt96JJy8JqIUc1FteR+BPpKHuUzM2LmLHb5` |
+> | North Central US | rsa-sha2-512 | 12/31/2023 | `R3HlMn2cnNblX4qnHxdReba31GMPphUl9+BQYSeR6+E=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDeM6MOS9Av7a5PGhYLyLmT09xETbcvdt9jgNE1rFnZho5ikzjzRH4nz60cJsUbbOxZ38+DDyZdR84EfTOYR2Fyvv08mg98AYXdKVWMyFlx08w1xI4vghjN2QQWa8cfWI02RgkxBHMlxxvkBYEyfXcV1wrKHSggqBtzpxPO94mbrqqO+2nZrPrPFkBg4xbiN8J2j+8c7d6mXJjAbSddVfwEbRs4mH8GwK8yd/PXPd1U0+f62bJRIbheWbB+NTfOnjND5XFGL9vziCTXO8AbFEz0vEZ9NmxfFTuVVxGtJBePVdCAYbifQbxe/gRTEGiaJnwDRnQHn/zzK+RUNesJuuFJ` |
+> | North Central US | rsa-sha2-512 | 12/31/2025 | `KmGVFgihOp7BEJgoOQ28QGCVpivhWOUJVpoWSf1DzLY=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDNhjttgLAC1yCwlPWPS0Ts2kHQ7RuGvnbZ0yrCTB3URS4SeMSkrQP5H2lBqaj/ZygNeH1JPcy4rsDopP5g9S78tSVUSwwhd/TY1qw2yMQgQKBX2540h2ErLjnW1nqfUliLEGU6lxY2JEui9XfiFjS0ct2LdWzoWk/2rhDLl2CJej1j6u4gopjaLewhndd/yiIwM/tkcMmTUL4zV1X3esbDbKHCKVCOjeVK1KIB7eA6pg9HfBcIFacVUraTsn/curAgsi7Q/X5o7KVHcCGRWGyrHD2qjrPTbGOS9dIBq7hwpBGHi1estt1KiavuHNMCPvwKdhLmIYA+6raz9w4rOSwh` |
+> | North Europe | ecdsa-sha2-nistp256 | 12/31/2023 | `wUF5N8VjGTnA/PYBVzQrhcrMgHuCfAYL1tu+p6s28Ms=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCh4oFTmr3wzccXcayCwvcx+EyvZ7yANMYfc3epZqEzAcDeoPV+6v58gGhYLaEVDh69fGdhiwIvMcB7yWXtqHxE=` |
+> | North Europe | ecdsa-sha2-nistp256 | 12/31/2025 | `wnIXnbkmXRuxP+60TeN4mn0kplC2Lb+ohnlC9u4cZpk=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFIx6kxnNFhCoIC3SdEFUFNZlQA+2Pc1gMMAy59BkCIP7PWhEF8uejxGQOfxwQO17AW0o6anFFWhyWoxTI3vpXw=` |
+> | North Europe | ecdsa-sha2-nistp384 | 12/31/2023 | `w7dzF6HD42eE2dgf/G1O73dh+QaZ7OPPZqzeKIT1H68=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLgyasQj6FYeRa1jiQE4TzOGY/BcQwrWFxXNEmbyoG89ruJcmXD01hS2RzsOPaVLHfr/l71fslVrB8MQzlj3MFwgfeJdiPn7k/4owFoQolaZO7mr/vY/bqOienHN4uxLEA==` |
+> | North Europe | ecdsa-sha2-nistp384 | 12/31/2025 | `7YPYAsFrQ6BRtsVcL7zXP1IClrfuqi6ruN3w9ri6UmQ=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBFxP4POMxrfU1ca7/LmaMlJY+6gtOGUupVmFj90ZFFGxXEccxknT18phpIy1zu1n+oh0kmyqE3JKac71Jbpt0ypM615lrnC5xH9Ayxvi05nFYA/gXAbC/oAqSMGNtuaNxg==` |
+> | North Europe | rsa-sha2-256 | 12/31/2023 | `vTEOsEjvg/jHYH1xIWf2rKrtENlIScpBx450ROw52UI=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQChnfrsd1M0nb7mOYhWqgjpA+ChNf7Ch6Eul6wnGbs7ZLxXtXIPyEkFKlEUw4bnozSRDCfrGFY78pjx4FXrPe5/m1sCCojZX8iaxCOyj00ETj+oIgw/87Mke1pQPjyPCL29TeId16e7Wmv5XlRhop8IN6Z9baeLYxg6phTH9ilA5xwc9a1AQVoQslG0k/eTyL4gVNVOgjhz94dlPYjwcsmMFif6nq2YgQgJlIjFJ+OwMqFIzCEZIIME1Mc04tRtPlClnZN/I+Hgnxl8ysroLBJrNXGYhuRMJjJm0J1AZyFIugp/z3X1SmBIjupu1RFn/M/iB6AxziebQcsaaFEkee0l` |
+> | North Europe | rsa-sha2-256 | 12/31/2025 | `ai5VaZSIlMqnIjownVEFQqW9U8woOoBGFY3hSbrdnHg=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDHFi3P1ykPMMhPNqYLM5l2tTOvC7UXCY635w5SrsL+8rOFTAqNFfwhZrccGgWhuzO0LNt7khMjHgYKn6yG67HyHvL9ZXC5rTS4mDALNDyPNCMzyAI3fuDZOWlGpDTzMhfzTeZzbK5x5T9MSGDfOlsdnQt8p5hEDCAnl5oSOze5k6ZUXV62LNXLEG5+xIYr64Raz3oaOsEVfhzZws18GgdMfCf0Syiw7rqjfPnPWmJnyxzuGvIGDEyitxi5y1WyzBe/Hwko0rFCQLwSFiEEm6ZAMJzvsDWzfKvIowZV8RVw/avN3Yvz6B6VBVbX1fHpMoVqzCdsS/38WwfGbdY0HoqJ` |
+> | North Europe | rsa-sha2-512 | 12/31/2023 | `c4FqTQY/IjTcovY/g7RRxOVS5oObxpiu3B0ZFvC0y+A=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCanDNwi72RmI2j6ZEhRs4/tWoeDE4HTHgKs5DRgRfkH/opK6KHM64WnVADFxAvwNws1DYT1cln3eUs6VvxUDq5mVb6SGNSz4BWGuLQ4onRxOUS/L90qUgBp4JNgQvjxBI1LX2VNmFSed34jUkkdZnLfY+lCIA/svxwzMFDw5YTp+zR0pyPhTsdHB6dST7qou+gJvyRwbrcV4BxdBnZZ7gpJxnAPIYV0oLECb9GiNOlLiDZkdsG+SpL7TPduCsOrKb/J0gtjjWHrAejXoyfxP5R054nDk+NfhIeOVhervauxZPWeLPvqdskRNiEbFBhBzi9PZSTsV4Cvh5S5bkGCfV5` |
+> | North Europe | rsa-sha2-512 | 12/31/2025 | `ralX3vX5MZc4oSa+vFRXYb57sOw4Q30iZ0jx+s1LbMs=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC04Y+mJojbEI6L590NFYLYcWI6Zg+WCVIFSIz2ABoawbKHmQpEh6Gz56dcw8gbv6q9zNn8CVD+i4+k9QLycMhuxoR5kRJO6iJexoasY9W5v7nGnIpp/pg6IfOsQ97nwRtD0dOL3Rg3FuPqXLA9mckhc70gp2I8FK52sfeZvJEUfjRlYzgtsZbFVpj1mLnEr18eLZTUzVAPz2ABHhXNCuBft58iue5dO28a6boR0dVBPTy0wI1hJ3CyiFZj6EQKceK4kxv2b0TQ/H8E3PGb6wh1PoOel4IZ0CiKGCovJhOOfWZX5CYjNW34okNZONYWleI3yYFQetlGTXxvdMEV61sx` |
+> | Norway East | ecdsa-sha2-nistp256 | 12/31/2023 | `mE43kdFMTV2ioIOQxwwHD7z+VvI4lvLCYW8ZRDtWCxI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDWP6vJCbOhnvdmr7gPe8awR/E+Bx+c8fhjeFLRwp6/0xvhcywT9a1AFp7FdAhkVahNKuNMU1dZ0WTbOEhEGvdg=` |
+> | Norway East | ecdsa-sha2-nistp256 | 12/31/2025 | `LX3xXaXt8vEj9GexgUl5FQPn6kgHgqJyqbyKUUSXI6Y=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNfWlwwKQz69ViXpaEe923CbQgSMjpxCn0fMQDjdGz42v8mrwBLTNYP48c4pzLm8eiWtb5IU07Au7rl+h2OFAUY=` |
+> | Norway East | ecdsa-sha2-nistp384 | 12/31/2023 | `cKF2asIQufOuV0C/wau4exb9ioVTrGUJjJDWfj+fcxg=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDGb8w8jVrPU1n68/hz9lblILow6YA9SPOYh5r9ClAW0VdaVvCIR/9cvQCHljOMJQbWwfQOcBXUQkO5yI4kgAN3oCTwLpFYcCNEK6RVug9Q5ULQh1MRcGCy3IcUcmvnYdg==` |
+> | Norway East | ecdsa-sha2-nistp384 | 12/31/2025 | `Y1NKi875wtm5Z8fto3UZft09cvoZIE/mbEvVbxEq69o=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBP+K8187kNSjyrGOu9exSmSvVDfRQDHoe7EOpD6JLOhDnT8/UeAQqzaviiVppMF1BqVuBplzNyV6NCQPxwqVlrJsXsvNOnneJOVJf+E4oNz2I6kF5rZbzc53cWUqnD4rAA==` |
+> | Norway East | rsa-sha2-256 | 12/31/2023 | `vmcel/XXoNut7YsRo79fP5WAKYhTQUOrUcwnbasj/fQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC4Y1b2Bomv8tc/JwPgW0jR5YQhF031XOk4G0l3FOdZWY31L8fLTW6rOaJdizOnWCvMwYQK39tyHe6deN9TZESobh0kVVuCWaZNI6NUR0PSHi0OfbUkuV0gm/nwtwJkH5G9QbtiJ5miNb4Ys3+467/7JkqFZmqN6vBLhL9RVInO00LPYkUGtGfTv+/hmsPDGzSAujNDCFybti4c+wMgkrIH6/uqenGfA1zW3AjBYN2bBBDZopzysLHNJYQi3nQHQSiD4Mdl7IGZtJQeC/tH9CKH5R4U4jdPN1TmvNMuaBR/Etw4+v0vrDALG1aTmWJ7kJiBXEZKoWq/vWRfLzhxd4oB` |
+> | Norway East | rsa-sha2-256 | 12/31/2025 | `+Bf5PY3s9YEjAx4iGC4T2qiuJSpfc+2j9cAH0oz2K+I=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDSpVn1Tw8w4zdnknXitlR2xjrMQzazRDf1PY+jvXUQNdgHBbH0fGE/MQwDQdejngoPijoXm8F43sl0DkEqLwDBDCjiTDBa7jaIZo4xlOBCJ5zmN9/I9rOJgYsk7wF5KHXBLkOXKWh460uerxUj4i9n+NTiJzoV+3x71pE6t7j5Q9TwYA6WlOm0m8ejtmMycuzlG76y5py0EMCF/t5RCk0UPn4PMMt/m+EOARXEv5A/JxSID+tk2xSOtO30PHtQFbKvEG0M4FuawlpWm5hvCT0V9VDRm/X7EH51ivKi2Xu9Hvec2FrIaMLy8a8buC0lhosyubpe9d/lMzs7VE81SPLl` |
+> | Norway East | rsa-sha2-512 | 12/31/2023 | `JZPRhXmx44tEnXp+wPvexDys1tSYq9EDkolj9k6nRCM=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC11j19LeEqRzJOs8sWeNarue+bknE3vvkvSnsewApVMQH35t9kpqRGMSr6RTU2QCYDiQTCKI2vzLSTLGoizoPBiY/7lvdylDRCbeEpuFUkgvKZrapkJ6JqKOySPpFNhqCs27rdY5dJ2C7/nmTL/kvcyhXFXZT2lJaOIdRSKv/1Q3DAWQ9icNGbDokQDubF5etlkquqTV6r/ioFuh7hdKE+fJooyHa2oYTD+j5cNDKBxrJWBEidOe2HwplR4lYPggUcVtGu9aoSVIMmswztFF6+MNIdOT1kdvHewKLjkVB1hbIHl/E+uexsyMGcCg5fPy7dDIipFi1aED+6R7CnAynJ` |
+> | Norway East | rsa-sha2-512 | 12/31/2025 | `+FdWhzWXTs3opklJIbLQeXAWhB8m6SWWY7+FdMzFAiM=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDN0QhSmq9RG/FDQu0OhXHP0CKQfR9XRLM+4sK78l8oHGZJUIGPfNuAM4a8rixwwQiJpJHpRTnhjG+8jogdwJaBx6HJIEJCUcorWr2QAwdGq01A4aLcDkhHka9Dw2GYiDCYtJDolSW4n0ir1oWSIetAv0sjkSFMob9AK33P5shQC7OjWBSSAZoDolkIxrLOFQy4KCl5YDO+heUTOaja0ymcCKrDVzWxYaQoonIznYwdzXC1T9YIYjR5FsDp/Wn5OvPFNCe4mdKLasU+pN+kV7oGrPMULvPbOvBzGb4I0ozfShbRMt0H8nPXLXG7+LkD8YM5NTFxiaKiZpNPdThycHQZ` |
+> | Norway West | ecdsa-sha2-nistp256 | 12/31/2023 | `muljUcRHpId06YvSLxboTHWmq0pUXxH6QRZHspsLZvs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOefohG21zu2JGcUvjk/qlz5sxhJcy5Vpk5Etj3cgmE/BuOTt5GR4HHpbcj/hrLxGRmAWhBV7uVMqO376pwsOBs=` |
+> | Norway West | ecdsa-sha2-nistp256 | 12/31/2025 | `nI5iKgzoS960Hf8VzZ+Z+qJqlhG3We9wUsisCqEv0HE=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFYTmlTdycyDk8yLL3HRZFQtk3Zs8iG/IwJJO9LgpDAlr6oxTbHHyLBJnhvAgNl03EfMGMQs5Z0Vx7fcZOL0NzM=` |
+> | Norway West | ecdsa-sha2-nistp384 | 12/31/2023 | `QlzJV54Ggw1AObztQjGt/J2TQ1kTiTtJDcxxIdCtWYE=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNYnNgJKaYCByLPdh21ZYEV/I4FNSZ4RWxK4bMDgNo/53HROhQmezQgoDvJFWsQiFVDXOPLXf26OeVXJ7qXAm6vS+17Z7E1iHkrqo2MqnlMTYzvBOgYNFp9GfW6lkDYfiQ==` |
+> | Norway West | ecdsa-sha2-nistp384 | 12/31/2025 | `9ElS1gKYvwii1fb2GffZ1OI8ge5TQiqAda/CL7N8vgY=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBN8A1zgtX4PxY0zkK7YmA4vasazPyPhXMVsXz+bINiscC37R9xePSah2A18uIT8M1s96OMhukXKxQrrcWGAGYIIOlDQ8mjb/HsXu5HZsySTfb81bw0Fq6YVD/8u35ER7Ng==` |
+> | Norway West | rsa-sha2-256 | 12/31/2023 | `Ea3Vj3EfZYM25AX1IAty30AD+lhXYZsgtPGEFzNtjOk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDuxOcTdADdJHI8MFrXV00XKbKVjXpirS3ZPzzIxw0mIFxFTArJEpXJeRfb0OZzQ1IABDwoasp1u+IhnY1Uv2VQ8mYAXtC3He08+7+EXJgFU/xQ8qFfM4eioAuXpxR7M7qV/0golNT4dvvLrY4zHxbSWmVB7cYJAeIjDU8dKISWFvMYjnRuiI7RYtxh/JI5ZfImU65Vfxi26vqWm51QDyF5+FmmXLUHpMFFuW8i/g8wSE1C3Qk+NZ3YJDlHjYqasPm4QidX8rHQ1xyMX9+ouzBZArNrVfrA4/ozoKGnPhe4GFzpuwdppkP4Ciy+H6t1/de/8fo9zkNgUJWHQrxzT4Lt` |
+> | Norway West | rsa-sha2-256 | 12/31/2025 | `Ok1QW8mYdmM2ydj0kSV0q32mtjj9rWNVKU09EAAl9Tw=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDcv8atttWdhSTVwpV6v61hhBlf85e+Uu3Qjpm0Fa09OuUrK69pggYU6JHHv1AHlMMCapuo2ReGc66tv4dmICijxRYuejZG56uproG4rARSK2JioXB4Yq1qTr35+uXaRj+w5G8/T0zxsvE6AliGBbZDoa07+R4ZQ4PLKcZnxdueHiDoNsZQOvfEtqtksK3LpDD4JU5/mzfDkyGaKejFWQ6DnnGxpE1cEnBdae9ETHOFWbbB0sYd3vMRMsyWlQWUX2MZ4NoacwnzMl2mqX3hDIbzlitxeZqRixJitnL0rX1gPpQg9n/RfCaeynsMjKXA0pprylHLywnKzpaj9UjMeGw1` |
+> | Norway West | rsa-sha2-512 | 12/31/2023 | `uHGfIB97I8y8nSAEciD7InBKzAx9ui5xQHAXIUo6gdE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDPXLVCb1kqh8gERY43bvyPcfxVOUnZyWsHkEK5+QT6D7ttThO2alZbnAPMhMGpAzJieT1IArRbCjmssWQmJrhTGXSJBsi75zmku4vN+UB712EGXm308/TvClN0wlnFwFI9RWXonDBkUN1WjZnUoQuN+JNZ7ybApHEgyaiHkJfhdrtTkfzGLHqyMnESUvnEJkexLDog88xZVNL7qJTSJlq1m32JEAEDgTuO4Wb7IIr92s6GOFXKukwY8dRldXCaJvjwfBz5MEdPknvipwTHYlxYzpcCtb9qnOliDLD2g4gm9d5nq3QBlLj/4cS1M9trkAxQQfUmuVQooXfO2Zw+fOW1` |
+> | Norway West | rsa-sha2-512 | 12/31/2025 | `4OjYruCQ3UATeLz7ZDyXumfZVCvED5stvmAbVeGhYFY=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC5SJKaXLtWBtOxSti/Ag6KGC5Gyc2CQMj6lMl8qEUzChtvQrE4a05HNtudc8jS4zbkINtfdZHJ6MvsrhsrKOufTnNlNBbd75lG0KciYVWVXZudFxi9PITMV12lBGRNnKXR9YDY3sQsAF9xVitP8c3qOqX0r4/99KVx0uJg3YrcVmyLQR5it/QLYYV3XHuo1wo705f3EH/uAXrs03b3Mf03XUCk5HguAwyhvB0CIAgI4CALS6mCMKosZ+KVsV50GB9lWsh/bDpAGOLzBon9g/1nilgmL79EbnYtJ1H8Ia5CIjLtkS+qSTeycLjjmGa79Wh9ysWl5ek8WghcK1u+guVR` |
+> | Poland Central | ecdsa-sha2-nistp256 | 12/31/2023 | `aX1HJKXvnL8pJ1upt1OnBQT0vLbQXDrBeThar32gyEs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOTFAOA/iJnf5S+3tGqyGEpFspwR86HChkrkloJnehNvYhecP4tGhJx5Z15j9TJqHWEzpBFPIcxF+O9tStiv+oQ=` |
+> | Poland Central | ecdsa-sha2-nistp384 | 12/31/2023 | `jNH6sSVNE+1NhyZzA3tzk0RaJpZoLVZHd8yjQG64DDw=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBFoLS+6QCyjyibWZvldjErzY9ptf+LXhyeQQDu7K+UajFsLk7xzx4vIRLsPJ+UhRyu81Lwo/pxcgoDX6uyB2M82JfQAWF+jniU7RfC/QzO5Jxbsj4mlY1kVO+R7/vdLTyQ==` |
+> | Poland Central | rsa-sha2-256 | 12/31/2023 | `Ph2MhHZIZtRk76qOvea61JQGRMyxbHeYqbQYo1bDorc=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCplMMhYJaBSEOXRYRvUACL1zoisjy7BRVdsKORsnqKtMimDqvl8UY304znr9Rn2DBT55EzRQIPs4V6tKwUMe4+FBm9Ef32/jxRdlJ7bM/eMRwFwmo4PxJ1pVpP8TYkpLcXXx5T+zCtphkSXUBHrZRas0OLJIw6ooj9rt60PeCvEIl9HBA8sMt8u7882KKGIZra7C1PK/0/rKub+7oRBEgXoxZxKYFmu72CJV4/4FmxQsYpqcwKaFgMnDYEzpJexL+XlGJ+GkeX8tngy38lwlwGdxi6s6w9e20TUSYtbfPJE8OBq08cHN1OhpbL3bS2Ynr5QkFwHIcwa0seSuXJCIj1` |
+> | Poland Central | rsa-sha2-512 | 12/31/2023 | `aSOu8q60R2fx2C9eoCX3ReG/wKQbXzHf5XoTaEww6GQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC4c5mGbfEkwSgXnhzF4zrguh9X1aHMn1p6pTwJhCjGTQ54ZIFYgfA294RXTYJdL84Xi++qCXHeENVeTWfD9dRlz+KDCOST4JpHauGKnKUF3udsHNNItai88CpDHj8JM6YYxfUR4/BHCNJQ8BrVnvrljWaj7SYJhyUuwChZkTeycZSQPOVJRoHKAnfI+KVZGfQp6dfJx1M11Ojz6a72E6cDDeu8YBNEGiWfYARTi0FJWpy36CsA6aLjXkWTLgM4ZD7vIhLOCLholei+zR43jpZUNKRe7Ym4nSliRsrlEsYkblxsIxotpLt9Al+ftn7GBAjU4HwhC13o8K3yWw0z3daR` |
+> | Qatar Central | ecdsa-sha2-nistp256 | 12/31/2023 | `QOdUXQx3Bi3ss/976Q0n+aIt/vkWjfmGH4fsgk1mBvw=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJz1f9SCaXyUAatHKEr/sfY2uRJWtftsigePCckBp+l/VenEVY22vVwstmrIeu02JKz1+IfePfGQ2bWOprpodXA=` |
+> | Qatar Central | ecdsa-sha2-nistp256 | 12/31/2025 | `rHB1fi4XAuQvabHUxHlsdxtBgvZur4W5h4SDCM+OaZ4=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMsNj0SFCAb8D5igdFlWaeZxYvP2fthgXjb+a+Fb3AcqPIjHFQPX3iImnBW8SHguqTOTi+x08P35/LjXzUSrZEE=` |
+> | Qatar Central | ecdsa-sha2-nistp384 | 12/31/2023 | `znqSno+29X1UUZV3ljgE7qSoYZtAybbH4dWNoSZIg6w=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBKkIRyyU0RVr0/xTE1pce28UeVStaqyw0daAWkChabp9SQb9ONmJ5UFzZ0p3bvcy2ZWeYiJCvg63qKojPomVCwT8ZtRtgeewRMWPS6kKAJDQfzl8r05dNjwbd8Y+1BerHw==` |
+> | Qatar Central | ecdsa-sha2-nistp384 | 12/31/2025 | `HZrKR8HYd2G3Oz7inTYPi26qFPFJvCZLnW13V1U+kIo=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNWGC3x/5+z0aEkRJ7IM1Q1FU360gKtERjFSDiPejwsJVTuvSMrBTFTWYJXeaBoK2rcQUmMBE9KkhlCczQYVanCZc/+qeyuXhdVAsUiTK6Fsj/A/G6Fx26bUFaJ5M+4vEg==` |
+> | Qatar Central | rsa-sha2-256 | 12/31/2023 | `iHCboIvdshFEnYt/6+vvLQnjyUZQ550Pm7dkFX/Q43o=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDW+RNosbUkJxEwcZ0i22DPBTOgStdqEdaL+jRzzi8xs6n9hR2I8Mnv6PR+ujaejqAzXVmI5LLnMrQA9efsUR4F0Is5ruJgrK6f2ORiLsaYj7PgTOsoaItdjWxXHFQ7hZA1FmYLgody3Js68akvGkp8NwnW9goFq3qBrtpHRcvxFxWixeNTy4a4azVjmoN8SfZxiPa0mBT61fjpVttUrb+sJeZ3jo6Ox2ZQxc0My8kPY+8J1qNxjsoCUirHZsgsmYTM5F7lWSdszB7h2irIiMEi+cmcowhez6LJd3TcDxnElOz2Wva/wSNo0JJx/VLdZvP06hJTxIw2QsX2uwI7lyF1` |
+> | Qatar Central | rsa-sha2-256 | 12/31/2025 | `+MFJZug5lX4udxKKxlBnxX6E/bRmCHgCYX+1k0V7dHU=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCtibZZg1XYG6nFP57oOWo75icpoDy8b72OwuCQh2asjrrTxNDpdJPsb8euQc3/p1TrWRR0FBiDB5Dp3uuC8aQKFFc9xfnbzGu+neofM9ndCfItKpJnS7+Hn64SEAowGyZ8PpdBIj5T8ZQ9TgQozWat/JEL0zvcHe6RAfCy17LYOt0VNaEjTN4LNu5NDsuSvdoAtnViLa7sW3bvd8tFrCIAyDfRC7cqsy2ZHQvVsMmj+uRroXFB03AnF0Pg/sUtjTYTWbxj++vxeI/PirKg7yGOawdmbCHka11wBRg4ELcN2I1E+0veXWJZwLJVloAsAnFB5vD7gt5WuntFKXI0HlAp` |
+> | Qatar Central | rsa-sha2-512 | 12/31/2023 | `EMxIi2rduXMod/OMKHrHRZKo9t9oYUdnw3sw8Txyaj8=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDqTnxkToyGf9z/+6fXJ+DvHvKqADITDu+JqvJX2kaPSbkxEBvR1uW/jFT3DD7SL8ZS8qm8HD1MYyoiHE6yvM+K9md83GMNqBiuxIceHH7uW5mEUt25j519R7a/fQUXApt5ZXZTG5e9eUSP0W9r/HvwA+LkE66gDwamPZrF6OkBQnu3DEK1AcZNufM31lnFBlu0yzdLMFZh/L6yXRi9sh0ATf7aZeR2lgGuTuoaOUAx3F2xTt5lRNGpy8O4HV8uZKW0EsEcGYANguOEqiNEgjiw1sHIZ4XPZSYe+sXAkafVl6X07nu9CpEncrRnTcQIfZXnwbneOetDWlhZH/vk38ZJ` |
+> | Qatar Central | rsa-sha2-512 | 12/31/2025 | `j1O37Xflf7LJS5OVx20MVukIxYI81OK8GkbYGVPWxEQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQD09DhL3Tj9xPjsKFpO4rAE50nVFvRQ53/a6jZO0mJd/6B6lQ7EiuXnIET/M8IKTzxchfc0CDcuhdVpYQ1oUgh7ZZSPYmdrTE8ouQnJuKhUPFINiARPm97i2huVFK6DNgb23k8N9/TpUN8adrD/jJo+4rwqBF0OBYpjSlzP7j8903FZ8GNvEEZKYVG5xR+73JVzwyBaIBX2Qoj3WnKyctH+XhF80oP/NaaNPpPvtT5YJuHCjgPGodUE9GEuAPGz0PYHKTvt9gFKA7ddKqDxcPZjIxPzjiby0aYbiKuIrkYGmehF+LIZeU4cfzhTA0sx7cKC67L/+1pTTFHvVnWUGrWx` |
+> | South Africa North | ecdsa-sha2-nistp256 | 12/31/2023 | `e6v7pRdZE0i1U2/VePcQLguy7d+bHXdQf3RZ4jhae+g=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIEQemJxERZKre+A+MAs0T0R7++E6XanZ7uiKXZEFCyDgqjVcjk8Xvtrpk5pqo4+tMWM7DbtE0sgm1XmKhDSWFs=` |
+> | South Africa North | ecdsa-sha2-nistp256 | 12/31/2025 | `x6Veo25rnI5ZSlKsrCCSCeY02mf+lAF8mutAOqmqoy8=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEnfTZN+LkvW60gdn2uNROCvn1+GpFGTb9hcNha+WaweXzvxusSbpEn/R9BHb30J/LrwlBfxa5IsLXgXdprt2n8=` |
+> | South Africa North | ecdsa-sha2-nistp384 | 12/31/2023 | `NmxPlXzK2GpozWY374nvAFnYUBwJ2cCs9v/VEnk0N6Q=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBKgEuS9xgExVxicW0HMK4RLO5ZC6S0ZyENe5XVVJY0WKZ5IfIXEhVTkYXMnbtrYIdfrTdDuHstoWY9uu4bS8PtFDheNn3MyNfObqpoBPAh1qJdwfJgzo5e7pEoxVORUMnw==` |
+> | South Africa North | ecdsa-sha2-nistp384 | 12/31/2025 | `SSsuQXpWj2Jd0k+pzB6g5Emxfms+/seJ6ONarTSgnL0=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOi9aODZI9qqXCcTq97tCNG/UEuGp1SOzq9zgGBw2dQKIjq+OGpWR5l4SGRHf1g+HYwD/I2pz4aZvGUSOPCi+wfPosbQuPdfCtg2+McgpK7m41/GzZBNYe0KClOaDClQdA==` |
+> | South Africa North | rsa-sha2-256 | 12/31/2023 | `qU1qry+E/fBbRtDoO+CdKiLxxKNfGaI9gAplekDpYvk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC2UBC1KeTx8/tQIxVEBUypcu/5n3B/g0zqE7tFmPYMFYngrXqEysIzgAdpiu2+ZX/vY8AF/0UkhYec/X/rwKQL8CCVwYqa2hufbSrX/qSuUHZd/95LFB2Nh+hJ23fn3EK8Gpgo/Xkmx9YVZoaQPGPsWVWVKjU6aVpM54cd6iuDT3y9SAnqbUMqgwwz3mK7bQGFPrbUVOUwVIcYKZD9HMNZhpo8HpjllKYIt1AFy4db8lSrLyuX8Nn/U7XAlPUndUCpKsAfWw8SemyuxSHziFDHF5xo8eLU+QYxdtzirgDAgEYWv9aa0TSx5Q2Mq8XJ7POffQxKj44ocHzmMGq/wPS1` |
+> | South Africa North | rsa-sha2-256 | 12/31/2025 | `8DyFjcm9czi/Sa7NNdtb112/PYMQ2HlSfKDNShkZbUA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDW5n33PoUfv3Jii4pNxQAdY1HdzeMbs0zlQUDKU+0c0QrCNHg9bnlJXW+wNVD91suKdy345m50TP+hDB5DbZACGgoAHiMHU/lBDrL1TIIVuQ13LbFx0jBL+SU1qqFwB3U/9ckNLlMe5qM4PB/eZr0tEVQhQL/melYMbyA6s4kX/NFozxiNNR+Yz5fhLjhHz6cwCGN7Zj0js2KLWbhyaKxmmdrv+YN4E0EZ6MYdZwy3iV/lrX/0OlORvOA/ImputAvxJgAxOFLQsbTuIiMm1ccHVRpzBxsslSlgss7GeRCceQl/Kgg9vnInptlD3uqlwWUfYmc6PfPcapn3diLzRVrV` |
+> | South Africa North | rsa-sha2-512 | 12/31/2023 | `1/ogzd+xjh3itFg3IpAYA2pwj1o3DprEabjObSpY/DY=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDLAkEygbVyp189UwvaslGRgaqcGWXaYJVq+gUB0906xkkjGoJeqSgTW5C/77vOk0zBCZM3yBgtDFZL1d6lze1QJZ6kGGPynJa5SeyydAds9G745yaFFuE53zJUyMy+y5I1ytfx003PKvk8+fHZK3rPYYr+LKm2u+9BmnuDB/0t561oFg1ZiMCPgNnDdUwkya2EtsJAifkUaBlYmzBZAFbIYyGfb898utZHyI+ix2TrMS/RHEDIchG8qSBMpOPmcpa29ADVsmAQDd5ds5D7WjirfMXwBxgJTMyuy+N9rJRgHoqDnt/GsgI2GtoPM7YSET8uYug941hAvFm5TI/dW3YR` |
+> | South Africa North | rsa-sha2-512 | 12/31/2025 | `gEIAzMNxs3nDD8FVwhgZvCHxnJ7nGQqwjs0gpcA8fBI=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCwaG+2gbF1WVAS14Uxhoq98wdp3U7hFbMnhdDrK4zxAMHojdiVvEj41m8EI1DcDjSRAi9/h7As7SIRQ9/bOXo6E5kiLl0kj4ao2KPtuTobAuj3IiN6iVHAtiCwIEG8I/mtAjGMLBtk3uplSJnCBRiMVduBsV3GpCJKdMkNuntbtzPCntEdpzqtOhxj3wftiaQq8aGomQjFRU6mKScqoDylnZPF19gw2f9XrUwElE4EoeE0V1izNtLmgxbDz2kwpt982fhuLUZgNIHxSU/1SVAwUX1qxH9aTFzjXc5dSFCQHsK4qnLRKNtlXmUosdwk7UjndL/nwUna8p3MuDm1gcZZ` |
+> | South Africa West | ecdsa-sha2-nistp256 | 12/31/2023 | `pr1KB8apI+FNQLKkzvUXx0/waiqBGZPEXMNglKimUwA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPvbvOfXQjT+/3+jQtW3FBAnPnaypYSUhZMkTTSfd7RQMmSxsLNmDooERhVuUTa7XCTlpDNTSPdnnaa6P1a+F6A=` |
+> | South Africa West | ecdsa-sha2-nistp256 | 12/31/2025 | `2EJmwCnQAIo392472FjThrwXmowmdeNnYZZZR7ttBVE=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBGif4uCAd5hx/m9dqrLKCre1ns//8w2mT2i/v5dSu3m4xP9EvFq4FN3w6LlXQwov7BmJPMdZxoDByvQDT3QHO8=` |
+> | South Africa West | ecdsa-sha2-nistp384 | 12/31/2023 | `A3RfMOd6dGgUlcrkXL1YRKNXIdAB8M1lF9qwmy6PjFg=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNaJmo4QGmo6pbLHOXh06Rz9inntdxmuOtVxlJBO1i/ZK5les/AuaILMW7oQCxOKvZs/xI+P0MWRfrNgWSSapy5hNuTkbl8IqO4pH/lO//zdaHmVBC1kPnujDM9znJs6Rg==` |
+> | South Africa West | ecdsa-sha2-nistp384 | 12/31/2025 | `4XfJaEuZWJlIfVh4fHn7UU4kOYA00wQo9HA0ngFYxic=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK2ek0MyrQfjRM6UERylxjO47fmo91Xk++b4yQhi4BpiWe/7LtYKaz3ggX7OJp2Gjug2Yq53FGyCirfyJYiR0Pck5QNEqSUtH0kpg7E/ULd4HUoJ88zYac4eDQoE5O8fKA==` |
+> | South Africa West | rsa-sha2-256 | 12/31/2023 | `aMMzaNmXR+V1NrwLmovyvKwfbKQ6aAKYiA5n8ETYQmU=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDGhe98UTnljsYaeJwtP3ABvT/hZP6Mp1r5beyJ2SWpdqZSZaKC+UQlWLu6WhLxLZ+5snB+YAlC56u4qOdDHLoid6vbAR/FPIcJlvQfcFJD88nihv9sq1kUX3JXrh0ZUrl2/Zj71aNlM/RL1OnXK/Pg2E+wu4EfnQTrzlWMhR8bxlQA0jH1zmfFN/6BTwP2if29TNlQkWuW3uq3rccY1GA6n0QtlucanPNRzsBtAzsH5/oFuB5R4sD/Msw0itvWuQP4e0y+Vdov1My/rjK19xLce6AhWmmhwkn5qxHdIy158C4cWnSkQvkYzPnwsi7KT9WRH7vfr8qD9zlA5mO+IDxJ` |
+> | South Africa West | rsa-sha2-256 | 12/31/2025 | `pdygRGoDnYZwMvX3uxq02X9KIgrqWHBvkltuMpknXPA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDDDjYrrvYHkbn5zHGLiEv6DuzvK/1oKoRCxPPl35kFMhNAltRyACtvXBeeqxW7KYVLDu6pMSNvqtboaMcSIGxoEfjTsdQrBaZq8GWq7E9VIqXT9wOWLRUG5NnDbH4L47dLNuKQC4s/KBhUC3cF+yQGspK2v5wWHR2FwIhbB1otLcxkj0b2ufAe8FZiPxe/HoMXq36cJ+z/wgYwrB59ZGneJfNG9PVdmk8w+kHr6gqDCPOjU+SKcMNqqJ1PEk9B5b6om7RsInV3cKv6334+s4XYxh/+O3gP2qX9Bfsa7FVRhuGF3TLFJOQjCQ5nXjbFjofqpLnR6ReBdmqrj9aavdvx` |
+> | South Africa West | rsa-sha2-512 | 12/31/2023 | `Uc7QB0fT4NGyBp34GCAt8G4j1ZBXh/3Wa2YRlILu818=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCijtmaOHIcXjI07fVugz1M33+amlOEqdqtVgOlLmFRKSehPW2+6iGpAjQVwzsYOx32Hp5O07xj/PhiFsbBBqZXGHmuSIOJYa7tQSFvwclO+JW/kuoELXQLwnHxUfPyq4tYoj83GSZ5k/KRlEtbmjEwcozMQVya/7MzulAeV4nN6PDxoLjXlfGEQU2ZCGz2neeisQEM8+hZNuEH+O9O03g7CW8bwiI1Y70/bnNq95xJ5F7lRpwtJNWlx+kmUiNpfXOUPxZAUsny7z1Ka5XKEB1fDP8E/jAtrSWrRPDJew8lFpQeWukwB5tf3F3bh1SuSKaSQqKBArnSpJizWxp0brZZ` |
+> | South Africa West | rsa-sha2-512 | 12/31/2025 | `ojxv106v/Bu1Vkzi1Rp1dIgH66vthYrfAVL58OuYJ2o=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDKRZJEAOvsRRtNNHtloaHBkYpowhSbkUw2ldA4gLeSwScTbWk1vxUqlq5YbTtQRNomnvbMyTvgOItH28zALeooIreQVb4WhixabgI/kr9MY0eoSpK+Tmb6jbyLdNe3GEX6CcltaOpu/9+SvYmWUcet0AtuYo/lSNofEIjd5wFKCtddwXR+4fDHwOc19eXI0Ms1n9ZRtzxSMVf3ieXVnw+JrxC9iJLnHUiWYXNB+BZzVT3xYBFNIxqWAe9RneyP4fCzSL8CmUy/EWQ191kZhBnbBdyrxMJJ9ttb74NZRatSAh+KwlwUnaRu4SzMteLwXSdtQBirnzZyba2L86K1++HF` |
+> | South Central US | ecdsa-sha2-nistp256 | 12/31/2023 | `Wg9hTlPmrRH9aC9lTSf8hGFqa85AnW3jqvSXjmHAdg4=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJnEz4iwyq7aaBNKiABce+CsVIUfiw9Jw3pp6pGbL6cUaJs9mEVg1RMLHgPg2I+7XV0doisYhYb/XtufxzGCe94=` |
+> | South Central US | ecdsa-sha2-nistp256 | 12/31/2025 | `3tB3bjGZghIljXt6ni3ZVBm2s8OyBi1LnsN2XQdWorw=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNqW4dj8VbdJuw2hL2LSgU+Z9rIc1C3xD54bzL7+R2cplFQ0CCzvXlMk0lfHU7SFT8jikgvp/yZu2S5diUxA9Rw=` |
+> | South Central US | ecdsa-sha2-nistp384 | 12/31/2023 | `rgRhPelmxAix6TBDahmGqXnKjdImdI3MnDPVc6qhF2o=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBKXGKbWfVe18G9gbCxFQiBGkGYM9LktSPKkRI18WRQ50qyuxVRXRDoV+iIEJyCQTpuFTPprQ6glQYeF+ztEb4MZaXpVrcs1/Og191dcEtty3UWuJBCrv/t1kezlwBWKyXg==` |
+> | South Central US | ecdsa-sha2-nistp384 | 12/31/2025 | `lUCcxfmejqKtJ5F/0KNyGGPOBCTjsARC76RwhwsIXE8=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOXYAeDTv4msUprW8sdbJKfJyUamYjzqw7Y22cmO7sqr+2kHAdGu8oB+geC7gpwLA9PEdZLNJZstAOFzkw5BERULmwb0/cQenJNRLeNk1HVXVGvPTAsm1RHMr2VI1ll3Sw==` |
+> | South Central US | rsa-sha2-256 | 12/31/2023 | `n7P8NrxY8pWNSaNIh8tSZxi9rXi11g3JuzWZF93Ws4g=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQD4PgB8PxPPpGfvrIUGSiiDFIfkRk2/u1DmhcoGoIfW+/KR8KC2JA0kY4Yj+AceGnDUiBbSPz7lcmy2eGATfCCL6fC5swgJoDoYDJiJoaKACuVA0Nk2y0OeO58kS6qVHGX/XHzx8+IkfGdlhUUttcga7RNeppT5iqSz49q9x6Ly42yrV3DIAkOgh+f9SsMMfR6dQQmvWN3HYDOtiO2DvVN+ZenViQVcsynspF3z4ysk53ZYw5YcLhZu8JFw4u0F6QJAznR6TfNqIlhSjR1ub8DiHvIwrmDNf8TgG5kPVGhIcibYPf+y0B0M8nr9OKCxZzUTlXX4Xcnx+VOQ1e1qGHvV` |
+> | South Central US | rsa-sha2-256 | 12/31/2025 | `3RetSIyPW4H3vczS8LcAfdVLTnnD+MATFZx0fs9vtnI=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC6LnHbAg+pkIxYoEI/UIhC3ko98md1tB/moOLAOGEuZJ90V0DLuqSmp9txhA1/wVk0mepqjsOxtCui42+1iUk7T9ugH8LIFzpqEaBfRlTtjDfmgLcib7ufFBnbIYivdwMcuJtPYJCqtnmjNyehYOHuXbHjeHAeiGGJx4B7kiocYBZELvnIiJuD5hxXcc/t0mWXOI45qGM5eF2MgDiKDkvVdnUWXzHUCUM//OfiCYDZjm3TPRroDqoEJPuyIh1ltZoM6MMqUqhxViAghyDi+N9bh60fHVwbw6W9dZNBIotAruoN06+Z+aizHFTKElIoSopVkkKjXCPVBAwWIaw2kjDd` |
+> | South Central US | rsa-sha2-512 | 12/31/2023 | `B2oOtHpXzwezblrKxGcNBc3QJLQG/TiVgOjnmNorqkA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC+LJA8W3BcwITzJv6CAkx/0HBPdy3LjKPK2NQgV9mxSMw8mhz4Ere59u2vRsVFcdW6iAeGrH66VF6mJSCgUKiYnyZAfTp1O6p6DnUg4tktMQFo4BEwSz1S5SGDuRhpWvoKjzvljESf/vZBqgms7nMRWe3MGuvlUWBqB+2CnJ7bxhvGQCdBTQeoPO9EZKYKi/fPlcxBmLFGcZnRRpB6nu/Cxhhj1aHLJdjqCd+4ahtjBHeFrPxeQv9gTJ1B+EipJZu7WgPZOTI8iZaIcnCbhuGOy0iOFXeuexC9/ptHDW9UEgKVLyZ4UIPJkSLFVgW5NRujWyZ/thc5+EfHY9Db3UAl` |
+> | South Central US | rsa-sha2-512 | 12/31/2025 | `cQiVt8IzioXXFsxFZUCC1dGG/i2L6+uWgTxnEXI+ya0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDESCWljL0fUj9B5Bvb6kZCqvnOll5UHe2s0Z5rk/9kIOXACIcQ83SdeP/4jqllBFW+XmEp1hlR81BXlxCGYe2mpHWSI0Y2NH8HvUwvuRPX0wsOqNa6HcA27mefmTa+UahJfKRQe/0op/ydPAZ+JbTquEbUHOpnVr2eLmWEfQBGL5HfYdB1SF1ZBgN3Sb+v7SEKR5NYNBUuhMMyV5nK/1thkATxSc9RCvZp8fy5/EXoZshbnvSQ/zH5Y2ct9LCDLuXOx1DJxvCUNX24W8jTELwLqCNigZ21pA6Y0PUSGLWpBSerrBo18AGHh/b6wchuBspYGCuoGu+Me+ZRIu8O0HRJ` |
+> | South India | ecdsa-sha2-nistp256 | 12/31/2023 | `7PQhzR5S6sEFYkn2s3GxK6k8bwHgAy0000zb07YvI44=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLgZw/ouE23XQnzO8bBPSCJp/KR+N/xfuJS5QtWU/PzlNLmSYS20b65GRP6ThwZdaigMhwHOEc8twpJ7aA7LBu0=` |
+> | South India | ecdsa-sha2-nistp256 | 12/31/2025 | `7jiSfTGnIW0hqUqb/FPYtnriWukXLwTtp8qzMbZBG7k=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJBiyXxWm42lrf8j1/AcTOcpTjADDrckVLQOyM2VY0TNi01Mev+bOm5C3L5MFq1RB049AbponZwkNibyhq25me8=` |
+> | South India | ecdsa-sha2-nistp384 | 12/31/2023 | `sXR2nhTTNof58ne5K+Xjm9Pu8miEbKJn4Bo9NYoqQs4=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLwbzUI8q9f5YTLIs6ddRTPlHdb35xrbsJeOQII/nEXhlNjzpdL9XnDJjQunQL2vg6XND1pfp3TNBJ9LF3mud442LbpwSt9B7EZD8tQ5u0+2NeNjn8JnCu6/tdvS+xoNiA==` |
+> | South India | ecdsa-sha2-nistp384 | 12/31/2025 | `rAy6sokWeYmursG9QRpffxof6p7MAoaxgi5WLvlShzc=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAG0ZERy7D4X3KwanylXKnaKHs6Sj1mrAYKV7bEkvApUOk0Bxa8IXr43/UEN0G6fwMc9TLKPl1Q3c7Vp+PcEpKEB8MT5vMTLZM4oQjBPcrXuaWJ/HZb3Q1yObngMtbT6uw==` |
+> | South India | rsa-sha2-256 | 12/31/2023 | `5gFLJvQvQodZxKBi3DnGywpf9dliWguiMTqcgkTmtu8=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDlxVnaYnmg1cK+g/PI1jB1fgQQJiX39ZmfBss3mSW3kUxP3KWhm7lHBTkrbnfhVHnGpP6GcGFy09YBQa6UiyVpD8p8APtx0j9Jp8m3yhhgqOIjup0C7crl49NqMVryOZmCLOvA7KTyTxxV37GpRI+ffqQ8LOO+anWVWVaJlVCYBMct/OVhA7ePXblcbJg5eu5JjUiWW+cPdVqAqWojNHZzzprCFEBTCvYaZtzBx4kFGiipPmJSN6yvBPEfnA7Lzr/T9iXV/XkmI1txuJRBasoQMt+4jCZG25sCCN8y4iuUJCioUELr//TWaDyTsQAR4MbRW+L/GSIM9VUY4Uc+Impp` |
+> | South India | rsa-sha2-256 | 12/31/2025 | `ICVQTm1JPosrx78nPlaWgY0chlk7hIIdJddWAixH5is=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC1BCEpP8RbIYogWsgCEc7w9qkfdoTdVY+gdSYykIIL2qAw018POKZCztD5obn5Kgj3qkbWy7G9RH77Bmz6O1kgbAjReJw/r/NDRW3cb24K6dLem5aWQTTmUu9zk1W3hj7pdFOjXaju485O2G1YAyscE8Awc6mRwI9LJmm6eEBhfsFAKMEPf+TsZ/uxpqoMVk/2XP7GHe8zA2/X83F0wK8OBAW7ImjBEEx8peBY6Dh5LMD+HK//HdRKf+5MkQUGHxRfiWh0l0VItjVsD0tZ4ebyLAgzah0MtsqSj7DRb+HzIOMi/CoL7gPRixxcAPyUb/OO/301m0j0+aHahH5TN/8x` |
+> | South India | rsa-sha2-512 | 12/31/2023 | `T4mrHCEHbFNAQSng//m0Viu/hXfi11JMnyA0PqAuTtg=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCz9tQa7D4dyrULCLH75yKwH27AQMRNWFUqgUQQXYHR1MYegLf7JEmFn126bxgEHPRO0bNwBM9S626Gcr1R1uDI/luL6uvG0Q57k+Pmv7HNQtv12J3fAuxuhSPcppE5IE5QR94Qgd1RzGXv954TK1Z+kCXHyLA583XTQ4btOEwqUo/16tSCqaoTSdyNp17q8BrOCPaTWMqT774lSGELIDc6RaGKHRu/Qa+F5FRMswdZt5YJDEKtlKdvbyIiSfIP2GZGhWBiSW2D6xpnzSjstR3LfRfFek/ryGkDPu5c5HNaVJwc1fatP6ggAbhVCcyDgWiCCpEBICV2wnPpGfDUdbRh` |
+> | South India | rsa-sha2-512 | 12/31/2025 | `ZhFwP+ZtMreoId+Hv8bje290LD9Zq3fLVLnbiIZ2gho=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDTIseic5715ZZm+KtkY2Rjre8E4jSuQKmCTwXhLB0psfOfPRMvZj+sMRdscEyMdathN0Lhte5jiHIVJFplDi0KbA/2PLNDh1kghiJLJUzaC0UHzOOiUgP394iDJhWgYMehdjGvcxE1+JDVtE63na6wKpXvl34lNBAaZ9Mk2lLbWe9iWvM8NZGP9oDqfVNc7+Sin5HfA8aksS8b0SwxdOLFox/4vTF2c9c5O0bhUKOQMYcY+OXMgYuPMpiA+A0GxwbPtFLZdmC2T5ufI2dO+EC0ixG0YXpi8jwgTauiTyf9aqVbdPmB06YQCGaMqLsQ7Qw6/M1oIVU/eckHj1L8IaKR` |
+> | Southeast Asia | ecdsa-sha2-nistp256 | 12/31/2023 | `q7OsE02p9SZ6E63b+Mxri1wbI5WfkdWcIJgAP2+WTg8=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEbvjkwSA0RQuT2nQf8ABKc21s/kcC/7I5431oNEwQPZQ8S18RAKktv6ti19Ju8op6NOZZ3Up9lOn3iybxHgy+s=` |
+> | Southeast Asia | ecdsa-sha2-nistp256 | 12/31/2025 | `1KqLiMUAewB07jisgpX8wsiu9inheicc/vcvCamDupI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKt5joKBVS7qZwmxQfCxzVy1byjEUSGuaSGsqg/ijVOwPY1qKTe09C5c4VfLZs3c1RBNm63o6Nt8peMJaqjCzlI=` |
+> | Southeast Asia | ecdsa-sha2-nistp384 | 12/31/2023 | `HpneuSwbRG7eiqHGEAkSXF0HtjvccoT3OIgeQbPDzoE=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMGAMUN+0oyuXuf6rkS+eopeoISA2US3UrgAovMwoqAeYSPoHKy9n/WKczsHPy/G+FKsXM4VlMHtNhEAxYwjtueF0Sb2GRZFzngeXMfVZPVL5Twph/pT6ZJnUD8iloW0Mw==` |
+> | Southeast Asia | ecdsa-sha2-nistp384 | 12/31/2025 | `R3xeWj9DkW/6Dwxv3eMyraHhhZfoeQ1TODsts2gdM3s=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJBVL9OHUHPAQLDpUZk1cY6OAvATvWr834g83bx40mEHJfxALy1f/EnT5Ihw6r1YDlY4vfUBbm+KZz3MjOiHx4CNHCZc6qRGOUxGd2vWC3yVG5xkEIt3MaxnzDAyP2I4Ig==` |
+> | Southeast Asia | rsa-sha2-256 | 12/31/2023 | `f0cyRMVxUgtpsa9J6pwAMysk2MY/sybo5ioPjhy9LZk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDWPK6PAGMTdzNkwKZt+A3Dhbnete6jyLLboOXWdv/QdhvjR2pNCMhGuWUxadaiLUxzZM7IvugSLGexQlZi5aCJ06DpaVYqZk/Q8l+QUydp9TfNg/kP+0OJXCJ6XdsVggboDIfrEN8ku4nfasD4QTo2tnmqZhmbIDUr38SP16PsH2bQAi2lZKg4DfWgnSFyj5sbMSDLljBEY6JQkLGiPcbqlYEN4kjB5mudE9c/ts6Jn1fhizBwJY/pE3kOydq8dCMXYFMZ6NafPacCi7Pe5zcTKfi/daioVlSXQhWK3jNzCVENonF2xWSPH+1T5F2IOV0wb0HL2l8d02x5Bw2Su4aF` |
+> | Southeast Asia | rsa-sha2-256 | 12/31/2025 | `tHnkpkRSu9sLkbs3aUQcKYFKAnxRz0b9N8byIPvFjzw=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDgvpfP6qoRNZ8FOuauaSDONsbEv4PE6T6EUMZOrCq2gLL64uan9reaYD1c1i52gD1Xyva8SOq4AYMEoCpBuDyVm9PsseuNXXDBH+I1NiKyid+E9UmANYS5a4cV5Eg1fIVyEOl9qDdMLQMXyAhPr1X7ol0/XDZ/CG1fclCKje3oIwLvlKXE/ZLylyKBGr1Kf6vqKVlbIXqhZ25jZ+iMU1w8YDyV5DpZBJFFNT2hitLPj4dKqy1QXkGT6VqZ0T8+q7hwBkS1tU/Ah84ddSuIpaHb4PPQiEtrw/GCTu625QHxAgabE6kuwCuCVRR0vBGss0xFdoJqIMSeivTq/t5DnDHx` |
+> | Southeast Asia | rsa-sha2-512 | 12/31/2023 | `vh8Uh40NCD3iHVh5KEcURUZrT3hictlF9pMDEoK5Rxk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCdL+E/W2RpmJiWMRg5EtMs0AE7BF2Qb5jnXXaIbwqr5/BGuUPLm43eVJJt5R0BmEJe2lYfYLAzinC9MhsxKSTHIt5u8QleyIAxI759M3DWZwFSKngjsHFRe/SvZOzc7gvtR7osdnVaXCTXY5NccLT34gDybEbjlmp+SEvSZZmXyy2wmUR3O022euBifKN0t9Tk1mkLYhbfRySQi0ZADWazjd7loM9ZHArVe8y9oDrs7QYX4eHIVRbgtsBbkR3g9zP3VWVMERFyi6cU0Dyvue8DCx9YzNsdmKjkB2dvYTMVcUkad81pbO81jpLb1wL25WPHIPHqTOLZhdn9JxLn245Z` |
+> | Southeast Asia | rsa-sha2-512 | 12/31/2025 | `PORwL5d763G7hlwniaxxWV2GnWBwiwvFoCof1ko/I0k=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDBsqpGatUt090vKyIFszT/yKjAkiB7JJ7S+6iHKn/t346XsnDGawWTJGnB7HypYGN5l6SniBlo/+z643xXiM2Z+l12XThuyB3mBRMuVzhaHL2PeJre+W0Usrqm6BkhRFy9x2fbgQjjtC+axGSXR1vfdYX7wELasmM/cxCbBk2o3kogx2WKPm7WMxHPw0yIr+QvDQX2zuNrtpq7GOeih5K6bGCFauB4f8+qEy4LTJC2tJJqposHqtF91O0HO+X3Ek6N2ktkexsmyibyO7QCDUrWZfeXZkPKHyDgk0U8NXEendG8xxGmAEdLh7177iq1BICYqE7MrI1DrnXEn/6/hT4l` |
+> | Sweden Central | ecdsa-sha2-nistp256 | 12/31/2023 | `6HikgYBMSL9VguDq9bmwRaVXdOIUKEQUf4hlOjfvv6I=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBErZhZNNmDhMKbSUXLB1VcTmR7pXcXWAqfFpdI81OP1FeCxBtpRNpIeWMyVoP3FeO3yWcODLm/ZkK7BICFpjleo=` |
+> | Sweden Central | ecdsa-sha2-nistp256 | 12/31/2025 | `xDz64cW31AuzMVItTp3uUcaBXsr1XHTyfebMvYL45AQ=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGA+cgwzZYKp/Y/kjwdKGWUmZN7wtzDettBJ4G1GfdVSUCvDuHbvdd2TAGOkHrKLtYH8GOzTlDxiZDr/fU2UhXE=` |
+> | Sweden Central | ecdsa-sha2-nistp384 | 12/31/2023 | `apRb96GLQ3LZ3E+rt2dyr9imMFDXYbaZERiireEO6ks=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBKA5kwsqDKzZWmQCjIFBBjZun3rjg62pv8BOULwvwImaPvMFuR2OipExQZIyKSbR7wS9HA4/QKVA5rLRrSGpYvOBG438/7fwVZy5rOj3GXq6X7Havr1ExRXwsw5rJ56acA==` |
+> | Sweden Central | ecdsa-sha2-nistp384 | 12/31/2025 | `N2hag9eHkJ2bNWMXAVEN9i+nuQtmdXgEcnOVGBltoNI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBJ5jrcbfIGsC3O38klFCtG8pdqRKfnScEZaTDZLC7QCSbxzHtr3AIiAESerQlsH9mixFZCoEUrqK4ThG5X4x72BQLqR3Y2ybVdN2Dk9y0CWbBS0nwPsqvoRo3E5TN+Wovg==` |
+> | Sweden Central | rsa-sha2-256 | 12/31/2023 | `feu0rEf3KhvHGfhxEjcuFcPtIl+f0ZVzOMXyxy+f8f4=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDOimUzZHr0DxrjdWEPQqkrBudLW2P2dvPE9DoaXSNbehU13bxzsF6lzO65JBPh9rlNwwyt2yWtrR4XI0Qh/QSXmBntefOeH6BZVrN06aHrsd1dQBr4UFT5chCwy6Keu0ARW3fY8kO9lycTmMIeoiaYahicxyRRC8WLs0cSCH8tO0dA2aoaMxafBWqR6D5dNzu00rIcsCxvyjtN3Y8C4fw3YnNvPB/qWHdZ4aNcu7sQMRhCYVNPqX9UNGeXkbw8gHf9uL9dFu1c+P+VFIEs5bIecgT5HiGvtuXsWRdtEcM1v3mrRnNdmeWWQIqXzLrs5svipMIbnYXekhhLYHIlVo4d` |
+> | Sweden Central | rsa-sha2-256 | 12/31/2025 | `bUYNGSyu33/3FP/umDeNOjMyyWTH7cS9SN+uNEZAxFM=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCiMXkqHOU3fEwKm+vTmV62p/Uougg69HEZGnywRuTjvSVgPOB++q6zPinJGox20fvK0Rbh1hlXw2uXKqv6pgsa/54Cey/IDa0V68+aSdKvT29WNynFw0s4Ba52t5S/GsbwzNxV1pxrXNuv+d9874GrPiOSysPLGJGO6qMZEETzkewhgY0Vx4iSZTclJJvWozfVX+o0NL09c5iTOl6WaHptAMnaQpuuZey1DFTOzLZjYvsXrJtBuSlR2aPfUDxZXZ9IHbaG1/XoDHaK9OLujauXubVWdiPCn2JAHyRn8RHeaQBMXKEIYBjHEdEqnqu2x3x/xgLtcMHvZNtMbSUYa2gp` |
+> | Sweden Central | rsa-sha2-512 | 12/31/2023 | `5fx+Ic5p/MMR6TZvjj2yrb4HMHwc1TgM4x1xQw4aD3Y=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC2nRaxWTg4KGLClTZLQ5QgPZPyQ/XYbH4prjhg1uK7m/JKlmJw5LjmIUVKnlXS38qTKpWpJZyGU/eBCa5FPQODvoAXfNncgtIQxd7j00P8aO2tho+uIxSgiTCte8sgrAyx22uIJlORJn2x1cBFBJrlgQDJOKEAs9IakMNdLvlfjJV405gk7pstF4eeIANRWC3eOTrMs0O1gCTt2rnWR5BNQJu8swj9FEWreNQ3PvUliM6Ig6u8b+4d8ryYGuzh5+E8wy/aNxlowkoCI4D/+dBnH43pSYyjhrVx966JMlrJZjDmbgtygkJI+FoEEfBoFlrpIGfisqIX41Np9ZRre4Ux` |
+> | Sweden Central | rsa-sha2-512 | 12/31/2025 | `S1u9eFkDBfG+Pi6EwEuXcjHaTKFj5OS5DoDlKMQQgeA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDInv9tOMOI0vEIHPDGgVAjNc6bndxrRCtHoScAiWNdgzUZvsilkiSLyoeQxrZ43yOIazCjjdDCffsGFchCParJeHtAibjuAU9mxPzJ/Bf423TUXpZ1Ue3jzNSGIwDSGT7Zx6FzI7ogAjoksTgbV6xPBs4eNhliYVTpXic7KWrnjIWz78IB0SgXs7QugVufsp0ujOqJAnIJg8WVLidQ7SZb60AeGQZD2WFrSGNBiMVJhv99krHRQav8L1aS9mGG0qJlopbEeaJLrAmuWX8vih2HVERSnZKBHK07L033NzEqKMINKdHsx9i7jjnhbawqVnVcIkFrbt5HsAOMPV5NJnB5` |
+> | Sweden South | ecdsa-sha2-nistp256 | 12/31/2023 | `8C148yiGdrJCGF6HpDzINhGkB5AAyWDqkauJClRqCZs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEREKXJT7obM0RXGFrUPmJOoEpJD8T+QT29UEt3/jZrUzVzqXLV/9+VK0xqv1suljhUoUoClBdKqx5E/Sv1kSV4=` |
+> | Sweden South | ecdsa-sha2-nistp256 | 12/31/2025 | `CFONQqzubENS+SkpKNt07pdZH4SQFBpSJBzl35MxCDI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDKUwlETDPLRZFPiecD8Ik+RS3gCySkM7xk5ntfBQ3QeKJ6dXZQK3OciXfLaBcX3Nh6kaMvF/lHP2Dxo40aj9oU=` |
+> | Sweden South | ecdsa-sha2-nistp384 | 12/31/2023 | `ra8+vb8aSkTBsO0KAxDrl2lN9p41BxymtRU6Seby83M=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBIMby6y3wzWnzE304DjregQcSqKTsoMx2vPGk7OlBtjFKoubZlBRQH4jQrtPbJv/Hpf8f+D0JmvPe5G75yZFG1BcP5eB4aonAr0NNCw+3sCb50JVpoT4yoT787KKYf+5qg==` |
+> | Sweden South | ecdsa-sha2-nistp384 | 12/31/2025 | `P63Jg3B8b/U+t8MjBWJjkeu0i9a1wB/ua4qSesCfIms=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBBXXSBA7P4mqOkXjec9XDJcOk+qS/pEIiAp2KRbHEZGGf0m4NzBGGZyzxSqSDzV4GGIgCvoFTKtYuEt+D5WGpoCmyslD1lSM+GAnLpwbJBnT/Uh8F/uiWuAdmT7RhyMqdg==` |
+> | Sweden South | rsa-sha2-256 | 12/31/2023 | `kS1NUherycqJAYe8KZi8AnqIQ9UdDbpoEpcdHlZ702g=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDJ+Imy6VuOvZsel9SCoMmej4kFvP8MDgDY9EdgfkgpjEfOSk+vmXBMCFtthI7sHRggkuXQE5v6OkOPwuWuVWjAWmclfFIz+TTNE5dUUY6L+UMipDEcwFxtufnY3AW0v2MW5lOFHWbx3w7605yb2AFQuZjvngkjdelhDpVpX9a0XdPa7zUYBwXdxWeteH+i4ZJ62sjlBGzYRjFhK/y1rUKR3BVR5xtP9ofzqE1n/TRLpViU8iy4bpsQntTWa71xVoTFtE29h3ESw4QG2lRCwk7NIf8efyNdR25+YpVGIysAxXG2smGAi2W/YXUjteCE7k3IU+ehHJdWKB3spUBSoF/V` |
+> | Sweden South | rsa-sha2-256 | 12/31/2025 | `jDAz2Lzm0DVWZUuijXfWc1pr7GWKY0Pj8VD/DDSxa5k=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDXFtDF2qY06eUHr2SSo8S6UFZ2X++ZCLn5d8P0q9S23k9bdwx1whNAAu2uqDEr2q4db+bKISHWlahb3dGDhi0FvXsOGTPWrWjjQ13IqyZR+vV/tKkz5ZZ/LKOgSMpNO/phJfToKqk0cF35Ai9L+Gg/vmnTzbaYmLBj0tKKq3d/DN2JX6Fb01mHedHvGLqaJryJX334ZR4QyiLn2Sr0Q9mTtqZibkl50dxYyJSXsHi/W8Sy/cPEpG2z7p/iUwnOzz0yXPR/EMkWwuU2RDWJDCNt4bXKRE6Ox1kbrF` |
+> | Sweden South | rsa-sha2-512 | 12/31/2023 | `G+oX014UJXR0t1xHrCi715XuoHBkBxJMdH8hmVMilJc=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDCa5Ny0EUd8yLOgzczm6Zge+D39VY7hpG+et2ln0i/HdYLd1aijEiF/0RDgnJYxZM4RhPZHxrVZXJXLsLa2T+ud+cqifvsjudsUSCzWNY3pHAwKBTSuu8Po+TrJXx8b+ogg+EhTh1BZQzIVQbtLwqRFJ3beLtvhp+V1pPWOoXRiN6Rq+x6ciT37jOdp033rbEM3AtzWdRBvRxUiVxKoRXcDYwAAIb3joaZ26p69Vj7HpD0HAf7w9f70zIwIzqrW4RcHcP+RbDVzNukK8gWP66OgSKrAQgRmibS6SEJx4kgkaghiQfm1k1bXkTnlKlz956DHkTkpMQe21/eW1Prs+q1` |
+> | Sweden South | rsa-sha2-512 | 12/31/2025 | `anZywk1gGkJMWIN6REl6n2o+1gvpXzJ1tuqpCBi3eGM=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDIld4L9tOAD8hutLCAQj5yhFN+01CDMlzAiGfDPZbcJ7Wewm+vSQkz8CDgqLxL6nS5PtCiDIdi66Ogluvh8vURfOOCMOd0FVzVblJnrvHAMp7gBqbSP94obGLNVlvQGMNrKSTr+PMXQ/acRaGgpw66sMx4s+mgkpym12jhHqQHTU2GUf1OQOUz8x6kr8iUr8gxM7u2kdb4JjMBqjp6MjRsC1MErDhP39tgsqa2YuZ1LWHsEApeuiA6OLFeGdt8mCnNqvs7oZSnZ0KgO2EgGYv7SJp/yaWVXV+M7HIKs6/re6KmrFQmLpsSPFaY7KuUE8rBsgwBNlW5anzX+8bZ7BEd` |
+> | Switzerland North | ecdsa-sha2-nistp256 | 12/31/2023 | `DfyPsw04f2rU6PXeLx8iVRu+hrtSLushETT3zs5Dq7U=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJICveabT6GPfbyaCSeU7D553Q4Rr/IgGjTMC8vMCIUJKUzazeCeS3q46mXL2kwnBLIge9wTzzvP7JSWf+I2Fis=` |
+> | Switzerland North | ecdsa-sha2-nistp256 | 12/31/2025 | `0pZsKdD8Mt2Ycp8eZQP3V7jE/KcVg0G9SHtKB9ZYtp4=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMhtGLo1R2YN4YI0+cG7+lkfhsHiOohzccGbvAJL8GDsSQkGT37nv6v0UXwBOK05RqqYbXClQmVlzmeNEj6PlFQ=` |
+> | Switzerland North | ecdsa-sha2-nistp384 | 12/31/2023 | `Rw0TLDVU4PqsXbOunR2BZcn2/wqFty6rCgWN4cCD/1Y=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLLhGaEyHYvfVU05lmKV4Rnrl9YiuSSOCXjUaJjJJRhe5ZXbDMHeiC67CAWW3mm/+c5i1hoob/8pHg7vmeC+ve+Ztu/ww12JsC4qy/CG8qIIQvlnDDqnfmOgr0Svw3/Izw==` |
+> | Switzerland North | ecdsa-sha2-nistp384 | 12/31/2025 | `ooXk/r73YrYkElA/yhZktLu+jqjQ1h/Ph1QJGCl8Wwk=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGpDYh+kklKbttOEbLJcoclTpIbfybZH20LFSx98stuDwxl02ZMZ5kUR99icKv1a4rLVHE6jhMK7uOA9dpYUob7VOEb+BBNy7zCeEzY9gW6gYLbLx8KHsGVyYJOu0khvkw==` |
+> | Switzerland North | rsa-sha2-256 | 12/31/2023 | `4cXg5pca9HCvAxDMrE7GdwvUZl5RlaivApaqz8gl7vs=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCqqSS6hVSmykLqNCqZntOao0QSS1xG89BiwNaR7uQvz7Y2H+gJiXhgot6wtc4/A5743t7svXZqsCBGPvkpK05JMNZDUy0UTwQ1eI9WAcgFAHqzmazKT1B5/aK0P5IMcK00dVap4jTwxaoQbtc973E5XAiUW1ZRt6YComeoZB6cFVX28MaE6auWOPdEaSg8SlcmWyw73Q9X5SsJkDTW5543tzjJI5hnH03LAvPIs8pIvqxntsKPEeWnyIMHWtc5Vpg8LB7CnAr4C86++hxt3mws7+AOtcjfUu2LmLzG1A34B1yEa/wLqJCz7jWV/Wm21KlTp1VdBk+4qFoVfy2IFeX9` |
+> | Switzerland North | rsa-sha2-256 | 12/31/2025 | `UJCUXnlP5GE7WdONurCmOsBT2dX4EvoNglb0SkNUGVc=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDfokyfs8exkQ6lwYhndILtNfJzSgENTP15rxcJ7GUi+GtcwtCrg1SobyH/t2pAkc5NnLn/nc6CZO97+XGsDrNI/A9uyo2FzbUtbMc6orqyjBfmaOb5haoMrkOJ/HzcUBAzRfQgJyGZsjyvPAiG1xpRf7dFjKJ18D38FpJk7jpZTdEBdeMkFpvi509ASrn+htnOLLSkIDOJRinnMapp+g4dOa99+rQgmfOb0U/8FUuS68cBetbwbdRrQhxqwQleZ0F9wJM66slb4R3dXKr9uPZy5nNxXnxTicfZTgEUdcBxs0PfNVzJ9NS408aRftnxmBpE8vHO20fJpKW+VbAkkHfF` |
+> | Switzerland North | rsa-sha2-512 | 12/31/2023 | `E63lmwPWd5a6K3wJLj4ksx0wPab1lqle2a4kwjXuR4c=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCtSlbkDdzwqHy2C/pAteV2mrkZFpJHAlL05iOrJSFk0dhq8iwsmOmQiF9Xwth6T1n3NVVncAodIN2MyHR7pQTUJu1dmHcikG/JU6wGPVN8law0+3f9aClbqWRV5tdOx1vWQP3uPrppYlT90bWbD0IBmmHnxPJXsXm+7tI1n+P1/bKewG7FvU1yF+gqOXyTXrdb3sEZOD6IYW/PusR44mDl/rV5dFilBvmluHY5155hk1O2HBOWlCiDGBdEIOmB73waUQabqBCicAWfyloGZqB1n8Eay6FksLtRSAUcCSyBSnA81phYdLiLBd9UmiVKPC7gvdBWPztWB+2MeLsXtim9` |
+> | Switzerland North | rsa-sha2-512 | 12/31/2025 | `xqR6ZvYjMlFYY7lQWQSe+jVasTn/Z1dj1YZ1VVilPCo=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDI1WEVac58t60BTau8gagXm18Wsqdw58Qj9YIJ5FiREJVgNu77S94bdp8uDiHD5pcucMtf1piaExEhNj5cJccbz7ZsXyKpp3ElZIxQFofGKwwLbgeyAuNenufnGd+1deN3ubVFbcuV8Fzw8XlQUJt/2mFzWj+c9F4619XheailZGKnRdj+8vEaoAHlUGy0xeTqr09vDwNJrkJHksCdRK2+vu7OOGTY684oi1zEKXVZeMIuu0Aowk4Z8Uh+7emfq2MRCr+sjZreMdxcSbGqQAeIHGJQLtdnf89pEm6UrXDyzmQSD8WGlHkivICPGctKhNPsrgcC3oCMSD5vQUD/AECh` |
+> | Switzerland West | ecdsa-sha2-nistp256 | 12/31/2023 | `5MyZiuHQIMDh/+QEnbr3Zm6/HnsLpYT2GXetsWD6M8Q=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEj5nXHEjkVlLcf9R9fPQw9k2QGyUUP6NrFRj1gbxKzwHsgG2YKWDdOJiyguiro0xV9+JRdW3VC49/psIYUFDPA=` |
+> | Switzerland West | ecdsa-sha2-nistp256 | 12/31/2025 | `SrAdmOe1SSj0aFzfwLaLgRdqhkqk44Q3ffJ8Qv7dunI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAi1QaagaxBduq+yLgr68/MIwaYmaFzV84v5PyZfNP/MM3d2xCnY4w3FFxte1Np97D6f+J9bzufxzCxU/CVKZbg=` |
+> | Switzerland West | ecdsa-sha2-nistp384 | 12/31/2023 | `nS9RIUnm5ULmNIG+d7qSeIl/kNzuJxAX9/PcwfCxcB0=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBB/Ps4Wp15xhNenavSHZijwVXdZcvhzVq8IcfHR3+Gz3tKLed36OdHRTdWpvjrg0mENw4L1mEZnHnDx96WMtA+FfagGWXMVMMfcyM4riIedemHsz45KAR2suqcdkNHfdVA==` |
+> | Switzerland West | ecdsa-sha2-nistp384 | 12/31/2025 | `3c8hd5migbtN7TxKAAcCvHZ0s/sB33vs9KZcUODIr/I=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAcy8+3i9w8SPJfdqyxXrt4OuuQMkY9wUN1V1F9yDDt3HhOfZOUj5AHMnwRqC8qwkiC2QqQyx2JqugInqjxDEmTtE9x+Soaye38a/u7WjHIfr3gM5NvqnPy7sQ1ZlTdLAw==` |
+> | Switzerland West | rsa-sha2-256 | 12/31/2023 | `yoVjbjB+U4Cp/ZpMgKKuji9T2pIFtdeXnJudyeNvPs0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDFl9NO3CJyKTdYxDIgCjygwIxlT1ppJQm/ykv2zDz6C7mjweiuuwhVM3LRua3WyP5mbgl3qYm+PHlA7UyIMY5jtsg7GaSfhiBSGZAdfgfDgOp3qRkgyep84P69SLb2b0hwgsPVkx8eWLDDVbOEdQLLx7TVndyxtdw+X4bZs6UdEcLMvLUWl7v3SoD5oiuJN6vOJPQl0VBeEaK/uhujjFgnlEu7/31rYEKQ8vQBbx22a4kIyBtUSAGo/VfKGRWF9oXL7Umh2xHAPwNbGwP+DdCKUY27wWG7Qe18O+QS9AOu0yL4+MRIHZg8ODLQsk0Hp3q8Iw2JjohSkk4lcjHYgb69` |
+> | Switzerland West | rsa-sha2-256 | 12/31/2025 | `7ND7kGDrt9lN5QLEOCrZuRPh8QiKNaO3Up2yCU+8Q/I=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCiAmb+xePomfMqT6MLZxoPMxUL8dyXuF6JgF6QI0NC05tEilsv7og35mgLlDug+/QrAQVrNq9uFdVWA4YZgQXc8dY+QKHcv4PoDUnYKkRQLij1n9GttQPnAf+MOTrN4Ws07zeiespjsgjfpOz3LFS6GF8H/3qVWcFgAyiJqmV53dDvtFMQMYrek6scuVxOwZ2HP2U6KXjuBe+Xa8uifoLkLtxFcNivDxuDoMnch0d149HtMOwr98IjHCDbizUGvPObKQL9YLsFvk7IY11JB2jdX+I2So9bfOLvR64vC4NqXuI39VJUBQy4/devmY1+43GWqXCQ6YCIPjZJ1OM/kAoN` |
+> | Switzerland West | rsa-sha2-512 | 12/31/2023 | `UgWxFaVY0YYMiNQ82Wt3D1LDg3xta1DfRUUKWjZYllk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC6svukqfg7147raZZrA1bZFOO/EDFgi+WRsxoOfH/EEWGmZ89QQ5m855TpsTPZ5ZARQD9kxrYEtqefcSPuWgth4Ze5PNVwRfAwedsSfnYwHZqHRlRM54bOQ6Img7T292ERl4KNJUI7SLyF+kKB7eXqp5nMBrTZ4rSHXoeibv2yZAph0cyf4V/NnfRj6KZSf6YDs0LW1VuovWAC6S7mpBjwtabBmd1gIiJleWhB7Jj48yiyh0m7L9oIoR4NRiuFC535JwqCYhrgFwujuk6iIR9ScRdayEr6gVcv6tBms3MyR16ytA/MHRxYHfPKb1kHUrpFjDQZZZswoDJDnhQGOm8Z` |
+> | Switzerland West | rsa-sha2-512 | 12/31/2025 | `5vdBLwM+FAi6sDgIA9/k6uBRA8/XiMpD23sgxfHIILE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDBwwQq9f6JcSO8+03rBQlSswX4M5ZtoIdHvdPkSeUFm2hyZaDR4oEyI93ZupPDF6T7kq9z7WrjbrmgN8KmNP09fw3I9K750CETUSvB4tUgRNF0v9I15fdvvrTG28pQaxhYGcE7+WIOMvLpHmYQdLtgK5tmSPmivPJ8BkgVCMm+YDEJ8dWIx3sQUgk1Yn5LcBhPgmamQQZPbeOOL35MZVexKsePY2TzpQzSL3mWAxKvCzNY/lBogqPnOnoeziUYO0YXdnJTpPuCqt8odfapomRN8AGAt3uWANG/lxRYanFF1b7K8Z2ktjc9up9cx84WisD9f4FD3UTn2nlnxOYw3pj5` |
+> | UAE Central | ecdsa-sha2-nistp256 | 12/31/2023 | `P3KxgoZgjHHxid66gbkRETjPsHUsNiPt5/TFU0Kby6I=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOvHAXCWC9HGJnr5SRW8I1zZWsyHIczEdPpzmafrU8drYmhpRxlD6HlKnY7iXqfq8bOIK063tpVOsPbrVevAKPs=` |
+> | UAE Central | ecdsa-sha2-nistp256 | 12/31/2025 | `eLseSgVB/Uy8v71xNcS1RTPs3Dalv/NP94UqWiXArmg=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNZ7GKKOuBg1epk1QSkoewctpPA9cJXwnEtHW6SOyJvXxdim3QhGDe35m8S2hXQftBAHKfvs234t10fWGHL75ls=` |
+> | UAE Central | ecdsa-sha2-nistp384 | 12/31/2023 | `E+jKxd6hnfVIXPQYreABXpZB7tppZnWUxAelvEDh874=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMDLyroqceuIpmDQk/gvHHzFup7NZbyzjXMdGrkDvZDE2H+6XTthCGSVNVmwqdyHE4yGw88jgW1TfWTAZxCxTfXD+xF72iYyBAsejgiyYY/0x9NKM/lrtw8mnRtkZzLyrA==` |
+> | UAE Central | ecdsa-sha2-nistp384 | 12/31/2025 | `lO3lSaBB3hriPePQ3Gy/S5xoNrbw3tIjfFRIgogq+lU=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNepTdgyzOXRje4JSY+mzB/k/HAmsKw8PyJFWR7tUdY5rPNghGg0pH9pos/CrynXq30lhBSS5bVA7Gy74AjjUQdWCM7/oOu97jJWkfYJzSvLIAJ8WN4H/PchBcKUex1Cpg==` |
+> | UAE Central | rsa-sha2-256 | 12/31/2023 | `GW5lrSx75BsjFe4y4vwJFdg454fndPjm4ez2mYsG3zs=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDAQiEpj9zkZ8F3iDkDDbZV4A3+1RC/0Un6HZVYv5MCVYKqsVzmyn+7rbseUTkZMO/EqgF8+VWlwSU5C2JOesZtKXAgNzXBSOER3NbiucB5v1b1cC+8Qo4C2+iTHXyJSKxV0bTz55crCfhKO1KTQw3uZoYh6jE9xI1RzCI1J4qP+afZQQhn3H+7q+8kTMhmlQrfKuMWennoWZih+uTe9LPHjlvzwYiXkS2sOIlKtx8eLDJJg2ONl7YKSE4XVq7K33807Gz5sCD/ZV+Bn+NyP2yX14QKcyI97pkrFdcJf2DZi7LdTuEVPx3qK/rHzmzotwe6ne6sfV+FJpowUUTbKgT5` |
+> | UAE Central | rsa-sha2-256 | 12/31/2025 | `1CPpQFd1HDc1TVCnaktsKgKewrTBvoISkyDpte/rDOo=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDHSU17nm3EBbLChzISwQ6GhCNWyk7dxOYyLa8GUNLDRrlEkbEgcAPpfRosf/D60oCFCKRV9ZAKopiTN3ZFSyxmErzSB2+xxaC/P0OyIV6Iy+tJIhc6daNI0s1Dr02yideftrt7IOVegjhkkE26l7lcgrBoHjF5DFjJqJGD/f8fjtKeTJbsMUKAwPQZ7ZvRzoel6u4gDZcLS9HjekFAUWKakh0qsnajsmBK/wOd87eMYle6o0rVen8GbxvLpbjwW1ZqLYiKU6aNx8wSWA4Ax7N4DJXrd7Wq5sxYoS2HcLcEkZho6dk0S0Dn2jax7hDbHbj8EB3dbXhmAGgWFWqvW3CB` |
+> | UAE Central | rsa-sha2-512 | 12/31/2023 | `zflL4olL2bga9JCxPA/qfvT2jSYmIfr2RY6GagpUjkE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDAtxSG7lHzGFclWVuErRZZo6VG5uaWy1ikhb67rJSXdTLuSGDU+4Boj4wKxK0EyVKXpdQ3VrIwC4rOEy/lKAlnI2PrkrMjluau2aetlwW0hCBKAcgEOpMeMJJxCvv9EVatmEhvCe0ARyVM539058da9LzoZ2geFnFIbh3t8fNCaJZTNSS5PW1SLkspSqYXUYJWzu8Kx9l3LTzlmJT1DukKLIKj5ZDwuzOIN5m1ePYp4MzfIeBN6ys8df8HqXLoEXE+vOZWOzwkPVWoTsYvwB8j9+FHECAVf4Gcm8sPvRZA/RKDn1dGW2THzVw/VI/F87fFC7stLmZJ1v+a9TTFE649` |
+> | UAE Central | rsa-sha2-512 | 12/31/2025 | `gUrg5GpMevHc+oY/6e5zf3v/QAUs7LfQPDuJzPDvCj4=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDAJnedb7pHRHXfKMPJvF8AwEydvhLJ/n7NNdxWEGM3LjKMehDVVthzt09Z2NUpw3oPBOq0D7onxohoxLVKuPPk7shs23fVV0lyBnTehYKHvVkLpTsBd2E6JEXzTRoT7LWJWJr5WWjnUagn8HprOiBLYo7kW8g0iidfzaYUSKvtz3j4iYCCogjqTgsxF1wBn/R8LM1kpZw75ym9VWmeP430ov7fyKxho+EG9Xf2ta0E1AKrkJoTo/I2PY6/44Uhxf65afApGGbQOnuAuJsSQRfTs4f1Potuv4leDo6p1awLbYAiDjdky7QNbjmznDu8J+O+F28HNI/E4WrMgmM9xsQZ` |
+> | UAE North | ecdsa-sha2-nistp256 | 12/31/2023 | `vAuGgsr0IQnOLUaWCCOBt+Jg0DV9C6rqHhnoJnwORM8=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEYpnxgANJNJ4IIvSwvrRtjgbejCpTc3D+l5iob7dBK4KQ7MB40rq+CtdBDGZ1J7d6oCevW6gb1SIxU/PxCuvMI=` |
+> | UAE North | ecdsa-sha2-nistp256 | 12/31/2025 | `CG5AfI2DZM9CuJahiKljc5R7r1fFuFk7on/fpxraX5k=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBND/xbpRM4gkyWzkPTqJ0gT43sKGDpboZnor6arGO19aT7rUvwvvrDavj6+tHQ4rspF61evvqNwgex2jXfjZl4c=` |
+> | UAE North | ecdsa-sha2-nistp384 | 12/31/2023 | `A5fa4Pzkdl0H2kVJxlNiEQkOhPzBYkrfQrcviQUUWUA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOz4ENDgFpo0547D5XCRCJLg8brp+iUyId2IdEhZAhuNX9spxlVe6uSkiQbd+8D5hHPVNuLFTFx7v2wXObycM8tr/WGejn/934BvSUhM6lDpU+d5n+ZcxEEhp4gDiy1l+Q==` |
+> | UAE North | ecdsa-sha2-nistp384 | 12/31/2025 | `ZKSbth32z81WlOVHmZQXMgKKpZtoKM51iQlppBjIEsg=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBLVt41XkHBVdtvDrzNdTwH358z8nuYKXsbhOXSC5y5vO/G1lEnWXdpDhKMf6Gai0BDRkoiTg8UPeduAJhJMS5R0aptOVEHqcUoByQydX787Xzs1zkb7R9HroAQqxZkN76Q==` |
+> | UAE North | rsa-sha2-256 | 12/31/2023 | `Vazz+KIADh85GQHAylrlI1tTY8/ckoRqTe/kbLXPmd0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDRGQHLLR9ruI0GcNF2u3EpS2CbHdZlqcgSR1bkaOXA9ZufHyxuhIpzG2IgYQ8wrjGzIilYds6UIH7CAw9FApKLNpLR6qdm8qjM0tJiyHLm3KloU27FfjCQjE9JhmsbTWCRH3N52A9HXIdiVCE3BBSoXhg/mF+3cvm1JvabKr1twoyfbUgDFuF7fDyhSxJ/MTig8SpgzWqcd5J+wbzjXG0ob2yWVhwtrcB6k97g25p77EKXo3VhSs0jN7VR+SAHupVwWsUgx4fZzi2I5xTUTBdOXW+e3EiXytPL2N5N/MtFKVY/JVhFkKkcTRgeuOds51tkByteSkc32kakcUxw6CjJ` |
+> | UAE North | rsa-sha2-256 | 12/31/2025 | `xkPKadBhJcbriHJ7u9rysvVUYJJ3BgmJ/tVmZ6Pdh9E=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCg0BnGxp2p73iSfklsC7oXdXMSwwl6ZWBXRbLOb50Q+Be/SXFm8i5pbQCoWQTV02/5zQIRjyPhHNrDLGgQG3FqpTWMe47T1OdMMYvBIzaI2KFvSRnKWPy0dGw9nowmwDUsHPR+I/MO0D6x1NgYwNmcIPzMzN81XnXB+U9yBCIR/dwgaUrw2LHE1gL4JDhIXGM7dZWpnoWtLtjjqJuoTy0CgL+sxsexRDXmpE0LujyzA2xWNWo7suF1HZmVPI1cFa8+UC+o24BlBtd4IU7otIX2qgkXyeMIJuRnT+THbEAvz7U9/QH1+WDC4Jy+vlitlulz2VHyf37cXQaq949UO1VB` |
+> | UAE North | rsa-sha2-512 | 12/31/2023 | `NDeTZPUor2OuTdgSjLLhSaqJiTJUdfwTAzpkjNbNQUY=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDAx9LfiyVmWwGD/rjQeHiHTMWYaE/mMP6rxmfs9/I4wEFkaTBbc4qewxUlrB1jd7Se2a0kljI3lqQJ9h+gjtH/IaVTZOKCOZD8yV9Dh4ZENRqH/TOVz6LCvZifVbjUtxRtbvOuh1lJIVBSBFciNr0HThFMnTEIwcs5V48EFIT6eS9Krggu+cWAX2RbjM0VQnIgkA5BeM33MjSjNz86zhO+e7e1lhflPKL5RTIswtWbwatgkyvfM33pJql/zJz+3/usSpIA/pgWw23c8WziYXiHPTShJXN+N+9iLKf9YUkpzQUZSaRw8XDPyjJNx327Lot0Bh4YLpe37R0SrOvitBsN` |
+> | UAE North | rsa-sha2-512 | 12/31/2025 | `WW8903bkfHA2Gn59xbpwus4rOy//t2ND6iarME8FoX8=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCnVyU5nye5iPn93/4jxtW2Jwjm4qtFZ3EfIuAOR9p59Td6f1uz4+TkTdernYFZFs+2VYJaniX1YiugyGhfNCcxjl3kdE3uRsaDUswKuTgwVbHdD1eatOC9dMKaFDMyuJ9l3GY31+hvurmOxSWAMbr4EVWBiHIJFhRcp6PXh8U3Q3TcSw+hf4+XM+9+ffChn7m6jxkb6hCmGWmQeSLz16hUCtt4QD5UrZ7kWlTWek0MDtCDVcds86CDACopkLUuSxc1l7KmESnV2zl5E4A337RWhSxueSEpO+pPaMEwLDySKy4QWpuD1A6lUWMjCrYY+enPNOqWZOmG4UHtRz3SuR2d` |
+> | UK South | ecdsa-sha2-nistp256 | 12/31/2023 | `weMVzOmQnlMdMp5XBoU9SdN5meBbx/8nvA8dB45w8Ck=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEnBllEm4/HsTP+ZMhlc8YnSAYWF23tibZDqGxf0yBRTU/ncuaavuQdIJ5TcJb0NcXG7skEmq3StwHT0FPMWN8Y=` |
+> | UK South | ecdsa-sha2-nistp256 | 12/31/2025 | `O/fVBsiwFR71jWIDIR8kY8UeT3NVfyr3F5O7Zgd9kwg=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO1pIStRDeGkyH3Qx+A6Uyoknzu3miYLzYYgDlsByz3TfuLmEheHtD/QnBRvPWF5IqmLZn/dz3xUJQi04lwrfok=` |
+> | UK South | ecdsa-sha2-nistp384 | 12/31/2023 | `HpsZ8zoOCCsUbpD3nAOtxpuKIvn0L8KGyg1KMLuMUqU=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGd/672brwX1kOhH31ZTdBRj+bcEmemcdmTEe0J88cJ3RRQy7nDFs25UrnR+h3P0ov9Uq24EJQS8auxRgNCUJ3i3ZH9QjcwX/MDRFPnUrNosH8NkcPmJ/pezVeMJLqs3Qw==` |
+> | UK South | ecdsa-sha2-nistp384 | 12/31/2025 | `2waT1L91yV7OgudDQ7yfA9sk9jSmqrSX3cy9uA6MahM=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBETAKzK2eYy1m0LxYvnGtu564RmVIgkYBfY8aBSbHUUikdAQLdfEDbDO4CaReHGMJpZk3CY/gGMcSjxmazpJq0B9L56Hj/Kp8uRciVJq9wEeRUML2Mh8cuz/JBwX9eVdYA==` |
+> | UK South | rsa-sha2-256 | 12/31/2023 | `3nrDdWUOwG0XgfrFgW27xhWSizttjabHXTRX8AOHmGw=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCdLm+9OROp5zrc6nLKBJWNrTnUeCeo8n1v9Y3qWicwYMqmRs/sS9t5V3ABWnus4TxH3bqgnQW3OqWLgOHse/3S+K1wGERmBbEdKOl7A7kQ9QgDkWEZoftwJ9hp+AMVTfCYhcOOsG+gW021difNx+WW2O5TldL31pk+UvdhnQKRHLX31cqx5vuUmiwq4mlbBx+rY8B/xngP2bzx/oYXdy1I9fZbWWAQ6FwJBav1sSWL0l7snRdOsy5ASeMnYollEw1IATwYeUv8g3PzrryZuru+7gu/Ku9w8d5jbFyI6Up4KLwjs/gZNuqQ5dif7utiQYbVe4L0TPWOmuLA25JJRZaF` |
+> | UK South | rsa-sha2-256 | 12/31/2025 | `Ntdjy7uYiI3L1G+QeDK2UhrsLj4H4cLEF5GPFzwqqQk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC8Z3tBtO24z3kg76jT+sS7Np6cmvcSFLFTyDO1z28Ury1cnIk5WK9OjRuwlDhIfnR4mSMmcA1OuPzIGK4jIdMuj/Hy+YUF2D+jR8oUBCqZocbUH0rYEOCEo9U1n2vly5oYGTU3COqHId67eCQOs3C0hXU0Dpso+cidX0QkLArvmYvErpmg8a9EG+2Sbl4DQjAXY3HYBafl/2jkOcIVPW5Fw7Pdql/fWRC6CsinobdCaoFuqR5+VwMQPftKdD+HfykV38gjvUaNVIRyEfFkbMo1HQ+vTU04Bw612ka+xTf/npu/1g3AV9Tb3Xlr0gqoU5p7W1hAqJAZ1td9oTgE247x` |
+> | UK South | rsa-sha2-512 | 12/31/2023 | `Csnl8SFblkdpVVsJC1jNVSyc2eDWdCBVQj9t6J3KHvw=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDIwNEfrP6Httmm5GoxwprQ57AyD6b3EOVe5pTGQWIOzxnrIw2KnDPL07KNa33xZOmtXro5PYyhr5eNXUkFiQMEe+RblilZSNAvc4MHbp2TVD0L9N7Pdy2SetoF4m5BCXdC48kZntqgkpzXoDbFiaAVln5zQCHB5fOuBPS1id8+k3zqG0o+K0MHb6qcbYV8gdQeOn/PlJzKE4M0Ie8na3aWHdGvfJjDdK/hNN0J+eUK8qIb9KCJkSMDj/l3rnue9L8XgeKKA2Pkvh3nch4VBXCcCsDVhgSf+aoiJ0Fy8GVOTk2s7QDMzD9y37D9V2OPl66q4pjFGOfK0mJmrgqxWNy5` |
+> | UK South | rsa-sha2-512 | 12/31/2025 | `tS7jt1nZRrT+zXYm2U5uftS9o5l/ca53XWBFHYJrLAA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDXaUQJ4GSVIs/tdFCts+bOmOBEeJ85bMAt3A3u3G4IKa1N7rrzZEJOS6MGluyX9ldjihwHLrOQsce8W5Mb/I2iv84ywo8sE+OlgArvpydO9TaSMQU0/pXgxRn9BP3cfUxyvl5RZw+54Y5rQpP/cQZFjC9OpBRZhiaq8GiNbWwrvk3Zwo1eT8B7BEs4pLPEQpnGnicAywY1Dyk3cBIRNR8FFlK1by1OXr+ZpTWx6RX4WxMvmg6EHNqOUvls0G3/1oDq8Ap55DwXFI1aNCTLevJrf+N61rlJrzF5vRj3OFL7JgPyafXPRmMlgRX81K6La9oFWOk9oPSLvW2XD7YcM/dV` |
+> | UK West | ecdsa-sha2-nistp256 | 12/31/2023 | `bNYdYVgicvl1yaOR/1xLqocxT8bamjezGFqFdO6Od0I=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWKoJuxB3EO5bKjxnviF+QTv3PBSViD1SNKbfj0qYfAjObQKZuiqcFYeDoPrkhk9jfan2jU6oCEN4+KDwivz3k=` |
+> | UK West | ecdsa-sha2-nistp256 | 12/31/2025 | `Y+t6kUTkav589Ri4L1AVG64Ugkf2g0XnHAkkQFE6+0o=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOypY+rnYWZPtUYshSwOxCr/HO5f8FrTayhjuqu5SIr6beRrNmI/5mg5V7mK75rbxzkDQBtdOg0UY5afhd12VBI=` |
+> | UK West | ecdsa-sha2-nistp384 | 12/31/2023 | `6V8vLtRf6I5BjuLgToJ1cROM72UqPD+SC0N9L9WG6PA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBA+7R/5qSfsXACmseiErhfwhiE7Rref/TNHONqiFlAZq2KCW3w3u8+O4gpJEflibMFP/Mj5YeoygdPUwflFNcST9K+vnkEL3/lqzoGOarGBYIKtEZwixv3qlBR+KyoRUkw==` |
+> | UK West | ecdsa-sha2-nistp384 | 12/31/2025 | `js1uEKB1mrXNBzdNuMS5kdCxLpAkcmhNLhSxbboWey4=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBCDTQUgC8WbfDZYtQYBCwjcyw69DUduYXmedfRS1sEKfVvQ6WIC3NmimGQ0l3hZqykOVIYZSmpoKZgbsJwuTbVQE3M+vu9ZElhyrds8QWMm0iNVKZCJwn5oxdLk+KPEe+w==` |
+> | UK West | rsa-sha2-256 | 12/31/2023 | `2NQ5z6fQjt4SZKdViPS+I2kX7GoXOx3fVE81t8/BCVE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDNq0xtA0tdZmkSDTNgA05YLH5ZuLFKD7RbruzuL4KVU2In0DQUtJkVqRXIaB3f+cEBTs9QrMUqolOdCCunhzosr5FvCO3I6HZ8BLnVNshtUBf2C1aT9yonlkdiIyc2pCHonds8vHKC4SBNu3Jr584bhyan8NuzJqzPCnKTdHwyWjf8m5mB4liK/ka4QGiaLLYTAjCCXmaXXOVZI2u0yDcJQXAjAP5niCOQaPHgdGk6oSjs0YKB29V+lIdB8twUnBaJA9jgECM2brywksmXrAyUPnIFD6AVEiFZsUH3iwgFAH7O6PLZTOSgJuu994CNwigrOXTbABfpH2YMjvUF///5` |
+> | UK West | rsa-sha2-256 | 12/31/2025 | `x3DuKaxnJ4GPXUY3+TS6U+Y4MwI/er1315Wtf+GSiYg=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDD5+oajaLstTLolvR2fWrU57xcIE0Ho64SXtj5rWJZmk/BlSwwNOKwYiNSSDgcQFYxKc9F/zudD/o55qj6NqHUurwtsXBKzUWZpb02yYsSu0S9BMym205LUIH5zOe/+t9BiILkoATLjxOMWmp0TDIEHMky6WiUKaCQM7JPdOnp6xaAM4ZSJNe0ut0TPRgof4zD0QbQ58TpJ8bIdD2YDnAdSj697cmyNwt4gDMv3YunG1A5KDYNmZe+BVBO8m8sbL0RwZ4LwfCSkorTNyQlIG684K9v4Awx1k+VDoi9hOXyCT+IvyhkZBtljKWTnhPESiI/sjdpz6MVQK3HUw70pQsV` |
+> | UK West | rsa-sha2-512 | 12/31/2023 | `MrfRlQmVjukl5Q5KvQ6YDYulC3EWnGH9StlLnR2JY7Q=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQClZODHJMnlU29q0Dk1iwWFO0Sa0whbWIvUlJJFLgOKF5hGBz9t9L6JhKFd1mKzDJYnP9FXaK1x9kk7l0Rl+u1A4BJMsIIhESuUBYq62atL5po18YOQX5zv8mt0ou2aFlUDJiZQ4yuWyKd44jJCD5xUaeG8QVV4A8IgxKIUu2erV5hvfVDCmSK07OCuDudZGlYcRDOFfhu8ewu/qNd7M0LCU5KvTwAvAq55HiymifqrMJdXDhnjzojNs4gfudiwjeTFTXCYg02uV/ubR1iaSAKeLV649qxJekwsCmusjsEGQF5qMUkezl2WbOQcRsAVrajjqMoW/w1GEFiN6c70kYil` |
+> | UK West | rsa-sha2-512 | 12/31/2025 | `xS56JtktmsWJe9jibTzhYLsFeC/BlSt4EqPpenlnBsA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDE7OVjPPfsIrmrg/Ec0emRMtdqJQNQzpdX1e8QHKzjZKqELTDxZFoaa3cUCS/Y+y6c/xs/gZDv0TU/CLGxPCoOyz2OhhTQnzRuWQRzgsgpEipHXHbHp3/aL0I346MmsEx8KmrrIootcP+K5RLDKlRGb62tOCEX+rls4EjAbNZBOnFAytg9h5L6crV4iGeRf0tAxh0VzYze5QmelWBViVfejV99e091CAU7SnBX5FUvuvgil03sZQz4lH2qdOwKBEpVuzSkueJWMIm+EpWwVcfqoPnwB+J4Srr4qIPdJk9FkSGF5E+8VtqTGe8I+3sNxUg1iwpUOtq+G3q6ueb5h4M5` |
+> | US DoD Central | ecdsa-sha2-nistp256 | 01/31/2024 | `03WHYAk6NEf2qYT62cwilvrkQ8rZCwdi+9M6yTZ9zjc=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCVsp8VO4aE6PwKD4nKZDU0xNx2CyNvw7xU3/KjXgTPWqNpbOlr6JmHG67ozOj+JUtLRMX15cLbDJgX9G9/EZd8=` |
+> | US DoD Central | ecdsa-sha2-nistp384 | 01/31/2024| `do10RyIoAbeuNClEvjfq5OvNTbcjKO6PPaCm1cGiFDA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBKYiTs82RA54EX24BESc5hFy5Zd+bPo4UTI/QFn+koMnv2QWSc9SYIumaVtl0bIWnEvdlOA4F2IJ1hU5emvDHM2syOPxK7wTPms9uLtOJBNekQaAUw61CJZ4LWlPQorYNQ==` |
+> | US DoD Central | rsa-sha2-256 | 01/31/2024 | `htGg4hqLQo4QQ92GBDJBqo7KfMwpKpzs9KyB07jyT9w=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDVHNOQQpJY9Etaxa+XKttw4qkhS9ZsZBpNIsEM4UmfAq6yMmtXo1EXZ/LDt4uALIcHdt3tuEkt0kZ/d3CB+0oQggqaBXcr9ueJBofoyCwoW+QcPho5GSE5ecoFEMLG/u4RIXhDTIms/8MDiCvbquUBbR3QBh5I2d6mKJJej0cBeAH/Sh7+U+30hJqnrDm4BMA2F6Hztf19nzAmw7LotlH5SLMEOGVdzl28rMeDZ+O3qwyZJJyeXei1BiYFmOZDg4FjG9sEDwMTRnTQHNj2drNtRqWt46kjQ1MjEscoy8N/MlcZtGj1tKURL909l3tUi3fIth4eAxMaAkq023/mOK1x` |
+> | US DoD Central | rsa-sha2-512 | 01/31/2024 | `ho5JpqNw8wV20XjrDWy/zycyUMwUASinQd0gj8AJbkE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCT/6XYwIYUBHLTaHW8q7jE2fdLMWZpf1ohdrUXkfSksL3V8NeZ3j12Jm/MyZo4tURpPPcWJKT+0zcEyon9/AfBi6lpxhKUZQfgWQo7fUBDy1K4hyVt9IcnmNb22kX8y3Y6u/afeqCR8ukPd0uBhRYyzZWvyHzfVjXYSkw2ShxCRRQz4RjaljoSPPZIGFa2faBG8NQgyuCER8mZ72T3aq8YSUmWvpSojzfLr7roAEJdPHyRPFzM/jy1FSEanEuf6kF1Y+i1AbbH0dFDLU7AdxfCB4sHSmy6Xxnk7yYg5PYuxog7MH27wbg4+3+qUhBNcoNU33RNF9TdfVU++xNhOTH1` |
+> | US DoD East | ecdsa-sha2-nistp256 | 01/31/2024 | `dk3jE5LOhsxfdaeeRPmuQ33z/ZO55XRLo8FA3I6YqAk=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD7vMN0MTHRlUB8/35XBfYIhk8RZjwHyh6GrIDHgsjQPiZKUO/blq6qZ57WRmWmo7F+Rtw6Rfiub53a6+yZfgB4=` |
+> | US DoD East | ecdsa-sha2-nistp384 | 01/31/2024 | `6nTqoKVqqpBl7k9m/6joVb+pIqKvdssxO5JRPkiPYeE=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBOwn2WSEmmec+DlJjPe0kjrdEmN/6tIQhN8HxQMq/G81c/FndVVFo97HQBYzo1SxCLCwZJRYQwFef3FWBzKFK7bqtpB055LM58FZv59QNCIXxF+wafqWolrKNGyL8k2Vvw==` |
+> | US DoD East | rsa-sha2-256 | 01/31/2024 | `3rvLtZPtROldWm2TCI//vI8IW0RGSbvlrHSU4e4BQcA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDv+66WtA3nXV5IWgTMPK9ZMfPzDaC/Z1MXoeTKhv0+kV+bpHq30EBcmxfNriTUa8JZBjbzJ0QMRD+lwpV1XLI1a26JQs3Gi1Rn+Cn+mMQzUocsgNN+0mG1ena2anemwh4dXTawTbm3YRmb5N1aSvxMWcMSyBtRzs7menLh/yiqFLr+qEYPhkdlaxxv4LKPUXIJ1HFMEq/6LkpWq61PczRrdAMZG9OJuFe/4iOXKLmxswXbwcvo6ZQPM6Yov1vljovQP2Iu4PYXPWOIHZe4Vb90IuitCcxpGYUs0lxm4swDRaIx0g+RLaNGQ7/f/l+uzbXvkLqdzr5u6gLYbb8+H6qp` |
+> | US DoD East | rsa-sha2-512 | 01/31/2024 | `xzDw4ZHUTvtpy/GElnkDg95GRD8Wwj7+AuvCUcpIEVo=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDrAT5kTs5GXMoc+fSX1VScJ4uOFAaeA7i1CVZyWCcVNJrz2iHyZAncdxJ86BS8O2DceOpzjiFHr6wvg2OrFmByamDAVQCZQLPm+XfYV7Xk0cxZYk5RzNDQV87hEPYprNgZgPuM3tLyHVg76Zhx5LDhX7QujOIVIxQLkJaMJ/GIT+tOWzPOhxpWOGEXiifi4MNp/0uwyKbueoX7V933Bu2fz0VMJdKkprS5mXnZdcM9Y/ZvPFeKaX55ussBgcdfjaeK3emwdUUy4SaLMaTG6b1TgVaTQehMvC8ufZ3qfpwSGnuHrz1t7gKdB3w7/Q7UFXtBatWroZ10dnyZ/9Nn4V5R` |
+> | US Gov Arizona | ecdsa-sha2-nistp256 | 01/31/2024 | `NVCEDFMJplIVFSg34krIni9TGspma70KOmlYuvCVj7M=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKM1pvnkaX5Z9yaJANtlYVZYilpg0I+MB1t2y2pXCRJWy8TSTH/1xDLSsN29QvkZN68cs5774CtazYsLUjpsK04=` |
+> | US Gov Arizona | ecdsa-sha2-nistp384 | 01/31/2024 | `CsqmZyqRDf5YKVt52zDgl6MOlfzvhvlJ0W+afH7TS5o=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBKwIkowKaWm5o8cyM4r6jW39uHf9oS3A5aVqnpZMWBU48LrONSeQBTj0oW7IGFRujBVASn/ejk25kwaNAzm9HT4ATBFToE3YGqPVoLtJO27wGvlGdefmAvv7q5Y7AEilhw==` |
+> | US Gov Arizona | rsa-sha2-256 | 01/31/2024 | `lzreQ6XfJG0sLQVXC9X52O76E0D/7dzETSoreA9cPsI=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCt8cRUseER/kSeSzD6i2rxlxHinn2uqVFtoQQGeyW2g8CtfgzjOr4BVB7Z6Bs2iIkzNGgbnKWOj8ROBmAV4YBesEgf7ZXI+YD5vXtgDCV+Mnp1pwlN8mC6ood4dh+6pSOg2dSauYSN59zRUEjnwOwmmETSUWXcjIs2fWXyneYqUZdd5hojj5mbHliqvuvu0D6IX/Id7CRh9VA13VNAp1fJ8TPUyT7d2xiBhUNWgpMB3Y96V/LNXjKHWtd9gCm96apgx215ev+wAz6BzbrGB19K5c5bxd6XGqCvm924o/y2U5TUE8kTniSFPwT/dNFSGxdBtXk23ng1yrfYE/48CcS5` |
+> | US Gov Arizona | rsa-sha2-512 | 01/31/2024 | `dezlFAhCxrM3XwuCFW4PEWTzPShALMW/5qIHYSRiTZQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDIAphA39+aUBaDkAhjJwhZK37mKfH0Xk3W3hepz+NwJ5V/NtrHgAHtnlrWiq/F7mDM0Xa++p7mbJNAhq9iT2vhQLX/hz8ibBRz8Kz6PutYuOtapftWz7trUJXMAI1ASOWjHbOffxeQwhUt2n0HmojFp4CoeYIoLIJiZNl8SkTJir3kUjHunIvvKRcIS0FBjEG9OfdJlo0k3U2nj5QLCORw8LzxfmqjmapRRfGQct/XmkJQM5bjUTcLW7vCkrx+EtHbnHtG+q+msnoP/GIwO3qMEgRvgxRnTctV82T8hmOz+6w1loO6B8qwAFt6tnsq2+zQvNdvOwRz/o+X8YWLGIzN` |
+> | US Gov Iowa | ecdsa-sha2-nistp256 | 01/31/2024 | `nGg8jzH0KstWIW2icfYiP5MSC0k6tiI07u580CIsOdo=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGlFqr2aCuW5EE5thPlbGbqifEdGhGiwFQyto9OUwQ7TPSmxTEwspiqI7sF4BSJARo9ZTHw2QiTkprSsEihCAlE=` |
+> | US Gov Iowa | ecdsa-sha2-nistp384 | 01/31/2024 | `Dg+iVLxNGWu0DUgxBG4omcB9UlTjXvUnlCyDxLMli4E=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBAsubBoJjCp1gO26Xl0t0t0pHFuKybFFpE7wd4iozG0FINjCd4bFTEawmZs3yOJZSiVzLiP1cUotj2rkBK3dkbBw+ruX0DG1vTNT24D6k54LhzoMB0aXilDtwYQKWE+luw==` |
+> | US Gov Iowa | rsa-sha2-256 | 01/31/2024 | `gzizFNptqVrw4CHf17tWFMBuzbpz2KqDwZLu/4OrUX8=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDMv5Y4DdrKzfz2ZDn1UXKB6ItW9ekAIwflwgilf8CJxenEWINEK5bkEPgOz2eIxuThh9qE8rSR/XRJu3GfgSl9ATlUbl+HppXSF7S1V1DIlZbhA75JU/blUZ1tTTowrjwSn8dpnR2GQcBhywmdbra7QcJyHb+QuY9ZGXOu3ESETQBCD6eUsPoHCdQRtKk1H6zQELRPDi/qWCYhdNULx4j19CdItjMWPHfQPV9JEGGFxfBzDkWaUIDymsex44tLLxe9/tT8XlD/prT/zCLV0QE/UYxYI3h9R9zL7OJ5a92J72dBRPbptXIhz7UVeSBojNXnnOf+HnwAVbt1Fi/iiEQJ` |
+> | US Gov Iowa | rsa-sha2-512 | 01/31/2024 | `Izq7UgGmtMU/EHG+uhoaAtNKkpWxnbjeeLCqRpIsuWA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDofdiTcVwmbYyk9RRTSuI6MPoX7L03a6eKemHMkTx2t7WtP7KqC9PlnmQ2Jo5VoaybMWdxLZ+CE8cVi70tKDCNgD8nAjKizm0iMk2AO5iKcj8ucyGojOngXO4JGgrf1mUlnQnTlLaC1nL487RDEez5rryLETGSGmmTkvIGNeSJUWIWqwDeUMg1FUnugyOeUmRpY7bl/PlUfZAm9rJJZ5DwiDGjn6dokk7S/huORGyUWeDVYGCSQug6VRC1UxnJclckgRIJ2qMoAZln4VdqZtpT3pBXaZqOdY52TQSAdi345bEHSCaGxyTdT14k3XjI/9q8BZ9IX7K4fbJCX0dbLHJp` |
+> | US Gov Texas | ecdsa-sha2-nistp256 | 01/31/2024 | `osmHklvhKEbYW8ViKXaF0uG+bnYlCSp1XEInnzoYaWs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjvs/Cy4EODF21qEafVDBjL4JQ5s4m87htOESPjMAvNoZ3vfRtJy81MB7Fk6IqJcavqwFas8e3FNRcWBVseOqM=` |
+> | US Gov Texas | ecdsa-sha2-nistp384 | 01/31/2024 | `MIJbuk4de6NBeStxcfCaU0o8zAemBErm4GSFFwoyivQ=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGxPcJV0UdTiqah2XeXvfGgIU8zQkmb6oeJxRtZnumlbu5DfrhaMibo3VgSK7HUphavc6DORSAKdFHoGnPHBO981FWmd9hqxJztn2KKpdyZALfhjgu0ySN2gso7kUpaxIA==` |
+> | US Gov Texas | rsa-sha2-256 | 01/31/2024 | `IL6063PFm771JPM4bDuaKiireq8L7AZP+B9/DaiJ2sI=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDUTuQSTyQiJdXfDt9wfn9EpePO0SPMd+AtBNhYx1sTUbWNzBpHygfJlt2n0itodnFQ3d0fGZgxE/wHdG6zOy77pWU8i95YcxjdF+DMMY3j87uqZ8ZFk4t0YwIooAHvaBqw/PwtHYnTBr82T383pAasJTiFEd3GNDYIRgW5TZ4nnA26VoNUlUBaUXPUBfPvvqLrgcv8GBvV/MESSJTQDz1UegCqd6dGGfwdn2CWhkSjGcl17le/suND/fC5ZrvTkRNWfyeJlDkN4F+UpSUfvalBLV+QYv4ZJxsT4VagQ9n6wTBTDAvMu3CTP8XmAYEIGLf9YCbjxcTC+UywaL1Nk++x` |
+> | US Gov Texas | rsa-sha2-512 | 01/31/2024 | `NZo9nBE/L1k6QyUcQZ5GV/0yg6rU2RTUFl+zvlvZvB4=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCwNs5md1kYKAxFruSF+I4qS1IOuKw6LS9oJpcASnXpPi//PI5aXlLpy5AmeePEHgF+O0pSNs6uGWC+/T2kYsYkTvIieSQEzyXfV+ZDVqCHBZuezoM0tQxc9tMLr8dUExow1QY5yizj35s1hPHjr2EQThCLhl5M0g3s+ktKMb77zNX7DA3eKhRnK/ulOtMmewrGDg9/ooOa7ZWIIPPY0mUDs5Get/EWF1KCOABOacdkXZOPoUaD0fTEOhU+xd66CBRuk9SIFGWmQw2GiBoeF0432sEAfc3ZptyzSmCamjtsfihFeHXUij8MH8UiTZopV3JjUO6xN7MCx9BJFcRxtEQF` |
+> | US Gov Virginia | ecdsa-sha2-nistp256 | 01/31/2024 | `RQCpx04JVJt2SWSlBdpItBBpxGCPnMxkv6TBrwtwt54=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD7FjQs4/JsT0BS3Fk8gnOFGNRmNIKH0/pAFpUnTdh7mci4FvCS2Wl/pOi3Vzjcq+IaMa9kUuZZ94QejGQ7nY/U=` |
+> | US Gov Virginia | ecdsa-sha2-nistp384 | 01/31/2024 | `eR/fcgyjTj13I9qAif2SxSfoixS8vuPh++3emjUdZWU=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBKtxuygqAi2rrc+mX2GzMqHXHQwhspWFthBveUglUB8mAELFBSwEQwyETZpMuUKgFd//fia6NTfpq2d2CWPUcNjLu041n0f3ZUbDIh8To3zT7K+5nthxWURz3vWEXdPlKQ==` |
+> | US Gov Virginia | rsa-sha2-256 | 01/31/2024 | `/ItawLaQuYeKzMjZWbHOrUk1NWnsd63zPsWVFVtTWK0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC87Alyx0GHEYiPTqsLcGI2bjwk/iaSKrJmQOBClBrS23wwyH/7rc/yDlyc3X8jqLvE6E8gx7zc+y3yPcWP1/6XwA8fVPyrY+v8JYlHL/nWiadFCXYc8p3s8aNeGQwqKsaObMGw55T/bPnm7vRpQNlFFLA9dtz42tTyQg+BvNVFJAIb8/YOMTLYG+Q9ZGfPEmdP6RrLvf2vM19R/pIxJVq5Xynt2hJp1dUiHim/D+x9aesARoW/dMFmsFscHQnjPbbCjU5Zk977IMIbER2FMHBcPAKGRnKVS9Z7cOKl/C71s0PeeNWNrqDLnPYd60ndRCrVmXAYLUAeE6XR8fFb2SPd` |
+> | US Gov Virginia | rsa-sha2-512 | 01/31/2024 | `0SbDc5jI2bioFnP9ljPzMsAEYty0QiLbsq1qvWBHGK4=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDNu4Oori191gsGb8rlj1XCrGW/Qtnj6rrSQK2iy7mtdzv9yyND1GLWyNKkKo4F3+MAUX3GCMIYlHEv1ucl7JrJQ58/u7pR59wN18Ehf+tU8i1EirQWRhlgvkbFfV9BPb7m6SOhfmOKSzgc1dEnTawskCXe+5Auk33SwtWEFh560N5YGC5vvTiXEuEovblg/RQRwj+9oQD1kurYAelyr76jC/uqTTLBTlN7k0DBtuH305f7gkcxn+5Tx1eCvRSpsxD7lAbIoCvQjf95QvOzbqRHl6wOeEwm03uK8p9BLuzxlIc0TTh4CE8KrO5bciwTVi1xq7gvqh912q0OvWpg3XBh` |
+> | West Central US | ecdsa-sha2-nistp256 | 12/31/2023 | `rkHjcTK2BvryQAFvjugTHdbpYBGfOdbBUNOuzctzJqM=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKMjEAUTIttG+f5eocMzRIhRx5GjHH7yYPzh/h9rp9Yb3c9q2Yxw/j35JNWxpGwpkb9W1QG86Hjt4xbB+7q/D8c=` |
+> | West Central US | ecdsa-sha2-nistp256 | 12/31/2025 | `9LD9RF5ZMvHPpOVy6uQ8GjM7kze/yn9KL2StDZbbWQs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA3aUdy4Z/P7X+R+BxA6zbkO96cicb9n+CjhB+y12lmF8vRLxfX03+SmiCul6+TTyuQYaW0AN9bcKDK4udy/H2s=` |
+> | West Central US | ecdsa-sha2-nistp384 | 12/31/2023 | `gS9SYvaH6dCqyugArvFb13cwi8q90glNaK+fyfPie+Y=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBD0HqM8ubcDBRMwuruX5zqCWSp1DaLcS9cA9ndXbQHzb2gJ5bJkjzxZEeIOM+AHPJB8UUZoD12It4tCRCCOkFnKgruT61hXbn0GSg4zjpTslLRYsbJzJ/q6F2DjlsOnvQQ==` |
+> | West Central US | ecdsa-sha2-nistp384 | 12/31/2025 | `8+sQzfhwPUFU8FsRTXr94dU9+RQ1Y+WSsRnAW2avOlA=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBK5YEuLSqd+FiuaJDVa0+YvluAjxJGGy2hhcTaSQYXKUG6UMpBWgvYN3yf7wT7JetiUcLc/LcGe1/V2gtZHMCOpYABumkWXVOfl98UDfzyHh+p6yn872y6v9KuVJjN/LJA==` |
+> | West Central US | rsa-sha2-256 | 12/31/2023 | `aSNxepEhr3CEijxbPB4D5I+vj8Um7OO6UtpzJ/iVeRg=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDDWmd8Zd7dCfamYd/c1i4wYhhRnaIgUmK7z/o8ehr4bzJgWRbjrxMtbkD2y7ImjE2NIBG5xglz6v9z4CFNjCKUmoUl7+Le3Rsc5sJ/JmHAmEXb0uiDMzhq9f6Qztp+Pb9uqLfsPmm6pt1WOcpu+KNpiGtPWTL21sJApv6JPKU+msUrrCIekutsHtW6044YPXNVOnvUXv08BaPFhbpeGZ4zkrji0mCdGfz2RNcgLw0y3ZzgUuv0Lw+xV0/xwanJu4IOFI1X9Ab7NnoGMkqN/upBLJ4lRhjYVTNEv01IX2/r5WZzTn4c38Nfw4Ma3hR0BiLMTFfklFVGg2R64Z7IILoB` |
+> | West Central US | rsa-sha2-256 | 12/31/2025 | `GOVwLTexmpNcGW0BJ5vXcM7K4Dy8OyLtFHEKSOFU2Vk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC12vm3S6iVMKIGxwRyaaEr5NI7EG5ttvB8gvq03LAs0WRXlSUxswM85GlbSS40OKZWe3SxEuu5uc9mL908ilVi7YQqw11ZK+7P+tljIMMmirFoeQlCdJzVjbhqgS/xe9tsKvDxOch2IBpJTEqbA6FgI2+kS0gVR1a4NehhWdm3wEcCsFEbe/tRAKrlWHPq2+bGyZIOQkArANX9CMkMUT0d2fORyl8eH0vU9w3Pg6RdHpRBPPgGcmHpv0cxE8l8rbGyM4+tx+stmnJpjF92HWPEDb1crtatPQvRkXeP+qJIHvUD1USdeEBo2bJBPpNfHqNZ/x+0TDanpYwdzFuc52zB` |
+> | West Central US | rsa-sha2-512 | 12/31/2023 | `vVHVYoH1kU1IZk+uZnStj3Qv2UCyOR9qVxJfmTc20jQ=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC9Q8Tvvnea8hdaqt+SZr4XN1JIeR43nX6vrdhcS6yyfRgaTcEdKbAKQbwj9Fu3kq80c4F+SNzh1KQWlqLu3MJHSaSdQLN9RaHO1Dd+iVK1WgZtsPM9+6U7wupMZq8Hdmao5sqaMT5lj7g+win2J+Wibz7t8YwS7g2Xi+ode8tFPFKduZ5WvKLjI0EiAS4mvcyWEWca142E8fxV9TobUjAICfgtL4vCpmLYKnSL/kUgplD0ow86k/MHp9zghDLVSVDj8MGMra+IJEpgHOUrFNnuyua2WSJVuXR2ITfaecRKrGg7Z4IJzExPoQzDIWdCHptiGLAqvtKT0NE2rPj9U4Rp` |
+> | West Central US | rsa-sha2-512 | 12/31/2025 | `105lnhGDVhkt7/KbNWNW1sMT6ezj6HYdGedf2a8tzLo=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDvHbPUEzQXOZzJI2lGWDKHXztBsdwleqeQKGKfJzPlZBDtfPakRWs5BhkXBYm6hqGDO4k1huAZKqS+C1Xv/rbaY+8NkC66NLw2VyhxRLzNvOAUWcEiMji6Q7mErii0cZsjNNtnsQZj36iFGHcSihjeU55EOPt1mvo8QquqNdvBKApQ96fqy0xLoQv1JVg/CgQxv4hVkq4/yPfHZWyU29EjhHZdYwIDU6DFn1UwQw0pixnB31sFTQhYnxpMAk1xj2qkh0UiNMZThRVy/giE3OzzVcDD7bH1bZmFSAX29f8EiUEMeisHEKsQsjjGyPSQD544U4vXIznbgdHKvHNhFluJ` |
+> | West Europe | ecdsa-sha2-nistp256 | 12/31/2023 | `0WNMHmCNJE1YFBpHNeADuT5h+PfJ/jJPtUDHCxCSrO0=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBANx85rJLXM8QZi33y8fzvUbH+O5Cujn0oJFDGQrwhGJQTHsjIhd5bhFFgDvJ64/4SGrtP1LHDKLwr9+ltzgxIE=` |
+> | West Europe | ecdsa-sha2-nistp256 | 12/31/2025 | `7Lrxb5z3CnAWI8pr2LK5eFHwDCl/Gtm/fhgGwB3zscw=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE/ewktdeHJc4bH41ytmxvMR3ch9IOR+CQ2i2Pejbavmgy6XmkOnhpIPKVNytXRCToDysIjWt7DLVsQ1EHv/xtg=` |
+> | West Europe | ecdsa-sha2-nistp384 | 12/31/2023 | `90g+JfQChjbb3OOV0YIGSVTkNotnefCV2NcSuMdPrzY=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBNJgtrLFy2zsyhNvXlwHUmDBw1De++05pr1ZTxOIVnB17XZix0Euwq/wZTs0cE01c5/kYdAp+gQHEz594e7AQXBTCTqUiIS1a4+IXzfiCcShVfMsLFBvzjm9Yn8qgW9Ofg==` |
+> | West Europe | ecdsa-sha2-nistp384 | 12/31/2025 | `UpzudqPZw1MrBiBoK/HHtLLppAZF8bFD75dK7huZQnI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBEDYr3fSaCAcTygFUp7MKpND4RghNd6UBjnoMB6EveRWVAiBxLTsRHNHaZ+jk3Q8kCHSEJrWKAOY4aZl78WtWcrmlWLH8gfLtcfG/sXmXka8klstLhmkCvzUXzhBclBy7w==` |
+> | West Europe | rsa-sha2-256 | 12/31/2023 | `IeHrQ+N6WAdLMKSMsJiML4XqMrkF1kyOiTeTjh1PFyc=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDZL63ZKHrWlwN8gkPvq43uTh88n0V6GwlTH2/sEpIyPxN56/gpgWW6aDyzyv6PIRI/zlLjZNdOBhqmEO+MhnBPkAI8edlvFoVOA6c/ft5RljQOhv+nFzgELyP8qAlZOi1iQHx7UeB1NGkQ5AIwNIkRDImeft9Iga+bDF6yWu60gY43QdGQCTNhjglNuZ6lkGnrTxQtPSC01AyU51V1yXKHzgaTByrA4tK6cGtwjFjMBsnXtX2+yoyyuQz/xNnIN63awqpQxZameGOtjAYhLhtEgl39XEIgvpAs1hXDWcSEBSMWP4z04U/tw2R5mtorL3QU1CmokWmuAQZNQcLSLLlt` |
+> | West Europe | rsa-sha2-256 | 12/31/2025 | `m/p8MR6TSI/yjFpm0REBHzb+8MtSOKLhqgijeVFKX54=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCdC6asS58EMYOBJe6HXlOIeVdKIQ0MI7ZxUVrFIc7wylNm5d0dEQUrg6hpq7m4jFPY08TptGf0AAd75JqDDyXeVv6p78NclbYiFESc8HsDhM5gc0Co+qjQRXzrfhFa4o/BJQ9V/MIo0Ir4RfFMkjFVrZSa/IS3DFvjZkmcP1oGumJ0re1pZK2dHoxH9foEbqG2j93XclQECm/RYmaobJ6DwXWhWuFTgu2C+GE2yvi3lP1NZPrROR2VVA3xRNfPeBSsxNyEVI5EpDfAIMfUGzB1uH6Hb4P2wQmTtiDOY4hBWYNzwJyllSiGNJ26ZETgK7uy6rwCPj75NnY1hFF7wM89` |
+> | West Europe | rsa-sha2-512 | 12/31/2023 | `7+VdJ21y+HcaNRZZeaaBtk1AjkCNK4weG5mkkoyabi0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDYAmiv6Tk/o02McJi79dlIdPLu1I5HfhsdPlUycW+t1zQwZL+WaI182G6SY728hJOGzAz51XqD4e5yueAZYjOJwcGhHVq6MfabbhvT1sxWQplnk3QKrUMRXnyuuSua1j+AwXsm957RlbW9bi1aQKdJgKq3y2yz+hqBS76SX9d8BxOHWJl5KwCIFaaJWb0u32W2HGb9eLDMQNipzHyANEQXI9Uq2qRL7Z20GiRGyy7VPP6AbPYTprrivo3QpYXSXe9VUuuXA9g3Bz3itxmOw6RV9aGQhCSp22BdJKDl70FMxTm1d87LEwOQmAViqelEeY+DEowPHwVLQs3rIJrZHxYV` |
+> | West Europe | rsa-sha2-512 | 12/31/2025 | `UOJXkaV/Dphq7zGqbzdcMhKBYg5PKVoDA9d3FKoxoWI=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDFkp12XZbCzf2hNsxHuiPErkpOaEy89scBSZWZqIQdh2oEXuIS5IgxLkgcZ1oYaNh8QCHiKFH1d8TkYn37OqGGeRhHeshiusU7e6e3az4vcotyYs9vgJIkLkH+lbPL1u6AbnrT58CP/3hAgRX9OAsQiyNcK+9zmlV0wNhp8HlLSpV7EkLcD4HGMsy8h+TIczzM3PA20aRQQH1pcF55u+oULVR4bETJ2ZjQgW/Op90oagdtvNGyIlEKzHD2O8i+mW0OuMoMq1lRUEsL436MZ5h1EnolstvFZqGo2SUM6LTyNHYVDAxuzBAqG11XymsGJSGah46HrHzEKDHALm2DT0X1` |
+> | West India | ecdsa-sha2-nistp256 | 12/31/2023 | `t+PVPMSVEgQ3FPNploXz7mO25PFiEwzxutMjypoA2DM=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCzR5dhW3wfN5bRqLfeZ2hlj7iRerE4lF5jk+iQl6HJHKXIsH6lQ63Wyg7wOzF65jNnvubAJoEmzyyYig+D3A+w=` |
+> | West India | ecdsa-sha2-nistp256 | 12/31/2025 | `fqnnguov0esOCv5kzyNu+QB/OdgLfJRFQiX1ZcBL9zk=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJerCcVxwdgkwow5l62SLJdDGAkLU5274U+3Y0KXtn5jMffsvVPbYBp+xpzV7C/9hGvSjarTA2zZS+x9mmINLKs=` |
+> | West India | ecdsa-sha2-nistp384 | 12/31/2023 | `pLODd+3JNeLVcPYYnI0rSWoemhMWws0jLc3J8cV6+GU=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBL2PEknfZpPAT4ejqBJW8InHPELP1G7hGvroW5J3evJr8Qrr//voa6aH8ZF7Ak0HcVVOOCSzfjcEpZYjjrXrzuCOekU48DkSF8i1kKqV4iXejNNQ1ohDCbsiAyoxQMY9cA==` |
+> | West India | ecdsa-sha2-nistp384 | 12/31/2025 | `UjeoSwhOAV7RXh9oyGDVn9SLqKYkP7yeQR1V7uQozrg=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGs53qZH59WZCV1Cyk6qCHhGZOvwRLQxrl20t9D1Xit2dzM5LxJTmUHWx0iiCetUu2+btDi3QVoU4RjUkC6gVNV997fPhaCPwtskXVEfwUjGDn2lKo/5Zz6jg3hWbV4C2g==` |
+> | West India | rsa-sha2-256 | 12/31/2023 | `Fkh7r/tOJy1cZC6nI75VsO1sS3ugMvJ56U02uGGJHFo=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDHCzLI51bbBLWK7TcXvXvEHaLQMzuYKEwyoS1/oC5EN3NsLZl4BV5d2zbLETFDjsky/btWiAkCvHuzxealxGgzw69ll90aWSOEY/epaYJvueOTvGy4+rJY8Xyc64VdHml8n3EEZTQmBEi3Tn6bViLwvC0iT2/noLeYGXh0/NL0T3BeblwSm3cNXyemkBQO/zyYcchqRtKJu8w8brYVZYFINlTeBu4LyDP1k9DMtuewGoeH8SmvDxUmiIGh2VDlPmXe3IkMR0nSgz10jMl3F0fei7ZJ+8zdCVbBuIqsJf+koJa/q9npstWGMFddMX3nR0A3HnG4v5aCAGVmfl11iC0J` |
+> | West India | rsa-sha2-256 | 12/31/2025 | `6o6rED61qGbOmiYN+2ZwFqhKy7yYACvHKEchCDE5DQ0=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCpdKbl4v4dOTnRaSv/Y+d/yZVgg6841dCembUsn9SZ/oTGeNojSqf52qDYpeTosWBXzFBhVVldeXU8F6lEIMaHXmWMtqgcXkEGj/dteA+CNWiP96PFGp2Ea6YQk7EDanEeG8VJnCbdXuhMlx/f1+evZKAradA5tBQsx8o/KcqlVj7YRcwVcuT7uCd3E8IEqfUkxixP/60of7UrP1e5n8FW+7yN6BOW/DI8hXPEGt30xW1cb2m+sYY7wKbPElJ35XSwji2UOUrH0EQxCHvUiXi/y27Js7bB0iMb/acEUseEnewOWg24766FeGsI5hFI/gMEwmo7LOiIK48pbhrR0evh` |
+> | West India | rsa-sha2-512 | 12/31/2023 | `xDtcgfElRGUUgWlU9tRmSQ58WEOKoUSKrHFDruhgDIM=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCXehufp18nKehU4/GOWMkXJ87t22TyG5bNdVCPO2AgLJ88FBwZJvDurLgdPRDRuJImysbD7ucwk2WoDNC39q0TWtCRyIKTXfwvPmyG+JZKkT+/QfslMqiAXAPIQtVr2iXTeuHmn3tk+PksGXnTwb3oFV4wv40Wi1CbwvtCkUsBSujq4AR7BqksPnAqPrAyw+fFR3w4iD3EdtHBdIVULez3lkpMH/d04rf2bjh6lpI9YUdcdAmTGYeMtsf/ef8z0G2xpN2aniLCoCPQP85cooKq7YEhBDR8Lzem3vWnqS3gPc4rUrCJoDkGm0iL/4GCWRyG+RPi70WSdVysJ+HIm0Ct` |
+> | West India | rsa-sha2-512 | 12/31/2025 | `MhWWguOBOabnBUZj7sfAi/bjlt+FLnbpdveOo8a55RA=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDD/dgokjPgehyaJKnjsKwHVuiq6vAkdEYIhe4Ug7Cxw+yfSdH53mXZEtMHK8aCWqR1RDq9tJDlJMTIQbTJzRN0btX4uYT2UD4TU/nG3IpZhtebTFIbf6Gc76jN91jpkZhwQ9LBtf53KFwgHb1Ll2mwROVblDOmVN335kxyz1xTnHzNYZgMLxyIyihPlipbUkiAwXAm5Vsfpj/eHlcTINZUZUAP0bRTRrqWPpjJY92am0plMn0rqxhCeiUDApXzOSzxoFEqShcBGAEecR1DlvXTDwBLsY2ZAp2G52BhWzppHmfwzc0wH1O3QvzghwJ0erx4VatorLtUiSvq+Nc7caT5` |
+> | West US | ecdsa-sha2-nistp256 | 12/31/2023 | `peqBbfcWZRW4QzLi69HicUUTwdtfW7/E9WGkgRMheAo=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBcTos/zmSn15kzn1Lk8N8QQh9hzOwqOSOf/bCpu6AQbWJtvjf1pHMuZlS2PpIV7G+/ImxXGpqpHqQlcD+Lg8Ro=` |
+> | West US | ecdsa-sha2-nistp256 | 12/31/2025 | `wperGSrWWXuMxThLydo9c1vl9FBXDsJndwHu8x2qx+s=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKW5TfLgVBOzf/MlenMuKtG/Es1rejUEQr1OQqf/IrKUSt5dijkoCJpxlRupa8DTZHM+6SzUZ4DyHhi2KLXLr3E=` |
+> | West US | ecdsa-sha2-nistp384 | 12/31/2023 | `sg63Cc3Mvnn9hoapGaEuZByscUEMa+xgw/3ruz49szk=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBGzX2t9ALjFwpcBLm4B0+/D47PMrDya0KTva5w4E5GZNb5OwQujQvtUS2owd8BcKdMBeXx2S7qbcw6cQFffRxE+ZTr4J+3GoCmDM0PqraXxJHBRxyeK6vlrSR8ojRzIApA==` |
+> | West US | ecdsa-sha2-nistp384 | 12/31/2025 | `x7dfHFGCUko41YObPl0UTf11dd6rcl96gdzhBGsRqKI=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBMz4aRR1X8ft8T6/oUNuCRNXbajgaSyKxKOe3OlkHHWGxu1vP0h9I8dHPzlG/yB796xg2ygFe/h3TaFVujYZNmP4M5uWmhxahJ6hceYRQp7EKv4n3SR2kNGSngRkj3EdZw==` |
+> | West US | rsa-sha2-256 | 12/31/2023 | `kqxoK1j6vHU8o8XyaiV87tZFEX9nE6o/yU0lOR5S6lE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDAd7gh0mFw3iRAKusX3ai6OE0KO5O2CMlezvZOAJEH88fzWQ/zp0RZ1j7zJ8sbwslA6v3oRQ7Cx9ptAMTrL8SW4CZYcwETlfL3ZP39Llh+t7rZovIgvCDU0tijYvsa1W0T9XZgcwWEm6cWQzdm+i9U0KUdh7KgsubPAhGQ7xrOVEqgB9MYMofSSdIfKMt8K7xOSam6mhWiTSSIEGgeMTIZ9TgXkgAEJ8TNl3QHRoM8HxMnRFjtkXbT3EeSg6VOqi69Cei3hrmS64qvdzt2WwoTQwTFjxHocWGgA+Ow53wqWt8iYgOudpoB1neXiIcF4p0CN8zjvXNiRbZPg9lXFM9R` |
+> | West US | rsa-sha2-256 | 12/31/2025 | `/0XElvAnzA260jbgxbbbW4ZktmIJBTR/I/8r+ap7d5g=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDctdy9TQF` |
+> | West US | rsa-sha2-512 | 12/31/2023 | `/PP9B/9KEa+QUyump1Yt05Lfk0LY/eyQhHyojh5zMEg=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC8R8bFe8QSTYKK+4evMpnlB8y0rQCqikTyviqD4rva7i4f1f/JxmptJQ/wkipHPXk6E7Du6oK/iJaZ+wjZ03tNIWwAGn0SdlTvWuwQwigK9k3JRlLYO+Uj/SSnBQWf8Dmp+cA6RDalteHpM2KwaUK65BHYC75bWKHaNntadTIU4kQ0BvFzmNRcJWL6otd5RkdYXjJWHu21zcv4EpRHGmVCD0na+UWce6UGDbLDtsZVJd2Q7IyeTrXpWxEO0fFN2Gu9gINfWC1FpuffGaqWSa4nK69n39lUKz4PUdu6Owmd9aNbLXknvtnW4+xGbX6oQa8wYulINHjdNz8Ez6nOiNZ9` |
+> | West US | rsa-sha2-512 | 12/31/2025 | `SWWxUUOar1u0jPPi4XjB5Ml8LVRI8FWCMKVR+vN3uKs=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDWNjo16W9rd72PATIzhqQfGdzY/3YkuPRtmHa0VashniM2Edqmqtjn/8Z/CFmWA1wS0CulgqLvZ9UdtHUegiJdrrY++HBGCv4DC6YcXAMczhlYDB1qMap0ELFVjqVdGe1w8tzhO02q5hhn9LdaDkyGVuaEPkzVYbRoGEYpTszFcLUJ1isCDRX/41Ek7ELyHUgv8TEyMMZ5ndqB9xuA2BcwR+8U0+3iHY0JhwAQZvRyzeipUh0S3eEF96IraMvMCAg6hA5axlEZYC/t1ZoRnmdAuNpFwRCQTd0tNL8g+nTE1GK7SoITSl1/YVfTqtiisFCoDrEHWanrdFiBogZQB1mh` |
+> | West US 2 | ecdsa-sha2-nistp256 | 12/31/2023 | `rt5kaA0neIFDIWTP2MjWk9cOSapzEyafirEgPGt+9HM=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKEKP+1QZf3GfEvkNZtzoKr05iAwGq+yPhUsVdyA7uKnwvTwZAi7NBr4hMkGIIdgQlGrMNNXKS0V+rhMNI1sH48=` |
+> | West US 2 | ecdsa-sha2-nistp256 | 12/31/2025 | `68JQ/P3TUrEAk2hMHXUF12kiH+J1s4wNbw2QsGHiX6g=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKVvUWrwtZRU8DdawVrzYz6zLkmjC/I+chcu4KxSwUnHP/QyEcKJHbP45XU5dQ884MKKV4jo+8jXwjdzOx/f/kk=` |
+> | West US 2 | ecdsa-sha2-nistp384 | 12/31/2023 | `g0vDKd4G5MKnxWewbnCYahCv1lZgfnZeEXfPAhv+trs=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBB1+/Qu9Y1BqqV3seN0+0ITYCueuv0TFAnfG9z1Io8VYjmxLvdmaDvTi9kJ0ShjFJRKjbCfYKNekqYZDW4gBfmE9EyvMPI6VXPVLNY3TQ/z+Y7qO/oa28cSirW9fhp7vbA==` |
+> | West US 2 | ecdsa-sha2-nistp384 | 12/31/2025 | `uUGvuCxgDLpe1SHg7gwm98iqzdw3NBKcg2UWPhfZ5hE=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBEYPlipfp0E7RMEm+82OTZDCRM2Ll7Ag9g0o/RFzNNs5KbSbwjfBFSq8W1+DM/m1s45I+LY12jxPNs+8tRbNMARl3rnG8ZC5oSDPtQNsedIhkNzFvaMl9DVSdfWJ/1nflg==` |
+> | West US 2 | rsa-sha2-256 | 12/31/2023 | `ktnBebdoHk7eDo2tvJuv36XnMtfauhvF/r0uSo6DBfk=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDoskHzExtM+YSXGK6cBgmnLlXsZLWXkEexPKC7wHdt0kSqkIk9F31wD+2LefZzaTGfAmY5/EWrOsyBJvIgOoksH+ZPMnE9+TOWqy6vsS+Ml/ITvUkWajS1bKDPDSoIrCM1rQ9PlbgMQFg4o0FfyxLVCP7hcgvHO+aycOxkiDqtvwANvIn2Qwt7xwpIv1Mnc4OpcBSxbigb7ISlrvR9XWivE/piWjXS3IEYkGv7VitAlmWEoTt9L7K94bYol2nCXSXJ33X6xVVwVNpdxVtnUQBIRinN+vkOccgG0jvWtWPtrMjyDg/lyvr6lBdO/CQy4VO4VrIBuL6pjsS8KfIfTxKd` |
+> | West US 2 | rsa-sha2-256 | 12/31/2025 | `WOdi+FVzlkWLhCdljVB8m5QUGP7i9BQv+TX5dRflO64=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC9FWlQHNtLZy21Wfi9I8t721lWp30x5TjvfmoMAO/wc/ktmoQySpUJltSgGTR+LCbCvgdKE98AxoRaJS/9x4HFW6/amYIy53F/YKgybul6udkoqWQ1mdul6y4BeLjKyZs6wW9H1NwCDIBApgVfQCpIbenZ7xeiz8z4lZeYxFcHWqR6FfrTztTwx+6cuwu0276piJ4TZCj4aCt8AZSR8nsQy6Plrcti1BMKzbkqSa5pwSIxiKyUATW2enQAVz6hINPw6tr/J7/IlW3612YwgnpR1/qedpUDkrYw34O2slfOXz4d7bSbWD+WoRXMT1bGuqXzgvtQH7MDrZ2q1w4nNfqZ` |
+> | West US 2 | rsa-sha2-512 | 12/31/2023 | `i8v3Xxh/phaa5EyZEr5NM4nTSC/Rz7Nz0KJLdvAL0Ls=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDOOo5f0ACypThvoDEokPfzGJUxbkyMoQKca9AgEb3YkQ/lsYCfLtfGxMr2FTOGQyx5wfhOrN0B2SpI4DBgF3B0YSLK0omZRY7fpVPspWWHrsbTOJm/Fn7bWCM+p63xurZ6RUPCA6J1gXd3xbdW7WQXLGBJZ6fjG7PbqphIOfFtwcs/JvjhjhvleHrXOtfGw9b4Jr8W1ldtgKslGCU1mnUhOWWXUi+AhwGFTI0G/AShlpX8ywulk2R+fxet3SNGNQmjydnNkcsrBI/EMytO1kwoJB3KmLHEeijaQzK7iJxRDZEHlHWos6G7jwaGPI4rV5/S1N+xnG+OhCDYAUbunp5R` |
+> | West US 2 | rsa-sha2-512 | 12/31/2025 | `tIgpJAxfZKsvi3k9uaw7+ZjBnjATmwh5gP4PEhv1/o4=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQCukOsbGJpfRbExD2qR7RjjSNYuN0gGKTT9bkFQ24zZ+rqNCpLbg6PDISfVbPGs6rC4nwL4IaUySgmN8F/8Im0A1czVtnSsL2k0kdpVCQAaH1E8fV1lqKphKayZ3b4zzfuA9+DKQ06yPr0PmO3mUOVAv/CCBxRNpVj92P9f/CTY9wQpBSsJhl5XTAQhgTlQLcPmP9JMrSavMCnx3ablh8xrAwGcsNUBHc43KmA3CMTD3+MF4eAWmWxvzdNzrSVu3pta2yz1N8vnP0WGUBM6kY8KB2KClKkzms2kIFx2Fe2pfn1LU/SYX0MGuhKc0n/CWhzmckSDIOyWcYsTpiqwsAoV` |
+> | West US 3 | ecdsa-sha2-nistp256 | 12/31/2023 | `j4NlZP/wOXKnM3MkNEcTksqwBdF0Z46+rdi2Ic1Oj54=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBETvvRvehAQ2Ol0FfTt649/4Xsd0DQQ7vyZ666B92wRhvyziGIrOhy8klXHcijmRYRz3EjTHyXHZ4W8kcSKB4Lo=` |
+> | West US 3 | ecdsa-sha2-nistp256 | 12/31/2025 | `6p/fmVisz/bHbuWC7UucbAnBdgK4WQVkw6zzhvFhHFY=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHpgzFgmBhkzPGtDbZDxFkPf5002g5lNWvDTlmwr0w9iFcZpFo3nmb7P8hwmM1fuIIY3TP975fdWQksb0BalCVQ=` |
+> | West US 3 | ecdsa-sha2-nistp384 | 12/31/2023 | `DkJet/6Pm6EXfpz2Ut6aahJ94OvjG3R7+dlK0H4O1ts=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBEu+HpgDp0a02miiJjD5qVcMcjWiZg5iIExECqD/KQVkfyraJ3WZ8P28JwB+IYlEGa2SHQxScDjG2t3iOSuU9BtpA0KK5PGtu3ZxhN1UmZbQgz6ANov7/+WHChg7/lhK0Q==` |
+> | West US 3 | ecdsa-sha2-nistp384 | 12/31/2025 | `IOHDwYcDq5ViVX2BntqQIr97N4H2EHpnJj6VYSxvU/g=` | `AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBL2+D84rmQmiBXCyc3gEfLILeR1uZ47BSs0iPqr81qwVnbkhKgNu9yvBwEg+nzbNTK+po/3RSvHau3OGhkJpyP8V9WPPvSaJ/LwK7snZCxdP1ikGBD1sNlZuR/vjgFiVaw==` |
+> | West US 3 | rsa-sha2-256 | 12/31/2023 | `pOKzaf3mrTJhfdR/9dbodyNza30TpQrYRFwKAndeaMo=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQC0KEDBaFSLsI28jdc854Rq6AL9Ku8g8L+OWQfWvb1ooBChMMd/oqVvFF9hkLzJ8nFPQw7+esVKys5uFwRTpBNuobF/RVtY0zLsNd+jkPxoUhs7Yl0hI2XXAPdp3uCsID56O+OrB7XbOsPCrJ2aXfiaRheRQg84/92c357uQ/epsva8XCMjIIGOAyEL6d4mnCNJ2Y0mXPJT1lfswoC8i2GSUKdJZhTLCe9zVDvTCTWuZJSH3A8nM3RVtnNgMXfNjh2blwW9YFv5BrMOXA205fahuDcPjwvXo9OMfEneDsrODmiEGYzbYLby/5/KPzz5OVn7BDJma6HL0z07i3PmEzXN` |
+> | West US 3 | rsa-sha2-256 | 12/31/2025 | `WhO1GOFFnv576OFBhEkwtMbBgJdT3FYJeSJzkhEHk6c=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDNFP6+UHbTOg4y0RuFS7R/Oqfag5Z7oWy5Q4//saANnPR7387auC1MGHuMAiP++LHlJTTL6/6nwL0gGnhE4ax6eOMj6TP+UnNfSgAmovhnBs0BULnIEpQkCBqawX5llUPYoG1mx9hXW+QPwpsEeK9USMz1uO2O3owTasnIhs0mJuEJVxRK+7bqDjY2+SsKnrMFO/nf62tHr/UfQ1bruCkznkpFctXbdCT6Tg8J2dO1KAIjqq2GiH/dtrS2hGTLdWgVZ1Pqt7b1Gebmeqm3jKK9Z2WaczhA+C3UF6MTCTsatf3Qv5mVnc8ZM5ggK3RsLQJ4zVxy+v7sqwSXjteVVIHN` |
+> | West US 3 | rsa-sha2-512 | 12/31/2023 | `KKcoWCeuJeepexnJCxoFqKJM88XrpsPKavXOoNFEGuY=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDNzhiVgDjCIarGEjKgmSxRh4vWjV6PxFbNK3cD0M4jWGlxPx/otJNEXCMee0hW29b7bwo2+aiyv3AEt7JYTeM/G9SHmenU6MTpqD/lC/LABtqTB7EV9FIFkc8MbbOvEkdTnRJw1d09MTqqwbkR9wq297AWggSzCuPDqMq+268UzsthMzODRVqW3yTr3M6vhlBCPfN5ptcvYwqRaa7Yhe4bdRZ+xYB5I2+ZMkalfn7SQiySSgAGjUJxrxK+LnJKSi32CfqTU8KjWNjCc40eAqexLFjg6AN9BtC0+ZYcD2KQmeqJ8oRCWw9r4CsaduSmcjc7XD75RKGdArjYzjeiVSlt` |
+> | West US 3 | rsa-sha2-512 | 12/31/2025 | `cscyajoE/dnuL7mKJItZIPne/VJeChRoNXKtt8pbniE=` | `AAAAB3NzaC1yc2EAAAADAQABAAABAQDMvb8yWNpx/F1X9ufh1kspD9nlNHJjx9KRbD5qNnk0g+dRgh0NurDdrP6GbEX+MtxbniVxyQd5lW97quIZWhsy94cWO7yAefJzH6LL5ZoBKftt24W/dRBAz6A2RNy5CcRD3H+5beTX3wiM5PaeTvPb2n3k3S/kv5dx3CDZyThKNQlWw957HrqWXBw5Y/urjaFoMc2zykbuYfHDWweD6XhsD+KHDUfvx6LyhrPy35Ur0dwS1V+2RQn9GK1cT7JhjTqLtH6LT9wvN223EwmmMR9MOzt0PFM82KPmTPAYgh0pYsiCyebm7D9lfEKCf2V53xzsfMd5PyNFLUwX3UtibfIh` |
++
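Review bot: the West US rsa-sha2-256 row dated 12/31/2025 carries a truncated public key (`AAAAB3NzaC1yc2EAAAADAQABAAABAQDctdy9TQF`, a few dozen characters where every other rsa-sha2 row in this table is a full 2048-bit key blob). A reader who pastes that row into known_hosts gets a key that does not parse, or one that can never match the server, and the SHA256 fingerprint `/0XElvAnzA260jbgxbbbW4ZktmIJBTR/I/8r+ap7d5g=` cannot be checked against it. Restore the full key material for that row and re-derive the fingerprint from it before publishing, since a table of host keys that users are told to trust is only useful when each fingerprint can be verified against its key.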
storage Storage Blob Change Feed https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blob-change-feed.md
The following example shows a change event record in JSON format that uses event
} ```
+#### Schema version 6
+
+The following event types may be captured in the change feed records with schema version 6:
+
+- BlobCreated
+- BlobDeleted
+- BlobPropertiesUpdated
+- BlobSnapshotCreated
+- BlobTierChanged
+- BlobAsyncOperationInitiated
+
+Schema version 6 adds support for [cold tier](access-tiers-overview.md#cold-tier).
+
+The following example shows a change event record in JSON format that uses event schema version 6:
+
+```json
+{
+ "schemaVersion": 6,
+ "topic": "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>",
+ "subject": "/blobServices/default/containers/<container>/blobs/<blob>",
+ "eventType": "BlobCreated",
+ "eventTime": "2023-10-11T13:12:11.5746587Z",
+ "id": "62616073-8020-0000-00ff-233467060cc0",
+ "data": {
+ "api": "PutBlob",
+ "clientRequestId": "b3f9b39a-ae5a-45ac-afad-95ac9e9f2791",
+ "requestId": "62616073-8020-0000-00ff-233467000000",
+ "etag": "0x8D9F2171BE32588",
+ "contentType": "application/octet-stream",
+ "contentLength": 128,
+ "blobType": "BlockBlob",
+ "blobVersion": "2023-10-11T16:11:52.5901564Z",
+ "containerVersion": "0000000000000001",
+ "blobTier": "Archive",
+ "url": "https://www.myurl.com",
+ "sequencer": "00000000000000010000000000000002000000000000001d",
+ "previousInfo": {
+ "SoftDeleteSnapshot": "2023-10-11T13:12:11.5726507Z",
+ "WasBlobSoftDeleted": "true",
+ "BlobVersion": "2024-02-17T16:11:52.0781797Z",
+ "LastVersion" : "2023-10-11T16:11:52.0781797Z",
+ "PreviousTier": "Hot"
+ },
+ "snapshot" : "2023-10-11T16:09:16.7261278Z",
+ "blobPropertiesUpdated" : {
+ "ContentLanguage" : {
+ "current" : "pl-Pl",
+ "previous" : "nl-NL"
+ },
+ "CacheControl" : {
+ "current" : "max-age=100",
+ "previous" : "max-age=99"
+ },
+ "ContentEncoding" : {
+ "current" : "gzip, identity",
+ "previous" : "gzip"
+ },
+ "ContentMD5" : {
+ "current" : "Q2h1Y2sgSW51ZwDIAXR5IQ==",
+ "previous" : "Q2h1Y2sgSW="
+ },
+ "ContentDisposition" : {
+ "current" : "attachment",
+ "previous" : ""
+ },
+ "ContentType" : {
+ "current" : "application/json",
+ "previous" : "application/octet-stream"
+ }
+ },
+ "asyncOperationInfo": {
+ "DestinationTier": "Hot",
+ "WasAsyncOperation": "true",
+ "CopyId": "copyId"
+ },
+ "blobTagsUpdated": {
+ "previous": {
+ "Tag1": "Value1_3",
+ "Tag2": "Value2_3"
+ },
+ "current": {
+ "Tag1": "Value1_4",
+ "Tag2": "Value2_4"
+ }
+ },
+ "restorePointMarker": {
+ "rpi": "cbd73e3d-f650-4700-b90c-2f067bce639c",
+ "rpp": "cbd73e3d-f650-4700-b90c-2f067bce639c",
+ "rpl": "test-restore-label",
+ "rpt": "2023-10-11T13:56:09.3559772Z"
+ },
+ "storageDiagnostics": {
+ "bid": "9d726db1-8006-0000-00ff-233467000000",
+ "seq": "(2,18446744073709551615,29,29)",
+ "sid": "4cc94e71-f6be-75bf-e7b2-f9ac41458e5a"
+ }
+ }
+}
+```
+ <a id="specifications"></a> ## Specifications
The following example shows a change event record in JSON format that uses event
This section describes known issues and conditions in the current release of the change feed. -- The `url` property of the log file is currently always empty. - The `LastConsumable` property of the segments.json file does not list the very first segment that the change feed finalizes. This issue occurs only after the first segment is finalized. All subsequent segments after the first hour are accurately captured in the `LastConsumable` property. - You currently cannot see the **$blobchangefeed** container when you call the ListContainers API. You can view the contents by calling the ListBlobs API on the $blobchangefeed container directly. - Storage account failover of geo-redundant storage accounts with the change feed enabled may result in inconsistencies between the change feed logs and the blob data and/or metadata. For more information about such inconsistencies, see [Change feed and blob data inconsistencies](../common/storage-disaster-recovery-guidance.md#change-feed-and-blob-data-inconsistencies).
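Review bot: the prose at the top of the hunk says schema version 6 adds cold tier support, but the sample record never shows it: `"blobTier": "Archive"`, `"PreviousTier": "Hot"` and `"DestinationTier": "Hot"` are all values that existed in earlier schema versions. Set one of them to `Cold` (for example `"blobTier": "Cold"`) so the example exercises what is new in version 6. Two smaller points in the same hunk: the line `<a id="specifications"></a> ## Specifications` puts the anchor and the heading on one line, and markdown only recognises `##` at the start of a line, so the heading will render as literal text; put the anchor on its own line, followed by a blank line and `## Specifications`. And the record is a composite (an `eventType` of `BlobCreated` carrying `blobPropertiesUpdated`, `blobTagsUpdated` and `asyncOperationInfo` blocks, with a `previousInfo.BlobVersion` of 2024-02-17 that post-dates the 2023-10-11 `eventTime`); a sentence saying the example shows every optional field at once, not a record the service would emit, would save readers from treating it as a real event.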
storage Storage Blobs Introduction https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-blobs-introduction.md
Follow these rules when naming a blob:
- A blob name must be at least one character long and cannot be more than 1,024 characters long, for blobs in Azure Storage. - Blob names are case-sensitive. - Reserved URL characters must be properly escaped. -- The number of path segments comprising the blob name cannot exceed 254. A path segment is the string between consecutive delimiter characters (*e.g.*, the forward slash '/') that corresponds to the name of a virtual directory.
+- There are limitations on the number of path segments comprising a blob name. A path segment is the string between consecutive delimiter characters (for example, a forward slash `/`) that corresponds to the directory or virtual directory. The following path segment limitations apply to blob names:
+ - If the storage account *does not* have hierarchical namespace enabled, the number of path segments comprising the blob name cannot exceed 254.
+ - If the storage account has hierarchical namespace enabled, the number of path segments comprising the blob name cannot exceed 63 (including path segments for container name and account host name).
> [!NOTE] > Avoid blob names that end with a dot (.), a forward slash (/), or a sequence or combination of the two. No path segments should end with a dot (.).
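Review bot: the new hierarchical-namespace bullet is self-contradictory. It limits "the number of path segments comprising the blob name" to 63 and then says the count includes "path segments for container name and account host name", which are not part of the blob name. State plainly whether the 63-segment limit applies to the full path (account host, container, blob) or to the blob name alone, and make it parallel with the sibling bullet, where the 254 limit counts blob-name segments only; as written, a reader cannot tell whether a 62-segment blob name in a one-segment container is allowed.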
storage Storage Quickstart Blobs Cli https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/blobs/storage-quickstart-blobs-cli.md
az login
## Create a resource group
-Create an Azure resource group with the [az group create](/cli/azure/group) command. A resource group is a logical container into which Azure resources are deployed and managed.
+Create an Azure resource group with the [az group create](/cli/azure/group#az-group-create()) command. A resource group is a logical container into which Azure resources are deployed and managed.
Remember to replace placeholder values in angle brackets with your own values:
az group create \
## Create a storage account
-Create a general-purpose storage account with the [az storage account create](/cli/azure/storage/account) command. The general-purpose storage account can be used for all four
+Create a general-purpose storage account with the [az storage account create](/cli/azure/storage/account#az-storage-account-create()) command. The general-purpose storage account can be used for all four
Remember to replace placeholder values in angle brackets with your own values:
az storage account create \
## Create a container
-Blobs are always uploaded into a container. You can organize groups of blobs in containers similar to the way you organize your files on your computer in folders. Create a container for storing blobs with the [az storage container create](/cli/azure/storage/container) command.
+Blobs are always uploaded into a container. You can organize groups of blobs in containers similar to the way you organize your files on your computer in folders. Create a container for storing blobs with the [az storage container create](/cli/azure/storage/container#az-storage-container-create()) command.
The following example uses your Azure AD account to authorize the operation to create the container. Before you create the container, assign the [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor) role to yourself. Even if you are the account owner, you need explicit permissions to perform data operations against the storage account. For more information about assigning Azure roles, see [Assign an Azure role for access to blob data](assign-azure-role-data-access.md).
vi helloworld
When the file opens, press **insert**. Type *Hello world*, then press **Esc**. Next, type *:x*, then press **Enter**.
-In this example, you upload a blob to the container you created in the last step using the [az storage blob upload](/cli/azure/storage/blob) command. It's not necessary to specify a file path since the file was created at the root directory. Remember to replace placeholder values in angle brackets with your own values:
+In this example, you upload a blob to the container you created in the last step using the [az storage blob upload](/cli/azure/storage/blob#az-storage-blob-upload()) command. It's not necessary to specify a file path since the file was created at the root directory. Remember to replace placeholder values in angle brackets with your own values:
```azurecli az storage blob upload \
This operation creates the blob if it doesn't already exist, and overwrites it i
When you upload a blob using the Azure CLI, it issues respective [REST API calls](/rest/api/storageservices/blob-service-rest-api) via http and https protocols.
-To upload multiple files at the same time, you can use the [az storage blob upload-batch](/cli/azure/storage/blob) command.
+To upload multiple files at the same time, you can use the [az storage blob upload-batch](/cli/azure/storage/blob#az-storage-blob-upload-batch()) command.
## List the blobs in a container
-List the blobs in the container with the [az storage blob list](/cli/azure/storage/blob) command. Remember to replace placeholder values in angle brackets with your own values:
+List the blobs in the container with the [az storage blob list](/cli/azure/storage/blob#az-storage-blob-list()) command. Remember to replace placeholder values in angle brackets with your own values:
```azurecli az storage blob list \
az storage blob list \
## Download a blob
-Use the [az storage blob download](/cli/azure/storage/blob) command to download the blob you uploaded earlier. Remember to replace placeholder values in angle brackets with your own values:
+Use the [az storage blob download](/cli/azure/storage/blob#az-storage-blob-download()) command to download the blob you uploaded earlier. Remember to replace placeholder values in angle brackets with your own values:
```azurecli az storage blob download \
azcopy copy 'C:\myDirectory\myFile.txt' 'https://mystorageaccount.blob.core.wind
## Clean up resources
-If you want to delete the resources you created as part of this quickstart, including the storage account, delete the resource group by using the [az group delete](/cli/azure/group) command. Remember to replace placeholder values in angle brackets with your own values:
+If you want to delete the resources you created as part of this quickstart, including the storage account, delete the resource group by using the [az group delete](/cli/azure/group#az-group-delete()) command. Remember to replace placeholder values in angle brackets with your own values:
```azurecli az group delete \
storage Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/policy-reference.md
Title: Built-in policy definitions for Azure Storage description: Lists Azure Policy built-in policy definitions for Azure Storage. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
storage Storage Explorer Support Policy Lifecycle https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/common/storage-explorer-support-policy-lifecycle.md
We strongly recommend to always use the latest versions of Storage Explorer. If
Storage Explorer is governed by the [Modern Lifecycle Policy](https://support.microsoft.com/help/30881/modern-lifecycle-policy). It's expected that users keep their installation of Storage Explorer up to date. Staying up to date ensures that users have the latest capabilities, performance enhancements, security, and service reliability.
-Starting with version 1.14.1, any Storage Explorer release that is greater than 12 months old will be considered out of support. All releases before 1.14.1 will be considered out of support starting on July 14, 2021. Versions that are out of support are no longer guaranteed to work fully as designed and expected. For a list of all releases, their release date, and their end of support date, see [Releases](#releases).
+Starting with version 1.14.1, any Storage Explorer release that is greater than 12 months old will be considered out of support. Starting with 1.31.0, a release's age will be based on the release date of its minor version. All releases before 1.14.1 will be considered out of support starting on July 14, 2021. While a version is in support, Microsoft will endeavor to keep the version working as was intended at its release. Once a version is out of support, it is no longer guaranteed to work as intended. For a list of all releases, their release date, and their end of support date, see [Releases](#releases).
Starting with version 1.13.0, an in-app alert may be displayed once a version is approximately one month away from being out of support. The alert encourages users to update to the latest version of Storage Explorer. Once a version is out of support, the in-app alert may be displayed on each start-up.
This table describes the release date and the end of support date for each relea
| Storage Explorer version | Release date | End of support date | |:-:|::|:-:|
+| v1.31.2 | October 3, 2023 | August 11, 2024 |
+| v1.31.1 | August 22, 2023 | August 11, 2024 |
| v1.31.0 | August 11, 2023 | August 11, 2024 | | v1.30.2 | July 21, 2023 | July 21, 2024 | | v1.30.1 | July 13, 2023 | July 13, 2024 | | v1.30.0 | June 12, 2023 | June 12, 2024 |
+| v1.29.3 | October 6, 2023 | May 24, 2024 |
| v1.29.2 | May 24, 2023 | May 24, 2024 | | v1.29.1 | May 10, 2022 | May 10, 2024 | | v1.29.0 | April 28, 2023 | April 28, 2024 |
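Review bot: the new v1.29.3 row (released October 6, 2023) lists an end of support date of May 24, 2024, which matches neither rule stated in the prose above. Under the pre-1.31.0 rule it would be 12 months from its own release date (October 6, 2024); under the minor-version rule introduced for 1.31.0 it would track v1.29.0 (April 28, 2024). The date actually equals v1.29.2's end of support, so either the policy text should say that patch releases of older lines inherit the end of support of the latest previous patch, or the row needs correcting. In the unchanged context, the v1.29.1 row shows a release date of May 10, 2022 against an end of support of May 10, 2024, so one of those years is a typo.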
storage Files Whats New https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/files-whats-new.md
description: Learn about new features and enhancements in Azure Files and Azure
Previously updated : 07/17/2023 Last updated : 10/11/2023
Azure Files is updated regularly to offer new features and enhancements. This ar
## What's new in 2023
+### 2023 quarter 4 (October, November, December)
+
+#### Azure Files now supports all valid Unicode characters
+
+Expanded character support will allow users to create SMB file shares with file and directory names on par with the NTFS file system for all valid Unicode characters. It also enables tools like AzCopy and Storage Mover to migrate all the files into Azure Files using the REST protocol. Expanded character support is now available in all Azure regions.
+
+For more information, [read the announcement](https://azure.microsoft.com/updates/azurefilessupportforunicodecharacters/).
+ ### 2023 quarter 3 (July, August, September) #### Azure Active Directory support for Azure Files REST API with OAuth authentication is generally available
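Review bot: the added `+ ### 2023 quarter 3 (July, August, September)` line has a leading space before `###` and, as shown here, runs into the following `#### Azure Active Directory support ...` heading on the same line. The two headings need to be on separate lines with a blank line before each, matching the quarter 4 section just above; suggest a blank line, then `### 2023 quarter 3 (July, August, September)`, then the `####` heading on its own line, with no leading space.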
storage Storage How To Create File Share https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-how-to-create-file-share.md
description: How to create and delete an SMB Azure file share by using the Azure
Previously updated : 05/24/2022 Last updated : 10/10/2023
Standard file shares can be deployed into one of the standard tiers: transaction
> [!Important] > You can move file shares between tiers within GPv2 storage account types (transaction optimized, hot, and cool). Share moves between tiers incur transactions: moving from a hotter tier to a cooler tier will incur the cooler tier's write transaction charge for each file in the share, while a move from a cooler tier to a hotter tier will incur the cool tier's read transaction charge for each file the share.
-The **quota** property means something slightly different between premium and standard file shares:
-- For standard file shares, it's an upper boundary of the Azure file share. If a quota isn't specified, standard file shares can span up to 100 TiB (or 5 TiB if the large file shares property isn't set for a storage account). If you didn't create your storage account with large file shares enabled, see [Enable large files shares on an existing account](#enable-large-file-shares-on-an-existing-account) for how to enable 100 TiB file shares.--- For premium file shares, quota means **provisioned size**. The provisioned size is the amount that you will be billed for, regardless of actual usage. The IOPS and throughput available on a premium file share is based on the provisioned size. For more information on how to plan for a premium file share, see [provisioning premium file shares](understanding-billing.md#provisioned-model). # [Portal](#tab/azure-portal)
-If you just created your storage account, you can navigate to it from the deployment screen by selecting **Go to resource**. Once in the storage account, select the **File shares** in the table of contents for the storage account.
+Follow these instructions to create a new Azure file share using the Azure portal.
+
+1. If you just created your storage account, you can navigate to it from the deployment screen by selecting **Go to resource**. Once in the storage account, select the **File shares** in the table of contents for the storage account.
-In the file share listing, you should see any file shares you have previously created in this storage account; an empty table if no file shares have been created yet. Select **+ File share** to create a new file share.
+1. In the file share listing, you should see any file shares you have previously created in this storage account; an empty table if no file shares have been created yet. Select **+ File share** to create a new file share.
-The new file share blade should appear on the screen. Complete the fields in the new file share blade to create a file share:
+1. The new file share blade should appear on the screen. Complete the fields in the **Basic** tab of the new file share blade to create a file share:
+
+ - **Name**: The name of the file share to be created.
-- **Name**: the name of the file share to be created.-- **Quota**: the quota of the file share for standard file shares; the provisioned size of the file share for premium file shares. For standard file shares, the quota will also determine what performance you receive.-- **Tiers**: the selected tier for a file share. This field is only available in a **general purpose (GPv2) storage account**. You can choose transaction optimized, hot, or cool. The share's tier can be changed at any time. We recommend picking the hottest tier possible during a migration, to minimize transaction expenses, and then switching to a lower tier if desired after the migration is complete.
+ - **Tier**: The selected tier for a standard file share. This field is only available in a **general purpose (GPv2)** storage account type. You can choose transaction optimized, hot, or cool. The share's tier can be changed at any time. We recommend picking the hottest tier possible during a migration, to minimize transaction expenses, and then switching to a lower tier if desired after the migration is complete.
+
+ - **Provisioned capacity**: For premium file shares only, the provisioned capacity is the amount that you'll be billed for regardless of actual usage. This field is only available in a **FileStorage** storage account type. The IOPS and throughput available on a premium file share is based on the provisioned capacity, so you can provision more capacity to get more performance. The minimum size for a premium file share is 100 GiB. For more information on how to plan for a premium file share, see [provisioning premium file shares](understanding-billing.md#provisioned-model).
+
+1. Select the **Backup** tab. By default, [backup is enabled](../../backup/backup-azure-files.md) when you create an Azure file share using the Azure portal. If you want to disable backup for the file share, uncheck the **Enable backup** checkbox. If you want backup enabled, you can either leave the defaults or create a new Recovery Services Vault in the same region and subscription as the storage account. To create a new backup policy, select **Create a new policy**.
-Select **Create** to finishing creating the new share.
+1. Select **Review + create** and then **Create** to create the Azure file share.
# [PowerShell](#tab/azure-powershell) You can create an Azure file share with the [`New-AzRmStorageShare`](/powershell/module/az.storage/New-AzRmStorageShare) cmdlet. The following PowerShell commands assume you have set the variables `$resourceGroupName` and `$storageAccountName` as defined above in the creating a storage account with Azure PowerShell section.
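Review bot: the new portal step list (Name, Tier, Provisioned capacity) drops the **Quota** field that the removed bullet described for standard file shares, and the removed paragraph explaining the quota property (upper boundary of a standard share, 100 TiB, or 5 TiB without large file shares enabled) has no replacement in this hunk, while the PowerShell and Azure CLI tabs below still document `-QuotaGiB` and `--quota`. If the portal still exposes a quota for standard shares, add it back to the list; if it no longer does, state where the standard-share size limit is now set so the three tabs stay consistent.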
-The following example shows creating a file share with an explicit tier using the `-AccessTier` parameter. If a tier is not specified, the default tier for standard file shares is transaction optimized.
+The following example shows creating a file share with an explicit tier using the `-AccessTier` parameter. If a tier isn't specified, the default tier for standard file shares is transaction optimized.
> [!Important]
-> For premium file shares, the `-QuotaGiB` parameter refers to the provisioned size of the file share. The provisioned size of the file share is the amount you will be billed for, regardless of usage. Standard file shares are billed based on usage rather than provisioned size.
+> For premium file shares, the `-QuotaGiB` parameter refers to the provisioned capacity of the file share. The provisioned capacity of the file share is the amount you'll be billed for, regardless of usage. Standard file shares are billed based on usage rather than provisioned capacity.
```powershell # Assuming $resourceGroupName and $storageAccountName from earlier in this document have already
New-AzRmStorageShare `
You can create an Azure file share with the [`az storage share-rm create`](/cli/azure/storage/share-rm#az-storage-share-rm-create) command. The following Azure CLI commands assume you have set the variables `$resourceGroupName` and `$storageAccountName` as defined above in the creating a storage account with Azure CLI section. > [!Important]
-> For premium file shares, the `--quota` parameter refers to the provisioned size of the file share. The provisioned size of the file share is the amount you will be billed for, regardless of usage. Standard file shares are billed based on usage rather than provisioned size.
+> For premium file shares, the `--quota` parameter refers to the provisioned capacity of the file share. The provisioned capacity of the file share is the amount you'll be billed for, regardless of usage. Standard file shares are billed based on usage rather than provisioned capacity.
```azurecli shareName="myshare"
az storage share-rm create \
> [!Note]
-> The name of your file share must be all lowercase. For complete details about naming file shares and files, see [Naming and referencing shares, directories, files, and metadata](/rest/api/storageservices/Naming-and-Referencing-Shares--Directories--Files--and-Metadata).
+> The name of your file share must be all lower-case letters, numbers, and single hyphens, and must begin and end with a lower-case letter or number. The name can't contain two consecutive hyphens. For complete details about naming file shares and files, see [Naming and referencing shares, directories, files, and metadata](/rest/api/storageservices/Naming-and-Referencing-Shares--Directories--Files--and-Metadata).
### Change the tier of an Azure file share
-File shares deployed in **general purpose v2 (GPv2) storage account** can be in the transaction optimized, hot, or cool tiers. You can change the tier of the Azure file share at any time, subject to transaction costs as described above.
+File shares deployed in a **general purpose v2 (GPv2)** storage account can be in the transaction optimized, hot, or cool tiers. You can change the tier of the Azure file share at any time, subject to transaction costs as described above.
# [Portal](#tab/azure-portal)
-On the main storage account page, select **File shares** select the tile labeled **File shares** (you can also navigate to **File shares** via the table of contents for the storage account).
+On the main storage account page, select **File shares**, and select the tile labeled **File shares** (you can also navigate to **File shares** via the table of contents for the storage account).
:::image type="content" source="media/storage-files-quick-create-use-windows/click-files.png" alt-text="Screenshot of storage account blade, file shares selected.":::
On the resulting dialog, select the desired tier: transaction optimized, hot, or
![A screenshot of the change tier dialog](media/storage-how-to-create-file-share/change-tier-1.png) # [PowerShell](#tab/azure-powershell)
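Review bot: the rewritten sentence `On the main storage account page, select **File shares**, and select the tile labeled **File shares**` still selects **File shares** twice, which reads as a duplicated step. Suggest a single instruction, e.g. `On the main storage account page, select the tile labeled **File shares** (you can also navigate to **File shares** via the table of contents for the storage account).`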
-The following PowerShell cmdlet assumes that you have set the `$resourceGroupName`, `$storageAccountName`, `$shareName` variables as described in the earlier sections of this document.
+The following PowerShell cmdlet assumes that you've set the `$resourceGroupName`, `$storageAccountName`, `$shareName` variables as described in the earlier sections of this document.
```PowerShell Update-AzRmStorageShare `
Update-AzRmStorageShare `
``` # [Azure CLI](#tab/azure-cli)
-The following Azure CLI command assumes that you have set the `$resourceGroupName`, `$storageAccountName`, and `$shareName` variables as described in the earlier sections of this document.
+The following Azure CLI command assumes that you've set the `$resourceGroupName`, `$storageAccountName`, and `$shareName` variables as described in the earlier sections of this document.
```azurecli az storage share-rm update \
storage Storage How To Use Files Portal https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/files/storage-how-to-use-files-portal.md
description: Learn how to create and use Azure file shares with the Azure portal
Previously updated : 10/09/2023 Last updated : 10/10/2023 ms.devlang: azurecli
If you don't have an Azure subscription, create a [free account](https://azure.m
[!INCLUDE [cloud-shell-try-it.md](../../../includes/cloud-shell-try-it.md)]
-If you'd like to install and use PowerShell locally, you'll need the Azure PowerShell module Az version 7.0.0 or later. We recommend installing the latest available version. To find out which version of the Azure PowerShell module you're running, execute `Get-InstalledModule Az`. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell). If you're running PowerShell locally, you also need to run `Login-AzAccount` to log in to your Azure account. To use multi-factor authentication, you'll need to supply your Azure tenant ID, such as `Login-AzAccount -TenantId <TenantId>`.
+If you'd like to install and use PowerShell locally, you'll need the Azure PowerShell module Az version 7.0.0 or later. We recommend installing the latest available version. To find out which version of the Azure PowerShell module you're running, execute `Get-InstalledModule Az`. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell). If you're running PowerShell locally, you also need to run `Login-AzAccount` to log in to your Azure account. To use multifactor authentication, you'll need to supply your Azure tenant ID, such as `Login-AzAccount -TenantId <TenantId>`.
# [Azure CLI](#tab/azure-cli)
To create an Azure file share:
![A screenshot of the data storage section of the storage account; select file shares.](media/storage-how-to-use-files-portal/create-file-share-1.png) 1. On the menu at the top of the **File shares** page, select **+ File share**. The **New file share** page drops down.
-1. In **Name**, type *myshare*. Leave **Transaction optimized** selected for **Tier**.
+1. In **Name**, type *myshare*. File share names must be all lower-case letters, numbers, and single hyphens, and must begin and end with a lower-case letter or number. The name can't contain two consecutive hyphens. For details about naming file shares and files, see [Naming and Referencing Shares, Directories, Files, and Metadata](/rest/api/storageservices/Naming-and-Referencing-Shares--Directories--Files--and-Metadata).
+1. Leave **Transaction optimized** selected for **Tier**.
1. Select the **Backup** tab. By default, [backup is enabled](../../backup/backup-azure-files.md) when you create an Azure file share using the Azure portal. If you want to disable backup for the file share, uncheck the **Enable backup** checkbox. If you want backup enabled, you can either leave the defaults or create a new Recovery Services Vault in the same region and subscription as the storage account. To create a new backup policy, select **Create a new policy**.
-1. Select **Review + create** and then **Create** to create the Azure file share.
-File share names must be all lower-case letters, numbers, and single hyphens, and must begin and end with a lower-case letter or number. The name can't contain two consecutive hyphens. For details about naming file shares and files, see [Naming and Referencing Shares, Directories, Files, and Metadata](/rest/api/storageservices/Naming-and-Referencing-Shares--Directories--Files--and-Metadata).
+ :::image type="content" source="media/storage-how-to-use-files-portal/create-file-share-backup.png" alt-text="Screenshot showing how to enable or disable file share backup." border="true":::
+
+1. Select **Review + create** and then **Create** to create the Azure file share.
# [PowerShell](#tab/azure-powershell)
storage Authorize Access Azure Active Directory https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/storage/queues/authorize-access-azure-active-directory.md
While Microsoft recommends using the Azure Identity client library when possible
When you use MSAL to acquire an OAuth token for access to Azure Storage, you need to provide an Azure AD resource ID. The Azure AD resource ID indicates the audience for which a token that is issued can be used to provide access to an Azure resource. In the case of Azure Storage, the resource ID may be specific to a single storage account, or it may apply to any storage account.
-The following table describes the values that you can provide for the resource ID. The resource ID for Azure Storage is the same for all public and sovereign clouds:
+When you provide a resource ID that is specific to a single storage account and service, the resource ID is used to acquire a token for authorizing requests to the specified account and service only. The following table lists the value to use for the resource ID, based on the cloud you're working with. Replace `<account-name>` with the name of your storage account.
-| Resource ID | Description |
-|||
-| `https://<account>.queue.core.windows.net` | The service endpoint for a given storage account. Use this value to acquire a token for authorizing requests to that specific Azure Storage account and service only. Replace the value in brackets with the name of your storage account. |
-| `https://storage.azure.com/` | Use to acquire a token for authorizing requests to any Azure Storage account. |
+| Cloud | Resource ID |
+| | |
+| Azure Global | `https://<account-name>.queue.core.windows.net` |
+| Azure Government | `https://<account-name>.queue.core.usgovcloudapi.net` |
+| Azure China 21Vianet | `https://<account-name>.queue.core.chinacloudapi.cn` |
+
+You can also provide a resource ID that applies to any storage account, as shown in the following table. This resource ID is the same for all public and sovereign clouds, and is used to acquire a token for authorizing requests to any storage account.
+
+| Cloud | Resource ID |
+| | |
+| Azure Global<br />Azure Government<br />Azure China 21Vianet<br /> | `https://storage.azure.com/` |
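Review bot: the `Azure Global<br />Azure Government<br />Azure China 21Vianet<br />` cell in the second table ends with a trailing `<br />`, which leaves an empty line at the bottom of the cell; drop the last one. Also, as shown here both tables have `| | |` as the separator row, so confirm the committed file has a dash row (`| --- | --- |`) under each header or the tables will not render. On content: the rewrite now states the difference clearly (an account-scoped resource ID yields a token valid for that account and service only, while `https://storage.azure.com/` yields one valid for any storage account), so consider adding a sentence recommending the account-scoped resource ID whenever the client only needs one account, since that limits where a leaked or replayed token can be used.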
## Assign Azure roles for access rights
stream-analytics Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/stream-analytics/policy-reference.md
Title: Built-in policy definitions for Azure Stream Analytics description: Lists Azure Policy built-in policy definitions for Azure Stream Analytics. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
synapse-analytics Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/synapse-analytics/policy-reference.md
Title: Built-in policy definitions description: Lists Azure Policy built-in policy definitions for Azure Synapse Analytics. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
virtual-desktop Compare Remote Desktop Clients https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/compare-remote-desktop-clients.md
The following table shows which input methods are available for each Remote Desk
| Mouse | X | X | X | X | X | X | | Touch | X | X | X | X | | X | | Multi-touch | X | X | X | X | | |
-| Pen | X | | X | X\* | | |
-
-\* Pen input redirection is not supported when connecting to Windows Server 2012 or Windows Server 2012 R2.
+| Pen | X | | X | X | | |
### Port redirection
virtual-desktop Onedrive Remoteapp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/onedrive-remoteapp.md
description: Learn how to use Microsoft OneDrive with a RemoteApp in Azure Virtu
Previously updated : 09/27/2023 Last updated : 10/11/2023 # Use Microsoft OneDrive with a RemoteApp in Azure Virtual Desktop
You can use Microsoft OneDrive alongside a RemoteApp in Azure Virtual Desktop, a
> [!IMPORTANT] > - You should only use OneDrive with a RemoteApp for testing purposes as it requires an Insider Preview build of Windows 11 for your session hosts. >
-> - You can't use the OneDrive setting **Start OneDrive automatically when I sign in to Windows**.
+> - You can't use the OneDrive setting **Start OneDrive automatically when I sign in to Windows**, which starts OneDrive when a user signs in. Instead, you need to configure OneDrive to launch by configuring a registry value, which is described in this article.
## User experience
Before you can use OneDrive with a RemoteApp in Azure Virtual Desktop, you need:
- Session hosts in the host pool that:
- - Are running Windows 11 Insider Preview Enterprise multi-session, version 22H2, build 25905 or later. To get Insider Preview builds for multi-session, you need to start with a non-Insider build, join session hosts to the Windows Insider Program, then install the preview build. For more information on the Windows Insider Program, see [Getting started with the Windows Insider Program](https://www.microsoft.com/windowsinsider/getting-started).
+ - Are running Windows 11 Insider Preview Enterprise multi-session, version 22H2, build 25905 or later. To get Insider Preview builds for multi-session, you need to start with a non-Insider build, join session hosts to the Windows Insider Program, then install the preview build. For more information on the Windows Insider Program, see [Get started with the Windows Insider Program](/windows-insider/get-started) and [Manage Insider Preview builds across your organization](/windows-insider/business/manage-builds). Intune [doesn't support update rings with multi-session](/mem/intune/fundamentals/azure-virtual-desktop-multi-session#additional-configurations-that-arent-supported-on-windows-10-or-windows-11-enterprise-multi-session-vms).
- Have the latest version of FSLogix installed. For more information, see [Install FSLogix applications](/fslogix/how-to-install-fslogix).
To configure OneDrive to launch with a RemoteApp in Azure Virtual Desktop, follo
You can configure the registry using an enterprise deployment tool such as Intune, Configuration Manager, or Group Policy. Alternatively, to set this registry value using PowerShell, open PowerShell as an administrator and run the following command: ```powershell
- New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name OneDrive -PropertyType String -Value '"C:\Program Files\Microsoft OneDrive\OneDrive.exe\" /background' -Force
+ New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name OneDrive -PropertyType String -Value '"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background' -Force
``` ## Test OneDrive with a RemoteApp
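Review bot: the corrected command is now well-formed (the stray backslash before the closing quote is gone), but `-Force` silently overwrites any existing `OneDrive` value under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, and because the key is under HKLM the autostart applies to every user who signs in to the session host, not only RemoteApp users. Suggest the article mention inspecting the current value first, e.g. `Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name OneDrive`, and state the machine-wide scope explicitly so admins know what the change affects.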
virtual-desktop Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/prerequisites.md
You have a choice of operating systems (OS) that you can use for session hosts t
|Operating system |User access rights| ||| |<ul><li>[Windows 11 Enterprise multi-session](/lifecycle/products/windows-11-enterprise-and-education)</li><li>[Windows 11 Enterprise](/lifecycle/products/windows-11-enterprise-and-education)</li><li>[Windows 10 Enterprise multi-session](/lifecycle/products/windows-10-enterprise-and-education)</li><li>[Windows 10 Enterprise](/lifecycle/products/windows-10-enterprise-and-education)</li><ul>|License entitlement:<ul><li>Microsoft 365 E3, E5, A3, A5, F3, Business Premium, Student Use Benefit</li><li>Windows Enterprise E3, E5</li><li>Windows VDA E3, E5</li><li>Windows Education A3, A5</li></ul>External users can use [per-user access pricing](https://azure.microsoft.com/pricing/details/virtual-desktop/) by enrolling an Azure subscription instead of license entitlement.</li></ul>|
-|<ul><li>[Windows Server 2022](/lifecycle/products/windows-server-2022)</li><li>[Windows Server 2019](/lifecycle/products/windows-server-2019)</li><li>[Windows Server 2016](/lifecycle/products/windows-server-2016)</li><li>[Windows Server 2012 R2](/lifecycle/products/windows-server-2012-r2)</li></ul>|License entitlement:<ul><li>Remote Desktop Services (RDS) Client Access License (CAL) with Software Assurance (per-user or per-device), or RDS User Subscription Licenses.</li></ul>Per-user access pricing is not available for Windows Server operating systems.|
+|<ul><li>[Windows Server 2022](/lifecycle/products/windows-server-2022)</li><li>[Windows Server 2019](/lifecycle/products/windows-server-2019)</li><li>[Windows Server 2016](/lifecycle/products/windows-server-2016)</li></ul>|License entitlement:<ul><li>Remote Desktop Services (RDS) Client Access License (CAL) with Software Assurance (per-user or per-device), or RDS User Subscription Licenses.</li></ul>Per-user access pricing is not available for Windows Server operating systems.|
> [!IMPORTANT] > - The following items are not supported:
You have a choice of operating systems (OS) that you can use for session hosts t
> - [Virtual Machine Scale Sets](../virtual-machine-scale-sets/overview.md). > > - Support for Windows 7 ended on January 10, 2023.
+> - Support for Windows Server 2012 R2 ended on October 10, 2023. For more information, view [SQL Server 2012 and Windows Server 2012/2012 R2 end of support](/lifecycle/announcements/sql-server-2012-windows-server-2012-2012-r2-end-of-support).
You can use operating system images provided by Microsoft in the [Azure Marketplace](https://azuremarketplace.microsoft.com), or create your own custom images stored in an Azure Compute Gallery or as a managed image. Using custom image templates for Azure Virtual Desktop enables you to easily create a custom image that you can use when deploying session host virtual machines (VMs). To learn more about how to create custom images, see:
virtual-desktop Client Features Android Chrome Os https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/users/client-features-android-chrome-os.md
To remove an account you no longer want to use:
### Set orientation
-You can set the orientation of the Remote Desktop client to landscape, portrait, or auto-adjust, where it will match the orientation of your device. Auto-adjust is supported when your remote session is running Windows 10 and Windows Server 2012 R2 or later. The window will maintain the same scaling and update the resolution to match the new orientation. This setting applies to all workspaces.
+You can set the orientation of the Remote Desktop client to landscape, portrait, or auto-adjust, where it will match the orientation of your device. Auto-adjust is supported when your remote session is running Windows 10 or later. The window will maintain the same scaling and update the resolution to match the new orientation. This setting applies to all workspaces.
+
+ > [!IMPORTANT]
+ > Support for Windows Server 2012 R2 ended on October 10, 2023. For more information, view [SQL Server 2012 and Windows Server 2012/2012 R2 end of support](/lifecycle/announcements/sql-server-2012-windows-server-2012-2012-r2-end-of-support).
To set the orientation:
virtual-desktop Client Features Ios Ipados https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/users/client-features-ios-ipados.md
Learn how to set display preferences, such as orientation and resolution.
### Set orientation
-You can set the orientation of the Remote Desktop client to landscape, portrait, or auto-adjust, where it will match the orientation of your device. Auto-adjust is supported when your remote session is running Windows 10 and Windows Server 2012 R2 or later. The window will maintain the same scaling and update the resolution to match the new orientation. This setting applies to all workspaces.
+You can set the orientation of the Remote Desktop client to landscape, portrait, or auto-adjust, where it will match the orientation of your device. Auto-adjust is supported when your remote session is running Windows 10 or later. The window will maintain the same scaling and update the resolution to match the new orientation. This setting applies to all workspaces.
+
+ > [!IMPORTANT]
+ > Support for Windows Server 2012 R2 ended on October 10, 2023. For more information, view [SQL Server 2012 and Windows Server 2012/2012 R2 end of support](/lifecycle/announcements/sql-server-2012-windows-server-2012-2012-r2-end-of-support).
To set the orientation:
virtual-desktop Connect Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/users/connect-windows.md
Before you can access your resources, you'll need to meet the prerequisites:
- Windows 10 IoT Enterprise - Windows Server 2019 - Windows Server 2016
- - Windows Server 2012 R2
> [!IMPORTANT]
- > Support for Windows 7 ended on January 10, 2023.
+ > - Support for Windows 7 ended on January 10, 2023.
+ > - Support for Windows Server 2012 R2 ended on October 10, 2023. For more information, view [SQL Server 2012 and Windows Server 2012/2012 R2 end of support](/lifecycle/announcements/sql-server-2012-windows-server-2012-2012-r2-end-of-support).
- Download the Remote Desktop client installer, choosing the correct version for your device: - [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139369) *(most common)*
virtual-desktop Whats New Client Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-desktop/whats-new-client-windows.md
The following table lists the current versions available for the public and Insi
Download: [Windows 64-bit](https://go.microsoft.com/fwlink/?linkid=2139233), [Windows 32-bit](https://go.microsoft.com/fwlink/?linkid=2139144), [Windows ARM64](https://go.microsoft.com/fwlink/?linkid=2139368) - Added new parameters for multiple monitor configuration when connecting to a remote resource using the [Uniform Resource Identifier (URI) scheme](uri-scheme.md).-- Added support for the following languages: Czech (Czechia), Hungarian (Hungary), Indonesian (Indonesia), Korean (Korea), Portuguese (Portugal), Turkish (Turkey).
+- Added support for the following languages: Czech (Czechia), Hungarian (Hungary), Indonesian (Indonesia), Korean (Korea), Portuguese (Portugal), Turkish (T├╝rkiye).
- Fixed a bug that caused a crash when using Teams Media Optimization. - Improved client logging, diagnostics, and error classification to help admins troubleshoot connection and feed issues.
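Review bot: the added language line shows `Turkish (T├╝rkiye)`; `├╝` is the two-byte UTF-8 encoding of `ü` decoded as a single-byte code page, so the file or the editor that saved it is not handling UTF-8 consistently. Make sure the committed line reads `Turkish (Türkiye)` and that the file is saved as UTF-8, otherwise the rendered page shows the garbled characters.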
virtual-machine-scale-sets Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machine-scale-sets/policy-reference.md
Previously updated : 09/19/2023 Last updated : 10/10/2023 # Azure Policy built-in definitions for Azure Virtual Machine Scale Sets
virtual-machines Basv2 https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/basv2.md
Basv2-series virtual machines offer a balance of compute, memory, and network re
| Size | vCPU | RAM | Base CPU Performance of VM (%) | Initial Credits (#) | Credits banked/hour | Max Banked Credits (#) | Max uncached disk throughput: IOPS/M8ps | Max burst uncached disk throughput: IOPS/MBps | Max Data Disks | Max Network Bandwidth (Gbps) | Max NICs | |--||--|--||||--|--|-||-| | Standard_B2ats_v2 | 2 | 1 | 20% | 60 | 24 | 576 | 3750/85 | 10,000/960 | 4 | 6.25 | 2 |
-| Standard_B2als_v2 | 2 | 4 | 30% | 60 | 24 | 576 | 3750/85 | 10,000/960 | 4 | 6.25 | 2 |
-| Standard_B2as_v2 | 2 | 8 | 40% | 600 | 24 | 576 | 3750/85 | 10,000/960 | 4 | 6.25 | 2 |
-| Standard_B4als_v2 | 4 | 8 | 30% | 120 | 48 | 1152 | 6,400/145 | 20,000/960 | 8 | 6.25 | 2 |
-| Standard_B4as_v2 | 4 | 16 | 40% | 120 | 48 | 1150 | 6,400/145 | 20,000/960 | 8 | 6.25 | 2 |
-| Standard_B8als_v2 | 8 | 16 | 30% | 240 | 96 | 2304 | 12,800/290 | 20,000/960 | 16 | 6.25 | 2 |
-| Standard_B8as_v2 | 8 | 32 | 40% | 240 | 96 | 2304 | 12,800/290 | 20,000/960 | 16 | 6.25 | 2 |
-| Standard_B16als_v2 | 16 | 32 | 30% | 480 | 192 | 4608 | 25,600/600 | 40,000/960 | 32 | 6.25 | 4 |
-| Standard_B16as_v2 | 16 | 64 | 40% | 480 | 192 | 4608 | 25,600/600 | 40,000/960 | 32 | 6.25 | 4 |
-| Standard_B32als_v2 | 32 | 64 | 60% | 960 | 384 | 9216 | 25,600/600 | 80,000/960 | 32 | 6.25 | 4 |
-| Standard_B32as_v2 | 32 | 128 | 40% | 960 | 384 | 9216 | 25,600/600 | 80,000/960 | 32 | 6.25 | 4 |
+| Standard_B2als_v2 | 2 | 4 | 30% | 60 | 36 | 864 | 3750/85 | 10,000/960 | 4 | 6.25 | 2 |
+| Standard_B2as_v2 | 2 | 8 | 40% | 600 | 48 | 1152 | 3750/85 | 10,000/960 | 4 | 6.25 | 2 |
+| Standard_B4als_v2 | 4 | 8 | 30% | 120 | 72 | 1728 | 6,400/145 | 20,000/960 | 8 | 6.25 | 2 |
+| Standard_B4as_v2 | 4 | 16 | 40% | 120 | 96 | 2304 | 6,400/145 | 20,000/960 | 8 | 6.25 | 2 |
+| Standard_B8als_v2 | 8 | 16 | 30% | 240 | 144 | 3456 | 12,800/290 | 20,000/960 | 16 | 6.25 | 2 |
+| Standard_B8as_v2 | 8 | 32 | 40% | 240 | 192 | 4608 | 12,800/290 | 20,000/960 | 16 | 6.25 | 2 |
+| Standard_B16als_v2 | 16 | 32 | 30% | 480 | 288 | 6912 | 25,600/600 | 40,000/960 | 32 | 6.25 | 4 |
+| Standard_B16as_v2 | 16 | 64 | 40% | 480 | 384 | 9216 | 25,600/600 | 40,000/960 | 32 | 6.25 | 4 |
+| Standard_B32als_v2 | 32 | 64 | 60% | 960 | 576 | 13824 | 25,600/600 | 80,000/960 | 32 | 6.25 | 4 |
+| Standard_B32as_v2 | 32 | 128 | 40% | 960 | 768 | 18432 | 25,600/600 | 80,000/960 | 32 | 6.25 | 4 |
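Review bot: the Standard_B32als_v2 row is internally inconsistent after this update: its base CPU performance is 60% but its 576 credits banked/hour corresponds to 30% (every other updated row follows vCPU × base % × 60, e.g. Standard_B32as_v2 gives 32 × 40% × 60 = 768), and the Bsv2 table below lists the equivalent Standard_B32ls_v2 at 30%. Two pre-existing values also survive the rewrite and should be checked: Standard_B2as_v2 keeps Initial Credits of 600 where the other 2-vCPU rows have 60, and the header still reads "IOPS/M8ps" for "IOPS/MBps".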
virtual-machines Bsv2 Series https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/bsv2-series.md
Last updated 06/20/2022 #Required; mm/dd/yyyy format. Date the article was created o
# Bsv2-series
-Bsv2-series virtual machines run on the 3rd Generation Intel&reg; Xeon&reg; Platinum 8370C (Ice Lake) processor in a [hyper threaded](https://www.intel.com/content/www/us/en/architecture-and-technology/hyper-threading/hyper-threading-technology.html) configuration, providing low cost CPU burstable general purpose virtual machines. Bsv2-series virtual machines utilize a CPU credit model to track how much CPU is consumed - the virtual machine accumulates CPU credits when a workload is operating below the base CPU performance threshold and, uses credits when running above the base CPU performance threshold until all of its credits are consumed. Upon consuming all the CPU credits, a Bsv2-series virtual machine is throttled back to its base CPU performance until it accumulates the credits to CPU burst again.
+Bsv2-series virtual machines run on the 3rd Generation Intel&reg; Xeon&reg; Platinum 8370C (Ice Lake) processor in a [hyper threaded](https://www.intel.com/content/www/us/en/architecture-and-technology/hyper-threading/hyper-threading-technology.html) configuration, providing low-cost CPU burstable general purpose virtual machines. Bsv2-series virtual machines utilize a CPU credit model to track how much CPU is consumed - the virtual machine accumulates CPU credits when a workload is operating below the base CPU performance threshold and, uses credits when running above the base CPU performance threshold until all of its credits are consumed. Upon consuming all the CPU credits, a Bsv2-series virtual machine is throttled back to its base CPU performance until it accumulates the credits to CPU burst again.
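Review bot: the stray comma in "threshold and, uses credits" is carried over from the - line; drop it, and while the hyphenation of "low-cost" is being fixed, "hyper threaded" should be "hyper-threaded".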
-Bsv2-series virtual machines offer a balance of compute, memory, and network resources and are a cost effective way to run a broad spectrum of general purpose workloads, including large scale micro-services, small and medium databases, virtual desktops, and business-critical applications; and are also an affordable option to run your code repositories and dev/test environments. Bsv2-Series offers virtual machines of up-to 32 vCPU and 128 Gib of RAM, with max network bandwidth of upto 6250 Mbps and max uncached disk thoughput of 600 Mbps. Bsv2-series virtual machines also support attachments of Standard SSD, Standard HDD, Premium SSD disk types with a default Remote-SSD support, you can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/).
+Bsv2-series virtual machines offer a balance of compute, memory, and network resources and are a cost-effective way to run a broad spectrum of general-purpose workloads, including large-scale micro-services, small and medium databases, virtual desktops, and business-critical applications; and are also an affordable option to run your code repositories and dev/test environments. Bsv2-Series offers virtual machines of up to 32 vCPU and 128 Gib of RAM, with max network bandwidth of up to 6250 Mbps and max uncached disk throughput of 600 Mbps. Bsv2-series virtual machines also support attachments of Standard SSD, Standard HDD, and Premium SSD disk types with a default Remote-SSD support, you can also attach Ultra Disk storage based on its regional availability. Disk storage is billed separately from virtual machines. [See pricing for disks](https://azure.microsoft.com/pricing/details/managed-disks/).
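Review bot: units in the + line still disagree with the size table: "128 Gib" should be "GiB", and "max uncached disk throughput of 600 Mbps" should be 600 MBps (the table column is IOPS/MBps, 25,600/600). "up to 6250 Mbps" would read better as 6.25 Gbps, the unit the table's Max Network Bandwidth column uses. The comma splice "with a default Remote-SSD support, you can also attach" needs a period or semicolon, and "Bsv2-Series" should be "Bsv2-series" as elsewhere in the paragraph.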
[Premium Storage](premium-storage-performance.md): Supported<br>
Bsv2-series virtual machines offer a balance of compute, memory, and network res
| Size | vCPU | RAM | Base CPU Performance of VM (%) | Initial Credits (#) | Credits banked/hour | Max Banked Credits (#) | Max uncached disk throughput: IOPS/MBps | Max burst uncached disk throughput: IOPS/MBps | Max Data Disks | Max Network Bandwidth (Gbps) | Max NICs | |-||--|--||||--|--|-||-|
-| Standard_B2ts_v2 | 2 | 1 | 20% | 60 | 24 | 576 | 3750/85 | 10,000/960 | 4 | 6.250 | 2 |
-| Standard_B2ls_v2 | 2 | 4 | 30% | 60 | 24 | 576 | 3750/85 | 10,000/960 | 4 | 6.50 | 2 |
-| Standard_B2s_v2 | 2 | 8 | 40% | 60 | 24 | 576 | 3750/85 | 10,000/960 | 4 | 6.50 | 2 |
-| Standard_B4ls_v2 | 4 | 8 | 30% | 120 | 48 | 1152 | 6,400/145 | 20,000/960 | 8 | 6.250 | 2 |
-| Standard_B4s_v2 | 4 | 16 | 40% | 120 | 48 | 1150 | 6,400/145 | 20,000/960 | 8 | 6.250 | 2 |
-| Standard_B8ls_v2 | 8 | 16 | 30% | 240 | 96 | 2304 | 12,800/290 | 20,000/960 | 16 | 3.250 | 2 |
-| Standard_B8s_v2 | 8 | 32 | 40% | 240 | 96 | 2304 | 12,800/290 | 20,000/960 | 16 | 6.250 | 2 |
-| Standard_B16ls_v2 | 16 | 32 | 30% | 480 | 192 | 4608 | 25,600/600 | 40,000/960 | 32 | 6.250 | 4 |
-| Standard_B16s_v2 | 16 | 64 | 40% | 480 | 192 | 4608 | 25,600/600 | 40,000/960 | 32 | 6.250 | 4 |
-| Standard_B32ls_v2 | 32 | 64 | 30% | 960 | 384 | 9216 | 51,200/600 | 80,000/960 | 32 | 6.250 | 4 |
-| Standard_B32s_v2 | 32 | 128 | 40% | 960 | 384 | 9216 | 51,200/600 | 80,000/960 | 32 | 6.250 | 4 |
+| Standard_B2ls_v2 | 2 | 4 | 30% | 60 | 36 | 864 | 3750/85 | 10,000/960 | 4 | 6.50 | 2 |
+| Standard_B2s_v2 | 2 | 8 | 40% | 60 | 48 | 1152 | 3750/85 | 10,000/960 | 4 | 6.50 | 2 |
+| Standard_B4ls_v2 | 4 | 8 | 30% | 120 | 72 | 1728 | 6,400/145 | 20,000/960 | 8 | 6.250 | 2 |
+| Standard_B4s_v2 | 4 | 16 | 40% | 120 | 96 | 2304 | 6,400/145 | 20,000/960 | 8 | 6.250 | 2 |
+| Standard_B8ls_v2 | 8 | 16 | 30% | 240 | 144 | 3456 | 12,800/290 | 20,000/960 | 16 | 3.250 | 2 |
+| Standard_B8s_v2 | 8 | 32 | 40% | 240 | 192 | 4608 | 12,800/290 | 20,000/960 | 16 | 6.250 | 2 |
+| Standard_B16ls_v2 | 16 | 32 | 30% | 480 | 288 | 6912 | 25,600/600 | 40,000/960 | 32 | 6.250 | 4 |
+| Standard_B16s_v2 | 16 | 64 | 40% | 480 | 384 | 9216 | 25,600/600 | 40,000/960 | 32 | 6.250 | 4 |
+| Standard_B32ls_v2 | 32 | 64 | 30% | 960 | 576 | 13824 | 51,200/600 | 80,000/960 | 32 | 6.250 | 4 |
+| Standard_B32s_v2 | 32 | 128 | 40% | 960 | 768 | 18432 | 51,200/600 | 80,000/960 | 32 | 6.250 | 4 |
<sup>*</sup> These IOPs values can be guaranteed by using [Gen2 VMs](generation-2.md)<br>
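Review bot: the Max Network Bandwidth column keeps three pre-existing outliers, 6.50 for Standard_B2ls_v2 and Standard_B2s_v2 and 3.250 for Standard_B8ls_v2, while every other row reads 6.250 and the prose above states up to 6250 Mbps; if these are typos for 6.250 fix them in the same change, and consider writing the value as 6.25 as the Basv2 table does. The updated credit columns themselves are consistent (credits/hour = vCPU × base % × 60, max banked = 24 × credits/hour). The "<sup>*</sup>" footnote below the table has no asterisk in the table to refer to.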
virtual-machines Ngads V 620 Series https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/ngads-v-620-series.md
Last updated 06/11/2023
> [!IMPORTANT] > The NGads V620 Series is currently in preview. Previews are made available to you on the condition that you agree to the [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Some aspects of this feature may change prior to general availability (GA). >
-> Customers can [sign up for NGads V620 Series preview today](https://aka.ms/NGadsV620-Series-Public-Preview). NGads V620 Series VMs are initially available in the East US2 and Europe West Azure regions.
+> Customers can [sign up for NGads V620 Series preview today](https://aka.ms/NGadsV620-Series-Public-Preview). NGads V620 Series VMs are initially available in the East US2, Europe West and Sweden Central Azure regions.
The NGads V620 series are GPU-enabled virtual machines with CPU, memory, and storage resources balanced to generate and stream high-quality graphics for a high-performance, interactive gaming experience hosted in Azure. They're powered by [AMD Radeon(tm) PRO V620 GPU](https://www.amd.com/en/products/server-accelerators/amd-radeon-pro-v620) and [AMD EPYC 7763 (Milan) CPUs](https://www.amd.com/en/products/cpu/amd-epyc-7763). The AMD Radeon PRO V620 GPUs have a maximum frame buffer of 32 GB, which can be divided up to four ways through hardware partitioning. The AMD EPYC CPUs have a base clock speed of 2.45 GHz and a boost<sup>1</sup> speed of 3.5 GHz. VMs are assigned full cores instead of threads, enabling full access to AMD's powerful "Zen 3" cores.<br> (<sup>1</sup> EPYC-018: Max boost for AMD EPYC processors is the maximum frequency achievable by any single core on the processor under normal operating conditions for server systems.)
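Review bot: the region names in the + line don't use Azure's display names; "East US2" is "East US 2" and "Europe West" is "West Europe" ("Sweden Central" is correct).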
virtual-machines Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/policy-reference.md
Title: Built-in policy definitions for Azure Virtual Machines description: Lists Azure Policy built-in policy definitions for Azure Virtual Machines. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
virtual-machines N Series Amd Driver Setup https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-machines/windows/n-series-amd-driver-setup.md
**Applies to:** Windows VMs :heavy_check_mark: Flexible scale sets ## NGads V620 Series (preview) ##
-The NGads V620 Series VMs support the AMD Cloud Software driver that comes in two editions: A Gaming driver with regular updates to support the latest titles, and a Professional driver for accelerated Virtual Desktop environments, with Radeon PRO optimizations to support high-end workstation applications.
-
-To take advantage of the GPU capabilities of Azure NGads V620 Series VMs, AMD GPU drivers must be installed.
+The AMD Software: Cloud Edition drivers must be installed to take advantage of the GPU capabilities of Azure NGads V620 Series VMs.
### Requirements | OS | Driver | | -- |- |
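Review bot: removing the paragraph about the two driver editions (Gaming vs. Professional) leaves the reader with no guidance on which edition to install, while the Requirements table below offers a single "23.Q3 (.exe)" link; either keep one sentence stating which edition the linked package is, or say explicitly that one "AMD Software: Cloud Edition" package now covers both uses.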
-| Windows 11 64-bit 21H2, 22H2<br/><br/>Windows 10 64-bit 21H2, 22H2 <br/><br/>Windows 11 EMS 64-bit 21H2, 22H2<br/><br/> Windows 10 EMS 64-bit 21H2, 22H2<br/><br/>Windows Server 2019 Release 1909<br/><br/>Windows Server 2022 64-bit Release 20348 | [Driver Download](https://go.microsoft.com/fwlink/?linkid=2234555) |
+| Windows 11 64-bit version 21H2, 22H2<br/><br/>Windows 10 64-bit version 21H2, 22H2 <br/><br/>Windows 11 EMS 64-bit 21H2, 22H2<br/><br/> Windows 10 EMS 64-bit 21H2, 22H2<br/><br/>Windows Server 2019 LTSC (version 1809)<br/><br/>Windows Server 2022 64-bit Release 20348 | [23.Q3 (.exe)](https://go.microsoft.com/fwlink/?linkid=2248541) |
### VM Creation Create the VMs using CLI. (Azure AMD GPU driver extensions don't support NGads V620 Series during preview) 1. Review the [CLI VM creation documentation](/azure/virtual-machines/windows/quick-create-cli). ### Driver installation
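Review bot: the OS list in the + line mixes "Windows 11 64-bit version 21H2, 22H2" with "Windows 11 EMS 64-bit 21H2, 22H2" (no "version"); make the four client rows consistent. The Windows Server 2019 correction to "LTSC (version 1809)" is right. Pinning the link text to "23.Q3" means this row has to be edited on every driver release; consider a version-neutral label with the version stated once in the installation steps.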
-1. Download the zip file to a local drive<br>
-2. Unzip to a local drive<br>
-3. Run setup.exe<br>
+1. Connect by Remote Desktop to each NGads V620-series VM<br>
+2. Download the EXE file to a local drive<br>
+3. If you need to uninstall the previous driver version, run "setup.exe -factoryresetinstall" from a command line <br>
+4. For a first-time driver installation, double-click or run ΓÇ£setup.exeΓÇ¥ from a command line<br>
+5. Reboot the VM
+
+### Verify driver installation
+1. You can verify driver installation in Device Manager. The following example shows successful configuration of the Radeon Pro V620 card on an Azure NGads V620 VM. The exact driver date and version will depend on the driver package released.<br><br>
+![NGads driver device manager](https://github.com/isgonzalez-MSFT/azure-docs-pr/assets/135761331/abc86bb4-5d3d-416f-bb7b-822461fd5c37)
+ ## NVv4 Series ## To take advantage of the GPU capabilities of the new Azure NVv4 series VMs running Windows, AMD GPU drivers must be installed. The [AMD GPU Driver Extension](../extensions/hpccompute-amd-gpu-windows.md) installs AMD GPU drivers on a NVv4-series VM. Install or manage the extension using the Azure portal or tools such as Azure PowerShell or Azure Resource Manager templates. See the [AMD GPU Driver Extension documentation](../extensions/hpccompute-amd-gpu-windows.md) for supported operating systems and deployment steps.
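Review bot: the screenshot in the new "Verify driver installation" section is linked from a GitHub PR assets URL (github.com/isgonzalez-MSFT/azure-docs-pr/assets/...), which is not served with the published docs; move the image under the article's media folder and reference it relatively like the other images on this site. Step 4's "ΓÇ£setup.exeΓÇ¥" is a mis-encoded pair of curly quotes; use straight quotes or code formatting as step 3 does for "setup.exe -factoryresetinstall". The single-item numbered list under "Verify driver installation" reads better as plain text.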
virtual-network Default Outbound Access https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/ip-services/default-outbound-access.md
If you deploy a virtual machine in Azure and it doesn't have explicit outbound c
:::image type="content" source="./media/default-outbound-access/default-outbound-access.png" alt-text="Diagram of default outbound access."::: >[!Important]
->On September 30, 2025, default outbound access for new deployments will be retired. For more information, see the [official announcement](https://azure.microsoft.com/updates/upgrade-to-standard-sku-public-ip-addresses-in-azure-by-30-september-2025-basic-sku-will-be-retired/). It is reccomended to use one the explict forms of connectivity discussed below.
+>On September 30, 2025, default outbound access for new deployments will be retired. For more information, see the [official announcement](https://azure.microsoft.com/updates/default-outbound-access-for-vms-in-azure-will-be-retired-transition-to-a-new-method-of-internet-access/). We recommend that you use one of the explicit forms of connectivity discussed in the following section.
## Why is disabling default outbound access recommended?
There are multiple ways to turn off default outbound access:
* Associate a NAT gateway to the subnet of your virtual machine. * Associate a standard load balancer configured with outbound rules.-
- * Associate a Basic public IP to the virtual machine's network interface (if there's only one network interface).
* Associate a Standard public IP to any of the virtual machine's network interfaces (if there are multiple network interfaces, having a single NIC with a standard public IP prevents default outbound access for the virtual machine).
For more information on outbound connections in Azure and Azure Virtual Network
* [Source Network Address Translation (SNAT) for outbound connections](../../load-balancer/load-balancer-outbound-connections.md).
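Review bot: the Basic public IP bullet is removed without saying why; the - line of the preceding hunk linked the Basic SKU retirement announcement, so a one-line note that Basic SKU public IPs are being retired and are no longer an option for explicit outbound connectivity would help readers who still have one attached.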
-* [What is Azure Virtual Network NAT?](../nat-gateway/nat-overview.md)
+* [What is Azure Virtual Network NAT?](../../nat-gateway/nat-overview.md)
+
+* [Azure Virtual Network NAT FAQ](../../nat-gateway/faq.yml)
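Review bot: the blank line inserted before the new "Azure Virtual Network NAT FAQ" bullet separates it from the list above, so Markdown renders it as a second, loose list; remove the blank line so all three links form one list. The "../../nat-gateway/" path correction is consistent with the load-balancer link above it.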
virtual-network Policy Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/virtual-network/policy-reference.md
Title: Built-in policy definitions for Azure Virtual Network description: Lists Azure Policy built-in policy definitions for Azure Virtual Network. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 09/19/2023 Last updated : 10/10/2023
web-application-firewall Waf Front Door Exclusion https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/web-application-firewall/afds/waf-front-door-exclusion.md
Sometimes Azure Web Application Firewall in Azure Front Door might block a legitimate request. As part of tuning your web application firewall (WAF), you can configure the WAF to allow the request for your application. WAF exclusion lists allow you to omit specific request attributes from a WAF evaluation. The rest of the request is evaluated as normal.
-For example, Azure Active Directory provides tokens that are used for authentication. When these tokens are used in a request header, they can contain special characters that might trigger a false positive detection by one or more WAF rules. You can add the header to an exclusion list, which tells the WAF to ignore the header. The WAF still inspects the rest of the request for suspicious content.
+For example, Microsoft Entra ID provides tokens that are used for authentication. When these tokens are used in a request header, they can contain special characters that might trigger a false positive detection by one or more WAF rules. You can add the header to an exclusion list, which tells the WAF to ignore the header. The WAF still inspects the rest of the request for suspicious content.
## Exclusion scopes
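Review bot: the example says to "add the header to an exclusion list" without naming the header or the scope; because an excluded header is no longer inspected by the rules it is excluded from, the example would be stronger if it named the header the token travels in and pointed to the narrowest scope in "Exclusion scopes" below (the rule or rule group that produced the false positive) rather than a policy-wide exclusion.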
web-application-firewall Waf Front Door Tuning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/web-application-firewall/afds/waf-front-door-tuning.md
In this example, you perform an exclusion at the most granular level by applying
![Screenshot that shows rule exclusion for a specific rule.](../media/waf-front-door-tuning/exclusion-rule.png)
-Occasionally, there are cases where specific parameters get passed into the WAF in a manner that might not be intuitive. For example, a token gets passed when you authenticate by using Azure Active Directory (Azure AD). The token `__RequestVerificationToken` usually gets passed in as a request cookie.
+Occasionally, there are cases where specific parameters get passed into the WAF in a manner that might not be intuitive. For example, a token gets passed when you authenticate by using Microsoft Entra ID. The token `__RequestVerificationToken` usually gets passed in as a request cookie.
-In some cases where cookies are disabled, this token is also passed in as a request post argument. For this reason, to address Azure AD token false positives, you must ensure that `__RequestVerificationToken` is added to the exclusion list for both `RequestCookieNames` and `RequestBodyPostArgsNames`.
+In some cases where cookies are disabled, this token is also passed in as a request post argument. For this reason, to address Microsoft Entra token false positives, you must ensure that `__RequestVerificationToken` is added to the exclusion list for both `RequestCookieNames` and `RequestBodyPostArgsNames`.
Exclusions on a field name (**Selector**) means that the value will no longer be evaluated by the WAF. The field name itself continues to be evaluated and in rare cases it might match a WAF rule and trigger an action.
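Review bot: "Microsoft Entra token false positives" in the + line is the only place the token is described as an Entra token; the preceding paragraph says it is a token passed "when you authenticate by using Microsoft Entra ID", so reuse that wording for consistency.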
web-application-firewall Web Application Firewall Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/web-application-firewall/ag/web-application-firewall-troubleshoot.md
To make an informed decision about handling a false positive, it's important t
One benefit of using an exclusion list is that only a specific part of a request is being disabled. However, this means that a specific exclusion is applicable to all traffic passing through your WAF because it's a global setting. For example, this could lead to an issue if *1=1* is a valid request in the body for a certain app, but not for others. Another benefit is that you can choose between body, headers, and cookies to be excluded if a certain condition is met, as opposed to excluding the whole request.
-Occasionally, there are cases where specific parameters get passed into the WAF in a manner that may not be intuitive. For example, there's a token that gets passed when authenticating using Azure Active Directory. This token, *__RequestVerificationToken*, usually get passed in as a Request Cookie. However, in some cases where cookies are disabled, this token is also passed as a request attribute or `arg`. If this happens, you need to ensure that *__RequestVerificationToken* is added to the exclusion list as a **Request attribute name** as well.
+Occasionally, there are cases where specific parameters get passed into the WAF in a manner that may not be intuitive. For example, there's a token that gets passed when authenticating using Microsoft Entra ID. This token, *__RequestVerificationToken*, usually get passed in as a Request Cookie. However, in some cases where cookies are disabled, this token is also passed as a request attribute or `arg`. If this happens, you need to ensure that *__RequestVerificationToken* is added to the exclusion list as a **Request attribute name** as well.
![Exclusions](../media/web-application-firewall-troubleshoot/exclusion-list.png)
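Review bot: "usually get passed" should be "usually gets passed" (carried over from the - line), and "Request Cookie" should be "request cookie" to match the Front Door tuning article's wording.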
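As an added example (not code from either Azure article), the following Python models the exclusion semantics that this Application Gateway passage and the Front Door tuning passage above describe: an exclusion on a field name skips evaluation of that field's value only, the field name itself is still inspected, and the rest of the request is evaluated as usual. It shows why a cookie-only exclusion for `__RequestVerificationToken` still yields a false positive once cookies are disabled and the token arrives as a POST argument, and why a legitimate injection in another POST argument is still caught after both exclusions are in place. The match-variable names follow the Front Door article; the "rule", the token value and the requests are constructed stand-ins, not Azure's managed rules or real tokens.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a WAF signature: fires on a few characters an
# injection rule treats as suspicious. Not a real managed rule.
SUSPICIOUS = re.compile(r"1=1|'|;|--")

TOKEN_NAME = "__RequestVerificationToken"
# Constructed token value that happens to contain characters tripping the toy rule.
TOKEN_VALUE = "CfDJ8;Q1'x--Z=="


@dataclass(frozen=True)
class Exclusion:
    """One exclusion-list entry: match variable + operator + selector (Front Door naming)."""
    match_variable: str  # RequestHeaderNames | RequestCookieNames | RequestBodyPostArgsNames
    operator: str        # Equals | StartsWith | EndsWith | Contains
    selector: str

    def covers(self, field_name: str) -> bool:
        ops = {
            "Equals": field_name == self.selector,
            "StartsWith": field_name.startswith(self.selector),
            "EndsWith": field_name.endswith(self.selector),
            "Contains": self.selector in field_name,
        }
        return ops[self.operator]


@dataclass
class Request:
    headers: dict
    cookies: dict
    post_args: dict


def evaluate(request: Request, exclusions: tuple = ()) -> list:
    """Return (match_variable, field_name, part) for every toy-rule hit.

    part is "name" or "value". An exclusion suppresses evaluation of the
    matching field's *value* only; its name is still inspected, and fields
    not covered by any exclusion are inspected as usual.
    """
    findings = []
    parts = (("RequestHeaderNames", request.headers),
             ("RequestCookieNames", request.cookies),
             ("RequestBodyPostArgsNames", request.post_args))
    for variable, fields in parts:
        for name, value in fields.items():
            excluded = any(e.match_variable == variable and e.covers(name)
                           for e in exclusions)
            if SUSPICIOUS.search(name):
                findings.append((variable, name, "name"))
            if not excluded and SUSPICIOUS.search(value):
                findings.append((variable, name, "value"))
    return findings


def is_blocked(request: Request, exclusions: tuple = ()) -> bool:
    return bool(evaluate(request, exclusions))


# Constructed sample requests.
WITH_COOKIE = Request(headers={"User-Agent": "example/1.0"},
                      cookies={TOKEN_NAME: TOKEN_VALUE},
                      post_args={"comment": "hello"})
COOKIES_DISABLED = Request(headers={"User-Agent": "example/1.0"},
                           cookies={},
                           post_args={TOKEN_NAME: TOKEN_VALUE, "comment": "hello"})
INJECTION = Request(headers={},
                    cookies={TOKEN_NAME: TOKEN_VALUE},
                    post_args={TOKEN_NAME: TOKEN_VALUE, "comment": "x' OR 1=1 --"})
ODD_NAME = Request(headers={}, cookies={}, post_args={"x;y": "safe"})

COOKIE_ONLY = (Exclusion("RequestCookieNames", "Equals", TOKEN_NAME),)
COOKIE_AND_POST = COOKIE_ONLY + (
    Exclusion("RequestBodyPostArgsNames", "Equals", TOKEN_NAME),)

if __name__ == "__main__":
    print(is_blocked(WITH_COOKIE))                        # no exclusion: false positive
    print(is_blocked(WITH_COOKIE, COOKIE_ONLY))           # cookie excluded: allowed
    print(is_blocked(COOKIES_DISABLED, COOKIE_ONLY))      # token moved to POST arg: blocked again
    print(is_blocked(COOKIES_DISABLED, COOKIE_AND_POST))  # both exclusions: allowed
    print(evaluate(INJECTION, COOKIE_AND_POST))           # other POST arg still inspected
    print(evaluate(ODD_NAME, (Exclusion("RequestBodyPostArgsNames", "Equals", "x;y"),)))
```

The last call illustrates the caveat in the Front Door tuning text: excluding a field named `x;y` silences its value but the name itself is still evaluated, so a selector containing suspicious characters can still match a rule.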